vSphere 5.0 Hardening Guide - Official Release

vSphere 5.0 Hardening Guide - Official Release

This is the official release of the vSphere 5.0 Security Hardening Guide, v1.0.  The format of this guide has changed from previous versions. The guide is being released as a Excel spreadsheet only.  The guideline metadata from earlier guides has been greatly expanded and standardized.  CLI commands for assessment and remediation of the guidelines is included for the vCLI, ESXi Shell, and PowerCLI.  For additional information, please see the Intro tab of the spreadsheet.

Thanks to everyone who provided feedback on the Public Draft, and also to the team at VMware who contributed to this guide in many significant ways.

UPDATED 06-AUG-2012
This guide has been updated to version 1.1.  Please see the Change Log tab for details.
UPDATED 05-SEP-2012
THE NEW HOME OF OFFICIAL VMWARE SECURITY HARDENING GUIDES IS http://vmware.com/go/securityguides.  Please check there for the latest versions of all guides.  THE VERSION OF THE GUIDE ATTACHED HERE SHOULD NO LONGER BE CONSIDERED CURRENT.
Attachments
Comments
Very great job. I don't like so much MS Excel, but the content is excellent.
A very good idea is the referral link about PowerCLI and vCLI.
Thanks!

Thanks for this very usefull excell sheets.

The commands are usefull

Akabou

http://www.akabou.fr/

No mention of changing the default group for AD auth (ESX Admins). Advanced param in gui is

Config.HostAgent.plugins.hostsvc.esxAdminsGroup

but I don't see it listed under #esxcli system settings advanced

and I'm not finding another cli reference to this setting.

I as well didn't like excel format.

Hey Charu and team, am I just confused, or is the setting

isolation.tools.dnd.disable=”FALSE” supposed to be "TRUE" to disable DND?

Thanks!

--Shack

There's a bug in the Excel Sheet, in the rows "disable-hgfs"  and "restrict-host-info" under the PowerCLI Command Assessment and PowerCLI Command Remediation the same Advanced Setting is listed "tools.guestlib.enableHostInfo" This is correct for "restrict-host-info" but not for "disable-hgfs" that should be isolation.tools.hgfsServerSet.disable with value $true

The Profile column on the VM sheet sometimes mentions profiles 4 and 5, while the Intro sheet only mentions profiles 1-3.

What should we understand under Profiles 4 and 5 ? Optional ? And in that case what is the difference between 4 and 5 ?

Profile 4 and 5 still seem to be there.

If they are intentional, what is their meaning ?

Sorry, I didn't see your comment.  Fixed now in v1.1.

Thanks.

It was of course just a detail in an otherwise great document.

Hey guys,

One thing I noticed in the 5.0 hardening guide is that there is still a check to ensure that vCenter Update Manager is not updating the VM that VCM is installed on. However, based on this discussion: http://communities.vmware.com/thread/330563, it seems that vCenter Update Manager no longer performs updating of guest OSes (such as Windows).

So, is this still a relevant check in the 5.0 hardening guide?

Thanks!

vCenter Update Manager no longer manages OS patches, but it still does VMware Tools updates and virtual hardware updates.

How exactly do you use the Hardening Guide? I can't find a how-to out there, but we have to run through the hardening guide for a compliance audit and its pretty far over my head.

I noticed "isolation.tools.setInfo.disable" is no longer part of the guide. That setting does have a big downside, but what is the rational for not including it in Risk Profile 1?

BTW. Great work, but I do find it a bit cumbersome to use.

Thanks,

Philippe

Version history
Revision #:
1 of 1
Last update:
‎06-01-2012 08:20 PM
Updated by: