IT security can often become an issue once your company gets above a certain size. When considering the overall security of a VMware virtualized environment, limiting access to vCenter is the first step. Next, you should look at the security underlying the actual host itself and take steps to make that safer. These four steps will pave the way for a more secure VMware environment.
1. Restrict who can access the host
The first and easiest step to securing a host is to enable lockdown mode. This ensures that all the hosts connected to vCenter are managed by vCenter. It also prevents users from directly logging into the host using vSphere or any other tool that doesn't communicate through vCenter. To do this for ESXi version 4, log into vCenter and select a host you wish to secure. Click Configuration tab followed by Security. Navigate to Lockdown Mode, click Edit and click Enable Lockdown Mode. Click OK. If you are using version 5 of ESXi, log into the console and use the Direct Console User Interface (DCUI) to enable lockdown.
This feature is only available on ESX 4 and above. In an emergency, you can disable lockdown mode -- for example, if vCenter is unavailable for some reason -- by directly logging into the host console and disabling lockdown from the DCUI.
2. Secure the network
By default, when a vSwitch is created, it disables promiscuous mode but allows MAC address changes and forged transmits to accept. Unless you have a really compelling reason to do so, set MAC address changes to Reject and the same for forged transmits. Be careful, as some load-balancing products and virtual appliances make use of this feature.
To configure the switch security, select the host in question, go to Configuration, then Properties of the Network, to change. Select the virtual machine (VM) vSwitch and edit the switch. Select the Security tab and select from the dropdown to modify as needed. This operation can also be selected for port groups as well as switches.
It is also worth noting that if you do use port groups, the settings are inherited from the vSwitch settings unless you explicitly change them.
3. Secure the VM
By default, copy and paste between the client and the VM is enabled when using the vSphere application. In a secure environment, this is not an appropriate setting. In order to fix this, select the VM where you wish to prevent the copy-and-paste operation interaction. Then select Options>Advanced. Select the General tab and enter the following (or use a combination of them if you wish to enable only one operation, i.e., copy or paste):
isolation.tools.copy.disable true
isolation.tools.paste.disable true
4. Enable domain authentication
TIGHTEN SECURITY IN VCENTER
Use vCenter roles wisely for VM security
Four steps to securing vCenter
Sharing the root password creates several issues around security, not least accountability, but this can easily be resolved by changing the authentication methods. You can set up the host to use Active Directory (AD) authentication quite easily.
Before you enable this feature, you need to create a group in your AD infrastructure called ESX Admins. It must be exactly as shown or it will not work.
Once that is done, AD authentication can be enabled on the host. Find the host in question and go to the Configuration tab, click the Properties menu in the right-hand corner. This will pop up a Directory Services configuration menu. On the dropdown, choose Select Directory Service Type and select Active Directory. Domain settings will then become available. Fill in your domain name and press the Join Domain button. At this point you will need to enter an account with credentials to join the domain. If you have issues using the domain\username format, use user@domain format. The latter usually works better than the former.
To make life a bit easier, you may find it appropriate to nest your administrators group in the ESX Admins group. However, don't just place your Domain Admins group inside the ESX Admin group. Do it properly and create a group with your administrators in it.
This login can also be used for the DCUI console if needed.
By Stuart Burns
Posts
0 comments:
Post a Comment