I have a requirement to lock down our ESXi hosts based off of the vSphere hardening guides. One in particular is to disable the Managed Object Browser on the ESXi hosts. This can be found in the ESX/ESXi Host configuration portion of the vSphere Security hardening document, code HCM02. If I comment out this section of the /etc/vmware/hostd/proxy.xml file, the host becomes disconnected from VC and the web interface no longer works. So what am I doing wrong here? This is the portion of the file before I edit it:
So I am just commenting out this section to disable it. The problems start once I restart services.sh on the ESXi host. This can't be expected behavior, is it? Thanks for any help!!
In the draft hardening guide (Rev B), a step was omitted from this procedure. You need to decrement the <_length> field by one after you remove the "mob" element. This will be corrected in the final version.
Please let us know if it doesn't work for you.
Hello,
I think I will leave this to VMware and will ping the appropriate people.
Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available: 'VMware ESX Server in the Enterprise'
Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World
Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll
This, in conjunction with renumbering the elements that followed, was the full answer. I tried only decreasing the length number by one, but that did not appear to be enough. If I want to remove access to download the VIC, can I simply remove the client element and again follow these steps to decrease the length and renumber? Thanks for the help.
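The procedure settled on above (remove the endpoint entry, decrement `<_length>`, renumber the entries that follow) is easy to get wrong by hand, so here is an added script that does it mechanically and refuses to write anything if the file's `<_length>` already disagrees with its entry count. This is example code, not from VMware or the hardening guide; the sample proxy.xml below is constructed, modelled on the ESXi 4.x layout (`EndpointList` holding `<e id="N">` entries with a `serverNamespace`), and must be checked against the real file before use. It takes the namespace to remove as a parameter, so the same function covers the `/mob` case and the `client` element asked about above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on ESXi 4.x /etc/vmware/hostd/proxy.xml.
# The exact layout is an assumption; verify against the real file.
SAMPLE_PROXY_XML = """<ConfigRoot>
  <EndpointList>
    <_length>3</_length>
    <_type>vim.ProxyService.EndpointSpec[]</_type>
    <e id="0">
      <accessMode>httpsWithRedirect</accessMode>
      <pipeName>/var/run/vmware/proxy-mob</pipeName>
      <serverNamespace>/mob</serverNamespace>
    </e>
    <e id="1">
      <accessMode>httpsWithRedirect</accessMode>
      <port>8309</port>
      <serverNamespace>/sdk</serverNamespace>
    </e>
    <e id="2">
      <accessMode>httpAndHttps</accessMode>
      <port>8080</port>
      <serverNamespace>/client/clients.xml</serverNamespace>
    </e>
  </EndpointList>
</ConfigRoot>
"""


def remove_endpoint(xml_text, namespace):
    """Drop the <e> entry whose serverNamespace equals `namespace`,
    decrement <_length> and renumber the remaining ids from 0.
    Returns (new_xml_text, remaining_entry_count)."""
    root = ET.fromstring(xml_text)
    endpoints = root.find("EndpointList")
    if endpoints is None:
        raise ValueError("no EndpointList element found")
    entries = endpoints.findall("e")
    length = endpoints.find("_length")
    # Sanity check: refuse to touch a file that is already inconsistent.
    if length is None or int(length.text) != len(entries):
        raise ValueError("<_length> does not match the number of <e> entries")
    victims = [e for e in entries if e.findtext("serverNamespace") == namespace]
    if len(victims) != 1:
        raise ValueError(f"expected exactly one {namespace} entry, found {len(victims)}")
    endpoints.remove(victims[0])
    remaining = endpoints.findall("e")
    for idx, e in enumerate(remaining):   # renumber so ids stay dense
        e.set("id", str(idx))
    length.text = str(len(remaining))     # the step the draft guide omitted
    return ET.tostring(root, encoding="unicode"), len(remaining)
```

Write the returned text back to proxy.xml only after a backup, then restart the host services as the thread describes.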
Texiwill, thanks for the assist.
One more thing: do you have a projected time for the release of the finalized version? I will be going through a large portion of these configurations. If this forum is monitored by the security team, I can post any other issues we run into here.
I'm going to post it today, actually. But, please do continue to provide feedback on the final version, as we will be issuing updates as needed. Thanks for your help.
Will do. How about making the VIC not able to ignore a non-trusted cert? We want to remove the ability to download the VIC from rack host and VC, or replace it with one that will not allow the user to use a non-trusted cert. Any thoughts on that?
On Apr 13, 2010, at 4:45 PM, Charu <communities-emailer@vmware.com
This is a common request, and we are looking into ways to implement this. Hopefully you see this show up in one of the future releases.