5.7
- VMware vCenter Configuration Manager Security Guide
- SQL Server 2005 Best Practices Analyzer Tool
- SQL Server 2008 R2 Best Practices Analyzer Tool
- SQL Server 2012 Best Practices Analyzer Tool
A secure installation of VCM pays particular attention to the Security Best Practices items regarding
patching, physical security, service packs, and firewalls. See the following references, available from the
Microsoft Web site.
- SQL Server 2005 Security Best Practices
- SQL Server Best Practices
- Security Considerations for a SQL Server Installation
Login Accounts for SQL Server
Configure SQL Server to accept existing Windows user account credentials for logging in. Do not set up
separate SQL Server login accounts.
Restrict Access to Configuration Tools
SQL Server contains configuration tools such as the system stored procedure sp_configure and the SQL
Server Surface Area Configuration Tool. Always restrict access to sp_configure and the SQL Server Surface
Area Configuration Tool. The tools allow users to activate services and features that are usually disabled
by default:
- xp_cmdshell
- SQL Server Web Assistant
- CLR Integration
- Ad hoc remote queries (the OPENROWSET and OPENDATASOURCE functions)
- OLE automation system procedures
- System procedures for Database Mail and SQL Mail
- Remote use of a dedicated administrator connection
NOTE Features managed with the Surface Area Configuration Tool in SQL Server 2005 are now managed
with Facets in Policy Based Management starting in SQL Server 2008.
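An added T-SQL audit for the two sections above (not part of the VMware guide): it reports the authentication mode and any separate SQL Server logins, which of the listed features are switched on, and which principals are able to change them. The mapping from the guide's feature list to sys.configurations option names is this example's assumption; an option that does not exist on a given SQL Server version returns no row.

```sql
-- Added audit example, not from the VCM guide. Read-only; run as sysadmin.

-- 1. Login accounts: 1 = Windows Authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Separate SQL Server logins that exist (sa is always listed; the
-- ##...## names are internal certificate-based logins and are skipped).
SELECT name, is_disabled, create_date
FROM sys.sql_logins
WHERE name NOT LIKE N'##%##'
ORDER BY name;

-- 2. Listed features that are switched on. value is the configured
--    setting, value_in_use the running one; flag either being non-zero.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell',
               N'Web Assistant Procedures',   -- SQL Server 2005
               N'clr enabled',
               N'Ad Hoc Distributed Queries',
               N'Ole Automation Procedures',
               N'Database Mail XPs',
               N'SQL Mail XPs',               -- absent from SQL Server 2012
               N'remote admin connections')
  AND (CONVERT(int, value) <> 0 OR CONVERT(int, value_in_use) <> 0)
ORDER BY name;

-- 3. Who can change those settings. sp_configure changes and RECONFIGURE
--    need ALTER SETTINGS, which CONTROL SERVER implies.
SELECT pr.name, pr.type_desc, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 100                           -- server-level permissions
  AND pe.permission_name IN (N'ALTER SETTINGS', N'CONTROL SERVER')
  AND pe.state IN ('G', 'W');                  -- GRANT, GRANT WITH GRANT OPTION

-- Members of the fixed server roles that hold ALTER SETTINGS implicitly.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'serveradmin')
ORDER BY r.name, m.name;
```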
Delegation for Split Installations
VCM can operate in a split-server installation, where the SQL Server database runs on a different machine
than that of the Collector and Web services. A split installation has the following SQL Server login
possibilities for the Collector service account.
- Use a domain account for the Collector service.
- Use the Local System account on the Collector machine for the Collector service.
In either case, the VCM Installation Manager configures the SQL Server login for the Collector service
account and grants it appropriate rights. The Local System option is available only when using the
Typical Install installation method. If Local System is used, the domain computer account for the
Collector machine (computername$) is granted access to SQL Server so that the Collector services have
the access they need to the VCM databases.