VMware vCenter Configuration Manager Security Guide 5.7
Microsoft Domain Controller Hardening Guidelines
To secure the domain controller for use with VCM, start by following the Microsoft domain controller hardening guidelines, available for various server versions on the Microsoft Web site.
The Microsoft guidelines are more comprehensive than the compliance templates and need to be followed even if you are managing the domain controller with VCM.
Domain Controller Diagnostic Tests
Part of correctly configuring a domain controller for use with VCM is to run the dcdiag utility. The dcdiag utility checks the general connectivity and responsiveness of a domain controller, which includes verifying that the domain controller has the following properties.
- Can be located in DNS
- Responds to ICMP pings
- Allows LDAP connectivity
- Allows binding to the Active Directory RPC interface
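As an added example that is not part of the VCM Security Guide, the PowerShell function below checks the same four properties with native cmdlets and then records the verdict of dcdiag's Connectivity test. It assumes a domain-joined Windows host with RSAT (dcdiag.exe) and the DnsClient and NetTCPIP modules; the domain controller name in the usage line is a placeholder.

```powershell
# Added example, not code from the VCM guide. Mirrors the four dcdiag connectivity
# properties for one domain controller, then runs dcdiag itself for the record.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-VcmDomainController {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainController   # FQDN of the DC to check
    )
    $result = [ordered]@{}

    # 1. Can be located in DNS: the DC name must resolve to an address record.
    $result.DnsResolves = [bool](Resolve-DnsName -Name $DomainController -Type A -ErrorAction SilentlyContinue)

    # 2. Responds to ICMP pings.
    $result.IcmpReply = Test-Connection -ComputerName $DomainController -Count 2 -Quiet

    # 3. Allows LDAP connectivity: bind with the caller's Windows credentials.
    try {
        $ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($DomainController)
        $ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $ldap.Bind()                      # throws LdapException if the bind is refused
        $result.LdapBind = $true
        $ldap.Dispose()
    } catch {
        $result.LdapBind = $false
    }

    # 4. Allows binding to the AD RPC interface. Natively we can only confirm the
    # RPC endpoint mapper (TCP 135) is reachable; the real RPC bind is done by dcdiag.
    $result.RpcEndpointMapperReachable = (Test-NetConnection -ComputerName $DomainController -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded

    # dcdiag's Connectivity test covers DNS registration, ping, LDAP and RPC binding.
    $dcdiag = & dcdiag.exe /s:$DomainController /test:Connectivity 2>&1
    $result.DcdiagConnectivityPassed = [bool]($dcdiag | Select-String -Pattern 'passed test Connectivity' -Quiet)
    $result.DcdiagOutput = $dcdiag -join "`n"

    [pscustomobject]$result
}

# Usage (placeholder DC name); any $false field is a condition to fix before deploying VCM.
# Test-VcmDomainController -DomainController 'dc01.example.internal' | Format-List
```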
Network Infrastructure Services
VCM relies on network infrastructure services. For VCM to operate correctly and reliably, you must properly configure, secure, and make these services available and responsive. An active denial of service (DoS) or other attack on network infrastructure services can affect VCM performance.
- DNS and WINS. Translate domain names into IP addresses.
- Email. Used for VCM notifications and alerts.
- Time servers. Synchronize timekeeping across systems, which allows Kerberos authentication and certificate validation to work.
- DHCP. Even when not used directly on VCM servers, DHCP assigns IP addresses consistently in the rest of the security environment.
Network Infrastructure Systems
VCM relies on secure infrastructure services, such as DNS, NTP, DHCP, routers, and services that issue certificates. The systems on which these services are hosted must be at least as secure as VCM. Protect network infrastructure systems with the following:
- Firewalls or vShield
- Anti-virus software
- Current security updates
- Controls or login authorizations that restrict access to trusted personnel only
Domain Accounts
VCM accounts must only be granted to users who are trusted, trained, and qualified as system and network administrators. A "VCM account" is a domain or local account that is granted authorization to use VCM.
VCM Security Guide
16
VMware, Inc.