VCP6-DCV blueprint section 1: Configure and Administer vSphere 6.x Security – Objective 1.2 – Part 1


In this post we will follow the guidelines from the VMware VCP6-DCV blueprint.

This post covers only some of the objectives; I will continue in the next post.

Below are the objectives for this post, taken from the VMware site: https://mylearn.vmware.com/mgrReg/plan.cfm?plan=64180&ui=www_cert

Knowledge

  • Harden virtual machine access
    • Control VMware Tools installation
    • Control VM data access
    • Configure virtual machine security policies
  • Harden a virtual machine against Denial-of-Service attacks
    • Control VM-VM communications
    • Control VM device connections
    • Configure network security policies
  • Harden ESXi Hosts
    • Enable/Configure/Disable services in the ESXi firewall
    • Change default account access
    • Add an ESXi Host to a directory service
    • Apply permissions to ESXi Hosts using Host Profiles
    • Enable Lockdown Mode
    • Control access to hosts (DCUI/Shell/SSH/MOB)
  • Harden vCenter Server
    • Control datastore browser access
    • Create/Manage vCenter Server Security Certificates
    • Control MOB access
    • Change default account access
    • Restrict administrative privileges
  • Understand the implications of securing a vSphere environment

Harden virtual machine access

Control VMware Tools installation:

At this point we are still looking at the VMware vSphere Security document. For this objective we can look at page 251, under the “Virtual Machine Interaction Privileges” heading:

“Virtual Machine Interaction privileges control the ability to interact with a virtual machine console, configure media, perform power operations, and install VMware Tools. You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.”

From vCenter >> Roles >> New(+) >> All Privileges > Virtual machine > Interaction

 

[Screenshot: VM_role]
Control VM data access:

Looking at this requirement, I am assuming that VMware is looking to disable unnecessary functions inside the virtual machine.

From the VMware vSphere Security guide, page 199:

[Screenshot: dataacess – Source: VMware vSphere Security document]

 

Configure virtual machine security policies:

Before I could practice this subject I needed to install at least one virtual machine, so I installed one Linux OS on my esxi0 using the NFS datastore.

In addition to the security features above, VMware provides advanced virtual machine options to harden the VM further.

To access the advanced options from vCenter: select the host the VM is running on >> Related Objects >> Virtual Machines >> Edit Settings >> VM Options >> Advanced, and click Edit Settings.

 

Here is a summary of the advanced settings; each is set to TRUE to disable the feature (except mks.enable3d, which is set to FALSE):

Disable Unexposed Features:

  • isolation.tools.unity.push.update.disable
  • isolation.tools.ghi.launchmenu.change
  • isolation.tools.memSchedFakeSampleStats.disable
  • isolation.tools.getCreds.disable
  • isolation.tools.ghi.autologon.disable
  • isolation.bios.bbs.disable
  • isolation.tools.hgfsServerSet.disable

Disable Unused Display Features:

  • svga.vgaonly
  • mks.enable3d – set to FALSE

Disable HGFS File Transfers

  • isolation.tools.hgfsServerSet.disable

Disable Copy and Paste Operations Between Guest Operating System and Remote Console

  • isolation.tools.copy.disable
  • isolation.tools.paste.disable

Prevent a Virtual Machine User or Process from Disconnecting Devices

  • isolation.device.connectable.disable
  • isolation.device.edit.disable

Modify Guest Operating System Variable Memory Limit

  • tools.setInfo.sizeLimit

Prevent Guest Operating System Processes from Sending Configuration Messages to the Host

You need to add a new row with the name isolation.tools.setinfo.disable and set the value to TRUE.
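The settings above end up as key = "value" lines in the VM's .vmx file, so a quick way to check that a VM really matches this list is to audit that file rather than clicking through each setting. The following is an added example, not code from the original post or from VMware: it assumes it is given the text of a .vmx file, the sample .vmx content is constructed for the example, and because the post gives no number for tools.setInfo.sizeLimit the script only checks that the key is present with an integer value (an assumption).

```python
"""Audit a VM's .vmx configuration against the hardening keys listed above.

Assumptions (not from the original post): the function works on the text of a
.vmx file (key = "value" lines), which is where vSphere stores a VM's advanced
settings. SAMPLE_VMX below is constructed for this example.
"""
import re

# Expected values, taken from the post's list: everything TRUE except mks.enable3d.
EXPECTED = {
    "isolation.tools.unity.push.update.disable": "TRUE",
    "isolation.tools.ghi.launchmenu.change": "TRUE",
    "isolation.tools.memSchedFakeSampleStats.disable": "TRUE",
    "isolation.tools.getCreds.disable": "TRUE",
    "isolation.tools.ghi.autologon.disable": "TRUE",
    "isolation.bios.bbs.disable": "TRUE",
    "isolation.tools.hgfsServerSet.disable": "TRUE",
    "svga.vgaonly": "TRUE",
    "mks.enable3d": "FALSE",
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
    "isolation.tools.setinfo.disable": "TRUE",
}
# The post names this key but gives no value, so (assumption) we only require
# that it is present and numeric.
NUMERIC_KEYS = {"tools.setInfo.sizeLimit"}

# One .vmx line: key = "value" (quotes are optional in practice).
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Return {key: value} from .vmx text. Keys are lowercased because
    vSphere treats .vmx keys case-insensitively."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def audit_vmx(text):
    """Return a sorted list of (key, expected, actual) findings.
    An empty list means every hardening key is present with the right value."""
    settings = parse_vmx(text)
    findings = []
    for key, expected in EXPECTED.items():
        actual = settings.get(key.lower())
        # Missing keys count as findings: the default is the feature enabled.
        if actual is None or actual.upper() != expected:
            findings.append((key, expected, actual))
    for key in NUMERIC_KEYS:
        actual = settings.get(key.lower())
        if actual is None or not actual.isdigit():
            findings.append((key, "<integer byte limit>", actual))
    return sorted(findings)


# Constructed sample: a VM where only a few of the settings were applied,
# one of them (mks.enable3d) with the wrong value.
SAMPLE_VMX = '''
.encoding = "UTF-8"
config.version = "8"
displayName = "linux-test"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
mks.enable3d = "TRUE"
isolation.device.connectable.disable = "true"
tools.setInfo.sizeLimit = "1048576"
'''

if __name__ == "__main__":
    for key, expected, actual in audit_vmx(SAMPLE_VMX):
        print(f"{key}: expected {expected}, found {actual}")
```

Run against the constructed sample it reports eleven findings: the ten keys that were never added plus mks.enable3d, which is present but still TRUE. Treating a missing key as a finding is deliberate, since an absent isolation.* key means the feature is left at its default, enabled, state.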

 

[Screenshot: vm_adv]

Thanks for reading