
vSphere Security
Update 2
Modified on 23 DEC 2019
VMware vSphere 6.7
VMware ESXi 6.7
vCenter Server 6.7

    You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

    If you have comments about this documentation, submit your feedback to docfeedback@vmware.com

    VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

    Copyright © 2009-2019 VMware, Inc. All rights reserved. Copyright and trademark information: http://pubs.vmware.com/copyright-trademark.html

    vSphere Security

    VMware, Inc. 2

Contents

    About vSphere Security 10

    Updated Information 13

    1 Security in the vSphere Environment 14

    Securing the ESXi Hypervisor 14

    Securing vCenter Server Systems and Associated Services 16

    Securing Virtual Machines 17

    Securing the Virtual Networking Layer 18

    Passwords in Your vSphere Environment 20

    Security Best Practices and Resources 21

    2 vSphere Permissions and User Management Tasks 23

    Understanding Authorization in vSphere 24

    Hierarchical Inheritance of Permissions 26

    Multiple Permission Settings 28

    Managing Permissions for vCenter Components 30

    Add a Permission to an Inventory Object 31

    Change or Remove Permissions 32

    Change User Validation Settings 32

    Global Permissions 33

    Add a Global Permission 34

    Permissions on Tag Objects 35

    Using Roles to Assign Privileges 36

    Create a Custom Role 37

    vCenter Server System Roles 38

    Best Practices for Roles and Permissions 39

    Required Privileges for Common Tasks 40

    3 Securing ESXi Hosts 44

    General ESXi Security Recommendations 44

    Configure ESXi Hosts with Host Profiles 46

    Use Scripts to Manage Host Configuration Settings 46

    ESXi Passwords and Account Lockout 48

    SSH Security 50

    PCI and PCIe Devices and ESXi 53

    Disable the Managed Object Browser 53

    ESXi Networking Security Recommendations 54


    Modifying ESXi Web Proxy Settings 54

    vSphere Auto Deploy Security Considerations 55

    Control Access for CIM-Based Hardware Monitoring Tools 55

    Certificate Management for ESXi Hosts 57

    Host Upgrades and Certificates 59

    Certificate Mode Switch Workflows 60

    ESXi Certificate Default Settings 62

    View Certificate Expiration Information for Multiple ESXi Hosts 63

    View Certificate Details for a Single ESXi Host 64

    Renew or Refresh ESXi Certificates 65

    Change the Certificate Mode 65

    Replacing ESXi SSL Certificates and Keys 66

    Use Custom Certificates with Auto Deploy 70

    Restore ESXi Certificate and Key Files 72

    Customizing Hosts with the Security Profile 73

    ESXi Firewall Configuration 73

    Customizing ESXi Services from the Security Profile 81

    Enable or Disable a Service 82

    Lockdown Mode 83

    Manage the Acceptance Levels of Hosts and VIBs 89

    Assigning Privileges for ESXi Hosts 90

    Using Active Directory to Manage ESXi Users 92

    Configure a Host to Use Active Directory 93

    Add a Host to a Directory Service Domain 94

    View Directory Service Settings 95

    Using vSphere Authentication Proxy 95

    Enable vSphere Authentication Proxy 96

    Add a Domain to vSphere Authentication Proxy with the vSphere Web Client 97

    Add a Domain to vSphere Authentication Proxy with the camconfig Command 98

    Use vSphere Authentication Proxy to Add a Host to a Domain 99

    Enable Client Authentication for vSphere Authentication Proxy 99

    Import the vSphere Authentication Proxy Certificate to ESXi Host 100

    Generate a New Certificate for vSphere Authentication Proxy 101

    Set Up vSphere Authentication Proxy to Use Custom Certificates 102

    Configuring Smart Card Authentication for ESXi 104

    Enable Smart Card Authentication 105

    Disable Smart Card Authentication 105

    Authenticating With User Name and Password in Case of Connectivity Problems 106

    Using Smart Card Authentication in Lockdown Mode 106

    Using the ESXi Shell 106

    Enable Access to the ESXi Shell 107


    Use the Direct Console User Interface (DCUI) to Enable Access to the ESXi Shell 109

    Log in to the ESXi Shell for Troubleshooting 110

    UEFI Secure Boot for ESXi Hosts 111

    Run the Secure Boot Validation Script on an Upgraded ESXi Host 112

    Securing ESXi Hosts with Trusted Platform Module 113

    View ESXi Host Attestation Status 114

    Troubleshoot ESXi Host Attestation Problems 115

    ESXi Log Files 115

    Configure Syslog on ESXi Hosts 116

    ESXi Log File Locations 117

    Securing Fault Tolerance Logging Traffic 117

    4 Securing vCenter Server Systems 118

    vCenter Server Security Best Practices 118

    Best Practices for vCenter Server Access Control 118

    Protecting the vCenter Server Windows Host 121

    Limiting vCenter Server Network Connectivity 121

    vCenter Server Appliance Security Best Practices 123

    vCenter Password Requirements and Lockout Behavior 123

    Verify Thumbprints for Legacy ESXi Hosts 124

    Required Ports for vCenter Server and Platform Services Controller 125

    Additional vCenter Server TCP and UDP Ports 130

    5 Securing Virtual Machines 133

    Enable or Disable UEFI Secure Boot for a Virtual Machine 133

    Limit Informational Messages from Virtual Machines to VMX Files 135

    Prevent Virtual Disk Shrinking 135

    Virtual Machine Security Best Practices 136

    General Virtual Machine Protection 137

    Use Templates to Deploy Virtual Machines 137

    Minimize Use of the Virtual Machine Console 138

    Prevent Virtual Machines from Taking Over Resources 138

    Disable Unnecessary Functions Inside Virtual Machines 139

    6 Virtual Machine Encryption 146

    How vSphere Virtual Machine Encryption Protects Your Environment 147

    vSphere Virtual Machine Encryption Components 149

    Encryption Process Flow 150

    Virtual Disk Encryption 152

    Prerequisites and Required Privileges for Encryption Tasks 153

    Encrypted vSphere vMotion 154


    Encryption Best Practices, Caveats, and Interoperability 155

    Virtual Machine Encryption Best Practices 155

    Virtual Machine Encryption Caveats 158

    Virtual Machine Encryption Interoperability 159

    7 Use Encryption in Your vSphere Environment 161

    Set up the Key Management Server Cluster 161

    Add a KMS to vCenter Server in the vSphere Client 161

    Add a KMS to vCenter Server in the vSphere Web Client 163

    Establish a Trusted Connection by Exchanging Certificates 164

    Set the Default KMS Cluster 167

    Complete the Trust Setup 167

    Set up Separate KMS Clusters for Different Users 168

    Create an Encryption Storage Policy 169

    Enable Host Encryption Mode Explicitly 170

    Disable Host Encryption Mode 170

    Create an Encrypted Virtual Machine 171

    Clone an Encrypted Virtual Machine 172

    Encrypt an Existing Virtual Machine or Virtual Disk 173

    Decrypt an Encrypted Virtual Machine or Virtual Disk 174

    Change the Encryption Policy for Virtual Disks 176

    Resolve Missing Key Issues 177

    Unlock Locked Virtual Machines 179

    Resolve ESXi Host Encryption Mode Issues 179

    Re-Enable ESXi Host Encryption Mode 180

    Set Key Management Server Certificate Expiration Threshold 181

    vSphere Virtual Machine Encryption and Core Dumps 181

    Collect a vm-support Package for an ESXi Host That Uses Encryption 182

    Decrypt or Re-Encrypt an Encrypted Core Dump 184

    8 Securing Virtual Machines with Virtual Trusted Platform Module 186

    Add a Virtual Trusted Platform Module to a Virtual Machine 188

    Enable Virtual Trusted Platform Module for an Existing Virtual Machine 189

    Remove Virtual Trusted Platform Module from a Virtual Machine 189

    Identify Virtual Trusted Platform Enabled Virtual Machines 190

    View vTPM Module Device Certificates 190

    Export and Replace vTPM Module Device Certificates 191

    9 Securing Windows Guest Operating Systems with Virtualization-based Security 193

    Virtualization-based Security Best Practices 194

    Enable Virtualization-based Security on a Virtual Machine 195


    Enable Virtualization-based Security on an Existing Virtual Machine 196

    Enable Virtualization-based Security on the Guest Operating System 196

    Disable Virtualization-based Security 197

    Identify VBS-Enabled Virtual Machines 198

    10 Securing vSphere Networking 199

    Introduction to vSphere Network Security 199

    Securing the Network With Firewalls 201

    Firewalls for Configurations With vCenter Server 201

    Connecting to vCenter Server Through a Firewall 202

    Connecting ESXi Hosts Through Firewalls 202

    Firewalls for Configurations Without vCenter Server 202

    Connecting to the Virtual Machine Console Through a Firewall 203

    Secure the Physical Switch 204

    Securing Standard Switch Ports with Security Policies 204

    Securing vSphere Standard Switches 205

    MAC Address Changes 206

    Forged Transmits 206

    Promiscuous Mode Operation 207

    Standard Switch P