vCenter Configuration Manager Security Environment Requirements
VMware VCM 5.3
WHITE PAPER
vCenter Configuration Manager Security Environment Requirements
Table of Contents
1.0 Introduction to The Security Environment of VCM 5
2.0 Background Concepts 6
3.0 Secure Domain Infrastructure 9
3.5 Network infrastructure hosts are at least as secure as VCM 10
4.0 Hosting Environment 11
4.1 VCM servers are secured and managed like network infrastructure 11
4.2 UI Zone machines should be subject to access controls 11
4.3 Data originating from a managed machine is no more trustworthy than the machine 12
4.4 Server zone machine dedicated to VCM 12
5.0 Personnel Selection and Training 13
5.1 VCM accounts are granted to users who are trusted, trained, and qualified as system and network administrators 13
5.2 VCM users are advised to treat direct login prompts to VCM with skepticism and caution 13
5.3 VCMusers must protect collected data as confidential information 13
5.4 Trust individual collectionresults nomore than their source 13
5.5 Beware of cross-site scripting attacks 14
5.6 Exported data is outside the control of VCM 14
6.0 Host Preparation and Management 15
6.1 VCM hosts pass Foundation Checker checks 15
6.2 Cryptographic service providers are FIPS-140 certified 15
6.3 SQL Server best practices are followed 16
6.4 Only trusted software should be installed in the server zone 16
6.5 Perform routine backups, patches, and virus scanning 16
7.0 Safeguarding Installation Kits 17
TECHNICAL WHITE PAPER / 2
7.1 VCM installation kits are obtained from VMware or secure sources 17
7.2 VCM installation kits are protected from tampering or verified 17
7.3 Unknown software publisher warnings during ClickOnce installations are not dismissed unless the publisher is VMware 18
7.4 Automatic upgrade of the VCM Remote Client is not used to install software 18
8.0 IIS Preparation 19
8.1 IIS set to use Windows integrated authentication for the VCM Web site root 19
8.2 VCM Web Service uses HTTPS 19
8.3 SSL/HTTPS certificate issued by trusted CA or self Issued 19
9.0 SQL Server Preparation 20
9.1 Follow Microsoft SQL Server configuration best practices 20
9.2 Use delegation with a VCM split installation 20
9.3 Protect SQL Server from connections originating outside the server zone 20
9.4 Forbid direct SQL Server login by VCM users 20
10.0 Web Browser Preparation 21
10.1 Place the VCM Web host in the IE trusted zone 21
10.2 Verify the VCM Web host's HTTPS certificate 21
10.3 Verify the VCM software publisher certificate 21
10.4 Remove untrusted machines from the IE trusted zone 21
10.5 Customize Internet Explorer's trusted zone Internet security options 22
11.0 Agent Installation and Maintenance 23
11.1 File and directory access controls prevent tampering 23
11.2 Access control on machine configuration prevents tampering 23
11.3 The Agent is available for collection 23
11.4 The Trusted Certificate Store contains reputable certificates 24
11.5 The enterprise certificate authorized collection 24
11.6 Unauthorized (private) Agents are not allowed 24
11.7 Continuous possession and control of the Agent 24
12.0 Software Provisioning Components 25
12.1 All published packages are signed by trusted parties 26
12.2 Protect repositories 26
12.3 Accept only reputable software package publishers 26
12.4 Configure only trusted sources over secure channels 26
12.5 Take precautions when using VCM Software Provisioning Extensions 26
13.0 Proper Decommissioning 28
13.1 An installation of VCM is properly decommissioned before its hardware is repurposed or retired 28
13.2 Collector and Agent private keys used for TLS are not copied between machines 28
13.3 Enterprise certificate private key and IIS (for HTTPS) host private keys are transferred manually 29
13.4 Server zone hosts have their disks removed and transferred, secured, or erased before decommissioning 29
13.5 Agent private keys are erased at Agent install 29
13.6 Unused network authority accounts are disabled or removed 29
References 30
1.0 Introduction to The Security Environment of VCM
VCM operates within the context of a security environment. This environment consists of host configuration, various personnel and usage assumptions, organizational security policies, configuration settings, and best practices. Ultimately all security requirements are met either by controls built into VCM that leverage the environment, or by controls built into the environment itself. Understanding and maintaining the security environment is an important responsibility of the VCM administrator and users. Toward that end, this document provides a description of the VCM security environment and a checklist for its maintenance.
The security environment must provide certain guarantees. For example, authorized VCM users are presumed to be trusted, and the hosts on which VCM is installed must be access-controlled to prevent access by unauthorized users. Installation kits must be checked for alteration, and eventually VCM hosts must be decommissioned properly. Overall security requirements must be observed for the domain and infrastructure, hosting environment, personnel, host preparation, installation kit security, login roles, IIS preparation, SQL server preparation, web browsers preparation, Agent installation and maintenance, and proper decommissioning.
When a security environment requirement is not met, the confidentiality, integrity, or availability of information assets that flow through the deficient system are at risk.
This is not a prescriptive document. Described within are the assumptions made by VCM, not procedures for administrators. For example, under the guarantees regarding VCM logins, an assumption made by VCM is that the domain controller for each user is trusted. Not listed is a best practice such as "keep the domain controller in a locked room."
2.0 Background Concepts
Numerous physical and conceptual objects make up a VCM installation. These are described in detail in the VCM Hardware and Software Requirements Guide as well as in the VCM Installation and Getting Started Guide. For convenience, a summary of that information is repeated here.
VCM is a distributed application with five main components:
• Browser-based user interface (UI) that renders in Internet Explorer (IE) on user desktops
• Internet Information Services (IIS) web server that hosts the UI web application and accepts work requests
• Collector service that processes requests and receives results
• SQL Server database that stores both results and application control information
• Agents that inspect managed machines and return results in response to requests
In some installations there are also optional ancillary components such as an Agent proxy that works with VMware ESX, ESXi, and vSphere servers, an orchestration host that coordinates with service desk applications such as Remedy, VCM Remote service, Software Provisioning components, and alternate source file servers that store VCM installation kits and VCM Patching patches.
With the exception of the UI, Agent, and alternate sources, all VCM components execute on Microsoft Windows Server computers. The UI runs within IE on Windows desktops. The Agent executes on either Windows or one of a variety of UNIX systems (Solaris, HP-UX, AIX, Linux, or Mac OS X). An alternate source can be any file server exporting file shares or FTP.
These components, with the exception of the VCM Software Provisioning components, the UI, and alternate source hosts, are shown below. Software Provisioning components are diagrammed separately in "All published packages are signed by trusted parties" on page 26.
Figure 1: VCM Single Server Installation
As shown in the figure, several VCM services can share a host. In a single-host installation, IIS, the web application, SQL Server, and the Collector service are installed on a server machine referred to as the "Collector host". There is an optional split installation configuration in which SQL Server is installed on a database host separate from the Collector host. However, VMware strongly recommends that you select the default, single-machine installation type because it will be the simplest to administer in the future. A split installation across two machines should be used only when required by your organization's policy.
Several different types of personnel utilize the five components of VCM. Domain administrators create the accounts and manage the infrastructure in which VCM runs. The infrastructure includes domain controllers, routers, certificate servers, SMTP email, domain name service (DNS), and DHCP. A VCM installer loads the VCM software and configures IIS, SQL Server, the Collector, and other services. The installer is also the first VCM administrator and is responsible for authorizing the other administrators and regular VCM users from the inventory of accounts managed by the domain administrators. VCM users and administrators log on to VCM and use its web interface to administer managed machines via the Agents, run Compliance tests, and generate reports. Agents can be installed, upgraded, and uninstalled by VCM administrators, VCM users, or managed machine administrators.
Conceptually, the VCM services, hosts, and personnel can be organized into the following trust zones:
• Infrastructure: Consists of domain controllers (DCs), routers, SMTP, DNS, and other infrastructural items.
• User Interface (UI): Consists of VCM user desktops.
• Server: Consists of the Collector service, VCM Remote service, IIS, web application, SQL Server, Orchestrator, and Agent proxy.
• Agent: Each managed machine, software provisioning repository, and alternate source resides in an Agent zone. There may be multiple Agent zones.
Domain administrators manage the infrastructure, UI, and server zones. Each Agent zone is controlled by a local zone administrator. This is often the managed machine or repository administrator.
This partitioning allows us to understand trust between VCM components on a more granular level than DC domains. A trust boundary separates each zone. Machines and services in one zone distrust those in another without either special configuration or authentication. Special configuration establishes implicit trust. Authentication engenders trust between components lacking implicit trust. When an entire zone trusts another, this means that every VCM component in the first zone implicitly trusts every component in the second. If two machines are in the same zone, it does not mean that they trust each other, rather it means that they are not required to distrust each other by default. Once VCM is installed, the UI and Agent zones trust the infrastructure and server zone. On the other hand, the server zone completely trusts only the infrastructure; it does not trust the UI zone except as a source of UI commands from VCM users that were authenticated by the infrastructure. The server zone also trusts the Agent zone as a source for Agent data but not to provide data or implement change that would affect other Agents or VCM configuration.
These trust zones and boundaries are pedagogical tools, and are not visible in the features of the VCM product. The trust zones have no relationship to the zones in IE.
3.0 Secure Domain Infrastructure
VCM security environment requirements are divided into categories for the domain and infrastructure, hosting environment, personnel, host preparation, safeguarding installation kits, login roles, IIS preparation, SQL Server preparation, web browser preparation, Agent installation and maintenance, Software Provisioning, and proper decommissioning.
This section describes the domain and infrastructure. Here and in subsequent sections, each requirement is numbered, stated, and followed by elaborative text.
3.1 Domain controller is trusted
VCM relies on a domain controller (DC) to authenticate VCM users, to discover machines, to enumerate domain group members, to run VCM services under Network Authority accounts, and to authenticate administrators who control the hosts onto which VCM and its databases are installed. The VCM installer and VCM administrator cite the domain controller in VCM when the system is installed, DC discoveries are conducted, or when new Network Authorities or VCM users are added. An untrustworthy domain controller should never be configured into VCM and VCM hosts should never be joined to an untrustworthy domain.
3.2 Network infrastructure is secure
Besides domain controllers, VCM relies on other network infrastructure services such as DNS, WINS, email, time servers, and DHCP. DNS and WINS translate domain names into IP addresses. Email is used for various notifications and alerts. Time servers synchronize time, allowing Kerberos authentication and certificate validation to work. DHCP, even when not used by VCM servers, assigns IP addresses consistently. These services must be properly configured, secure, and available in order for VCM to operate correctly and reliably.
3.3 Network infrastructure services are available
All network infrastructure services must not only be correct and secure, but also available and responsive. An active denial of service or attack on network infrastructure will impact VCM performance.
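The three requirements above (trusted DC, correct infrastructure, responsive infrastructure) are the kind of thing an administrator can verify from a VCM host before an installation or after an incident. The following PowerShell script is an added example and not part of the VMware white paper; the host names in $DnsNames and the 500 ms responsiveness threshold are constructed placeholders, and the checks rely only on built-in Windows tools (Test-ComputerSecureChannel, nltest, w32tm, and .NET DNS resolution).

```powershell
# Added example (not from the VMware white paper): verify from a VCM host that the
# infrastructure services of sections 3.1-3.3 are trusted, reachable and responsive.
# $DnsNames and $SlowThresholdMs are constructed values; adjust them for your site.
param(
    [string[]]$DnsNames = @('dc01.corp.example', 'mail.corp.example'),  # assumed host names
    [int]$SlowThresholdMs = 500                                          # assumed threshold
)

# Runs one probe, records whether it succeeded and how long it took (3.3: availability
# and responsiveness matter, not just correctness).
function Test-InfraDependency {
    param([string]$Name, [scriptblock]$Probe)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $result = & $Probe
        $ok     = [bool]$result
        $detail = "$result"
    } catch {
        $ok     = $false
        $detail = $_.Exception.Message
    }
    $sw.Stop()
    [pscustomobject]@{
        Check  = $Name
        Ok     = $ok
        Ms     = $sw.ElapsedMilliseconds
        Slow   = $sw.ElapsedMilliseconds -gt $SlowThresholdMs
        Detail = $detail
    }
}

$checks = @()

# 3.1: the host's secure channel to a DC of the domain it is joined to must be intact.
$checks += Test-InfraDependency 'Domain secure channel' {
    Test-ComputerSecureChannel -ErrorAction Stop
}

# 3.1: record which DC the locator actually returned, so an unexpected DC is visible.
$checks += Test-InfraDependency 'DC locator (nltest)' {
    (nltest /dsgetdc: 2>&1 | Select-String 'DC:').Line
}

# 3.2: DNS must resolve each infrastructure name.
foreach ($n in $DnsNames) {
    $checks += Test-InfraDependency "DNS $n" {
        ([System.Net.Dns]::GetHostEntry($n).AddressList | Select-Object -First 1).IPAddressToString
    }
}

# 3.2: Kerberos and certificate validation need synchronised clocks; report the time source.
$checks += Test-InfraDependency 'Time source (w32tm)' {
    (w32tm /query /source 2>&1)
}

$checks | Format-Table -AutoSize
# Non-zero exit if any dependency failed, so the script can be scheduled and alerted on.
if ($checks | Where-Object { -not $_.Ok }) { exit 1 }
```

A failed secure channel or a DC other than the one you expect is a reason to stop and investigate before citing that DC in VCM; a slow but successful probe is the early warning that section 3.3 describes, since VCM performance degrades when the infrastructure it depends on does.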
3.4 'Trusted' certificates, certificate authorities, and certificate servers are trusted
VCM establishes the validity of HTTPS/SSL certificates used by IIS, and of TLS certificates used during Collector-to-Agent communication, by checking the signatures along the certificate chain that extends from the certificate in question up to a certificate installed in one of the trusted certificate stores.
VCM trusts that:
• A certificate in a 'trusted' store is in fact trusted
• Certificate authorities issuing certificates in a trusted store are trusted
• Certificate services managing certificates in a trusted certificate store, and the associated renewals and certificate revocation lists, are trusted
In particular, certificates that exist in the trusted store that were not issued in conjunction with VCM are still trusted by VCM.
To view the contents of the trusted certificate store on Microsoft platforms, use the Certificate Manager Tool (Certmgr.exe) or the Microsoft Management Console (MMC) Certificates snap-in.
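Because every anchor in the trusted store is trusted by VCM whether or not it was issued for VCM, the practical control is to know what is in that store and to confirm that the IIS HTTPS (or Collector TLS) certificate chains to an anchor you intended. The following PowerShell script is an added example, not code from the white paper or from VMware: it lists Trusted Root entries outside an allow-list and builds the server certificate's chain with the same .NET X509Chain logic Windows uses, including revocation checking. The allow-list thumbprint and the server certificate subject are placeholders to replace with your own values.

```powershell
# Added example (not from the VMware white paper): audit the machine Trusted Root store
# and validate a server certificate's chain up to an anchor in that store (section 3.4).
# $ExpectedRootThumbprints and $ServerCertSubject are placeholders; replace them.
param(
    [string[]]$ExpectedRootThumbprints = @('<THUMBPRINT-OF-ENTERPRISE-ROOT-CA>'),  # placeholder
    [string]$ServerCertSubject = 'CN=vcm-collector.corp.example'                   # assumed name
)

$now   = Get-Date
$roots = Get-ChildItem Cert:\LocalMachine\Root

# 1. Every entry in the Root store is an anchor Windows, and therefore VCM, will trust.
#    Report the ones that are not on the allow-list, with the properties that matter.
$roots |
    Where-Object { $ExpectedRootThumbprints -notcontains $_.Thumbprint } |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ n = 'Expired';    e = { $_.NotAfter -lt $now } },
        @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } } |
    Format-Table -AutoSize

# 2. Build the chain for a server certificate the way the OS does: signatures along the
#    chain, validity dates, and revocation (CRL) for every element, then report the anchor.
#    A self-issued certificate (section 8.3 allows one) is its own anchor; it is valid only
#    if that same certificate has been imported into the Root store.
function Test-ServerCertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid  = $chain.Build($Cert)
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject           = $Cert.Subject
        Valid             = $valid
        AnchorSubject     = $anchor.Subject
        AnchorThumbprint  = $anchor.Thumbprint
        AnchorInAllowList = $ExpectedRootThumbprints -contains $anchor.Thumbprint
        Errors            = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $ServerCertSubject } |
    Select-Object -First 1
if ($null -eq $serverCert) {
    Write-Warning "No certificate with subject '$ServerCertSubject' in Cert:\LocalMachine\My"
    exit 1
}
Test-ServerCertChain $serverCert | Format-List
```

Valid = True with AnchorInAllowList = False is the case the white paper warns about: the chain is technically good, but it terminates at a root you never deliberately chose to trust. Errors lists each reason a chain failed (expired element, untrusted root, revocation unavailable), which is more useful for diagnosis than the single pass/fail the Certificates snap-in shows.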
3.5 Network infrastructure hosts are at least as secure as VCM
Since VCM relies on infrastructure services, machines on which these services are hosted must be at least as secure as VCM. These machines should be protected by firewalls, anti-virus software, current security updates, and access controls. Access to these machines should also be restricted to trusted personnel.