6.7
Table Of Contents
- vSphere Security
- Contents
- About vSphere Security
- Security in the vSphere Environment
- vSphere Permissions and User Management Tasks
- Securing ESXi Hosts
- General ESXi Security Recommendations
- Configure ESXi Hosts with Host Profiles
- Use Scripts to Manage Host Configuration Settings
- ESXi Passwords and Account Lockout
- SSH Security
- PCI and PCIe Devices and ESXi
- Disable the Managed Object Browser
- ESXi Networking Security Recommendations
- Modifying ESXi Web Proxy Settings
- vSphere Auto Deploy Security Considerations
- Control Access for CIM-Based Hardware Monitoring Tools
- Certificate Management for ESXi Hosts
- Host Upgrades and Certificates
- Certificate Mode Switch Workflows
- ESXi Certificate Default Settings
- View Certificate Expiration Information for Multiple ESXi Hosts
- View Certificate Details for a Single ESXi Host
- Renew or Refresh ESXi Certificates
- Change the Certificate Mode
- Replacing ESXi SSL Certificates and Keys
- Use Custom Certificates With Auto Deploy
- Restore ESXi Certificate and Key Files
- Customizing Hosts with the Security Profile
- ESXi Firewall Configuration
- Customizing ESXi Services from the Security Profile
- Enable or Disable a Service in the Security Profile
- Lockdown Mode
- Manage the Acceptance Levels of Hosts and VIBs
- Assigning Privileges for ESXi Hosts
- Using Active Directory to Manage ESXi Users
- Using vSphere Authentication Proxy
- Enable vSphere Authentication Proxy
- Add a Domain to vSphere Authentication Proxy with the vSphere Web Client
- Add a Domain to vSphere Authentication Proxy with the camconfig Command
- Use vSphere Authentication Proxy to Add a Host to a Domain
- Enable Client Authentication for vSphere Authentication Proxy
- Import the vSphere Authentication Proxy Certificate to ESXi Host
- Generate a New Certificate for vSphere Authentication Proxy
- Set Up vSphere Authentication Proxy to Use Custom Certificates
- Configuring Smart Card Authentication for ESXi
- Using the ESXi Shell
- UEFI Secure Boot for ESXi Hosts
- Securing ESXi Hosts with Trusted Platform Module
- ESXi Log Files
- General ESXi Security Recommendations
- Securing vCenter Server Systems
- vCenter Server Security Best Practices
- Verify Thumbprints for Legacy ESXi Hosts
- Verify that SSL Certificate Validation Over Network File Copy Is Enabled
- Required Ports for vCenter Server and Platform Services Controller
- Additional vCenter Server TCP and UDP Ports
- Securing Virtual Machines
- Enable or Disable UEFI Secure Boot for a Virtual Machine
- Limit Informational Messages From Virtual Machines to VMX Files
- Prevent Virtual Disk Shrinking
- Virtual Machine Security Best Practices
- General Virtual Machine Protection
- Use Templates to Deploy Virtual Machines
- Minimize Use of the Virtual Machine Console
- Prevent Virtual Machines from Taking Over Resources
- Disable Unnecessary Functions Inside Virtual Machines
- Remove Unnecessary Hardware Devices
- Disable Unused Display Features
- Disable Unexposed Features
- Disable VMware Shared Folders Sharing Host Files to the Virtual Machine
- Disable Copy and Paste Operations Between Guest Operating System and Remote Console
- Limiting Exposure of Sensitive Data Copied to the Clipboard
- Restrict Users From Running Commands Within a Virtual Machine
- Prevent a Virtual Machine User or Process From Disconnecting Devices
- Prevent Guest Operating System Processes from Sending Configuration Messages to the Host
- Avoid Using Independent Nonpersistent Disks
- Virtual Machine Encryption
- Use Encryption in Your vSphere Environment
- Set up the Key Management Server Cluster
- Create an Encryption Storage Policy
- Enable Host Encryption Mode Explicitly
- Disable Host Encryption Mode
- Create an Encrypted Virtual Machine
- Clone an Encrypted Virtual Machine
- Encrypt an Existing Virtual Machine or Virtual Disk
- Decrypt an Encrypted Virtual Machine or Virtual Disk
- Change the Encryption Policy for Virtual Disks
- Resolve Missing Key Issues
- Unlock Locked Virtual Machines
- Resolve ESXi Host Encryption Mode Issues
- Re-Enable ESXi Host Encryption Mode
- Set Key Management Server Certificate Expiration Threshold
- vSphere Virtual Machine Encryption and Core Dumps
- Securing Virtual Machines with Virtual Trusted Platform Module
- Add a Virtual Trusted Platform Module to a Virtual Machine
- Enable Virtual Trusted Platform Module for an Existing Virtual Machine
- Remove Virtual Trusted Platform Module from a Virtual Machine
- Identify Virtual Trusted Platform Enabled Virtual Machines
- View vTPM Module Device Certificates
- Export and Replace vTPM Module Device Certificates
- Securing Windows Guest Operating Systems with Virtualization-based Security
- Virtualization-based Security Best Practices
- Enable Virtualization-based Security on a Virtual Machine
- Enable Virtualization-based Security on an Existing Virtual Machine
- Enable Virtualization-based Security on the Guest Operating System
- Disable Virtualization-based Security
- Identify VBS-Enabled Virtual Machines
- Securing vSphere Networking
- Introduction to vSphere Network Security
- Securing the Network With Firewalls
- Secure the Physical Switch
- Securing Standard Switch Ports with Security Policies
- Securing vSphere Standard Switches
- Standard Switch Protection and VLANs
- Secure vSphere Distributed Switches and Distributed Port Groups
- Securing Virtual Machines with VLANs
- Creating Multiple Networks Within a Single ESXi Host
- Internet Protocol Security
- Ensure Proper SNMP Configuration
- vSphere Networking Security Best Practices
- Best Practices Involving Multiple vSphere Components
- Synchronizing Clocks on the vSphere Network
- Storage Security Best Practices
- Verify That Sending Host Performance Data to Guests Is Disabled
- Setting Timeouts for the ESXi Shell and vSphere Web Client
- Managing TLS Protocol Configuration with the TLS Configurator Utility
- Ports That Support Disabling TLS Versions
- Enabling or Disabling TLS Versions in vSphere
- Perform an Optional Manual Backup
- Enable or Disable TLS Versions on vCenter Server Systems
- Enable or Disable TLS Versions on ESXi Hosts
- Enable or Disable TLS Versions on External Platform Services Controller Systems
- Scan vCenter Server for Enabled TLS Protocols
- Revert TLS Configuration Changes
- Enable or Disable TLS Versions on vSphere Update Manager on Windows
- Defined Privileges
- Alarms Privileges
- Auto Deploy and Image Profile Privileges
- Certificates Privileges
- Content Library Privileges
- Cryptographic Operations Privileges
- Datacenter Privileges
- Datastore Privileges
- Datastore Cluster Privileges
- Distributed Switch Privileges
- ESX Agent Manager Privileges
- Extension Privileges
- External Stats Provider Privileges
- Folder Privileges
- Global Privileges
- Health Update Provider Privileges
- Host CIM Privileges
- Host Configuration Privileges
- Host Inventory
- Host Local Operations Privileges
- Host vSphere Replication Privileges
- Host Profile Privileges
- Network Privileges
- Performance Privileges
- Permissions Privileges
- Profile-driven Storage Privileges
- Resource Privileges
- Scheduled Task Privileges
- Sessions Privileges
- Storage Views Privileges
- Tasks Privileges
- Transfer Service Privileges
- Virtual Machine Configuration Privileges
- Virtual Machine Guest Operations Privileges
- Virtual Machine Interaction Privileges
- Virtual Machine Inventory Privileges
- Virtual Machine Provisioning Privileges
- Virtual Machine Service Configuration Privileges
- Virtual Machine Snapshot Management Privileges
- Virtual Machine vSphere Replication Privileges
- dvPort Group Privileges
- vApp Privileges
- vServices Privileges
- vSphere Tagging Privileges
The VMware Host Client uses port 902 to provide a connection for guest operating system MKS activities
on virtual machines. It is through this port that users interact with the guest operating systems and
applications of the virtual machine. VMware does not support configuring a different port for this function.
Secure the Physical Switch
Secure the physical switch on each ESXi host to prevent attackers from gaining access to the host and its
virtual machines.
For best protection of your hosts, ensure that physical switch ports are configured with spanning tree
disabled and ensure that the non-negotiate option is configured for trunk links between external physical
switches and virtual switches in Virtual Switch Tagging (VST) mode.
Procedure
1 Log in to the physical switch and ensure that spanning tree protocol is disabled or that Port Fast is
configured for all physical switch ports that are connected to ESXi hosts.
2 For virtual machines that perform bridging or routing, check periodically that the first upstream
physical switch port is configured with BPDU Guard and Port Fast disabled and with spanning tree
protocol enabled.
In vSphere 5.1 and later, to prevent the physical switch from potential Denial of Service (DoS)
attacks, you can turn on the guest BPDU filter on the ESXi hosts.
3 Log in to the physical switch and ensure that Dynamic Trunking Protocol (DTP) is not enabled on the
physical switch ports that are connected to the ESXi hosts.
4 Routinely check physical switch ports to ensure that they are properly configured as trunk ports if
connected to virtual switch VLAN trunking ports.
Securing Standard Switch Ports with Security Policies
The VMkernel port group or virtual machine port group on a standard switch has a configurable security
policy. The security policy determines how strongly you enforce protection against impersonation and
interception attacks on VMs.
Just like physical network adapters, virtual machine network adapters can impersonate another VM.
Impersonation is a security risk.
n
A VM can send frames that appear to be from a different machine so that it can receive network
frames that are intended for that machine.
n
A virtual machine network adapter can be configured so that it receives frames targeted for other
machines
When you add a VMkernel port group or virtual machine port group to a standard switch, ESXi configures
a security policy for the ports in the group. You can use this security policy to ensure that the host
prevents the guest operating systems of its VMs from impersonating other machines on the network. The
guest operating system that might attempt impersonation does not detect that the impersonation was
prevented.
vSphere Security
VMware, Inc. 197