Session Heading: VMUG Sri Lanka Virtual Meetup - May, 2020

Presenter Credentials
vSphere Security (HOL-2011-03)
Thusitha Perera

General ESXi Security Recommendations (VMware vSphere)
To protect an ESXi host against unauthorized intrusion and misuse, VMware imposes constraints on several parameters, settings, and activities. You can loosen the constraints to meet your configuration needs. If you do, make sure that you are working in a trusted environment and take other security measures.

Securing ESXi Hosts (VMware vSphere 6.5)
- Configure ESXi Hosts with Host Profiles
- General ESXi Security Recommendations
- Certificate Management for ESXi Hosts
- Customizing Hosts with the Security Profile
- Assigning Privileges for ESXi Hosts
- Using Active Directory to Manage ESXi Users
- Using vSphere Authentication Proxy
- Configuring Smart Card Authentication for ESXi
- Using the ESXi Shell
- UEFI Secure Boot for ESXi Hosts
- ESXi Log Files

Built-In Security Features
Risks to the hosts are mitigated out of the box as follows:
- ESXi Shell and SSH are disabled by default.
- Only a limited number of firewall ports are open by default. You can explicitly open additional firewall ports that are associated with specific services.
- ESXi runs only services that are essential to managing its functions. The distribution is limited to the features required to run ESXi.
- By default, all ports that are not required for management access to the host are closed. Open ports if you need additional services.
- A Tomcat Web service is used internally by ESXi to support access by Web clients.
- VMware monitors all security alerts that can affect ESXi security and issues a security patch if needed.
- Ensure that only secure services are installed.
- Consider using UEFI Secure Boot for your ESXi system. See UEFI Secure Boot for ESXi Hosts.
Additional Security Measures
Consider the following recommendations when evaluating host security and administration.
- Limit access: provide only trusted users with ESXi Shell login.
- Do not access managed hosts directly.

Use DCUI only for troubleshooting
Access the host from the DCUI or the ESXi Shell as the root user only for troubleshooting. Use one of the GUI clients, or one of the VMware CLIs or APIs, to administer your ESXi hosts. If you use the ESXi Shell or SSH, limit the accounts that have access and set timeouts.

Use only VMware sources to upgrade ESXi components
The host runs several third-party packages to support management interfaces or tasks that you must perform.

- Use Scripts to Manage Host Configuration Settings
- ESXi Passwords and Account Lockout
- SSH Security
- PCI and PCIe Devices and ESXi
- Disable the Managed Object Browser
- ESXi Networking Security Recommendations
- Modifying ESXi Web Proxy Settings
- vSphere Auto Deploy Security Considerations

ESXi uses the Linux PAM
References:
- https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-412EF981-D4F1-430B-9D09A4679C2D04E7.html
- https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-4D0F8E63-2961-4B71-B365BBFA24673FDB.html
- https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-FD142F1A-FE26-473E-BF09AC2F84B15318.html
- https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-3E2AFC73-1E33-403C-AB2EE3C29FD6717C.html
- https://www.vmware.com/security/hardening-guides.html

For ESXi hosts, you have to use a password with predefined requirements.
You can change the required length and character class requirement, or allow pass phrases, using the Security.PasswordQualityControl advanced option.

ESXi Passwords and Account Lockout
ESXi uses the Linux PAM module pam_passwdqc for password management and control. See the manpage for pam_passwdqc for detailed information.
Note: the default requirements for ESXi passwords can change from one release to the next. You can check and change the default password restrictions using the Security.PasswordQualityControl advanced option.

ESXi Passwords
ESXi enforces password requirements for access from the Direct Console User Interface, the ESXi Shell, SSH, or the VMware Host Client.
- An uppercase character that begins a password does not count toward the number of character classes used.
- A number that ends a password does not count toward the number of character classes used.

Example ESXi Passwords
The following password candidates illustrate potential passwords if the option is set as follows:
retry=3 min=disabled,disabled,disabled,7,7
- xQaTEhb!: Contains eight characters from three character classes.
- xQaT3#A: Contains seven characters from four character classes.
- xQaTEh2: Ends with a number, reducing the effective number of character classes to two. The minimum number of required character classes is three.

ESXi Pass Phrase
Instead of a password, you can also use a pass phrase; however, pass phrases are disabled by default. You can change this default or other settings by using the Security.PasswordQualityControl advanced option from the vSphere Web Client. For example, you can change the option to the following:
retry=3 min=disabled,disabled,16,7,7
This example allows pass phrases of at least 16 characters and at least 3 words, separated by spaces.
For legacy hosts, changing the /etc/pam.d/passwd file is still supported, but changing the file is deprecated for future releases. Use the Security.PasswordQualityControl advanced option instead.

Changing Default Password Restrictions
You can change the default restrictions on passwords or pass phrases by using the Security.PasswordQualityControl advanced option for your ESXi host. See the vCenter Server and Host Management documentation for information on setting ESXi advanced options. You can change the default, for example, to require a minimum of 15 characters and a minimum of four words, as follows:
retry=3 min=disabled,disabled,15,7,7 passphrase=4
See the manpage for pam_passwdqc for details.

Configuring Login Behavior
You can configure the login behaviour for your ESXi host with the following advanced options:
- Security.AccountLockFailures: maximum number of failed login attempts before a user's account is locked. Zero disables account locking.
- Security.AccountUnlockTime: number of seconds that a user is locked out.
See the vCenter Server and Host Management documentation for information on setting ESXi advanced options.

ESXi Patches (ESXi.apply-patches)
Keep ESXi systems properly patched to minimize vulnerability threats. By staying up to date on ESXi patches, vulnerabilities in the hypervisor can be mitigated. An educated attacker can exploit known vulnerabilities when attempting to gain access or elevate privileges on an ESXi host.
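To see how the three slide candidates and the pass-phrase settings above play out, here is an added example (not from the presentation or from VMware) that evaluates candidates against a Security.PasswordQualityControl string. It implements only the length, class-count and pass-phrase rules the slides describe, including the leading-uppercase and trailing-digit exceptions; pam_passwdqc's dictionary and similarity checks are deliberately left out.

```python
# Added example, not VMware code: models the min=/passphrase= rules of
# Security.PasswordQualityControl as the slides describe them. Other
# pam_passwdqc checks (dictionary words, old-password similarity) are omitted.

def parse_policy(option):
    """Parse e.g. 'retry=3 min=disabled,disabled,16,7,7 passphrase=4'.
    min= fields apply to: 1 class, 2 classes, pass phrase, 3 classes, 4 classes.
    'disabled' becomes None, meaning that kind of password is never accepted."""
    policy = {"retry": 3, "min": [None] * 5, "passphrase": 3}
    for token in option.split():
        key, _, value = token.partition("=")
        if key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min= requires exactly five fields")
            policy["min"] = [None if f == "disabled" else int(f) for f in fields]
        elif key in ("retry", "passphrase"):
            policy[key] = int(value)
    return policy

def character_classes(pw):
    """Count classes (digit, lower, upper, other) after discounting a leading
    uppercase letter and a trailing digit, as the slides state."""
    body = pw[1:] if pw[:1].isupper() else pw
    body = body[:-1] if body[-1:].isdigit() else body
    kinds = {"digit" if c.isdigit() else "lower" if c.islower()
             else "upper" if c.isupper() else "other" for c in body}
    return len(kinds)

# min= index that governs a password with N character classes (index 2 is pass phrases)
CLASS_TO_MIN_INDEX = {1: 0, 2: 1, 3: 3, 4: 4}

def check_password(pw, policy):
    """Return (accepted, reason) for one candidate under the parsed policy."""
    n, length, words = character_classes(pw), len(pw), len(pw.split())
    minimum = policy["min"][CLASS_TO_MIN_INDEX[n]] if n in CLASS_TO_MIN_INDEX else None
    if minimum is not None and length >= minimum:
        return True, f"{length} chars from {n} classes (minimum {minimum})"
    # Fall back to the pass-phrase rule: enough words and at least min[2] chars.
    pp_min, pp_words = policy["min"][2], policy["passphrase"]
    if pp_min is not None and pp_words > 0 and words >= pp_words and length >= pp_min:
        return True, f"pass phrase of {words} words and {length} chars"
    if minimum is None:
        return False, f"passwords with {n} character classes are disabled"
    return False, f"{length} chars, but {n} classes require {minimum}"
```

Running check_password over "xQaTEhb!", "xQaT3#A" and "xQaTEh2" with the slide's policy accepts the first two and rejects the third because the trailing digit leaves only two classes.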
Web Client Assessment
Employ a process to keep ESXi hosts up to date with patches in accordance with industry standards and internal guidelines. VMware Update Manager is an automated tool that can greatly assist with this. VMware also publishes advisories on security patches, and offers a way to subscribe to email alerts for them.
https://www.vmware.com/support/policies/security_response

Questions?
A. Shane Delima BEng(Hons) VCIX6-DCV, VCIX-NV, FCNSP, RHCSA & ITILv3

Thank You…