VCAP5-DCA Objective 7.1 – Secure ESXi hosts

Objectives

  • Add/Edit Remove users/groups on an ESXi host
  • Customize SSH settings for increased security
  • Enable/Disable certificate checking
  • Generate ESXi host certificates
  • Enable ESXi lockdown mode
  • Replace default certificate with CA-signed certificate
  • Configure SSL timeouts
  • Configure vSphere Authentication Proxy
  • Enable strong passwords and configure password policies
  • Identify methods for hardening virtual machines
  • Analyze logs for security-related messages
  • Manage Active Directory integration

Last Update: 24-12-2012

Add/Edit Remove users/groups on an ESXi host

Official Documentation:
vSphere Security Guide, Chapter 4 “Authentication and User Management”, section “Managing vSphere Users / Groups”, page 42.

Summary:
When a vSphere Client or vCenter Server user connects to ESXi, a connection is established with the VMware Host Agent process. The process uses the user names and passwords for authentication.

ESXi authenticates users accessing hosts using the vSphere Client or SDK. The default installation of ESXi uses a local password database for authentication.

ESXi uses the Pluggable Authentication Modules (PAM) structure for authentication when users access the ESXi host using the vSphere Client. The PAM configuration for VMware services is located in /etc/pam.d/system-auth-generic, which stores paths to authentication modules. Changes to this configuration affect all host services.

ESXi users fall into two categories:

  • Authorized vCenter Server users
  • Direct-access Users

VMware recommends these Best practices:

  • Do not create a user named ALL. Privileges associated with the name ALL might not be available to all users in some situations.
  • Use a directory service or vCenter Server to centralize access control, rather than defining users on individual hosts.
  • Choose a local Windows user or group to have the Administrator role in vCenter Server.
  • Because of the confusion that duplicate naming can cause, check the vCenter Server user list before you create ESXi host users to avoid duplicating names. To check for vCenter Server users, review the Windows domain list.

Important Note: By default, some versions of the Windows operating system include the NT AUTHORITY\INTERACTIVE user in the Administrators group. When the NT AUTHORITY\INTERACTIVE user is in the Administrators group, every user you create on the vCenter Server system gets the Administrator privilege in vCenter Server. To avoid this, remove the NT AUTHORITY\INTERACTIVE user from the Administrators group on the Windows system where you run vCenter Server.

Remember:

  • You assign a Role to a User or Group;
  • A Role is a set of Privileges;
  • Permission = User/Group + Role, applied to an Object in the inventory;
  • Permissions are inherited (they flow down the inventory tree);
  • Apply a Permission at the level where it is needed and no higher.

To Add or Edit Local Users and Groups:

  • With the vSphere Client, connect to an ESXi host (not the vCenter Server)
  • Select the Host object
  • Go to Tab “Local Users & Groups”
  • Now you can Add, Remove or Edit a User or Group

Figure 1

Editing a user:

Figure 2

Go to the tab ”Permissions” to combine Roles and Users.

Customize SSH settings for increased security

Official Documentation:

Summary:
By default, SSH is not enabled, so before you can connect to an ESXi host with an SSH client (such as PuTTY) you must enable it first.

  • With the vSphere Client connect to vCenter Server or an individual ESXi host;
  • Go to Tab Configuration, Software, Security Profile.
  • Under the Services section, choose Properties, select SSH
  • Choose Options and Start the Service

Another way is using the console and the DCUI

  • Open a Console
  • Logon
  • Go to “Troubleshooting Mode Options”
  • Select “Enable SSH”, now at the right hand it will tell you “SSH is Enabled”

You can set a timeout value (in minutes) for local and remote shell access; when it expires, the shell service is disabled again, so a shell that was enabled for troubleshooting does not stay open indefinitely. The maximum value is 1440 minutes (24 hours); entering zero means no timeout.

Figure 3

The timeout value can also be adjusted with the vSphere Client, under the Advanced Settings section (UserVars.ESXiShellTimeOut).

Figure 4

Another way to increase security is to edit the firewall rule for the SSH server. By choosing “Only allow connections from the following networks”, you can limit SSH traffic to the ESXi host to your management networks; leaving the rule open to all networks means every system that can reach port 22 can attempt to log in as root.

Figure 5

Enable/Disable certificate checking

Official Documentation:
vSphere Security Guide, Chapter 5 “Encryption and Security Certificates for ESXi and vCenter Server”, page 72.

Summary:
To prevent man-in-the-middle attacks and to fully use the security that certificates provide, certificate checking is enabled by default. You can verify that certificate checking is enabled in the vSphere Client.

Figure 6

Generate ESXi host certificates

Official Documentation:
vSphere Security Guide, Chapter 5 “Encryption and Security Certificates for ESXi and vCenter Server”, section “Generate New Certificates for ESXi”,  page 72.

Summary:
The steps are carefully outlined in this section:

You typically generate new certificates only if you change the host name or accidentally delete the certificate.

Procedure

1 Log in to the ESXi Shell and acquire root privileges.

2 (Optional) In the directory /etc/vmware/ssl, back up any existing certificates by renaming them using the following commands.

# mv rui.crt orig.rui.crt

# mv rui.key orig.rui.key

3 Run the following command to generate new certificates.

# /sbin/generate-certificates

4 Run the following command to restart the hostd process.

# /etc/init.d/hostd restart

5 Confirm that the host successfully generated new certificates by running the following command and comparing the time stamps of the new certificate files with orig.rui.crt and orig.rui.key. Note that the host clock is UTC, not your local time!

# ls -la

NOTE: There are three different certificate files:

  • rui.key = private key file (keep it readable by root only);
  • rui.crt = certificate file;
  • rui.pfx = Personal Information Exchange file, used to transport certificates and their private keys between two systems. This file is only found on the vCenter Server.

Certificate Locations:

  • ESXi host: /etc/vmware/ssl
  • vCenter Server (Windows 2008): C:\ProgramData\VMware\VMware VirtualCenter\SSL

Enable ESXi lockdown mode

Official Documentation:
vSphere Security Guide, Chapter 6 “Lockdown Mode”, page 81.

Summary:
The goal of the ESXi Lockdown mode is to increase security.
Lockdown mode forces all operations to be performed through vCenter Server: only the vpxuser account (used by vCenter Server) keeps authentication permissions on the host, so direct logins with the vSphere Client or SSH are refused. Root can still log in at the DCUI, unless that is disabled as well.

Lockdown Mode can be enabled in three ways:

  • While using the “Add Host” wizard to add a host to the vCenter Server;
  • vSphere Client, while managing a host;
  • using the DCUI.

How does Lockdown mode affect operations on a ESXi host? Here is a comparison between Normal Mode and Lockdown Mode (provided by VMware).

Figure 7 – Lockdown Mode

Besides enabling Lockdown Mode, you can enable or disable remote and local access to the ESXi Shell to create different lockdown mode configurations. There is also a paranoid setting, called “Total Lockdown Mode”: Lockdown Mode with the ESXi Shell, SSH and the DCUI all disabled. Be careful with it: if such a host loses its connection to vCenter Server, there is no way left to manage it, and the only recovery is to reinstall ESXi.

Another overview provided by VMware that shows the relationship between; Lockdown Mode, ESXi Shell, SSH and the DCUI settings.

Figure 8

When you enable Lockdown mode using the DCUI, be aware that permissions for users and groups are discarded (that means, permissions are lost). I also noticed some strange behaviour after enabling Lockdown mode with the DCUI, the Lockdown Mode status in the vSphere Client remains disabled.

Figure 9 – Related Services

Replace default certificate with CA-signed certificate

Official Documentation:
vSphere Security Guide, Chapter 5 “Encryption and Security Certificates for ESXi and vCenter Server”, section “Replace a Default Host Certificate with a CA-Signed Certificate”, page 73.

Summary:
The certificates installed during the installation process are generated on the host and signed by VMware rather than by a trusted certificate authority (CA), so clients cannot verify them; this is why the vSphere Client shows a certificate warning when you connect directly to a host.

You can replace the default certificates.

The procedure is nearly identical to the one described in the previous section.

Procedure

1 Log in to the ESXi Shell and acquire root privileges.

2 (Optional) In the directory /etc/vmware/ssl, back up any existing certificates by renaming them using the following commands.

# mv rui.crt orig.rui.crt

# mv rui.key orig.rui.key

3 Copy the new certificate and key to /etc/vmware/ssl

4 Rename the new certificate and key to rui.crt and rui.key

5 Run the following command to restart the hostd process.

# /etc/init.d/hostd restart

6 Confirm that the host now uses the new certificate by running the following command and comparing the time stamps of rui.crt and rui.key with those of orig.rui.crt and orig.rui.key. Note that the host clock is UTC, not your local time!

# ls -la

TIP: you can use WinSCP to copy files from your Windows management system to your ESXi host. Make sure the copied rui.key is readable by root only. If the host is managed by vCenter Server, disconnect and reconnect it afterwards, because vCenter Server stores the thumbprint of the host certificate and will not trust the host until the new thumbprint is recorded.

Other references:

  • vSphere Examples and Scenarios Guide, chapter 4 “Increasing Security for Session Information Sent Between vSphere Components” presents detailed information on related topics like:
    • Replace Default Server Certificates with Certificates Signed by a Commercial Certificate Authority.
      Includes using the OpenSSL libraries and toolkits for creating the Certificate-Signing Requests for the vCenter Server.
    • Replace Default Server Certificates with Self-Signed Certificates

Configure SSL timeouts

Official Documentation:
vSphere Security Guide, Chapter 5 “Encryption and Security Certificates for ESXi and vCenter Server”, Section “Configure SSL Timeouts”, page 75.

Summary:
SSL Timeout periods can be set for two types of idle connections:

  • The Read Timeout setting applies to connections that have completed the SSL handshake process with port 443 of ESXi.
  • The Handshake Timeout setting applies to connections that have not completed the SSL handshake process with port 443 of ESXi.

Both connection timeouts are set in milliseconds.

Idle connections are disconnected after the timeout period. By default, fully established SSL connections have a timeout of infinity.

The process is outlined in the Security Guide, and must be performed directly on the ESXi host.

You have to edit the file: /etc/vmware/hostd/config.xml.

You have to add these lines at the correct location. This example shows how to add these settings with a value of 20000 ms. (20 seconds).

<vmacore>
 ...
 <http>
  <readTimeoutMs>20000</readTimeoutMs>
 </http>
 ...
 <ssl>
 ...
  <handshakeTimeoutMs>20000</handshakeTimeoutMs>
 ...
 </ssl>
</vmacore>

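Editing config.xml by hand on every host is error-prone (a misplaced tag stops hostd from starting). The following script, an added example for this page and not VMware code, makes the same change with an XML parser: it adds or updates readTimeoutMs under vmacore/http and handshakeTimeoutMs under vmacore/ssl, never duplicates the elements, and keeps a .bak copy. It assumes the element layout quoted above; SAMPLE_CONFIG is a constructed, trimmed stand-in for the real file. hostd reads the file only at start, so run /etc/init.d/hostd restart afterwards.

```python
"""Set the hostd SSL timeouts in /etc/vmware/hostd/config.xml.

Added example for this page, not VMware code. It assumes the element layout
quoted above (<config><vmacore><http> and <config><vmacore><ssl>) and writes a
.bak copy before touching the file. hostd only reads the file at start, so run
/etc/init.d/hostd restart afterwards.
"""
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for the real config.xml (the real file is much larger).
SAMPLE_CONFIG = """<config>
  <vmacore>
    <http>
      <maxConnections>100</maxConnections>
    </http>
    <ssl>
      <doVersionCheck>false</doVersionCheck>
    </ssl>
  </vmacore>
</config>
"""

# (parent element under <vmacore>, timeout element)
TIMEOUT_ELEMENTS = (("http", "readTimeoutMs"), ("ssl", "handshakeTimeoutMs"))


def set_timeouts(xml_text, read_ms=20000, handshake_ms=20000):
    """Return the XML with both timeouts set, creating missing elements but never duplicating them."""
    values = {"readTimeoutMs": read_ms, "handshakeTimeoutMs": handshake_ms}
    for name, value in values.items():
        if not isinstance(value, int) or value <= 0:
            raise ValueError("%s must be a positive number of milliseconds" % name)
    root = ET.fromstring(xml_text)
    vmacore = root.find("vmacore")
    if vmacore is None:
        raise ValueError("no <vmacore> element; is this really hostd's config.xml?")
    for parent_tag, child_tag in TIMEOUT_ELEMENTS:
        parent = vmacore.find(parent_tag)
        if parent is None:
            parent = ET.SubElement(vmacore, parent_tag)
        child = parent.find(child_tag)
        if child is None:
            child = ET.SubElement(parent, child_tag)
        child.text = str(values[child_tag])
    return ET.tostring(root, encoding="unicode")


def get_timeouts(xml_text):
    """Return the current values; None means 'not set' (hostd default: no read timeout)."""
    root = ET.fromstring(xml_text)
    result = {}
    for parent_tag, child_tag in TIMEOUT_ELEMENTS:
        el = root.find("vmacore/%s/%s" % (parent_tag, child_tag))
        result[child_tag] = int(el.text) if el is not None and el.text else None
    return result


def update_file(path, read_ms=20000, handshake_ms=20000):
    """Rewrite config.xml in place, keeping a .bak copy of the original."""
    with open(path) as f:
        original = f.read()
    updated = set_timeouts(original, read_ms, handshake_ms)  # fail before anything is written
    with open(path + ".bak", "w") as f:
        f.write(original)
    with open(path, "w") as f:
        f.write(updated)


if __name__ == "__main__":
    print(get_timeouts(set_timeouts(SAMPLE_CONFIG)))
```

On a host you would call update_file("/etc/vmware/hostd/config.xml") and then restart hostd; if hostd fails to start, copy the .bak file back. Note that ElementTree drops XML comments when it rewrites the file, so compare the result with the backup before you rely on it.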

Configure vSphere Authentication Proxy

Official Documentation:
vSphere Security Guide, Chapter 4 “Authentication and User management”, section “Using vSphere Authentication Proxy” page 65.

Summary:
vSphere Authentication Proxy enables ESXi hosts to join an Active Directory domain without using Active Directory credentials on the host: the proxy, running on a Windows system, performs the join, so no domain credentials have to be stored in the host configuration. This matters most for PXE-booted and Auto Deploy hosts, whose configuration is provisioned centrally.

The installation is also outlined in the vSphere Installation and Setup Guide, Chapter 12 “After you install vCenter Server”, section “Install VMware vSphere Authentication Proxy”, page 215.

Notes on installing:

  • IIS is a prerequisite. Select the default IIS installation and add IIS 6 Metabase Compatibility, ISAPI Extensions, and IP and Domain Restrictions.

An overview of the configuration process:

  • Configure a Host to Use the vSphere Authentication Proxy for Authentication;
  • Authenticating vSphere Authentication Proxy to ESXi;
    • Export vSphere Authentication Proxy Certificate
    • Import a vSphere Authentication Proxy Server Certificate to ESXi
    • Use vSphere Authentication Proxy to Add a Host to a Domain

Figure 10 – Configure IIS to set up the DHCP range

Figure 11 – Adding ESXI host to the domain

Note:  I received this message while joining the ESXi host to the domain.

Figure 12

This needs further investigation. Anyone?

Enable strong passwords and configure password policies

Official Documentation:
vSphere Security Guide, Chapter 7 “Best Practices for Virtual Machine and Host Security”, section “Host Password Strength and Complexity”, page 72.

Summary:
This applies to local accounts on an ESXi host.

By default, ESXi uses the pam_passwdqc.so plug-in to set the rules that users must observe when creating passwords and to check password strength.

You can change the default password complexity for this plugin, by editing the following file: /etc/pam.d/passwd

Edit this line:

password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6

More information on pam_passwdqc is available in:

  • The man page.
  • This post by Vincent Danen.

For Active Directory accounts (after Active Directory integration), the password policies of the domain apply instead; the pam_passwdqc settings only govern local host accounts.
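The five numbers in min=N0,N1,N2,N3,N4 are the minimum lengths for passwords made of one, two, (passphrase), three and four character classes respectively. To see what the ESXi default line above actually accepts before editing it, here is a small model of those rules. It is an added example for this page, not the pam_passwdqc code: it reproduces the documented class counting (an upper-case first character and a digit as last character are not counted) and the passphrase alternative, but not the dictionary and similarity checks pam_passwdqc also performs, so a password accepted here can still be rejected on the host.

```python
"""Model of how pam_passwdqc applies a 'min=N0,N1,N2,N3,N4' setting.

Added example for this page, not the pam_passwdqc code itself. Dictionary and
similarity checks are not modelled.
"""
import re

# The ESXi 5 default line from /etc/pam.d/passwd quoted above.
ESXI_DEFAULT = "password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6"
# pam_passwdqc's own default, for comparison: one-class passwords are not allowed at all.
PASSWDQC_DEFAULT = "password   requisite    pam_passwdqc.so min=disabled,24,11,8,7"


def parse_min(pam_line):
    """Return [N0, N1, N2, N3, N4] from a pam_passwdqc line; 'disabled' becomes None."""
    m = re.search(r"\bmin=(\S+)", pam_line)
    if not m:
        raise ValueError("no min= option on this line")
    parts = m.group(1).split(",")
    if len(parts) != 5:
        raise ValueError("min= needs exactly five values, got %d" % len(parts))
    return [None if p == "disabled" else int(p) for p in parts]


def char_classes(password):
    """Count character classes (digits, lower, upper, other) the way passwdqc does:
    an upper-case first character and a digit as last character are not counted,
    because users put them there predictably."""
    body = password
    if body[:1].isupper():
        body = body[1:]
    if body[-1:].isdigit():
        body = body[:-1]
    classes = set()
    for ch in body:
        if ch.isdigit():
            classes.add("digit")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        else:
            classes.add("other")
    return len(classes)


# Which of N0..N4 applies for a given class count (N2 is reserved for passphrases).
MIN_INDEX = {0: 0, 1: 0, 2: 1, 3: 3, 4: 4}


def check(password, mins, passphrase_words=3):
    """Return (accepted, reason). 'mins' is the list from parse_min()."""
    length = len(password)
    words = len(password.split())
    # Passphrase rule: enough words and at least N2 characters is accepted regardless of classes.
    if words >= passphrase_words and mins[2] is not None and length >= mins[2]:
        return True, "passphrase of %d words, %d characters" % (words, length)
    n = char_classes(password)
    required = mins[MIN_INDEX[n]]
    if required is None:
        return False, "passwords with %d character class(es) are disabled" % n
    if length < required:
        return False, "%d class(es): need at least %d characters, got %d" % (n, required, length)
    return True, "%d class(es), %d characters" % (n, length)


if __name__ == "__main__":
    mins = parse_min(ESXI_DEFAULT)
    for pw in ("abcdefgh", "Abcdef1", "aB3def!", "red horse battery"):
        print(repr(pw), check(pw, mins))
```

The instructive case is "Abcdef1": it looks like a three-class password, but after discounting the leading capital and trailing digit only one class remains, so it needs 8 characters and fails with the ESXi default. With min=disabled,24,11,8,7 one-class passwords are refused outright, which is a more defensible setting for root on a hypervisor.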

Identify methods for hardening virtual machines

Official Documentation:
vSphere Security Guide, Chapter 7 “Best Practices for Virtual Machine and Host Security”, section “Virtual Machine Recommendations”, page 87.

Summary:
In essence, virtual machines should be treated the same way as physical hosts. However, there are a few points that are characteristic of virtual machines.

  • Install Antivirus and Malware protection Software;
  • Install Operating System Security patches and Application patches;
  • Limit Copy and Paste between a Guest OS and the Remote Console (disabled by default; check that nobody re-enabled it in the .vmx);
  • Remove unnecessary virtual hardware (such as floppy drives, CD/DVD drives, serial ports and unused network adapters);
  • Use Firewalls or Access Control Lists to limit access to your VMs;
  • Do not use VMCI (VM Communication Interface) between VMs;

Figure 13 – VMCI

  • In vCenter Server limit access to your VMs by using Roles and Permissions;
  • Limit the size and number of VM log files;
  • In the Guest OS, turn off unneeded services;
  • Collect Guest OS logfiles and consider auditing.
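Several of the points above end up as settings in the VM's .vmx file, so they can be audited from a copy of that file without touching vCenter. The script below is an added example for this page, not VMware tooling: it parses a .vmx and reports console copy/paste re-enabled, removable devices and CD/DVD drives still present, more than one network adapter, unrestricted VMCI and unbounded logging. The key names are the ones vSphere 5 hardening guidance uses for these items (isolation.tools.copy.disable, isolation.tools.paste.disable, vmci0.unrestricted, log.rotateSize, log.keepOld, and the per-device .present keys); both sample files are constructed for the example.

```python
"""Audit a .vmx file against the VM hardening points listed above.

Added example for this page, not VMware tooling. Adjust the key names if your
version documents different ones.
"""
import re

# Constructed sample .vmx with several of the things the list above warns about.
SAMPLE_VMX = '''.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "8"
displayName = "web01"
floppy0.present = "TRUE"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "/vmfs/volumes/datastore1/iso/install.iso"
serial0.present = "TRUE"
ethernet0.present = "TRUE"
ethernet1.present = "TRUE"
vmci0.present = "TRUE"
vmci0.unrestricted = "TRUE"
isolation.tools.paste.disable = "FALSE"
'''

# Constructed sample of the same VM after hardening.
HARDENED_VMX = '''displayName = "web01"
floppy0.present = "FALSE"
ethernet0.present = "TRUE"
vmci0.present = "TRUE"
vmci0.unrestricted = "FALSE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
log.rotateSize = "100000"
log.keepOld = "10"
'''

VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse 'key = "value"' lines into a dict; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def is_true(cfg, key, default=False):
    """VMX booleans are the strings TRUE/FALSE in any case."""
    return cfg.get(key, "TRUE" if default else "FALSE").strip().upper() == "TRUE"


def audit_vmx(cfg):
    """Return a list of (key, finding) tuples; an empty list means nothing to report."""
    findings = []
    # Copy/paste with the remote console is off unless a line explicitly re-enables it.
    for key in ("isolation.tools.copy.disable", "isolation.tools.paste.disable"):
        if key in cfg and not is_true(cfg, key):
            findings.append((key, "set to %s: re-enables console copy/paste" % cfg[key]))
    # Unnecessary virtual hardware: floppy, serial and parallel devices, CD/DVD drives.
    for key, val in cfg.items():
        m = re.match(r"(floppy|serial|parallel)\d+\.present$", key)
        if m and val.upper() == "TRUE":
            findings.append((key, "%s device present; remove unless required" % m.group(1)))
        m = re.match(r"(ide|sata|scsi)\d+:\d+\.deviceType$", key)
        if m and val.startswith("cdrom"):
            dev = key[: -len(".deviceType")]
            if is_true(cfg, dev + ".present", default=True):
                findings.append((dev, "CD/DVD drive present (%s)" % val))
    nics = [k for k in cfg if re.match(r"ethernet\d+\.present$", k) and cfg[k].upper() == "TRUE"]
    if len(nics) > 1:
        findings.append(("ethernet", "%d network adapters; confirm each one is needed" % len(nics)))
    # VMCI between VMs is off by default; an explicit TRUE turns it on.
    if is_true(cfg, "vmci0.present", default=True) and is_true(cfg, "vmci0.unrestricted"):
        findings.append(("vmci0.unrestricted", "TRUE: VM-to-VM VMCI allowed; set to FALSE"))
    # Unbounded logging lets a guest fill the datastore with vmware.log output.
    for key in ("log.rotateSize", "log.keepOld"):
        if key not in cfg:
            findings.append((key, "not set: vmware.log size/count unbounded"))
    return findings


if __name__ == "__main__":
    for key, msg in audit_vmx(parse_vmx(SAMPLE_VMX)):
        print("%-32s %s" % (key, msg))
```

Run it over every .vmx on a datastore and you get a quick list of VMs that drifted from the baseline; the checks are deliberately conservative (a second NIC is reported for review, not condemned), so treat the output as a work list rather than a verdict.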

Analyze logs for security-related messages

Official Documentation:

Summary:
Analysing Guest OS logs should be part of your daily operations. In addition, review the logs of vCenter Server and the ESXi hosts: on ESXi, /var/log/auth.log records SSH and shell logins and hostd.log records vSphere Client and API sessions. In large environments, consider a central log collector such as Splunk, and forward ESXi logs with syslog so that they survive a host reboot or a compromise of the host.

See also Objective 6.1 on vSphere Log files.
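What "security-related messages" means in practice: repeated failed SSH logins from one address, a successful login right after such a burst, root logins, and logins from outside the management network. The script below, an added example for this page and not a VMware tool, extracts exactly those from a log extract. The sample lines are constructed: the sshd lines follow the standard OpenSSH wording as it appears in /var/log/auth.log on ESXi 5, and the last line mimics the hostd "User X@IP logged in" event; the exact format on your hosts may differ, so check the regexes against real lines. MGMT_NETS is an assumed management network for the example.

```python
"""Pull security-relevant events out of ESXi authentication logs.

Added example for this page, not a VMware tool. Sample lines are constructed;
MGMT_NETS is an assumption for the example.
"""
import ipaddress
import re
from collections import Counter

MGMT_NETS = ["10.0.0.0/24"]  # assumed management network; anything else is suspect

SAMPLE_LOG = """\
2012-12-24T08:00:01Z sshd[4721]: Failed keyboard-interactive/pam for root from 203.0.113.9 port 40211 ssh2
2012-12-24T08:00:03Z sshd[4721]: Failed keyboard-interactive/pam for root from 203.0.113.9 port 40211 ssh2
2012-12-24T08:00:05Z sshd[4721]: Failed keyboard-interactive/pam for root from 203.0.113.9 port 40211 ssh2
2012-12-24T08:00:09Z sshd[4735]: Accepted keyboard-interactive/pam for root from 203.0.113.9 port 40220 ssh2
2012-12-24T08:10:44Z sshd[4801]: Accepted keyboard-interactive/pam for root from 10.0.0.20 port 51111 ssh2
2012-12-24T08:11:02Z sshd[4820]: Failed keyboard-interactive/pam for invalid user admin from 10.0.0.21 port 51120 ssh2
2012-12-24T08:12:00Z Hostd: [FFB0AB90 info 'Vimsvc.ha-eventmgr'] Event 1012 : User root@10.0.0.20 logged in as VMware-client/5.0.0
"""

SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
HOSTD_RE = re.compile(r"^(?P<ts>\S+) Hostd: .*User (?P<user>[^@\s]+)@(?P<ip>[\d.]+) logged in")


def in_mgmt(ip, nets=MGMT_NETS):
    """True if the address falls inside one of the management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def analyze(log_text, fail_threshold=3, nets=MGMT_NETS):
    """Return a dict of findings keyed by finding type."""
    failures = Counter()          # source IP -> failed SSH logins so far
    logins = []                   # (ts, service, user, ip) for every successful login
    failed_then_success = set()   # IPs that got in after reaching the failure threshold
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ip = m.group("ip")
            if m.group("result") == "Failed":
                failures[ip] += 1
            else:
                if failures[ip] >= fail_threshold:
                    failed_then_success.add(ip)
                logins.append((m.group("ts"), "ssh", m.group("user"), ip))
            continue
        m = HOSTD_RE.match(line)
        if m:
            logins.append((m.group("ts"), "hostd", m.group("user"), m.group("ip")))
    return {
        "brute_force": {ip: n for ip, n in failures.items() if n >= fail_threshold},
        "outside_mgmt": [l for l in logins if not in_mgmt(l[3], nets)],
        "root_logins": [l for l in logins if l[2] == "root"],
        "failed_then_success": sorted(failed_then_success),
    }


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind, items)
```

In the sample, 203.0.113.9 fails three times and then succeeds as root from outside the management network: that is the line you want a ticket for, and it is only visible because the script keeps per-source state across lines rather than matching each line on its own.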

Manage Active Directory integration

Official Documentation:
vSphere Security Guide, Chapter 4 “Authentication and User Management”, section “Using Active Directory to Manage Users and Groups”, page 61.

Summary:
The section “Using Active Directory to Manage Users and Groups” in the Security Guide outlines the steps to configure a host to use a directory service.

You can view the settings under the tab “Configuration”, “Authentication Services”.

Figure 14

After joining an ESXi host to the Active Directory domain, you can assign permissions to domain users or (better) domain groups. You can then use a domain account to establish a session with an ESXi host, using the vSphere Client or even an SSH session.

Also note, in the vCenter Server Settings is a section dedicated to Active Directory. Here you can adjust Time-out settings and other settings.

Figure 15

Even the vMA can be configured for Active Directory Authentication, see vSphere Management Assistant Guide, page 15.
