The VMware vSphere Hardening Guide is something you should always be familiar with and keep stashed away in your vArmory of useful things. This MS Excel based document/guide contains valuable information and a checklist of the settings and best practices that you should be applying to your vSphere infrastructure to ensure that it is secure against the risk of common exploits, etc.
Mike Foley and the VMware vSphere security team have just released the latest update to the vSphere hardening guide which covers vSphere 5.5 Update 1 (U1). This is the latest update since the vSphere 5.5 version of the Hardening guide and contains all the usual great stuff pertaining to securing your vSphere environment, but also includes the following four new updates (along with minor amendments):
enable-VGA-Only-Mode: Used for server VM’s that don’t need a graphical console. e.g. Linux web servers, Windows Core, etc.
disable-non-essential-3D-features: Remove 3D graphic capabilities from VM’s that don’t need them.
use-unique-roles: A new companion control to use-service-accounts. If you have multiple service accounts then each one should have a unique role with just enough privs to accomplish their task. This is in line with least-priv operations
change-sso-admin-password: A great catch. When installing Windows vCenter, you’re prompted to change the password of administrator@vsphere.local. When installing the VCSA in a default manner you are not. This control reminds you to go back and do that.
As always I recommend that you download, familiarise and apply, where necessary, the security recommendations and best practices outlined in this guide, this will help you sleep at night knowing that your vSphere environment is better secured.
Download your copy of the vSphere 5.5 U1 Hardening Guide from VMware’s dedicated page here, where you can also download vSphere Hardening Guides for previous versions of vSphere.
Happy securing!
Leave a Reply