The VI3 Security Hardening Best Practices paper provides recommendations for steps you can take to ensure that your VMware Infrastructure 3 environment is properly secured. It also explains in detail the security-related configuration options of the components of VMware Infrastructure 3 and the consequences for security of enabling certain capabilities.
The latest version of this guide may be found here:
http://www.vmware.com/resources/techresources/726
This section is meant to provide errata and other updates to the Hardening Guide. The guide, plus the contents of this document, should together be considered the most current hardening recommendations from VMware. Comments and suggestions are welcome.
Section "Configuring the Service Console in ESX 3.5", Subsection "Establish and Maintain File System Integrity"
The guide is not clear on the default file permissions for log files in the /var/log/vmware directory. The default permissions are as follows:
/var/log/vmware/webAccess: 755
/var/log/vmware/webAccess/*: 644 (i.e., all files contained in /var/log/vmware/webAccess)
/var/log/vmware/vpx: 750
/var/log/vmware/vpx/*: 644
all other log files in /var/log/vmware: 644
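As an added example (not part of the VMware guide or this errata page), the following shell function audits a log tree against the default modes listed above and reports any file or directory that deviates. It assumes GNU `stat -c %a`, as found on the ESX 3.5 service console, and that the base directory is passed in (defaulting to /var/log/vmware); the guide gives no default for files nested under subdirectories other than webAccess and vpx, so those are skipped rather than guessed.

```shell
#!/bin/sh
# Audit file modes under a /var/log/vmware-style tree against the defaults
# stated in the errata above. Added example, not from the VMware guide.
# Assumes GNU stat (-c %a), as on the ESX 3.5 service console.

# expected_mode <path> <base>
# Prints the default octal mode for <path>, or nothing if the guide states
# no default for that location.
expected_mode() {
    path=$1; base=$2
    case "$path" in
        "$base/webAccess")   echo 755 ;;
        "$base/vpx")         echo 750 ;;
        "$base/webAccess"/*) echo 644 ;;
        "$base/vpx"/*)       echo 644 ;;
        "$base"/*/*)         echo "" ;;   # nested under another subdirectory: no stated default
        *)                   echo 644 ;;  # any other log file directly in the base directory
    esac
}

# audit_vmware_log_perms [base]
# Prints one DEVIATION line per mismatch and returns the number of mismatches
# (0 means every checked entry has its default mode).
audit_vmware_log_perms() {
    base=${1:-/var/log/vmware}
    bad=0
    for path in "$base"/* "$base"/*/*; do
        [ -e "$path" ] || continue              # unmatched glob, nothing there
        if [ -d "$path" ]; then
            # the guide only states a default mode for these two directories
            case "$path" in
                "$base/webAccess"|"$base/vpx") ;;
                *) continue ;;
            esac
        fi
        expected=$(expected_mode "$path" "$base")
        [ -n "$expected" ] || continue          # no stated default: skip
        actual=$(stat -c %a "$path")
        if [ "$actual" != "$expected" ]; then
            echo "DEVIATION $path mode=$actual expected=$expected"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: sh audit_log_perms.sh [/var/log/vmware]
if [ $# -gt 0 ]; then
    audit_vmware_log_perms "$1"
    echo "deviations: $?"
fi
```

A non-zero return count is convenient for a cron job or a post-install check; the DEVIATION lines name the exact path so the mode can be corrected with `chmod` to the value the guide expects.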
Section "Configuring the Service Console in ESX 3.5", Subsection "Disable Automatic Mounting of USB Devices"
Following this step could result in USB keyboards and mice becoming unusable. It is recommended that you verify that the mouse and keyboard continue to operate normally after the change, and that you do not implement this step if they do not.
Section "Configuring the Service Console in ESX 3.5", Subsection "Limit the Software and Services Running in the Service Console"
Please note that the default enabled services might change in different minor releases of ESX. The recommendation remains that you only enable those services which are needed and disable the rest.
In the section "Virtual Machine Files and Settings", subsection "Prevent Unauthorized Removal or Connection of Devices", the parameter to include is incorrectly stated. Instead of "isolation.tools.connectable.disable", the parameter should be "isolation.device.connectable.disable".
Related to the previous point, the parameter "isolation.device.edit.disable" should also be set to true, in order to prevent ordinary users in a VM from modifying devices.
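As an added example (not from the VMware guide or this errata page), the following shell function checks a virtual machine's .vmx file for both corrected parameters and reports any that are absent or not set to TRUE. It only matches the exact key names, so a configuration that still carries the misspelled "isolation.tools.connectable.disable" from the original guide text is reported as missing the correct parameter. It assumes the usual `key = "value"` line format of .vmx files and a case-insensitive TRUE/FALSE value; the sample files in the usage are constructed for illustration.

```shell
#!/bin/sh
# Check a .vmx file for the two device-isolation parameters named in the
# errata above. Added example, not from the VMware guide.

# vmx_value <file.vmx> <key>
# Prints the value of the last line whose key matches exactly (quotes and
# surrounding whitespace stripped), or nothing if the key is absent.
vmx_value() {
    awk -F= -v k="$2" '
        { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
        key == k { last = $2 }
        END { print last }' "$1" | tr -d ' \t"'
}

# check_vmx_isolation <file.vmx>
# Prints one line per parameter that is not set to TRUE and returns the
# number of such parameters (0 means both are correctly set).
check_vmx_isolation() {
    vmx=$1
    missing=0
    for param in isolation.device.connectable.disable isolation.device.edit.disable; do
        value=$(vmx_value "$vmx" "$param")
        case "$value" in
            [Tt][Rr][Uu][Ee]) ;;                 # correctly set
            *)
                echo "$vmx: $param not set to TRUE (found: '${value:-<absent>}')"
                missing=$((missing + 1))
                ;;
        esac
    done
    return "$missing"
}

# Usage: sh check_vmx.sh /vmfs/volumes/<datastore>/<vm>/<vm>.vmx
if [ $# -gt 0 ]; then
    check_vmx_isolation "$1"
    echo "parameters needing attention: $?"
fi
```

Running this over every .vmx on a datastore before powering VMs on gives a quick inventory of guests whose users could still connect, disconnect or edit virtual devices.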
It would be good to see someone post the actual steps they took... like a bullet point list of hardening steps.