I’m happy to announce the general availability of the vSphere Hardening Guide for vSphere 5.5 Update 1. This has been a work in progress for a little while now and I’m glad to get it out there!
There are 4 new additions to the guide. Please review.
- enable-VGA-Only-Mode: Used for server VM’s that don’t need a graphical console. e.g. Linux web servers, Windows Core, etc.
- disable-non-essential-3D-features: Remove 3D graphic capabilities from VM’s that don’t need them.
- use-unique-roles: A new companion control to use-service-accounts. If you have multiple service accounts then each one should have a unique role with just enough privs to accomplish their task. This is in line with least-priv operations
- change-sso-admin-password: A great catch. When installing Windows vCenter, you’re prompted to change the password of email@example.com. When installing the VCSA in a default manner you are not. This control reminds you to go back and do that.
The rest are formatting, spelling, clarification, etc.. One interesting change is the “enable-nfc-ssl” control. That has been renamed to “verify-nfc-ssl” now that SSL is enabled by default in 5.5 for NFC traffic. All of the changes are called out in the Change Log.
I’d like to thank the many customers and internal folks who have contributed and pointed out the errors that needed correcting. It’s great to have so many folks that are willing to pitch in!
Head on over to the vSphere Hardening Guide page to grab your copy now!
Thanks and please feel free to contact me on Twitter at @vspheresecurity or email to mfoley at vmware.com if you have any input you’d like to share.