VMware would like to announce the availability of a public draft for the vSphere 4.0 Security Hardening Guide. This guide represents a new approach to providing security guidance from VMware. Compared with the previous VI3 Hardening Guides, the current guide has the following highlights:

  • Structure: this version uses a standardized format, with formally defined sections, templates, and reference codes. The goal is to increase clarity and reduce ambiguity, make it easier to reference individual guidelines, and, most of all, enhance the ability to automate guideline enforcement.
  • Recommendation levels: following the formats used by NIST, CIS, and others, this guide categorizes all guidelines into three security levels. Instead of recommending a single set of guidelines for all environments, this guide encourages a risk-based approach, so that individual administrators can decide which guidelines apply to their environment.

Overall, there are more than 100 guidelines. The guide itself is split into the following major sections:

  • Introduction
  • Virtual Machines
  • Host
  • vNetwork
  • vCenter
  • Console OS (for ESX)

The Introduction section describes the structure, recommendation levels, and other aspects of the guide in more detail.

Another new aspect of the guide is the desire to create it with input from the VMware community. This draft is available for public comment for a period of approximately one month. VMware’s intention is to incorporate public feedback into the next revision of the guide, which will be the final version. However, this current revision is the result of a private review of an initial draft, and so we believe that the final version will not differ too significantly. This revision can therefore be used for customer production deployments today, with the caveat that some new guidelines might be added and some existing ones slightly modified.

We invite anybody who’s interested to download the draft, analyze it, and provide comments. Items for which additional feedback from the community is desired are indicated in the text of the guide, e.g. in italics or highlighted, with a “TODO” label, or in a subsection titled “To Be Addressed”.

The sections of the guide have been posted to the VMware Communities in the “Security and vShield Zones” area. They can be found in the Documents tab. For each section, please provide feedback in the Comments area for the specific document.