
HANDS-ON LABS MANUAL - 2024

HOL-2536-01-VCF-L

Getting Started with vSphere Security Configuration and Hardening Guide
HOL-2536-01-VCF-L: Getting Started with vSphere Security Configuration and Hardening Guide

Table of contents

Lab Overview - HOL-2536-01-VCF-L - Getting Started with vSphere Security Configuration and Hardening Guide ... 3
    Lab Guidance ... 3
    Lab Description ... 5
Module 1 - vSphere 8 Security Technical Implementation Guide – Manual Process (30 minutes) Intermediate ... 6
    Introduction ... 6
    vSphere 8 Security Configuration and Hardening Guide Overview ... 9
    System Design ... 9
    Hardware Configuration ... 30
    Security Controls ... 40
    Conclusion ... 45
Appendix ... 46
    Hands-on Labs Interface (Ubuntu Main Console) ... 46

HANDS-ON LABS MANUAL | 2



Lab Overview - HOL-2536-01-VCF-L - Getting Started with vSphere Security Configuration and Hardening Guide

Lab Guidance [2]

Welcome to the vSphere 8 Security Configuration and Hardening Guide Lightning Lab!

We have developed Lightning Labs to help you learn about VMware products in small segments of time. In this lab, you will get some
examples on how to harden your vSphere 8 environment.

•Module 1 - Security Configuration and Hardening Guide (30 minutes) (Advanced). The vSphere Security Configuration Guide is intended to be a baseline set of security best practices that informs a vSphere Administrator's security efforts in a general way and examines the trade-offs at hand. This module walks you step by step through hardening your vSphere environment: accessing ESXi and VCSA via SSH, accessing ESXi and VCSA using PowerCLI, CAT I checks, and a sample of CAT II checks performed both via SSH (where you change a setting in an XML file) and via PowerCLI (where you create and validate settings with PowerCLI).

Lab Captains:

•Chris Horning - Staff Technical Account Manager

Lab Principal:

•Dwayne Callahan - Solutions Architect

Content Architect/Leads:

•Matthew Meyer - Content Architect


First time using Hands-on Labs? [3]

Welcome!

1. If this is your first time taking a lab, navigate to the Appendix in the Table of Contents to review the interface and features before proceeding. For returning users, feel free to start your lab by clicking next in the manual.

You are ready....is your lab? [4]


The lab console will indicate when your lab has finished all the startup routines and is ready for you to start. If you see anything other
than "Ready", please wait for the status to update. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

Lab Description [5]

This module walks you step by step through hardening your vSphere environment, covering:

•Access ESXi and VCSA via SSH

•Access ESXi and VCSA using PowerCLI

•Hardening for System Design, Hardware Configuration, and Security Controls


Module 1 - vSphere 8 Security Technical Implementation Guide – Manual Process (30 minutes) Intermediate

Introduction [7]

The vSphere Security Configuration and Hardening Guide is the baseline for hardening and auditing guidance for VMware vSphere
itself. Started more than a decade ago, it has long served as guidance for vSphere Administrators looking to protect their infrastructure.

The vSphere Security Configuration and Hardening Guide is intended to be a baseline set of security best practices that informs a
vSphere Administrator's security efforts in a general way and examines the trade-offs at hand. Turning on all security features to their
highest levels can be detrimental, impeding administrators' day-to-day efforts to operate, patch, and monitor their environments. The
guide is not a catalog of all available security controls; it is simply a reasonable baseline from which to operate.


What’s New in vSphere Security Configuration and Hardening Guide 8 [8]

This release of the vSphere Security Configuration and Hardening Guide has been updated for vSphere 8. It reflects new features and
functionality present in the new major version. As future updates are released for vSphere, this guidance will evolve.

This vSphere 8.02 release of the vSphere Security Configuration and Hardening Guide builds on the latest guidance for previous
releases of vSphere, with similar changes to the format of the resources:

•Addition of Solution mapping information, to make it easier to handle VMware product groupings like VMware vSphere (which is a combination of VMware vCenter Server, VMware ESXi, and other components) or VMware Cloud Foundation.
•Synchronization of control titles and recommended values, where feasible, with DISA STIG guidance and downstream regulatory compliance guidance.
•Expansion of feature-specific guidance. For example, our guidance still recommends not enabling SSH on ESXi, but if you do, there are additional controls that should be audited. Auditors who use this guidance should first survey the environment for use of the specific features covered by this guide.
•Addition of controls present in DISA STIG and downstream regulatory compliance guidance.
•Addition of DISA STIG Suggested Values. The DISA STIG, delivered from public.cyber.mil, should always be considered the reference if there is a discrepancy between the guides.
•Addition of VMware Configuration ID mappings, to help align downstream regulatory compliance guidance.
•Addition of VCF Compatibility information, denoting parameters that should be used with care in a VMware Cloud Foundation environment.
•Reintroduction of esxi-8.timekeeping-services, ensuring that timekeeping services such as NTP or PTP are enabled and running, separate from the configuration controls. In general, the approach moving forward is to have one programmatically auditable setting per control.
•Reintroduction of esxi-8.ad-auth-proxy.
•Various PowerCLI example updates (thank you to those who have submitted feedback).

This guide also departs from the traditional vSphere Security Configuration Guide in a few ways:

•The addition of compliance-oriented guidance such as login banners. While these are not strictly related to the security of the platform, there are important business reasons to use them.
•Stronger opinions on product defaults. In talking with customers about security, they say that staffing and staff time continue to be a concern. By relying on the product defaults (many of which were updated in vSphere 8 to be secure by default), organizations can reduce the time they spend managing settings. You will see this reflected in the Audit guidance, where an undefined value can be accepted as valid.
•The removal of hardening guidance that does not apply to vSphere 8 or workloads running on vSphere 8. Third-party tools and resources that continue to check for unimplemented, irrelevant, and obsolete parameters should be updated.

Beyond the guide itself, there are further options for staying compliant and reducing exposure to attacks: you can configure and
manage Lockdown Mode on ESXi hosts, and you can use Aria Operations compliance content to detect some vulnerabilities in your
environment.


vSphere 8 Security Configuration and Hardening Guide Overview [9]

The VMware vSphere Security Configuration & Hardening Guide (SCG) is the baseline for hardening and auditing guidance for VMware
vSphere itself. Started more than a decade ago, it has long served as guidance for virtualization administrators looking to protect their
infrastructure.

Security is always a trade-off, and turning on all security features to their highest levels often impedes day-to-day administration efforts.
The goal of the vSphere Security Configuration and Hardening Guide is to be a baseline set of security best practices that informs
administrators while weighing the trade-offs. It is not a catalog of all available security controls, but instead a reasonable baseline on
which to build.

Severity Category Codes [10]

Severity Category Codes (referred to as CAT) measure the impact of a vulnerability and are used to assess a facility's or system's security
posture. Each security policy specified is assigned a Severity Category Code: CAT I, II, or III.

Defense Information Systems Agency (DISA) Category Code Guidelines

CAT I    Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.
CAT II   Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.
CAT III  Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.

Example scripts and playbooks to aid in these tasks are available in the GitHub repository linked below. Carefully examine and test
them before running them in a production environment.

https://github.com/vmware/dod-compliance-and-automation/

The content in that repository is version-specific. For example, the vSphere 7 content includes a script you can run to check that your
environment is secure and hardened, but that script only works for that specific version of vSphere. Do not run content written for one
version against any other version.

https://public.cyber.mil/stigs/

https://core.vmware.com/security-configuration-guide#vmware-vsphere-8--vcf-5x

We have broken each article into 3 sections: System Design, Hardware Configuration and Security Controls. We will work on some tasks
that you can do to manually harden your vSphere 8 environment.

System Design [11]

VMware appliances, such as vCenter Server, are tested and qualified in known configurations. If you choose to alter those configurations,
be sure you understand the reason and the implications, as doing so will affect support. In particular, avoid upgrading the appliance
virtual hardware version except under the guidance of VMware Global Support Services.

The VMware vSphere Cluster Services VMs have been hardened with guidance present here and take advantage of vSphere default
settings. If your security scanner identifies missing parameters check to ensure that they actually need to be set.

There are ongoing efforts to standardize security guidance & implementations within VMware and the vSphere Security Configuration
Guide (SCG) is a part of that. Future product releases will bring the defaults forward, as old product versions become unsupported.

The new System Design section contains security controls that require deeper system design consideration and enablement. When seen
through the core tenets of information security, all features of vSphere are security features. The latest releases of the SCG begin to
treat them as such.

Open Firefox Web Browser from Taskbar [12]

1. Click on the Firefox icon on taskbar

Login to vSphere Client [13]

1. Click Region A
2. Click vcsa-01a Client


1. On the vSphere Client login screen, log in with these credentials:

•Login: [email protected]
•Password: VMware123!

2. Click LOGIN


Administration Client Plugins [14]

Reduce or eliminate third-party vCenter Server plugins.

Installation of plugins and other third-party cross-connections between systems erodes the boundaries between different infrastructure
systems, offering opportunities for attackers who have compromised one system to move laterally to another. Tight coupling of other
systems to vSphere often creates impediments to timely patching and upgrades. Consider any third-party plugins or add-ons to vSphere
components carefully and ensure that they add significant value, compared with using individual management consoles, to offset
the risks they create.

Manage Client Plug-Ins [15]

1. Click Menu (Hamburger icon)
2. Click Administration


Client Plugins [16]

With Client Plug-In Management you can monitor plug-in downloads, deployments, upgrades, and removals.

1. Select Solutions > Client Plugins

In this case, all of them are VMware plugins.


1. Select Solutions > vCenter Server Extensions

You can click on the Plugins and remove what is unnecessary. We won't be doing this step since we need all these plugins.

Centralized Authentication [17]

Use caution when connecting infrastructure management interfaces to general-purpose authentication and authorization sources.

Centralized enterprise directories are targets for attackers because of their role in authorization across an enterprise. An attacker can
move freely inside an organization once that directory is compromised. Connecting IT infrastructure to centralized directories has
proven to be a considerable risk for ransomware and other attacks, and it is recommended that infrastructure systems of all types have
their authentication and authorization isolated.

For ESXi it is recommended that all host management be handled through vCenter Server, with ESXi shells disabled, ESXi placed in
normal lockdown mode, and the ESXi root password set to a complex password.


Enforce Complex Passwords (CAT II) [18]

1. Click Menu (Hamburger Icon)
2. Click Inventory


Enforce Complex Passwords [19]

To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex
passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques.
Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set
than they may otherwise use.

1. Expand vcsa-01a.vcf.sddc.lab -> RegionA01 -> RegionA01-COMP01
2. Click esx-01a.vcf.sddc.lab
3. Click Configure
4. Click System > Advanced System Settings
5. Click EDIT...


Check Password Quality Control [20]

1. Click on the Filter icon for Key
2. Type: security
3. Look for Security.PasswordQualityControl

If Security.PasswordQualityControl is set to a value other than "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15",
this is a finding and the value will need to be edited. The five comma-separated min values are the minimum lengths accepted for
passwords built from one character class, two classes, a passphrase, three classes, and four classes respectively. With the first four
disabled, only passwords that use all four character classes and are at least 15 characters long are accepted; similar=deny rejects a
new password that is too similar to the old one, and retry=3 limits how many times a user is re-prompted for an acceptable password.

4. Click CANCEL

We will not be changing the value for this exercise.
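The same check can be run across every host from PowerCLI, which is how the lab description says the CAT II checks are validated. The script below is an added example; it is not part of the lab manual, the SCG, or the DoD compliance repository, and the function names are my own. The parsing and comparison functions run without any vCenter connection; Invoke-PasswordQualityAudit assumes the VMware.PowerCLI module is installed and that Connect-VIServer has already been run.

```powershell
# Added example, not from the lab manual or the SCG. Assumes VMware.PowerCLI is installed and
# a Connect-VIServer session exists before Invoke-PasswordQualityAudit is called.

# DISA STIG value quoted in the lab: only 4-class passwords of 15+ characters are accepted.
$ExpectedPasswordQualityControl = 'similar=deny retry=3 min=disabled,disabled,disabled,disabled,15'

function ConvertFrom-PasswordQualityControl {
    # Splits a pam_passwdqc-style option string into a hashtable.
    # min=N0,N1,N2,N3,N4 are the minimum lengths for 1-class, 2-class, passphrase,
    # 3-class and 4-class passwords; 'disabled' rejects that kind of password outright.
    param([Parameter(Mandatory)][string]$Value)
    $opts = @{}
    foreach ($token in ($Value.Trim() -split '\s+')) {
        $key, $val = $token -split '=', 2
        if ($key -eq 'min') { $opts[$key] = @($val -split ',') } else { $opts[$key] = $val }
    }
    return $opts
}

function Test-PasswordQualityControl {
    # Compares an actual setting against the expected STIG value and lists every deviation.
    param([Parameter(Mandatory)][string]$Value)
    $opts = ConvertFrom-PasswordQualityControl -Value $Value
    $findings = @()
    if ($opts['similar'] -ne 'deny') { $findings += "similar should be 'deny' (got '$($opts['similar'])')" }
    if ($opts['retry'] -ne '3')      { $findings += "retry should be 3 (got '$($opts['retry'])')" }
    $min = $opts['min']
    if ($null -eq $min -or $min.Count -ne 5) {
        $findings += 'min must have five fields (N0,N1,N2,N3,N4)'
    } else {
        $kinds = '1-class', '2-class', 'passphrase', '3-class'
        for ($i = 0; $i -lt 4; $i++) {
            if ($min[$i] -ne 'disabled') { $findings += "$($kinds[$i]) passwords should be disabled (got $($min[$i]))" }
        }
        $n4 = 0
        if (-not [int]::TryParse($min[4], [ref]$n4) -or $n4 -lt 15) {
            $findings += "4-class passwords must be at least 15 characters (got '$($min[4])')"
        }
    }
    [pscustomobject]@{ Value = $Value; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

function Invoke-PasswordQualityAudit {
    # Reports every host's setting; -Remediate pushes the expected value to non-compliant hosts.
    param([switch]$Remediate)
    foreach ($vmhost in Get-VMHost) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name 'Security.PasswordQualityControl'
        $check = Test-PasswordQualityControl -Value $setting.Value
        if ($Remediate -and -not $check.Compliant) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value $ExpectedPasswordQualityControl -Confirm:$false | Out-Null
        }
        [pscustomobject]@{
            Host      = $vmhost.Name
            Value     = $setting.Value
            Compliant = $check.Compliant
            Findings  = ($check.Findings -join '; ')
        }
    }
}

# Offline check of the ESXi default ('similar=deny retry=3 min=disabled,disabled,disabled,7,7'):
# it fails because 3-class passwords are allowed and 4-class passwords may be only 7 characters.
Test-PasswordQualityControl -Value 'similar=deny retry=3 min=disabled,disabled,disabled,7,7'

# Live audit of the connected vCenter Server (lab vCenter name assumed from the manual):
# Connect-VIServer -Server vcsa-01a.vcf.sddc.lab
# Invoke-PasswordQualityAudit | Format-Table -AutoSize
```

Parsing the string rather than comparing it verbatim matters in practice: a host whose value is "retry=3 similar=deny min=disabled,disabled,disabled,disabled,20" is stricter than the STIG value and should not be reported as a finding by a string comparison, but it also should not be silently overwritten by -Remediate, so review the Findings column before remediating.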


Lockdown Mode (CAT II) [21]

Enabling Lockdown Mode disables direct access to an ESXi host, requiring the host to be managed remotely from vCenter Server. This
is done to ensure the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging
on to a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated
privileges or performing tasks that are not properly audited is greatly reduced.

1. Click esx-01a.vcf.sddc.lab
2. Click Configure
3. Click System > Security Profile (you might need to scroll down to see it)

Notice Lockdown Mode is set to Disabled. This is the finding.

4. Click EDIT...


esx-01a.vcf.sddc.lab - Lockdown Mode [22]

1. Set Lockdown Mode to either Normal or Strict
2. Click CANCEL

We will not be changing the settings in this lab. Normal lockdown mode leaves the Direct Console User Interface (DCUI) available to
exception users; Strict mode also stops the DCUI service, so confirm you have out-of-band access to the host before selecting it.
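The Centralized Authentication section above bundles three host-level controls: lockdown mode, disabled ESXi shells, and tightly managed local access. The following PowerCLI function is an added example (not from the lab manual or the SCG; function name is my own) that audits all three for every host and, with -Enable, switches non-compliant hosts into the requested lockdown mode. It assumes VMware.PowerCLI is installed and a Connect-VIServer session exists.

```powershell
# Added example, not from the lab manual. Assumes VMware.PowerCLI and an existing Connect-VIServer session.
# Audits each ESXi host for lockdown mode, the ESXi Shell and SSH services, and the lockdown exception users.
function Get-LockdownAudit {
    param(
        # Mode to apply with -Enable. Strict also stops the DCUI, so keep out-of-band access available.
        [ValidateSet('lockdownNormal', 'lockdownStrict')][string]$DesiredMode = 'lockdownNormal',
        [switch]$Enable
    )
    foreach ($vmhost in Get-VMHost) {
        $mode = [string]$vmhost.ExtensionData.Config.LockdownMode
        $accessMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
        $exceptions = @($accessMgr.QueryLockdownExceptions())
        $shells = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -in 'TSM', 'TSM-SSH' }

        $findings = @()
        if ($mode -eq 'lockdownDisabled') { $findings += 'lockdown mode disabled' }
        foreach ($svc in $shells) {
            # TSM is the ESXi Shell, TSM-SSH is the SSH daemon: neither should run or start automatically.
            if ($svc.Running)          { $findings += "$($svc.Key) is running" }
            if ($svc.Policy -ne 'off') { $findings += "$($svc.Key) start policy is '$($svc.Policy)'" }
        }
        # Exception users bypass lockdown; every entry needs a documented justification.
        if ($exceptions.Count -gt 0) { $findings += "lockdown exception users: $($exceptions -join ', ')" }

        if ($Enable -and $mode -eq 'lockdownDisabled') {
            $accessMgr.ChangeLockdownMode($DesiredMode)
            $mode = $DesiredMode
        }
        [pscustomobject]@{
            Host         = $vmhost.Name
            LockdownMode = $mode
            Findings     = ($findings -join '; ')
        }
    }
}

# Connect-VIServer -Server vcsa-01a.vcf.sddc.lab              # lab vCenter name assumed from the manual
# Get-LockdownAudit | Format-Table -AutoSize                  # report only
# Get-LockdownAudit -Enable -DesiredMode lockdownNormal       # report and enable Normal lockdown
```

Run the report-only form first: a host whose exception list contains a service account that backup or monitoring tooling depends on will keep working after lockdown is enabled, but an account that is missing from that list will lose direct host access the moment the mode changes.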


Enable vSphere DRS [23]

Enable vSphere Distributed Resource Scheduler (DRS) in Fully Automated mode.

vSphere DRS uses vMotion to move workloads between physical hosts in order to ensure performance and availability. Fully Automated
mode ensures that vSphere Lifecycle Manager can work with DRS to enable patching and update operations.

If specific VM-to-host mappings are needed use DRS rules, and where possible use "should" rules instead of "must" so that the rule can
be temporarily suspended during patching and high availability recovery.

1. Click RegionA01-COMP01
2. Click Configure
3. Click Services > vSphere DRS

Notice vSphere DRS is Turned OFF. This is a finding.

4. Click EDIT...


Edit Cluster Settings [24]

1. Toggle vSphere DRS to on (green)
2. Click CANCEL

We won't be enabling it in this lab, but you can. It might take a couple of minutes to turn on and configure.

Enable vSphere High Availability (HA) [25]

vSphere HA restarts workloads on other cluster hosts if an ESXi host fails suddenly. Ensure that the settings for HA are configured
correctly for your environment.


1. Click RegionA01-COMP01
2. Click Configure
3. Click Services > vSphere Availability

Notice vSphere HA is Turned OFF. This is the finding.

4. Click EDIT...


Edit Cluster Settings [26]

1. Toggle vSphere HA to on (green)
2. Click CANCEL

We won't be enabling it in this lab, but you can. It might take a couple of minutes to turn on and configure.


Enable Enhanced vMotion Compatibility (EVC) [27]

vSphere Enhanced vMotion Compatibility (EVC) ensures that workloads can be live migrated, using vMotion, between ESXi hosts in a
cluster that are running different CPU generations. EVC also assists in situations with CPU vulnerabilities, where new microcode
instructions may be introduced to CPUs which makes them temporarily incompatible with one another.

1. Click RegionA01-COMP01
2. Click Configure
3. Click Configuration > VMware EVC

VMware EVC is Disabled. This is the finding.

4. Click EDIT...


Change EVC Mode [28]

1. Click the radio button for Enable EVC for Intel Hosts
2. Click CANCEL

We will not be enabling EVC for this lab.
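The three cluster findings walked through above (DRS in Fully Automated mode, HA, and EVC), plus the advice to prefer "should" over "must" VM-to-host rules, can be audited together. The script below is an added example, not code from the lab manual or the SCG; function names are my own. It assumes VMware.PowerCLI and an existing Connect-VIServer session, and Get-CommonEvcMode assumes each host exposes its supported EVC modes through the vSphere API's HostCapability.SupportedEVCMode list.

```powershell
# Added example, not from the lab manual. Assumes VMware.PowerCLI and an existing Connect-VIServer session.
# Audits DRS, HA, EVC and "must" DRS rules for every cluster; -Fix enables DRS (Fully Automated), HA, and
# the most capable EVC mode shared by all hosts in the cluster.
function Get-CommonEvcMode {
    # Returns the key of the highest EVC mode supported by every host, or $null if none is shared.
    # Assumption: HostCapability.SupportedEVCMode (vSphere API) is populated for these hosts.
    param([Parameter(Mandatory)]$Cluster)
    $hosts = @(Get-VMHost -Location $Cluster)
    if ($hosts.Count -eq 0) { return $null }
    $common = $null
    foreach ($vmhost in $hosts) {
        $modes = @($vmhost.ExtensionData.Capability.SupportedEVCMode)
        $common = if ($null -eq $common) { $modes } else {
            $keys = $modes | ForEach-Object { $_.Key }
            $common | Where-Object { $keys -contains $_.Key }
        }
    }
    # Mixed-vendor clusters intersect to nothing, which correctly yields $null.
    ($common | Sort-Object VendorTier -Descending | Select-Object -First 1).Key
}

function Get-ClusterAvailabilityAudit {
    param([switch]$Fix)
    foreach ($cluster in Get-Cluster) {
        $findings = @()
        if (-not $cluster.DrsEnabled) { $findings += 'DRS off' }
        elseif ($cluster.DrsAutomationLevel -ne 'FullyAutomated') { $findings += "DRS level is $($cluster.DrsAutomationLevel)" }
        if (-not $cluster.HAEnabled) { $findings += 'HA off' }
        if (-not $cluster.EVCMode)   { $findings += 'EVC disabled' }
        # "Must" VM-to-host rules block vMotion during patching and HA recovery; prefer "Should" rules.
        $mustRules = Get-DrsVMHostRule -Cluster $cluster | Where-Object { $_.Type -like 'Must*' }
        foreach ($rule in $mustRules) { $findings += "mandatory rule '$($rule.Name)' ($($rule.Type))" }

        if ($Fix -and $findings) {
            $params = @{ Cluster = $cluster; Confirm = $false }
            if (-not $cluster.DrsEnabled -or $cluster.DrsAutomationLevel -ne 'FullyAutomated') {
                $params.DrsEnabled = $true
                $params.DrsAutomationLevel = 'FullyAutomated'
            }
            if (-not $cluster.HAEnabled) { $params.HAEnabled = $true }
            if (-not $cluster.EVCMode) {
                # Enabling EVC fails while a powered-on VM uses CPU features above the chosen mode,
                # so Set-Cluster will throw in that case rather than silently downgrade the VM.
                $evc = Get-CommonEvcMode -Cluster $cluster
                if ($evc) { $params.EVCMode = $evc }
            }
            if ($params.Count -gt 2) {
                Set-Cluster @params | Out-Null
                $cluster = Get-Cluster -Id $cluster.Id     # re-read so the report shows the new state
            }
        }
        [pscustomobject]@{
            Cluster  = $cluster.Name
            DRS      = if ($cluster.DrsEnabled) { [string]$cluster.DrsAutomationLevel } else { 'off' }
            HA       = $cluster.HAEnabled
            EVC      = if ($cluster.EVCMode) { $cluster.EVCMode } else { 'disabled' }
            Findings = ($findings -join '; ')
        }
    }
}

# Connect-VIServer -Server vcsa-01a.vcf.sddc.lab     # lab vCenter name assumed from the manual
# Get-ClusterAvailabilityAudit | Format-Table -AutoSize
# Get-ClusterAvailabilityAudit -Fix
```

The "must" rules are reported but never rewritten by -Fix: converting them to "should" rules changes placement guarantees that may exist for licensing or data-locality reasons, which is a design decision rather than a configuration fix.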


Hardware Physical Security [29]

Ensure that ESXi host systems and related storage & networking components are protected from tampering, unauthorized access, and
unauthorized removal, as well as damage from environmental factors like flooding, extreme temperatures (low or high), and dust &
debris.

Use of security features like vSphere Native Key Provider and ESXi Key Persistence may cause security material to be stored locally on
ESXi hosts, enabling attackers to boot and unlock otherwise-protected clusters. Consideration of physical security and appropriate
threats, like theft, are important.

Beyond theft, being security-minded also means asking yourself and your organization "what could go wrong?" as well as "how would I
know that something went wrong?" especially in unstaffed data center locations and co-location facilities.

Examine your data center and rack configurations. Do the doors to the data center automatically close and lock properly on their own?
If they were left ajar, would there be a proactive alert? If your rack doors lock, is it still possible for someone to reach into the rack from
the side or top and disconnect a cable? Or perhaps connect a cable of their own to a network switch? Is it possible for someone to
remove a device, like a storage device or even an entire server? What would they get if they do?

Could someone glean information about your environment or your business from information displays on the servers, such as LCD
panels or consoles? If those information displays are inactive, could they be triggered with the use of a stiff metal wire from outside the
rack? Are there other buttons, like the power button, that could be pushed to create a service disruption for your company?

Are there other physical threats, such as the possibility of flooding, freezing, high heat, or dust & debris from the environment that
would impact availability?

Naming [30]

Ensure that objects in vSphere are named descriptively, changing default names of objects to ensure accuracy and reduce confusion.

Use good naming practices for vSphere objects, change default names like "Datacenter", "vsanDatastore", "DVSwitch", and "VM
Network" to include additional information. This helps improve accuracy and reduce errors when developing, implementing, and
auditing security policies and operational processes.

Port groups using 802.1q VLAN tagging could include the VLAN number. Datacenters and cluster names could reflect locations and
purposes. Datastore and virtual distributed switch names could reflect the datacenter and cluster names to which they are attached.
Key Provider names are particularly important, especially when protecting encrypted VMs with replication to alternate sites. Work to
avoid potential "name collisions" with objects present in other data centers and clusters.

Some organizations do not name systems with physical location identifiers such as street addresses, preferring to obscure the physical
location of data centers through the use of terms like "Site A," "Site B," and so on. This also helps if sites are relocated, preventing the
need to rename everything or endure inaccurate information.

When deciding on a naming schema, keep in mind that many objects can have similar properties. For example, two port groups could
both have the same VLAN assigned, but have different traffic filtering and marking rules. Incorporating a project name or short
description in the name may be helpful for disambiguating objects of this type.

Lastly, consider automation when developing a naming schema. Names that can be derived programmatically are often helpful when
scripting and automating tasks.


Network Isolation Management [31]

Ensure IT infrastructure management interfaces are isolated on their own network segment or as part of an isolated management
network.

Ensure that all management interfaces configured for virtualization components are on a network segment (VLAN, etc.) dedicated only
to virtualization management, free of workloads and unrelated systems, and controlled with perimeter security controls such that only
authorized vSphere Administrators can access those interfaces from authorized workstations.

Some system designs put vCenter Server and other management tools on their own network segments, isolated from ESXi, thinking
that it offers them better monitoring of those systems. Others put vCenter Server in with ESXi management as well because of the
relationship between the two products and the possibility of firewall configuration errors or outages disrupting service. Whichever you
choose, do so thoughtfully.

Network Isolation vMotion [32]

Ensure vMotion uses data-in-transit encryption (set to "Required" for VMs) or that VMkernel network interfaces used for vMotion are
isolated on their own network segments which have other perimeter controls.

vMotion and Storage vMotion copy virtual machine memory and storage data, respectively, across the network. Ensuring that the data
is encrypted in transit ensures confidentiality. Isolation to a dedicated network segment with appropriate perimeter controls can add
defense-in-depth and also allow for network traffic management.

Like all other forms of encryption, vMotion encryption does introduce performance loss, but that performance change is on the
background vMotion process and does not impact the operation of the virtual machine.
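The "Required" setting above is a per-VM property, so the audit has to enumerate VMs rather than hosts. The function below is an added example (not from the lab manual or the SCG; the function name is my own) that lists every VM in a cluster whose vMotion encryption is not "required" and, with -Apply, reconfigures it through the vSphere API. It assumes VMware.PowerCLI and an existing Connect-VIServer session.

```powershell
# Added example, not from the lab manual. Assumes VMware.PowerCLI and an existing Connect-VIServer session.
# Reports VMs whose vMotion encryption is not 'required'; -Apply reconfigures them.
# Valid values are disabled, opportunistic (the default) and required; encrypted VMs are always 'required'.
function Set-VMotionEncryptionRequired {
    param(
        [Parameter(Mandatory)][string]$ClusterName,
        [switch]$Apply
    )
    foreach ($vm in Get-Cluster -Name $ClusterName | Get-VM) {
        $current = $vm.ExtensionData.Config.MigrateEncryption
        if ($current -eq 'required') { continue }
        if ($Apply) {
            # VirtualMachineConfigSpec.MigrateEncryption is the API field behind the
            # "Encrypted vMotion" drop-down in the VM's Edit Settings dialog.
            $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
            $spec.MigrateEncryption = 'required'
            $vm.ExtensionData.ReconfigVM($spec)
        }
        [pscustomobject]@{
            VM         = $vm.Name
            PowerState = $vm.PowerState
            Before     = $current
            After      = if ($Apply) { 'required' } else { $current }
        }
    }
}

# Connect-VIServer -Server vcsa-01a.vcf.sddc.lab                           # lab names assumed from the manual
# Set-VMotionEncryptionRequired -ClusterName RegionA01-COMP01              # report only
# Set-VMotionEncryptionRequired -ClusterName RegionA01-COMP01 -Apply       # enforce
```

With "required" set, a migration to a destination that cannot negotiate encrypted vMotion fails instead of falling back to cleartext, which is the behaviour you want but also something to test against every host the VM might land on, including DRS and HA targets, before applying it fleet-wide.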

Network Isolation vSAN [33]

Ensure vSAN uses data-in-transit encryption or that VMkernel network interfaces used for vSAN are isolated on their own network
segments which have perimeter controls.

vSAN features data-in-transit encryption which can help maintain confidentiality as vSAN nodes communicate. As with many security
controls, there is a trade-off with performance, so care should be taken to monitor storage latency and performance as data-in-transit
encryption is enabled. Organizations that do not or can not enable vSAN data-in-transit encryption should isolate the network traffic to
a dedicated network segment with appropriate perimeter controls.


Network I/O Control [34]

Ensure resilience to network denial-of-service by enabling Network I/O Control (NIOC).

VMware vSphere Network I/O Control (NIOC) is a traffic management technology that offers quality of service at the hypervisor level,
enhancing network performance by prioritizing resources in multi-tenant cloud and shared workload environments. Incorporated into
the vSphere distributed switch (vDS), NIOC partitions network adapter bandwidth into "network resource pools" that correspond to
different traffic types, such as vMotion and management traffic, allowing users to allocate shares, limits, and reservations to these pools.

NIOC preserves network availability for essential services and prevents congestion by limiting less critical traffic. This is achieved by
enabling the creation of network control policies per business requirements, ensuring traffic type isolation, and allowing dynamic
resource reallocation based on priority and usage.

Network Reserved VLAN [35]

Ensure that physical switch uplinks from ESXi hosts are not configured with vendor-reserved virtual local area networks (VLANS).

The vSphere management network provides access to the vSphere management interface on each component. Services running on the
management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely
would begin with gaining entry to this network. The Management VMkernel port group can be on a standard or distributed virtual
switch, but it must be on a dedicated VLAN. The Management VLAN must not be shared by any other function and must not be
accessible to anything other than management-related functions such as vCenter.


1. Click esx-02a.vcf.sddc.lab
2. Click Configure
3. Click Networking > VMkernel adapters
4. Click the ellipsis (three dots) for the adapter on ESXi-RegionA01-VDS-COMP whose Enabled Services column shows Management
5. Click Edit...

vmk0 - Edit Settings [36]

Review each VMkernel adapter that is used for management traffic and view its "Enabled services". Review the VLAN associated with
each VMkernel adapter used for management traffic. Verify with the system administrator that these are dedicated to that purpose and
are logically separated from other functions. If any service other than Management is enabled on a Management VMkernel adapter,
this is a finding.

1. Click CANCEL


Network Untagged Traffic [37]

Ensure that physical switch uplinks from ESXi hosts are configured as "access ports" assigned to a single VLAN, or as tagged 802.1q
VLAN trunks with no native VLAN. Ensure that vSphere port groups do not allow access to VLAN 1 or untagged native VLANs.

Network connections that have a "native" VLAN configured to accept untagged traffic, or have access to VLAN 1, may offer
opportunities for attackers to craft specialized packets that defeat network security controls. VLAN 1 is the default often used for
network management and communications and should be isolated from workloads. Ensure that port groups are not configured for
access to native VLANs, VLAN trunk ports are configured with specific definitions of VLANs (not "all"), and that port groups are
configured appropriately so that attackers cannot use a virtualized environment to circumvent network security controls.
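The management VMkernel check from the previous section and the untagged/VLAN 1 check above look at the same objects, so one script can cover both. The following is an added example (not from the lab manual or the SCG; function names are my own) that normalises standard and distributed port groups to a VLAN type plus the set of VLAN IDs they can reach, flags VLAN 0 (untagged), VLAN 1 and all-VLAN trunks, and then reports every management VMkernel adapter that carries other services or sits on a flagged port group. It assumes VMware.PowerCLI and an existing Connect-VIServer session.

```powershell
# Added example, not from the lab manual. Assumes VMware.PowerCLI and an existing Connect-VIServer session.
function Get-PortGroupVlan {
    # Normalises a standard or distributed port group to { Type; Ids } where Ids are all reachable VLAN IDs.
    param([Parameter(Mandatory)]$PortGroup)
    if ($PortGroup.ExtensionData -is [VMware.Vim.DistributedVirtualPortgroup]) {
        $vlan = $PortGroup.ExtensionData.Config.DefaultPortConfig.Vlan
        if ($vlan -is [VMware.Vim.VmwareDistributedVirtualSwitchTrunkVlanSpec]) {
            $ids = @($vlan.VlanId | ForEach-Object { ($_.Start)..($_.End) })
            return [pscustomobject]@{ Type = 'Trunk'; Ids = $ids }
        }
        if ($vlan -is [VMware.Vim.VmwareDistributedVirtualSwitchPvlanSpec]) {
            return [pscustomobject]@{ Type = 'PVLAN'; Ids = @([int]$vlan.PvlanId) }
        }
        # VmwareDistributedVirtualSwitchVlanIdSpec: VlanId 0 means no tagging (untagged/native traffic)
        return [pscustomobject]@{ Type = 'VLAN'; Ids = @([int]$vlan.VlanId) }
    }
    # Standard vSwitch port group: 0 = untagged, 1-4094 = tagged, 4095 = all VLANs passed to the guest (VGT)
    $id = [int]$PortGroup.VLanId
    if ($id -eq 4095) { return [pscustomobject]@{ Type = 'Trunk'; Ids = @(0..4094) } }
    return [pscustomobject]@{ Type = 'VLAN'; Ids = @($id) }
}

function Test-PortGroupVlan {
    param([Parameter(Mandatory)]$PortGroup)
    $v = Get-PortGroupVlan -PortGroup $PortGroup
    $findings = @()
    if ($v.Ids -contains 0) { $findings += 'accepts untagged/native VLAN traffic (VLAN 0)' }
    if ($v.Ids -contains 1) { $findings += 'reaches VLAN 1' }
    if ($v.Type -eq 'Trunk' -and $v.Ids.Count -ge 4094) { $findings += 'trunks all VLANs' }
    [pscustomobject]@{ PortGroup = $PortGroup.Name; VlanType = $v.Type; VlanIds = $v.Ids; Findings = $findings }
}

function Get-ManagementNetworkAudit {
    foreach ($vmhost in Get-VMHost) {
        foreach ($vmk in Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel) {
            if (-not $vmk.ManagementTrafficEnabled) { continue }
            $findings = @()
            # A management VMkernel adapter should carry management traffic only.
            $extra = @()
            if ($vmk.VMotionEnabled)               { $extra += 'vMotion' }
            if ($vmk.VsanTrafficEnabled)           { $extra += 'vSAN' }
            if ($vmk.FaultToleranceLoggingEnabled) { $extra += 'FT logging' }
            if ($extra) { $findings += "also enabled for: $($extra -join ', ')" }
            $pg = Get-VirtualPortGroup -VMHost $vmhost -Name $vmk.PortGroupName
            $pgCheck = Test-PortGroupVlan -PortGroup $pg
            $findings += $pgCheck.Findings
            [pscustomobject]@{
                Host      = $vmhost.Name
                Adapter   = $vmk.Name
                PortGroup = $vmk.PortGroupName
                VlanIds   = ($pgCheck.VlanIds -join ',')
                Findings  = ($findings -join '; ')
            }
        }
    }
}

# Connect-VIServer -Server vcsa-01a.vcf.sddc.lab     # lab vCenter name assumed from the manual
# Get-ManagementNetworkAudit | Format-Table -AutoSize
# Get-VirtualPortGroup | ForEach-Object { Test-PortGroupVlan -PortGroup $_ } | Where-Object Findings | Format-Table
```

A VLAN 0 finding is acceptable when the physical uplink is an access port that places all untagged frames into a single dedicated VLAN, which is the first of the two uplink configurations the guidance allows; the script cannot see the physical switch, so that confirmation has to come from the network team.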

Storage Fabric Isolation [38]

Ensure storage fabric connections use data-in-transit encryption or are isolated on their own network segments or SANs which have
perimeter controls.

Protecting storage data while in transit helps ensure the confidentiality of the data. Encryption is not an option for many storage
technologies, often because of availability or performance concerns. In those cases isolation to a dedicated network segment with
appropriate perimeter controls can be an effective compensating control and add defense-in-depth.

Storage LUN Masking [39]

Ensure storage systems employ LUN masking, zoning, and other storage-side security techniques to ensure that storage allocations are
only visible to the vSphere cluster in which it is to be used.

LUN masking on the storage controller and SAN zoning help ensure that storage traffic is not visible to unauthorized hosts and that
unauthorized hosts cannot mount the datastores, bypassing other security controls.

VCSA Firewall [40]

Consider the use of VCSA appliance firewall to limit connections to authorized systems and administrators.

The vCenter Server Appliance (VCSA) contains a basic firewall that can be used to limit the incoming connections to vCenter Server.
This can be an effective layer of defense-in-depth in conjunction with perimeter security controls.

As always, before adding rules to block connections, ensure that rules are in place to allow access from administrative workstations.

Hardware Configuration [41]

The vSphere Security Configuration Guide does not map directly to regulatory guidelines or frameworks, and so is not a compliance
guide. Also, the vSphere Security Configuration Guide is not intended for use as a security checklist. Security is always a trade-off.
When you implement security controls, you might affect usability, performance, or other operational tasks negatively. Consider your
workloads, usage patterns, organizational structure, and so on carefully before making security changes, whether the advice is from
VMware or from other industry sources.

The full list of hardware configuration guidelines is available on the core.vmware.com website.

Hardware TPM (Cat II) [42]

Ensure that a Trusted Platform Module (TPM) 2.0 is installed and enabled on the host.

ESXi can use TPM 2.0 to enable advanced security features that prevent malware, remove dependencies, and secure hardware lifecycle
operations. We strongly recommend all servers be configured with a TPM 2.0 chip and that TPM be enabled in the system firmware.

Launch Terminal [43]

1. Click Terminal on the Task Bar

Login to ESX-01A [44]

1. Type ssh root@esx-01a.vcf.sddc.lab and hit Enter

2. Type yes to accept the host's fingerprint and hit Enter

You will now be logged into the ESXi host as root.

TPM-based configuration encryption [45]

Configuration encryption uses the physical TPM when it is available and supported at install or upgrade time. If the TPM was added or
enabled later, the ESXi host must be told to reconfigure to use the newly available TPM. Once the TPM configuration encryption is
enabled, it cannot be disabled.

1. Run the following command and hit Enter:

esxcli system settings encryption get

Expected result: Mode: TPM

If the "Mode" is not set to "TPM", this is a finding. You will need to set --mode=TPM.

For more information on how to enable TPM, take the VMware vSphere - Security - Getting Started lab (module 3).

Secure Boot is Enabled (CAT - II) [46]

Enabling Unified Extensible Firmware Interface (UEFI) Secure Boot on the ESXi host's hardware helps prevent malware and untrusted
configurations.

Secure Boot is part of the UEFI firmware standard. With UEFI Secure Boot enabled, a host refuses to load any UEFI driver or app unless
the operating system bootloader has a valid digital signature. Secure Boot for ESXi requires support from the firmware and requires
that all ESXi kernel modules, drivers, and vSphere Installation Bundles (VIBs) be signed by VMware or a partner subordinate. Secure
Boot is enabled in the BIOS of the ESXi physical server and supported by the hypervisor boot loader. There is no ESXi control to "turn
on" Secure Boot. Requiring Secure Boot (failing to boot without it present) is accomplished in another control.

You should still have your active Terminal session for esx-01a.vcf.sddc.lab. If you do not, open a terminal session to the ESXi host
as in the previous steps.

1. Run this command and hit Enter:

/usr/lib/vmware/secureboot/bin/secureBoot.py -s

If Secure Boot is not "Enabled", this is a finding. However, our host is Enabled so we can move on.

Enabling this after installation may render the host unbootable. Refer to the vSphere documentation for more information about
enabling Secure Boot.
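The two shell checks in this section (configuration encryption mode and Secure Boot state) can be collected for every host from an administrative workstation. The PowerCLI script below is an added example written for this manual, not VMware's code and not part of the lab; it assumes an existing Connect-VIServer session and uses the esxcli namespaces shown above through Get-EsxCli.

```powershell
# Added example (not part of the lab): PowerCLI view of TPM presence, configuration
# encryption mode and UEFI Secure Boot state for every host.
# Assumes an existing Connect-VIServer session.

function Get-HostBootIntegrityStatus {
    param([Parameter(Mandatory)] $VMHost)
    $esxcli = Get-EsxCli -VMHost $VMHost -V2
    # Same data as "esxcli system settings encryption get" and "esxcli hardware trustedboot get".
    $enc = $esxcli.system.settings.encryption.get.Invoke()
    $tb  = $esxcli.hardware.trustedboot.get.Invoke()
    # Secure Boot is a firmware setting; the host only reports whether it booted with it.
    $secureBoot = [bool]$VMHost.ExtensionData.Capability.UefiSecureBoot

    $findings = @()
    if (-not $tb.TpmPresent) { $findings += 'No TPM detected by ESXi' }
    if ($enc.Mode -ne 'TPM') { $findings += "Configuration encryption mode is '$($enc.Mode)'; expected 'TPM'" }
    if (-not $secureBoot)    { $findings += 'UEFI Secure Boot is not enabled' }

    [pscustomobject]@{
        Host              = $VMHost.Name
        TpmPresent        = $tb.TpmPresent
        EncryptionMode    = $enc.Mode
        SecureBootEnabled = $secureBoot
        RequireSecureBoot = $enc.RequireSecureBoot   # enforced by a separate control, reported for context
        Findings          = ($findings -join '; ')
    }
}

# Usage: one row per host; an empty Findings column means both checks pass.
Get-VMHost | ForEach-Object { Get-HostBootIntegrityStatus -VMHost $_ } | Format-Table -AutoSize
```

The script is read-only on purpose. Changing the encryption mode is the one-way operation described above (esxcli system settings encryption set --mode=TPM) and takes effect only after a host reboot, so it belongs in a planned maintenance window rather than in an audit loop.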

Virtual machines (VMs) must remove unneeded USB devices (CAT II) [47]

Security is always a tradeoff, and ease of recovery from an outage or incident should always be part of the equation when considering a
security control like this. In this case, disablement of external ports will affect the ability to use the ESXi console in case of emergency.

Some servers have the ability to dynamically disable and enable certain USB ports for management. Ensure that whatever you choose
meets your organization's needs, and that you have tested these methods before an incident.

Unused ports, especially USB, can be used by attackers to attach storage, networking, and keyboards. Take reasonable steps to control
access to these ports through disablement, access control, and/or with other means such as solid rack doors, rack side panels, and
flooring that makes the ports inaccessible from outside the rack when the rack door is closed. Cables fit easily through many gaps in
and around racks and rack doors, and stiff wires can be used to push them into sockets from outside the rack, as well as to dislodge
cables to create a service disruption.

Where possible, USB ports should also be set to only permit keyboards.

When disabling functionality like this please consider that you may need to access the server using a USB keyboard during an outage or
as part of lifecycle operations, and plan accordingly.

Return to your Firefox window with the connection to vCenter.

1. Right-click the virtual machine core-A

2. Select Edit Settings...

Edit Settings [48]

1. Scroll down to the bottom

2. Expand Other

Notice that under Input Devices you only see Keyboard and Pointing device. If a USB Controller were present, that would be a finding and it
would need to be removed.

3. Click CANCEL
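Checking one VM in the client is fine for a lab; in production the same check is run across the whole inventory. The PowerCLI functions below are an added example written for this manual, not VMware's code and not part of the lab. They assume an existing Connect-VIServer session; Remove-VmUsbController is our own name for a ReconfigVM call that removes a device by key.

```powershell
# Added example (not part of the lab): find VMs that still have a USB controller and,
# where approved, remove it. Assumes an existing Connect-VIServer session.
# Removing a USB controller is a cold operation: the VM must be powered off and any
# USB passthrough devices attached to the controller must be removed first.

function Get-VmUsbControllerFindings {
    param([Parameter(Mandatory)] $VM)
    $VM.ExtensionData.Config.Hardware.Device |
        Where-Object { $_ -is [VMware.Vim.VirtualUSBController] -or $_ -is [VMware.Vim.VirtualUSBXHCIController] } |
        ForEach-Object {
            [pscustomobject]@{ VM = $VM.Name; Device = $_.DeviceInfo.Label; Key = $_.Key
                               PowerState = $VM.PowerState; Finding = 'USB controller present' }
        }
}

function Remove-VmUsbController {
    param([Parameter(Mandatory)] $VM, [Parameter(Mandatory)] [int]$DeviceKey)
    if ($VM.PowerState -ne 'PoweredOff') { throw "$($VM.Name) must be powered off to remove a USB controller" }
    $device = $VM.ExtensionData.Config.Hardware.Device | Where-Object { $_.Key -eq $DeviceKey }
    if (-not $device) { throw "Device key $DeviceKey not found on $($VM.Name)" }
    $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
    $change.Operation = 'remove'
    $change.Device    = $device
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.DeviceChange = @($change)
    $VM.ExtensionData.ReconfigVM($spec)
}

# Usage: list every VM with a USB controller (the lab's core-A should produce no rows).
$usbFindings = Get-VM | ForEach-Object { Get-VmUsbControllerFindings -VM $_ }
$usbFindings | Format-Table -AutoSize

# Remediation for one finding, after change approval and with the VM powered off:
# Remove-VmUsbController -VM (Get-VM -Name 'vm-name') -DeviceKey $usbFindings[0].Key
```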

ESXi CIM Disabled (CAT II) [49]

Ensure that integrated hardware management controllers are fully secured. The ESXi Common Interface Model (CIM) service must be
disabled.

Many servers have integrated hardware management controllers that can be extremely helpful when monitoring and updating
hardware, settings, and firmware. These controllers should be checked to ensure that ALL unused functionality is disabled, ALL unused
access methods are disabled, passwords and password controls are set, and firewall and access control is in place so that the only
access is from authorized access workstations for the virtualization administration team.

All "first boot" configuration options should be disabled, especially ones that reconfigure the system from USB devices that are
inserted. Disable or protect USB ports attached to the management controllers. Where possible, USB ports should be set to only permit
keyboards.

Default passwords for accounts should be changed.

External information displays should be secured to prevent information leakage. Power and information buttons should be secured
against unauthorized use.

Many hardware management controllers provide mechanisms for alerting when hardware faults & configuration changes occur. You
should consider those if you are not using another method for hardware monitoring.

The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard
application programming interfaces (APIs). These APIs are consumed by external applications such as HP SIM or Dell OpenManage for
agentless, remote hardware monitoring of the ESXi host. To reduce attack surface area and following the minimum functionality
principal, the CIM service must be disabled unless explicitly needed and approved.

1. Click esx-02a.vcf.sddc.lab

2. Click Configure

3. Click System > Services

4. Scroll down until you see CIM Server

5. Select CIM Server

Notice that CIM Server is Stopped, but we still need to check whether the Startup Policy is set to "Start and stop manually". If it
is not, this is a finding.

6. Click EDIT STARTUP POLICY...

Edit Startup Policy [50]

1. Select Start and stop manually

2. Click CANCEL

ESXi host must synchronize with clock (CAT II) [51]

Cryptography, audit logging, cluster operations, and incident response/forensics depend deeply on synchronized time. This
recommendation extends to all devices in infrastructure. The recommendation for NTP is to have at least four sources. Do not have two
sources (one source is preferable to two).

To ensure the accuracy of the system clock, it must be synchronized with an authoritative time source. Many system functions, including
time-based logon and activity restrictions, automated reports, system logs, and audit records, depend on an accurate system clock. If
there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of
diminished value.

1. Click esx-02a.vcf.sddc.lab

2. Click Configure

3. Click System > Time Configuration

4. Click REFRESH

Verify the NTP or PTP service is running and configured to start and stop with the host. If the NTP service is not configured with
authoritative time sources or the service is not configured to start and stop with the host ("Policy" of "on" in PowerCLI) or is stopped,
this is a finding. If PTP is used instead of NTP, this is NOT a finding.
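The CIM Server and time service checks above both come down to a service's running state and its startup policy, which is the "Policy" value the text refers to in PowerCLI. The script below is an added example written for this manual, not VMware's code and not part of the lab; it assumes an existing Connect-VIServer session. The service keys (sfcbd-watchdog for CIM Server, ntpd, ptpd) are the ESXi service identifiers returned by Get-VMHostService.

```powershell
# Added example (not part of the lab): PowerCLI check of the CIM Server and time
# synchronization controls across every host. Assumes an existing Connect-VIServer session.
# Startup policy values: 'on' = start and stop with host, 'off' = start and stop manually.

function Get-HostServiceFindings {
    param([Parameter(Mandatory)] $VMHost)
    $services   = Get-VMHostService -VMHost $VMHost
    $cim        = $services | Where-Object { $_.Key -eq 'sfcbd-watchdog' }   # label "CIM Server"
    $ntp        = $services | Where-Object { $_.Key -eq 'ntpd' }
    $ptp        = $services | Where-Object { $_.Key -eq 'ptpd' }
    $ntpServers = @(Get-VMHostNtpServer -VMHost $VMHost)

    $findings = @()
    if ($cim.Running)          { $findings += 'CIM Server is running' }
    if ($cim.Policy -ne 'off') { $findings += "CIM Server startup policy is '$($cim.Policy)'; expected 'off'" }

    # PTP in place of NTP is acceptable; otherwise NTP must run, start with the host, and have sources.
    $ptpOk = $ptp -and $ptp.Running -and $ptp.Policy -eq 'on'
    $ntpOk = $ntp.Running -and $ntp.Policy -eq 'on' -and $ntpServers.Count -gt 0
    if (-not ($ptpOk -or $ntpOk)) {
        $findings += 'No NTP/PTP service running with start-and-stop-with-host policy and configured sources'
    }
    if (-not $ptpOk -and $ntpServers.Count -eq 2) {
        $findings += 'Exactly two NTP sources configured; use one, or preferably four or more'
    }

    [pscustomobject]@{ Host = $VMHost.Name; CimRunning = $cim.Running; CimPolicy = $cim.Policy
                       NtpRunning = $ntp.Running; NtpPolicy = $ntp.Policy; NtpServers = ($ntpServers -join ',')
                       Findings = ($findings -join '; ') }
}

function Set-CimServerManual {
    # Remediation: stop CIM Server and set its startup policy to "Start and stop manually".
    param([Parameter(Mandatory)] $VMHost)
    $cim = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'sfcbd-watchdog' }
    if ($cim.Running) { Stop-VMHostService -HostService $cim -Confirm:$false | Out-Null }
    Set-VMHostService -HostService $cim -Policy Off | Out-Null
}

# Usage: one row per host; an empty Findings column means both controls pass.
Get-VMHost | ForEach-Object { Get-HostServiceFindings -VMHost $_ } | Format-Table -AutoSize
```

Before running Set-CimServerManual in production, confirm that no hardware monitoring tool (the HP SIM or Dell OpenManage style agentless monitoring mentioned in the CIM section) still depends on the service.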

Security Controls [52]

VMware vSphere has evolved over two decades with new features and functionality. The default settings for vSphere components have
also evolved over time as VMware balances change in the ecosystem with the need for security by default. As these changes have
occurred, security guidance and best practices baselines for VMware products have tried to balance three things: security impact,
operational impact, and auditability.

Security impact is straightforward, insofar as any guidance should decrease risk and increase confidentiality, integrity, and/or availability.
Security is always a trade-off, and that is where operational impact applies. Some potential security controls have detrimental effects on
the performance or operation of workloads. For instance, using the now-deprecated svga.vgaOnly control, present in older guidance,
means that modern guest operating systems will not operate correctly (impacting availability). Environments are still free to use
svga.vgaOnly as they see fit, but it is no longer part of our baseline recommendations.

There are over 100 Security Configuration Guideline IDs at https://core.vmware.com/vmware-vsphere-8-security-configuration-guide,
and we are only highlighting a few in this lab.

Welcome Message (CAT II) [53]

Display of a standardized and approved use notification before granting access to the host ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via logon interfaces with human users and are not required when such human
interfaces do not exist. The banner must be formatted in accordance with applicable government policy. Use the following verbiage for
a host that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) VMM (IS) that is provided for
USG-authorized use only.

1. Click esx-02a.vcf.sddc.lab

2. Click Configure

3. Click System > Advanced System Settings

4. Locate Annotations.WelcomeMessage and note that it has no value

If the "Annotations.WelcomeMessage" setting does not contain the standard mandatory government notice and consent banner, this is
a finding. We won't be editing the value for this exercise.

You can see a sample code below on what you can add for the Value.

{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white} {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align}

Account Auto Lock TimeOut (CAT II) [54]

This control ensures that interactive shell sessions on the ESXi host are automatically terminated after a defined period of inactivity. By enforcing an
idle timeout, organizations can maintain a balance between security and usability, ensuring that idle sessions are closed promptly while
minimizing the potential for unauthorized access.

If a user forgets to log out of their local or remote ESXi Shell session, the idle connection will remain open indefinitely and increase the
likelihood of inappropriate host access via session hijacking. The "ESXiShellInteractiveTimeOut" allows the automatic termination of idle
shell sessions.

1. Click esx-02a.vcf.sddc.lab

2. Click Configure

3. Click System > Advanced System Settings

4. Click the Filter icon for Key

5. Type: uservar

6. Locate UserVars.ESXiShellInteractiveTimeOut and note that it has 0 for the value

If the "UserVars.ESXiShellInteractiveTimeOut" setting is set to a value greater than "900" or to "0", this is a finding. You would need to edit
the value to something else, but we won't be doing this here.

Deactivate MOB (CAT II) [55]

The ESXi host must be configured to disable nonessential capabilities by disabling the Managed Object Browser (MOB).

The MOB provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be
changed. This interface is meant to be used primarily for debugging the vSphere Software Development Kit (SDK), but, because there
are no access controls, it could also be used as a method to obtain information about a host being targeted for unauthorized access.

1. Click esx-02a.vcf.sddc.lab

2. Click Configure

3. Click the Filter in the Key column

4. Search for config.hostagent.plug

5. Locate Config.HostAgent.plugins.solo.enableMob

If the "Config.HostAgent.plugins.solo.enableMob" setting is not set to "false", this is a finding.
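The Welcome Message, ESXiShellInteractiveTimeOut and MOB checks are all Advanced System Settings, so one PowerCLI pattern covers all three. The script below is an added example written for this manual, not VMware's code and not part of the lab. It assumes an existing Connect-VIServer session; the approved banner is recognised by the opening words quoted in the Welcome Message section, and the remediation function applies the values the text calls for (a timeout of at most 900 seconds and enableMob set to false).

```powershell
# Added example (not part of the lab): audit and remediate three ESXi Advanced System
# Settings with PowerCLI. Assumes an existing Connect-VIServer session.

# Opening of the approved notice and consent banner (from the Welcome Message section).
$ApprovedBannerPrefix = 'You are accessing a U.S. Government (USG)'

function Get-HostAdvancedSettingFindings {
    param([Parameter(Mandatory)] $VMHost)
    $names  = 'Annotations.WelcomeMessage', 'UserVars.ESXiShellInteractiveTimeOut', 'Config.HostAgent.plugins.solo.enableMob'
    $values = @{}
    foreach ($s in Get-AdvancedSetting -Entity $VMHost -Name $names) { $values[$s.Name] = $s.Value }

    $findings = @()
    if ([string]$values['Annotations.WelcomeMessage'] -notlike "*$ApprovedBannerPrefix*") {
        $findings += 'Annotations.WelcomeMessage does not contain the approved notice and consent banner'
    }
    $timeout = [int]$values['UserVars.ESXiShellInteractiveTimeOut']
    if ($timeout -eq 0 -or $timeout -gt 900) {
        $findings += "UserVars.ESXiShellInteractiveTimeOut is $timeout; must be between 1 and 900 seconds"
    }
    $mob = [string]$values['Config.HostAgent.plugins.solo.enableMob']
    if ($mob -ne 'false') {   # string compare is case-insensitive, so a boolean False also passes
        $findings += "Config.HostAgent.plugins.solo.enableMob is '$mob'; must be 'false'"
    }

    [pscustomobject]@{ Host = $VMHost.Name; BannerSet = [bool]$values['Annotations.WelcomeMessage']
                       ShellTimeout = $timeout; MobEnabled = $mob; Findings = ($findings -join '; ') }
}

function Set-HostAdvancedSettingBaseline {
    # Remediation for the two settings with fixed expected values; the banner text is site-specific.
    param([Parameter(Mandatory)] $VMHost, [int]$ShellTimeoutSeconds = 900)
    Get-AdvancedSetting -Entity $VMHost -Name 'UserVars.ESXiShellInteractiveTimeOut' |
        Set-AdvancedSetting -Value $ShellTimeoutSeconds -Confirm:$false | Out-Null
    Get-AdvancedSetting -Entity $VMHost -Name 'Config.HostAgent.plugins.solo.enableMob' |
        Set-AdvancedSetting -Value $false -Confirm:$false | Out-Null
}

# Usage: one row per host; an empty Findings column means all three settings pass.
Get-VMHost | ForEach-Object { Get-HostAdvancedSettingFindings -VMHost $_ } | Format-Table -AutoSize
```

The banner is left out of the remediation on purpose: its exact wording is set by policy, and the DCUI markup shown in the Welcome Message section should be pasted in as a single approved value rather than generated by a script.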

vMotion Encrypted (CAT II) [56]

Virtual machines must require encryption for vMotion.

Requiring encryption for vMotion in virtual machines guarantees secure data transfer. The default 'opportunistic' encryption likely
results in encryption due to widespread AES-NI support in vSphere-compatible hardware. However, enforcing 'required' encryption
prevents any unencrypted operations.

More information on vSphere vMotion Encryption can be found on our VMware Documentation Site - vSphere vMotion Encryption.
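The per-VM vMotion encryption setting takes one of three values, disabled, opportunistic or required, and the control is met only by the last. The PowerCLI functions below are an added example written for this manual, not VMware's code and not part of the lab; they assume an existing Connect-VIServer session and use the MigrateEncryption property of the VM configuration from the vSphere API.

```powershell
# Added example (not part of the lab): audit vMotion encryption for every VM and enforce
# "required" where approved. Assumes an existing Connect-VIServer session.

function Get-VMotionEncryptionFindings {
    param([Parameter(Mandatory)] $VM)
    # MigrateEncryption is 'disabled', 'opportunistic' (the default) or 'required'.
    $mode = $VM.ExtensionData.Config.MigrateEncryption
    if ($mode -ne 'required') {
        [pscustomobject]@{ VM = $VM.Name; MigrateEncryption = $mode
                           Finding = "vMotion encryption is '$mode'; expected 'required'" }
    }
}

function Set-VMotionEncryptionRequired {
    # Reconfigure the VM so that unencrypted vMotion is refused rather than merely avoided.
    param([Parameter(Mandatory)] $VM)
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.MigrateEncryption = 'required'
    $VM.ExtensionData.ReconfigVM($spec)
}

# Usage: list non-compliant VMs first, then remediate only after reviewing the list.
$vmotionFindings = Get-VM | ForEach-Object { Get-VMotionEncryptionFindings -VM $_ }
$vmotionFindings | Format-Table -AutoSize

# foreach ($f in $vmotionFindings) { Set-VMotionEncryptionRequired -VM (Get-VM -Name $f.VM) }
```

Setting 'required' means a vMotion to a host that cannot negotiate encryption fails instead of falling back to plaintext, so verify that every host in the cluster supports encrypted vMotion before enforcing it fleet-wide.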

Conclusion [57]

The United States Department of Defense (DoD), Security Technical Implementation Guides (STIGs) provide technical, standards-based
hardening guidance.

In this lab, we reviewed DoD STIG controls for different CAT I checks, and walked through a sample of CAT II and CAT III checks.

For further information on the STIGs, refer to the following sites:

• VMware vSphere 8 STIG Readiness Guide

• US Department of Defense Compliance Guidance

Appendix

Hands-on Labs Interface (Ubuntu Main Console) [59]

Welcome to Hands-on Labs! This overview of the interface and features will help you to get started quickly. Click next in the manual to
explore the Main Console or use the Table of Contents to return to the Lab Overview page or another module.

Location of the Main Console [60]

1. The area in the large RED box contains the Main Console. The Lab Manual is on the tab to the right of the Main Console.

2. Your lab starts with a timer. The lab cannot be saved and will end when the timer expires. Click the EXTEND button to
increase the time allowed. The amount of time you can extend will depend on the lab.

Alternate Methods of Keyboard Data Entry [61]

In this lab you will input text into the Main Console. Besides directly typing in the console, two alternate methods make it easier to enter
complex data.

Click and Drag Lab Manual Content Into Console Active Window [62]

https://www.youtube.com/watch?v=xS07n6GzGuo

You can click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the
Main Console.

Accessing the Online International Keyboard [63]

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Human icon (Universal Access) on the top taskbar

2. Enable Screen Keyboard

The Keyboard Is Now Enabled [64]

The keyboard will now be enabled and will autohide and appear when needed; e.g., when you click in a text field or terminal.

Return to Lab Guidance [65]

Use the Table of Contents to return to the Lab Overview page or another module.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 vmware.com.
Copyright © 2024 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or
more patents listed at vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. and its subsidiaries in the United States and other jurisdictions. All other
marks and names mentioned herein may be trademarks of their respective companies. Lab SKU: HOL-2536-01-VCF-L Version: 20241106-074723
