VMware vCenter Configuration Manager - 5.6 Security Guide

VMware vCenter Configuration Manager
Security Guide
vCenter Configuration Manager 5.6
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see
http://www.vmware.com/support/pubs.
EN-001046-00
VCM Security Guide
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
© 2006–2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
VMware, Inc.

Contents

About This Book 7
Introduction to VCM Security 9
VCM Security Environment 9
VCM Components 9
How Personnel Use VCM 11
Trust Zones 12
System Guidelines Across Zones 12
Domain Infrastructure 15
Using VCM to Manage Infrastructure Zone Systems 15
Infrastructure Zone Machine Group 15
Domain Controller 15
Microsoft Domain Controller Hardening Guidelines 16
Domain Controller Diagnostic Tests 16
Network Infrastructure Services 16
Network Infrastructure Systems 16
Domain Accounts 16
Carefully Assigning Accounts 17
VCM Application Services Account 17
Personnel Considerations 17
Confidentiality of Collected Data 17
Vulnerability of Exported Data 17
VCM Installation Kits 19
Sources for Installation Kits 19
Protecting Installation Kits 19
Unknown Software Publisher Warnings 20
Do Not Use VCM Remote to Install Other Software 20
Server Zone Security 21
Using VCM to Manage Server Zone Systems 21
Server Zone Administrator Role 21
Server Zone Auditor Role 21
General Security Guidelines for VCM Servers 22
Protection Profiles 22
Physical Security 22
Disabling Automatic Login 22
Dedicating a Server to VCM 23
Foundation Checker 23
Trusted Software 23
Routine Backup, Patching, and Virus Scanning 23
Authentication Certificates 23
FIPS Cryptographic Service Providers 23
VCM Collector Server 25
Using VCM to Manage the Collector Server 25
Having a Collector Machine Group in VCM 25
SQL Server 27
Using VCM to Manage the SQL Server 27
Having a SQL Server Machine Group in VCM 27
Microsoft SQL Server Best Practices and Hardening Tests 27
Direct SQL Server Login 28
Login Accounts for SQL Server 28
Restrict Access to Configuration Tools 28
Delegation for Split Installations 28
Do Not Connect from Outside the Server Zone 29
Web Server 31
Using VCM to Manage the Web Server 31
Having a Web Server Machine Group in VCM 31
Using Windows Integrated Authentication 31
Using HTTPS 32
Web Server Certificates 32
Mutual Authentication 32
VCM Agent Systems and Managed Machines 33
Trusting the VCM Agent on a Managed Machine 33
Using VCM to Manage Machines 33
Machine Groups 33
Restricting Access to Scripting 34
Users Who Are Not Local Administrators 34
VCM Agent 34
Agent Installation Directory 34
Agent Availability 34
Continuous Possession and Control of the Agent 34
Unauthorized Agents 35
Restricting Access to Machine Configuration 35
Local Administrator Account 35
BIOS Password 35
Disabling Alternative Startup 35
Maintenance Mode 35
Trusted Certificate Store 36
Protecting Private Keys 36
Protecting Authorized Collector Certificates 36
Securing Machine Backups that Contain Keys 36
Enterprise Certificate 36
Trustworthiness of Data 36
Individual Collection Results 37
VCM User Interface System 39
Using VCM to Manage the UI System 39
User Interface Systems Machine Group 39
Access Control 40
Disabling Automatic Login 40
Disabling Simultaneous Login 40
Using Windows Credentials 40
Public Access Points 41
Cross-site Scripting 41
Internet Explorer Trusted Zone 41
Adding the VCM Web Server 41
Removing Untrusted Systems 42
Customizing Internet Security Options 42
Trusted Software 42
Verifying Certificates 42
HTTPS Certificate 42
VMware Software Publisher Certificate 43
FIPS Cryptographic Service Providers 43
Running Anti-virus and Anti-rootkit Tools 43
Software Provisioning Components 45
Separating and Securing the Software Provisioning Zone 46
Software Publishers and Software Signing 46
Protection of Repositories 46
Connecting to Repositories 46
Software Provisioning Credentials 47
Operating System Provisioning Components 49
Separating and Securing the OS Provisioning Zone 50
Dedicating a Server to Operating System Provisioning 50
Closing Unnecessary Ports 50
Protection of Baseline OS Images 50
OS Provisioning Credentials 50
Decommissioning 53
Erasing versus Deleting 53
Confidential Data to Remove 53
Distinct Collector and Agent Keys 53
Enterprise Certificate Key and Web Server Keys 54
Removal of Agent Keys at Uninstallation 54
Network Authority Accounts 54
Erasing Server Disks 54
Erasing Virtual Machines 54
Authentication 57
Transport Layer Security 57
Server Authentication 57
Mutual Authentication 57
Keys and Certificates 57
Using Single or Paired Keys 58
Certificates 58
Public Key Infrastructure 58
Trust Chains 58
Certificate Expiration and Revocation 59
Certificate Standards 59
Certificate Storage 59
How VCM Uses Certificates 59
Enterprise Certificate 60
Collector Certificate 61
Agent Certificates 62
Installing Certificates for the VCM Collector 63
Installing Certificates on the First Collector 63
Certificates for Additional Collectors 64
Changing Certificates 64
Renewing Certificates 64
Replacing Certificates 65
Delivering Initial Certificates to Agents 66
Installing the Agent 66
Changing the Communication Protocol 67
Storing and Transporting Certificates 68
Access the Windows Certificate Store 68
Export a Certificate on Windows 68
Import a Certificate on Windows 69
Mark a Certificate as Authorized on Windows 69
Creating Certificates Using Makecert 70
Create the Enterprise Certificate and First Collector Certificate 71
Create Certificates for Additional Collectors 71
Importing Certificates for Additional Collectors 72
Makecert Options 72
Update the Collector Certificate Thumbprint in the VCM Database 74
Managing the VCM UNIX Agent Certificate Store 75
Using CSI_ManageCertificateStore 75
Supplemental References 81
Cryptography 81
FIPS for Windows 81
FIPS Used by VCM Agent Proxies 83
Export Considerations 83
VCM Ports 84
Index 87

About This Book

The VMware vCenter Configuration Manager Security Guide describes how to harden vCenter Configuration Manager (VCM) for secure use.
Parts of this document describe assumptions made in the design and operation of VCM. For example, the guarantees regarding VCM logins assume that the domain controller for each user is trusted. Other parts of this document describe specific, nondefault hardening requirements that you must apply.
Intended Audience
This information is for experienced Windows, Linux, UNIX, or Mac OS X system administrators who are familiar with managing network users and resources, and with performing system maintenance.
To use this information effectively, you must have a basic understanding of how to configure network resources, install software, and administer operating systems. You also need to fully understand your network topology and resource naming conventions.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.
Technical Support and Education Resources
The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support. Customers with appropriate support contracts should use telephone support for priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.

Introduction to VCM Security

To understand VCM security requirements, familiarize yourself with the overall security environment, VCM components, VCM personnel roles, and trust zones.

VCM Security Environment

VCM operates in the context of a security environment, which involves system configuration, personnel and usage assumptions, organizational security policies, and best practices. Security requirements are met either by controls built into VCM that leverage the security environment or by controls built into the environment itself. When a security requirement is not met, the confidentiality, integrity, or availability of information assets that flow through the deficient system is at risk.
A healthy security environment assumes or provides certain guarantees:
- Trust in, and training for, your authorized VCM users
- Protection of VCM installation kits from tampering
- Protection of current VCM systems from access by unauthorized users
- Proper decommissioning of outgoing VCM systems
To establish proper security, you must prepare and apply security requirements across the following equipment:
- The server that acts as the VCM Collector
- The VCM SQL Server and database system
- The VCM Web server
- The VCM user interface Web browser
- Systems on which the VCM Agent runs
- The domain, its supporting infrastructure, and user accounts

VCM Components

VCM is a distributed application with several physical and conceptual components:
- Collector service that processes requests and receives results
- SQL Server database that stores results and application control information
- Internet Information Services (IIS) Web server that hosts the UI Web application and accepts work requests
- Browser-based user interface (UI) that renders in Internet Explorer (IE) on user desktops
- Agents that inspect managed machines and return results in response to requests
In some installations, optional components might also be present:
- An Agent proxy that works with ESX, ESXi, and vSphere servers
- An orchestration system that coordinates with service desk applications such as Remedy
- A VCM Remote service
- Operating system provisioning components
- Software provisioning components
- Alternative source file servers that store VCM installation kits and VCM Patching patches
With the exception of the UI, Agent, alternative sources, and OS Provisioning Server, all VCM components run on Microsoft Windows Server systems. The UI runs in Internet Explorer on Windows desktops. The Agent executes on either Windows or UNIX systems, including Linux, Solaris, HP-UX, AIX, and Mac OS X. An alternative source can be any file server that exports shares or FTP.
The following figure shows VCM components, with the exception of provisioning and alternative sources. Provisioning component areas appear in their respective chapters.
Figure 1–1. VCM Components and Zones
CAUTION Any system that participates in your VCM environment can contain sensitive data, or it can hold authentication keys that can grant access to sensitive data on other systems. Never reuse or dispose of VCM systems without proper decommissioning as described in "Decommissioning" on page 53.
As shown, a combination of VCM services can share one system. In a single-machine installation, the Collector, SQL Server, IIS Web server, and Web application are installed on one system. Optional split installation configurations support running the SQL Server and database on a separate system and the IIS Web server on a separate system.

How Personnel Use VCM

Different personnel use the features of VCM.
- Domain administrators create the accounts and manage the infrastructure in which VCM runs. The infrastructure includes domain controllers, routers, certificate servers, SMTP email servers, domain name services (DNS), and dynamic host configuration protocol (DHCP) servers.
- A VCM installer loads the VCM software and configures the Collector, SQL Server, IIS, and other services. The installer is also the first VCM administrator and is responsible for authorizing other administrators and regular VCM users from the inventory of accounts that the domain administrators manage.
- VCM users and administrators log in to VCM and use its Web interface to administer managed machines using the Agents, run compliance tests, and generate reports. VCM administrators, users, or managed machine administrators can install, upgrade, and uninstall Agents.

Trust Zones

Conceptually, VCM components are organized into trust zones. The zones and boundaries are for ease in understanding VCM security and are not related to zones in Internet Explorer or your domain, nor are they cited anywhere in the VCM user interface.
- Infrastructure. Domain controllers, routers, SMTP servers, DNS servers, and other infrastructure items
- User interface. VCM user desktops
- Server. Collector service, SQL Server, IIS, Web application, Agent proxy, software provisioning repository, VCM Remote service, and Orchestrator
- Agent. Managed machines and alternative sources. Multiple Agent zones are supported.
- Operating system provisioning. OS Provisioning Servers, provisionable targets, and the network infrastructure that connects them
Domain administrators manage the infrastructure, user interface zone, and server zone. A local zone administrator controls each Agent zone. This administrator is often the administrator of the managed machine or repository.
The zones help you understand the trust between VCM components at a more detailed level than by domain controller domains alone. A trust boundary separates each zone. Without special configuration or authentication, the machines and services in one zone distrust the machines and services in another zone. Special configuration can establish implicit trust, and authentication can establish trust between components that are not configured for implicit trust.
When an entire zone trusts another zone, every VCM component in the first zone implicitly trusts every component in the second zone. If two machines reside in the same zone, they do not necessarily trust each other, but rather they are not required to distrust each other by default. After you install VCM, the user interface and Agent zones trust the infrastructure and server zones.
The server zone trusts only the infrastructure zone, and does not trust the user interface zone except as a source of user interface commands from VCM users authenticated by the infrastructure. The server zone trusts the Agent zone as a source for Agent data, but not to provide data or implement change that would affect other Agents or the VCM configuration.

System Guidelines Across Zones

There are certain security requirements in this document that apply across more than one zone. The following table summarizes them in case you want to make these wider configuration changes in one pass through your security environment.
Table 1–1. Zones and Requirements
Columns: Infrastructure Zone, Server Zone, UI Zone, Agent Zone (an X marks a zone to which the requirement applies)
Cryptographic service providers are FIPS-140 validated.        X X
Only trusted software is installed in the zone.                X X X
Access to machine configuration settings is restricted.        X X X X
Routine backups, patches, and virus scanning are performed.    X X X X
The provisioning zone is not listed in the table. For provisioning details, see "Software Provisioning Components" on page 45 or "Operating System Provisioning Components" on page 49.

Domain Infrastructure

Securing the domain infrastructure for use with VCM involves configuring the domain controller, network infrastructure services, network infrastructure systems, certificates, accounts, and personnel.

Using VCM to Manage Infrastructure Zone Systems

After you install VCM, your first course of action should be to manage infrastructure zone systems in VCM and subject them to assessment. VCM comes with compliance rules for domain controller best practices, domain controller health, and other settings that are valuable in domain infrastructure zones. In addition, you can create your own templates and rules.
The rest of this chapter briefly explains the infrastructure zone security hardening steps to pursue, either manually or, if possible, through compliance rules.

Infrastructure Zone Machine Group

For the settings that you can apply using VCM, having the infrastructure systems in their own, dedicated machine group provides a way of managing the systems and synchronizing their settings.
For example, you prevent non-VCM administrators from having administrator access to infrastructure systems by placing all infrastructure systems in the dedicated machine group and configuring the group to be accessible only to VCM administrators.

Domain Controller

VCM relies on a domain controller in order to perform the following functions:
- Authenticate VCM users
- Discover machines to manage
- Enumerate domain group members
- Run VCM services under Network Authority accounts
- Authenticate administrators who control the systems on which VCM and its databases are installed
As the VCM installer and administrator, you identify the domain controller in VCM when you install, discover domain controllers, add new Network Authority accounts, or add VCM users.
CAUTION Do not authorize VCM accounts to principals authenticated by an untrusted domain controller, and do not join VCM servers to an untrustworthy domain.

Microsoft Domain Controller Hardening Guidelines

To secure the domain controller for use with VCM, start by following Microsoft domain controller hardening guidelines, available for various server versions on the Microsoft Web site.
The Microsoft guidelines are more comprehensive than the compliance templates and need to be followed even if you are managing the domain controller with VCM.

Domain Controller Diagnostic Tests

Part of correctly configuring a domain controller for use with VCM is to run the dcdiag utility. The dcdiag utility checks for general connectivity and responsiveness of a domain controller, which includes verifying that the domain controller has the following properties.
- Can be located in DNS
- Responds to ICMP pings
- Allows LDAP connectivity
- Allows binding to the Active Directory RPC interface

Network Infrastructure Services

VCM relies on network infrastructure services. For VCM to operate correctly and reliably, you must properly configure, secure, and make these services available and responsive. An active denial of service (DoS) or other attack on network infrastructure services can affect VCM performance.
- DNS and WINS. Translate domain names into IP addresses.
- Email. Used for VCM notifications and alerts.
- Time servers. Synchronize timekeeping across systems, which allows Kerberos authentication and certificate validation to work.
- DHCP. Even when not used directly on VCM servers, DHCP assigns IP addresses consistently in the rest of the security environment.

Network Infrastructure Systems

VCM relies on secure infrastructure services, such as DNS, NTP, DHCP, routers, and services that issue certificates. The systems on which these services are hosted must be at least as secure as VCM. Protect network infrastructure systems with the following:
- Firewalls or vShield
- Anti-virus software
- Current security updates
- Controls or login authorizations that restrict access to trusted personnel only

Domain Accounts

VCM accounts must only be granted to users who are trusted, trained, and qualified as system and network administrators. A "VCM account" is a domain or local account that is granted authorization to use VCM.

Carefully Assigning Accounts

As an enterprise-wide configuration management and compliance tool, VCM can collect, correlate, and change system data on managed machines throughout the enterprise. VCM can configure security policies, collect and aggregate confidential information, install software and patches, and generally act as an administrator interface over an entire network.
VCM is intended for use only by responsible system and network administrators who protect their access from being subverted for unauthorized uses.
VCM administrators must follow these guidelines:
- Do not assign entire domain groups to VCM accounts.
- Set Windows login restrictions and password policies for user accounts that are VCM accounts to values consistent with administrator accounts.

VCM Application Services Account

Make the VCM Application Services account a domain user account. The VCM Application Services account must be a domain user because the account has full administrator authority for the CSI_Domain database.
Do not use the VCM Application Services account for VCM login or for any other purpose.

Personnel Considerations

For your VCM environment to be secure, the personnel who work with VCM must be trusted.

Confidentiality of Collected Data

The results of a VCM collection can contain infrastructure configuration settings, password and credential policies, encrypted password file entries, and any file uploaded from a managed machine.
VCMusers must protect collected data as confidential information. Even if this data was not guarded as confidential on the managed machine itself, it might be confidential to the machine users. Without explicit knowledge about what data is sensitive, VCM users must treat and protect all collection results as confidential.
CAUTION Do not store collected data on public shares or in directories that are accessible to other
users, including other VCM users, because they might not have collection rights on the machine from which the data originated.

Vulnerability of Exported Data

VCM supports several ways for personnel to export collected data:
- Email notifications and alerts
- Exported or printed grids
- Exported SRS summary views and reports
- Service desk work requests
- Uploaded and exported files
- Screen snapshots
VCM cannot control access to data after it is exported in these ways. When data must be exported, personnel must protect the exported files while stored or in transit to other sites.

VCM Installation Kits

Like the systems on which VCM runs, the software installation kits for VCM must be secured and protected from tampering.

Sources for Installation Kits

Secure operation of VCM requires that its product software kit not be tampered with and that it is intact as delivered by VMware. The best practice is to ensure that each kit is obtained directly from VMware, from another secure and trusted source, or that it is verified.
VMware ships VCM and add-on products on CD/DVD and in packages signed by the VMware Software Publisher Certificate. The kit can reach customer machines in the following ways:
- Physical CD/DVD
- Download from http://downloads.vmware.com
- ClickOnce download from the server zone
- Agent push install by the Collector service
- Patching Agent push by VCM Patching
- Thin client user interface by HTTP
- VCM Remote updates
- Patching deployed patches and updates
- VMware VCM software provisioning
- SMS
- Group Policy
- VCM Remote Command file attachments
You can verify EXE and MSI installers with the chktrust.exe certificate verification tool from the Microsoft Developer Network. Alternatively, you can verify using signtool.exe, also available from Microsoft.

Protecting Installation Kits

VCM installation kits that are stored on writable media must be protected from tampering before installation. Verify the Authenticode signature of each installation kit before you install it. For example:
C:\> signtool verify /a /v "CMAgent<version>.msi"
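The same check scripted in PowerShell, as an added example that is not part of the VMware guide: it refuses a kit whose signature is not valid or whose signer is not the expected publisher. The kit path and the publisher subject prefix are assumptions to adjust for your environment.

```powershell
# Added example, not from the VMware guide: check a kit's Authenticode signature
# and signer before installation. $KitPath and $ExpectedPublisher are assumptions.
param(
    [string]$KitPath = 'C:\Kits\CMAgent.msi',       # assumed location of the kit
    [string]$ExpectedPublisher = 'CN=VMware, Inc.'  # assumed subject prefix of the signer
)

function Test-VcmKitSignature {
    param([string]$Path, [string]$Publisher)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Installation kit not found: $Path"
        return $false
    }

    # Get-AuthenticodeSignature checks the embedded signature against the file's
    # current hash and builds the certificate chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) means the
    # kit is unsigned, was modified, or is signed by a certificate this machine does not trust.
    if ($sig.Status -ne 'Valid') {
        Write-Warning ('Signature check failed for {0}: {1} ({2})' -f $Path, $sig.Status, $sig.StatusMessage)
        return $false
    }

    # A valid signature from the wrong publisher is still a substituted kit.
    $subject = $sig.SignerCertificate.Subject
    if (-not $subject.StartsWith($Publisher, [System.StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning ('Kit is validly signed, but by an unexpected publisher: {0}' -f $subject)
        return $false
    }

    # Record the signer and thumbprint so the change record shows what was verified.
    Write-Host ('OK: {0} signed by {1} (thumbprint {2}, not after {3})' -f
        $Path, $subject, $sig.SignerCertificate.Thumbprint, $sig.SignerCertificate.NotAfter)
    return $true
}

if (-not (Test-VcmKitSignature -Path $KitPath -Publisher $ExpectedPublisher)) {
    exit 1   # refuse to proceed with installation
}
```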

Unknown Software Publisher Warnings

Do not ignore unknown software publisher warnings during ClickOnce installations unless the publisher is VMware.
When you install ClickOnce software through the VCM user interface, Internet Explorer warns you when the software comes from an untrusted publisher. An untrusted publisher can be anyone, even a company that you recognize. The warning means only that the certificate is not in the trusted software publisher certificate store.
If you receive an unknown software publisher warning, open the certificate details view. VMware software is signed with the VMware Software Publisher Certificate. If the software publisher is VMware, you can install in spite of the warning.

Do Not Use VCM Remote to Install Other Software

Although VCM Remote can push new VCM Remote Agents to VCM Remote clients, do not use this mechanism to distribute software other than VCM Remote.

Server Zone Security

Address the following security environment guidelines for all systems in the server zone, including the VCM Collector, SQL Server host, and Web server. These three functions might reside all on one system, or they might be distributed across two or three. Be sure to apply the security settings in this chapter to all the systems that are used.
Server zone systems must be treated and managed with security measures that are consistent with those used for the infrastructure zone.
- For security instructions that are unique to the VCM Collector, see "VCM Collector Server" on page 25.
- For security instructions that are unique to the SQL Server host, see "SQL Server" on page 27.
- For security instructions that are unique to the Web server, see "Web Server" on page 31.

Using VCM to Manage Server Zone Systems

After you install VCM, your first course of action should be to manage server zone systems in VCM and subject them to assessment. VCM comes with compliance rules for some of the necessary security settings on the Collector, SQL database server, and Web server. In addition, you can create your own templates and rules.
The rest of this chapter briefly explains security hardening steps to pursue, manually or through compliance rules, for all server zone systems.
Machines in the VCM server zone need to be trusted more than those in the user interface, managed machine, or provisioning zones. In VCM, server zone systems must be controlled with the same measures used for infrastructure systems such as domain controllers.

Server Zone Administrator Role

VCM can manage its own servers, but it is unsafe to allow nonadministrator VCM users into server zone systems. When nonadministrator VCM users administer a VCM server, they have access to all the data and actions that are authorized to VCM. To help prevent this situation, create a role dedicated solely to server zone administration.
Having a role dedicated to server zone administration minimizes the risk of granting access to VCM servers to nonadministrator VCM users.

Server Zone Auditor Role

Create an auditor role, for example, VcmAuditor, in VCM that has read-only access to all VCM data but has no rights to create change actions or invoke inspections. Place at least one user account in that role.
Having an auditor role is an industry best practice.

General Security Guidelines for VCM Servers

In the server zone, VCM systems store and manipulate the collected data and change requests for every managed machine.
All server zone systems must have the following properties:
- Unavailable for login by general users
- Protected from the open Internet by firewalls
- Updated to the current operating system patch levels
- Routinely backed up
- Trusted by managed resource administrators
Specifically, managed resource administrators implicitly delegate administrative rights over their resources when they allow the VCM Agent to be installed. Consequently, the managed resource administrators must have administrative trust in both the VCM users and in the VCM servers.

Protection Profiles

Operating systems for VCM servers must conform to the Controlled Access Protection Profile (CAPP) or General Purpose Operating System Protection Profile (GPOSPP), described on the Common Criteria Evaluation and Validation Scheme Web site.
The protection profiles ensure the following safeguards:
- Access to the system is protected by a certified authentication process.
- User data is protected from other users.
- Security functions of the operating system are protected from unauthorized changes.
Windows 2000, XP, Vista, and 7, and Windows Server 2003, 2008, and 2008 R2 conform to the CAPP. Windows 7 and Windows Server 2008 R2 conform to the GPOSPP.

Physical Security

An administrator must maintain possession and control of any VCM server zone system. The loss of possession or control of a VCM server zone system subjects the server to offline analysis, which can mean the loss of confidentiality or integrity of its data or the misuse of its software. Even the temporary loss of possession presents a risk, regardless of whether confidentiality appears to have been preserved.
If the VCM server zone systems run on virtual machines, the administrator must maintain possession and control of physical machines on which the virtual machines are hosted.
Use physical (possession, locks) or cryptographic (encrypted file system) means to maintain continuous control of VCM server zone systems.

Disabling Automatic Login

VCM systems in the server zone must require login access control.
Automatic login is a convenience that logs a specific Windows user into a machine after the machine finishes restarting. Because it bypasses the access control that the login prompt provides, always disable automatic Windows login on VCM systems in the server zone.
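An audit-and-remediate script for this requirement, as an added example that is not part of the VMware guide: it reads the Winlogon values that control automatic login and, with -Remediate, turns the feature off and removes the stored credential. The registry key and value names are the standard Windows ones; run it from an elevated shell.

```powershell
# Added example, not from the VMware guide: audit Windows automatic login on a
# server zone system and, with -Remediate, turn it off. Run from an elevated shell.
param([switch]$Remediate)

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    $p = Get-ItemProperty -Path $WinlogonKey
    [pscustomobject]@{
        AutoAdminLogon     = $p.AutoAdminLogon          # '1' enables automatic login
        DefaultUserName    = $p.DefaultUserName
        DefaultDomainName  = $p.DefaultDomainName
        HasDefaultPassword = [bool]$p.DefaultPassword   # cleartext password kept in the registry
        AutoLogonCount     = $p.AutoLogonCount          # remaining automatic logins, if set
    }
}

function Test-AutoLogonEnabled {
    param($State)
    # Sysinternals Autologon keeps the password as an LSA secret rather than in
    # DefaultPassword, so AutoAdminLogon is the authoritative switch; the stored
    # password is reported separately because it is a secret at rest.
    return ($State.AutoAdminLogon -eq '1')
}

function Disable-AutoLogon {
    # Setting AutoAdminLogon to 0 disables the feature; the stored password and the
    # counter are removed so the credential does not remain readable in the registry.
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0' -Type String
    foreach ($name in 'DefaultPassword', 'AutoLogonCount') {
        Remove-ItemProperty -Path $WinlogonKey -Name $name -ErrorAction SilentlyContinue
    }
}

$state = Get-AutoLogonState
$state | Format-List

if (Test-AutoLogonEnabled $state) {
    Write-Warning ("Automatic login is enabled for {0}\{1}" -f $state.DefaultDomainName, $state.DefaultUserName)
    if ($Remediate) {
        Disable-AutoLogon
        Write-Host 'Automatic login disabled; confirm that the login prompt appears after the next restart.'
    }
} elseif ($state.HasDefaultPassword) {
    Write-Warning 'Automatic login is off, but a DefaultPassword value is still stored in the registry.'
    if ($Remediate) { Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword }
} else {
    Write-Host 'Automatic login is disabled.'
}
```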

Dedicating a Server to VCM

VCM relies on the server operating system to protect the confidentiality, integrity, and availability of server zone data from other services or users that run on the VCM server zone systems.
When server zone systems are used for purposes other than VCM, the risk of granting unintended access to VCM data exists if those services or users have server administrator rights.

Foundation Checker

The VCM Foundation Checker determines whether a machine configuration is compatible with VCM.
Candidate systems must pass the Foundation Checker evaluation before you install VCM. Do not install VCM on systems that fail Foundation Checker.

Trusted Software

Even if server zone systems are dedicated to running VCM, you might need software packages beyond those from VMware or Microsoft.
Install only trusted software, preferably software that is accompanied and verified by a software publisher certificate. It is unsafe to run software of unaccountable origin on machines in the VCM server zone.

Routine Backup, Patching, and Virus Scanning

Routine maintenance functions like backups, patches, and virus scanning must be performed on VCM servers. You can perform these functions using VCM.

Authentication Certificates

VCM establishes the validity of HTTPS SSL certificates that IIS uses, and TLS certificates used during Collector-to-Agent communication. To verify the validity, VCM checks signatures up the trust chain, from the certificate in question up to a certificate installed in one of the trusted certificate stores.
VCM assumes and trusts that:
- A certificate in a trusted store is in fact trusted.
- Certificate authorities that issue certificates in a trusted store are trusted.
- Certificate services that manage certificates in a trusted certificate store, and the associated renewals and revocations, are trusted.
IMPORTANT VCM trusts any certificate in the trusted store, even one that was not issued for VCM.
To view the contents of the trusted certificate store on Microsoft platforms, use the Certmgr.exe Certificate Manager Tool or the Microsoft Management Console (MMC) Certificates snap-in.
For more about authentication and certificates, see "Authentication" on page 57.
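The following PowerShell script is an added example, not part of the VMware guide. It makes the trust decision described above explicit: it lists every certificate in the machine's trusted root store (each of which VCM will accept as an anchor, whether or not it was issued for VCM) and then builds and validates the chain for one server certificate, with revocation checking, using the .NET X509Chain class. The thumbprint parameter is an assumption; replace it with the thumbprint of the certificate bound in IIS or used by the Collector.

```powershell
# Added example (not from the VCM Security Guide): inventory the trusted root store
# and validate one server certificate's chain up to it, including revocation.
param([string]$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567')  # assumed value

# 1. Every entry in LocalMachine\Root is trusted unconditionally. Review the list for
#    roots that nobody in the organization can account for.
Write-Output '--- Trusted root store (LocalMachine\Root) ---'
Get-ChildItem Cert:\LocalMachine\Root |
    Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize

# 2. Load the server certificate from the machine's personal store.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# 3. Build the chain the way a verifier would: signatures checked up to a root in the
#    trusted store, and revocation checked online for every certificate in the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags =
    [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$ok = $chain.Build($cert)

Write-Output ("--- Chain for {0} ---" -f $cert.Subject)
foreach ($el in $chain.ChainElements) {
    Write-Output ("  {0}  (thumbprint {1})" -f $el.Certificate.Subject, $el.Certificate.Thumbprint)
}
Write-Output ("Chain builds to a trusted root: {0}" -f $ok)

# 4. On failure, ChainStatus explains why (untrusted root, expired, revoked,
#    revocation status unknown, and so on).
if (-not $ok) {
    foreach ($s in $chain.ChainStatus) {
        Write-Output ("  problem: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    exit 1
}
```

The last element of the chain is the root that the server's trust ultimately rests on; confirm it is one you expect to see in the store listing from step 1, not merely one that happens to be there.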

FIPS Cryptographic Service Providers

Most government and financial organizations require the use of FIPS cryptography. FIPS is also part of the VCM Common Criteria Security Target. All cryptographic service providers (CSPs) installed in the zone should be FIPS 140-validated.
The Microsoft CSPs that ship with Windows 2000, 2003, XP, Vista, Windows 7, and Server 2008 meet the FIPS 140-2 standard. Do not delete, replace, or supplement these packages with non-FIPS cryptography.
All systems in this zone are Microsoft Windows-based. To view the list of installed cryptographic service providers, run the following command:
C:\> certutil -csplist
Check your list against the National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Web site to verify that your modules are FIPS 140-validated.
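The following PowerShell script is an added example, not part of the VMware guide. It automates the check above: it reads the Windows FIPS algorithm policy setting, parses the provider names printed by certutil -csplist, and reports any provider that is not on an allow-list. The allow-list in the script is an assumption for illustration; replace it with the module names you confirmed on the NIST CMVP validated-modules list for your exact Windows version.

```powershell
# Added example (not from the VCM Security Guide): report the FIPS policy state and
# flag installed cryptographic providers that are not on a reviewed allow-list.

# 1. The Windows FIPS algorithm policy (also set by the "System cryptography: Use FIPS
#    compliant algorithms..." security option) restricts Windows components to the
#    FIPS-validated algorithms in the Microsoft CSPs.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
if ($fips -and $fips.Enabled -eq 1) {
    Write-Output 'FIPS algorithm policy: enabled'
} else {
    Write-Warning 'FIPS algorithm policy is NOT enabled (FipsAlgorithmPolicy\Enabled is not 1)'
}

# 2. certutil -csplist prints one "Provider Name: <name>" line per installed provider.
$installed = foreach ($line in (certutil -csplist)) {
    if ($line -match '^\s*Provider Name:\s*(.+?)\s*$') { $Matches[1] }
}

# 3. Assumed allow-list (hypothetical for this example). Build yours from the NIST CMVP
#    list: a provider not on it is either non-Microsoft or not yet verified.
$allowed = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

$unexpected = @($installed | Where-Object { $allowed -notcontains $_ })
Write-Output ("Installed providers: {0}" -f @($installed).Count)
if ($unexpected.Count -gt 0) {
    Write-Warning 'Providers not on the allow-list (review against NIST CMVP):'
    $unexpected | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
Write-Output 'All installed providers are on the allow-list.'
```

A provider being on the allow-list does not by itself prove the installed binary is the validated build; the CMVP entry names specific module versions, so pair this check with the patching practice described earlier in this chapter.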

VCM Collector Server

The following sections describe security and hardening guidelines that are unique to the VCM Collector function by itself. The Collector might be the same machine as the one that hosts the database or the Web server, or it might be a standalone system.

Using VCM to Manage the Collector Server

After you install VCM, use it to manage the Collector server itself, subject it to assessment, and maintain its integrity. Running the following VCM compliance template against the Collector detects and identifies some of the security setting and configuration issues that you must address, including non-VCM administrators who have access to systems and administrator functions.
VMware vCenter Configuration Manager Hardening - Host
NOTE If you have VCM installed and are preparing to set up another Collector, running the template can help you preharden the candidate system.

Having a Collector Machine Group in VCM

To better manage Collector systems, place them into a separate, dedicated Collector machine group in VCM, and make sure that the machine group is not authorized to any nonadministrator VCM user. Without a machine group, you might mix VCM Collector management with non-VCM servers, which can result in the misconfiguration of necessary security settings.
Managing the right group of Collectors allows them to be assessed routinely by the VCM security assessment compliance tests and monitored for configuration and change. These tests and changes can be managed and tracked through VCM.
If you do not organize all Collectors into a machine group, it is harder for VCM to assess, track, and control the security posture of the Collectors. Also, if a new Collector comes under VCM management, it might be incorrectly placed into a machine group that is managed by nonadministrator VCM users.
The remaining Collector hardening steps are the same as those that you apply for all server zone systems. See "Server Zone Security" on page 21.

SQL Server

The following sections describe security and hardening guidelines that are unique to the system where Microsoft SQL Server and your databases are installed. The database machine might be the same one as the VCM Collector, or it might be a separate machine if you are running a split VCM installation.

Using VCM to Manage the SQL Server

After you install VCM, use it to manage the SQL Server system, subject it to assessment, and maintain its integrity. Running the following VCM compliance template against SQL Server detects and identifies some of the security setting and configuration issues that you must address.
VMware vCenter Configuration Manager Hardening - SQL Server 2008
NOTE If you have VCM installed and are preparing to set up another SQL Server, running the template can help you preharden the candidate system.
The remaining SQL Server hardening steps in this chapter are in addition to those that you apply for all server zone systems. See "Server Zone Security" on page 21.

Having a SQL Server Machine Group in VCM

To better manage SQL Server systems, place them into a separate, dedicated SQL Server machine group in VCM, and make sure that the machine group is not authorized to any nonadministrator VCM user. Without a machine group, you might mix VCM SQL Server management with non-VCM servers, which can result in the misconfiguration of necessary security settings.
Managing the right group of SQL Servers allows them to be assessed routinely by the VCM security assessment compliance tests and monitored for configuration and change, all of which can be managed and tracked through VCM.
If you do not follow this guideline, the security posture of unmanaged VCM SQL Servers cannot be assessed, tracked, or controlled with VCM. Later, if a SQL Server comes under VCM management, there is also the risk that it might be incorrectly placed into a machine group that is managed by nonadministrator VCM users.

Microsoft SQL Server Best Practices and Hardening Tests

Microsoft provides guidelines and auditing tools that help ensure the secure installation and operation of SQL Server. The following tools are available from the Microsoft Web site.
- SQL Server 2005 Best Practices Analyzer Tool
- SQL Server 2008 R2 Best Practices Analyzer Tool