5.7
Table Of Contents
- VMware vCenter Configuration Manager Security Guide
- Contents
- About This Book
- Introduction to VCM Security
- Domain Infrastructure
- VCM Installation Kits
- Server Zone Security
- VCM Collector Server
- SQL Server
- Web Server
- VCM Agent Systems and Managed Machines
- VCM User Interface System
- Software Provisioning Components
- Operating System Provisioning Components
- Decommissioning
- Authentication
- Transport Layer Security
- Keys and Certificates
- How VCM Uses Certificates
- Installing Certificates for the VCM Collector
- Changing Certificates
- Delivering Initial Certificates to Agents
- Storing and Transporting Certificates
- Mark a Certificate as Authorized on Windows
- Creating Certificates Using Makecert
- Update the Collector Certificate Thumbprint in the VCM Database
- Managing the VCM UNIX Agent Certificate Store
- Supplemental References
- Index
9 VCM User Interface System
The VCM Web Console runs in Internet Explorer and connects to the VCM Web application served by IIS.
Because VCM users also browse the Internet using Internet Explorer, VCM requires security measures to
protect users of the VCM browser interface from spoofing and cross-site scripting attacks.
Using VCM to Manage the UI System
After you install VCM, your first course of action should be to manage user interface systems in VCM and
subject them to assessment. Run the following VCM compliance template against your user interface zone
systems to detect and identify some of the security setting and configuration issues that you need to
address, including VCM logins from unmanaged machines.
VCM Client Best Practices
NOTE If you have VCM installed and are preparing to set up a UI system, running the template can help
you preharden the candidate system.
The rest of this chapter briefly explains the user interface zone security hardening steps to pursue, either
manually or, if possible, through compliance rules.
User Interface Systems Machine Group
Placing all VCM user interface systems into a dedicated user interface machine group allows the VCM
administrator to separate the management of those systems and test the separation using compliance
rules. In addition, having the group allows the VCM administrator to prevent non-VCM administrators
from controlling user interface machines in the group. Except for VCM administrators, VCM users must
not manage the user interface systems of other VCM users.
Access Control
The security environment for machines in the user interface zone is less strict than in the server zone. User
interface machines are not required to be protected by firewalls or isolated from the Internet. In spite of
the less strict conditions, you must still implement the following measures for these machines:
- Run operating systems that meet the Controlled Access Protection Profile (CAPP) or General Purpose Operating System Protection Profile (GPOSPP), described on the Common Criteria Evaluation and Validation Scheme Web site.
- Patch them to the current security level.
- Run anti-virus software.
VMware, Inc.