6.5.1
Table Of Contents
- vSphere Security
- Contents
- About vSphere Security
- Updated Information
- Security in the vSphere Environment
- vSphere Permissions and User Management Tasks
- Securing ESXi Hosts
- Configure ESXi Hosts with Host Profiles
- General ESXi Security Recommendations
- Use Scripts to Manage Host Configuration Settings
- ESXi Passwords and Account Lockout
- SSH Security
- PCI and PCIe Devices and ESXi
- Disable the Managed Object Browser
- ESXi Networking Security Recommendations
- Modifying ESXi Web Proxy Settings
- vSphere Auto Deploy Security Considerations
- Control Access for CIM-Based Hardware Monitoring Tools
- Certificate Management for ESXi Hosts
- Host Upgrades and Certificates
- Certificate Mode Switch Workflows
- ESXi Certificate Default Settings
- View Certificate Expiration Information for Multiple ESXi Hosts
- View Certificate Details for a Single ESXi Host
- Renew or Refresh ESXi Certificates
- Change the Certificate Mode
- Replacing ESXi SSL Certificates and Keys
- Use Custom Certificates With Auto Deploy
- Restore ESXi Certificate and Key Files
- Customizing Hosts with the Security Profile
- ESXi Firewall Configuration
- Customizing ESXi Services from the Security Profile
- Enable or Disable a Service in the Security Profile
- Lockdown Mode
- Manage the Acceptance Levels of Hosts and VIBs
- Assigning Privileges for ESXi Hosts
- Using Active Directory to Manage ESXi Users
- Using vSphere Authentication Proxy
- Enable vSphere Authentication Proxy
- Add a Domain to vSphere Authentication Proxy with the vSphere Web Client
- Add a Domain to vSphere Authentication Proxy with the camconfig Command
- Use vSphere Authentication Proxy to Add a Host to a Domain
- Enable Client Authentication for vSphere Authentication Proxy
- Import the vSphere Authentication Proxy Certificate to ESXi Host
- Generate a New Certificate for vSphere Authentication Proxy
- Set Up vSphere Authentication Proxy to Use Custom Certificates
- Configuring Smart Card Authentication for ESXi
- Using the ESXi Shell
- UEFI Secure Boot for ESXi Hosts
- ESXi Log Files
- Securing vCenter Server Systems
- vCenter Server Security Best Practices
- Verify Thumbprints for Legacy ESXi Hosts
- Verify that SSL Certificate Validation Over Network File Copy Is Enabled
- Required Ports for vCenter Server and Platform Services Controller
- Additional vCenter Server TCP and UDP Ports
- Securing Virtual Machines
- Enable or Disable UEFI Secure Boot for a Virtual Machine
- Limit Informational Messages From Virtual Machines to VMX Files
- Prevent Virtual Disk Shrinking
- Virtual Machine Security Best Practices
- General Virtual Machine Protection
- Use Templates to Deploy Virtual Machines
- Minimize Use of the Virtual Machine Console
- Prevent Virtual Machines from Taking Over Resources
- Disable Unnecessary Functions Inside Virtual Machines
- Remove Unnecessary Hardware Devices
- Disable Unused Display Features
- Disable Unexposed Features
- Disable HGFS File Transfers
- Disable Copy and Paste Operations Between Guest Operating System and Remote Console
- Limiting Exposure of Sensitive Data Copied to the Clipboard
- Restrict Users From Running Commands Within a Virtual Machine
- Prevent a Virtual Machine User or Process From Disconnecting Devices
- Prevent Guest Operating System Processes from Sending Configuration Messages to the Host
- Avoid Using Independent Nonpersistent Disks
- Virtual Machine Encryption
- Use Encryption in Your vSphere Environment
- Set up the Key Management Server Cluster
- Create an Encryption Storage Policy
- Enable Host Encryption Mode Explicitly
- Disable Host Encryption Mode
- Create an Encrypted Virtual Machine
- Clone an Encrypted Virtual Machine
- Encrypt an Existing Virtual Machine or Virtual Disk
- Decrypt an Encrypted Virtual Machine or Virtual Disk
- Change the Encryption Policy for Virtual Disks
- Resolve Missing Key Issues
- vSphere Virtual Machine Encryption and Core Dumps
- Securing vSphere Networking
- Introduction to vSphere Network Security
- Securing the Network With Firewalls
- Secure the Physical Switch
- Securing Standard Switch Ports with Security Policies
- Securing vSphere Standard Switches
- Standard Switch Protection and VLANs
- Secure vSphere Distributed Switches and Distributed Port Groups
- Securing Virtual Machines with VLANs
- Creating Multiple Networks Within a Single ESXi Host
- Internet Protocol Security
- Ensure Proper SNMP Configuration
- vSphere Networking Security Best Practices
- Best Practices Involving Multiple vSphere Components
- Synchronizing Clocks on the vSphere Network
- Storage Security Best Practices
- Verify That Sending Host Performance Data to Guests is Disabled
- Setting Timeouts for the ESXi Shell and vSphere Web Client
- Managing TLS Protocol Configuration with the TLS Configurator Utility
- Ports That Support Disabling TLS Versions
- Disabling TLS Versions in vSphere
- Install the TLS Configuration Utility
- Perform an Optional Manual Backup
- Disable TLS Versions on vCenter Server Systems
- Disable TLS Versions on ESXi Hosts
- Disable TLS Versions on Platform Services Controller Systems
- Revert TLS Configuration Changes
- Disable TLS Versions on vSphere Update Manager
- Defined Privileges
- Alarms Privileges
- Auto Deploy and Image Profile Privileges
- Certificates Privileges
- Content Library Privileges
- Cryptographic Operations Privileges
- Datacenter Privileges
- Datastore Privileges
- Datastore Cluster Privileges
- Distributed Switch Privileges
- ESX Agent Manager Privileges
- Extension Privileges
- Folder Privileges
- Global Privileges
- Host CIM Privileges
- Host Configuration Privileges
- Host Inventory
- Host Local Operations Privileges
- Host vSphere Replication Privileges
- Host Profile Privileges
- Network Privileges
- Performance Privileges
- Permissions Privileges
- Profile-driven Storage Privileges
- Resource Privileges
- Scheduled Task Privileges
- Sessions Privileges
- Storage Views Privileges
- Tasks Privileges
- Transfer Service Privileges
- Virtual Machine Configuration Privileges
- Virtual Machine Guest Operations Privileges
- Virtual Machine Interaction Privileges
- Virtual Machine Inventory Privileges
- Virtual Machine Provisioning Privileges
- Virtual Machine Service Configuration Privileges
- Virtual Machine Snapshot Management Privileges
- Virtual Machine vSphere Replication Privileges
- dvPort Group Privileges
- vApp Privileges
- vServices Privileges
- vSphere Tagging Privileges
When you manage a host using vCenter Server, the permissions associated with that host are created
through vCenter Server and stored on vCenter Server. If you connect directly to a host, only the roles that
are created directly on the host are available.
Note When you add a custom role and do not assign any privileges to it, the role is created as a Read
Only role with three system-defined privileges: System.Anonymous, System.View, and System.Read.
Creating Roles in the vSphere Web Client
(http://link.brightcove.com/services/player/bcpid2296383276001?
bctid=ref:video_creating_role_in_vsphere_webclient)
vCenter Server System Roles
A role is a predefined set of privileges. When you add permissions to an object, you pair a user or group
with a role. vCenter Server includes several system roles, which you cannot change.
vCenter Server System Roles
vCenter Server provides a few default roles. You cannot change the privileges associated with the default
roles. The default roles are organized as a hierarchy. Each role inherits the privileges of the previous role.
For example, the Administrator role inherits the privileges of the Read Only role. Roles that you create do
not inherit privileges from any of the system roles.
Administrator Role Users with the Administrator role for an object are allowed to view and
perform all actions on the object. This role also includes all privileges
inherent in the Read Only role. If you are acting in the Administrator role on
an object, you can assign privileges to individual users and groups. If you
are acting in the Administrator role in vCenter Server, you can assign
privileges to users and groups in the default vCenter Single Sign-On
identity source. Supported identity services include Windows Active
Directory and OpenLDAP 2.4.
By default, the administrator@vsphere.local user has the Administrator role
on both vCenter Single Sign-On and vCenter Server after installation. That
user can then associate other users with the Administrator role on
vCenter Server.
No Cryptography
Administrator Role
Users with the No cryptography administrator role for an object have the
same privileges as users with the Administrator role, except for
Cryptographic operations privileges. This role allows administrators to
designate other administrators that cannot encrypt or decrypt virtual
machines or access encrypted data, but that can perform all other
administrative tasks.
No Access Role Users with the No Access role for an object cannot view or change the
object in any way. New users and groups are assigned this role by default.
You can change the role on an object-by-object basis.
vSphere Security
VMware, Inc. 34