vSphere 5.1 Hardening Guide - Official Release

vSphere 5.1 Hardening Guide - Official Release

Hi,

I'm pleased to announce to availabilty of the official release of the vSphere 5.1 Hardening Guide. The guide is being released as an Excel spreadsheet only. This guide follows the same format as the 5.0 guide.


All reference and documentation URL's and code samples have been updated for 5.1. The guide is available below.


Please note: The permanent home for VMware security/hardening guides is located here: http://vmware.com/go/securityguides

This guide will move to that location soon.

Also availabe is a separate document containing the Change Log for the guide. The Change Log is available below.

Thanks to everyone who contributed feedback on the Public Drafts and also the team at VMware for their outstanding work in making this guide possible.

mike

Attachments
Comments

Excellent guide, but need to point out something that seems to be incorrect.

In the ESXi tab it says that you cannot set the following using Host Profiles:

set-shell-interactive-timeout

set-shell-timeout

verify-admin-group (you can change the default group)

This to me is incorrect as I have configured these settings on all my ESXi 5.1 hosts using Host Profiles

Mike - When can we expect an updated compliance checker for 5.1?

I'll take a look and if that's incorrect, I'll fix it for a future release. Thanks for pointing it out!

The compliance checker is done by another group. I'll ask them to chime in.

Any news from the compliane checker team? We would love to be able to do the checks with an automated tool.

We wouldn't mind testing the tool with the developers.

On The vNetwork tab, the rule "label-vswitches" says "Virtual switches within the ESXi Server require a field for the name of the switch. This label is important because it serves as a functional descriptor for the switch, just as physical switches require a host name. Labelling virtual switches will indicate the function or the IP subnet of the virtual switch. For instance, labelling the virtual switch as “internal” or some variation will indicate that the virtual switch is only for internal networking between a virtual machine’s private virtual switch with no physical network adaptors bound to it."

I cannot find how/where to change the name of a "vSphere Standard Switch". Please can you advise me how to do his or confirm that the rule is impossible to implement.

Thank you.

Hi,

It's actually the naming of port groups and not the switches themselves. You can change the port group names in the properties of the vSwitch in the C# client, the web client and via esxcli and Powershell commands (set-virtualswitch).

There's a number of blog articles floating around about changing the names. Duncan Epping wrote an excellent "back to basics configuring a vswitch" for example.

mike

Thanks for replying, Mike, but the rule states, "Virtual switches within the ESXi Server require a field for the name of the switch. This label is important because it serves as a functional descriptor for the switch, just as physical switches require a host name."

The previous rule in the spreadsheet (the rule entitled "label-portgroups" as opposed to the rule "label-vswitches" deals with naming of port groups and says "A network label identifies each port group with a name. These names are important because they serve as a functional descriptor for the port group. Without these descriptions, identifying port groups and their functions becomes difficult as the network becomes more complex."

Please can you clarify as it seems to me that either the rule must be invalid or it must be possible to rename vSwitches.

Thanks again!

Would still be grateful for some clarification on this please, Mike.

You are correct. This will be updated in the 5.5 guide.

Version history
Revision #:
1 of 1
Last update:
‎04-15-2013 01:12 PM
Updated by: