Installation guide
Microsoft Domain Controller Hardening Guidelines
To secure the domain controller for use with VCM, start by following Microsoft domain controller
hardening guidelines, available for various server versions on the Microsoft Web site.
The Microsoft guidelines are more comprehensive than the compliance templates and need to be followed
even if you are managing the domain controller with VCM.
Domain Controller Diagnostic Tests
Part of correctly configuring a domain controller for use with VCM is to run the dcdiag utility. The dcdiag
utility checks the general connectivity and responsiveness of a domain controller, which includes verifying
that the domain controller has the following properties.
- Can be located in DNS
- Responds to ICMP pings
- Allows LDAP connectivity
- Allows binding to the Active Directory RPC interface
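As an added example (not code from the VCM Security Guide), the PowerShell pre-flight script below exercises the four properties listed above before a domain controller is registered with VCM. It assumes the DnsClient and NetTCPIP cmdlets of Windows Server 2012 or later, dcdiag.exe on the PATH, and a placeholder DC name in $DcName.

```powershell
# Added example, not from the VCM Security Guide.
# Assumes: Resolve-DnsName / Test-NetConnection (Windows Server 2012+),
# dcdiag.exe available (AD DS role or RSAT), $DcName is a placeholder.
param([string]$DcName = "dc01.example.local")   # placeholder hostname

$results = [ordered]@{}

# 1. Can be located in DNS: forward lookup of the DC's A record.
$dns = Resolve-DnsName -Name $DcName -Type A -ErrorAction SilentlyContinue
$results['DNS'] = [bool]$dns

# 2. Responds to ICMP pings: two echo requests, boolean result.
$results['ICMP'] = Test-Connection -ComputerName $DcName -Count 2 -Quiet

# 3. Allows LDAP connectivity: TCP reachability of port 389 is only a
#    proxy for an LDAP bind; dcdiag below performs the actual bind.
$results['LDAP'] = Test-NetConnection -ComputerName $DcName -Port 389 -InformationLevel Quiet

# 4. Allows binding to the AD RPC interface: dcdiag's Connectivity test
#    does the LDAP and RPC binds; we look for its "passed" line.
$dcdiag = & dcdiag.exe /s:$DcName /test:Connectivity 2>&1
$results['RPC/dcdiag'] = [bool]($dcdiag | Select-String -Pattern 'passed test Connectivity')

# Report each check and fail the script if any property is missing.
$results.GetEnumerator() | ForEach-Object {
    '{0,-12} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```

Run it from an administrative PowerShell session on a domain-joined host; a non-zero exit code means at least one property the dcdiag utility expects is not satisfied.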
Network Infrastructure Services
VCM relies on network infrastructure services. For VCM to operate correctly and reliably, you must
properly configure, secure, and make these services available and responsive. An active denial of service
(DoS) or other attack on network infrastructure services can affect VCM performance.
- DNS and WINS. Translate domain names into IP addresses.
- Email. Used for VCM notifications and alerts.
- Time servers. Synchronize timekeeping across systems, which allows Kerberos authentication and
certificate validation to work.
- DHCP. Even when not used directly on VCM servers, DHCP assigns IP addresses consistently in the
rest of the security environment.
Network Infrastructure Systems
VCM relies on secure infrastructure services, such as DNS, NTP, DHCP, routers, and services that issue
certificates. The systems on which these services are hosted must be at least as secure as VCM. Protect
network infrastructure systems with the following:
- Firewalls or vShield
- Anti-virus software
- Current security updates
- Controls or login authorizations that restrict access to trusted personnel only
Domain Accounts
VCM accounts must only be granted to users who are trusted, trained, and qualified as system and
network administrators. A "VCM account" is a domain or local account that is granted authorization to use
VCM.
VCM Security Guide
16
VMware, Inc.