As usual, most of my blog posts come from customer or field questions. Here’s a new one crossed my path recently.
A customer, running vSphere 5.1, was finding some anomalies within their VM’s. Their belief was that some of the vSphere Hardening Guide settings were causing it. When this was assigned to me, I noticed that they were referencing the vSphere 4.1 hardening guide!
The customer was applying guidelines from the 4.1 guide against a 5.1 system. They believed that the guideline was still relevant because it was referenced in a KB. (I’m going to try and get that fixed!)
The guideline setting is “guest.commands.enabled”. The 4.1 guide said to set this to False. The 4.1 guide AND the KB both state that setting this to False would disable the operation of VMware Consolidated Backup (VCB) and VMware Update Manager (VUM), both of which call the VIX API for guest operations.
Cue the old Henny Youngman “Doc, it hurts when I do this!” so the Doctor says “Don’t do that!” Thanks, I’ll be here all week. Try the veal! <rimshot>
When talking with customers about our vSphere Distributed Switch I often find that they don’t know about a feature in the Traffic Filtering policy engine that allows for creation of Access Control Lists or ACLs. This is in additional to being able to tag traffic and pass Quality of Service (QoS) or Differentiated services Code Point (DSCP) values up to the physical network for prioritization.
vSphere 5.5 Update 1 was released on March 11th, 2014. The primary drivers for this release were lots of bug fixes and support for VSAN. At the risk of duplicating a huge amount of the release notes, please review in detail those things that are important to you. There’s a number of things in Upgrade and Installation and there’s a specific Security section that would be of interest. Also review the Known Issues section as there’s some interesting tidbits in there as well.
5.5 Hardening Guide Update
I will be releasing an update to the vSphere Hardening Guide to go along with 5.5 Update 1 in the next couple of weeks. I’ve been collecting updates since it was released shortly after 5.5. No MAJOR changes, just minor fixes and a couple of clarifications and at least one deletion. More on this soon. I know it’s a hot button for some folks.
If there’s something YOU think needs to be corrected, now is the time to let me know!
Get in touch as a reply to this blog or preferably an email to me. I’m mfoley at VMware.com.
I’ve had a number of requests for recommendations on the “best way” to restrict access to the ESXi host console. While this is easily done using the ESXi Lockdown Mode feature I’m finding there are some admins who are still under the impression that lockdown mode doesn’t work, and in order to prevent access to the host console you need to disable the console service. While there were some challenges with lockdown mode in the past, things changed in ESXi 5.1.
A great question crossed my desk today from a customer. “Can a VI Admin who has root access to ESXi “abuse” their privileges and “peek” inside the guests of VM’s hosted on the server?”
The short answer? If your ESXi admin has root or full administrator privileges, they can do anything. Nobody should be surprised by this! HOWEVER, you can mitigate, limit and monitor what is being done.
But first, let’s quickly review what is meant by “peek inside the guest”. In the human world, Continue reading →
The VMware Mobile Knowledge Portal iOS and Android app has recently been updated. It sports a great new look and feel and makes finding the information you need even easier by grouping it by area in our SDDC vision.
I’m happy to announce the availability of a whitepaper that I had been working on much of the past year. Since I joined VMware back in January of 2013, an almost weekly request was for a whitepaper that help IT team explain the security of the VMware vSphere hypervisor, a.k.a. ESXi, to a security professional.
Joining me will be Simon Mijolovic (we just call him “Simon”), the Staff Program Manager for virtual appliance security and Greg Murray, Product Manager for, among many things, virtual appliances at VMware.
Simon will be going over the changes that were made to make our virtual appliances secure out of the box (91-95% DISA STIG compliant!).
Greg will be there to gather feedback on what YOU want to see out of our virtual appliances. Do NOT miss this opportunity to be heard by the folks that can do something about it!
I’m not sure what John Troyer @jtroyer was thinking when he handed me the keys to his baby for the day but I’m sure it will be fun and interesting! I hope you can join us whether it’s live on Talkshoe or later as a downloaded podcast!
A wrap-up of the podcast will be located on the podcast archives within a few days.
I’m looking forward to talking with many of you tomorrow!
I’m happy to report that the vSphere 5.5 Hardening Guide has been released for General Availability. My thanks to all that contributed their feedback to make this happen. The guide has been given a full makeover with regard to documentation references. I’m in Renate’s debt for those stellar contributions. Additionally, some guidelines have been removed and some new ones added.
Along with the guide, similar to the 5.1 release, I’m releasing a change log worksheet.
One thing to note, the “Profiles” column has been renamed “Risk Profiles”. This was done to bring to light the function of the column. I am frequently quizzed by IT administrators that have been told to “Implement the Hardening Guide”. As written, the Hardening Guide is a list of guidelines, not mandates. Please note that some guidelines in the Risk Profile 1 category can break functionality!
As with any security measures, they should not be applied in a blanket fashion. I would encourage IT administrations and security folks to work together and assess each guideline for applicability, risk management and impact to the business and operations. The Risk Profiles help to categorize the guidelines that could be applicable to your environment.
I’m working with the VMware web team to have the guide and the change log officially moved over to the Hardening Guide page on VMware.com. I will update the discussion in the Communities and post a reply to this blog article when that has been completed.
As always, your input is very valuable to me and VMware as a whole. If you have questions that can’t be asked in a public forum, reach out to me via email, mfoley-at-vmware.com. For more frequent updates to vSphere security news and facts, follow me on Twitter at @vSphereSecurity