Traditional IT infrastructure keeps being migrated onto virtualization and cloud platforms, and whatever changes and whatever new technology is introduced, security remains vital. This post addresses security hardening of a VMware vSphere infrastructure. In vSphere, security lives at several different layers (add-ons such as NSX, vRA and vRO are out of scope here), so let's get started on vSphere security hardening.
Virtual Machines & Guest OS >> ESXi Hosts >> vCenter Server >> Network Layer
Virtual Machines & Guest OS
- Security hardening of the guest operating system depends on the type and version of the guest (Linux, Windows, macOS and so on). Keep the OS on the latest patches, run reputable anti-malware software and use the host firewall to control inbound and outbound connections. Disable unused services and kernel modules, and remove unused virtual devices such as the CD/DVD drive, floppy, serial and parallel ports and USB controllers: a device the VM does not have cannot be used to introduce or exfiltrate data.
- From vSphere 6.5 onwards (virtual hardware version 13) a VM with EFI firmware can use UEFI Secure Boot instead of legacy BIOS. Set the firmware under VM edit settings >> VM Options >> Boot Options >> Firmware and tick Secure Boot in the same dialog. The VM must be powered off, and the guest must have been installed in UEFI mode; switching an existing BIOS/MBR guest to EFI leaves it unbootable. With Secure Boot enabled the firmware only loads a boot loader and kernel signed by a trusted certificate, so a rootkit that replaces or tampers with the boot loader stops the VM from booting rather than getting control of the boot process. It protects nothing that loads after the kernel, so it complements guest patching rather than replacing it.
- Minimize use of the virtual machine console. The console is the equivalent of a physical server's monitor, keyboard and mouse, and a user who can open it also gets the VM's power controls and can connect removable devices such as ISO images. Use the guest's native remote access protocol (RDP, SSH) instead, and limit concurrent console connections with the RemoteDisplay.maxConnections advanced setting.
- Install VMware Tools and keep it updated.
- Disable unused functionality such as VMware Shared Folders (the Host Guest File System, HGFS), which shares files between the VM and the machine running the console. The advanced setting is isolation.tools.hgfsServerSet.disable = TRUE.
- Keep copy and paste between the guest and the remote console disabled. It is disabled by default, but setting the keys explicitly stops a user inside the guest from re-enabling it through VMware Tools. The clipboard is a channel that bypasses every network control: data can be moved into or out of the guest without any network connection, which is why the hardening guide treats it as an isolation setting rather than a convenience. You can set it as follows.
- Right-click the virtual machine and click Edit Settings (the VM must be powered off).
- Click VM Options >> Advanced and click Edit Configuration.
- Add the entries isolation.tools.copy.disable = TRUE, isolation.tools.paste.disable = TRUE and isolation.tools.setGUIOptions.enable = FALSE. The change takes effect at the next power-on.
- From vSphere 6.5 onwards you can use encrypted virtual machines. Encryption protects the virtual disks and the other VM files (configuration, swap, snapshots) at rest. Three components take part: an external key management server (KMS, speaking KMIP), the vCenter Server system, which requests keys from the KMS and hands them to the hosts, and the ESXi hosts, which hold the keys in memory and do the actual encryption. Once vCenter Server is connected to the KMS, users holding the Cryptographic Operations privileges can create encrypted virtual machines, encrypt existing ones and decrypt already encrypted ones. Two caveats: a VM cannot be powered on while its key is unavailable, so the KMS must be as available as your workloads, and encryption protects data at rest only; a running guest is not protected from whoever can reach it over the network or the console. For more details please go through https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-A29066CD-8EF8-4A4E-9FC9-8628E05FC859.html
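The VM-level settings above (console connections, Shared Folders, copy and paste) are all advanced configuration keys, which makes them easy to audit and enforce across an inventory rather than one VM at a time. The following PowerCLI example is added here and is not code from the original post; it assumes an existing Connect-VIServer session and touches whatever Get-VM returns, so scope it before running. The Secure Boot function goes beyond the text by showing the API fields behind the Firmware dialog, and is only safe for new VMs or guests already installed in UEFI mode.

```powershell
Import-Module VMware.PowerCLI -ErrorAction Stop   # assumes Connect-VIServer has already been run

# Baseline of .vmx keys discussed above. ESXi stores the values as strings ("TRUE"/"FALSE").
# Copy/paste is off by default even when the keys are absent, but setting them explicitly
# stops a user inside the guest from re-enabling it through VMware Tools (setGUIOptions).
$vmBaseline = @{
    'isolation.tools.copy.disable'          = 'TRUE'   # guest -> console clipboard
    'isolation.tools.paste.disable'         = 'TRUE'   # console -> guest clipboard
    'isolation.tools.dnd.disable'           = 'TRUE'   # drag and drop through the console
    'isolation.tools.setGUIOptions.enable'  = 'FALSE'  # guest cannot override the three keys above
    'isolation.tools.hgfsServerSet.disable' = 'TRUE'   # Shared Folders (HGFS) server
    'RemoteDisplay.maxConnections'          = '1'      # one console session at a time
}

function Get-VmIsolationDrift {
    # Returns one row per setting that is absent from the VM or differs from the baseline.
    param([Parameter(Mandatory)]$VM)
    $current = @{}
    Get-AdvancedSetting -Entity $VM | ForEach-Object { $current[$_.Name] = [string]$_.Value }
    foreach ($key in $vmBaseline.Keys) {
        $actual = if ($current.ContainsKey($key)) { $current[$key] } else { '<unset>' }
        if ($actual -ne $vmBaseline[$key]) {
            [pscustomobject]@{ VM = $VM.Name; Setting = $key; Expected = $vmBaseline[$key]; Actual = $actual }
        }
    }
}

function Set-VmIsolationBaseline {
    # Creates missing keys and corrects wrong ones. isolation.* changes apply at the next power cycle.
    param([Parameter(Mandatory)]$VM)
    foreach ($d in @(Get-VmIsolationDrift -VM $VM)) {
        $existing = Get-AdvancedSetting -Entity $VM -Name $d.Setting
        if ($existing) {
            Set-AdvancedSetting -AdvancedSetting $existing -Value $d.Expected -Confirm:$false | Out-Null
        } else {
            New-AdvancedSetting -Entity $VM -Name $d.Setting -Value $d.Expected -Confirm:$false | Out-Null
        }
        Write-Verbose ("{0}: {1} {2} -> {3}" -f $VM.Name, $d.Setting, $d.Actual, $d.Expected)
    }
}

function Enable-VmSecureBoot {
    # Switches a powered-off VM (hardware version 13 or later) to EFI firmware with Secure Boot.
    # Only for VMs installed in UEFI mode or not yet installed: a BIOS/MBR guest will not boot afterwards.
    param([Parameter(Mandatory)]$VM)
    if ($VM.PowerState -ne 'PoweredOff') { throw "$($VM.Name) must be powered off" }
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.Firmware = 'efi'
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.EfiSecureBootEnabled = $true
    $VM.ExtensionData.ReconfigVM($spec)
}

# Report first, then remediate. Enable-VmSecureBoot is deliberately not run across the inventory.
$allVms = Get-VM
$allVms | ForEach-Object { Get-VmIsolationDrift -VM $_ } | Format-Table -AutoSize
$allVms | ForEach-Object { Set-VmIsolationBaseline -VM $_ }
```

The drift report treats an absent key as non-compliant on purpose: the default behaviour is safe, but only an explicit FALSE for setGUIOptions prevents a guest user from turning the clipboard back on.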
ESXi Hosts
ESXi is a well-secured hypervisor out of the box, and you can harden it further with built-in features. Let's check out some of them.
- Keep ESXi hosts properly patched. Staying current with ESXi patches removes known vulnerabilities in the hypervisor; an attacker who reaches the management network will look for exactly those when trying to gain access to or escalate privileges on a host. Use vSphere Update Manager baselines so that patch state is verified rather than assumed.
- Check that SSH is disabled on all your ESXi hosts. SSH is disabled by default; it is controlled by the TSM-SSH service, which is stopped by default, and its startup policy should stay "Start and stop manually". Enable SSH only for troubleshooting, only from your administrative network (see the firewall item below), and stop it again when you are done.
- Configure NTP time synchronization so that all your systems, including ESXi, vCenter Server and the VMs, use the same time source. Consistent timestamps are what let you correlate an intruder's actions across logs and events when you review them; skewed clocks make auditing very difficult and can also break certificate validation and Active Directory authentication. You can configure NTP on an ESXi host as follows:
From the vSphere Web Client select the host and click Configure >> System >> Time Configuration. Click Edit and enter the name or IP of your NTP servers, then start the NTP Daemon from the Services list and change its startup policy to "Start and stop with host".
Note: verify that the ntpClient firewall rule (UDP 123 outbound) is enabled, and synchronize the ESXi clock with a time server located on your management network rather than a public one, so the time source is as trustworthy as the rest of the management plane.
- Configure SNMP properly, or leave it off. If you are not using SNMP monitoring tools the agent should remain disabled. A misconfigured agent (a default or guessable v1/v2c community string reachable from a non-management network) hands your inventory and configuration details to anyone who asks, and that is exactly the reconnaissance an attacker uses to plan an attack.
From the vSphere Web Client, select the host and click Configure >> System >> Security Profile and check SNMP Server in the Services section. Its status should be Stopped unless you use SNMP monitoring. The agent cannot be configured from the web client; use esxcli system snmp set (or PowerCLI's Get-EsxCli), and prefer SNMPv3 with authentication and privacy over community strings.
- Disable weak TLS versions on ESXi hosts. From vSphere 6.5 onwards you can control which protocol versions the host accepts. From the vSphere Web Client, select the host, click Configure >> System >> Advanced System Settings and edit UserVars.ESXiVPsDisabledProtocols. It takes a comma-separated list of protocols to disable; the recognised tokens are sslv3, tlsv1, tlsv1.1 and tlsv1.2. The hardened value is sslv3,tlsv1,tlsv1.1, which leaves only TLS 1.2 enabled. Never add tlsv1.2 to the list, as that disables every version. The default on 6.5 is sslv3; 6.7 already disables TLS 1.0 and 1.1. The change takes effect after a host reboot, so first confirm that everything talking to the host (vCenter, backup agents, monitoring) supports TLS 1.2, and use VMware's TLS Configurator utility to apply the same policy to vCenter Server and the PSC.
- Use Active Directory for user authentication. Join ESXi hosts to an Active Directory (AD) domain to avoid creating and maintaining local user accounts on every host; AD enforces your password complexity and reuse policies, and disabling a person in AD revokes their host access everywhere, which reduces the risk of unauthorized access. Be aware of the default behaviour: if an AD group named "ESX Admins" exists, all users and groups in it get the Administrator role on every domain-joined host. Anyone who can create that group in the directory therefore becomes an administrator of your hypervisors, so either point the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup at a group you control, or set Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false and grant host permissions explicitly. To join a host, select it and navigate to Configure >> System >> Authentication Services >> Join Domain. The vCenter side is a separate step: vCenter Home >> Administration >> Single Sign-On >> Configuration >> Identity Sources >> Add (+) adds AD as an SSO identity source.
- Enable mutual CHAP authentication for iSCSI traffic. vSphere supports bidirectional (mutual) CHAP, in which the host authenticates to the iSCSI target and the target authenticates back to the host. Even with a dedicated VLAN for each iSCSI storage network, one-way CHAP only proves the initiator's identity; an attacker on that segment could still present a rogue target or impersonate the host, a man-in-the-middle position from which data can be read or altered. Mutual authentication closes that gap, so always configure your iSCSI storage with mutual CHAP, using a different secret in each direction (iSCSI requires the two to differ). CHAP authenticates the session but does not encrypt the data path, so isolating the storage network is still required.
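The host-side steps above (NTP, SNMP, SSH, the domain join and mutual CHAP) are the kind of configuration that drifts silently when done by hand per host. The following PowerCLI example is added here and is not code from the original post; it applies those items to every host in the inventory. It assumes a Connect-VIServer session, placeholder NTP addresses, domain and group names, and that the join credential and both CHAP secrets are supplied interactively rather than stored in the script.

```powershell
Import-Module VMware.PowerCLI -ErrorAction Stop   # assumes Connect-VIServer has already been run

# Placeholders: adjust to your environment.
$ntpServers = @('10.0.0.10', '10.0.0.11')      # time servers on the management network
$domain     = 'corp.example'                    # AD domain the hosts join
$adminGroup = 'vSphere-Host-Admins'             # AD group that gets Administrator on the hosts
$joinCred   = Get-Credential -Message "Account permitted to join hosts to $domain"
$chapOut    = Get-Credential -Message 'CHAP name/secret the host presents to the target'
$chapIn     = Get-Credential -Message 'CHAP name/secret the target must present to the host (different secret)'

function Set-HostTimeBaseline {
    param([Parameter(Mandatory)]$VMHost)
    $configured = @(Get-VMHostNtpServer -VMHost $VMHost)
    foreach ($s in $configured) {
        if ($ntpServers -notcontains $s) { Remove-VMHostNtpServer -VMHost $VMHost -NtpServer $s -Confirm:$false | Out-Null }
    }
    foreach ($s in $ntpServers) {
        if ($configured -notcontains $s) { Add-VMHostNtpServer -VMHost $VMHost -NtpServer $s | Out-Null }
    }
    # Policy 'on' is "Start and stop with host"; the ntpClient firewall rule is opened with the service.
    $ntpd = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'ntpd' }
    if ($ntpd.Policy -ne 'on') { Set-VMHostService -HostService $ntpd -Policy 'on' | Out-Null }
    if (-not $ntpd.Running) { Start-VMHostService -HostService $ntpd -Confirm:$false | Out-Null }
}

function Disable-HostOptionalServices {
    # SNMP agent, SSH and the ESXi Shell stay stopped and on manual start unless a documented need exists.
    param([Parameter(Mandatory)]$VMHost)
    foreach ($key in 'snmpd', 'TSM-SSH', 'TSM') {
        $svc = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq $key }
        if ($svc.Running) { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
        if ($svc.Policy -ne 'off') { Set-VMHostService -HostService $svc -Policy 'off' | Out-Null }
    }
}

function Join-HostToDomain {
    param([Parameter(Mandatory)]$VMHost)
    $auth = Get-VMHostAuthentication -VMHost $VMHost
    if ($auth.Domain -ne $domain) {
        Set-VMHostAuthentication -VMHostAuthentication $auth -Domain $domain -JoinDomain -Credential $joinCred -Confirm:$false | Out-Null
    }
    # Do not rely on the default "ESX Admins" group: whoever can create it in AD becomes an
    # administrator on every joined host. Point the host at a group you control instead.
    $grp = Get-AdvancedSetting -Entity $VMHost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
    if ($grp.Value -ne $adminGroup) { Set-AdvancedSetting -AdvancedSetting $grp -Value $adminGroup -Confirm:$false | Out-Null }
}

function Set-HostMutualChap {
    param([Parameter(Mandatory)]$VMHost)
    $hba = Get-VMHostHba -VMHost $VMHost -Type IScsi
    if (-not $hba) { return }
    # ChapType Required: the host refuses a session unless CHAP succeeds.
    # MutualChapEnabled: the target must authenticate back, which is what defeats a rogue target.
    Set-VMHostHba -IScsiHba $hba -ChapType Required `
        -ChapName $chapOut.UserName -ChapPassword $chapOut.GetNetworkCredential().Password `
        -MutualChapEnabled $true `
        -MutualChapName $chapIn.UserName -MutualChapPassword $chapIn.GetNetworkCredential().Password | Out-Null
}

foreach ($h in Get-VMHost) {
    Set-HostTimeBaseline -VMHost $h
    Disable-HostOptionalServices -VMHost $h
    Join-HostToDomain -VMHost $h
    Set-HostMutualChap -VMHost $h
    # Verification: ntpd should be running/on, the other three stopped/off.
    Get-VMHostService -VMHost $h | Where-Object { $_.Key -in 'ntpd', 'snmpd', 'TSM-SSH', 'TSM' } |
        Select-Object @{ n = 'Host'; e = { $h.Name } }, Key, Running, Policy
}
```

The CHAP settings are applied at the adapter level, so they become the default for every target the host discovers; targets that need their own credentials can still override them per target in the adapter's Targets tab.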
- Enable Lockdown Mode to restrict direct access to the host. Lockdown mode forces an ESXi host to be managed remotely through vCenter Server, so the roles and access controls defined in vCenter are always enforced and cannot be bypassed by logging in to the host directly. With every interaction going through vCenter Server, the risk of someone carelessly using privileges or performing tasks that are not audited properly is greatly reduced.
There are three settings: Disabled, Normal and Strict.
- Normal mode: the DCUI service keeps running. Only users on the host's Exception Users list who hold the Administrator privilege, and users named in the DCUI.Access advanced option (root by default), can log in at the console, the ESXi Shell or SSH; everyone else must go through vCenter.
- Strict mode: the DCUI service is stopped, so nobody can use the console. Exception users with Administrator privileges can still use the shell or SSH if those services are running. Keep the exception list as short as possible; it exists for service accounts such as backup agents, not for people.
From the vSphere Web Client, select the host and click Configure >> System >> Security Profile, scroll down to Lockdown Mode and click Edit to change the mode and the exception users. Note that if vCenter becomes unreachable while a strict-mode host is in trouble, your only way in is an exception user or a reboot to clear the mode, so keep a documented break-glass procedure.
- Configure the ESXi firewall to restrict access to the services running on the host. A service reachable from any network is a service that can be attacked from any network, including an external or public one. This guideline focuses on two rule sets in particular: SSH (sshServer, TCP 22) and vSphere Web Access (webAccess, TCP 80, alongside the host client on 443). Restrict both to your administrative network instead of "Allow connections from any IP address". You can edit the ESXi firewall from the vSphere Web Client: select the host, click Configure >> System >> Security Profile, click Edit under Firewall, and for each rule set choose "Only allow connections from the following networks".
- Set the maximum number of failed login attempts. Repeated login failures for the same account indicate a possible brute-force attempt (or an attacker deliberately locking an account out). Once the threshold is reached the host locks the account, which is then unlocked either by administrative action or automatically after the elapsed time configured below. From the vSphere Web Client select the host, click Configure >> System >> Advanced System Settings and enter Security.AccountLockFailures in the filter. Verify that the value is a small number such as 3 to 5. Note that account locking applies to SSH and API logins only; the DCUI and the ESXi Shell do not lock accounts.
- Set the time after which a locked account is automatically unlocked. If you want locked accounts to be released without administrative action, set how long they remain locked; a longer lockout slows a brute-force attempt further. In the same Advanced System Settings view, enter Security.AccountUnlockTime in the filter and verify that it is set to 900 (seconds).
- Set the DCUI idle timeout. The DCUI is used to log in to the ESXi host directly and carry out management tasks. Idle DCUI sessions should be terminated so that a session somebody left open cannot be reused by the next person at the console or KVM.
To configure this: from the vSphere Web Client select the host, click Configure >> System >> Advanced System Settings, enter UserVars.DcuiTimeOut in the filter and verify that it is set to 600 (seconds).
- Set the shell and SSH timeouts. If somebody forgets to close an SSH or ESXi Shell session, it stays open indefinitely and is a ready-made foothold for whoever reaches that terminal next. Two settings control this: UserVars.ESXiShellInteractiveTimeOut terminates an idle shell or SSH session, and UserVars.ESXiShellTimeOut disables the SSH and ESXi Shell services again a fixed time after they were enabled, so that troubleshooting access does not quietly become permanent.
Select the host in the vSphere Web Client, click Configure >> System >> Advanced System Settings and filter for UserVars.ESXiShell. Set both values to your policy, for example 900 seconds each, or a more restrictive value.
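The lockout, timeout and TLS items above are all host advanced settings, and lockdown mode and the firewall sit next to them in the API, so the whole ESXi section can be checked in one pass. The following PowerCLI example is added here and is not code from the original post: it audits every host against those values, remediates drift, pins SSH and web access to a placeholder management network, and enables normal lockdown while reporting the exception-user list. It assumes a Connect-VIServer session; the firewall part uses esxcli through Get-EsxCli because the allowed-IP list of a rule set is not exposed by a native cmdlet.

```powershell
Import-Module VMware.PowerCLI -ErrorAction Stop   # assumes Connect-VIServer has already been run

# Values from the items above. Compared as strings because PowerCLI returns mixed types.
$hostBaseline = @{
    'Security.AccountLockFailures'         = '5'                    # 3 to 5 per your policy
    'Security.AccountUnlockTime'           = '900'
    'UserVars.DcuiTimeOut'                 = '600'
    'UserVars.ESXiShellInteractiveTimeOut' = '900'                  # idle SSH / shell session
    'UserVars.ESXiShellTimeOut'            = '900'                  # SSH / shell services auto-disable
    'UserVars.ESXiVPsDisabledProtocols'    = 'sslv3,tlsv1,tlsv1.1'   # only TLS 1.2 left enabled
}
$mgmtNetworks = @('10.0.0.0/24')   # placeholder: the only network allowed to reach SSH and web access

function Get-HostSettingDrift {
    param([Parameter(Mandatory)]$VMHost)
    foreach ($key in $hostBaseline.Keys) {
        $s = Get-AdvancedSetting -Entity $VMHost -Name $key
        if ([string]$s.Value -ne $hostBaseline[$key]) {
            [pscustomobject]@{ Host = $VMHost.Name; Setting = $key; Expected = $hostBaseline[$key]; Actual = $s.Value }
        }
    }
}

function Set-HostSettingBaseline {
    param([Parameter(Mandatory)]$VMHost)
    foreach ($d in @(Get-HostSettingDrift -VMHost $VMHost)) {
        # ESXiVPsDisabledProtocols only takes effect after the host is rebooted.
        Get-AdvancedSetting -Entity $VMHost -Name $d.Setting |
            Set-AdvancedSetting -Value $d.Expected -Confirm:$false | Out-Null
    }
}

function Restrict-HostFirewall {
    param([Parameter(Mandatory)]$VMHost)
    $esxcli = Get-EsxCli -VMHost $VMHost -V2
    foreach ($ruleset in 'sshServer', 'webAccess') {
        # Add the allowed networks first, then switch the rule set off "any": the other order
        # would briefly block every source.
        $current = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = $ruleset })
        foreach ($net in $mgmtNetworks) {
            if ($current.AllowedIPAddresses -notcontains $net) {
                $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = $ruleset; ipaddress = $net }) | Out-Null
            }
        }
        $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = $ruleset; allowedall = $false }) | Out-Null
    }
}

function Set-HostLockdown {
    param(
        [Parameter(Mandatory)]$VMHost,
        [ValidateSet('lockdownNormal', 'lockdownStrict')][string]$Mode = 'lockdownNormal'
    )
    # HostAccessManager (vSphere 6.0 and later API) owns the lockdown mode and the exception users.
    $ham = Get-View $VMHost.ExtensionData.ConfigManager.HostAccessManager
    if ($ham.LockdownMode -ne $Mode) { $ham.ChangeLockdownMode($Mode) }
    $ham.UpdateViewData('LockdownMode')
    # Exception users bypass lockdown entirely: the list should be empty or service accounts only.
    [pscustomobject]@{
        Host           = $VMHost.Name
        LockdownMode   = $ham.LockdownMode
        ExceptionUsers = (@($ham.QueryLockdownExceptions()) -join ', ')
    }
}

foreach ($h in Get-VMHost) {
    Get-HostSettingDrift -VMHost $h | Format-Table -AutoSize
    Set-HostSettingBaseline -VMHost $h
    Restrict-HostFirewall -VMHost $h
    Set-HostLockdown -VMHost $h -Mode lockdownNormal
}
```

Run the drift report alone first; Restrict-HostFirewall in particular should be tested on one host from a workstation inside the allowed network, because a wrong CIDR locks you out of SSH and the host client until you fix it through vCenter.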
Securing vCenter Server
The first step in securing vCenter Server: if vCenter runs as a virtual machine, secure that virtual machine and the ESXi host it runs on as described above, because whoever controls that host controls vCenter.
- Restrict vCenter Server Access Control
- Create one or more named vCenter Server administrator accounts and assign them the Administrator role, rather than sharing the local Windows Administrator account or the built-in administrator@vsphere.local; named accounts give you an audit trail of who did what.
- Do not give administrative privileges to all users. Create custom roles with only the necessary privileges and assign them to different users on different inventory objects (a folder or cluster rather than the whole vCenter), so that the permission is scoped as well as limited.
- Restrict users from running commands inside virtual machines: remove the Virtual machine >> Guest operations privileges from the roles you assign. These privileges let a vCenter user run programs and transfer files inside guests through VMware Tools, a path that never touches the guest's network controls, so they belong only to roles that genuinely need them (for example an agentless backup service account).
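Building a role from an explicit privilege list, and auditing which existing roles still carry guest operations, is easier in PowerCLI than by clicking through the privilege tree. The following example is added here and is not code from the original post; it assumes a Connect-VIServer session, and the directory group and folder name are placeholders. The privilege set in New-VmOperatorRole is a starting point, not a recommendation for every environment.

```powershell
Import-Module VMware.PowerCLI -ErrorAction Stop   # assumes Connect-VIServer has already been run

# Placeholders: directory group that operates the VMs, and the inventory folder it may touch.
$principal = 'CORP\vm-operators'
$scope     = Get-Folder -Name 'Prod-Web' -Type VM

function New-VmOperatorRole {
    # Builds a role from an explicit privilege list instead of cloning Administrator, so nothing
    # under VirtualMachine.GuestOperations (run programs / move files inside guests) is present.
    param([string]$Name = 'VM Operator (no guest operations)')
    $privilegeIds = @(
        'System.Anonymous', 'System.View', 'System.Read',             # implicit in every role
        'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
        'VirtualMachine.Interact.Reset',   'VirtualMachine.Interact.Suspend',
        'VirtualMachine.Interact.ConsoleInteract',                    # drop this if console use is also restricted
        'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot',
        'VirtualMachine.State.RemoveSnapshot'
    )
    $existing = Get-VIRole -Name $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-VIRole -Name $Name -Privilege (Get-VIPrivilege -Id $privilegeIds)
}

function Get-GuestOperationsExposure {
    # Lists every role carrying a guest-operations privilege, who holds it and on which objects.
    $permissions = @(Get-VIPermission)
    foreach ($role in Get-VIRole) {
        $guestOps = @($role.PrivilegeList | Where-Object { $_ -like 'VirtualMachine.GuestOperations.*' })
        if ($guestOps.Count -eq 0) { continue }
        $holders = @($permissions | Where-Object { $_.Role -eq $role.Name })
        [pscustomobject]@{
            Role       = $role.Name
            GuestOps   = $guestOps.Count
            Principals = (($holders.Principal | Sort-Object -Unique) -join ', ')
            Entities   = (($holders.Entity.Name | Sort-Object -Unique) -join ', ')
        }
    }
}

function Remove-GuestOperationsFromRole {
    # Strips guest-operations privileges from a custom role; system roles such as Admin cannot be edited.
    param([Parameter(Mandatory)]$Role)
    $guestOps = @($Role.PrivilegeList | Where-Object { $_ -like 'VirtualMachine.GuestOperations.*' })
    if ($guestOps.Count -gt 0 -and -not $Role.IsSystem) {
        Set-VIRole -Role $Role -RemovePrivilege (Get-VIPrivilege -Id $guestOps) | Out-Null
    }
}

$role = New-VmOperatorRole
New-VIPermission -Entity $scope -Principal $principal -Role $role -Propagate $true | Out-Null

# Audit, then clean up the custom roles. Review the report before running the last line:
# a backup or agent service account may legitimately need guest operations.
Get-GuestOperationsExposure | Format-Table -AutoSize
Get-VIRole | Where-Object { -not $_.IsSystem } | ForEach-Object { Remove-GuestOperationsFromRole -Role $_ }
```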
- Protecting the vCenter Server Windows Host
- Protect the machine that vCenter Server runs on. Keep vCenter on a supported operating system; an unsupported OS receives no tested patches and no vendor support when something breaks.
- Keep the vCenter machine's operating system properly patched. This removes the known vulnerabilities an attacker would try first.
- Protect the operating system with up-to-date anti-virus and anti-malware software.
- vCenter password requirements and lockout behaviour. By default, passwords for vCenter Single Sign-On users are governed by the SSO password policy. You can change it by navigating to vCenter Home >> Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy.
In the same place you can configure the Single Sign-On Lockout Policy: how many consecutive failed login attempts lock an account and for how long. Set it so that administrator@vsphere.local cannot be brute-forced online, but remember that the same lockout lets an attacker deny service to that account, so keep a second, rarely used emergency administrator.
For better administration of users and groups, integrate vCenter with an identity source such as Active Directory or LDAP (use LDAPS) and manage vSphere access through directory groups.
- vCenter Server firewall configuration. VMware's documentation lists the required ports for vCenter Server and the Platform Services Controller (for example TCP 443 for the clients and API, TCP/UDP 902 for ESXi heartbeats and console traffic, and 389/636 for the PSC's LDAP/LDAPS) together with the additional TCP and UDP ports. Configure the Windows firewall on a Windows vCenter to block everything except the ports you actually use, and restrict the management ports to your admin networks. On the vCenter Server Appliance (vCSA) the firewall is managed from the appliance shell; from vCenter Server 6.7 Update 1 onwards the vCenter Server Appliance Management Interface (https://vcsa:5480) has a Firewall page where you can add allow and deny rules per source network.
Securing vSphere Networking
Securing vSphere networking is an important part of protecting the vSphere environment. Keep different network zones for different networks by isolating VMs of different trust levels in their own network segments, which minimizes the risk of data leaking from one network into another.
Use different physical NICs for different network segments to guarantee that those segments are isolated, or configure virtual or physical VLANs. For additional security you can place hardware or software firewalls between your systems, for example between the client systems and vCenter, or between the hosts and vCenter, so that only the documented management ports are reachable.
Let’s have a look into other security features that are available in vSphere networking
Securing Standard and Distributed Switch Ports with Security Policies
Each VMkernel port group and virtual machine port group on a standard switch (and each port group on a distributed switch) has a configurable security policy. The security policy determines how strictly the switch protects against impersonation and interception by the VMs attached to it.
The security policy on distributed port groups and ports includes the following options:
- MAC address changes. This policy controls inbound traffic. If a virtual machine's operating system changes the MAC address of its vNIC (the effective address) away from the one assigned in the VM configuration (the initial address), it can receive frames addressed to another MAC, which lets a VM impersonate a network adapter that the receiving network trusts. The option has two values, Accept and Reject. With Reject, a VM whose guest changes its effective MAC address stops receiving frames until it changes it back. Set it to Reject unless an application needs to change the MAC address, for example Microsoft Network Load Balancing in unicast mode, which shares a cluster MAC across the nodes. From the vSphere Web Client, for each port group of a distributed or standard switch go to Configure >> Settings >> Policies and verify that "MAC address changes" is set to Reject.
- Forged transmits. This policy controls outbound traffic. Without it the virtual switch does not compare the source MAC address of the frames a VM sends with the VM's effective MAC address, so a guest can send frames with any source address and impersonate another system on the segment; ARP spoofing and similar attacks build on exactly this. The option again has two values, Accept and Reject. Set "Forged transmits" to Reject on every standard and distributed switch and on every port group (a port group setting overrides the switch setting). With Reject, the host checks the source MAC of every frame the VM sends and drops frames whose source does not match the effective MAC address before they reach the wire.
- Promiscuous mode. When promiscuous mode is allowed on a standard switch or a distributed port group, every VM attached to it can see all frames on that segment, not only the ones addressed to it, which is exactly what a packet sniffer inside a compromised VM wants. It is set to Reject by default on ESXi, which is the recommended setting. If you need it for debugging, monitoring or an IDS sensor, allow it on a dedicated port group with its own VLAN and only for the VM that needs it; on a distributed switch prefer port mirroring to a single destination port over opening promiscuous mode for a whole port group. Promiscuous mode can be set at the vSwitch level and/or the port group level, and a port group setting overrides the switch setting.
As we have seen, security hardening happens at several layers, and it is an ongoing task rather than a one-off. We have discussed many controls above, and some of them conflict with one application or another (clustered MAC sharing, network sensors, backup agents that need guest operations), so we do not recommend applying all of them blindly. Go through every feature, test it against your own infrastructure, implement the ones that are compatible, and record and justify the exceptions.
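The three port-group policies described above are the place where a one-off exception (an NLB cluster, a capture sensor) tends to become the permanent state of a whole switch. The following PowerCLI example is added here and is not code from the original post; it reports the policy of every standard and distributed port group, flags anything that is not Reject/Reject/Reject apart from a named exception list, and remediates. It assumes a Connect-VIServer session, and the port group names in the exception table are placeholders.

```powershell
Import-Module VMware.PowerCLI -ErrorAction Stop   # assumes Connect-VIServer has already been run

# Port groups with a documented reason to deviate from Reject/Reject/Reject (placeholder names).
# Anything not listed here gets the default-deny policy.
$exceptions = @{
    'pg-ids-sensor'  = @{ AllowPromiscuous = $true }                      # packet-capture sensor
    'pg-nlb-unicast' = @{ MacChanges = $true; ForgedTransmits = $true }   # NLB unicast shares a MAC
}

function Resolve-PortGroupPolicy {
    param([Parameter(Mandatory)][string]$Name)
    $want = @{ AllowPromiscuous = $false; MacChanges = $false; ForgedTransmits = $false }
    if ($exceptions.ContainsKey($Name)) {
        foreach ($k in $exceptions[$Name].Keys) { $want[$k] = $exceptions[$Name][$k] }
    }
    $want
}

function Test-PolicyCompliant {
    param($Policy, $Want)
    ($Policy.AllowPromiscuous -eq $Want.AllowPromiscuous) -and
    ($Policy.MacChanges -eq $Want.MacChanges) -and
    ($Policy.ForgedTransmits -eq $Want.ForgedTransmits)
}

function Get-PortGroupPolicyReport {
    # One row per standard and distributed port group, flagging deviations from the expected policy.
    foreach ($h in Get-VMHost) {
        foreach ($pg in Get-VirtualPortGroup -VMHost $h -Standard) {
            $p = Get-SecurityPolicy -VirtualPortGroup $pg
            [pscustomobject]@{
                Type = 'vSS'; Host = $h.Name; PortGroup = $pg.Name
                Promiscuous = $p.AllowPromiscuous; MacChanges = $p.MacChanges; ForgedTransmits = $p.ForgedTransmits
                Compliant = Test-PolicyCompliant -Policy $p -Want (Resolve-PortGroupPolicy -Name $pg.Name)
            }
        }
    }
    foreach ($pg in (Get-VDPortgroup | Where-Object { -not $_.IsUplink })) {
        $p = Get-VDSecurityPolicy -VDPortgroup $pg
        [pscustomobject]@{
            Type = 'vDS'; Host = '-'; PortGroup = $pg.Name
            Promiscuous = $p.AllowPromiscuous; MacChanges = $p.MacChanges; ForgedTransmits = $p.ForgedTransmits
            Compliant = Test-PolicyCompliant -Policy $p -Want (Resolve-PortGroupPolicy -Name $pg.Name)
        }
    }
}

function Set-PortGroupPolicyBaseline {
    foreach ($h in Get-VMHost) {
        # Switch level first (the inherited default), then each port group (which overrides the switch).
        foreach ($vs in Get-VirtualSwitch -VMHost $h -Standard) {
            Get-SecurityPolicy -VirtualSwitch $vs |
                Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
        }
        foreach ($pg in Get-VirtualPortGroup -VMHost $h -Standard) {
            $want = Resolve-PortGroupPolicy -Name $pg.Name
            Get-SecurityPolicy -VirtualPortGroup $pg | Set-SecurityPolicy @want | Out-Null
        }
    }
    foreach ($pg in (Get-VDPortgroup | Where-Object { -not $_.IsUplink })) {
        $want = Resolve-PortGroupPolicy -Name $pg.Name
        Get-VDSecurityPolicy -VDPortgroup $pg | Set-VDSecurityPolicy @want | Out-Null
    }
}

# Report the non-compliant port groups, then enforce the baseline (exceptions included).
Get-PortGroupPolicyReport | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Set-PortGroupPolicyBaseline
```

Keeping the exception table in the script (or better, in version control) is the point: the report only turns green when every deviation from Reject is one you have written down.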