VCP6-DCV Exam Cram Notes: Section 1 of 10

Section 1 – Configure and Administer vSphere 6.x Security

Objective 1.1 – Configure and Administer Role Based Access Control

vSphere 6.x has four permission models, and a user's effective rights are the result of whichever of them apply:
- vCenter Server permissions (a role assigned to a user or group on an inventory object, optionally propagated to child objects)
- Global permissions (assigned at the global root object, so they span every solution that shares the Platform Services Controller)
- Group membership in vsphere.local groups (for example Administrators or LicenseService.Administrators)
- ESXi local host permissions (assigned directly on a host, independent of vCenter Server)

Default user: administrator@vsphere.local
License management group: LicenseService.Administrators

Out of the box, vCenter provides several default roles that cannot be deleted or modified:
- Administrator
- Read-Only
- No Access
- Tagging Admin

Out of the box, vCenter provides several sample roles which can be deleted and modified:
- Resource Pool Administrator
- Virtual Machine User
- VMware Consolidated Backup User
- Datastore Consumer
- Network Administrator
- Virtual Machine Power User
- Content Library Administrator

Determine the Appropriate Set of Privileges for Common Tasks in vCenter Server

Required privileges for: Create a virtual machine
- Virtual machine.Inventory.Create new
- Virtual machine.Configuration.Add new disk (new disk)
- Virtual machine.Configuration.Add existing disk (existing disk)
- Virtual machine.Configuration.Raw device (RDM or SCSI pass-through)
- Resource.Assign virtual machine to resource pool
- Datastore.Allocate space
- Network.Assign network

Required privileges for: Deploy a virtual machine from a template
- Virtual machine.Inventory.Create from existing
- Virtual machine.Configuration.Add new disk
- Virtual machine.Provisioning.Deploy template
- Resource.Assign virtual machine to resource pool
- Datastore.Allocate space
- Network.Assign network

Required privileges for: Take a virtual machine snapshot
- Virtual machine.Snapshot management.Create snapshot
- Datastore.Allocate space

Required privileges for: Move a virtual machine into a resource pool
- Resource.Assign virtual machine to resource pool (*2)
- Virtual machine.Inventory.Move

Required privileges for: Install a guest operating system on a virtual machine
- Virtual machine.Interaction.Answer question
- Virtual machine.Interaction.Console interaction
- Virtual machine.Interaction.Device connection
- Virtual machine.Interaction.Power Off
- Virtual machine.Interaction.Power On
- Virtual machine.Interaction.Reset
- Virtual machine.Interaction.Configure CD media (install from CD)
- Virtual machine.Interaction.Configure floppy media (install from floppy)
- Virtual machine.Interaction.VMware Tools install
- Datastore.Browse datastore
- Datastore.Low level file operations

Required privileges for: Migrate a virtual machine with vMotion
- Resource.Migrate powered on virtual machine
- Resource.Assign Virtual Machine to Resource Pool (*2) (different destination)

Required privileges for: Cold migrate (relocate) a virtual machine
- Resource.Migrate powered off virtual machine
- Resource.Assign virtual machine to resource pool (*2) (different destination)
- Datastore.Allocate space

Required privileges for: Migrate a virtual machine with Storage vMotion
- Resource.Migrate powered on virtual machine
- Datastore.Allocate space

Required privileges for: Move a host into a cluster
- Host.Inventory.Add host to cluster (*2)

Note: *2 marks a privilege that must be held on two objects, for example on the virtual machine and on the destination host, cluster or resource pool. Holding it on only one of them fails the check even when the role itself is sufficient.
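To make the two-object rule and vSphere's permission inheritance concrete, here is an added example (not VMware code and not part of the original notes) that models how vCenter resolves a user's effective privileges on a small constructed inventory and then checks the vMotion privilege list above on both objects. The inventory, users, groups and the custom roles "VM Operator" and "Pool Consumer" are assumptions built for the illustration; the system role names and privilege labels are the ones used in these notes.

```python
"""Model of vSphere 6.x permission resolution (added illustration, not VMware code).

Documented rules modelled here: a permission propagates to child objects only when
its propagate flag is set; a permission defined on a child overrides one inherited
from a parent; on the same object a permission granted to the user directly
overrides group permissions, otherwise group roles are unioned. Inventory, users,
groups and the two custom roles are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class InvObject:
    name: str
    parent: "InvObject | None" = None
    # permissions assigned directly on this object: (principal, role, propagate)
    permissions: list = field(default_factory=list)


ROLES = {
    # system roles
    "Administrator": {"*"},   # "*" stands for every privilege
    "Read-Only": set(),       # can view the object, holds no task privileges
    "No Access": set(),
    # constructed custom roles (assumptions for this example)
    "VM Operator": {
        "Virtual machine.Interaction.Power On",
        "Virtual machine.Interaction.Power Off",
        "Resource.Migrate powered on virtual machine",
    },
    "Pool Consumer": {"Resource.Assign virtual machine to resource pool"},
}

# task -> (object the privilege must be held on, privilege), from the lists above
TASKS = {
    "vMotion": [
        ("vm", "Resource.Migrate powered on virtual machine"),
        ("destination", "Resource.Assign virtual machine to resource pool"),
    ],
    "Move VM into resource pool": [
        ("vm", "Virtual machine.Inventory.Move"),
        ("destination", "Resource.Assign virtual machine to resource pool"),
    ],
}


def effective_privileges(obj, user, groups):
    """Privileges `user` (member of `groups`) holds on `obj`.

    Walks from the object toward the root and stops at the first object carrying
    an applicable permission, so a child permission beats an inherited one.
    Non-propagating permissions apply only to the object they are set on."""
    principals = {user, *groups}
    node, inherited = obj, False
    while node is not None:
        applicable = [(p, role) for p, role, propagate in node.permissions
                      if p in principals and (propagate or not inherited)]
        if applicable:
            direct = [role for p, role in applicable if p == user]
            roles = direct if direct else [role for _, role in applicable]
            return set().union(*(ROLES[r] for r in roles))
        node, inherited = node.parent, True
    return set()


def missing_privileges(task, targets, user, groups):
    """Return [(object name, privilege)] the user lacks for `task`; empty means allowed."""
    missing = []
    for key, privilege in TASKS[task]:
        obj = targets[key]
        held = effective_privileges(obj, user, groups)
        if "*" not in held and privilege not in held:
            missing.append((obj.name, privilege))
    return missing


# constructed inventory: Datacenter > Cluster > {RP-Dev > web01, db01; RP-Prod}
dc = InvObject("Datacenter")
cluster = InvObject("Cluster", dc)
rp_dev = InvObject("RP-Dev", cluster)
rp_prod = InvObject("RP-Prod", cluster)
web01 = InvObject("web01", rp_dev)
db01 = InvObject("db01", rp_dev)

# the group operates every VM in the cluster; only alice may place VMs in RP-Prod;
# alice is explicitly locked out of db01 (child permission overrides the inherited one)
cluster.permissions.append(("vm-operators", "VM Operator", True))
rp_prod.permissions.append(("alice", "Pool Consumer", False))
db01.permissions.append(("alice", "No Access", True))
dc.permissions.append(("bob", "Read-Only", True))


def demo():
    """vMotion checks for the constructed users; each value is the missing list."""
    groups = {"alice": ["vm-operators"], "bob": []}
    return {
        "alice_web01_to_prod": missing_privileges(
            "vMotion", {"vm": web01, "destination": rp_prod}, "alice", groups["alice"]),
        "alice_db01_to_prod": missing_privileges(
            "vMotion", {"vm": db01, "destination": rp_prod}, "alice", groups["alice"]),
        "bob_web01_to_prod": missing_privileges(
            "vMotion", {"vm": web01, "destination": rp_prod}, "bob", groups["bob"]),
    }


if __name__ == "__main__":
    for case, missing in demo().items():
        print(case, "allowed" if not missing else missing)
```

alice can migrate web01 into RP-Prod because the migrate privilege comes from the group permission on the cluster and the assign privilege from her direct, non-propagating permission on RP-Prod; the same migration of db01 fails because the No Access permission set directly on db01 wins over the inherited group role. bob holds Read-Only everywhere and is short on both objects.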

Objective 1.2 – Secure ESXi, vCenter Server, and vSphere Virtual Machines

ESXi Firewall services can be configured with one of 3 Startup Policies:
- Start and stop with host
- Start and stop manually
- Start and stop with port usage

Lockdown mode supports 3 configurations:
- Disabled - Lockdown mode is disabled
- Normal - The host is accessible only through the local console or vCenter Server
- Strict - The host is accessible only through vCenter Server. The Direct Console UI service is stopped.

Note: vSphere 6 "Exception Users" keep their permissions when the host enters lockdown mode. They are not granted anything extra; they only retain the host permissions they already hold, so the list is intended for service accounts (backup, monitoring agents), not for administrators.
Note: Lockdown mode can be enabled from the Direct Console User Interface (DCUI) or from the vSphere Web Client. The DCUI enables normal lockdown mode only; strict mode must be set from the Web Client. Users named in the DCUI.Access host advanced setting can still log in to the DCUI in normal lockdown mode without being administrators.

Network security policies can be configured on vSphere Standard Switches (VSS) and vSphere Distributed Switches (VDS), at the switch level or per port group (a port group setting overrides the switch setting):
- MAC Address Changes
- Forged Transmits
- Promiscuous Mode*

Defaults on a VSS: MAC Address Changes and Forged Transmits are Accept, Promiscuous Mode is Reject; on a VDS all three default to Reject. Rejecting MAC Address Changes and Forged Transmits stops a guest from impersonating another virtual machine's MAC address; the usual reasons to leave them on Accept are Microsoft NLB in unicast mode and nested ESXi.

*Set Promiscuous Mode to Accept only for troubleshooting or sniffing: it lets a virtual NIC on that port group see all frames passing over the same vSwitch and VLAN, which is how traffic from multiple virtual machines is captured at one point. Visibility does not cross vSwitches, so virtual machines on separate vSwitches need a promiscuous port on each, and the setting should be confined to a dedicated port group rather than enabled on the whole switch.

Note: An ESXi Host can be added to a Directory Service (join domain)
Note: Permissions can be applied to ESXi Hosts using Host Profiles

Virtual Machine Security Best Practices:
- Use templates to deploy virtual machines
- Minimize use of virtual machine console
- Prevent virtual machines from taking over resources
- Disable unnecessary functions inside virtual machines
- Remove unnecessary hardware devices
- Disable unused display features
- Disable unexposed features
- Disable HGFS file transfers
- Disable copy and paste operations between guest operating system and remote console
- Limiting exposure of sensitive data copied to the Clipboard
- Restrict users from running commands within a virtual machine
- Prevent a virtual machine user or process from disconnecting devices
- Modify guest operating system variable memory limit
- Prevent guest operating system process from sending configuration messages to the host
- Avoid using Independent Nonpersistent Disks
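Most of the items above correspond to per-VM advanced settings in the .vmx file. The following is an added example (not VMware tooling and not part of the original notes) that audits a VMX against a hardening baseline and produces the corrected configuration, so the weak and the hardened settings can be compared side by side. The keys and values are the settings the vSphere 6.x security documentation uses for these practices, but treat the baseline as an assumption to confirm against the hardening guide for your release before enforcing it. The VMX text is constructed sample input.

```python
"""Audit a .vmx against VM hardening settings (added example, not VMware tooling).

Baseline keys/values are assumed from the vSphere 6.x security documentation;
verify them against the hardening guide for your release. VMX_SAMPLE is
constructed sample input."""
import re

# key -> expected value (compared case-insensitively)
HARDENING_BASELINE = {
    "isolation.tools.copy.disable": "TRUE",          # copy/paste with the remote console
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE", # clipboard exposure via GUI options
    "isolation.tools.hgfsServerSet.disable": "TRUE", # HGFS file transfers
    "isolation.device.connectable.disable": "TRUE",  # guest user/process disconnecting devices
    "isolation.device.edit.disable": "TRUE",
    "isolation.tools.setinfo.disable": "TRUE",       # guest -> host configuration messages
    "isolation.tools.unity.disable": "TRUE",         # unexposed (non-vSphere) features
    "isolation.tools.getCreds.disable": "TRUE",
    "mks.enable3d": "FALSE",                         # unused display features
}
# guest variable memory limit in bytes; larger values let a guest consume more host memory
SETINFO_SIZE_LIMIT_MAX = 1048576
# hardware a server VM rarely needs; each present device is extra attack surface
UNNEEDED_DEVICES = re.compile(r"^(floppy|serial|parallel|usb)\d*\.present$")

VMX_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')

VMX_SAMPLE = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "11"
displayName = "web01"
guestOS = "other3xlinux-64"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
isolation.tools.setGUIOptions.enable = "FALSE"
isolation.tools.hgfsServerSet.disable = "FALSE"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
isolation.tools.setinfo.disable = "TRUE"
isolation.tools.unity.disable = "TRUE"
isolation.tools.getCreds.disable = "TRUE"
mks.enable3d = "FALSE"
tools.setInfo.sizeLimit = "2097152"
floppy0.present = "TRUE"
serial0.present = "TRUE"
serial0.fileType = "pipe"
ethernet0.present = "TRUE"
"""


def parse_vmx(text):
    """Parse `key = "value"` lines into a dict keyed by the lowercased key."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit_vmx(cfg):
    """Return sorted (key, expected, actual) findings; an empty list means compliant."""
    findings = []
    for key, expected in HARDENING_BASELINE.items():
        actual = cfg.get(key.lower())
        if actual is None:
            findings.append((key, expected, "<not set>"))   # hypervisor default applies
        elif actual.upper() != expected:
            findings.append((key, expected, actual))
    limit = cfg.get("tools.setinfo.sizelimit")
    if limit is None or not limit.isdigit() or int(limit) > SETINFO_SIZE_LIMIT_MAX:
        findings.append(("tools.setInfo.sizeLimit",
                         f"<= {SETINFO_SIZE_LIMIT_MAX}", limit or "<not set>"))
    for key, value in cfg.items():
        if UNNEEDED_DEVICES.match(key) and value.upper() == "TRUE":
            findings.append((key, "FALSE (remove device)", value))
    return sorted(findings)


def harden(cfg):
    """Return a copy of cfg with the baseline applied and unneeded devices disabled."""
    fixed = dict(cfg)
    for key, expected in HARDENING_BASELINE.items():
        fixed[key.lower()] = expected
    fixed["tools.setinfo.sizelimit"] = str(SETINFO_SIZE_LIMIT_MAX)
    for key in cfg:
        if UNNEEDED_DEVICES.match(key):
            fixed[key] = "FALSE"
    return fixed


if __name__ == "__main__":
    config = parse_vmx(VMX_SAMPLE)
    for key, expected, actual in audit_vmx(config):
        print(f"{key}: expected {expected}, found {actual}")
    print("after hardening:", audit_vmx(harden(config)))
```

On the sample the audit flags the paste and HGFS settings left enabled, the oversized setInfo limit, and the floppy and serial devices; the hardened copy passes cleanly. Note that `harden` only rewrites the dictionary: applying it to a real VM still means editing the .vmx with the VM powered off or setting the same keys as VM advanced options.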

New to vSphere 6 is the VMware Certificate Authority (VMCA) feature. Using the VMCA you can manage certificates in 3 ways:
- VMCA Default
- Make VMCA an Intermediate CA
- Do not use the VMCA

Note: By default the VMCA root certificate expires after 10 years.

Utilities to manage vCenter Server certificates:
- vSphere Certificate Manager Utility
- Certificate management CLIs (dir-cli, certool, vecs-cli)
- vSphere Web Client

Regarding vSphere certificates:
- An ESXi host upgrade preserves the host's existing SSL certificate
- ESXi hosts are provisioned with SSL certificates signed by the VMware Certificate Authority (VMCA) during install, or when they are added to vCenter Server

Objective 1.3 – Enable SSO & Active Directory Integration

Configuration of the VMware Single Sign-On service can only be completed via the vSphere Web Client.

Identity source types:
- Active Directory (Integrated Windows Authentication)
- Active Directory as an LDAP Server
- OpenLDAP
- LocalOS

New to vSphere 6.0 is the Platform Services Controller (PSC). The PSC is comprised of:
- vCenter Single Sign-On
- vSphere License Service
- VMware Certificate Authority

Deploying vCenter Server with PSC deployment methods:
- vCenter Server with an embedded PSC
- vCenter Server with an external PSC*
*Must first deploy the PSC
Note: Cannot switch models after deployment

Advantages of vCenter Server with an embedded PSC:
- Connection between vCenter and PSC is not over the network
- Fewer virtual machines or physical servers
- Do not need a load balancer to distribute the load across PSCs

Disadvantages of vCenter Server with an embedded PSC:
- There is a PSC for each product which might be more than required (consumes more resources)
- Only suitable for small-scale environments

Advantages of vCenter Server with an external PSC:
- Your environment can consist of more vCenter Server instances

In vSphere 6, the VMware Certificate Authority (VMCA) provisions each new ESXi host with a signed certificate using the VMCA as the root authority.

3 certificate modes supported in vSphere 6.x:
- VMCA
- Custom Certificate Authority
- Thumbprint mode (legacy; kept for compatibility with vSphere 5.5 hosts and not recommended for new deployments)
