vSphere 6.5 Update 1 Security Configuration Guide Released

Introduction

On the 12th March 2018 VMware released the latest version of the vSphere Security Configuration Guide. This is an indispensable guide for securing your vSphere infrastructure which I highly recommend all VMware admins read.

Purpose

I have been following the guide for a few iterations now. Back in the early versions there were a lot of settings that could mean the over zealous administrator could have gone in and potentially caused problems. For example in the v5.1 version of the guide there were 172 settings listed over multiple sheets. In the latest version there are 68. A couple of reason for this are the mitigation change has been eradicated due to code changes or the guidance is no longer required because the software is secure by default.

Also included are some common sense ‘best practices’. This goal of secure by default can be seen in the graphs in the blog post from VMware. In vSphere 6.5 there were 24 settings available to harden the deployment. In 6.5 Update 1 there are now 10 due to VMware coding the guidelines into the code. So for that 68 Guidelines 10 are Hardening settings with 58 Non-Hardening (Audit only + Site Specific). Great job VMware!

How To Use

The sheet is pretty easy to follow and covers a wide range of guidelines. As I said above some are pretty common sense. The first is the Guideline ID ESXi.apply-patches - keep your systems patched. There is no glory in having an uptime of 365 days! For each Guideline ID there is a column:

  • Guideline ID
  • Risk Profile
  • Description
  • Vulnerability Discussion
  • Configuration Parameter
  • Desired Value
  • Default Value
  • Is desired value the default
  • Action Type
  • Assessment using Web Client
  • Negative Functional Impact
  • Remediation using Web Client
  • vSphere API
  • ESXi Shell Command Assessment
  • ESXi Shell Command Remediation
  • vCLI Command Assessment
  • vCLI Command Remediation
  • PowerCLI Command Assessment
  • PowerCLI Command Remediation
  • Able to set using Host Profile
  • Reference
  • DISA STIG ID
  • Hardening
  • Site Specific Setting
  • Audit Setting

What I think is excellent about the guide is everything you need to learn and remediate the ‘issue’ is in the sheet. For example VM.disable-console-copy. The vulnerability discussion is:

Copy and paste operations are disabled by default. However, if you explicitly disable this feature audit controls can check that this setting is correct.

You can see from the guide the Desired Value is True and the Default Value is True. If you want to check your VM’s are compliant using PowerCLI the commands are listed:

# List the VMs and their current settings
Get-VM | Get-AdvancedSetting -Name "isolation.tools.copy.disable" | where {$_.value -eq "false"} | Select Entity, Name, Value

and if you want to remediate:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name "isolation.tools.copy.disable" -value $true

If you prefer using the GUI:

From the vSphere web client, select each VM and click “Configure” -> “Settings” -> “VM Options”. Expand “Advanced Settings”. Scroll the list of “Configuration Parameters” and ensure that the desired configuration parameter is present with the desired value.

All options for checking and remediating the Guideline is there. No having to Google or searching the VMware Knowledgebase. There is of course references to VMware documentation if available.

Please don’t take the Guidelines and blindly apply them to you environment. Evaluate each setting and make an informed decision if you want to apply it. At the very least you can use the Assessment options to verify your environment.

Conclusion

VMware, and in particular Mike Foley at VMware have done a great job on the guide with each iteration. It’s gone from a large, complicated set of Guidelines to an easy to follow, practical set of instructions anyone can follow and apply. Please check it out. Here is the link to the guide again.

Categories:

Updated: