
Category Archives: Security

Logging USB devices plugged into ESXi


I just found an interesting question on an internal message board here in VMware. A customer was wondering if it was possible to disable USB ports at the ESXi level. They are a very security-conscious organization and they want to block any opportunity for someone internally with malicious intent to plug in a USB drive. Normally, this would be done at the BIOS level of the hardware, but some device manufacturers don’t implement that functionality.


vCenter Server 5.5 Update 2 Released

Today VMware released Update 2 of its vSphere management solution, vCenter Server. In this release there are updates to the supported database versions and many resolved known issues.

What’s New

  • vCenter Server database support: vCenter Server now supports the following external databases:
    • Oracle 12c. Important: For prerequisite requirements, see KB 2079443.
    • Microsoft SQL Server 2012 Service Pack 1
    • Microsoft SQL Server 2014
  • vCloud Hybrid Service: The vCloud Hybrid Service (vCHS) introduces a new container, Hybrid Cloud Service, on the vSphere Web Client home page. The Hybrid Cloud Service container contains the vCHS installer and the new vCloud Connector installer.
  • Customer Experience Improvement Program: The vSphere customer experience improvement program is introduced to collect configuration data for vSphere and transmit weekly to VMware for analysis in understanding the usage and improving the product. For more details, see the vSphere Documentation Center.


SDDC Reference Architecture

I’m pleased to announce the first in a series of reference architectures is now available.

This reference architecture showcases the integrations between VMware vCloud® Suite Enterprise, VMware NSX for vSphere®, and VMware vCenter Log Insight to create an on-demand infrastructure with a secure networking environment. It is based on real-world scenarios, user workloads, and infrastructure system configurations. It uses industry-standard servers, IP-based storage, and 10-Gigabit Ethernet (10GbE) networking to support a scalable and redundant architecture based on vCloud Suite Enterprise version 5.5.


SSH keys when using Lockdown Mode – A 5.x Hardening Guide update

Hi,

I was informed today that there is a behavior in the 5.1 through 5.5 Update 1 Hardening Guides that is incorrectly documented.

The two affected guidelines are:

  • ESXi.enable-lockdown-mode
  • ESXi.remove-authorized-keys


vSphere IAAS Interoperability: Virtual SAN, NSX, OpenStack

Just in time and right before everyone is off on a long 4th of July weekend here in the good old U.S. of A, I wanted to share an integration demo that I’ve been holding for some time now. Hopefully everyone can see the fireworks delivered by the demo as well.

In this demonstration we’re showcasing the advanced IAAS features and deep integration of vSphere with Virtual SAN and NSX, using OpenStack as the Cloud Management Portal for a multi-tenant IAAS platform. To prove our point here, this is not just some isolated lab environment; this is a real environment running today and it’s leveraging currently available technologies.

The environment utilized in this demonstration is actually the NSBU internal cloud, which has over 200 environments as a mix of KVM and vSphere. Virtual SAN is used for all vSphere datastores and NSX is used for all tenant connectivity, with OpenStack providing a scalable and secure multi-tenant, multi-hypervisor environment.

This demonstration showcases the agility and flexibility of the integration capabilities of vSphere, NSX and Virtual SAN. In the demonstration we rapidly stand up a two-tier ‘application’ and demonstrate the connectivity between all elements of the virtual machines providing the applications.

When complete, all instances, networks and routers are decommissioned and the tenant is returned to an ‘empty state’. The whole process takes less than 10 minutes (as can be seen in the instance uptime section in the Horizon UI).

vSphere Hardening Guide 5.5 Update 1 Released!

I’m happy to announce the general availability of the vSphere Hardening Guide for vSphere 5.5 Update 1. This has been a work in progress for a little while now and I’m glad to get it out there!

There are 4 new additions to the guide. Please review.

  1. enable-VGA-Only-Mode: Used for server VMs that don’t need a graphical console, e.g. Linux web servers, Windows Core, etc.
  2. disable-non-essential-3D-features: Remove 3D graphics capabilities from VMs that don’t need them.
  3. use-unique-roles: A new companion control to use-service-accounts. If you have multiple service accounts, then each one should have a unique role with just enough privileges to accomplish its task. This is in line with least-privilege operations.
  4. change-sso-admin-password: A great catch. When installing Windows vCenter, you’re prompted to change the password of administrator@vsphere.local. When installing the VCSA in a default manner, you are not. This control reminds you to go back and do that.

The rest are formatting, spelling, clarification, etc. One interesting change is the “enable-nfc-ssl” control. That has been renamed to “verify-nfc-ssl” now that SSL is enabled by default in 5.5 for NFC traffic. All of the changes are called out in the Change Log.

I’d like to thank the many customers and internal folks who have contributed and pointed out the errors that needed correcting. It’s great to have so many folks that are willing to pitch in!

Head on over to the vSphere Hardening Guide page to grab your copy now!

Thanks and please feel free to contact me on Twitter at @vspheresecurity or email to mfoley at vmware.com if you have any input you’d like to share.

Enjoy!

mike

Does Enhanced vMotion Compatibility (EVC) Affect Performance?

YES!

Now that I’ve scared you, let’s take a look at these use cases.


vSphere Hardening Guide 5.5 Update 1 Beta 2 released

After a lot of great feedback from the community, here’s Beta 2.1 of the vSphere Hardening Guide for vSphere 5.5 Update 1.

There were some editing mishaps (cut off cells in the Excel sheet) that have been fixed since the Beta 1 release.

Also, all the *-no-self-signed-certs guidelines have been updated to be more in line with the contents in the ESX Security Whitepaper.

You can get the Beta 2.1 of the guide from the Security and Compliance Community.

The goal is to release this updated Hardening Guide the 1st week of June.

Thanks for all the great feedback. I look forward to getting more!

If you want to keep it private, send me email. mfoley at vmware dot com. I’ll return your emails as quickly as I can.

mike

vSphere Hardening Guide 5.5 Update 1 Beta released

Hi everyone,

It’s that time again! Actually, it’s the first time that I’m aware of that the vSphere hardening guide has been updated between major releases! Please head on over to the Security and Compliance VMware Community and download the beta of the vSphere 5.5 Update 1 Hardening Guide.

This is a beta release of the guide and as such, I would very much appreciate your prompt feedback. Please reply here or in the Community THIS WEEK. I’d like to release this for General Availability next week.

Here are the proposed changes in the guide.

There are 4 new additions to the guide. Please review.

  1. enable-VGA-Only-Mode: Used for server VMs that don’t need a graphical console, e.g. Linux web servers, Windows Core, etc.
  2. disable-non-essential-3D-features: Remove 3D graphics capabilities from VMs that don’t need them.
  3. use-unique-roles: A new companion control to use-service-accounts. If you have multiple service accounts, then each one should have a unique role with just enough privileges to accomplish its task. This is in line with least-privilege operations.
  4. change-sso-admin-password: A great catch. When installing Windows vCenter, you’re prompted to change the password of administrator@vsphere.local. When installing the VCSA in a default manner, you are not. This control reminds you to go back and do that.

The rest are formatting, spelling, clarification, etc.

I had considered removing “disable-datastore-browser” and “disable-mob”. I’m holding off at the moment on those. I think they add more trouble than they protect, but I’d like to get more input. Feedback on these two would be GREATLY appreciated.

Remember, I really do listen to your feedback. This is as much your guide as it is VMware’s. I look forward to your comments!

mike

What happened to that Hardening Guide setting?

Hi!

As usual, most of my blog posts come from customer or field questions. Here’s a new one that crossed my path recently.

A customer, running vSphere 5.1, was finding some anomalies within their VMs. Their belief was that some of the vSphere Hardening Guide settings were causing it. When this was assigned to me, I noticed that they were referencing the vSphere 4.1 hardening guide!

The customer was applying guidelines from the 4.1 guide against a 5.1 system. They believed that the guideline was still relevant because it was referenced in a KB. (I’m going to try and get that fixed!)

The guideline setting is “guest.commands.enabled”. The 4.1 guide said to set this to False. The 4.1 guide AND the KB both state that setting this to False would disable the operation of VMware Consolidated Backup (VCB) and VMware Update Manager (VUM), both of which call the VIX API for guest operations.

Cue the old Henny Youngman “Doc, it hurts when I do this!” so the Doctor says “Don’t do that!” Thanks, I’ll be here all week. Try the veal! <rimshot>
