Professional Documents
Culture Documents
ESXi 5.5
vCenter Server 5.5
This document supports the version of each product listed and
supports all subsequent versions until the document is
replaced by a new edition. To check for more recent editions
of this document, see http://www.vmware.com/support/pubs.
EN-001164-04
vSphere Security
2 VMware, Inc.
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright
20092013 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents
About vSphere Security 7
Updated Information 9
1 Security in the vSphere Environment 11
Security and the Virtualization Layer 11
Security and the Virtual Networking Layer 12
Security Resources and Information 12
2 vSphere Authentication with vCenter Single Sign-On 15
How vCenter Single Sign-On Protects Your Environment 15
vCenter Single Sign-On Components 17
How vCenter Single Sign-On Affects vCenter Server Installation 17
How vCenter Single Sign-On Affects vCenter Server Upgrades 19
Using vCenter Single Sign-On with vSphere 20
Configuring vCenter Single Sign-On 21
Managing vCenter Single Sign-On Users and Groups 33
Troubleshooting vCenter Single Sign-On 38
3 vSphere Security Certificates and Encryption 43
Certificates Used in vSphere 43
Certificate Replacement Overview 44
Certificate Automation Tool Deployment Options 45
Replacing vCenter Certificates With the vCenter Certificate Automation Tool 47
Replace vCenter Server Appliance Certificates 54
Replace vCenter Server Heartbeat Certificates 54
4 vSphere Users and Permissions 57
Hierarchical Inheritance of Permissions 57
Permission Validation 59
Using Roles to Assign Privileges 60
Best Practices for Roles and Permissions 60
Required Privileges for Common Tasks 61
Password Requirements 63
vCenter Server User Directory Settings 64
5 vCenter User Management Tasks 65
Managing Permissions for vCenter Components 65
Roles in vCenter Server and ESXi 68
Adjust the Search List in Large Domains in the vSphere Web Client 69
VMware, Inc. 3
6 Securing vCenter Server Systems 71
Hardening the vCenter Server Host Operating System 71
Best Practices for vCenter Server Privileges 71
Enable Certificate Checking and Verify Host Thumbprints in the vSphere Web Client 73
Removing Expired or Revoked Certificates and Logs from Failed Installations 73
Enable SSL Certificate Validation Over Network File Copy 74
Limiting vCenter Server Network Connectivity 74
7 Securing ESXi Hosts 77
General ESXi Security Recommendations 77
ESXi Firewall Configuration 82
Assigning Permissions for ESXi 86
Using Active Directory to Manage ESXi Users 89
Replacing ESXi SSL Certificates and Keys 91
Uploading an SSH Key to Your ESXi Host 94
Using the ESXi Shell 96
Lockdown Mode 100
Using vSphere Authentication Proxy 103
Replace the Authentication Proxy Certificate for the ESXi Host 107
Modifying ESXi Web Proxy Settings 107
vSphere Auto Deploy Security Considerations 112
Managing ESXi Log Files 113
8 Securing Virtual Machines 117
General Virtual Machine Protection 117
Disable Unnecessary Functions Inside Virtual Machines 118
Use Templates to Deploy Virtual Machines 123
Prevent Virtual Machines from Taking Over Resources 123
Limit Informational Messages from Virtual Machines to VMX Files 124
Prevent Virtual Disk Shrinking in the vSphere Web Client 124
Minimize Use of Virtual Machine Console 125
Configuring Logging Levels for the Guest Operating System 125
9 Securing vSphere Networking 127
Introduction to vSphere Network Security 127
Securing the Network with Firewalls 128
Secure the Physical Switch 134
Securing Standard Switch Ports With Security Policies 134
Securing Standard Switch MAC Addresses 135
Secure vSphere Distributed Switches 136
Securing Virtual Machines with VLANs 137
Creating a Network DMZ on a Single ESXi Host 139
Creating Multiple Networks Within a Single ESXi Host 140
Internet Protocol Security 142
Ensure Proper SNMP Configuration 145
Use Virtual Switches on the vSphere Network Appliance Only If Required 145
vSphere Security
4 VMware, Inc.
10 Best Practices for Virtual Machine and Host Security 147
Synchronizing Clocks on the vSphere Network 147
Securing iSCSI Storage 148
Masking and Zoning SAN Resources 150
Control CIM-Based Hardware Monitoring Tool Access 150
Verify That Sending Host Performance Data to Guests is Disabled 151
11 Defined Privileges 153
Alarms 154
Datacenter 155
Datastore 155
Datastore Cluster 156
vSphere Distributed Switch 156
ESX Agent Manager 157
Extension 157
Folder 158
Global 158
Host CIM 159
Host Configuration 159
Host Inventory 160
Host Local Operations 161
Host vSphere Replication 162
Host Profile 162
Network 162
Performance 163
Permissions 163
Profile-driven Storage 164
Resource 164
Scheduled Task 165
Sessions 165
Storage Views 165
Tasks 166
vApp 166
vCenter Inventory Service Tagging 167
Virtual Machine Configuration 168
Virtual Machine Guest Operations 170
Virtual Machine Interaction 170
Virtual Machine Inventory 172
Virtual Machine Provisioning 172
Virtual Machine Snapshot Management Privileges 173
Virtual Machine vSphere Replication 174
dvPort Group 174
vServices 175
VRM Policy 175
Index 177
Contents
VMware, Inc. 5
vSphere Security
6 VMware, Inc.
About vSphere Security
vSphere Security provides information about securing your vSphere
vCenter