This is the official release of the vSphere 5.0 Security Hardening Guide, v1.0. The format of this guide has changed from previous versions. The guide is being released as a Excel spreadsheet only. The guideline metadata from earlier guides has been greatly expanded and standardized. CLI commands for assessment and remediation of the guidelines is included for the vCLI, ESXi Shell, and PowerCLI. For additional information, please see the Intro tab of the spreadsheet.
No mention of changing the default group for AD auth (ESX Admins). Advanced param in gui is
Config.HostAgent.plugins.hostsvc.esxAdminsGroup
but I don't see it listed under #esxcli system settings advanced
and I'm not finding another cli reference to this setting.
I as well didn't like excel format.
Hey Charu and team, am I just confused, or is the setting
isolation.tools.dnd.disable=”FALSE” supposed to be "TRUE" to disable DND?
Thanks!
--Shack
There's a bug in the Excel Sheet, in the rows "disable-hgfs" and "restrict-host-info" under the PowerCLI Command Assessment and PowerCLI Command Remediation the same Advanced Setting is listed "tools.guestlib.enableHostInfo" This is correct for "restrict-host-info" but not for "disable-hgfs" that should be isolation.tools.hgfsServerSet.disable with value $true
The Profile column on the VM sheet sometimes mentions profiles 4 and 5, while the Intro sheet only mentions profiles 1-3.
What should we understand under Profiles 4 and 5 ? Optional ? And in that case what is the difference between 4 and 5 ?
Profile 4 and 5 still seem to be there.
If they are intentional, what is their meaning ?
Sorry, I didn't see your comment. Fixed now in v1.1.
Thanks.
It was of course just a detail in an otherwise great document.
Hey guys,
One thing I noticed in the 5.0 hardening guide is that there is still a check to ensure that vCenter Update Manager is not updating the VM that VCM is installed on. However, based on this discussion: http://communities.vmware.com/thread/330563, it seems that vCenter Update Manager no longer performs updating of guest OSes (such as Windows).
So, is this still a relevant check in the 5.0 hardening guide?
Thanks!
vCenter Update Manager no longer manages OS patches, but it still does VMware Tools updates and virtual hardware updates.
How exactly do you use the Hardening Guide? I can't find a how-to out there, but we have to run through the hardening guide for a compliance audit and its pretty far over my head.
I noticed "isolation.tools.setInfo.disable" is no longer part of the guide. That setting does have a big downside, but what is the rational for not including it in Risk Profile 1?
BTW. Great work, but I do find it a bit cumbersome to use.
Thanks,
Philippe