Hardeningguide Vsphere5 1 Ga Release Public

Virtual Machines
ESXi hosts
Virtual Network
vCenter Server plus its database and clients. Common vCenter and Windows specific guidance is here.
vCenter Web Client
vCenter SSO Server
vCenter Virtual Appliance (VCSA) specific guidance
vCenter Update Manager
Everything else is out of scope and hence NOT covered by the guide. This includes
vSphere Management Assistant (vMA)
any other add-on component
Each guideline is uniquely identified by the concatenation of Product-Version-Component-ID. Some examples:
vSphere-5.1-esxi-apply-patches
vSphere-5.1-vm-prevent-device-interaction-edit
vSphere-5.1-vnetwork-reject-mac-change-dvportgroup
vSphere-5.1-vcenter-isolated-vum-proxy
When referring to guidelines within a single version, the Product-Version may be omitted and the component-ID used by itself, e.g.
esxi-apply-patches
The Profile field indicates the relative increase in security provided by the guidelines. Some guidelines describe an issue with more than one defense, and these will be associated with more than one profile
Profile 3: guidelines that should be implemented in all environments
Profile 2: guidelines that should be implemented for more sensitive environments, e.g. those handling more sensitive data, those subject to stricter compliance rules, etc.
Profile 1: guidelines that only be implemented in the highest security environments, e.g. top-secret government or military, extremely sensitive data, etc.
Control Type indicates how the guideline is implemented
Parameter: A system-level parameter should be set to a particular value, either specified in the guideline or else site-specific
Configuration: A certain hardware and/or software configuration or combination of settings should be used
Operational: Indicates an ongoing check, either monitoring for certain actions or conditions, or else verifying the use of proper procedures
Assessment Procedure: describes how to validate whether or not the guideline is being followed. The remediation procedure is generally not described, but in some cases the remediation steps are available in an external reference.
The following fields are filled in where applicable or determinate
Configuration Parameter
Configuration File
Desired Value
Is Desired Value the Default?
Negative Functional Impact indicates if this guideline has any side effects that reduce or prevent normal functionality
Where possible, CLI commands for assessment and remediation are provided. The commands are provided for the vSphere CLI (vCLI), ESXi Shell, and PowerCLI.
Reference to the API which relates to a guideline is also provided if possible.
vSphere 5.1 Security Hardening Guide
General Availabilty (GA) Release
April 15, 2013
Description of fields
This guide covers the following components of vSphere
Scope of Guide
Important Note: This is a GA Release of the 5.1 vSphere Hardening Guide.
For the ESXi guidelines, a special column indicates whether or not the guidelines can be configured using Host Profiles
ID Product Version Component Subcomponent Title
control-resource-usage vSphere 5.1 Virtual Machines Resources Prevent virtual machines from taking over resources.
disable-autoinstall vSphere 5.1 Virtual Machines Tools Disable tools auto install
disable-console-copy vSphere 5.1 Virtual Machines Monitor Explicitly disable copy/paste operations
disable-console-dnd vSphere 5.1 Virtual Machines Monitor Explicitly disable copy/paste operations
disable-console-gui-options vSphere 5.1 Virtual Machines Monitor Explicitly disable copy/paste operations
disable-console-paste vSphere 5.1 Virtual Machines Monitor Explicitly disable copy/paste operations
disable-disk-shrinking-shrink vSphere 5.1 Virtual Machines Storage Disable virtual disk shrinking.
disable-disk-shrinking-wiper vSphere 5.1 Virtual Machines Storage Disable virtual disk shrinking.
disable-hgfs vSphere 5.1 Virtual Machines Monitor Disable HGFS file transfers
disable-independent-nonpersistent vSphere 5.1 Virtual Machines Storage Avoid using independent nonpersistent disks.
disable-intervm-vmci vSphere 5.1 Virtual Machines Communication Disable VM-to-VM communication through VMCI.
disable-logging vSphere 5.1 Virtual Machines Tools Disable VM logging
disable-monitor-control vSphere 5.1 Virtual Machines Monitor Disable VM Monitor Control
disable-unexposed-features-autologon vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-biosbbs vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-getcreds vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-launchmenu vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-memsfss vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-protocolhandler vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-shellaction vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-toporequest vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-trashfolderstate vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-trayicon vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-unity vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-unity-interlock vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-unity-taskbar vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-unity-unityactive vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-unity-windowcontents vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-unitypush vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-versionget vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unexposed-features-versionset vSphere 5.1 Virtual Machines Monitor Disable certain unexposed features.
disable-unnecessary-functions vSphere 5.1 Virtual Machines Guest Disable unnecessary or superfluous functions inside VMs.
disable-vix-messages vSphere 5.1 Virtual Machines Tools Disable VIX messages from the VM
disconnect-devices-floppy vSphere 5.1 Virtual Machines Device Disconnect unauthorized devices
disconnect-devices-ide vSphere 5.1 Virtual Machines Device Disconnect unauthorized devices
disconnect-devices-parallel vSphere 5.1 Virtual Machines Device Disconnect unauthorized devices
disconnect-devices-serial vSphere 5.1 Virtual Machines Device Disconnect unauthorized devices
disconnect-devices-usb vSphere 5.1 Virtual Machines Device Disconnect unauthorized devices
limit-console-connections-one vSphere 5.1 Virtual Machines Communication Limit sharing of console connections
limit-console-connections-two vSphere 5.1 Virtual Machines Communication Limit sharing of console connections
limit-log-number vSphere 5.1 Virtual Machines Tools Limit VM logging
limit-log-size vSphere 5.1 Virtual Machines Tools Limit VM logging
limit-setinfo-size vSphere 5.1 Virtual Machines Communication Limit informational messages from the VM to the VMX file.
minimize-console-use vSphere 5.1 Virtual Machines Guest Minimize use of the VM console.
prevent-device-interaction-connect vSphere 5.1 Virtual Machines Device Prevent unauthorized removal, connection and modification of devices.
prevent-device-interaction-edit vSphere 5.1 Virtual Machines Device Prevent unauthorized removal, connection and modification of devices.
restrict-host-info vSphere 5.1 Virtual Machines Tools Do not send host information to guests.
secure-guest-os vSphere 5.1 Virtual Machines Guest Secure virtual machines as you would secure physical machines.
use-secure-serial-communication vSphere 5.1 Virtual Machines Guest Use secure protocols for virtual serial port access.
use-vm-templates vSphere 5.1 Virtual Machines Guest Use templates to deploy VMs whenever possible.
verify-network-filter vSphere 5.1 Virtual Machines Monitor Control access to VMs through the dvfilter network APIs.
verify-vmsafe-cpumem-agentaddress vSphere 5.1 Virtual Machines Monitor Control access to VMs through VMsafe CPU/memory APIs.
verify-vmsafe-cpumem-agentport vSphere 5.1 Virtual Machines Monitor Control access to VMs through VMsafe CPU/memory APIs.
verify-vmsafe-cpumem-enable vSphere 5.1 Virtual Machines Monitor Control access to VMs through VMsafe CPU/memory APIs.
Vulnerability Discussion Profile Control Type
By default, all virtual machines on an ESXi host share the resources equally. By using the resource management capabilities of ESXi, such as shares and limits, you
can control the server resources that a virtual machine consumes. You can use this mechanism to prevent a denial of service that causes one virtual machine to
consume so much of the hosts resources that other virtual machines on the same host cannot perform their intended functions. 1,2 Operational
Tools auto install can initiate an automatic reboot, disabling this option will prevent tools from being installed automatically and prevent automatic machine reboots 1,2 Parameter
Copy and paste operations are disabled by default however by explicitly disabling this feature it will enable audit controls to check that this setting is correct. 1,2,3 Parameter
Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host
drive. Normal users and processesthat is, users and processes without root or administrator privilegeswithin virtual machines have the capability to invoke this
procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial of
service. In most datacenter environments, disk shrinking is not done, so you should disable this feature by setting the parameters listed in Table 9. Repeated disk
shrinking can make a virtual disk unavailable. Capability is available to nonadministrative users in the guest. 1,2,3 Parameter
Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host
drive. Normal users and processesthat is, users and processes without root or administrator privilegeswithin virtual machines have the capability to invoke this
procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial of
service. In most datacenter environments, disk shrinking is not done, so you should disable this feature by setting the parameters listed in Table 9. Repeated disk
shrinking can make a virtual disk unavailable. Capability is available to nonadministrative users in the guest. 1,2,3 Parameter
Certain automated operations such as automated tools upgrades use a component into the hypervisor called "Host Guest File System" and an attacker could
potentially use this to transfer files inside the guest OS 1 Parameter
The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were
ever on the machine. To safeguard against this risk, you should set production virtual machines to use either persistent disk mode or nonpersistent disk mode;
additionally, make sure that activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector.
Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked. 1,2 Parameter
If the interface is not restricted, a VM can detect and be detected by all other VMs with the same option enabled within the same host. This might be the intended
behavior, but custom-built software can have unexpected vulnerabilities that might potentially lead to an exploit. Additionally, it is possible for a VM to detect how
many other VMs are within the same ESXI system by simply registering the VM. This information might also be used for a potentially malicious objective. By default,
the setting is FALSE. The VM can be exposed to other VMs within the same system as long as there is at least one program connected to the VMCI socket interface.
THIS CONTROL HAS NO EFFECT IN 5.1. WHETHER SET TO ENABLED OR DISABLED, THE COMMUNICATION IS DISABLED. 1,2,3 Parameter
You can use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be
quite large. You can ensure that new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of
logging data, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size
limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the
limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of- 1 Parameter
When Virtual Machines are running on a hypervisor they are "aware" that they are running in a virtual environment and this and this information is available to tools
inside the guest OS. This can give attackers information about the platform that they are running on that they may not get from a normal physical server. This
option completely disables all hooks for a virtual machine and the guest OS will not be aware that it is running in a virtual environment at all. 1 Parameter
Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some
VMX parameters that dont apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling
them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host,
and thus may help prevent successful exploits. 1 Parameter
By disabling unnecessary system components that are not needed to support the application or service running on the system, you reduce the number of parts that
can be attacked. VMs often dont require as many services or functions as ordinary physical servers; so when virtualizing, you should evaluate whether a particular
service or function is truly needed. Any service running in a VM provides a potential avenue of attack. 1,2,3 Operational
The VIX API is a library for writing scripts and programs to manipulate virtual machines. If you do not make use of custom VIX programming in your environment,
then you should consider disabling certain features to reduce the potential for vulnerabilities. The ability to send messages from the VM to the host is one of these
features. Note that disabling this feature does NOT adversely affect the functioning of VIX operations that originate outside the guest, so certain VMware and 3rd
party solutions that rely upon this capability should continue to work. This is a deprecated interface. Enabling this setting is for Profile 1 only, to ensure that any
deprecated interface is turned off for audit purposes. 1 Parameter
Besides disabling unnecessary virtual devices from within the virtual machine, you should ensure that no device is connected to a virtual machine if it is not required
to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only
temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be
FALSE. NOTE: The parameters listed are not sufficient to ensure that a device is usable; other parameters are required to indicate specifically how each device is
instantiated. Any enabled or connected device represents another potential attack channel. 1,2 Parameter
By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a
notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a nonadministrator in the VM might
connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a virtual machine. For example if
a jump box is being used for an open console session, and the admin loses connection to that box, then the console session remains open. Allowing two console
sessions permits debugging via a shared session. For highest security, only one remote console session at a time should be allowed 1,2 Parameter
By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a
notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a nonadministrator in the VM might
connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a virtual machine. For example if
a jump box is being used for an open console session, and the admin loses connection to that box, then the console session remains open. Allowing two console
sessions permits debugging via a shared session. For highest security, only one remote console session at a time should be allowed 3 Parameter
limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of- 2,3 Parameter
limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of- 2,3 Parameter
The configuration file containing these name-value pairs is limited to a size of 1MB. This 1MB capacity should be sufficient for most cases, but you can change this
value if necessary. You might increase this value if large amounts of custom information are being stored in the configuration file. The default limit is 1MB;
this limit is applied even when the sizeLimit parameter is not listed in the .vmx file. Uncontrolled size for the VMX file can lead to denial of service if the datastore is
filled. 1,2,3 Parameter
The VM console enables you to connect to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also
provides power management and removable device connectivity controls, which might potentially allow a malicious user to bring down a virtual machine. In
addition, it also has a performance impact on the service console, especially if many VM console sessions are open simultaneously. 1,2,3 Operational
Normal users and processesthat is, users and processes without root or administrator privilegeswithin virtual machines have the capability to connect or
disconnect devices, such as network adaptors and CD-ROM drives, as well as the ability to modify device settings. In general, you should use the virtual machine
settings editor or configuration editor to remove any unneeded or unused hardware devices. However, you might want to use the device again, so removing it is not
always a good solution. In that case, you can prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the
guest operating system, as well as modifying devices, by adding the following parameters. By default, a rogue user with nonadministrator privileges in a virtual 1,2,3 Parameter
Normal users and processesthat is, users and processes without root or administrator privilegeswithin virtual machines have the capability to connect or
disconnect devices, such as network adaptors and CD-ROM drives, as well as the ability to modify device settings. In general, you should use the virtual machine
settings editor or configuration editor to remove any unneeded or unused hardware devices. However, you might want to use the device again, so removing it is not
always a good solution. In that case, you can prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the
guest operating system, as well as modifying devices, by adding the following parameters. By default, a rogue user with nonadministrator privileges in a virtual 1,2,3 Parameter
If set to TRUE a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a
particular VM requires this information for performance monitoring. An adversary potentially can use this information to inform further attacks on the host. 1,2 Parameter
A key to understanding the security requirements of a virtualized environment is the recognition that a virtual machine is, in most respects, the equivalent of a
physical server. Therefore, it is critical that you employ the same security measures in virtual machines that you would for physical servers. The guest operating
system that runs in the virtual machine is subject to the same security risks as a physical system. 1,2,3 Operational
Serial ports are interfaces for connecting peripherals to the virtual machine. They are often used on physical systems to provide a direct, low-level connection to the
console of a server, and a virtual serial port allows for the same access to a virtual machine. Serial ports allow for low-level access, which often does not have strong
controls like logging or privileges. 1,2,3 Operational
By capturing a hardened base operating system image (with no applications installed) in a template, you can ensure that all your virtual machines are created with a
known baseline level of security. You can then use this template to create other, application-specific templates, or you can use the application template to deploy
virtual machines. Manual installation of the OS and applications into a VM introduces the risk of misconfiguration due to human or process error. 1,2,3 Operational
A VM must be configured explicitly to accept access by the dvfilter network API. This should be done only for VMs for which you want this to be done. An attacker
might compromise the VM by making use of this introspection channel. 1,2,3 Parameter
The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose
of detecting and preventing malware attacks. However, an attacker might compromise the VM by making use of this introspection channel; therefore you should
monitor for unauthorized usage of this API. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API. This involves three parameters:
one to enable the API, one to set the IP address used by the security virtual appliance on the introspection vSwitch, and one to set the port number for that IP
address. If the VM is being protected by such a product, then make sure the latter two parameters are set correctly. This should be done only for specific VMs for 1,2,3 Parameter
Assessment Procedure Configuration File Configuration Parameter
Use shares or reservations to guarantee resources to critical VMs. Use limits to constrain resource
consumption by virtual machines that have a greater risk of being exploited or attacked, or that run
applications that are known to have the potential to greatly consume resources. N/A N/A
Check virtual machine configuration file and verify that isolation.tools.autoinstall.disable is set to TRUE VMX isolation.tools.autoInstall.disable
Check virtual machine configuration and verify that option is missing or set to true VMX isolation.tools.copy.disable
Check virtual machine configuration and verify that option is missing or set to true VMX isolation.tools.dnd.disable
Check virtual machine configuration and verify that option is missing or set to false VMX isolation.tools.setGUIOptions.enable
Check virtual machine configuration and verify that option is missing or set to true VMX isolation.tools.paste.disable
Check virtual machine configuration file and verify that isolation.tools.diskShrink.disable is set to TRUE VMX isolation.tools.diskShrink.disable
Check virtual machine configuration file and verify that isolation.tools.diskWiper.disable is set to TRUE VMX isolation.tools.diskWiper.disable
Check virtual machine configuration file and verify that isolation.tools.hgfsServerSet.disable is set to TRUE VMX isolation.tools.hgfsServerSet.disable
If remote logging of events and activity is not configured for the guest, scsiX:Y.mode should be either: 1. Not
present 2. Not set to independent nonpersistent VMX scsiX:Y.mode
Check virtual machine configuration file and verify that vmci0.unrestricted is set to FALSE VMX vmci0.unrestricted
Check virtual machine configuration file and verify that logging is set to FALSE VMX logging
Check virtual machine configuration file and verify that isolation.monitor.control.disable is set to TRUE VMX isolation.monitor.control.disable
Check virtual machine configuration file and verify that isolation.tools.ghi.autologon.disable is set to TRUE VMX isolation.tools.ghi.autologon.disable
Check virtual machine configuration file and verify that isolation.bios.bbs.disable is set to TRUE VMX isolation.bios.bbs.disable
Check virtual machine configuration file and verify that isolation.tools.getCreds.disable is set to TRUE VMX isolation.tools.getCreds.disable
Check virtual machine configuration file and verify that isolation.tools.ghi.launchmenu.change is set to TRUE VMX isolation.tools.ghi.launchmenu.change
Check virtual machine configuration file and verify that isolation.tools.memSchedFakeSampleStats.disable is
set to TRUE VMX isolation.tools.memSchedFakeSampleStats.disable
Check virtual machine configuration file and verify that isolation.tools.ghi.protocolhandler.info.disable is set
to TRUE VMX isolation.tools.ghi.protocolhandler.info.disable
Check virtual machine configuration file and verify that isolation.ghi.host.shellAction.disable is set to TRUE VMX isolation.ghi.host.shellAction.disable
Check virtual machine configuration file and verify that isolation.tools.dispTopoRequest.disable is set to TRUE VMX isolation.tools.dispTopoRequest.disable
Check virtual machine configuration file and verify that isolation.tools.trashFolderState.disable is set to TRUE VMX isolation.tools.trashFolderState.disable
Check virtual machine configuration file and verify that isolation.tools.ghi.trayicon.disable is set to TRUE VMX isolation.tools.ghi.trayicon.disable
Check virtual machine configuration file and verify that isolation.tools.unity.disable is set to TRUE VMX isolation.tools.unity.disable
Check virtual machine configuration file and verify that isolation.tools.unityInterlockOperation.disable is set
to TRUE VMX isolation.tools.unityInterlockOperation.disable
Check virtual machine configuration file and verify that isolation.tools.unity.taskbar.disable is set to TRUE VMX isolation.tools.unity.taskbar.disable
Check virtual machine configuration file and verify that isolation.tools.unityActive.disable is set to TRUE VMX isolation.tools.unityActive.disable
Check virtual machine configuration file and verify that isolation.tools.unity.windowContents.disable is set to
TRUE VMX isolation.tools.unity.windowContents.disable
Check virtual machine configuration file and verify that isolation.tools.unity.push.update.disable is set to
TRUE VMX isolation.tools.unity.push.update.disable
Check virtual machine configuration file and verify that isolation.tools.vmxDnDVersionGet.disable is set to
TRUE VMX isolation.tools.vmxDnDVersionGet.disable
Check virtual machine configuration file and verify that isolation.tools.guestDnDVersionSet.disable is set to
TRUE VMX isolation.tools.guestDnDVersionSet.disable
Some of these steps include: 1. Disable unused services in the operating system. For example, if the system
runs a file server, make sure to turn off any Web services. 2. Disconnect unused physical devices, such as
CD/DVD drives, floppy drives, and USB adaptors. This is described in the Removing Unnecessary Hardware
Devices section in the ESXI Configuration Guide.
3. Turn off any screen savers. If using a Linux, BSD, or Solaris guest operating system, do not run the X N/A N/A
Check virtual machine configuration file and verify that isolation.tools.vixMessage.disable is set to TRUE VMX isolation.tools.vixMessage.disable
The following parameters should either NOT be present or should be set to FALSE, unless Floppy drives are
required: floppyX.present VMX floppyX.present
The following parameters should either NOT be present or should be set to FALSE, unless CD-ROM is
required: ideX:Y.present VMX ideX:Y.present
The following parameters should either NOT be present or should be set to FALSE, unless Parallel ports are
required: parallelX.present VMX parallelX.present
The following parameters should either NOT be present or should be set to FALSE, unless Serial ports are
required: serialX.present VMX serialX.present
The following parameters should either NOT be present or should be set to FALSE, unless USB controllers are
required: usb.present VMX usb.present
Check virtual machine configuration file and verify that RemoteDisplay.maxConnections is set to 1 VMX RemoteDisplay.maxConnections
Check virtual machine configuration file and verify that RemoteDisplay.maxConnections is set to 2 VMX RemoteDisplay.maxConnections
Check virtual machine configuration file and verify that log.keepOld is set to 10 VMX log.keepOld
Check virtual machine configuration file and verify that log.rotateSize is set to 100000 VMX log.rotateSize
Check virtual machine configuration file and verify that tools.setInfo.sizeLimit is set to 1048576 VMX tools.setInfo.sizeLimit
Instead of VM console, use native remote management services, such as terminal services and ssh, to
interact with virtual machines. Grant VM console access only when necessary. N/A N/A
Check virtual machine configuration file and verify that isolation.device.connectable.disable is set to TRUE VMX isolation.device.connectable.disable
Check virtual machine configuration file and verify that isolation.device.edit.disable is set to TRUE VMX isolation.device.edit.disable
Check virtual machine configuration file and verify that tools.guestlib.enableHostInfo is set to FALSE VMX tools.guestlib.enableHostInfo
Ensure that antivirus, antispyware, intrusion detection, and other protection are enabled for every virtual
machine in your virtual infrastructure. Make sure to keep all security measures up-to-date, including applying
appropriate patches. It is especially important to keep track of updates for dormant virtual machines that are
powered off, because it can be easy to overlook them. N/A N/A
Use a secure protocol like Telnets (Telnet with SSL) as opposed to Telnet to access virtual serial ports. N/A
Provide templates for VM creation that contain hardened, patched, and properly configured OS
deployments. If possible, predeploy applications in templates as well, although care should be taken that the
application doesnt depend upon VM-specific information to be deployed. In vSphere, you can convert a
template to a virtual machine and back again quickly, which makes updating templates quite easy. VMware
Update Manager also provides the ability to automatically patch the operating system and certain N/A N/A
If a VM is not supposed to be protected by a product using the dvfilter API, ensure that the following is not
present in its VMX file: ethernet0.filter1.name = dv-filter1
where ethernet0 is the network adaptor interface of the virtual machine that is to be protected, filter1 is
the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel
module that is protecting the VM. If the VM is supposed to be protected, ensure that the name of the data VMX ethernetn.filtern.name = filtername
If the VM is not being protected by a VMsafe CPU/memory product, then check virtual machine
configuration file and verify that vmsafe.agentAddress is not present. If it is being protect by a VMsafe
CPU/Memory product, make sure this is set to the correct value VMX vmsafe.agentAddress
configuration file and verify that vmsafe.agentPort is not present. If it is being protect by a VMsafe
CPU/Memory product, make sure this is set to the correct value VMX vmsafe.agentPort
configuration file and verify that vmsafe.enable is either not present, or set to FALSE VMX vmsafe.enable
Desired Value Change Type Is desired value the default? vSphere API
N/A N/A N/A N/A
TRUE modify NO
http://pubs.vmware.com/vsphere-
51/topic/com.vmware.wssdk.apiref.do
c/vim.option.OptionValue.html
TRUE Add or Modify YES
FALSE Add or Modify YES
TRUE Add NO
TRUE Add NO
TRUE Modify NO
not present or independent nonpersistent remove, modify
FALSE Modify YES
FALSE Add NO
TRUE Add or Modify NO
TRUE Modify NO
TRUE Modify NO
TRUE Modify NO
TRUE Modify NO
TRUE Modify NO
TRUE Add NO
TRUE Add NO
TRUE Add NO
TRUE Add NO
TRUE Add NO
TRUE Add NO
TRUE Add NO
TRUE Add NO
TRUE Add NO
TRUE Add NO
TRUE Modify NO
TRUE Add NO
TRUE Add NO
N/A N/A N/A N/A
TRUE Add NO
not present or FALSE remove, modify NO
c/vim.vm.device.VirtualDevice.html
1 modify NO
2 modify NO
10 Add NO
100000 Add NO
1048576 Add or Modify NO
N/A N/A N/A N/A
TRUE Modify NO
TRUE Modify NO
FALSE Modify YES
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
undefined unless using dvfilter modify or remove YES
not present, or site-specific modify or remove YES
not present, or site-specific modify or remove YES
FALSE or not present modify or remove YES
ESXi Shell Command Assessment ESXi Shell Command Remediation vCLI Command Assessment
N/A N/A N/A
grep -i "isolation.tools.autoInstall.disable" [VMX] N/A
vmware-cmd --server [SERVER] --username [USERNAME] --
password [PASSWORD]
/vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo
isolation.tools.diskWiper.disable
grep -i "isolation.tools.copy.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.copy.disable
grep -i isolation.tools.dnd.disable [VMX] N/A
password [PASSWORD]
isolation.tools.dnd.disable
grep -i isolation.tools.setGUIOptions.enable [VMX] N/A
password [PASSWORD]
isolation.tools.setGUIOptions.enable
grep -i isolation.tools.paste.disable [VMX] N/A
password [PASSWORD]
isolation.tools.paste.disable
grep -i "isolation.tools.diskShrink.disable" [VMX] N/A
password [PASSWORD]
grep -i "isolation.tools.diskWiper.disable" [VMX] N/A
password [PASSWORD]
grep -i "isolation.tools.hgfsServerSet.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.hgfsServerSet.disable
grep -i "^scsi[0-9]*:[0-9]*.mode" [VMX] N/A
1. vifs --server [SERVER] --username [USERNAME] --password
[PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx 2. grep -
i "^scsi[0-9]*:[0-9]*.mode" [VMX]
grep -i "vmci0.unrestricted" [VMX] N/A
password [PASSWORD]
vmci0.unrestricted
grep -i "^logging" [VMX] N/A N/A
grep -i "isolation.monitor.control.disable" [VMX] N/A
password [PASSWORD]
isolation.monitor.control.disable
grep -i "isolation.tools.ghi.autologon.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.ghi.autologon.disable
grep -i "isolation.bios.bbs.disable" [VMX] N/A
password [PASSWORD]
isolation.bios.bbs.disable
grep -i "isolation.tools.getCreds.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.getCreds.disable
grep -i "isolation.tools.ghi.launchmenu.change" [VMX] N/A
password [PASSWORD]
isolation.tools.ghi.launchmenu.change
grep -i "isolation.tools.memSchedFakeSampleStats.disable"
[VMX] N/A
password [PASSWORD]
isolation.tools.memSchedFakeSampleStats.disable
grep -i "isolation.tools.ghi.protocolhandler.info.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.ghi.protocolhandler.info.disable
grep -i "isolation.ghi.host.shellAction.disable" [VMX] N/A
password [PASSWORD]
isolation.ghi.host.shellAction.disable
grep -i "isolation.tools.dispTopoRequest.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.dispTopoRequest.disable
grep -i "isolation.tools.trashFolderState.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.trashFolderState.disable
grep -i "isolation.tools.ghi.trayicon.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.ghi.trayicon.disable
grep -i "isolation.tools.unity.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.unity.disable
grep -i "isolation.tools.unityInterlockOperation.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.unityInterlockOperation.disable
grep -i "isolation.tools.unity.taskbar.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.unity.taskbar.disable
grep -i "isolation.tools.unityActive.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.unityActive.disable
grep -i "isolation.tools.unity.windowContents.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.unity.windowContents.disable
grep -i "isolation.tools.unity.push.update.disable" N/A
password [PASSWORD]
isolation.tools.unity.push.update.disable
grep -i "isolation.tools.vmxDnDVersionGet.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.vmxDnDVersionGet.disable
grep -i "isolation.tools.guestDnDVersionSet.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.guestDnDVersionSet.disable
N/A N/A N/A
grep -i "isolation.tools.vixMessage.disable" [VMX] N/A
password [PASSWORD]
isolation.tools.vixMessage.disable
grep -i "^floppy[0-9]*.present" [VMX] N/A
i "^floppy[0-9]*.present" [VMX]
grep -i "îde[0-9]*.present" [VMX] N/A
i "îde[0-9]*.present" [VMX]
grep -i "^parallel[0-9]*.present" [VMX] N/A
i "^parallel[0-9]*.present" [VMX]
grep -i "^serial[0-9]*.present" [VMX] N/A
i "^floppy[0-9]*.present" [VMX]
grep -i "ûsb[0-9]*.present" [VMX] N/A
i "ûsb[0-9]*.present" [VMX]
grep -i "RemoteDisplay.maxConnections" [VMX] N/A
password [PASSWORD]
RemoteDisplay.maxConnections
grep -i "RemoteDisplay.maxConnections" [VMX] N/A
password [PASSWORD]
RemoteDisplay.maxConnections
grep -i "log.keepOld" [VMX] N/A
password [PASSWORD]
log.keepOld
grep -i "log.rotateSize " [VMX] N/A
password [PASSWORD]
log.rotateSize
grep -i "tools.setInfo.sizeLimit" [VMX} N/A
password [PASSWORD]
tools.setInfo.sizeLimit
N/A N/A N/A
grep -i "isolation.device.connectable.disable" [VMX] N/A
password [PASSWORD]
isolation.device.connectable.disable
grep -i "isolation.device.edit.disable" [VMX] N/A
password [PASSWORD]
isolation.device.edit.disable
grep -i "tools.guestlib.enableHostInfo" [VMX] N/A
password [PASSWORD]
tools.guestlib.enableHostInfo
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
grep -i "êthernet[0-9]*.filter[0-9]*.name" [VMX] N/A
i "êthernet[0-9]*.filter[0-9]*.name" [VMX]
grep -i vmsafe.agentAddress [VMX] N/A
password [PASSWORD]
vmsafe.agentAddress
grep -i vmsafe.agentPort [VMX] N/A
password [PASSWORD]
vmsafe.agentPort
grep -i vmsafe.enable [VMX] N/A
password [PASSWORD]
vmsafe.enable
vCLI Command Remediation PowerCLI Command Assessment PowerCLI Command Remediation
N/A
# List all Resource shares on all VMs
Get-VM | Get-VMResourceConfiguration N/A
N/A
# List the VMs and their current settings
Get-VM | Get-AdvancedSetting -Name
"isolation.tools.autoInstall.disable"| Select Entity, Name, Value
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name
"isolation.tools.autoInstall.disable" -value $true
N/A
"isolation.tools.copy.disable" | Select Entity, Name, Value
"isolation.tools.copy.disable" -value $true
N/A
"isolation.tools.dnd.disable" | Select Entity, Name, Value
"isolation.tools.dnd.disable" -value $true
N/A
"isolation.tools.setGUIOptions.enable"| Select Entity, Name,
Value
"isolation.tools.setGUIOptions.enable" -value $false
N/A
"isolation.tools.paste.disable"| Select Entity, Name, Value
"isolation.tools.paste.disable" -value $true
N/A
"isolation.tools.diskShrink.disable"| Select Entity, Name, Value
"isolation.tools.diskShrink.disable" -value $true
N/A
"isolation.tools.diskWiper.disable"| Select Entity, Name, Value
"isolation.tools.diskWiper.disable" -value $true
N/A
"isolation.tools.hgfsServerSet.disable"| Select Entity, Name,
Value
"isolation.tools.hgfsServerSet.disable" -value $true
N/A
#List the VM's and their disk types
Get-VM | Get-HardDisk | Select Parent, Name, Filename,
DiskType, Persistence
#Alter the parameters for the following cmdlet to set the VM
Disk Type:
Get-VM | Get-HardDisk | Set-HardDisk
N/A
Get-VM | Get-AdvancedSetting -Name "vmci0.unrestricted" |
Select Entity, Name, Value
Get-VM | New-AdvancedSetting -Name "vmci0.unrestricted" -
value $false
N/A N/A N/A
N/A
"isolation.monitor.control.disable"| Select Entity, Name, Value
"isolation.monitor.control.disable" -value $true
N/A
"isolation.tools.ghi.autologon.disable"| Select Entity, Name,
Value
"isolation.tools.ghi.autologon.disable" -value $true
N/A
"isolation.bios.bbs.disable"| Select Entity, Name, Value
"isolation.bios.bbs.disable" -value $true
N/A
"isolation.tools.getCreds.disable"| Select Entity, Name, Value
"isolation.tools.getCreds.disable" -value $true
N/A
"isolation.tools.ghi.launchmenu.change" | Select Entity, Name,
Value
"isolation.tools.ghi.launchmenu.change" -value $true
N/A
"isolation.tools.memSchedFakeSampleStats.disable" | Select
Entity, Name, Value
"isolation.tools.memSchedFakeSampleStats.disable" -value
$true
N/A
"isolation.tools.ghi.protocolhandler.info.disable" | Select
Entity, Name, Value
"isolation.tools.ghi.protocolhandler.info.disable" -value $true
N/A
"isolation.ghi.host.shellAction.disable" | Select Entity, Name,
Value
"isolation.ghi.host.shellAction.disable" -value $true
N/A
"isolation.tools.dispTopoRequest.disable"| Select Entity,
Name, Value
"isolation.tools.dispTopoRequest.disable" -value $true
N/A
"isolation.tools.trashFolderState.disable"| Select Entity, Name,
Value
"isolation.tools.trashFolderState.disable" -value $true
N/A
"isolation.tools.ghi.trayicon.disable"| Select Entity, Name,
Value
"isolation.tools.ghi.trayicon.disable" -value $true
N/A
"isolation.tools.unity.disable"| Select Entity, Name, Value
"isolation.tools.unity.disable" -value $true
N/A
"isolation.tools.unityInterlockOperation.disable"| Select Entity,
Name, Value
"isolation.tools.unityInterlockOperation.disable" -value $true
N/A
"isolation.tools.unity.taskbar.disable" | Select Entity, Name,
Value
"isolation.tools.unity.taskbar.disable" -value $true
N/A
"isolation.tools.unityActive.disable" | Select Entity, Name,
Value
"isolation.tools.unityActive.disable" -value $True
N/A
"isolation.tools.unity.windowContents.disable" | Select Entity,
Name, Value
"isolation.tools.unity.windowContents.disable" -value $True
N/A
"isolation.tools.unity.push.update.disable" | Select Entity,
Name, Value
"isolation.tools.unity.push.update.disable" -value $true
N/A
"isolation.tools.vmxDnDVersionGet.disable"| Select Entity,
Name, Value
"isolation.tools.vmxDnDVersionGet.disable" -value $true
N/A
"isolation.tools.guestDnDVersionSet.disable"| Select Entity,
Name, Value
"isolation.tools.guestDnDVersionSet.disable" -value $true
N/A
N/A
"isolation.tools.vixMessage.disable"| Select Entity, Name,
Value
"isolation.tools.vixMessage.disable" -value $true
N/A
# Check for Floppy Devices attached to VMs
Get-VM | Get-FloppyDrive | Select Parent, Name,
ConnectionState
# Remove all Floppy drives attached to VMs
Get-VM | Get-FloppyDrive | Remove-FloppyDrive
N/A
# Check for CD/DVD Drives attached to VMs
Get-VM | Get-CDDrive
# Remove all CD/DVD Drives attached to VMs
Get-VM | Get-CDDrive | Remove-CDDrive
N/A
# In this Example you will need to add the functions from this
post: http://blogs.vmware.com/vipowershell/2012/05/working-
with-vm-devices-in-powercli.html
# Check for Parallel ports attached to VMs
Get-VM | Get-ParallelPort
# Remove all Parallel Ports attached to VMs
Get-VM | Get-ParallelPort | Remove-ParallelPort
N/A
# Check for Serial ports attached to VMs
Get-VM | Get-SerialPort
# Remove all Serial Ports attached to VMs
Get-VM | Get-SerialPort | Remove-SerialPort
N/A
# Check for USB Devices attached to VMs
Get-VM | Get-USBDevice
# Remove all USB Devices attached to VMs
Get-VM | Get-USBDevice | Remove-USBDevice
N/A
"RemoteDisplay.maxConnections" | Select Entity, Name, Value
"RemoteDisplay.maxConnections" -value 1
N/A
"RemoteDisplay.maxConnections" | Select Entity, Name, Value
"RemoteDisplay.maxConnections" -value 2
N/A
Get-VM | Get-AdvancedSetting -Name "log.keepOld"| Select
Entity, Name, Value
Get-VM | New-AdvancedSetting -Name "log.keepOld" -value
"10"
N/A
Get-VM | Get-AdvancedSetting -Name "log.rotateSize"| Select
Entity, Name, Value
Get-VM | New-AdvancedSetting -Name "log.rotateSize" -value
"100000"
N/A
Get-VM | Get-AdvancedSetting -Name "tools.setInfo.sizeLimit"
| Select Entity, Name, Value
"tools.setInfo.sizeLimit" -value 1048576
N/A
N/A
"isolation.device.connectable.disable" | Select Entity, Name,
Value
"isolation.device.connectable.disable" -value $true
N/A
"isolation.device.edit.disable" | Select Entity, Name, Value
"isolation.device.edit.disable" -value $true
N/A
"tools.guestlib.enableHostInfo"| Select Entity, Name, Value
"tools.guestlib.enableHostInfo" -value $false
N/A
N/A
N/A
N/A
"ethernetn.filtern.name*" | Select Entity, Name, Value
N/A
Get-VM | Get-AdvancedSetting -Name "vmsafe.agentAddress"
| Select Entity, Name, Value
N/A
Get-VM | Get-AdvancedSetting -Name "vmsafe.agentPort"|
N/A
Get-VM | Get-AdvancedSetting -Name "vmsafe.enable"|
Negative Functional Impact Reference Able to set using Host Profile?
N/A
This option disables tools auto install, all tools installs will have
to be manually started. N/A
This is the default setting so functionality remains the same N/A
N/A
N/A
This is the default setting so functionality remains the same N/A
Inability to shrink virtual machine disks in the event that a
datastore runs out of space. N/A
Inability to shrink virtual machine disks in the event that a
datastore runs out of space. N/A
This will cause the VMX process to not respond to commands
from the tools process, this may have a negative impact on
operations such as automated tools upgrades N/A
Wont be able to make use of nonpersistent mode, which
allows rollback to a known state when rebooting the VM. N/A
Virtual machines will be unable to communicate using VMCI
technology. doc reference for vmci obsoletion N/A
VM logs unavailable for troubleshooting and support. N/A
This configuration option may cause unexpected results, the
virtual machine will be completely unaware that it is running in
a virtualized setting. VMware tools will not install or function. N/A
N/A
N/A
N/A
N/A
N/A
Some automated tools and process may cease to function N/A
N/A
N/A
Guest will no longer be able to send messages via VIX API N/A
Virtual machine will need to be powered off to reverse change
if any of these devices are needed at a later time. N/A
Only one remote console connection to the VM will be
permitted. Other attempts will be rejected until the first
session disconnects. N/A
Only two remote console connections to the VM will be
permitted. Other attempts will be rejected until the one
session disconnects. This still allows sharing but keeps the
amount of connections limited N/A
N/A
N/A
N/A
N/A
Device interaction is blocked inside the guest OS using VMware
tools N/A
Device interaction is blocked inside the guest OS using VMware
tools N/A
Unable to retrieve performance information about the host
from inside the guest, there are times when this can be useful
for troubleshooting. N/A
N/A
N/A
N/A
incorrectly configuring this option can negatively impact
functionality of tools that use vmsafe API. N/A
ID Product Version Component Subcomponent
apply-patches vSphere 5.1 ESXI Install
config-firewall-access vSphere 5.1 ESXI Communication
config-ntp vSphere 5.1 ESXI Communication
config-persistent-logs vSphere 5.1 ESXI Logging
config-snmp vSphere 5.1 ESXI Communication
create-local-admin vSphere 5.1 ESXi Access
disable-dcui vSphere 5.1 ESXI Console
disable-esxi-shell vSphere 5.1 ESXI Console
disable-mob vSphere 5.1 ESXI Communication
disable-ssh vSphere 5.1 ESXi Console
enable-ad-auth vSphere 5.1 ESXI Access
enable-auth-proxy vSphere 5.1 ESXI Communication
enable-chap-auth vSphere 5.1 ESXI Storage
enable-host-profiles vSphere 5.1 ESXi Logging
enable-lockdown-mode vSphere 5.1 ESXI Console
enable-nfc-ssl vSphere 5.1 ESXI Communication
enable-remote-dump vSphere 5.1 ESXi Logging
enable-remote-syslog vSphere 5.1 ESXI Logging
esxi-no-self-signed-certs vSphere 5.1 ESXI Communication
limit-cim-access vSphere 5.1 ESXI Console
mask-zone-san vSphere 5.1 ESXI Storage
remove-authorized-keys vSphere 5.1 ESXi Console
set-dcui-access vSphere 5.1 ESXi Console
set-password-complexity vSphere 5.1 ESXI Access
set-shell-interactive-timeout vSphere 5.1 ESXI Console
set-shell-timeout vSphere 5.1 ESXI Console
unique-chap-secrets vSphere 5.1 ESXI Storage
verify-acceptance-level-accepted vSphere 5.1 ESXI Install
verify-acceptance-level-certified vSphere 5.1 ESXI Install
verify-acceptance-level-supported vSphere 5.1 ESXI Install
verify-admin-group vSphere 5.1 ESXI Access
verify-config-files vSphere 5.1 ESXI Console
verify-dvfilter-bind vSphere 5.1 ESXI Communication
verify-install-media vSphere 5.1 ESXI Install
verify-kernel-modules vSphere 5.1 ESXI Install
vmdk-zero-out vSphere 5.1 ESXi Storage
vpxuser-password-age vSphere 5.1 ESXI Access
Title
Keep ESXi system properly patched.
Configure the ESXi host firewall to restrict
access to services running on the host
Configure NTP time synchronization
Configure persistent logging for all ESXi host
Ensure proper SNMP configuration
Create a non-root user account for local
admin access
Disable DCUI to prevent local administrative
control.
Disable ESXi Shell unless needed for
diagnostics or troubleshooting.
Disable Managed Object Browser (MOB)
Disable SSH
Use Active Directory for local user
authentication.
When adding ESXi hosts to Active Directory
use the vSphere Authentication Proxy to
protect passwords
Enable bidirectional CHAP authentication for
iSCSI traffic.
Configure Host Profiles to monitor and alert
on configuration changes
Enable lockdown mode to restrict remote
access.
Enable SSL for Network File copy (NFC)
Configure a centralized location to collect
ESXi host core dumps
Configure remote logging for ESXi hosts
Do not use default self-signed certificates for
ESXi communication.
Do not provide administrator level access (i.e.
root) to CIM-based hardware monitoring
tools or other 3rd party applications.
Mask and zone SAN resources appropriately.
Remove keys from SSH authorized_keys file.
Set DCUI.Access to allow trusted users to
override lockdown mode
Establish a password policy for password
complexity.
Set a timeout to automatically terminate idle
ESXi Shell and SSH sessions.
Set a timeout to limit how long the ESXi Shell
and SSH services are allowed to run
Ensure uniqueness of CHAP authentication
secrets.
Verify Image Profile and VIB Acceptance
Levels.
Levels.
Levels.
Verify Active Directory group membership for
the "ESXi Admins" group.
Verify contents of exposed configuration files
Prevent unintended use of dvfilter network
APIs.
Verify the integrity of the installation media
before installing ESXi
Verify no unauthorized kernel modules are
loaded on the host.
Zero out VMDK files prior to deletion
Ensure that vpxuser auto-password change
meets policy.
Vulnerability Discussion Profile Control Type
By staying up to date on ESXi patches, vulnerabilities in the
hypervisor can be mitigated. An educated attacker can
exploit known vulnerabilities when attempting to attain
access or elevate privileges on an ESXi host. 1,2,3 Operational
Unrestricted access to services running on an ESXi host can
expose a host to outside attacks and unauthorized access.
Reduce the risk by configuring the ESXi firewall to only allow
access from authorized networks. 1,2,3 Configuration
By ensuring that all systems use the same relative time
source (including the relevant localization offset), and that
the relative time source can be correlated to an agreed-upon
time standard (such as Coordinated Universal TimeUTC),
you can make it simpler to track and correlate an intruders
actions when reviewing the relevant log files. Incorrect time
settings can make it difficult to inspect and correlate log files
to detect attacks, and can make auditing inaccurate. 1,2,3 Parameter
ESXi can be configured to store log files on an in-memory file
system. This occurs when the host's "/scratch" directory is
linked to "/tmp/scratch". When this is done only a single
day's worth of logs are stored at any time, in addition log
files will be reinitialized upon each reboot. This presents a
security risk as user activity logged on the host is only stored
temporarily and will not persistent across reboots. This can
also complicate auditing and make it harder to monitor
events and diagnose issues. ESXi host logging should always
be configured to a persistent datastore. 1,2,3 Parameter
If SNMP is not being used, it should remain disabled. If it is
being used, the proper trap destination should be
configured. If SNMP is not properly configured, monitoring
information can be sent to a malicious host that can then use
this information to plan an attack. Note: ESXi 5.1 supports
SNMPv3 which provides stronger security than SNMPv1 or
SNMPv2, including key authentication and encryption. 1,2,3 Parameter
By default each ESXi host has a single "root" admin account
that is used for local administration and to connect the host
to vCenter Server. To avoid sharing a common root account
it is recommended on each host to create at least one named
user account and assign it full admin privileges and to use
this account in lieu of a shared "root" account. Set a highly
complex password for the "root" account and secure it in a
safe location. Limit the use of "root" but do not remove the
"root" account. 1.2.3 Configuration
The DCUI allows for low-level host configuration such as
configuring IP address, hostname and root password as well
as diagnostic capabilities such as enabling the ESXi shell,
viewing log files, restarting agents, and resetting
configurations. Actions performed from the DCUI are not
tracked by vCenter Server. Even if Lockdown Mode is
enabled, users who are members of the DCUI.Access list can
perform administrative tasks in the DCUI bypassing RBAC and
auditing controls provided through vCenter. DCUI access can
be disabled. Disabling it prevents all local activity and thus
forces actions to be performed in vCenter Server where they
can be centrally audited and monitored. 1 Parameter
ESXi Shell is an interactive command line environment
available from the DCUI or remotely via SSH. Access to this
mode requires the root password of the server. The ESXi
Shell can be turned on and off for individual hosts. Activities
performed from the ESXi Shell bypass vCenter RBAC and
audit controls. The ESXi shell should only be turned on when
needed to troubleshoot/resolve problems that cannot be
fixed through the vSphere client or vCLI/PowerCLI. 1,2,3 Parameter
The managed object browser (MOB) provides a way to
explore the object model used by the VMkernel to manage
the host; it enables configurations to be changed as well. This
interface is meant to be used primarily for debugging the
vSphere SDK but because there are no access controls it
could also be used as a method obtain information about a
host being targeted for unauthorized access. 1,2,3 Parameter
The ESXi shell, when enabled, can be accessed directly from
the host console through the DCUI or remotely using SSH.
Remote access to the host should be limited to the vSphere
Client, remote command-line tools (vCLI/PowerCLI), and
through the published APIs. Under normal circumstances
remote access to the host using SSH should be disabled. 1,2,3 Parameter
Join ESXi hosts to an Active Directory (AD) domain to
eliminate the need to create and maintain multiple local user
accounts. Using AD for user authentication simplifies the ESXi
host configuration, ensures password complexity and reuse
policies are enforced and reduces the risk of security
breaches and unauthorized access. Note: if the AD group
"ESX Admins" (default) is created all users and groups that
are assigned as members to this group will have full
administrative access to all ESXi hosts the domain. Refer to
the "verify-admin-group" recommendation for more
information. 1,2,3 Configuration
If you configure your host to join an Active Directory domain
using Host Profiles the active directory credentials are saved
in the host profile and are transmitted over the network. To
avoid having to save active directory credentials in the Host
Profile and to avoid transmitting active directory credentials
over the network use the vSphere Authentication Proxy. 1,2,3 Parameter
vSphere allows for the use of bidirectional authentication of
both the iSCSI target and host. Choosing not to enforce more
stringent authentication can make sense if you create a
dedicated network or VLAN to service all your iSCSI devices.
By not authenticating both the iSCSI target and host, there is
a potential for a MiTM attack in which an attacker might
impersonate either side of the connection to steal data.
Bidirectional authentication can mitigate this risk. If the iSCSI
facility is isolated from general network traffic, it is less
vulnerable to exploitation. 1,2,3 Parameter
Monitoring for configuration drift and unauthorized changes
is critical to ensuring the security of an ESXi hosts. Host
Profiles provide an automated method for monitoring host
configurations against an established template and for
providing notification in the event deviations are detected. 1,2,3 Parameter
Enabling lockdown mode disables direct access to an ESXi
host requiring the host be managed remotely from vCenter
Server. Lockdown limits ESXi host access to the vCenter
server. This is done to ensure the roles and access controls
implemented in vCenter are always enforced and users
cannot bypass them by logging into a host directly. By
forcing all interaction to occur through vCenter Server, the
risk of someone inadvertently attaining elevated privileges or
performing tasks that are not properly audited is greatly
reduced. Note: Lockdown mode does not apply to users
who log in using authorized keys. When you use an
authorized key file for root user authentication, root users
are not prevented from accessing a host with SSH even when
the host is in lockdown mode. Note that users listed in the
DCUI.Access list for each host are allowed to override
lockdown mode and login to the DCUI. By default the "root"
user is the only user listed in the DCUI.Access list. 1,2,3 Parameter
NFC (Network File Copy) is the name of the mechanism used
to migrate or clone a VM between two ESXi hosts over the
network. By default, SSL is used only for the authentication
of the transfer, but If desired, SSL can also be enabled on the
data transfer. Without this setting VM contents could
potentially be sniffed if the management network is not
adequately isolated and secured. 1 Parameter
When a host crashes, an analysis of the resultant core dump
is essential to being able to identify the cause of the crash to
identify a resolution. Installing a centralized dump collector
helps ensure that core files are successfully saved and made
available in the event an ESXi host should ever panic. 1,2,3 Parameter
Remote logging to a central log host provides a secure,
centralized store for ESXi logs. By gathering host log files
onto a central host you can more easily monitor all hosts
with a single tool. You can also do aggregate analysis and
searching to look for such things as coordinated attacks on
multiple hosts. Logging to a secure, centralized log server
also helps prevent log tampering and also provides a long-
term audit record. To facilitate remote logging provides the
vSphere Syslog Collector. 1,2,3 Parameter
Using the default self-signed certificates leaves the SSL
connection open to Man-in-The-Middle (MiTM) attacks.
Replace default self-signed certificates with those from a
trusted CA, either commercial or organizational. 1,2,3 Configuration
The CIM system provides an interface that enables hardware-
level management from remote applications via a set of
standard APIs. To ensure that the CIM interface remains
secure only provide the minimum access necessary to these
applications. Do not provision CIM and other 3rd party tools
to run as root or another administrator account. Instead, use
a dedicated service account with a limited privilege set If
CIM or other 3rd party are granted unneeded administrator
level access they could potentially become a back door and
compromise security of the host. 1,2,3 Operational
You should use zoning and LUN masking to segregate SAN
activity. For example, you manage zones defined for testing
independently within the SAN so they do not interfere with
activity in the production zones. Similarly, you can set up
different zones for different departments. Zoning must take
into account any host groups that have been set up on the
SAN device. 1,2,3 Operational
ESXi hosts come with SSH which can be enabled to allow
remote access without requiring user authentication. To
enable password free access copy the remote users public
key into the "/etc/ssh/keys-root/authorized_keys" file on the
ESXi host. The presence of the remote user's public key in
the "authorized_keys" file identifies the user as trusted,
meaning the user is granted access to the host without
providing a password. Note: Lockdown mode does not
apply to root users who log in using authorized keys. When
you use an authorized key file for root user authentication,
root users are not prevented from accessing a host with SSH
even when the host is in lockdown mode. 1,2,3 Configuration
Lockdown disables direct host access requiring admins
manage hosts from vCenter. However, if a host becomes
isolated from vCenter the admin would become locked out
and would be unable to manage the host. To avoid
potentially becoming locked out of an ESXi hosts that is
running in locked down mode set the DCUI.Access to a list of
highly trusted users that are allowed to override the
lockdown mode and access the DCUI. 1,2,3 Parameter
ESXi uses the pam_passwdqc.so plug-in to set password
strength and complexity. It is important to use passwords
that are not easily guessed and that are difficult for password
generators to determine. Note, ESXi imposes no restrictions
on the root password. Password strength and complexity
rules only apply to non-root users. 1,2,3 Parameter
If a user forgets to logout of their SSH session the idle
connection will remain indefinitely increasing the potential
for someone to gain privileged access to the host. The
ESXiShellInteractiveTimeOut allows you to automatically
terminate idle shell sessions. 1,2,3 Parameter
When the ESXi Shell or SSH services are enabled on a host
they will run indefinitely. To avoid having these services left
running set the ESXiShellTimeOut . The ESXiShellTimeOut
defines a window of time after which the ESXi Shell and SSH
services will automatically be terminated. 1,2,3 Parameter
The mutual authentication secret for each host should be
different; if possible, the secret should be different for each
client authenticating to the server as well. This ensures that
if a single host is compromised, an attacker cannot create
another arbitrary host and authenticate to the storage
device. With a single shared secret, compromise of one host
can allow an attacker to authenticate to the storage device. 1,2,3 Parameter
Verify the ESXi Image Profile to only allow signed VIBs. An
unsigned VIB represents untested code installed on an ESXi
host. The ESXi Image profile supports four acceptance levels:
(1) VMwareCertified - VIBs created, tested and signed by
VMware, (2) VMwareAccepted - VIBs created by a VMware
partner but tested and signed by VMware, (3)
PartnerSupported - VIBs created, tested and signed by a
certified VMware partner, and (4) CommunitySupported -
VIBs that have not been tested by VMware or a VMware
partner. Community Supported VIBs are not supported and
do not have a digital signature. To protect the security and
integrity of your ESXi hosts do not allow unsigned
(CommunitySupported) VIBs to be installed on your hosts. 2 Parameter
The AD group used by vSphere is defined by the
"esxAdminsGroup" attribute, by default this attribute is set
to "ESX Admins". All members of the "ESX Admins" group
are granted full administrative access to all ESXi hosts in the
domain. Monitor AD for the creation of this group and limit
membership to highly trusted users and groups. 1,2,3 Configuration
Although most configurations on ESXi are controlled via an
API, there are a limited set of configuration files that are
used directly to govern host behavior. These specific files are
exposed via the vSphere HTTPS-based file transfer API. Any
changes to these files should be correlated with an approved
administrative action, such as an authorized configuration
change. Tampering with these files has the potential to
enable unauthorized access to the host configuration and
virtual machines. WARNING: do not attempt to monitor files
that are NOT exposed via this file-transfer API, since this can
result in a destabilized system 1 Operational
If you are not using products that make use of the dvfilter
network API (e.g. VMSafe), the host should not be configured
to send network information to a VM. If the API is enabled,
an attacker might attempt to connect a VM to it, thereby
potentially providing access to the network of other VMs on
the host. If you are using a product that makes use of this
API then verify that the host has been configured correctly. 1,2,3 Parameter
Always check the SHA1 hash after downloading an ISO,
offline bundle, or patch to ensure integrity and authenticity
of the downloaded files. If you obtain physical media from
VMware and the security seal is broken, return the software
to VMware for a replacement. 1,2,3 Operational
VMware provides digital signatures for kernel modules. By
default the ESXi host does not permit loading of kernel
modules that lack a valid digital signature. However, this
behavior can be overridden allowing unauthorized kernel
modules to be loaded. Untested or malicious kernel
modules loaded on the ESXi host can put the host at risk for
instability and/or exploitation. 1,2,3 Operational
To help prevent sensitive data in VMDK files from being read
off the physical disk after it is deleted, the virtual disk should
be zeroed out prior to deletion. This will make it more
difficult for someone to reconstruct the contents of the
VMDK file. The CLI command 'vmkfstools -writezeroes' can
be used to write zeros to the entire contents of a VMDK file
prior to its deletion. 1,2 Operational
By default, the vpxuser password will be automatically
changed by vCenter every 30 days. Ensure that this setting
meets your policies; if not, configure to meet password aging
policies. NOTE: It is very important that the password aging
policy not be shorter than the interval that is set to
automatically change the vpxuser password, to preclude the
possibility that vCenter might get locked out of an ESXi host.
If an attacker obtains the vpxuser password, the password
can be used only for a limited amount of time. 1,2,3 Parameter
Assessment Procedure
Employ a process to keep ESXi hosts up to date with patches in accordance with industry-standards
and internal guidelines. VMware Update Manager is an automated tool that can greatly assist with
this. VMware also publishes Advisories on security patches, and offers a way to subscribe to email
alerts for them.
From the vSphere web client, select the host and go to "Manage" -> "Security Profile". In the
"Firewall" section select "Edit...". For each enabled service, (e.g. ssh, vSphere Web Access, http
client) provide a range of allowed IP addresses.
From the vSphere web client select the host and click "Manage" -> "Time Configuration" and click the
"Edit..." button. Provide the name/IP of your NTP servers, start the NTP service and change the
startup policy to "Start and stop with host". Notes: verify the NTP firewall ports are open. It is
recommended to synchronize the ESXi clock with a time server that is located on the management
network rather than directly with a time server on a public network. This time server can then
synchronize with a public source through a strictly controlled network connection with a firewall.
Logon to the ESXi shell and run "ls -al /" to verify "/scratch" is not linked to "/tmp/scratch". If
"/scratch" is linked to "/tmp/scratch" change it to a persistent datastore. First, Identify the datastore
path where you want to place scratch, then login to the vSphere web client, navigating to the host
and select "Manage" -> "Advanced System Settings", enter "Syslog.global.LogDir" in the filter. Set
the "Syslog.global.LogDir" to the desired datastore path. Note: the Syslog.global.LogDir must be set
for each host. The host syslog parameters can also be configured the vCLI or PowerCLI, or using an
API client.
From the ESXi Shell or vCLI run "esxcli system snmp get " to determine if SNMP is being used. If SNMP
is not being used, make sure that it is disabled by running "esxcli system snmp set --enable false ". If
SNMP is being used, refer to the vSphere Monitoring and Performance guide, chapter 8 for steps to
configure the required parameters. Notes: (1) SNMP must be configured on each ESXi host. (2) you
can also set SNMP settings using Host Profiles.
Local ESXi user accounts cannot be created using the vSphere web client, you must use the vSphere
client. Connect directly to the ESXi host using the vSphere Client. Login as root. Select the "Local
Users & Groups" tab and add a local user, be sure to grant shell access to this user. Then select the
"Permissions" tab and assign the "Administrator" role to the user. Repeat this for each ESXi hosts.
Notes: (1) even if you add your ESXi host to an Active Directory domain it is still recommended to add
at least one local user account to ensure admins can still login in the event the host ever becomes
isolated and unable to access Active Directory. (2) adding local user accounts can be automated
using Host Profiles.
From the vSphere web client select the host and select "Manage" -> "Security Profile". Scroll down to
"Services" and click "Edit...". Select "Direct Console UI", click "Stop" and change the Startup Policy "to
Start and Stop Manually". Note, consider using Lockdown mode to restrict access to the DCUI
opposed to disabling the DCUI. If the DCUI is disabled and the host becomes isolated from vCenter
you could become locked out.
From the DCUI: select "Troubleshooting Options" from the main menu and select "Enable ESXi Shell".
From the vSphere web client select the host and select "Manage" -> "Security Profile". Scroll down to
"Services" and click "Edit...". Select "ESXi Shell", click "Stop" and change the Startup Policy "to Start
and Stop Manually".. Note: A host warning is displayed in the web client anytime the ESXi Shell is
enabled on a host. If the ESXi shell is ever enabled be sure to set the ESXiShellTimeOut and
ESXiShellInteractiveTimeOut.
To determine if the MOB is enabled run the following command from the ESXi shell: "vim-cmd
proxysvc/service_list". To disable the MOB run 'vim-cmd proxysvc/remove_service "/mob"
"httpsWithRedirect"'. Note: You cannot disable the MOB while a host is in lockdown mode.
From the DCUI main menu select "Troubleshooting Options -> Disable ESXi SSH". From the vSphere
web client select the host and select "Manage" -> "Security Profile". Scroll down to "Services" and
click "Edit...". Select "SSH", click "Stop" and change the Startup Policy "to Start and Stop Manually".
Notes: A host warning is displayed in the web client anytime SSH is enabled on a host. If the SSH is
ever enabled be sure to set the ESXiShellTimeOut and ESXiShellInteractiveTimeOut.
From the vSphere Web Client, select the host and go to "Manage" -> "Authentication Services" and
click the "Join Domain" button. Provide the domain name along with the user credentials for an AD
user that has the rights to join computers to the domain. Notes: (1) you can use Host Profiles to
automate adding hosts to an AD domain. (3) Consider using the vSphere Authentication proxy to
avoid transmitting AD credentials over the network. Refer to the "enable-auth-proxy"
recommendation for more information.
Install and configure the Authentication proxy. From the vSphere web client, navigate to "Host
Profiles", select the host profile, select "Manage" -> "Edit Host profile". Expand "Security and
Services" -> "Security Settings" -> "Authentication Configuration". Select "Active Directory
configuration" and set the "Join Domain Method" to "Use vSphere Authentication Proxy to add the
host do domain" and provide the IP address of the authentication proxy.
In the vSphere client navigate to the host and select "Configuration" -> "Storage Adaptors" -> "iSCSI
Initiator Properties" -> "CHAP" -> "CHAP (Target Authenticates Host)". Verify "Use Chap" is selected
with a Name and a "Secret" configured.
Configure a reference ESXi host with the desired configuration and use the host to create a Host
Profile. Attach the host profile to other hosts with identical hardware configurations. Monitor hosts
compliance to the host profile from the vSphere Client. Note: a separate Host Profile is needed for
different hardware configurations.
From the DCUI 1. Log in directly to the ESXi host. 2. Open DCUI on the host. 3. Press F2 for Initial
Setup. 4. Toggle the Configure Lockdown Mode setting. From the vSphere web client, select the
host then select "Manage" -> "Security Profile". Scroll down to "Lockdown Mode" and click "Edit...".
Select the Enable Lockdown Mode checkbox.
From the vSphere client select "Administration -> vCenter Server Settings -> Advanced Settings".
Check of the "config.nfc.useSSL" key exist and if so verify it is set to "true". If the key does not exist,
add it to the list of keys setting the value to "true".
Step 1: Install and configure a dump collector (vSphere Netdump Collector recommended). Step 2:
From the ESXi Shell or vCLI enable remote dump collection for each host using the "esxcli system
coredump network set " command.
Step 1: Install/Enable a syslog host (vSphere Syslog Collector recommended). Step 2: From the
vSphere web client select the host and click "Manage" -> "Advanced Sytem Settings", and enter
"Syslog.global.logHost" in the filter. Set the "Syslog.global.logHost" to the hostname of your syslog
server. Note: when setting a remote log host it is also recommended to set the
"Syslog.global.logDirUnique" to true. You must configure the syslog settings for each host. The host
syslog parameters can also be configured the vCLI or PowerCLI, or using an API client.
Connect to each ESX/ESXi host with an internet browser, https://<hostname>/. View the details of
the SSL certificate, determine if it is issued by a trusted CA, either commercial or organizational. To
change SSL certificates refer to KB http://kb.vmware.com/kb/2034833
Create a limited-privileged service account for CIM and other 3rd party applications. This account
should access the system via vCenter, and needs to be provided only the "CIM Interaction" privilege.
This will enable the account to obtain a CIM ticket, which can then be used to perform both read and
write CIM operations on the target host If an account must connect to the host directly, then this
account must be granted the full "Administrator" role on the host. This is not recommended unless
required by the monitoring software being used.
Zoning and masking capabilities for each SAN switch and disk array are vendor specific, as are the
tools for managing LUN masking.
For day-to-day operations disable SSH on your ESXi hosts. In the event that SSH is enabled, even
temporarily, monitor the contents of the "/etc/ssh/keys-root/authorized_keys" to ensure no users
are allowed to access the host without proper authentication. To check for SSH keys added to the
authorized_keys file logon to the ESXi shell as root and verify the /etc/ssh/keys-root/authorized_keys
file is empty. If the file is not empty remove any keys found in the file.
From the vSphere client, select the host and select "Manage" -> "Advanced System Settings". Type
"DCUI.Acces" in the filter. Set the "DCUI.Access" attribute to a comma separated list the users who
are allowed to override lockdown mode. Notes: by default only the "root" user is a member of the
DCUI.Access list. It is not recommended to remove root from the DCUI.Access list as this will revoke
the root users admin privileges on the host.
Edit the "password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4"
entry in the /etc./pam.d/passwd file as outlined in the vSphere Security Guide, Chapter 7 Page 93.
Verify the expected settings are configured in the /etc/pam.d/passwd file.
From the DCUI: select "Troubleshooting Options" -> "Modify ESXi Shell and SSH Timeouts". Modify
the ESXiShellInteractiveTimeout to the desired value. Note: the ESXi Shell and SSH services must be
disabled in order to modify the setting from the DCUI. From the vSphere web client select the host
and click "Manage" -> "Advanced System Settings" and type ESXiShellInteractiveTimeOut in the filter.
Set the attribute to the desired value. Note: A value of 0 disables the ESXi ShellInteractiveTimeOut.
It is recommended to set the ESXiShellTimeOut together with ESXiShellInteractiveTimeOut.
From the DCUI: select "Troubleshooting Options" -> "Modify ESXi Shell and SSH Timeouts". Modify
the ESXiShellTimeout to the desired value. Note: the ESXi Shell and SSH services must be disabled in
order to modify the setting from the DCUI. From the vSphere web client select the host and click
"Manage" -> "Advanced System Settings" and type ESXiShellTimeOut in the filter. Set the attribute to
the desired value. Note: A value of 0 disables the ESXi ShellTimeOut. It is recommended to set the
ESXiShellInteractiveTimeOut together with ESXiShellTimeOut.
In the vSphere Client navigate to the host and select "Configuration" -> "Storage Adaptors" -> "iSCSI
Initiator Properties" -> "CHAP" -> "CHAP (Target Authenticates Host)". Verify that a different
authentication secret is configured for each ESXi host.
STEP 1: Connect to each ESX/ESXi host using the ESXi Shell or vCLI and execute the command "esxcli
software acceptance get" to verify the acceptance level is set to either "VMwareCertified" or
"VMwareAccepted". STEP 2: Connect to each ESX/ESXi host using the vCLI and execute the command
"esxcli software vib list" and verify the acceptance level for each VIB is set to "VMwareCertified" or
"VMwareAccepted".
STEP 1: Connect to each ESX/ESXi host using theESXi Shell or vCLI and execute the command "esxcli
software acceptance get" to verify the acceptance level is set to "VMware Certified". STEP 2:
Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software vib list" and
verify the acceptance level for each VIB is set to "VMware Certified".
STEP 1: Connect to each ESX/ESXi host using the ESXi Shell or vCLI and execute the command "esxcli
software acceptance get" to verify the acceptance level is at either "VMware Certified", "VMware
Supported", or "PartnerSupported". STEP 2: Connect to each ESX/ESXi host using the vCLI and
execute the command "esxcli software vib list" and verify the acceptance level for each VIB is either
"VMware Certified", "VMware Supported", or "Partner Supported"
From Active Directory monitor the membership of the group name that is defined by the advanced
host setting: "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" (default is ESX Admins. As with any
default group, consider changing this name to avoid possible exploits) and verify only authorized user
and group accounts are members of this group. If full admin access for the AD ESX admins group is
not desired you can disable this behavior using the advanced host setting:
"Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd "
ESXi Configuration files can be found by browsing to https://<hostname>/host (not available if MOB is
disabled). NOTE: not all the files listed are modifiable. The files can also be retrieved using the vCLI or
PowerCLI. Implement a procedure to track the files and their contents over time to ensure that they
are not improperly modified. Be sure not to monitor log files and other files whose content is
expected to change regularly due to system activity. Also, account for configuration file changes that
are due to deliberate administrative activity. It is recommended to keep reoccurring backups of a
host configuration. Note: Host Profiles may also be used to track configuration changes on the host;
however Host Profiles do not track all configuration changes
If a dvfilter-based network security appliance is not being used on the host, ensure that the following
kernel parameter has a blank value: /Net/DVFilterBindIpAddress. From the vSphere web client select
the host and click "Manage" -> "Advanced System Settings". Enter "Net.DVFilterBindIpAddress" in
the filter and verify "Net.DVFilterBindIpAddress" has an empty value. If an appliance is being used,
then make sure the value of this parameter is set to the proper IP address. Note: this must be done
for each ESXi host.
After downloading media use the MD5 sum value to verify the integrity of the download. Compare
the MD5 sum output with the value posted on the VMware website. Notes: each operating system
will have a different method/tool for checking MD5 sum values. For microsoft you can download an
add-on product as identified in http:/support.microsoft.com/kb/841290. For Mac OS use the "md5"
command. For Linux use the "md5sum" command.
Each ESXi host should be monitored for unsigned kernel modules. To list all the loaded kernel
modules from the ESXi Shell or vCLI run: "esxcli system module list". For each module verify the
signature by running "esxcli system module get -m <module>". Secure the host by disabling unsigned
modules and removing the offending VIBs from the host. Note: evacuate VMs and place the host
into maintenance mode before disabling kernel modules. Note there are known discrepancies with
unsigned kernel modules in ESXi 5.0u1 and 5.1, see http://kb.vmware.com/kb/2042473.
When deleting a VMDK file with sensitive data, shut down or stop the virtual machine, and then issue
the CLI command 'vmkfstools -writezeroes' on that file prior to deleting it from the datastore.
From the vSphere web client, select the vCenter Server and go to "Manage" -> "Advanced Settings".
Enter "VimPasswordExpirationInDays" in the filter. Set "VirtualCenter.VimPasswordExpirationInDays"
to comply with your requirements. Default is 30 days.
Configuration File Configuration Parameter Desired Value
N/A N/A N/A
N/A N/A Site Specific
/etc/ntp.conf N/A Site Specific
N/A Syslog.global.logDir Site Specific
/etc/vmware/snmp.xml N/A site-specific
N/A N/A N/A
N/A N/A Stopped
N/A N/A Stopped
N/A N/A Remove Service
N/A N/A Stopped
N/A N/A N/A
N/A N/A Site Specific
N/A Use Chap, Name, Secret Site Specific
N/A N/A N/A
N/A vimsvc/auth/lockdown_is_enabled Enabled
Windows =
C:\ProgramData\VMware\V
Mware
VirtualCenter\vpxd.cfg
VCSA = /etc/vmware-
vpx/vpxd.cfg config.nfc.useSSL True
N/A N/A N/A
N/A Syslog.global.logHost Site Specific
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
/etc/ssh/keys-
root/authorized_keys N/A N/A
N/A DCUI.Access
N/A or list of
authorized users
/etc/pam.d/passwd
password requisite
/lib/security/$ISA/pam_passwdqc.so Site specific
N/A UserVars.ESXiShellInteractiveTimeOut Site Specific
N/A UserVars.ESXiShellTimeOut Site Specific
Secret site-dependent
N/A N/A
VMwareCertified
VMwareAccepted
N/A N/A VMwareCertified
N/A N/A
VMwareCertified
VMwareAccepted
PartnerSupported
N/A N/A N/A
N/A N/A N/A
N/A Net.DVFilterBindIpAddress empty
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
On Windows:
C:\Documents and
Settings\All
Users\Application
Data\VMware\VMware
VirtualCenter\vpxd.cfg
VCSA: /etc/vmware-
vpx/vpxd.cfg
VirtualCenter.VimPasswordExpirationInD
ays Site Specific
Change Type
Is desired value the
default?
Update N/A
Modify NO
Modify NO
Modify
When booting from a local
disk YES. When booting from
USB/SD or when using Auto
Deploy NO.
Modify N/A
N/A NO
Modify NO
Modify YES
Remove NO
Modify YES
N/A N/A
Modify NO
modify NO
N/A NO
Modify NO
Add NO
Modify NO
Modify NO
Configuration NO
N/A N/A
N/A N/A
N/A YES
Modify NO
Modify YES
Modify NO
Modify NO
modify NO
Verify NO
Verify NO
Verify YES
N/A N/A
N/A N/A
Modify YES
N/A N/A
YES
N/A N/A
Modify N/A
vSphere API
N/A
51/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSyste
m.html
51/topic/com.vmware.wssdk.apiref.doc/vim.host.DateTimeSys
tem.html
51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionMa
nager.html
51/topic/com.vmware.wssdk.apiref.doc/vim.host.SnmpSystem
.html
N/A
m.html
m.html
N/A
m.html
51/topic/com.vmware.wssdk.apiref.doc/vim.host.ActiveDirect
oryAuthentication.html
51/topic/com.vmware.wssdk.apiref.doc/vim.host.ActiveDirect
oryAuthentication.html
51/topic/com.vmware.wssdk.apiref.doc/vim.host.InternetScsi
Hba.AuthenticationProperties.html
51/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc%2Fvim.
profile.host.HostProfile.html
51/topic/com.vmware.wssdk.apiref.doc/vim.HostSystem.html
N/A
N/A
nager.html
N/A
51/topic/com.vmware.wssdk.apiref.doc/vim.host.LocalAccoun
tManager.html
N/A
N/A
nager.html
N/A
nager.html
nager.html
51/topic/com.vmware.wssdk.apiref.doc/vim.host.InternetScsi
Hba.AuthenticationProperties.html
51/topic/com.vmware.wssdk.apiref.doc/vim.host.ImageConfig
Manager.html
Manager.html
Manager.html
N/A
N/A
nager.html
N/A
N/A
51/topic/com.vmware.wssdk.apiref.doc/vim.VirtualDiskManag
er.html
nager.html
ESXi Shell Command Assessment
# esxcli software profile get / # esxcli software vib get
#List all services: ls /etc/init.d #get service status:
/etc/init.d/[SERVICE] status
N/A
# esxcli system syslog config get
# esxcli system snmp get
N/A
# chkconfig --list DCUI
# chkconfig --list ESXShell
vim-cmd proxysvc/service_list
# chkconfig --list SSH
TBD
N/A
# esxcli iscsi adapter auth chap get
N/A
# To check if Lockdown mode is enabled: vim-cmd -U dcui
vimsvc/auth/lockdown_is_enabled
N/A
esxcli system coredump network get
# esxcli system syslog config get
N/A
N/A
N/A
N/A
vim-cmd hostsvc/advopt/view DCUI.Access
N/A
# esxcli --formatter=csv --format-param=fields="Path,Int
Value" system settings advanced list | grep
/UserVars/ESXiShellInteractiveTimeOut
/UserVars/ESXiShellTimeOut
# esxcli iscsi adapter auth chap get
# esxcli software acceptance get # esxcli software vib list
N/A
N/A
/Net/DVFilterBindIpAddress
N/A
# esxcli system modules get -m <module>
N/A
N/A
ESXi Shell Command Remediation
# esxcli software profile update / # esxcli
software vib update
# /etc/init.d/[SERVICE] STOP
N/A
# esxcli system syslog config set --logDir
# Configure Community String
esxcli system snmp set --communities
[COMMUNITY]
# Configure SNMP Target
esxcli system snmp set --targets
[TARGET]@[PORT]/[COMMUNITY]
# Enable SNMP
esxcli system snmp set --enable true
N/A
# chkconfig DCUI off
#stop ESXi Shell: /etc/init.d/ESXShell stop
#disable ESXi Shell: chkconfig ESXShell off
vim-cmd proxysvc/remove_service "/mob"
"httpsWithRedirect"
# /etc/init.d/ESXShell stop # chkconfig SSH
off
TBD
N/A
# esxcli iscsi adapter auth chap set
N/A
# To disable Lockdown mode: vim-cmd -U
dcui vimsvc/auth/lockdown_mode_exit
# To enable Lockdown mode: vim-cmd -U
dcui vimsvc/auth/lockdown_mode_enter
N/A
# Configure remote Dump Collector Server
esxcli system coredump network set -v
[VMK#] -i [DUMP_SERVER] -o [PORT]
# Enable remote Dump Collector
esxcli system coredump network set -e true
# esxcli system syslog config set loghost
# esxcli system syslog reload
N/A
N/A
N/A
N/A
vim-cmd hostsvc/advopt/update DCUI.Access
string [USERS]
N/A
# esxcli system settings advanced set -o
/UserVars/ESXiShellInteractiveTimeOut -i
/UserVars/ESXiShellTimeOut -i
# esxcli iscsi adapter auth chap set
# esxcli <conn_options> software acceptance
set --level
set --level
set --level
N/A
N/A
/Net/DVFilterBindIpAddress -d
N/A
# esxcli system modules set -e false -m
<module>
# vmkfstools -w <vmdk>
N/A
vCLI Command Assessment
# esxcli <conn_options> software profile get / # esxcli
<conn_options> software vib get
N/A
# vicfg-ntp <conn_options> --list
# esxcli <conn_options> system syslog config get
# esxcli <conn_options> system snmp get
N/A
N/A
N/A
N/A
N/A
vicfg-authconfig <conn_options> --authscheme AD --
currentdomain
# vicfg-authconfig <conn_options> --authscheme AD --
currentdomain
# esxcli <conn_options> iscsi adapter auth chap get
N/A
N/A
N/A
esxcli <conn_options> system coredump network get
# esxcli <conn_options> system syslog config get
N/A
N/A
N/A
N/A
N/A
N/A
/UserVars/ESXiShellInteractiveTimeOut
/UserVars/ESXiShellTimeOut
# esxcli <conn_options> iscsi adapter auth chap get
# esxcli <conn_options> software acceptance get # esxcli
software vib list
software vib list
software vib list
N/A
N/A
# esxcli <conn_options> --formatter=csv --format-
param=fields="Path,Int Value" system settings advanced list |
grep /Net/DVFilterBindIpAddress
N/A
# esxcli <conn_options> system modules get -m <module>
N/A
N/A
vCLI Command Remediation
# esxcli <conn_options> software profile update / # esxcli
<conn_options> software vib update
N/A
# vicfg-ntp <conn_options> --add <IP>
# esxcli <conn_options> system syslog config set --logDir
# Configure Community String
esxcli <conn_options> system snmp set --communities
[COMMUNITY]
# Configure SNMP Target
esxcli <conn_options> system snmp set --targets
[TARGET]@[PORT]/[COMMUNITY]
# Enable SNMP
esxcli <conn_options> system snmp set --enable true
N/A
N/A
N/A
N/A
N/A
vicfg-authconfig <conn_options> <ad_conn_options> --
authscheme AD --joindomain <domain_FQDN>
# vicfg-authconfig <conn_options> <ad_conn_options> --
authscheme AD --joindomain <domain_FQDN>
# esxcli iscsi <conn_options> adapter auth chap set
N/A
N/A
N/A
# Configure remote Dump Collector Server
esxcli <conn_options>system coredump network set -v
[VMK#] -i [DUMP_SERVER] -o [PORT]
# Enable remote Dump Collector
esxcli <conn_options> system coredump network set -e true
# esxcli <conn_options> system syslog config set loghost
# esxcli system syslog reload
N/A
N/A
N/A
N/A
N/A
N/A
# esxcli <conn_options> system settings advanced set -o
/UserVars/ESXiShellInteractiveTimeOut -i
/UserVars/ESXiShellTimeOut -i
# esxcli iscsi <conn_options> adapter auth chap set
# esxcli <conn_options> software acceptance set --level
N/A
N/A
/Net/DVFilterBindIpAddress -d
N/A
# esxcli <conn_options> system modules set -e false -m
<module>
# vmkfstools <conn_options> -w <vmdk>
N/A
PowerCLI Command Assessment
# VMware Update Manager PowerCLI Cmdlets can be used to
check this feature
# List all services for a host
Get-VMHost HOST1 | Get-VMHostService
# List the services which are enabled and have rules defined
for specific IP ranges to access the service
Get-VMHost HOST1 | Get-VMHostFirewallException | Where
{$_.Enabled -and (-not $_.ExtensionData.AllowedHosts.AllIP)}
# List the services which are enabled and do not have rules
defined for specific IP ranges to access the service
Get-VMHost HOST1 | Get-VMHostFirewallException | Where
{$_.Enabled -and ($_.ExtensionData.AllowedHosts.AllIP)}
# List the NTP Settings for all hosts
Get-VMHost | Select Name, @{N="NTPSetting";E={$_ | Get-
VMHostNtpServer}}
# List Syslog.global.logDir for each host
Get-VMHost | Select Name, @{N="Syslog.global.logDir";E={$_
| Get-VMHostAdvancedConfiguration Syslog.global.logDir |
Select -ExpandProperty Values}}
# List the SNMP Configuration of a host (single host
connection required)
Get-VMHost | Get-VMHostSnmp
N/A
# List DCUI settings for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq
"DCUI" }
# Check if ESXi Shell is running and set to start
Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM"
} | Select VMHost, Key, Label, Policy, Running, Required
N/A
# Check if SSH is running and set to start
Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM-
SSH" } | Select VMHost, Key, Label, Policy, Running, Required
# Check each host and their domain membership status
Get-VMHost | Get-VMHostAuthentication | Select VmHost,
Domain, DomainMembershipStatus
# Check the host profile is using vSphere Authentication proxy
to add the host to the domain
Get-VMHost | Select Name, `
@{N="HostProfile";E={$_ | Get-VMHostProfile}}, `
@{N="JoinADEnabled";E={($_ | Get-
VmHostProfile).ExtensionData.Config.ApplyProfile.Authenticat
ion.ActiveDirectory.Enabled}}, `
@{N="JoinDomainMethod";E={(($_ | Get-
VMHostProfile).ExtensionData.Config.ApplyProfile.Authenticat
ion.ActiveDirectory | Select -ExpandProperty Policy | Where
{$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}
# Check each host and their domain membership status
Get-VMHost | Get-VMHostAuthentication | Select VmHost,
Domain, DomainMembershipStatus
# List Iscsi Initiator and CHAP Name if defined
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} |
Select VMHost, Device, ChapType,
@{N="CHAPName";E={$_.AuthenticationProperties.ChapNam
e}}
<TBD>
# To check if Lockdown mode is enabled
Get-VMHost | Select
Name,@{N="Lockdown";E={$_.Extensiondata.Config.adminDis
abled}}
# Check Network File Copy NFC uses SSL. OS Administrator
Privileges will be needed on your server for this to complete
$vCenter = "MyvCenterFQDN"
[XML]$file = Get-Content
"\\$vCenter\C$\ProgramData\VMware\VMware
VirtualCenter\vpxd.cfg"
if ($file.config.nfc.Usessl) { "SSL Setting is compliant" } Else {
"SSL Setting is not set or unreadable"}
<TBD>
# List Syslog.global.logHost for each host
Get-VMHost | Select Name,
@{N="Syslog.global.logHost";E={$_ | Get-
VMHostAdvancedConfiguration Syslog.global.logHost | Select -
ExpandProperty Values}}
function Test-WebServerSSL {
# Function original location: http://en-
us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-
4143-9eea-f521167d287c&ID=60
[CmdletBinding()]
param(
[Parameter(Mandatory = $true, ValueFromPipeline =
$true, Position = 0)]
[string]$URL,
[Parameter(Position = 1)]
[ValidateRange(1,65535)]
[int]$Port = 443,
[Net.WebProxy]$Proxy,
[int]$Timeout = 15000,
[switch]$UseUserContext
)
Add-Type @"
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
namespace PKI {
namespace Web {
public class WebSSL {
public Uri OriginalURi;
# List all user accounts on the Host -Host Local connection
required-
Get-VMHostAccount
N/A
N/A
N/A
# List UserVars.ESXiShellInteractiveTimeOut for each host
@{N="UserVars.ESXiShellInteractiveTimeOut";E={$_ | Get-
VMHostAdvancedConfiguration
UserVars.ESXiShellInteractiveTimeOut | Select -
ExpandProperty Values}}
# List UserVars.ESXiShellTimeOut for each host
@{N="UserVars.ESXiShellTimeOut";E={$_ | Get-
VMHostAdvancedConfiguration UserVars.ESXiShellTimeOut |
# List Iscsi Initiator and CHAP Name if defined
Select VMHost, Device, ChapType,
@{N="CHAPName";E={$_.AuthenticationProperties.ChapNam
e}}
# List the Software AcceptanceLevel for each host
Foreach ($VMHost in Get-VMHost ) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$VMHost | Select Name,
@{N="AcceptanceLevel";E={$ESXCli.software.acceptance.get()
}}
}
# List only the vibs which are not at "VMwareCertified" or
"VMwareAccepted" acceptance level
$ESXCli.software.vib.list() | Where { ($_.AcceptanceLevel -ne
"VMwareCertified") -and ($_.AcceptanceLevel -ne
"VMwareAccepted") }
}
}}
}
# List only the vibs which are not at "VMwareCertified"
acceptance level
$ESXCli.software.vib.list() | Where { $_.AcceptanceLevel -ne
"VMwareCertified" }
}
}}
}
# List only the vibs which are not at "VMwareCertified" or
"VMwareAccepted" or "PartnerSupported" acceptance level
$ESXCli.software.vib.list() | Where { ($_.AcceptanceLevel -ne
"VMwareCertified") -and ($_.AcceptanceLevel -ne
"VMwareAccepted") -and ($_.AcceptanceLevel -ne
"PartnerSupported") }
}
N/A
N/A
# List Net.DVFilterBindIpAddress for each host
@{N="Net.DVFilterBindIpAddress";E={$_ | Get-
VMHostAdvancedConfiguration Net.DVFilterBindIpAddress |
# Check the SHA1 has of the download with the following
function
Function Get-SHA1 {
Param (
$Filename
)
begin {

[Reflection.Assembly]::LoadWithPartialName("System.Security
") | out-null
$sha1 = new-Object
System.Security.Cryptography.SHA1Managed
}
Process {
$file = [System.IO.File]::Open($filename, "open", "read")
$filehash = $sha1.ComputeHash($file) | Foreach {
write-host -NoNewLine $_.ToString("x2")
}
$file.Dispose()
}
}
Get-SHA1 -Filename "C:\Sources\ESX5.ISO"
# List the system modules and Signature Info for each host
$ESXCli.system.module.list() | Foreach {
$ESXCli.system.module.get($_.Name) | Select
@{N="VMHost";E={$VMHost}}, Module, License, Modulefile,
Version, SignedStatus, SignatureDigest, SignatureFingerPrint
}
}
# List the vCenter Password Expiration Value
Get-AdvancedSetting -Entity $defaultVIServer -Name
"VirtualCenter.VimPasswordExpirationInDays"
PowerCLI Command Remediation
# VMware Update Manager PowerCLI Cmdlets can be used to
check this feature
N/A
# Set the NTP Settings for all hosts
$NTPServers = "pool.ntp.org", "pool2.ntp.org"
Get-VMHost | Add-VmHostNtpServer $NTPServers
# Set Syslog.global.logDir for each host
Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -
VMHost $_ -Name Syslog.global.logDir -Value "NewLocation" }
# Update the host SNMP Configuration (single host connection
required)
Get-VmHostSNMP | Set-VMHostSNMP -Enabled:$true -
ReadOnlyCommunity 'secret'
# Set DCUI to start manually rather than automatic for all
hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq
"DCUI" } | Set-VMHostService -Policy Off
# Set ESXi Shell to start manually rather than automatic for all
hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM"
} | Set-VMHostService -Policy Off
N/A
# Set SSH to start manually rather than automatic for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM-
SSH" } | Set-VMHostService -Policy Off
# Join the ESXI Host to the Domain
Get-VMHost HOST1 | Get-VMHostAuthentication | Set-
VMHostAuthentication -Domain domain.local -User
Administrator -Password Passw0rd -JoinDomain
# Join the ESXI Host to the Domain
Get-VMHost HOST1 | Get-VMHostAuthentication | Set-
VMHostAuthentication -Domain domain.local -User
Administrator -Password Passw0rd -JoinDomain
# Set the Chap settings for the Iscsi Adapter
Set-VMHostHba # Use desired parameters here
<TBD>
# Enable lockdown mode for each host
Get-VMHost | Foreach { $_.EnterLockdownMode() }
N/A
<TBD>
# Set Syslog.global.logHost for each host
VMHost $_ -Name Syslog.global.logHost -Value "NewLocation"
}
N/A
# Create a new host user account -Host Local connection
required-
New-VMHostAccount -ID ServiceUser -Password pass -
UserAccount
N/A
N/A
N/A
# Set Remove UserVars.ESXiShellInteractiveTimeOut to 900 on
all hosts
VMHost $_ -Name UserVars.ESXiShellInteractiveTimeOut -
Value 900 }
# Set Remove UserVars.ESXiShellTimeOut to 900 on all hosts
VMHost $_ -Name UserVars.ESXiShellTimeOut -Value 900 }
# Set the Chap settings for the Iscsi Adapter
Set-VMHostHba # Use desired parameters here
# Set the Software AcceptanceLevel for each host
$ESXCli.software.acceptance.Set("VMwareCertified")
}
}
}
N/A
N/A
# Set Remove Net.DVFilterBindIpAddress to null on all hosts
Get-VMHost HOST1 | Foreach { Set-
VMHostAdvancedConfiguration -VMHost $_ -Name
Net.DVFilterBindIpAddress -Value "" }
N/A
# To disable a module:
$ESXCli = Get-EsxCli -VMHost MyHost
$ESXCli.system.module.set($false, $false, "MyModuleName")
# Set the vCenter Password Expiration Value to 10
Get-AdvancedSetting -Entity $defaultVIServer -Name
"VirtualCenter.VimPasswordExpirationInDays" | Set-
AdvancedSetting -Value 10
Negative Functional Impact
Only systems in the IP whitelist/ACL will be able to
connect to services on the ESXi server
Disabling the DCUI can create a potential "lock out"
situation should the host become isolated from
vCenter Server. To recover from a "lock out" scenario
requires re-installing ESXi. Consider leaving DCUI
enabled and instead enable lockdown mode and limit
the users allowed to access the DCUI using the
DCUI.Access list.
The MOB will no longer be available for diagnostics.
Some 3rd party tools use this interface to gather
information. Testing should be done after disabling
the MOB to verify 3rd party applications are still
functioning as expected. To re-enable the MOB: ~ #
vim-cmd proxysvc/add_np_service "/mob"
httpsWithRedirect /var/run/vmware/proxy-mob
There are some operations, such as backup and
troubleshooting, that require direct access to the host.
In these cases Lockdown Mode can be disabled on a
temporary basis for specific hosts as needed, and then
re-enabled when the task is completed. Note:
Lockdown mode does not apply to users listed in the
DCUI.Access list, which by default includes the root
user.
Using SSL may reduce performance of actions
involving NFC, such as VM clone or migration. It has
also not been extensively tested and may cause HA
and other operations to fail in certain circumstances.
Disabling the SSH "authorized_keys" access may limit
your ability to remotely run commands on a host
without providing a valid login (e.g. prevent the ability
to run unattended remote scripting).
Third party VIBs tested by VMware partners are not
allowed on the host. This could include some device
drivers, CIM modules, and other add-on software.
Host customization using custom VIBs is not allowed.
No VMware partner VIBs are allowed on the host, to
include non-VMware written device drivers, CIM
modules, and other third party software. Host
customization using custom VIBs is not allowed.
Host customization using custom VIBs is not allowed.
51/topic/com.vmware.vcli.examples.doc/cli_manage_
hosts.4.4.html
This will prevent a dvfilter-based network security
appliance from functioning
Reference Able to set using Host Profile?
51/topic/com.vmware.vsphere.update_manager.doc/GUI
D-EF6BEE4C-4583-4A8C-81B9-5B074CA2E272.html NO
51/topic/com.vmware.vsphere.security.doc/GUID-
DD4322FF-3DC4-4716-8819-6688938F99D7.html YES
51/topic/com.vmware.vcli.examples.doc/cli_manage_net
works.11.9.html YES
51/topic/com.vmware.vsphere.install.doc/GUID-
9F67DB52-F469-451F-B6C8-DAE8D95976E7.html
http://kb.vmware.com/kb/1033696 YES
51/topic/com.vmware.vsphere.monitoring.doc/GUID-
8EF36D7D-59B6-4C74-B1AA-4A9D18AB6250.html YES
670B9B8C-3810-4790-AC83-57142A9FE16F.html YES
6779F098-48FE-4E22-B116-A8353D19FF56.html YES
0EF83EA7-277C-400B-B697-04BDC9173EA3.html NO
12E27BF3-3769-4665-8769-DA76C2BC9FFE.html YES
A61A8FA4-A4AF-475C-860E-3FD8947F0D0B.html
http://kb.vmware.com/kb/1025569. YES
084B74BD-40A5-4A4B-A82C-0C9912D580DC.html YES
51/topic/com.vmware.vsphere.storage.doc/GUID-
AC65D747-728F-4109-96DD-49B433E2F266.html NO
51/topic/com.vmware.vsphere.hostprofiles.doc/GUID-
78BB234A-D735-4356-9CCF-19DD55DB8060.html NO
88B24613-E8F9-40D2-B838-225F5FF480FF.html
http://kb.vmware.com/kb/1008077 NO
http://kb.vmware.com/kb/1032051
51/topic/com.vmware.vsphere.install.doc/GUID-471EFE67-
9035-473E-8217-6B67E493A518.html YES
A261E6D8-03E4-48ED-ADB6-473C2DAAB7AD.html
51/topic/com.vmware.cimsdk.smashpg.doc/03_CIM_SMA
SH_PG_Use_Cases.5.1.html NO
6029358F-8EE8-4143-9BB0-16ABB3CA0FE3.html NO
392ADDE9-FD3B-49A2-BF64-4ACBB60EB149.html NO
D92BB375-9F94-449E-838E-51086C43CF80.html YES
F48903DA-8A66-47C7-9796-CD12339B2164.html NO
A1D310D7-F00B-4827-9469-EC2C318A0C30.html
862CA8EF-C8CE-4322-864E-86D0803015A5.html
AC65D747-728F-4109-96DD-49B433E2F266.html NO
51/topic/com.vmware.vsphere.install.doc/GUID-56600593-
EC2E-4125-B1A0-065BDD16CF2D.html NO
51/topic/com.vmware.wssdk.apiref.doc/vim.host.Authent
icationManager.html NO
51/topic/com.vmware.vsphere.hostprofiles.doc/GUID-
78BB234A-D735-4356-9CCF-19DD55DB8060.html NO
51/topic/com.vmware.vsphere.ext_solutions.doc/GUID-
6013E15D-92CE-4970-953C-ACCB36ADA8AD.html NO
E9B71B85-FBA3-447C-8A60-DEE2AE1A405A.html
050C0FEE-2C75-4356-B9E0-CC802333FF41.html NO
96210743-0C17-4AE9-89FC-76778EC9D06E.html NO
ID Product Version Component
disable-dvportgroup-autoexpand vSphere 5.1 vNetwork
document-pvlans vSphere 5.1 vNetwork
document-vlans vSphere 5.1 vNetwork
document-vlans-vds vSphere 5.1 vNetwork
enable-bpdu-filter vSphere 5.1 vNetwork
enable-portfast vSphere 5.1 vNetwork
isolate-mgmt-network-airgap vSphere 5.1 vNetwork
isolate-mgmt-network-vlan vSphere 5.1 vNetwork
isolate-storage-network-airgap vSphere 5.1 vNetwork
isolate-storage-network-vlan vSphere 5.1 vNetwork
isolate-vmotion-network-airgap vSphere 5.1 vNetwork
isolate-vmotion-network-vlan vSphere 5.1 vNetwork
label-portgroups vSphere 5.1 vNetwork
label-vswitches vSphere 5.1 vNetwork
limit-administrator-scope vSphere 5.1 vNetwork
limit-network-healthcheck vSphere 5.1 vNetwork
no-native-vlan-1 vSphere 5.1 vNetwork
no-reserved-vlans vSphere 5.1 vNetwork
no-unused-dvports vSphere 5.1 vNetwork
no-vgt-vlan-4095 vSphere 5.1 vNetwork
reject-forged-transmit vSphere 5.1 vNetwork
reject-forged-transmit-dvportgroup vSphere 5.1 vNetwork
reject-mac-change-dvportgroup vSphere 5.1 vNetwork
reject-mac-changes vSphere 5.1 vNetwork
reject-promiscuous-mode vSphere 5.1 vNetwork
reject-promiscuous-mode-dvportgroup vSphere 5.1 vNetwork
restrict-mgmt-network-access-gateway vSphere 5.1 vNetwork
restrict-mgmt-network-access-jumpbox vSphere 5.1 vNetwork
restrict-netflow-usage vSphere 5.1 vNetwork
restrict-port-level-overrides vSphere 5.1 vNetwork
restrict-portmirror-usage vSphere 5.1 vNetwork
set-non-negotiate vSphere 5.1 vNetwork
upstream-bpdu-stp vSphere 5.1 vNetwork
verify-vlan-id vSphere 5.1 vNetwork
verify-vlan-trunk vSphere 5.1 vNetwork
Subcomponent Title
VDS
Verify that the autoexpand option for
VDS dvPortgroups is disabled
VDS
Ensure that all dvSwitches' Private
VLAN ID's are fully documented
vSwitch
Ensure that all vSwitch and VLANS ID's
are fully documented
VDS
Ensure that all dvPortgroup VLAN ID's
are fully documented
Physical
Enable BPDU filter on the ESXi host to
prevent being locked out of physical
switch ports with Portfast and BPDU
Guard enabled
Physical
Ensure that physical switch ports are
configured with Portfast if spanning
tree is enabled.
Architecture
Ensure that vSphere management
traffic is on a restricted network.
Architecture
Ensure that vSphere management
traffic is on a restricted network.
Architecture
Ensure that IP-based storage traffic is
isolated.
Architecture
Ensure that IP-based storage traffic is
isolated.
Architecture Ensure that vMotion traffic is isolated.
Architecture Ensure that vMotion traffic is isolated.
vSwitch
Ensure that port groups are configured
with a clear network label.
vSwitch
Ensure that all virtual switches have a
clear network label.
vSwitch
Ensure that only authorized
administrators have access to virtual
networking components.
VDS
Disable VDS network healthcheck if you
are not actively using it
VLAN
Ensure that port groups are not
configured to the value of the native
VLAN.
VLAN
configured to VLAN values reserved by
upstream physical switches
VDS
Ensure that there are no unused ports
on a distributed virtual port group.
VLAN
configured to VLAN 4095 except for
Virtual Guest Tagging (VGT).
vSwitch
Ensure that the Forged Transmits
policy is set to reject.
VDS
Ensure that the Forged Transmits
VDS
Ensure that the MAC Address Change
vSwitch
Ensure that the MAC Address Change
vSwitch
Ensure that the Promiscuous Mode
VDS
Ensure that the Promiscuous Mode
Architecture
Strictly control access to management
network.
Architecture
Strictly control access to management
network.
VDS
Ensure that VDS Netflow traffic is only
being sent to authorized collector IP's.
VDS
Restrict port-level configuration
overrides on VDS
VDS
Ensure that VDS Port Mirror traffic is
only being sent to authorized collector
ports or VLAN's.
Physical
Ensure that the non-negotiate option
is configured for trunk links between
external physical switches and virtual
switches in VLAN tagging (VST) mode.
Physical
Verify that for virtual machines that
route or bridge traffic, spanning tree
protocol is enabled and BPDU guard
and Portfast are disabled on the
upstream physical switch port.
VLAN
Ensure that all virtual switch VLAN's are
fully documented and have all required
and only required VLAN's.
Physical
Verify that VLAN trunk links are
connected only to physical switch ports
that function as trunk links.
Vulnerability Discussion
If the "no-unused-dvports" guideline is followed, there should be only the amount of ports on a VDS
that are actually needed. The Autoexpand feature on VDS dvPortgroups can override that limit. The
feature allows dvPortgroups to automatically add 10 virtual distributed switch ports to a dvPortgroup
that has run out of available ports. The risk is that maliciously or inadvertently, a virtual machine that
is not supposed to be part of that portgroup is able to affect confidentiality, integrity or authenticity
of data of other virtual machines on that portgroup. To reduce the risk of inappropriate dvPortgroup
access, the autoexpand option on VDS should be disabled. By default the option is disabled, but
regular monitoring should be implemented to verify this has not been changed.
dvSwitch Private VLANs (PVLANs) require primary and secondary VLAN ID's. These need to
correspond to the ID's on external PVLAN-aware upstream switches if any. If VLAN ID's are not
tracked completely, mistaken re-use of ID's could allow for traffic to be allowed between
inappropriate physical and virtual machines. Similarly, wrong or missing PVLAN ID's may lead to traffic
not passing between appropriate physical and virtual machines.
If you are using VLAN tagging on a vSwitch, these need to correspond to the ID's on external VLAN-
aware upstream switches if any. If VLAN ID's are not tracked completely, mistaken re-use of ID's could
allow for traffic to be allowed between inappropriate physical and virtual machines. Similarly, wrong
or missing VLAN ID's may lead to traffic not passing between appropriate physical and virtual
machines.
If you are using VLAN tagging on a dvPortgroup these need to correspond to the ID's on external
VLAN-aware upstream switches if any. If VLAN ID's are not tracked completely, mistaken re-use of ID's
could allow for traffic to be allowed between inappropriate physical and virtual machines. Similarly,
wrong or missing VLAN ID's may lead to traffic not passing between appropriate physical and virtual
machines.
BPDU Guard and Portfast are commonly enabled on the physical switch the ESXi host is directly
connected to reduce the STP convergence delay. If a BPDU packet is sent from a virtual machine on
the ESXi host to the physical switch so configured, a cascading lockout of all the uplink interfaces from
the ESXi host can occur. To prevent this type of lockout, BPDU Filter can be enabled on the ESXi host
to drop any BPDU packets being sent to the physical switch. The caveat is that certain SSL VPN which
use Windows bridging capability can legitimately generate BPDU packets. The administrator should
verify that there are no legitimate BPDU packets generated by virtual machines on the ESXi host prior
to enabling BPDU Filter. If BPDU Filter is enabled in this situation, enabling Reject Forged Transmits
on the virtual switch port group adds protection against Spanning Tree loops.
Since VMware virtual switches do not support STP, the ESXi host-connected physical switch ports
must have portfast configured if spanning tree is enabled to avoid loops within the physical switch
network. If these are not set, potential performance and connectivity issues might arise.
The vSphere management network provides access to the vSphere management interface of each
vSphere component. Services running on the management interface provide an opportunity for an
attacker to gain privileged access to virtual machines data running in vSphere. Remote attacks would
prioritize getting access to this network. Examples of components that should be on an isolated
management network are vCenter Server, mangement consoles of VMware solutions (web client,
VUM, SSO, AutoDeploy, etc), management consoles of hardware and software components such as
storage and network. Also, management consoles of key infrastructure services like syslog, NTP, AD
and other legitimate 3rd party products. This is not meant to be an exhaustive list.
The vSphere management network provides access to the vSphere management interface on each
component. Services running on the management interface provide an opportunity for an attacker to
gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to
this network.
Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-
based storage includes iSCSI and NFS. This type of configuration might expose IP-based storage traffic
to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed
by anyone with access to this network. To restrict unauthorized users from viewing the IP-based
storage traffic, the IP-based storage network should be logically separated from the production
traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from the
VMkernel management and service console network will limit unauthorized users from viewing the
Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-
based storage includes iSCSI and NFS. This type of configuration might expose IP-based storage traffic
to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed
by anyone with access to this network. To restrict unauthorized users from viewing the IP-based
storage traffic, the IP-based storage network should be logically separated from the production
traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from the
VMkernel management and service console network will limit unauthorized users from viewing the
The security issue with vMotion migrations is that information is transmitted in plain text, and anyone
with access to the network over which this information flows can view it. Potential attackers can
intercept vMotion traffic to obtain memory contents of a virtual machine. They might also potentially
stage a MiTM attack in which the contents are modified during migration. Ensure that vMotion traffic
is separate from production traffic on an isolated network. This network should be nonroutable (no
layer-3 router spanning this and other networks), which will prevent any outside access to the
The security issue with vMotion migrations is that information is transmitted in plain text, and anyone
with access to the network over which this information flows can view it. Potential attackers can
intercept vMotion traffic to obtain memory contents of a virtual machine. They might also potentially
stage a MiTM attack in which the contents are modified during migration. Ensure that vMotion traffic
is separate from production traffic on an isolated network. This network should be nonroutable (no
layer-3 router spanning this and other networks), which will prevent any outside access to the
A network label identifies each port group with a name. These names are important because they
serve as a functional descriptor for the port group. Without these descriptions, identifying port
groups and their functions becomes difficult as the network becomes more complex.
Virtual switches within the ESXi Server require a field for the name of the switch. This label is
important because it serves as a functional descriptor for the switch, just as physical switches require
a host name. Labeling virtual switches will indicate the function or the IP subnet of the virtual switch.
For instance, labeling the virtual switch as internal or some variation will indicate that the virtual
switch is only for internal networking between a virtual machines private virtual switch with no
physical network adaptors bound to it.
This control mitigates the risk of misconfiguration, whether accidental or malicious, and enforces key
security concepts of separation of duties and least privilege. It is important to leverage the role-based
access controls within vSphere to ensure that only authorized administrators have access to the
different virtual networking components. For example, VM administrators should have access only to
port groups in which their VMs reside. Network administrators should have permissions to all virtual
networking components but not have access to VMs. These controls will depend very much on the
organization's policy on separation of duties, least privilege, and the responsibilities of the
administrators within the organization.
Network Healthcheck is disabled by default. Once enabled, the healthcheck packets contain
information on host#, vds# port#, which an attacker would find useful. It is recommended that
network healthcheck be used for troubleshooting, and turned off when troubleshooting is finished.
ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have
a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up
as belonging to native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco
physical switch will be untagged, because this is considered as the native VLAN. However, frames
from ESXi specified as VLAN 1 will be tagged with a 1; therefore, traffic from ESXi that is destined
for the native VLAN will not be correctly routed (because it is tagged with a 1 instead of being
untagged), and traffic from the physical switch coming from the native VLAN will not be visible
(because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from
those VMs will not be visible to the native VLAN on the switch, because the switch is expecting
Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic
configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 10011024
and 4094, while Nexus switches typically reserve 39684047 and 4094. Check with the
documentation for your specific switch. Using a reserved VLAN might result in a denial of service on
The number of ports available on a vdSwitch distributed port group can be adjusted to exactly match
the number of virtual machine vNICs that need to be assigned to that dvPortgroup. Limiting the
number of ports to just what is needed limits the potential for an administrator, either accidentally or
maliciously, to move a virtual machine to an unauthorized network. This is especially relevant if the
management network is on a dvPortgroup, because it could help prevent someone from putting a
rogue virtual machine on this network.
When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all
network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal
with them. VLAN 4095 should be used only if the guest has been specifically configured to manage
VLAN tags itself. If VGT is enabled inappropriately, it might cause denial of service or allow a guest VM
to interact with traffic on an unauthorized VLAN.
If the virtual machine operating system changes the MAC address, the operating system can send
frames with an impersonated source MAC address at any time. This allows an operating system to
stage malicious attacks on the devices in a network by impersonating a network adaptor authorized
by the receiving network. Forged transmissions should be set to accept by default. This means the
virtual switch does not compare the source and effective MAC addresses. To protect against MAC
address impersonation, all virtual switches should have forged transmissions set to reject.
If the virtual machine operating system changes the MAC address, the operating system can send
frames with an impersonated source MAC address at any time. This allows an operating system to
stage malicious attacks on the devices in a network by impersonating a network adaptor authorized
by the receiving network. Forged transmissions should be set to accept by default. This means the
dvPortgroup does not compare the source and effective MAC addresses. To protect against MAC
address impersonation, all virtual switches should have forged transmissions set to reject.
If the virtual machine operating system changes the MAC address, it can send frames with an
impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices
in a network by impersonating a network adaptor authorized by the receiving network. This will
prevent VMs from changing their effective MAC address. It will affect applications that require this
functionality. An example of an application like this is Microsoft Clustering, which requires systems to
effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also
affect applications that require a specific MAC address for licensing. An exception should be made for
the dvPortgroups that these applications are connected to.
If the virtual machine operating system changes the MAC address, it can send frames with an
impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices
in a network by impersonating a network adaptor authorized by the receiving network. This will
prevent VMs from changing their effective MAC address. It will affect applications that require this
functionality. An example of an application like this is Microsoft Clustering, which requires systems to
effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also
affect applications that require a specific MAC address for licensing. An exception should be made for
the port groups that these applications are connected to.
When promiscuous mode is enabled for a virtual switch all virtual machines connected to the
dvPortgroup have the potential of reading all packets across that network, meaning only the virtual
machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXI
Server, and this is the recommended setting. However, there might be a legitimate reason to enable
it for debugging, monitoring or troubleshooting reasons. Security devices might require the ability to
see all packets on a vSwitch. An exception should be made for the dvPortgroups that these
applications are connected to, in order to allow for full-time visibility to the traffic on that
dvPortgroup.
When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the
dvPortgroup have the potential of reading all packets across that network, meaning only the virtual
machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXI
Server, and this is the recommended setting. However, there might be a legitimate reason to enable
it for debugging, monitoring or troubleshooting reasons. Security devices might require the ability to
see all packets on a vSwitch. An exception should be made for the dvPortgroups that these
applications are connected to, in order to allow for full-time visibility to the traffic on that
dvPortgroup.
The management network should be protected at the security level of the most secure virtual
machine running on a host/cluster. If an attacker gains access to the management network, it
provides the staging ground for further attack. No matter how the management network is restricted,
there will always be a need for administrators to access this network to configure VMware vCenter
Server and the VMware ESX/ESXi hosts. Instead of allowing client systems on this network, there are
ways to enable access to management functionality in a strictly controlled manner.
The management network should be protected at the security level of the most secure virtual
machine running on a host/cluster. If an attacker gains access to the management network, it
provides the staging ground for further attack. No matter how the management network is restricted,
there will always be a need for administrators to access this network to configure VMware vCenter
Server and the VMware ESX/ESXi hosts. Instead of allowing client systems on this network, there are
ways to enable access to management functionality in a strictly controlled manner.
The vSphere VDS can export Netflow information about traffic crossing the VDS. Netflow exports are
not encrypted and can contain information about the virtual network making it easier for a MITM
attack to be executed successfully. If Netflow export is required, verify that all VDS Netflow target
IP's are correct.
Port-level configuration over-rides are disabled by default. Once enabled, this allows for different
security settings to be set from what is established at the Port-Group level. There are cases where
particular VM's require unique configurations, but this should be monitored so it is only used when
authorized. If over-rides are not monitored, anyone who gains access to a VM with a less secure VDS
configuration could surreptiously exploit that broader access.
The vSphere VDS can mirror traffic from one port to another in order to allow for packet capture
devices to collect specific traffic flows. Port mirroring will send a copy of all traffic specified in un-
encrypted format. This mirrored traffic contains the full data in the packets captured and can result in
total compromise of that data if misdirected. If Port Mirroring is required, verify that all Port Mirror
Destination VLAN, Port and Uplink ID's are correct.
In order to communicate with virtual switches in VST mode, external switch ports must be configured
as trunk ports. VST mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be
static and unconditional. The auto or desirable physical switch settings do not work with the ESXi
Server because the physical switch communicates with the ESXi Server using DTP. The non-negotiate
and on options unconditionally enable VLAN trunking on the physical switch and create a VLAN trunk
link between the ESXi Server and the physical switch. The difference between non-negotiate and on
options is that on mode still sends out DTP frames, whereas the non-negotiate option does not. The
non-negotiate option should be used for all VLAN trunks, to minimize unnecessary network traffic for
virtual switches in VST mode.
In the scenario where the ESXi host has a guest VM that is configured to perform bridging function,
the VM will generate BPDU frames and send out to the VDS. The VDS then forwards the BPDU frames
through the network adapter to the physical switch port. When the switch port configured with
BPDU guard receives the BPDU frame, the switch disables the port and the VM loses connectivity.
To avoid this network failure scenario while running software-bridging function on an ESXI host,
customers should disable the portfast and BPDU guard configuration on the port and run the
spanning tree protocol.
When defining a physical switch port for trunk mode, care must be taken to ensure that only specified
VLANs are configured. It is considered best practice to restrict only those VLANs required on the VLAN
trunk link. The risk with not fully documenting all VLANs on the vSwitch is that it is possible that a
physical trunk port might be configured without needed VLANs, or with unneeded VLANs, potentially
enabling an administrator to either accidentally or maliciously connect a VM to an unauthorized
VLAN.
When connecting a virtual switch to a VLAN trunk port, you must be careful to properly configure
both the virtual switch and the physical switch at the uplink port. If the physical switch is not properly
configured, frames with the VLAN 802.1q header would be forwarded to a switch not expecting their
arrival. The vSphere administrator should always ensure that virtual switch uplinks, acting as VLAN
trunk links, are connected only to physical switch ports that function as trunk links. Misconfiguration
of the physical switch ports might lead to undesirable performance, including frames being dropped
or misdirected.
Profile Control Type
1,2 Configuration
1,2,3 Operational
1,2,3 Operational
1,2,3 Operational
1,2,3 Configuration
1,2,3 Operational
1 Configuration
2,3 Configuration
1 Configuration
2,3 Configuration
1 Configuration
2,3 Configuration
1,2,3 Operational
1,2,3 Operational
1,2,3 Operational
1,2,3 Configuration
1,2,3 Configuration
1,2,3 Configuration
1,2 Configuration
1,2,3 Configuration
1,2,3 Configuration
1,2,3 Configuration
1,2,3 Configuration
1,2,3 Configuration
1,2,3 Configuration
1,2,3 Configuration
1 Configuration
2,3 Configuration
1,2,3 Configuration
1,2,3 Configuration
1,2,3 Configuration
1,2,3 Operational
1,2,3 Operational
1,2,3 Operational
1,2,3 Operational
Connect to the vCenter Server using the Web Client.Verify that in the Networking > (vDS
name) > (dvPortgroup name) > Manage > Edit Settings > General > "Port allocation" is
set to "Fixed" and the "Number of Ports" is only the amount required for legitimate
virtual machine connections to that dvPortgroup.
From the vSphere Client log into vCS. Home > Inventory > Networking. Select dvSwitch
and Edit Settings. Or from the vSphere Web client go to Networking > (vDS name) >
(dvPortgroup name) > Manage > Edit Settings > VLAN. Verify and record PVLAN labels
and ID's.
Verify by using the vSphere Client to connect to the vCenter Server and as administrator:
1. Go to "Home > Inventory > Hosts and Clusters". 2. Select each ESXi host with virtual
switches connected to active VM's requiring securing. 3. Go to "Configuration > Network
> vSwitch(?) > Properties > Ports > [?Portgroup Name?] > VLAN ID" 4. Verify and record
VLAN ID's in a tracking system approved by your organization or following industry best
practices.
From the vSphere Client log into vCS. Home > Inventory > Networking. Select dvSwitch
and dvPortgroup and "Edit Settings > Policies > VLAN > VLAN ID". Or from the vSphere
Web client go to Networking > (vDS name) > (dvPortgroup name) > Manage > Edit
Settings > VLAN. Verify and record VLAN Names and ID's.
Verify that there are no virtual machines required to send BPDU on the ESXi host. This
would be virtual machines with bridging enabled, such as virtual network devices and
virtual machines with bridging VPN SSL software installed. From the vSphere Client or
vSphere Web Client, select the ESXi host in inventory and in Advanced Settings set the
NetBlockGuestBPDU value to 1. Detailed steps and an explanation can be found in the
reference link provided.
Log in to the physical switch and ensure that spanning tree protocol is disabled and/or
portfast is configured for all physical ports connected to ESXi hosts.
The vSphere management port group should be on a management-only vSphere
standard switch (VSS) or vSphere Distributed Switch (VDS). Doing so avoids dependency
on VLANs for isolation, which might be appropriate for certain environments. Check that
the management-only VSS or DVS does not contain any non-management port groups.
The vSphere management port group should be in a dedicated VLAN on a common
vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as
the vSphere management port groups VLAN is not used by production virtual machines.
Check that the network segment is not routed, except possibly to networks where other
management-related entities are found.(Example: vSphere Replication) In particular,
make sure that production virtual machine traffic cannot be routed to this network.
The vSphere storage type port groups should each be on their own vSphere standard
switch (VSS) or vSphere Distributed Switch (VDS). Doing so avoids dependency on VLANs
for isolation, which might be appropriate for certain environments. Check that the
storage-only VSS or DVS does not contain any non-storage port groups. Check that the
physical network is not accessed by any other non-storage entity. Check that the storage
port group vSwitch does not contain any non-storage port groups. Check that the
physical network is not accessed by any other non-storage entity.
Storage port groups should be in a dedicated VLAN on a common vSwitch. The vSwitch
can be shared with production (virtual machine) traffic, as long as the storage port
groups VLAN is not used by production virtual machines. Check for usage of the VLAN ID
on non-storage port groups. Check that the VLAN is isolated and not routed in the
physical network.
The vMotion port group should be on a vMotion-only vSphere Standard Switch (VSS) or
Distributed Switch (VDS). Doing so avoids dependency on VLANs for isolation, which
might be appropriate for certain environments. Check that the vMotion port group
vSwitch does not contain any non-vMotion port groups. Check that the physical network
is not accessed by any other non-vMotion entity.
The vMotion port group should be in a dedicated VLAN on a common vSwitch. The
vSwitch can be shared with production (virtual machine) traffic, as long as the vMotion
port groups VLAN is not used by production virtual machines. Check for usage of the
VLAN ID on non-vMotion port groups. Check that the VLAN is isolated and not routed in
the physical network.
1. From the vSphere Client, check the names of the different port groups. To check the
port group names in the vSphere client, connect to the vCenter server and navigate to
Home > Inventory > Networking . You will be able to view all the different port groups and
determine if the port group names are clearly labeled or might be renamed with a
meaningful name.
With the vSphere Client, connect to the vCenter server and navigate to Home > Inventory
> Networking . You will be able to view all the different vSwitches and dvSwitches in that
vCenter and determine if the switches are clearly labeled.
Ensure that vSphere permissions to specific port groups are granted only to those
individuals who need it. 1. Log into the vCenter Server using the vSphere Client as a user
with full Administrator Role rights to the Inventory object you are checking. 2. Select
"[Inventory Object] > Permissions". Verify that the users assigned to this Inventory object
have the appropriate Role.
Using the vSphere Web Client, select each VDS and go to Manage > Settings > Health
check". Verify that VLAN and MTU Check and Teaming and Failover Check are both
disasbled. Limit the use of this to when actively troubleshooting VLAN or MTU issues on a
VDS.
If the default value of 1 for the native VLAN is being used, the ESXi Server virtual switch
port groups should be configured with any value between 2 and 4094. Otherwise, ensure
that the port group is not configured to use whatever value is set for the native VLAN.
VLAN ID setting on all port groups should not be set to reserved values of the physical
switch.
Connect to the vCenter Server with vSphere Client ( Home > Inventory > Networking
view, find all dvSwitch es) or the Web Client (Networking > vDS name > dvPortgroup
name > Manage > Edit Settings > General)and verify that the number of ports available
total is only the amount required for legitimate virtual machine connections to that
dvPortgroup.
VLAN ID setting on all port groups should not be set to 4095 unless VGT is required.
1. Go to "Home > Inventory > Hosts and clusters". 2. Select each ESXi host with active
virtual switches connected to active VM's requiring securing. 3. Go to tab "Configuration
> Network > vSwitch(?) > Properties > Ports > vSwitch > Default Policies > Security" 4.
"Forged Transmits" = "Reject"
Verify by using the vSphere Web Client to connect to the vCenter Server and as
administrator: 1. Go to Home > Networking. 2. Select each VDS and edit each
dvPortgroup connected to active VM's requiring securing. 3. Edit Settings for each
PortGroup under Security. 4. Set the Forged transmits value to "Reject"
1. Go to "Home > Inventory > Networking". 2. Select each dvPortgroup connected to
active VM's requiring securing. 3. Go to tab "Summary > Edit Settings > Policies >
Security". 4. "Mac Address Changes" = "Reject"
> Network > vSwitch(?) > Properties > Ports > vSwitch > Default Policies > Security" 4.
"Mac Address Changes" = "Reject"
> Network > vSwitch name > Properties > Ports > vSwitch > Default Policies > Security" 4.
"Promiscuous Mode" = "Reject"
1. Go to "Home > Inventory > Networking". 2. Select each dvPortgroup connected to
active VM's requiring securing. 3. Go to tab "Summary > Edit Settings > Policies >
Security". 4. "Promiscuous Mode" = "Reject"
Configure a controlled gateway or other controlled method to access the management
network. For example, require that administrators connect to it via a VPN, and allow
access only by trusted administrators.
Configure jump boxes that run vSphere Client and other management clients (e.g.
VSphere Management Assistant). There are different industry-accepted ways to
configure a jump box. The particular method should be chosen based upon a local risk
assessment.
From the Web or vSphere Clients, verify that Netflow IP destinations are correct. Edit the
VDS properties and in the Netflow tab, verify the Collector Settings > IP Address and Port.
From the Web or vSphere Clients, verify that Port Mirror destination interfaces are
correct. Edit the VDS properties and in the Port Mirror tab, verify the Destination VLAN,
Port or Uplink ID's.
From the Web or vSphere Clients, verify that Port Mirror destination interfaces are
correct. Edit the VDS properties and in the Port Mirror tab, verify the Destination VLAN,
Port or Uplink ID's.
Log in to the physical switch and ensure that DTP is not enabled on the physical switch
ports connected to the ESXi Host.
Routinely check that for virtual machines that perform bridging or routing, the first
upstream physical switch port is configured with BPDU Guard and Portfast disabled and
Spanning Tree Protocol enabled.
Both standard and distributed vSwitch configurations can be viewed in the vSphere
Client. For vSwitch: Home > Inventory > Hosts and Clusters , then select an ESXi host in
Inventory panel on left. In the Configuration tab, Hardware window, under Networking ,
select each vSwitch, and for each port group on the vSwitch, verify and record the VLAN
ID's used. For dvSwitches, go to Home > Inventory > Networking and for each dvSwitch in
the inventory, and for each dvPortGroup in each dvSwitch, select Edit Settings > Policies
> VLAN and verify and record the VLAN ID's. From the command-line,
For a standard vSwitch, "esxcfg-vswitch -l" will list all port groups and their VLAN
association. Compare this list with the physical switch configuration.
Routinely check physical switch ports to ensure that they are properly configured as
trunk ports if connected to virtual switch VLAN trunking ports.
Configuration File Configuration Parameter Desired Value
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
Net.BlockGuestBPDU 1
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
Change Type Is desired value the default?
N/A N/A
N/A N/A
N/A N/A
N/A N/A
no
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
vSphere API ESXi Shell Command Assessment
51/topic/com.vmware.wssdk.apiref.doc/vim.dvs.
DistributedVirtualPortgroup.html
51/topic/com.vmware.wssdk.apiref.doc/vim.alar
m.AlarmManager.html N/A
VmwareDistributedVirtualSwitch.ConfigInfo.html N/A
# esxcli network vswitch standard
portgroup list
VmwareDistributedVirtualSwitch.VlanSpec.html N/A
51/topic/com.vmware.wssdk.apiref.doc/vim.opti
on.OptionManager.html
esxcli system settings advanced list -o
/Net/BlockGuestBPDU
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
51/topic/com.vmware.wssdk.apiref.doc/vim.host
.PortGroup.Specification.html
portgroup list
.PortGroup.Specification.html # esxcli network vswitch standard list
51/topic/com.vmware.wssdk.apiref.doc/vim.Aut
horizationManager.html N/A
51/index.jsp?topic=%2Fcom.vmware.wssdk.apire
f.doc%2Fvim.DistributedVirtualSwitch.html N/A
portgroup list
portgroup list
DistributedVirtualPortgroup.html N/A
portgroup list
.NetworkPolicy.SecurityPolicy.html
# esxcli network vswitch standard policy
security get -v [VSWITCH]
VmwareDistributedVirtualSwitch.SecurityPolicy.h
tml N/A
tml N/A
tml N/A
N/A N/A
N/A N/A
http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc%2Fvim.DistributedVirtualSwitch.html N/A
N/A N/A
N/A N/A
portgroup list
N/A N/A
ESXi Shell Command
Remediation vCLI Command Assessment
N/A N/A
N/A N/A
N/A
# esxcli <conn_options> network
vswitch standard portgroup list
N/A N/A
esxcli system settings advanced set -o
/Net/BlockGuestBPDU -i 0
esxcli <conn_options> system
settings advanced list -o
/Net/BlockGuestBPDU
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A
N/A
vswitch standard list
N/A N/A
N/A N/A
N/A
N/A
N/A N/A
N/A
policy security set -v vSwitch2 -f false
vswitch standard policy security
get -v [VSWITCH]
N/A N/A
N/A N/A
policy security set -v vSwitch2 -m false
get -v [VSWITCH]
policy security set -v vSwitch2 -p false
get -v [VSWITCH]
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A
N/A N/A
vCLI Command Remediation PowerCLI Command Assessment
N/A
# Check if auto expand is enabled on vDS
Get-VirtualPortGroup -Distributed | Select Name,
@{N="AutoExpand";E={$_.ExtensionData.Config.AutoExpa
nd}}
N/A
# List all dvSwitches and their Portgroups, VLAN Type and
Ids
Foreach ($dPG in (Get-VirtualPortGroup -Distributed)) {
Switch
((($dPG.ExtensionData.Config.DefaultPortConfig.Vlan).Get
Type()).Name) {
VmwareDistributedVirtualSwitchPvlanSpec {
$Type = "Private VLAN"
$VLAN =
$dPG.ExtensionData.Config.DefaultPortConfig.Vlan.pVlanI
D
}
VmwareDistributedVirtualSwitchTrunkVlanSpec {
$Type = "VLAN Trunk"
$VLAN =
($dPG.ExtensionData.Config.DefaultPortConfig.Vlan.VlanID
| Select Start, End)
}
VmwareDistributedVirtualSwitchVlanIdSpec {
$Type = "VLAN"
$VLAN =
$dPG.ExtensionData.Config.DefaultPortConfig.Vlan.vlanID
}
default {
$Type =
(($dPG.ExtensionData.Config.DefaultPortConfig.Vlan).GetT
N/A
# List all vSwitches, their Portgroups and VLAN Ids
Get-VirtualPortGroup -Standard | Select virtualSwitch,
Name, VlanID
N/A
# List all dvSwitches and their Portgroups, VLAN Type and
Ids
Foreach ($dPG in (Get-VirtualPortGroup -Distributed)) {
Switch
((($dPG.ExtensionData.Config.DefaultPortConfig.Vlan).Get
Type()).Name) {
VmwareDistributedVirtualSwitchPvlanSpec {
$Type = "Private VLAN"
$VLAN =
$dPG.ExtensionData.Config.DefaultPortConfig.Vlan.pVlanI
D
}
VmwareDistributedVirtualSwitchTrunkVlanSpec {
$Type = "VLAN Trunk"
$VLAN =
($dPG.ExtensionData.Config.DefaultPortConfig.Vlan.VlanID
| Select Start, End)
}
VmwareDistributedVirtualSwitchVlanIdSpec {
$Type = "VLAN"
$VLAN =
$dPG.ExtensionData.Config.DefaultPortConfig.Vlan.vlanID
}
default {
$Type =
(($dPG.ExtensionData.Config.DefaultPortConfig.Vlan).GetT
esxcli <conn_options> system
settings advanced set -o
/Net/BlockGuestBPDU -i 0
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
# List all Portgroups
Get-VirtualPortGroup
N/A
# List all vSwitches
Get-VirtualSwitch
N/A
N/A
N/A
Name, VlanID
N/A
Name, VlanID
N/A
# Check for the number of free ports on all VDS
PortGroups
Function Get-FreeVDSPort {
Param (
[parameter(Mandatory=$true,ValueFromPipeline=$true)]
$VDSPG
)
Process {
$nicTypes =
"VirtualE1000","VirtualE1000e","VirtualPCNet32","VirtualV
mxnet","VirtualVmxnet2","VirtualVmxnet3"
$ports = @{}
$VDSPG.ExtensionData.PortKeys | Foreach {
$ports.Add($_,$VDSPG.Name)
}

$VDSPG.ExtensionData.Vm | Foreach {
$VMView = Get-View $_
$nic = $VMView.Config.Hardware.Device | where
{$nicTypes -contains $_.GetType().Name -and
$_.Backing.GetType().Name -match "Distributed"}
$nic | where {$_.Backing.Port.PortKey} | Foreach
{$ports.Remove($_.Backing.Port.PortKey)}
}
N/A
Name, VlanID
# esxcli <conn_options> vswitch
standard policy security set -v
vSwitch2 -f false
# List all vSwitches and their Security Settings
Get-VirtualSwitch -Standard | Select VMHost, Name, `
@{N="MacChanges";E={if
($_.ExtensionData.Spec.Policy.Security.MacChanges) {
"Accept" } Else { "Reject"} }}, `
@{N="PromiscuousMode";E={if
($_.ExtensionData.Spec.Policy.Security.PromiscuousMode)
{ "Accept" } Else { "Reject"} }}, `
@{N="ForgedTransmits";E={if
($_.ExtensionData.Spec.Policy.Security.ForgedTransmits) {
"Accept" } Else { "Reject"} }}
N/A
# List all dvPortGroups and their Security Settings
Get-VirtualPortGroup -Distributed | Select Name, `
($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.
MacChanges.Value) { "Accept" } Else { "Reject"} }}, `
AllowPromiscuous.Value) { "Accept" } Else { "Reject"} }}, `
ForgedTransmits.Value) { "Accept" } Else { "Reject"} }}
N/A
vSwitch2 -m false
vSwitch2 -p false
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Name, VlanID
N/A
PowerCLI Command Remediation
Negative Functional Impact
At least one additional physical network adaptor must
be dedicated to management (more if network adaptor
teaming is used). This might greatly increase the cost of
the physical networking infrastructure required. In
resource-constrained environments (such as blades),
this might not be possible to achieve.
The VDS or dvPortgroup on the VDS will not have any
extra available port capacity.
This will prevent VMs from changing their effective
MAC address. This will affect applications that require
this functionality. An example of an application like this
is Microsoft Clustering, which requires systems to
effectively share a MAC address. This will also affect
how a layer 2 bridge will operate. This will also affect
applications that require a specific MAC address for
licensing. An exception should be made for the port
groups that these applications are connected to.
MAC address. This will affect applications that require
this functionality. An example of an application like this
is Microsoft Clustering, which requires systems to
licensing. An exception should be made for the
dvPortgroups that these applications are connected to.
MAC address. It will affect applications that require this
functionality. An example of an application like this is
Microsoft Clustering, which requires systems to
licensing. An exception should be made for the
dvPortgroups that these applications are connected to.
MAC address. It will affect applications that require this
functionality. An example of an application like this is
Microsoft Clustering, which requires systems to
licensing. An exception should be made for the port
groups that these applications are connected to.
Security devices that require the ability to see all
packets on a vSwitch will not operate properly if the
Promiscuous Mode parameter is set to Reject.
Security devices that require the ability to see all
packets on a vSwitch will not operate properly if the
Promiscuous Mode parameter is set to Reject.
http://kb.vmware.com/kb/1022312 N/A
http://kb.vmware.com/KB/1010691 N/A
N/A
N/A

http://kb.vmware.com/selfservice/microsites/search.
do?language=en_US&cmd=displayKC&externalId=201
7193
http://kb.vmware.com/selfservice/microsites/microsi
te.do?cmd=displayKCPopup&docType=kc&externalId
=2047822 N/A
N/A
N/A
vSphere Replication reference:
9562 N/A
N/A
N/A
N/A
N/A
N/A
http://kb.vmware.com/kb/1020757 N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
4074 N/A
http://www.vmware.com/files/pdf/techpaper/Whats-
New-VMware-vSphere-51-Network-Technical-
Whitepaper.pdf N/A
http://kb.vmware.com/KB/1008127 N/A
N/A
apply-os-patches vSphere 5.1 vCenter Host
block-unused-ports vSphere 5.1 vCenter Communication
change-default-password vSphere 5.1 vCenter VCSA
check-privilege-reassignment vSphere 5.1 vCenter Access
config-ntp vSphere 5.1 vCenter Communication
disable-datastore-web vSphere 5.1 vCenter Communication
disable-mob vSphere 5.1 vCenter Communication
install-with-service-account vSphere 5.1 vCenter Host
limit-user-login vSphere 5.1 vCenter Host
monitor-admin-assignment vSphere 5.1 vCenter Access
monitor-certificate-access vSphere 5.1 vCenter Host
no-self-signed-certs vSphere 5.1 vCenter Communication
remove-expired-certificates vSphere 5.1 vCenter Host
remove-failed-install-logs vSphere 5.1 vCenter Host
remove-revoked-certificates vSphere 5.1 vCenter Host
restrict-admin-privilege vSphere 5.1 vCenter Access
restrict-admin-role vSphere 5.1 vCenter Access
restrict-certificate-access vSphere 5.1 vCenter Host
restrict-datastore-web vSphere 5.1 vCenter Communication
restrict-guest-control vSphere 5.1 vCenter Access
restrict-Linux-clients vSphere 5.1 vCenter Client
restrict-network-access vSphere 5.1 vCenter Communication
restrict-vcs-db-user vSphere 5.1 vCenter Database
secure-vcenter-os vSphere 5.1 vCenter Host
secure-vco-file-access vSphere 5.1 vCenter VCO
thick-client-timeout vSphere 5.1 vCenter Client
use-supported-system vSphere 5.1 vCenter Host
verify-client-plugins vSphere 5.1 vCenter Client
Verify-RDP-encryption vSphere 5.1 vCenter Host
verify-ssl-certificates vSphere 5.1 vCenter Client
Title Vulnerability Discussion Profile
Keep vCenter Server system
properly patched.
By staying up to date on Windows patches,
vulnerabilities in the OS can be mitigated. If
an attacker can obtain access and elevate
privileges on the vCenter Server system,
they can then take over the entire vSphere
deployment. 1,2,3
Block access to ports not being
used by vCenter.
Blocking unneeded ports can militate
against general attacks on the Windows
system. A local firewall on the Windows
system of vCenter, or a network firewall,
can be used to block access to ports not 1,2
Change default VCSA
password
During installation of the VCSA, the default
password is not changed. This must be done
manually 1,2,3
Check for privilege re-
assignment after vCenter
Server restarts.
During a restart of vCenter Server, if the
user or user group that is assigned
Administrator Role on the root folder could
not be verified as a valid user/group during
the restart, the user/group's permission as 1,2
Configure NTP time
synchronization
By ensuring that all systems use the same
relative time source (including the relevant
localization offset), and that the relative
time source can be correlated to an agreed-
upon time standard (such as Coordinated 1,2,3
Disable datastore Web
browser.
The datastore Web browser enables you to
view all the datastores associated with the
vSphere deployment, including all folders
and files contained in them, such as VM
files. This is governed by the users 1
Disable managed object
browser.
The managed object browser provides a
way to explore the object model used by
the vCenter to manage the vSphere
environment; it enables configurations to be
changed as well. This interface is used 1,2
Install vCenter Server using a
service account instead of a
built-in Windows account.
You can use the Microsoft Windows built-in
system account or a domain user account to
run vCenter Server. The Microsoft Windows
built-in system account has more
permissions and rights on the server than 1,2
Avoid unneeded user login to
vCenter Server system.
After someone has logged in to the vCenter
Server system, it becomes more difficult to
prevent what they can do. In general,
logging in to the vCenter Server system
should be limited to very privileged 1,2,3
Monitor that vCenter Server
administrative users have the
correct Roles assigned.
Monitor that administrative users are only
assigned privileges they require. Least
Privilege requires that these privileges
should only be assigned if needed, to reduce
risk of confidentiality, availability or integrity 1,2
Monitor access to SSL
certificates.
The directory that contains the SSL
certificates only needs to be accessed by the
service account user on a regular basis.
Occasionally, the vCenter Server system
administrator might need to access it for 1,2
Do not use default self-signed
certificates.
Self-signed certificates are automatically
generated by vCenter Server during the
installation process, are not signed by a
commercial CA, and might not provide
strong security. Replace default self-signed 1,2,3
Remove expired certificates
from vCenter Server.
If expired certificates are not removed from
the vCenter Server, the
user can be subject to a MiTM attack, which
potentially might enable
compromise through impersonation with 1,2,3
Clean up log files after failed
installations of vCenter Server
In certain cases, if the vCenter installation
fails, a log file (with a name of the form
hs_err_pidXXXX) is created that contains
the database password in plain text. An
attacker who breaks into the vCenter Server 1,2,3
Remove revoked certificates
from vCenter Server.
If revoked certificates are not removed from
the vCenter Server, the
user can be subject to a MiTM attack, which
potentially might enable
compromise through impersonation with 1,2,3
Secure the vSphere
Administrator role and assign
it to specific users.
By default, vCenter Server grants full
administrative rights to the local
administrators account, which can be
accessed by domain administrators.
Separation of duties dictates that full 3
Secure the vSphere
Administrator role and assign
it to specific users.
By default, vCenter Server grants full
administrative rights to the local
administrators account, which can be
accessed by domain administrators.
Separation of duties dictates that full 1,2
Restrict access to SSL
certificates.
The SSL certificate can be used to
impersonate vCenter and decrypt the
vCenter database password. By default, only
the service user account and the vCenter
Server administrators can access the 1
Restrict datastore browser.
The datastore browser functionality either
through the Web browser or via the
vSphere Client and the vSphere Web Client
allows users with proper
permissionsview/upload/download access 2,3
Restrict unauthorized vSphere
users from being able to
execute commands within the
guest virtual machine.
By default, vCenter Server "Administrator"
role allows users to interact with files and
programs inside a virtual machine's guest
operating system, which can lessen Guest
data confidentiality, availability or integrity. 1,2
Restrict the use of Linux-based
clients.
Although SSL-based encryption is used to
protect communication between client
components and vCenter Server or ESXi, the
Linux versions of these components do not
perform certificate validation. Even if you 1,2
Restrict network access to
vCenter Server system.
Restrict access to only those essential
components required to communicate with
vCenter. Blocking access by unnecessary
systems reduces the potential for general
attacks on the operating system. Restricting 1,2
Use least privileges for the
vCenter Server database user.
vCenter requires only certain specific
privileges on the database. Furthermore,
certain privileges are required only for
installation and upgrade, and can be
removed during normal operation. These 1,2,3
Provide Windows system
protection on the vCenter
Server host.
By providing OS-level protection,
vulnerabilities in the OS can be mitigated.
This protection includes antivirus,
antimalware, and similar measures. If an
attacker can obtain access and elevate 1,2,3
Restrict read access to VCO
files with authentication data
to administrators
vCenter Orchestrator installation directories
on the vCenter Server contain
authentication information for plugins. If
compromised, these can be used in a
spoofing attack getting access to the plug-in 1,2,3
Set a timeout for thick-client
login without activity.
You can set an inactivity timeout for the
vSphere Client (Thick client). This client-side
setting can be changed by the user, so this
must be set by default and re-audited for.
Closing sessions automatically reduces the 1,2,3
Maintain supported operating
system, database, and
hardware for vCenter.
vCenter Server resides on a Windows-based
operating system and therefore requires a
supported version of Windows. If vCenter is
not running on a supported OS, it might not
run properly. An attacker might be able to 1,2,3
Verify vSphere Client plugins
vCenter Server includes a vSphere Client
extensibility framework, which provides the
ability to extend the vSphere Client with
menu selections or toolbar icons that
provide access to vCenter Server add-on 1,2,3
Verify RDP encryption levels
When using RDP to connect to a Windows
host, there are a number of different
encryption levels that can be used. The
default settings of "Client Compatible" may
not be strong enough. 1,2,3
Always verify SSL certificates.
Without certificate verification, the user can
be subject to a MiTM attack, which
potentially might enable compromise
through impersonation with the users
credentials to the vCenter Server system. 1,2,3
Control Type
Operational
Configuration
Configuration
Operational
Parameter
Parameter
Parameter
Configuration
Operational
Operational
Operational
Configuration
Operational
Operational
Operational
Operational
Operational
Configuration
Parameter
Operational
Operational
Operational
Configuration
Operational
Configuration
Parameter
Configuration
Operational
Operational
Operational
Employ a system to keep the vCenter Server system up to date with patches in accordance
with industry-standard guidelines, or internal guidelines where appropriate.
Verify that unused network protocol/port pairs are blocked to/from the vCenter Server. A
list of ports used by vCenter can be found in this VMware Knowledge Base article:
http://kb.vmware.com/kb/1012382. Make sure not to block any ports for functionality that
is actually in use in your environment.
Log into the vCenter Server Appliance admin page and change the password for the root
account
Any time that vCenter Server restarts, the log file should be scanned to ensure that no
privileges were re-assigned. For the location of vCenter Server log files, please see this KB:
http://kb.vmware.com/kb/1021804. In the Windows Application log, look for an entry like:
Log Name: Application
Source: VMware VirtualCenter Server
On each Windows computer in the infrastructure, ensure that NTP settings are correct and
in accordance with industry-standard guidelines, or internal guidelines where appropriate.
To verify the datastore browser is disabled, edit the vpxd.cfg file and ensure that the
following element is set: <enableHttpDatastoreAccess>false</enableHttpDatastoreAccess>
This should be the only occurrence of this element, and it should be within the
<vpxd>...</vpxd> element in vpxd.cfg. Also verify there was a restart of the vCenter Service
to make the config file change apply. This may restart other related VMware services.
Verify the managed object browser is disabled by viewing/editing the vpxd.cfg file, and
checking that the following element is set:
<enableDebugBrowse>false</enableDebugBrowse> . This should be the only occurrence of
this element, and it should be within the <vpxd> ...
</vpxd>
Verify that vCenter Server was installed using a special-purpose user account on the
Windows host with only a local administrator role. This account should have "Act as part of
the operating system" privilege, and write access to the local file system
Verify that policies are in place and enforced to restrict login to the vCenter System only to
those personnel who have legitimate tasks to perform in it. Ensure that they log in only
when necessary, and audit these events.
Monitor that Roles are created in vCenter with required granularity of privilege for your
organization's administrator types, and that these roles are assigned to the correct users. 1.
Log into the vCenter Server System using the vSphere Client as a vCenter Server System
Administrator. 2. Go to "Home > Administration > Roles" and verify that a Role exists for
each of the administrator privilege sets your organization requires and allows. 3. Right click
Use event log monitoring to alert on nonservice account access to certificates directory.
Ensure that any certificates presented by the host can be verified by a trusted certification
authority.
Verify you have removed expired certificates from your vCenter Server.
If at any time a vCenter Server installation fails, only the log files of format "hs_err_pid.".
should be deleted securely before putting the host into production.
Verify you have removed revoked certificates from your vCenter Server.
Observe the assigned permissions in vSphere. Make sure that Administrator or any other
account or group does not have any privileges except users created as follows: 1. Create an
ordinary user account that will be used to manage vCenter (example vi-admin). 2. Make sure
the user does not belong to any local groups, such as administrator. 3. On the top-level
hosts and clusters context, log onto vCenter as the Windows administrator; then grant the
Observe the assigned permissions in vSphere. Make sure that Administrator or any other
account or group does not have any privileges except users created as follows: 1. Create an
ordinary user account that will be used to manage vCenter (example vi-admin). 2. Make sure
the user does not belong to any local groups, such as administrator. 3. On the top-level
hosts and clusters context, log onto vCenter as the Windows administrator; then grant the
Check that the Windows file permission on the SSL certificate directory files are set so that
only the vCenter service account and authorized vCenter Server Administrators can access
them. Verify that the directory and all files within are only accessible to the service user
(System) and authorized vCenter Server administrators. The location by default for vCenter
this is C:\ProgramData\VMware\VMware VirtualCenter\SSL and for the Inventory Service
Log into the vSphere Web Client as a user with rights to view user privileges. For each
vCenter Object, in the Manage > Permissions tab verify that the Datastore > Browse
datastore permission is not checked.
Verify that there is a Role that will be used to manage vCenter without the Guest Access
Control (example "Administrator No Guest Access"), and that this role is assigned to
administrators who should not have Guest file and program interaction privileges. 1. Log
into the vCenter Server System using the vSphere Client as a vCenter Server System
Administrator. 2. Go to "Home > Administration > Roles" and verify that a Role exists for
Verify that the operating system of the client you are connecting to vCenter or ESXi host
with is not Linux.
You should protect the vCenter Server by enabling the firewall on the Windows server that
vCenter components are running on, or by using a network firewall to restrict traffic to those
servers. This protection should include IP/Port-based access restrictions, so that only
necessary components can communicate with the vCenter Server system on required ports.
Verify that only the privileges needed for your current vCenter state, on either Oracle and
Microsoft SQL Server, are assigned. These privileges are listed in the vSphere Upgrade Guide,
Upgrading to vCenter Server 5.1 chapter, Prerequisites for All vCenter Server Databases
section. This document can be found here: http://pubs.vmware.com/vsphere-
51/topic/com.vmware.vsphere.upgrade.doc/GUID-093777CF-BB5A-4D23-A41D-
Verify that Windows system protection is applied, such as antivirus, in accordance with
industry-standard guidelines, or internal guidelines where appropriate. Verify protections
applied do not interfere with vCenter Server function.
Log into the vCenter Server host with administrator access and remove access for non-
administrators to the vCenter Orchestrator files with authentication information.
1) Login to vCenter Server OS
On each Windows computer with the vSphere Client installed either: 1. Verify that a
timeout is set to the requirement of your organization or industry best practices. The login
idle timeout is a parameter that can be set in the vpxClient.exe.config. Add the following
entry right above </cmdlineFallback>, where X is the number of minutes for the timeout
value and save then save the file.
Verify that vCenter Server is running on supported OS, hardware and database.
Make sure that the vSphere Client installation used by administrators includes only
authorized extensions from trusted sources. You can check to see which plug-ins are actually
installed for a given vSphere Client by going to the menu item Plug-ins > Manage Plug-ins
and clicking the Installed Plug-ins tab.
On each Windows computer in the infrastructure, ensure that Remote Desktop Host
Configuration settings are set to ensure the highest level of encryption in accordance with
industry-standard guidelines, or internal guidelines where appropriate.
Instruct any user of vSphere Clients to never ignore certificate verification warnings.
Configuration File Configuration Parameter Desired Value Change Type
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A Site Specific Modify
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A
N/A N/A N/A N/A
Is desired value the default? vSphere API ESXi Shell Command Assessment
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
No N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
No
N/A N/A N/A
ESXi Shell Command Remediation vCLI Command Assessment
N/A N/A
N/A N/A
N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
vCLI Comment Remediation PowerCLI Command Assessment
N/A
# List All Patches for your vCenter Server,
Administrator Privileges will be needed on your
# vCenter server for this to complete
Get-WmiObject -ComputerName
$DefaultVIServer Win32_QuickFixEngineering |
select Description, Hotfixid
N/A
N/A
# List all vCenter Application log entries for
VMware VirtualCenter. OS Administrator
Privileges will be needed on your server for this
to complete.
Get-EventLog -ComputerName MyvCenter -
N/A N/A
N/A
N/A
N/A
N/A
N/A
# List all Roles and Accounts with access to the
root Datacenters folder
Get-Folder Datacenters | Get-VIPrivilege
N/A
N/A
us.sysadmins.lv/Lists/Posts/Post.aspx?List=332
991f0-bfed-4143-9eea-f521167d287c&ID=60
[CmdletBinding()]
N/A N/A
N/A
N/A N/A
N/A
N/A
N/A
N/A
N/A
# List the existing roles
Get-VIRole
N/A
N/A
N/A
N/A
N/A
N/A
# List the version of vCenter OS and Service
Pack. OS Administrator Privileges will be
needed on your server for this to complete
Get-WmiObject Win32_OperatingSystem -
computer $DefaultVIServer | select CSName,
N/A
# List Plugins Installed
$ServiceInstance = get-view ServiceInstance
$EM = Get-View
$ServiceInstance.Content.ExtensionManager
$EM.ExtensionList | Select
N/A
991f0-bfed-4143-9eea-f521167d287c&ID=60
[CmdletBinding()]
PowerCLI Command Remediation Negative Functional Impact
Any blocked ports will have to be unblocked for
functionality relying on them to work.
N/A
You will no longer be able to browse and view
datastore files using a Web browser connected
to vCenter Server via either HTTP or HTTPS.
Products depending on these services will be
negatively impacted. Check with your 3rd party
The managed object browser will no longer be
available for diagnostics.
N/A
Supportability limitations: Will prevent a
complete support log from being collected
when the vc-support script is issued. Will
prevent the administrator from being able to
change the vCenter database password
Only systems in the IP whitelist/ACL will be able
to connect to vCenter Server.
Thick client will be logged out of by the client at
the specified time and the user will have to
login again.
Reference
51/index.jsp?topic=%2Fcom.vmware.vsphere.vcenterhost.doc
%2FGUID-1BB3D56C-F72A-4330-BA06-8F4505005A3B.html
Microsoft documentation for the version of Windows Server
OS that you are using.
http://www.vmware.com/resources/techresources/10124
51/topic/com.vmware.vsphere.security.doc/GUID-1F8C8AAC-
3DB5-43F3-B8CE-925B7E6F58AA.html
51/topic/com.vmware.vsphere.upgrade.doc/GUID-093777CF-
BB5A-4D23-A41D-5B791789E33C.html
http://kb.vmware.com/selfservice/microsites/search.do?langu
age=en_US&cmd=displayKC&externalId=2021259
For vCenter Server OS compatibility, see the Host OS Guide:
https://www.vmware.com/resources/compatibility/search.ph
p?deviceCategory=software&testConfig=17. For hardware
requirements, see the ESXi and vCenter Server Installation
Guidepaper: http://pubs.vmware.com/vsphere-
Microsoft documentation for the version of Windows Server
OS that you are using.
Able to set using Host Profile?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
audit-vum-login vSphere 5.1 vCenter VUM
isolate-vum-airgap vSphere 5.1 vCenter VUM
isolate-vum-proxy vSphere 5.1 vCenter VUM
isolate-vum-webserver vSphere 5.1 vCenter VUM
limit-vum-users vSphere 5.1 vCenter VUM
no-vum-self-management vSphere 5.1 vCenter VUM
no-vum-self-signed-certs vSphere 5.1 vCenter VUM
patch-vum-os vSphere 5.1 vCenter VUM
restrict-vum-db-user vSphere 5.1 vCenter VUM
secure-vum-os vSphere 5.1 vCenter VUM
Title Vulnerability Discussion Profile
Audit user login to Update
Manager system.
After someone has logged in to the Update Manager
system, it becomes more difficult to prevent what they
can do. In general, logging in to the Update Manager
system should be limited to very privileged
administrators, and then only for the purpose of
administering Update Manager or the host OS. Anyone
logged in to the Update Manager can potentially cause
harm, either intentionally or unintentionally, by altering
settings and modifying processes. 1,2,3
Limit the connectivity
between Update Manager
and public patch
repositories.
In a typical deployment, Update Manager connects to
public patch repositories on the Internet to download
patches. This connection should be limited as much as
possible to prevent access from the outside to the
Update Manager system. Any channel to the Internet 1
and public patch
repositories.
and public patch
repositories.
Limit user login to Update
Manager system.
After someone has logged in to the Update Manager
system, it becomes more difficult to prevent what they
can do. In general, logging in to the Update Manager
system should be limited to very privileged
administrators, and then only for the purpose of 1,2,3
Do not configure Update
Manager to manage its own
VM or the VM of its vCenter
Server.
Although you can install both Update Manager and
vCenter Server on VMs and place them on the same ESXi
host, you should not configure Update Manager to
manage the updates on those VMs. Upon scanning and
remediation, the virtual machine on which Update 1,2,3
Do not use default self-
signed certificates.
Self-signed certificates are automatically generated by
Update Manager during the installation process, are not
signed by a commercial CA, and might not provide strong
security. Replace default self-signed certificates with
those from a trusted certification authority, either a 1,2,3
Keep Update Manager
system properly patched.
By staying up to date on Windows patches, vulnerabilities
in the OS can be mitigated. If an attacker can obtain
access and elevate privileges on the Update Manager
system, it can compromise the patching process. 1,2,3
Use least privileges for the
Update Manager database
user.
Update Manager requires certain privileges on its
database user in order to install, and the installer
automatically checks for these. These are documented in
the VMware Update Manager Administration Guide.
However, after installation, only a small number of 1,2,3
Provide Windows system
protection on the Update
Manager system.
By providing OS-level protection, vulnerabilities in the OS
can be mitigated. This protection includes antivirus,
antimalware, and similar measures. If an attacker can
obtain access and elevate privileges on the vCenter
Server system, they can then take over the entire vSphere 1,2,3
Control Type Assessment Procedure Configuration File
Operational
Ensure that they log in only when necessary by
auditing these events. N/A
Configuration
Verify Update Manager is configured to use
the Download Service. Verify that there are
enforced policies in place to use physical
media to transfer update files to the Update
Manager server (air-gap model). Ensure that N/A
Configuration
Verify that there is a Web proxy between
Update Manager and the Internet. Check the
proxy settings for Update Manager to make
sure they are correct. Proxy settings are given
in the "Installing and Administering VMware N/A
Configuration
Verify Update Manager is configured to use
the Download Service, and configure a Web
server to transfer the files to the Update
Manager server (semi-air-gap model). Ensure
that the Download Service is functioning and N/A
Operational
Restrict login to the Update Manager to only
those personnel who have legitimate tasks to
perform with it. N/A
Configuration
Verify that Update Manager does not manage
the patching of the VM on which it runs, nor
the VM on which the associated vCenter
Server runs. N/A
Configuration
Verify that self-signed certificates on Update
Manager have been changed to certificates
from a trusted certification authority. N/A
Operational
Verify the Update Manager system is up to
date with patches in accordance with industry-
standard guidelines, or internal guidelines
where appropriate. N/A
Configuration
Verify that only the following permissions are
allowed to the VUM DB user after installation.
For Oracle: After installation, only the
following permissions are needed for normal
operation: create session, create any table, N/A
Operational
Verify that Windows system protection is
applied, such as antivirus, in accordance with
industry-standard guidelines, or internal
guidelines where appropriate. Verify
protections applied do not interfere with N/A
Configuration Parameter Desired Value Change Type
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
Is desired value the default? vSphere API ESXi Shell Command Assessment
N/A N/A
N/A
N/A N/A
N/A
N/A N/A
N/A
N/A N/A
N/A
N/A N/A
N/A
N/A N/A
N/A
N/A N/A
N/A
N/A N/A
N/A
N/A N/A
N/A
N/A N/A
N/A
ESXi Shell Command Remediation vCLI Command Assessment
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
vCLI Comment Remediation
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
PowerCLI Command Assessment
51/topic/com.vmware.vsphere.update_manager.doc/GUID-975192DB-B2A7-
485A-9D11-0D9CD29F1D7F.html
# List All Patches for your VUM Server, Administrator Privileges will be needed
on your
# VUMserver for this to complete
Get-WmiObject -ComputerName "VUMServerName"
Win32_QuickFixEngineering | select Description, Hotfixid
PowerCLI Command Remediation Negative Functional Impact
N/A
51/topic/com.vmware.vsphere.update_manager.doc/
GUID-1F5292F1-904D-4607-871A-
AE426EF9BD3F.html N/A
GUID-975192DB-B2A7-485A-9D11-
0D9CD29F1D7F.html N/A
GUID-47CDC301-C46F-4191-AB99-
D2859F3BA54B.html N/A
N/A
N/A
N/A
N/A
N/A
N/A
check-SSO-Password-expiration vSphere 5.1 vCenter SSO
check-SSO-Password-policy vSphere 5.1 vCenter SSO
config-ntp vSphere 5.1 vCenter SSO
no-SSO-self-signed-certs vSphere 5.1 vCenter SSO
restrict-sso-db-user vSphere 5.1 vCenter SSO
SSO-DB-password-recorded vSphere 5.1 vCenter SSO
Title
Check SSO passwords for expiration
Ensure SSO Password policy conforms to local policy
Configure NTP time synchronization
Do not use default self-signed certificates.
Use least privileges for the SSO database user.
Ensure the SSO DB password is recorded and secured
Vulnerability Discussion
The default SSO password policy has a password lifetime of 365 days. After 365 days, the password is
expired and the ability to log is compromised. The applies to ALL SSO accounts, both Administrative
and User. (there is not separate policy for both groups). Ensure the admin accounts are not about to
The default SSO password policy has a password lifetime of 365 days. After 365 days, the password is
expired and the ability to log is compromised. The applies to ALL SSO accounts, both Administrative
and User. (there is not separate policy for both groups). Ensure the policies in SSO match local policies
for password management and complexity
By ensuring that all systems use the same relative time source (including the relevant localization
offset), and that the relative time source can be correlated to an agreed-upon time standard (such as
Coordinated Universal TimeUTC), you can make it simpler to track and correlate an intruders
actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect
and correlate log files to detect attacks, and can make auditing inaccurate. In addition incorrect time
Self-signed certificates are automatically generated by SSO during the installation process, are not
signed by a commercial CA, and might not provide strong security. Replace default self-signed
certificates with those from a trusted certification authority, either a commercial CA or an
organizational CA. The use of default certificates leaves the SSL connection open to MiTM attacks.
Changing the default certificates to trusted CA-signed certificates mitigates the potential for MiTM
SSO requires certain privileges on its database user in order to install, and the installer automatically
checks for these. These are documented in the VMware Update Manager Administration Guide.
However, after installation, only a small number of privileges are required for operation. The
privileges on the SSO database user can be reduced during normal operation. These privileges should
be added again if an upgrade or uninstall must be performed. Least privileges mitigates attacks if the
SSO database account is compromised. There is currently no way to restrict AD users from logging in,
even if they can't do anything.
If the SSO DB password is not recorded during installation, the ability to recover the SSO database is
compromised.
Profile Control Type
1,2,3 Configuration
1,2,3 Configuration
1,2,3 Parameter
1,2,3 Configuration
1,2,3 Configuration
1,2,3 Configuration
Assessment Procedure Configuration File
There's no current method for notification of password expiration. Record
the date for expiration and reset the password before that date. N/A
Log into vCenter as an SSO administrator (default user is admin@System-
Domain) and select Configuration. There you can edit the password and
lockout policies N/A
If using a separate SSO server, ensure that NTP settings are correct and in
accordance with industry-standard guidelines, or internal guidelines where
appropriate. N/A
Verify that self-signed certificates on SSO have been changed to certificates
from a trusted certification authority. N/A
Verify that only the following permissions are allowed to the SSO DB user
after installation. For Oracle: After installation, only the following
permissions are needed for normal operation: create session, create any
table, drop any table . For SQL Server: After installation, the dba_owner role
or sysadmin role can be removed from the MSDB database (it is still required,
however, for the SSO database). Please check the latest VMware SSO
Administration Guide for any updates to these configurations. N/A
Ensure the SSO databae password is recorded and stored in a secure location. N/A
Configuration Parameter Desired Value Change Type Is desired value the default?
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A Site Specific Modify No
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
vSphere API ESXi Shell Command Assessment ESXi Shell Command Remediation
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
vCLI Command Assessment vCLI Comment Remediation
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
PowerCLI Command Assessment PowerCLI Command Remediation
N/A N/A
Negative Functional Impact Reference Able to set using Host Profile?
N/A
N/A
Microsoft
documentati
on for the
version of
Windows N/A
N/A
N/A
N/A
ID Product Version Component Subcomponent Title
verify-ssl-certificates vSphere 5.1 vCenter Web Client
Always
verify SSL
certificates.
web-client-timeout vSphere 5.1 vCenter Client
Set a
timeout for
web-client
login
without
activity.
Vulnerability Discussion Profile
Without certificate verification, the user can be subject to a MiTM attack,
which potentially might enable compromise through impersonation with the
users credentials to the vCenter Server system. When connecting to vCenter
Server using vSphere Client, the client checks to see if the certificate being
presented can be verified by a trusted third party. If it cannot be, the user is
presented with a warning and the option to ignore this check. This warning
should not be ignored; if an administrator is presented with this warning, they 1,2,3
You can set an inactivity timeout for the vSphere Client (web client). This
server-side setting can be changed by the admin. Closing sessions
automatically reduces the potential for unauthorized access to vCenter,
minimizing risk. 1,2,3
Control Type Assessment Procedure Configuration File
Operational
Instruct any user of vSphere
Clients to never ignore certificate
verification warnings. N/A
Parameter
On the computer where the
vSphere Web Client is installed,
locate the webclient.properties
file.
The location of this file depends
on the operating system on
which the vSphere Web Client is
installed. Consult the Vmware webclient.properties
N/A N/A N/A N/A
session.timeout N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A
N/A N/A
991f0-bfed-4143-9eea-f521167d287c&ID=60
[CmdletBinding()]
param(
[Parameter(Mandatory = $true,
Negative Functional Impact Reference
Web client will be logged out of
by the client at the specified time
and the user will have to login
again.
51/topic/com.vmware.vsphere.vcenter
host.doc/GUID-975412DE-CDCB-49A1-
8E2A-0965325D33A5.html
N/A
N/A
change-default-password vSphere 5.1 VCSA Access
config-ntp vSphere 5.1 VCSA Communication
restrict-network-access vSphere 5.1 VCSA Communication
Title Vulnerability Discussion
Change default VCSA password
During installation of the VCSA, the default password is not
changed. This must be done manually
Configure NTP time
synchronization
By ensuring that all systems use the same relative time source
(including the relevant localization offset), and that the relative
time source can be correlated to an agreed-upon time standard
(such as Coordinated Universal TimeUTC), you can make it
simpler to track and correlate an intruders actions when
reviewing the relevant log files. Incorrect time settings can
make it difficult to inspect and correlate log files to detect
attacks, and can make auditing inaccurate. In addition incorrect
time settings can introduce login issues with SSO as all SSO
component rely on coordinated time.
Restrict network access to
vCenter Server Appliance system.
Restrict access to only those essential components required to
communicate with vCenter. Blocking access by unnecessary
systems reduces the potential for general attacks on the
operating system. Restricting access to only those essential
components required to communicate with vCenter, minimizes
risk.
Profile Control Type Assessment Procedure Configuration File
1,2,3 Configuration
Log into the vCenter Server Appliance admin
page and change the password for the root
account N/A
1,2,3 Parameter
Set NTP settings according to the Vmware
documentation N/A
1,2 Operational
You should protect the vCenter Server
Appliance by incorporating the settings called
out in the KB article referenced. The result will
be firewall settings that are compliant with
the DISA STIG. N/A
N/A N/A N/A N/A
N/A Site Specific Modify No
N/A N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A
N/A N/A
N/A N/A
Negative Functional Impact Reference
http://pubs.vmware.com/vsp
here-
51/index.jsp?topic=%2Fcom.v
mware.vsphere.vcenterhost.
doc%2FGUID-1BB3D56C-
F72A-4330-BA06-
8F4505005A3B.html
http://pubs.vmware.com/vsp
here-
51/topic/com.vmware.vspher
e.install.doc/GUID-FE79F045-
BEB0-4FE5-B19D-
4F4B3BE4663D.html
Only systems in the IP whitelist/ACL will
be able to connect to vCenter Server.
47585
N/A
N/A
N/A

Hardeningguide Vsphere5 1 Ga Release Public

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Hardeningguide Vsphere5 1 Ga Release Public

Diunggah oleh

Hak Cipta:

Format Tersedia

Virtual Machines

Anda mungkin juga menyukai