A new vSphere hardening guide has been released. The news comes from the vSphere Security Blog here. The vSphere Hardening Guide is presented as an Excel spreadsheet, in which the different components of vSphere 5.1 are laid out on separate worksheets. You can consult it for different ways to restrict (harden) access to the components of vSphere and protect your installation from intruders.
The components that are covered in this guide:
- ESXi hosts
- vCenter and its database with clients
- Virtual Network
- vCenter Web Client
- vCenter SSO server
- vCenter Server Appliance (vCSA)
- vCenter Update Manager (VUM)
Not covered: vSphere Management Assistant (vMA) and any other add-ons.
For example, if you want to restrict access to the SSO database, then on the SSO worksheet you will find how to give the least possible privilege to the SSO DB user; either the configuration process is explained there, or there is a link to a vSphere documentation page.
SSO requires certain privileges on its database user in order to install, and the installer automatically checks for these. These are documented in the VMware Update Manager Administration Guide. However, after installation, only a small number of privileges are required for operation. The privileges on the SSO database user can be reduced during normal operation. These privileges should be added again if an upgrade or uninstall must be performed. Least privileges mitigates attacks if the SSO database account is compromised. There is currently no way to restrict AD users from logging in, even if they can't do anything.
vSphere 5.1 Hardening Guide Released – Here is a quote from the release announcement:
I’m pleased to announce the availability of the official release of the vSphere 5.1 Hardening Guide. The guide is being released as an Excel spreadsheet only. This guide follows the same format as the 5.0 guide.
- All reference and documentation URLs and code samples have been updated for 5.1. The guide is available here
- The permanent home will be here soon: https://vmware.com/go/securityguides
Also available is a separate document containing the Change Log for the guide. The Change Log is available here
Source: vSphere Security Blog