6.4
Disable Configuration Modes
As a best practice, when you install, configure, or maintain vRealize Operations Manager, you can modify the configuration or settings to enable troubleshooting and debugging of your installation.
Catalog and audit each of the changes you make to ensure that they are properly secured. Do not put the changes into production if you are not sure that your configuration changes are correctly secured.
Verifying the Host Server's Secure Baseline
You can use the Microsoft Baseline Security Analyzer (MBSA) to check whether your server has the latest updates or hot fixes. You can use MBSA to install any missing security patches from Microsoft to keep your server up-to-date with Microsoft security recommendations. You can download this tool from Microsoft. The latest tool, at the time this document was published, can be found here: http://www.microsoft.com/en-us/download/details.aspx?id=7558.
Note: Contact your Microsoft vendor for guidance on the most appropriate use of this tool.
Verifying that the Host Server Is Securely Configured
You can use the Windows Security Configuration Wizard (SCW) and the Microsoft Security Compliance Manager toolkit to verify that the host server is securely configured.
1 Start the SCW from the administrative tools of your Windows server. This tool can identify the roles of your server and the installed features including networking, Windows firewalls, and registry settings.
2 Compare the report with the latest hardening guidance from the relevant Microsoft Security Compliance Manager (SCM) for your Windows server.
3 Based on the results, you can configure the security settings for each feature such as network services, account settings, and Windows firewalls, and apply the settings to your server.
For more information on the SCW tool, go to http://technet.microsoft.com/en-us/library/cc754997.aspx.
Note: Contact your Microsoft vendor for guidance on the most appropriate use of these tools.
Linux Installed Deployment
Enabling NTP Service
For critical time sourcing, you can disable the host time synchronization and use the Network Time Protocol (NTP). In production, NTP provides the accurate timestamps needed to track user actions and to recognize potential malicious attacks and intrusions through accurate audit and log keeping.
The ntp daemon is included on the appliance and is used to provide synchronized time services. You can find the configuration file for NTP in /etc/ntp.conf.
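An audit of the appliance's /etc/ntp.conf, added here as an example and not part of the guide: it checks that at least one time source is configured and that the default `restrict` policy carries `nomodify`, `noquery` and `notrap`, the options assumed here to keep remote hosts from reconfiguring or querying ntpd. The sample configurations and the ntp1/ntp2.example.com hostnames are constructed.

```python
# Options a hardened "restrict default" line is assumed here to need:
# nomodify blocks remote runtime reconfiguration, noquery blocks status
# queries (the traffic abused for amplification), notrap disables traps.
REQUIRED_RESTRICT = ("nomodify", "noquery", "notrap")
TIME_SOURCE_KEYWORDS = ("server", "peer", "pool")

def audit_ntp_conf(text):
    """Return a list of finding strings for an ntp.conf body; [] means it passes."""
    findings = []
    sources = 0
    default_lines = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and whitespace
        if not line:
            continue
        words = line.split()
        if words[0] in TIME_SOURCE_KEYWORDS and len(words) > 1:
            sources += 1
        elif words[0] == "restrict":
            # Accept "restrict default ...", "restrict -4 default ..." and
            # "restrict -6 default ..."; other restrict lines are host-specific.
            idx = 2 if len(words) > 2 and words[1] in ("-4", "-6") else 1
            if len(words) > idx and words[idx] == "default":
                default_lines += 1
                missing = [o for o in REQUIRED_RESTRICT if o not in words[idx + 1:]]
                if missing:
                    scope = " ".join(words[:idx + 1])
                    findings.append("%s is missing: %s" % (scope, ", ".join(missing)))
    if sources == 0:
        findings.append("no server/peer/pool line: the appliance has no time source")
    if default_lines == 0:
        findings.append("no 'restrict default' line: any host may query or modify ntpd")
    return findings

# Constructed samples: an open configuration and its hardened counterpart.
WEAK_CONF = """\
server ntp1.example.com iburst
restrict default nomodify
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
server ntp1.example.com iburst   # placeholder time source, not a real host
server ntp2.example.com iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""
```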
TLS for Data in Transit
As a security best practice, ensure that the system is deployed with secure transmission channels.
Configure Strong Protocols for vRealize Operations Manager
Protocols such as SSLv2 and SSLv3 are no longer considered secure. As a best security practice for transport layer protection, provide support for only the TLS protocols.
Prior to production, you must verify that SSLv2 and SSLv3 are disabled.
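A verification check for this requirement, added here and not code from the guide: it evaluates Apache mod_ssl `SSLProtocol` directives (the web front end the guide's Apache Configuration section covers) and reports any legacy protocol a directive still leaves enabled. It assumes Apache's prefix semantics (`+` adds, `-` removes, a bare keyword replaces the set) and conservatively treats `all` as every protocol it knows, because what `all` expands to depends on the Apache version; the sample configuration is constructed.

```python
import re

# Keywords mod_ssl accepts. Assumption: "all" expands to every protocol
# listed here (conservative; the real expansion depends on the Apache
# version), so "SSLProtocol all" is reported as still allowing SSLv2/SSLv3.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = ("SSLv2", "SSLv3")

def enabled_protocols(directive):
    """Evaluate a value such as 'all -SSLv2 -SSLv3' left to right: '+' adds,
    '-' removes, a bare keyword replaces the set (assumed Apache semantics)."""
    enabled = set()
    for token in directive.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):]
        names = set(KNOWN) if name.lower() == "all" else {name}
        if not names <= set(KNOWN):
            raise ValueError("unknown SSLProtocol keyword: %s" % name)
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = names
    return enabled

def legacy_protocols_enabled(directive):
    """Legacy protocols the directive leaves enabled; [] means it passes."""
    return sorted(p for p in enabled_protocols(directive) if p in LEGACY)

def audit_config(text):
    """Return (line_number, directive_value, legacy_still_enabled) for every
    SSLProtocol line in Apache config text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            value = m.group(1)
            findings.append((lineno, value, legacy_protocols_enabled(value)))
    return findings

# Constructed sample: a weak directive followed by the hardened, TLS-only form.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLProtocol all
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""
```

Running `audit_config` over a real httpd configuration and treating any non-empty third tuple element as a failure gives the pre-production check the text asks for.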
Secure Configuration
34 VMware, Inc.