Session Heading
VMUG Sri Lanka Virtual Meetup - May, 2020
Presenter Credentials
vCphere Security
HOL-2011-03
Thusitha Perera
General ESXi Security Recommendations
VMware vSphere
To protect an ESXi host against unauthorized intrusion and
misuse, VMware imposes constraints on several parameters,
settings, and activities. You can loosen the constraints to meet
your configuration needs. If you do, make sure that you are
working in a trusted environment and take other security
measures.
Presenter Credentials
Securing ESXi Hosts VMware vSphere 6.5
Configure ESXi Hosts with Host Profiles
General ESXi Security Recommendations
Certificate Management for ESXi Hosts
Customizing Hosts with the Security Profile
Assigning Privileges for ESXi Hosts
Using Active Directory to Manage ESXi Users
Using vSphere Authentication Proxy
Configuring Smart Card Authentication for ESXi
Using the ESXi Shell
UEFI Secure Boot for ESXi Hosts
ESXi Log Files
Presenter Credentials
Built-In Security Features
Risks to the hosts are mitigated out of the box as follows:
ESXi Shell and SSH are disabled by default.
Only a limited number of firewall ports are open by default. You can explicitly open
additional firewall ports that are associated with specific services.
ESXi runs only services that are essential to managing its functions. The distribution is
limited to the features required to run ESXi.
By default, all ports that are not required for management access to the host are
closed. Open ports if you need additional services.
Presenter Credentials
Built-In Security Features
A Tomcat Web service is used internally by ESXi to support access by Web clients.
VMware monitors all security alerts that can affect ESXi security and issues a security
patch if needed.
Ensure secure services installed
.
Consider using UEFI Secure Boot for your ESXi system. See UEFI Secure Boot for ESXi
Hosts.
Presenter Credentials
Additional Security Measures
Consider the following recommendations when evaluating host security and
administration.
Limit access
Provide only trusted users with ESXi Shell login
Do not access managed hosts directly
Presenter Credentials
Use DCUI only for troubleshooting Access the host from the DCUI or the ESXi Shell as
the root user only for troubleshooting.
Use one of the GUI clients, or one of the VMware CLIs or APIs to administer
your ESXi hosts.
If you use the ESXi Shell or SSH, limit the accounts that have access and set timeouts.
Use only VMware sources to upgrade ESXi components The host runs several thirdparty packages to support management interfaces or tasks that you must perform.
Presenter Credentials
Use Scripts to Manage Host Configuration Settings
ESXi Passwords and Account Lockout
SSH Security
Use Scripts to Manage Host Configuration Settings
ESXi Passwords and Account Lockout
SSH Security
PCI and PCIe Devices and ESXi
Disable the Managed Object Browser
Presenter Credentials
ESXi Networking Security Recommendations
Modifying ESXi Web Proxy Settings
vSphere Auto Deploy Security Considerations
Presenter Credentials
ESXi uses the Linux PAM
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-412EF981-D4F1-430B-9D09A4679C2D04E7.html.
https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-4D0F8E63-2961-4B71-B365BBFA24673FDB.html
https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-FD142F1A-FE26-473E-BF09AC2F84B15318.html
https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-3E2AFC73-1E33-403C-AB2EE3C29FD6717C.html
https://www.vmware.com/security/hardening-guides.html
Presenter Credentials
ESXi uses the Linux PAM
For ESXi hosts, you have to use a password with
predefined requirements.
You can change the required length and character
class requirement or allow pass phrases using
Security.PasswordQualityControl advanced option.
Presenter Credentials
ESXi Passwords and Account Lockout
module pam_passwdqc for password management and control
See the manpage for pam_passwdqc for detailed information
Note: the default requirements for ESXi passwords can change form one release to the
next. You can check and change the default password restrictions using the
Security.PasswordQulityControl advanced option
Presenter Credentials
ESXi Passwords
ESXi enforces password requirements for access from the Direct Console
User Interface, the ESXi Shell, SSH, or the VMware Host Client.
An uppercase character that begins a password does not count toward the
number of character classes used. A number that ends a password does not
count toward the number of character classes used.
Presenter Credentials
Example ESXi Passwords
The following passoword candidate illustrate potential password if
the option is set as follows:
retry=3 min=disabled,disabled,disabled,7,7
Presenter Credentials
Example ESXi Passwords
xQaTEhb!: Contains eight characters from three character classes.
xQaT3#A: Contains seven characters from four character classes.
xQaTEh2: Ends with a number, reducing the effective number of
character classes to two. The minimum number of required
character classes is three.
Presenter Credentials
ESXi Pass Phrase
Instead of a password, you can also use a pass phrase; however, pass phrases are disabled by default. You
can change this default or other settings, by using the Security.PasswordQualityControl advanced option
from the vSphere Web Client.
For example, you can change the option to the following:
retry=3 min=disabled,disabled,16,7,7
This example allows pass phrases of at least 16 characters and at least 3 words, separated by spaces.
For legacy hosts, changing the /etc/pamd/passwd file is still supported, but changing the file is depreciated
for future releases. Use the Security.PasswordQualityControl advanced option instead.
Presenter Credentials
Changing Default Password Restrictions
You can change the default restriction on passwords or pass phrases by using
the Security.PasswordQualityControl advanced option for your ESXi host.
See the vCenter Server and Host Management documentation for information on
setting ESXi advanced options.
You can change the default, for example, to require a minimum of 15 characters and a
minimum number of four words, as follows: retry=3 min=disabled,disabled,15,7,7
passphrase=4
See the manpage for pam_passwdqc for details.
Presenter Credentials
Configuring Login Behavior
You can configure the login behaviour for your ESXi host with the following
advanced options:
Security.AccountLockFailures. Maximum number of failed login attempts
before a user's account is locked. Zero disables account locking.
Security.AccountUnlockTime. Number of seconds that a user is locked out.
See the vCenter Server and Host Management documentation for information
on setting ESXi advanced options.
Presenter Credentials
ESXi.apply-patches
Keep ESXi system properly patched to minimize Vulnerability
threats
By staying up to date on ESXi patches, vulnerabilities in the
hypervisor can be mitigated. An educated attacker can
exploit known vulnerabilities when attempting to attain
access or elevate privileges on an ESXi host.
Presenter Credentials
ESXi Patches
Keep ESXi system properly patched to minimize Vulnerability
threats
By staying up to date on ESXi patches, vulnerabilities in the
hypervisor can be mitigated. An educated attacker can
exploit known vulnerabilities when attempting to attain
access or elevate privileges on an ESXi host.
Presenter Credentials
Web Client Assessment
Employ a process to keep ESXi hosts up to date with patches
in accordance with industry-standards and internal
guidelines. VMware Update Manager is an automated tool
that can greatly assist with this. VMware also publishes
Advisories on security patches, and offers a way to subscribe
to email alerts for them.
https://www.vmware.com/support/policies/security_respon
se
Presenter Credentials
Questions?
A. Shane Delima BEng(Hons) VCIX6-DCV, VCIX-NV, FCNSP, RHCSA & ITILv3
Thank You…
A. Shane Delima BEng(Hons) VCIX6-DCV, VCIX-NV, FCNSP, RHCSA & ITILv3