This is another article about the vSphere virtualization environment, and this time I want to talk about hardening ESXi 5. By design, ESXi 5 has a very small attack surface and is a relatively secure platform. But further hardening can be performed on ESXi hosts and virtual machines to make the virtualization infrastructure more secure (and that is a good thing). Third-party products can be used for security purposes, but today our topic is the basic configuration changes that we can make in the vSphere environment itself for a more secure platform.
One of the things that I want to talk about is the hardening guide that VMware published two months ago. I will also explain the “VMware Compliance Checker For vSphere” tool, which is very helpful for finding the gaps in vSphere security. The “vSphere 5.0 Hardening Guide” can be downloaded from http://communities.vmware.com/docs/DOC-19605 . At the time of this writing, the released version of the guide is version 1.1. It is actually a simple Excel file that lists security-related configuration tips.
The guide covers the “virtual machine, ESXi host, virtual network, vCenter Server and vCenter Update Manager” components of the vSphere infrastructure, so you can find hundreds of configuration tips related to these components. By the way, the Excel file has 6 worksheets. The first 2 worksheets are the introduction page and the change log page. All the above-mentioned components are grouped under the remaining 4 sheets, which are “VM, ESXi, vNetwork and vCenter”.
I will show you a few configurations from the hardening guide, but only after I talk about the “VMware Compliance Checker For vSphere” tool, because the two are closely related (Compliance Checker is actually based on the hardening guide). “VMware Compliance Checker For vSphere” is a simple tool which runs an assessment on ESXi hosts managed by a vCenter Server. The assessment is based on a predefined subset of the vSphere 5.0 Hardening Guide rules and is run against the first 5 ESXi hosts that are found on the target vCenter Server. The assessment results for each host include the rules, the rule descriptions, and the success or failure of each rule. Figure 1 shows an example output of the tool.
The “VMware Compliance Checker For vSphere” tool can be downloaded from https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk . You have to sign in to the VMware website first. After you download the tool, you can install and run it on 32-bit or 64-bit versions of Windows Server 2003, Windows XP, Windows Vista, Windows Server 2008, or Windows 7. Java 1.6 must be installed on the machine before Compliance Checker can be installed.
After you install the tool, an icon is placed on the desktop, and you run the tool by double-clicking it. The tool looks like Figure 2. You can run the tool against a vCenter Server only; you cannot check a single ESXi server with it. To run the tool, I fill in the necessary fields (Machine Name/IP Address, User ID, Password) and press the Access Compliance button. The tool then spends some time checking the first 5 ESXi hosts that vCenter manages and opens an HTML page that summarizes its findings (Figure 1).
As you can see in the first cell of the table in Figure 1, you can expand a compliance rule to see its full description. It is not expanded by default. It is important to see the full details, because the name of a compliance rule does not make clear whether it is a VM-based rule or an ESXi host-based rule, which can make it hard to find in the hardening guide. To expand all the descriptions, there is a selection at the top of the HTML page (shown in Figure 1).
As usual, green means the setting is OK and red means the setting is fully or partially NOT OK. Take “REJECT-MAC-CHANGES” as an example: 3 of my hosts are red and two of them are green. This setting is related to the virtual network, so I open the vNetwork worksheet of the hardening guide, where I can see the REALLY full description of the setting. For security reasons, I have to change this setting to REJECT (the hardening guide describes how to do it). But on my first 3 ESXi hosts I have MS Clustered virtual machines, and this setting would negatively affect them (which is also described in the hardening guide, see Figure 3). Therefore I didn’t change the setting on these hosts. At the end of the day, you make the changes according to your needs. If a change could stop your work, don’t make it.
The previous example is actually a host-based setting; I changed it from the configuration tab of the related host. “DISABLE-CONSOLE-COPY” is another setting reported by Compliance Checker, but it is a VM-based setting, so I change it in the VM settings (Figures 4 and 5). The hardening guide tells me the name of the setting (Figure 6); in my example it is isolation.tools.copy.disable . To make things simpler, here is a hint: make all the modifications on one virtual machine and then convert it to a template. All the virtual machines that you later create from this template will have the same modified settings.
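To check the VM-based setting above across many machines (or on a template before you deploy from it), you can audit the .vmx text directly. The following is an added example, not from the hardening guide or from VMware: the VM names and .vmx contents are constructed, and both the case-insensitive key match and the rule that conflicting duplicate entries count as non-compliant are choices made for this example.

```python
import re

SETTING = "isolation.tools.copy.disable"  # setting name taken from the article

# Constructed sample .vmx contents (not from real virtual machines).
SAMPLE_VMX = {
    "web01": '.encoding = "UTF-8"\n'
             'displayName = "web01"\n'
             'isolation.tools.copy.disable = "TRUE"\n',
    "db01": 'displayName = "db01"\n'
            '# isolation.tools.copy.disable = "TRUE"\n'
            'isolation.tools.copy.disable = "false"\n',
    "legacy01": 'displayName = "legacy01"\n'
                'memsize = "2048"\n',
}

# key = "value" lines; lines starting with '#' are skipped as comments.
_LINE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')

def values_for(text, key):
    """Return every value assigned to `key` in .vmx text.

    Keys are compared case-insensitively (an assumption of this example).
    """
    found = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() == key.lower():
            found.append(m.group(2).strip())
    return found

def check_copy_disable(text):
    """Classify one .vmx as 'compliant', 'non-compliant' or 'not-set'."""
    values = values_for(text, SETTING)
    if not values:
        return "not-set"
    # Conflicting duplicates are reported as non-compliant (example's choice).
    ok = all(v.lower() == "true" for v in values)
    return "compliant" if ok else "non-compliant"

def audit(vmx_by_name):
    """Map each VM name to its status for the copy-disable setting."""
    return {name: check_copy_disable(t) for name, t in vmx_by_name.items()}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_VMX).items()):
        print(f"{name:10s} {SETTING} -> {status}")
```

A "not-set" result means the key is absent from the file; whether that needs action is for you to decide against the guide's description of the rule.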
And that is it! In this article, I tried to explain how you can make your vSphere environment more secure with the free tool and guide that VMware offers. I also gave examples of host-based and VM-based security settings. With a little effort, you can figure out the rest easily. I hope it will be helpful in your VMware adventure. See you soon.