Joining me will be Simon Mijolovic (we just call him “Simon”), the Staff Program Manager for virtual appliance security and Greg Murray, Product Manager for, among many things, virtual appliances at VMware.
Simon will be going over the changes that were made to make our virtual appliances secure out of the box (91-95% DISA STIG compliant!).
Greg will be there to gather feedback on what YOU want to see out of our virtual appliances. Do NOT miss this opportunity to be heard by the folks that can do something about it!
I’m not sure what John Troyer @jtroyer was thinking when he handed me the keys to his baby for the day but I’m sure it will be fun and interesting! I hope you can join us whether it’s live on Talkshoe or later as a downloaded podcast!
A wrap-up of the podcast will be located on the podcast archives within a few days.
I’m looking forward to talking with many of you tomorrow!
I’m happy to report that the vSphere 5.5 Hardening Guide has been released for General Availability. My thanks to all that contributed their feedback to make this happen. The guide has been given a full makeover with regard to documentation references. I’m in Renate’s debt for those stellar contributions. Additionally, some guidelines have been removed and some new ones added.
Along with the guide, similar to the 5.1 release, I’m releasing a change log worksheet.
One thing to note, the “Profiles” column has been renamed “Risk Profiles”. This was done to bring to light the function of the column. I am frequently quizzed by IT administrators that have been told to “Implement the Hardening Guide”. As written, the Hardening Guide is a list of guidelines, not mandates. Please note that some guidelines in the Risk Profile 1 category can break functionality!
As with any security measures, they should not be applied in a blanket fashion. I would encourage IT administrators and security folks to work together and assess each guideline for applicability, risk management and impact to the business and operations. The Risk Profiles help to categorize the guidelines that could be applicable to your environment.
I’m working with the VMware web team to have the guide and the change log officially moved over to the Hardening Guide page on VMware.com. I will update the discussion in the Communities and post a reply to this blog article when that has been completed.
As always, your input is very valuable to me and VMware as a whole. If you have questions that can’t be asked in a public forum, reach out to me via email, mfoley-at-vmware.com. For more frequent updates to vSphere security news and facts, follow me on Twitter at @vSphereSecurity.
Part of my role at VMware is to work closely with our customers and partners, sharing experiences and feedback with internal VMware Product Management and Engineers to help make our products better. One area that has received noticeably more focus than others over the last 12 months has obviously been vCenter Single Sign-On.
Due to this feedback, one of the drivers for the new vCenter Single Sign-On was to provide backwards compatibility, and to highlight this, a Knowledge Base article was recently released.
I’m happy to announce the availability of the vSphere 5.5 Hardening Guide Release Candidate. A SIGNIFICANT amount of documentation updates have been incorporated into the guide to really round it out. There have been some new additions and some deletions to the guide. All changes are documented in the changelog spreadsheet.
You can download the guide and the changelog here. All changes are color-coded in the changelog and within the RC release spreadsheet. The colors will be removed from the final GA document but will remain in the changelog.
I would encourage you to review the document and provide feedback ASAP. The goal is to release this for General Availability in the next week unless significant changes come in. You can reply to the discussion with your updates or contact me directly at mfoley @ vmware.com.
When the guide is released for GA, it will be uploaded to the normal location.
Have you ever wondered how Roles and Permissions work using the vSphere Web Client? Here’s a great video brought to you by VMware Tech Pubs. Peter Shepherd does a great job in introducing you to Roles and Permissions and how to get the most out of them. He will lead you through the steps to create an administrator role for a specific virtual machine in four and a half minutes!
In Parts 1 and 2 we introduced the VMware Hardened Virtual Appliances and went over password management. In Part 3, we’ll focus on a new tool, dodscript.sh, that helps you configure your VMware Hardened Virtual Appliances to comply with enhanced security requirements like DISA, and we’ll go over access control and time management.
One of the coolest things that I think many in the Federal space will jump for joy over is the new inclusion of a script for modifying many DISA-required settings. These settings are:
Hopefully by now you’ve read Part 1. In there we discussed the new security features of many new VMware virtual appliances, including some that are being released with vSphere 5.5. In this post and the two following, we’ll start the discussion on how to enable your virtual appliances to be compliant with site-specific requirements. If you’re falling under DISA STIG requirements, the next few posts are for you! It’s time to get your geek on with Parts 2, 3 & 4!
With VMworld San Francisco in our rear view mirror, the flow of information coming in from many sources is staggering! Well, in that spirit, here’s some more!
At VMware we take security very seriously. We are working very hard to deliver products that are more secure out of the box. The direction we have taken is to ship hardened systems where you have to make a conscious decision to loosen controls. An outcome of this effort is some great changes to virtual appliances!