
Tag Archives: vsphere

VMware CP&C releases VMware vSphere 6.0 Hardening Guide Compliance toolkit in VCM!

The VMware Center for Policy & Compliance (CP&C) team is pleased to announce the release of the VMware vSphere 6.0 Hardening Guide Compliance toolkit in VMware vCenter Configuration Manager (VCM). The toolkit consists of automated compliance rules to assess your VMware vSphere 6 based virtualized environments against the hardening guide. It covers 100% of the hardening guide recommendations.

The hardening guide has three risk profiles that group the recommendations based on the sensitivity of your environment. You can pick the compliance toolkit for the respective risk profile, or get all the rules at once and then modify them to suit your sensitivity category.


VMware CP&C releases PCI DSS 3.0 Compliance toolkit for Virtual Environments in VCM!

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the availability of the Payment Card Industry Data Security Standard (PCI DSS) 3.0 Compliance toolkit for Virtual Environments in VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops).

PCI DSS 3.0 comes into effect on January 1, 2014. We turned it around quickly and now have PCI DSS 3.0 compliance toolkits available for the following VMware vSphere based virtual environments:

  • VMware vSphere 5.0
  • VMware vSphere 5.1
  • VMware vSphere 5.5


vSphere Security Blog Update


Those of you who follow the vSphere Security blog are probably wondering why there hasn’t been much information posted here. I have been posting in the vSphere Blog in order to get more eyes on the security messaging of vSphere. I would encourage you to follow me there, or at @vSphereSecurity on Twitter, for more frequent updates.

Please note that the big news is the release of the vSphere 5.5 Hardening Guide. This release comes less than 3 weeks after the general availability of vSphere 5.5. If you have input for future hardening guide releases, please don’t hesitate to contact me!

Here’s a list of a few of the more recent items that I’ve posted in case you missed them.

  1. The vSphere 5.5 Hardening Guide has been released!
  2. vSphere Web Client Roles and Permissions How-To Video
  3. Virtual Appliances getting more secure with vSphere 5.5 – Part 1
  4. Virtual Appliances getting more secure with vSphere 5.5 – Part 2
  5. Virtual Appliances getting more secure with vSphere 5.5 – Part 3
  6. Virtual Appliances getting more secure with vSphere 5.5 – Part 4
  7. ESXi, syslog and logins
  8. “It’s a Unix system, I know this!”
  9. Grant shell access to this user? No worries mate!
  10. Skating your way to the SDDC

Thanks for all your interest in making vSphere an even better and more secure platform. I encourage you to get involved and reach out to me with your input, thoughts and concerns. Security is not a destination, it’s a journey, so we can always be working to make things better!


VMware Common Criteria Update – April 2013

The following is an article from Eric Betts, who manages VMware’s Common Criteria certification program.

Feedback on VMware’s announcement of vSphere 5.1 achieving “In-Evaluation” status has been overwhelmingly positive. However, it also caused quite a flurry of questions regarding the change in EAL level from EAL4+ to EAL2+, and questions about EAL4 vs. EAL2. This blog posting will help clarify VMware’s position and give an overview of the reform changes in progress with Common Criteria.

Information Technology (IT) customers often leverage third-party validations, such as Common Criteria, for assurance of IT product features and implementation, and for compliance with a known standard. Common Criteria is a methodology framework for the evaluation of IT products, mutually recognized by 26 member nations (up to EAL4), and is an ISO standard (ISO-15408). These factors, among many others, have contributed to the success, acceptance and often the requirement of Common Criteria certifications for Government and Defense related procurement. However, as with any technology, process or standard, it must evolve and adapt to address current technologies and industry trends to remain relevant. Common Criteria is evolving to address such needs.

The National Information Assurance Partnership (NIAP), in cooperation with other countries, has initiated a series of changes for reform. Changes include enlisting the help of industry through technical communities for the development of new Protection Profiles (PP), and improving the consistency, speed and efficiency of evaluations. As part of the reform, requirements for specific EAL levels will be replaced with “Approved Protection Profiles”, and products will be listed as “PP Compliant”. Products which implement the functionality described in a protection profile will then be evaluated in a consistent manner and against the same security threats observed by the larger security community. In the event that there is no protection profile in place at the time of entering evaluation, evaluations will be accepted up to a maximum evaluation level of EAL2, which is roughly consistent with the level of detail in the current protection profiles.

Security claims for prior Common Criteria evaluations were driven by vendor-developed Security Targets and optional Protection Profiles. While this provided vendors with greater flexibility, it also created the opportunity for inconsistent evaluations. Going forward, products will be required to conform to a set of security claims from a mandatory protection profile. This baseline will improve consistency across evaluations, testing laboratories and international schemes.

The Common Criteria certification of vSphere 5.1 at EAL2+ demonstrates VMware’s continued commitment to evolving standards, validation of the latest VMware platform, and providing assurance to our customers.

The National Information Assurance Partnership (NIAP) developed a FAQ which provides in-depth details on the Common Criteria reform, titled “Frequently Asked Questions for NIAP/CCEVS and the Use of Common Criteria in the US (28 March 2012)”.

The FAQ below is based on specific questions and discussions at VMware:

Q: Why is vSphere being certified at EAL2?

A: As stated in the NIAP FAQ, the ability to certify at EAL4 was sunset as part of the Common Criteria reform. When vSphere started the certification process, EAL2 was the target level for commercial software.

Q: You just stated that Common Criteria evaluations at EAL4 are no longer possible, but I searched and discovered VMware vCNS 5.1.2 on the “In-Evaluation” list at EAL4. What gives?

A: Correct. The short answer is timing and timelines. vCNS entered evaluation while EAL4 evaluations were still being accepted. However, by the time vSphere entered evaluation, certifications at EAL4 were no longer being accepted.

Q: Does certifying at EAL2+ mean that vSphere 5.1 is less secure?

A: No, absolutely not! The certification process by which vSphere 5.1 is being evaluated is changing. vSphere 5.1 remains the trusted centerpiece of the industry-leading virtualization platform for building flexible cloud infrastructures with the performance and reliability to run the most demanding enterprise applications.

Q: Why didn’t vSphere 5.1 conform to a mandatory Protection Profile?

A: When vSphere 5.1 entered evaluation, a protection profile for virtualization was not available. vSphere 5.1 will be a Security Target based evaluation. The vSphere 5.1 Security Target contains a full, comprehensive set of security claims; where applicable, portions were leveraged from existing protection profiles such as General Purpose Operating System (GPOS).

Also see NIAP FAQ questions #14 & #16.

VMware was an active participant in the Tech Community that developed the foundation content for the Virtualization Protection Profile.  The Protection Profile for Virtualization is currently under development and the estimated completion date is Q3/2013.

See the complete NIAP PP lists:

  • Completed: http://www.niap-ccevs.org/pp/
  • In draft: http://www.niap-ccevs.org/pp/draft_pps/

Q: Why is vSphere 5.1 being certified through Canada and not the US?

A: Common Criteria certifications up to EAL4+ are mutually recognized by all member nations. All schemes are governed and accredited by identical standards, so location isn’t important. The decision to certify through Canada was based on several business factors.

Also see the Common Criteria Recognition Agreement “Vision Statement”.

Q: Why are some products still being certified at EAL4 through other schemes?

A: While the US, Canada and most other schemes are in lock-step agreement with the proposed timelines and processes for reform, some schemes decided to postpone adopting the new NIAP direction and continue to perform evaluations at EAL4 for specific country requirements.

Join the conversation:

VMware community discussion: “VMware Common Criteria Security Certification Update”


vSphere 5.0 Security Hardening Guide Released

I would like to announce the official release of the vSphere 5.0 Security Hardening Guide. This version represents a significant step in the evolution of this guide. Based on feedback from customers and partners, the guide was re-structured from the ground up with the following key aspects:

  • The guide is being released exclusively in spreadsheet format. Many of you have indicated that, although the accompanying text found in previous versions of the guide is interesting, the specific steps for assessment and remediation of the recommendations are really what matters. Since people often end up putting the guide into spreadsheet format anyway, we figured we’d save you the trouble!
  • All guidelines have the same set of metadata and a new standardized, extensible identification scheme. This will enable customers to more readily adapt the guide to their particular environment by selecting the specific guidelines and fields that are of interest to them, and will also help them generate standard checklists and similar documents.
  • A primary goal for this guide was to enable greater automatability. To this end, the guide includes both assessment and remediation commands for the three main vSphere CLIs: vSphere CLI (vCLI), ESXi Shell, and PowerCLI. References have also been added to the sections of the vSphere API documentation that relate to each specific guideline.
  • The previous recommendation levels have been replaced by a system using Profiles. This is part of the move towards putting the guide into an industry-standard format, a potential benefit that will be fully realized in the future.

The Introduction tab of the guide describes the new naming scheme, structure, recommendation levels, and other aspects of the guide in more detail. Please read this tab first before diving into the rest of the guide, as it provides important context.

The vSphere 5.0 Security Hardening Guide has been posted to the VMware Communities in the “Security and Compliance” area, in the Documents tab. Thanks to everyone who provided feedback on the Public Draft, and also to the team at VMware who contributed to this guide in many significant ways.

Charu Chaubal
Technical Marketing, Cloud Infrastructure

vCenter Configuration Manager 5.5 is now Generally Available

As you are probably aware, back in October we unveiled the VMware vCenter Operations Management Suite, designed to deliver integrated performance, capacity and configuration management for virtualized and cloud computing environments. What is less well known is that VMware vCenter Configuration Manager is the anchor for the “configuration” management capabilities within the suite. Having been part of Configuresoft for several years before it was first purchased by EMC and then sold to VMware, I feel a bit like a dad watching his baby grow up. The technology that was Configuresoft is at the heart of vCenter Configuration Manager.

With today marking the general availability of vCenter Configuration Manager 5.5, I am both excited and proud to see this one go out the door. vCenter Configuration Manager has always been a great solution for ensuring that Operating System software, whether Windows, Linux or Unix, is properly configured to meet a broad range of security best practices, vendor hardening guidelines and regulatory mandates (think HIPAA, PCI, SOX etc.). But with this release, vCenter Configuration Manager becomes an indispensable part of the VMware family, addressing the core requirements of Virtual Infrastructure teams looking to leverage the VMware Cloud Infrastructure Suite as the foundation for business critical workloads moving to the cloud.

The primary theme for the vCenter Configuration Manager 5.5 release is “Cloud Ready”. New capabilities within this release significantly increase the ability of the Virtual Infrastructure team to ensure that their VMware Infrastructure is properly configured to meet the rigorous demands associated with virtualizing business critical workloads, including addressing requirements associated with VMware’s own hardening guidelines.

This new release dramatically increases the ability to track configuration changes and to assess configuration compliance across the VMware Infrastructure, including the ESX, ESXi, vCenter, vCloud Director and vShield products. There is also a substantially greater number of new configuration actions that can be executed against vCenter, ESX and ESXi configurations. These configuration actions can be executed against a single object or in bulk against multiple objects spanning multiple vCenters. They can be executed as part of an organization’s general configuration management processes or as part of a configuration compliance program.

The enhancements to vCenter Configuration Manager 5.5 put tremendous visibility and control at the fingertips of the Virtual Infrastructure team responsible for VMware Infrastructure. To help illustrate this I have included an example of how vCenter Configuration Manager can help manage configuration changes across the VMware Infrastructure (Figure 1). This particular high level dashboard is focused on the Virtual Infrastructure team and shows all changes that have occurred across the VMware Infrastructure for a specific time period.



You can quickly drill down into any of these dashboards to investigate anything of interest or concern. In this example I’ve drilled down into a specific vCenter (Figure 2) to understand a change associated with the “client.timeout.normal” setting. I can see that this setting has been changed from 60 seconds to 10, which I know is out of compliance with operational best practices for vCenter (which call for this setting to be equal to or greater than 60 seconds).

Fig 2

In addition to the ability to see and understand prior changes, vCenter Configuration Manager provides the ability to change configuration settings across the VMware infrastructure (Figure 3). I can do this for a single object or for multiple objects. Bulk configuration changes can be directed across objects that span vCenters.

Fig 3

Finally (Figure 4), I can proactively manage configurations through compliance, where I create rules and templates (collections of rules) for any configurations I want to ensure are uniformly applied across my entire virtual data center or across subsets of “like objects” in my data center. vCenter Configuration Manager comes with a rich set of templates out of the box that can be used as is or as the starting point for the development of your own internal best practices.

Fig 4
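To make the change-tracking and rules-and-templates workflow above concrete, here is an added illustration (not VCM code and not VMware's own rule engine): it diffs two snapshots of a vCenter's advanced settings and evaluates a template of rules against the current one. The only rule taken from the post is that client.timeout.normal must be at least 60 seconds; the second setting name and both snapshots are constructed sample data, and a missing or non-numeric value is treated as a failure rather than ignored.

```python
"""Change tracking and compliance evaluation over vCenter setting snapshots.

Added illustration, not vCenter Configuration Manager code. The one rule
taken from the blog post is client.timeout.normal >= 60 seconds; the other
setting name and both snapshots are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str                       # rule description, as shown in a report
    setting: str                    # advanced setting key the rule inspects
    check: Callable[[str], bool]    # predicate on the raw string value


def at_least_seconds(minimum: int) -> Callable[[str], bool]:
    """Build a check for integer settings that must be >= minimum seconds."""
    def check(raw: str) -> bool:
        try:
            return int(raw) >= minimum
        except ValueError:
            return False            # a non-numeric value cannot satisfy the rule
    return check


# A template is a named collection of rules, like VCM's compliance templates.
OPERATIONAL_TEMPLATE: List[Rule] = [
    Rule("client.timeout.normal is at least 60 seconds",
         "client.timeout.normal", at_least_seconds(60)),
]


def diff_settings(before: Dict[str, str],
                  after: Dict[str, str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (key, old, new) for every setting that differs; absent = None."""
    changes = []
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            changes.append((key, before.get(key), after.get(key)))
    return changes


def evaluate(template: List[Rule], settings: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate every rule of a template; an absent setting fails its rule."""
    results = {}
    for rule in template:
        value = settings.get(rule.setting)
        results[rule.name] = value is not None and rule.check(value)
    return results


# Constructed snapshots of one vCenter's advanced settings (not real data;
# "example.other.setting" is a placeholder key).
SNAPSHOT_BEFORE = {"client.timeout.normal": "60", "example.other.setting": "x"}
SNAPSHOT_AFTER = {"client.timeout.normal": "10", "example.other.setting": "x"}

if __name__ == "__main__":
    for key, old, new in diff_settings(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"changed: {key}: {old!r} -> {new!r}")
    for name, ok in evaluate(OPERATIONAL_TEMPLATE, SNAPSHOT_AFTER).items():
        print(f"{'PASS' if ok else 'FAIL'}: {name}")
```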

The new capabilities of vCenter Configuration Manager 5.5 significantly increase the value delivered to customers purchasing the vCenter Operations Management Suite Enterprise Edition, where today vCenter Configuration Manager is included to address critically important use cases associated with “hardening” the VMware Cloud Infrastructure Suite.

Other significant enhancements to vCenter Configuration Manager in this release include:

  • Ability to create machine groups within vCenter Configuration Manager based on organizational constructs (clusters, virtual datacenters, application trust zones) within vCenter, vCloud Director and vShield.
  • Support for configuration and compliance management of virtualization-specific constructs such as templates and offline VMs (via VMware vCenter Orchestrator workflows delivered separately from the release).
  • The ability to snapshot a VM before making a configuration change.
  • Support for the “Security Content Automation Protocol” (version 1.0), important to federal agencies.
  • A new REST based API that will allow vCenter Configuration Manager to more fully participate in VMware and 3rd party ecosystem solutions.

Early feedback from customers involved in beta testing has been extremely positive. The increased ability of vCenter Configuration Manager to harden the VMware Infrastructure, combined with the existing strength of the product in hardening the Operating System (Windows, Linux, Unix), makes vCenter Configuration Manager fundamental to clouds built on VMware technology. More information can be found by visiting the vCenter Configuration Manager page on VMware.com. Also, be sure to download the free vSphere Compliance Checker, which will help you better understand the value that vCenter Configuration Manager delivers to organizations looking to move business critical workloads to the cloud.

Peace Out!

George Gerchow, Director, VMware Center for Policy and Compliance


VMware’s CP&C releases another free Compliance Checker!

Buenos Dias,

I'm George Gerchow, Director of VMware's Center for Policy & Compliance. I'll be here all week to talk about Compliance in the Cloud and answer your questions.

Today we are going to give you access to a FREE downloadable tool that helps you get started on the “Trusted Cloud” ride.

It is the vSphere 4.1 Compliance Checker fresh off the virtual assembly line and compiled by the good folks at CP&C!

Here is how it works:

  • The Compliance Checker runs an assessment on ESX/ESXi hosts managed by vCenter.
  • The assessment is based on a predefined subset of 29 of the vSphere 4.1 Security Hardening Guide rules and is run against the first 5 ESX/ESXi hosts found on the target vCenter.
  • The results for each host include the rules, the rule descriptions, and the success or failure of each rule.

At VMware, we like to call the Compliance Checkers “Crack” for IT, as it gets ya hooked and you will come back for more!

Here is the link so you can get started hardening your vSphere Environment today:


Now this poses a few questions and we would love to get your feedback:

  1. Are free tools like this helpful?
  2. How do you currently lock down your vSphere environment?
  3. Would remediation of the non-compliance results be a good next step?
  4. Do you care about regulatory compliance & vendor best practices? If so, which ones? (PCI, HIPAA, DISA, CIS…)

I will be rollin’ into Denver today like Tom Brady rolled over the Miami secondary last night, but will be online waiting to hear from you. (FYI, in Denver I am giving a keynote at a Healthcare seminar on Trusted Cloud.)

Jump in the discussion on any of our social media channels (blogs, Twitter, Facebook, or community forum):

Here is a sneak peek of what the Checker looks like:


Thanks and have a great day from all of us at CP&C and VMware!

vSphere 4.1 Security Hardening Guidelines for vCenter Configuration Manager (VCM) Released

The VMware Center for Policy and Compliance is excited to announce our content release of the vSphere 4.1 Security Hardening Guidelines for vCenter Configuration Manager (VCM).

CP&C is a group of folks with alphabet soup behind their names who build content and thought leadership and evangelize our Security & Compliance strategy all over the planet.

Why should you care about this latest release? That’s easy: the content supports ESX 4.1, ESXi 4.1 and vCenter 4.1. That means we can automate the continuous collection of data, compare it to our standards, and within minutes provide prescriptive guidance on best practices and reduce the LONG, painful audit cycle.

Together, VCM and Host Profiles become an important part of creating a trusted virtual environment. With VCM and the new CP&C content you can harden your ESX/i hosts based on vSphere standards and use Host Profiles to push these secure settings across your virtual infrastructure. There is no longer a need to painstakingly pore over the best practices or reference technical documentation in order to configure the Host Profile reference host(s) to meet these standards.

By the way, these standards have been recommended to the PCI Security Council as a benchmark for 2.0 content around virtualization. (Stay tuned!)

Yours truly, George Gerchow – VMware Director of CP&C.
vSphere 4.1 Security Hardening Guidelines Compliance Dashboard snapshots: