Installation guide

Chapter 7: Web Server
This chapter describes security and hardening guidelines that are unique to the Web server system where
Microsoft Internet Information Services (IIS) is installed and from which the VCM Web console is served.
The Web server machine might be the same one as the VCM Collector, or it might be a separate system if
you are running a split VCM installation.
Using VCM to Manage the Web Server
After you install VCM, use it to manage the Web server, subject it to assessment, and maintain its
integrity. Running the following VCM compliance template against the Web server detects and identifies
some of the security setting and configuration issues that you must address, including non-VCM
administrators who have access to systems and administrator functions.
VMware vCenter Configuration Manager Hardening - Host
NOTE If you have VCM installed and are preparing to set up another Web server, running the template
can help you preharden the candidate system.
The remaining Web server hardening steps in this chapter are in addition to those that you apply for all
server zone systems. See "Server Zone Security" on page 21.
Having a Web Server Machine Group in VCM
To better manage Web server systems, place them into a separate, dedicated Web server machine group
in VCM, and make sure that the machine group is not authorized to any nonadministrator VCM user.
Without a machine group, you might mix VCM Web server management with non-VCM servers, which
can result in the misconfiguration of necessary security settings.
Managing the right group of Web servers allows them to be assessed routinely by the VCM security
assessment compliance tests and monitored for configuration and change, all of which can be managed
and tracked through VCM.
Failure to follow this guideline means that the security posture of unmanaged VCM Web servers cannot
be assessed, tracked, or controlled with VCM. Later, if a Web server comes under VCM management,
there is also the risk that it might be incorrectly placed into a machine group that is managed by
nonadministrator VCM users.
Using Windows Integrated Authentication
By default, IIS uses Windows integrated authentication for the VCM Web site root. The interface to the
VCM console is through a thin, browser-based interface to an IIS-served Web application located at the
/VCM virtual directory.
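The following check is an added example, not part of the VMware guide. It reports which IIS authentication schemes are enabled at the site root and at the /VCM virtual directory, and warns where Windows integrated authentication has drifted from the default described above. The site name 'Default Web Site' is an assumption; set $SiteName to the site that hosts VCM.

```powershell
# Added example: audit IIS authentication for the VCM site root and /VCM.
# Run in an elevated PowerShell session on the Web server.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'            # assumption: adjust to your VCM site name
$Locations = @($SiteName, "$SiteName/VCM") # site root and the /VCM virtual directory
$Schemes   = 'windowsAuthentication', 'anonymousAuthentication', 'basicAuthentication'

$report = foreach ($location in $Locations) {
    $row = [ordered]@{ Location = $location }
    foreach ($scheme in $Schemes) {
        # Read the effective 'enabled' flag for this scheme at this location
        $filter = "system.webServer/security/authentication/$scheme"
        $row[$scheme] = (Get-WebConfigurationProperty `
            -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $location `
            -Filter $filter `
            -Name 'enabled').Value
    }
    [pscustomobject]$row
}

# Show the state of every scheme per location
$report | Format-Table -AutoSize

# Warn where Windows integrated authentication is not enabled
$report | Where-Object { -not $_.windowsAuthentication } | ForEach-Object {
    Write-Warning "Windows integrated authentication is not enabled at '$($_.Location)'"
}
```

Keep the output with your other hardening records so that later changes to the authentication settings are easy to spot.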
VMware, Inc.