Monday, 16 May 2016

Securing vSphere Infrastructure

Most of the time when delivering vSphere Courses i got similar question from my audience in which they are concerned about Securing their vSphere infrastructure, So thought of dedicating an article in my blog post.

Securing vSphere involves various aspects which are not only limited to vCenter Server but also securing your ESXi and Virtual Machine. 

Securing vCenter Server

  • Install vCenter Server using a Service Account instead of Windows Account.
  • Service Account used must be the Administrator on the Local Machine.
  • Grant less Privileges to the vCenter Server DB user, moreover we may need some privileges for the installation and certainly can be removed once the installation is done.
  • Remove all expired certificates and ensure there are no logs exist related to failed installation of vCenter Server.
  • Set Up NTP for each node in your environment as the certificate infrastructure requires an accurate time stamp and will not work correctly if nodes are out of sync.
  • Ensure the applications uses unique service accounts when connecting to vCenter Server.
  • By Default vpx user password is changed automatically in 30 days which can be changed as per the Organization Standards, however ensure that the ageing policy is not too short.
  • Create a Custom Role with appropriate privileges and assign it to other administrators as not all Administrator users must have Administrator Role.
  • For improved security, avoid putting the vCenter Server system on any network other than a management network, and ensure that vSphere management traffic is on a restricted network.
  • Communications between client components and a vCenter Server system or ESXi hosts are protected by SSL-based encryption by default. Linux versions of these components do not perform certificate validation. Consider restricting the use of these clients.

Securing ESXi
  • By Default SSH and ESXi Shell Services are not running and only the Root user is allowed to login to DCUI, SSH and Shell should always be considered as a last resort for troubleshooting and timeout should be set properly to avoid Risks.
  • Firewall Ports are opened if you start the corresponding service make use of web client to manage the firewall ports.
  • Use Scripted Installation and Auto Deploy for provisioning of your ESXi hosts.
  • VMware Certificate Authority (VMCA) provisions each ESXi host with a signed certificate that has VMCA as the root certificate authority by default. If company policy requires it, we can replace the existing certificates with certificates that are signed by a third-party CA.
  • To protect the integrity of the ESXi host, do not allow users to install unsigned (community-supported) VIBs. An unsigned VIB contains code that is not certified by, accepted by, or supported by VMware or its partners.
  • Following are the acceptance level supported  VMware Certified, VMware Accepted, Partner Supported, Community Supported.
  • If our ESXi host is managed by a vCenter Server, perform management tasks through the vSphere Web Client.
  • Set a highly complex password for the root account and limit the use of the root account.
  • Best practice is to ensure that any account with the Administrator role on an ESXi host is assigned to a specific user with a named account.

Securing Virtual Machine
  • Ensure that anti-virus software, anti-spy ware, intrusion detection, and other protection are enabled for every virtual machine in your virtual infrastructure.
  • We can use templates that can contain a hardened, patched, and properly configured operating system to create other, application-specific templates, or you can use the application template to deploy virtual machines.
  •  Use native remote management services, such as terminal services and SSH, to interact with virtual machines.
  • Limit the connections to the console to as few connections as necessary.
  • We can make use Shares and Resource pools to prevent a denial of service attack that causes one virtual machine to consume so much of the host’s resources that other virtual machines on the same host cannot perform their intended functions.
  • Disable unused services in the operating system and Disconnect unused physical devices, such as CD/DVD drives, floppy drives, and USB adaptors.
  • Disable Copy and Paste Operations Between Guest Operating System and Remote Console.

Above Mentioned  are few points which i have covered and is not an exhaustive list for a complete list for securing your vSphere Infrastructure Refer vSphere Security Guide

No comments:

Post a Comment