Recently I was asked by the vBrownbag community to present on vSphere 6 security. vBrownbag is a community-led podcast series that features online webinars covering various virtualization and VMware certification topics, all led by members of the community. It’s an outstanding resource if you are looking to achieve certification or are just in the mood to learn. Read on to see how this webinar went and view it for yourself.
Category Archives: Security
I’m happy to announce that the vSphere 6 Hardening Guide Public Beta 1 is now available.
The guide is being provided as an Excel spreadsheet. I’m also making a PDF document available for easier viewing. In addition, I've included an Excel spreadsheet of the guidelines that have moved out of the guide and into the product documentation. THIS IS INCOMPLETE. We are still working on some of that content. (That's why this is a beta!)
Please read the blog post on the changes that have happened to the guide. There are LOTS of changes, and the post will explain them.
In vSphere 6.0 we now have a new concept called Exception Users. The intent of Exception Users is that they are not general admin users. I would consider them more of a “Service Account” type of access.
As a matter of fact, just the other day I got an email from someone internal at VMware that brought up a great use case for Exception Users. They were talking to a customer that wanted to access ESXi via a PowerCLI cmdlet (Get-VMHostAccount) to list out the local accounts on an ESXi server as part of their normal security reporting.
But they also wanted to enable Lockdown Mode and were finding it difficult to comply with both things. In vSphere 6.0 this is now much easier to address. Let’s get started.
Lockdown Mode has been around in various forms for many releases. Its behavior has changed a few times since 5.1, with varying levels of usability success. For vSphere 6.0 we are trying to address some of these issues. Personally, what I’d love to see happen with all customers running vSphere 6.0 is that you run at a minimum the “Normal” Lockdown Mode.
With vSphere 6.0, the vCenter Virtual Server Appliance (VCSA) now has a component called the Platform Services Controller (PSC). The PSC handles things like SSO and the License Server and ships with its own Certificate Authority, called VMware Certificate Authority (VMCA). In this blog post we’ll quickly go over some of the modes of VMCA operation and how to download and install the VMCA root certificate into your browser.
The vSphere Hardening Guide provides guidance on how to securely deploy VMware vSphere in a production environment. The vSphere Hardening Guide also serves as a foundation upon which regulatory compliance objectives are built: compliance organizations map their compliance guidelines to the vSphere Hardening Guide guidelines.
Hardening guides are an industry-recognized method of implementing stricter security to meet regulatory and local security standards above and beyond frameworks like Common Criteria.
Version 6.0 of the vSphere Hardening Guide is the next step in the evolution of the guide. A goal of the vSphere 6.0 Hardening Guide is to make the guide easier to implement and assess.
The intent of this article is to go over some of the major changes that come with the new 6.0 guide prior to its release. Consider this your “heads up”.
As VMware continues to follow a "secure by default" policy, there are some upcoming security changes to the Transparent Page Sharing (TPS) memory mechanism that you need to be aware of and should assess for potential performance impact.
If you're attending Partner Exchange 2015 and are interested in planning installs and upgrades for the latest versions of vSphere and vSOM, be sure to come check out my session, INF4268.
I just found an interesting question on an internal message board here at VMware. A customer was wondering if it was possible to disable USB ports at the ESXi level. They are a very security-conscious organization and want to block any opportunity for someone internal with malicious intent to plug in a USB drive. Normally this would be done at the BIOS level of the hardware, but some device manufacturers don’t implement that functionality.
Today VMware released Update 2 of its vSphere management solution, vCenter Server. In this release there are updates to the supported database versions and many resolved known issues.
- vCenter Server database support: vCenter Server now supports the following external databases:
- Oracle 12c. Important: For prerequisite requirements, see KB 2079443.
- Microsoft SQL Server 2012 Service Pack 1
- Microsoft SQL Server 2014
- vCloud Hybrid Service: The vCloud Hybrid Service (vCHS) introduces a new container, Hybrid Cloud Service, on the vSphere Web Client home page. The Hybrid Cloud Service container contains the vCHS installer and the new vCloud Connector installer.
- Customer Experience Improvement Program: The vSphere Customer Experience Improvement Program is introduced to collect configuration data for vSphere and transmit it weekly to VMware for analysis, to understand usage and improve the product. For more details, see the vSphere Documentation Center.