Installation guide

General Security Guidelines for VCM Servers
In the server zone, VCM systems store and manipulate the collected data and change requests for every
managed machine.
All server zone systems must have the following properties:
• Unavailable for login by general users
• Protected from the open Internet by firewalls
• Updated to the current operating system patch levels
• Routinely backed up
• Trusted by managed resource administrators
Specifically, managed resource administrators implicitly delegate administrative rights over their
resources when they allow the VCM Agent to be installed. Consequently, the managed resource
administrators must have administrative trust in both the VCM users and in the VCM servers.
Protection Profiles
Operating systems for VCM servers must conform to the Controlled Access Protection Profile (CAPP) or
General Purpose Operating System Protection Profile (GPOSPP), described on the Common Criteria
Evaluation and Validation Scheme Web site.
The protection profiles ensure the following safeguards:
• Access to the system is protected by a certified authentication process.
• User data is protected from other users.
• Security functions of the operating system are protected from unauthorized changes.
Windows 2000, 2003, XP, Vista, 2003 Server, 2008 Server, 2008 Server R2, and Windows 7 conform
to the CAPP. Windows 7 and Windows Server 2008 R2 conform to the GPOSPP.
Physical Security
An administrator must maintain possession and control of any VCM server zone system. The loss of
possession or control of a VCM server zone system subjects the server to offline analysis, which can mean
the loss of confidentiality or integrity of its data or the misuse of its software. Even the temporary loss of
possession presents a risk, regardless of whether confidentiality appears to have been preserved.
If the VCM server zone systems run on virtual machines, the administrator must maintain possession and
control of the physical machines on which the virtual machines are hosted.
Use physical (possession, locks) or cryptographic (encrypted file system) means to maintain continuous
control of VCM server zone systems.
Disabling Automatic Login
VCM systems in the server zone must require login access control.
Automatic login is a convenience that logs a specific Windows user into a machine after the machine
finishes restarting. Because it bypasses the access control that the login prompt provides, always disable
automatic Windows login on VCM systems in the server zone.
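One way to check and enforce this on a server zone system, as an added example that is not part of the VCM guide: the PowerShell below reads the standard Windows Winlogon registry values (AutoAdminLogon, DefaultUserName, DefaultPassword) and turns automatic logon off. The function names Get-AutoLogonState and Disable-AutoLogon are hypothetical, and the script assumes an elevated session on the machine being checked.

```powershell
# Added example: audit and disable Windows automatic logon.
# Function names are hypothetical; the registry values are standard Windows ones.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    # Read the Winlogon values that control automatic logon.
    $w = Get-ItemProperty -Path $WinlogonKey
    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        # AutoAdminLogon = "1" means the login prompt is bypassed after restart.
        AutoLogonEnabled  = ($w.AutoAdminLogon -eq '1')
        DefaultUserName   = $w.DefaultUserName
        # A DefaultPassword value is a cleartext password stored in the registry,
        # so it is also exposed to offline analysis of the disk.
        CleartextPassword = ($null -ne $w.DefaultPassword)
    }
}

function Disable-AutoLogon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($WinlogonKey, 'Set AutoAdminLogon=0, remove DefaultPassword')) {
        Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0'
        # Remove the stored password; no error if the value is already absent.
        Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
    }
}

$state = Get-AutoLogonState
$state | Format-List Computer, AutoLogonEnabled, DefaultUserName, CleartextPassword

if ($state.AutoLogonEnabled -or $state.CleartextPassword) {
    # -WhatIf only reports the change; remove it to apply the fix.
    Disable-AutoLogon -WhatIf
} else {
    Write-Output 'Automatic logon is disabled and no stored logon password was found.'
}
```

After applying the change, rerun Get-AutoLogonState and confirm that both AutoLogonEnabled and CleartextPassword report False.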
VCM Security Guide
VMware, Inc.