Installation guide
4 Server Zone Security
Address the following security environment guidelines for all systems in the server zone, including the
VCM Collector, SQL Server host, and Web server. These three functions might reside all on one system, or
they might be distributed across two or three. Be sure to apply the security settings in this chapter to all
the systems that are used.
Server zone systems must be treated and managed with security measures that are consistent with those
used for the infrastructure zone.
- For security instructions that are unique to the VCM Collector, see "VCM Collector Server" on page 25.
- For security instructions that are unique to the SQL Server host, see "SQL Server" on page 27.
- For security instructions that are unique to the Web server, see "Web Server" on page 31.
Using VCM to Manage Server Zone Systems
After you install VCM, your first course of action should be to manage server zone systems in VCM and
subject them to assessment. VCM comes with compliance rules for some of the necessary security settings
on the Collector, SQL database server, and Web server. In addition, you can create your own templates
and rules.
The rest of this chapter briefly explains security hardening steps to pursue, manually or through
compliance rules, for all server zone systems.
Machines in the VCM server zone require a higher level of trust than those in the user interface, managed
machine, or provisioning zones. In VCM, server zone systems must be controlled with the same measures
used for infrastructure systems such as domain controllers.
Server Zone Administrator Role
VCM can manage its own servers, but it is unsafe to allow nonadministrator VCM users into server zone
systems. When nonadministrator VCM users are allowed to administer a VCM server, they gain access to all
the data and actions that VCM itself is authorized to perform. To help prevent this situation, create a role
dedicated solely to server zone administration.
Having a role dedicated to server zone administration minimizes the risk of granting access to VCM
servers to nonadministrator VCM users.
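One manual hardening check that follows from this guidance is to verify, on every server zone host, that only the accounts intended for server zone administration hold local Administrators membership. The script below is an added example, not part of the VMware guide and not a VCM feature; it runs from an administrator workstation with PowerShell remoting enabled on the targets. The host names, the domain name EXAMPLE, and the approved group names are placeholder assumptions to replace with your own values.

```powershell
# Added example (not from the VMware guide): audit local Administrators
# membership on the VCM Collector, SQL Server, and Web server hosts against
# an approved list. All host and account names below are placeholders.
$ServerZoneHosts = @(
    'vcm-collector.example.local',   # assumed Collector host name
    'vcm-sql.example.local',         # assumed SQL Server host name
    'vcm-web.example.local'          # assumed Web server host name
)

# Principals that are allowed to administer server zone systems. The
# dedicated server zone administration group is the intended entry here;
# ordinary (nonadministrator) VCM user groups should never appear.
$ApprovedAdmins = @(
    'EXAMPLE\VcmServerZoneAdmins',   # assumed dedicated server zone admin group
    'EXAMPLE\Domain Admins'
)

$Findings = foreach ($Computer in $ServerZoneHosts) {
    try {
        # Query the local Administrators group remotely (Get-LocalGroupMember
        # requires Windows PowerShell 5.1 or later on the target).
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    } catch {
        Write-Warning "Could not query ${Computer}: $($_.Exception.Message)"
        continue
    }

    foreach ($Member in $Members) {
        # The built-in local Administrator account reports as HOST\Administrator;
        # it is expected, so only report principals outside the approved list.
        $IsBuiltIn = $Member.Name -like '*\Administrator'
        if (-not $IsBuiltIn -and $ApprovedAdmins -notcontains $Member.Name) {
            [pscustomobject]@{
                Computer = $Computer
                Member   = $Member.Name
                Type     = $Member.ObjectClass
                Source   = $Member.PrincipalSource
            }
        }
    }
}

if ($Findings) {
    Write-Output 'Unapproved local administrators found on server zone hosts:'
    $Findings | Format-Table -AutoSize
} else {
    Write-Output 'No unapproved local administrators found on server zone hosts.'
}
```

Run the check after installation and again whenever role membership changes; any row in the findings table is a principal to remove from the host's local Administrators group or to add, deliberately, to the dedicated server zone administration group.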
Server Zone Auditor Role
Create an auditor role, for example, VcmAuditor, in VCM that has read-only access to all VCM data but
has no rights to create change actions or invoke inspections. Place at least one user account in that role.
Having an auditor role is an industry best practice.
VMware, Inc.
21