VMware vCenter Configuration Manager 5.6 Security Guide
Table Of Contents
- VMware vCenter Configuration Manager Security Guide
- Contents
- About This Book
- Introduction to VCM Security
- Domain Infrastructure
- VCM Installation Kits
- Server Zone Security
- VCM Collector Server
- SQL Server
- Web Server
- VCM Agent Systems and Managed Machines
- VCM User Interface System
- Software Provisioning Components
- Operating System Provisioning Components
- Decommissioning
- Authentication
- Transport Layer Security
- Keys and Certificates
- How VCM Uses Certificates
- Installing Certificates for the VCM Collector
- Changing Certificates
- Delivering Initial Certificates to Agents
- Storing and Transporting Certificates
- Mark a Certificate as Authorized on Windows
- Creating Certificates Using Makecert
- Update the Collector Certificate Thumbprint in the VCM Database
- Managing the VCM UNIX Agent Certificate Store
- Supplemental References
- Index
2 Domain Infrastructure
Securing the domain infrastructure for use with VCM involves configuring the domain controller,
network infrastructure services, network infrastructure systems, certificates, accounts, and personnel.
Using VCM to Manage Infrastructure Zone Systems
After you install VCM, your first course of action should be to manage the infrastructure zone systems in VCM and subject them to assessment. VCM comes with compliance rules for domain controller best practices, domain controller health, and other settings that are valuable in domain infrastructure zones. In addition, you can create your own templates and rules.
The rest of this chapter briefly explains the infrastructure zone security hardening steps to pursue, either manually or, if possible, through compliance rules.
Infrastructure Zone Machine Group
For the settings that you can apply using VCM, placing the infrastructure systems in their own dedicated machine group provides a single place to manage those systems and keep their settings synchronized.
For example, placing all infrastructure systems in the dedicated machine group and configuring the group so that only VCM administrators can access it prevents non-VCM administrators from gaining administrator access to the infrastructure systems.
Domain Controller
VCM relies on a domain controller in order to perform the following functions:
- Authenticate VCM users
- Discover machines to manage
- Enumerate domain group members
- Run VCM services under Network Authority accounts
- Authenticate administrators who control the systems on which VCM and its databases are installed
As the VCM installer and administrator, you identify the domain controller in VCM when you install VCM, discover domain controllers, add new Network Authority accounts, or add VCM users.
CAUTION Do not authorize VCM accounts to principals authenticated by an untrusted domain
controller, and do not join VCM servers to an untrustworthy domain.
VMware, Inc.