Mike Foley

About Mike Foley

Mike Foley is a Senior Technical Marketing Manager at VMware. His primary focus is on security of the core platform (vSphere). He is the current keeper of the vSphere Hardening Guide. His primary goal is to help IT/VI Admins build more secure platforms that stand up to scrutiny from security teams. Previously, Mike was on the evangelist team at RSA, where he concentrated on virtualization and cloud security and contributed as a member of the product architect team. Mike has a blog at http://yelof.com and contributes to the VMware vSphere and Security blogs as well. Follow him at @vSphereSecurity on Twitter.

SSH keys when using Lockdown Mode – A 5.x Hardening Guide update

Hi,

I was informed today that there is a behavior in the 5.1 through 5.5 Update 1 Hardening Guides that is incorrectly documented.

The two affected guidelines are:

  • ESXi.enable-lockdown-mode
  • ESXi.remove-authorized-keys


vSphere Hardening Guide 5.5 Update 1 Released!

I’m happy to announce the general availability of the vSphere Hardening Guide for vSphere 5.5 Update 1. This has been a work in progress for a little while now and I’m glad to get it out there!

There are 4 new additions to the guide. Please review.

  1. enable-VGA-Only-Mode: Used for server VMs that don’t need a graphical console, e.g. Linux web servers, Windows Core, etc.
  2. disable-non-essential-3D-features: Remove 3D graphics capabilities from VMs that don’t need them.
  3. use-unique-roles: A new companion control to use-service-accounts. If you have multiple service accounts, then each one should have a unique role with just enough privileges to accomplish its task. This is in line with least-privilege operations.
  4. change-sso-admin-password: A great catch. When installing Windows vCenter, you’re prompted to change the password of administrator@vsphere.local. When installing the VCSA in a default manner you are not. This control reminds you to go back and do that.

The rest are formatting, spelling, clarification, etc. One interesting change is the “enable-nfc-ssl” control. It has been renamed to “verify-nfc-ssl” now that SSL is enabled by default in 5.5 for NFC traffic. All of the changes are called out in the Change Log.

I’d like to thank the many customers and internal folks who have contributed and pointed out the errors that needed correcting. It’s great to have so many folks that are willing to pitch in!

Head on over to the vSphere Hardening Guide page to grab your copy now!

Thanks and please feel free to contact me on Twitter at @vspheresecurity or email to mfoley at vmware.com if you have any input you’d like to share.

Enjoy!

mike

vSphere Hardening Guide 5.5 Update 1 Beta 2 released

After a lot of great feedback from the community, here’s Beta 2.1 of the vSphere Hardening Guide for vSphere 5.5 Update 1.

There were some editing mishaps (cut off cells in the Excel sheet) that have been fixed since the Beta 1 release.

Also, all the *-no-self-signed-certs guidelines have been updated to be more in line with the contents in the ESX Security Whitepaper.

You can get the Beta 2.1 of the guide from the Security and Compliance Community.

The goal is to release this updated Hardening Guide the 1st week of June.

Thanks for all the great feedback. I look forward to getting more!

If you want to keep it private, send me email. mfoley at vmware dot com. I’ll return your emails as quickly as I can.

mike

vSphere Hardening Guide 5.5 Update 1 Beta released

Hi everyone,

It’s that time again! Actually, it’s the first time that I’m aware of that the vSphere hardening guide has been updated between major releases! Please head on over to the Security and Compliance VMware Community and download the beta of the vSphere 5.5 Update 1 Hardening Guide.

This is a beta release of the guide and as such, I would very much appreciate your prompt feedback. Please reply here or in the Community THIS WEEK. I’d like to release this for General Availability next week.

Here are the proposed changes in the guide.

There are 4 new additions to the guide. Please review.

  1. enable-VGA-Only-Mode: Used for server VMs that don’t need a graphical console, e.g. Linux web servers, Windows Core, etc.
  2. disable-non-essential-3D-features: Remove 3D graphics capabilities from VMs that don’t need them.
  3. use-unique-roles: A new companion control to use-service-accounts. If you have multiple service accounts, then each one should have a unique role with just enough privileges to accomplish its task. This is in line with least-privilege operations.
  4. change-sso-admin-password: A great catch. When installing Windows vCenter, you’re prompted to change the password of administrator@vsphere.local. When installing the VCSA in a default manner you are not. This control reminds you to go back and do that.

The rest are formatting, spelling, clarification, etc.

I had considered removing “disable-datastore-browser” and “disable-mob”. I’m holding off at the moment on those. I think they add more trouble than they protect against, but I’d like to get more input. Feedback on these two would be GREATLY appreciated.

Remember, I really do listen to your feedback. This is as much your guide as it is VMware’s. I look forward to your comments!

mike

What happened to that Hardening Guide setting?

Hi!

As usual, most of my blog posts come from customer or field questions. Here’s a new one that crossed my path recently.

A customer running vSphere 5.1 was finding some anomalies within their VMs. Their belief was that some of the vSphere Hardening Guide settings were causing them. When this was assigned to me, I noticed that they were referencing the vSphere 4.1 Hardening Guide!

The customer was applying guidelines from the 4.1 guide against a 5.1 system. They believed that the guideline was still relevant because it was referenced in a KB. (I’m going to try and get that fixed!)

The guideline setting is “guest.commands.enabled”. The 4.1 guide said to set this to False. The 4.1 guide AND the KB both state that setting this to False would disable the operation of VMware Consolidated Backup (VCB) and VMware Update Manager (VUM), both of which call the VIX API for guest operations.

Cue the old Henny Youngman “Doc, it hurts when I do this!” so the Doctor says “Don’t do that!”  Thanks, I’ll be here all week. Try the veal! <rimshot>


Security Updates in vSphere 5.5 Update 1 + Hardening Guide news

5.5 Update 1 Release Notes

vSphere 5.5 Update 1 was released on March 11th, 2014. The primary drivers for this release were lots of bug fixes and support for VSAN. At the risk of duplicating a huge amount of the release notes, please review in detail those things that are important to you. There are a number of things in Upgrade and Installation, and there’s a specific Security section that would be of interest. Also review the Known Issues section, as there are some interesting tidbits in there as well.

5.5 Hardening Guide Update

I will be releasing an update to the vSphere Hardening Guide to go along with 5.5 Update 1 in the next couple of weeks. I’ve been collecting updates since it was released shortly after 5.5. No MAJOR changes, just minor fixes and a couple of clarifications and at least one deletion. More on this soon. I know it’s a hot button for some folks.

If there’s something YOU think needs to be corrected, now is the time to let me know!

Get in touch as a reply to this blog or preferably an email to me. I’m mfoley at VMware.com.

Thanks,

mike

Can an admin peek inside my VM?

A great question crossed my desk today from a customer. “Can a VI Admin who has root access to ESXi “abuse” their privileges and “peek” inside the guests of VMs hosted on the server?”

The short answer? If your ESXi admin has root or full administrator privileges, they can do anything. Nobody should be surprised by this! HOWEVER, you can mitigate, limit and monitor what is being done.

But first, let’s quickly review what is meant by “peek inside the guest”. In the human world,

Security of the VMware Hypervisor – A Whitepaper

Hi!

I’m happy to announce the availability of a whitepaper that I had been working on for much of the past year. Since I joined VMware back in January of 2013, an almost weekly request was for a whitepaper that helps IT teams explain the security of the VMware vSphere hypervisor, a.k.a. ESXi, to a security professional.


Have you checked the root password expiration on your 5.5 VCSA today?

Hi,

Now that 5.5 has been out a while and many of you have been making the move to the VMware vCenter Virtual Appliance (a.k.a. VCSA), here’s a friendly reminder to check the password expiration of the root account on the virtual appliance! If you’ve been following my blogs, you’ll remember in Part 2 of the “Virtual Appliances getting more secure with vSphere 5.5” series, I HIGHLY recommended that you check root password expiration ASAP!

The VCSA root password is set to expire 90 days from deployment time. Go to Part 2 of the series to find out how to set your expiration to a longer date. Note that from the VAMI interface, you can supply an email address to notify 7 days prior to expiration of the password. Don’t miss updating this step! Log into the VAMI web interface via https://<vcsa FQDN or IP>:5480. Go to the Admin tab and update whether the password expires, for how long and what email address to notify. Make sure your SMTP configuration works correctly.


[Update] A KB was released on 10-Jan-2014 for those who may be locked out of their appliance or want to disable the forced lockout. I urge you to review KB2069041.

mike

VMware Communities Podcast – Hardening Guide and secure virtual appliances

Tomorrow, November 6th, I’ll be hosting the VMware Communities Roundtable Podcast! We’ll be talking about the recently released vSphere 5.5 Hardening Guide and the massive amount of work that’s been done to secure VMware virtual appliances!

Joining me will be Simon Mijolovic (we just call him “Simon”), the Staff Program Manager for virtual appliance security and Greg Murray, Product Manager for, among many things, virtual appliances at VMware.

Simon will be going over the changes that were made to make our virtual appliances secure out of the box (91-95% DISA STIG compliant!).

Greg will be there to gather feedback on what YOU want to see out of our virtual appliances. Do NOT miss this opportunity to be heard by the folks that can do something about it!

I’m not sure what John Troyer @jtroyer was thinking when he handed me the keys to his baby for the day but I’m sure it will be fun and interesting! I hope you can join us whether it’s live on Talkshoe or later as a downloaded podcast!

A wrap-up of the podcast will be located on the podcast archives within a few days.

I’m looking forward to talking with many of you tomorrow!

mike