Section 1 – Configure and Administer vSphere 6.x Security
Objective 1.1 – Configure and Administer Role Based Access Control
In VMware there are 4 types of permissions that can be leveraged:
- vCenter Server Permissions
- Global Permissions
- Group Membership in vSphere.local Groups
- ESXi Local Host Permissions
Default user: administrator@vsphere.local
License management group: LicenseService.Administrators
Out of the box, vCenter provides several default roles
that cannot be deleted or modified:
- Administrator
- Read-Only
- No Access
- Tagging Admin
Out of the box, vCenter provides several sample roles
which can be deleted and modified:
- Resource Pool Administrator
- Virtual Machine User
- VMware Consolidated Backup User
- Datastore Consumer
- Network Administrator
- Virtual Machine Power User
- Content Library Administrator
Determine the Appropriate Set of Privileges for Common Tasks in vCenter Server
Required privileges for: Create a virtual machine
- Virtual machine.Inventory.Create new
- Virtual machine.Configuration.Add new disk (new disk)
- Virtual machine.Configuration.Add existing disk (existing disk)
- Virtual machine.Configuration.Raw device (RDM or SCSI pass-through)
- Resource.Assign virtual machine to resource pool
- Datastore.Allocate space
- Network.Assign network
Required privileges for: Deploy a virtual machine from a template
- Virtual machine.Inventory.Create from existing
- Virtual machine.Configuration.Add new disk
- Virtual machine.Provisioning.Deploy template
- Resource.Assign virtual machine to resource pool
- Datastore.Allocate space
- Network.Assign network
Required privileges for: Take a virtual machine snapshot
- Virtual machine.Snapshot management.Create snapshot
- Datastore.Allocate space
Required privileges for: Move a virtual machine into a resource pool
- Resource.Assign virtual machine to resource pool (*2)
- Virtual machine.Inventory.Move
Required privileges for: Install a guest operating system on a virtual machine
- Virtual machine.Interaction.Answer question
- Virtual machine.Interaction.Console interaction
- Virtual machine.Interaction.Device connection
- Virtual machine.Interaction.Power Off
- Virtual machine.Interaction.Power On
- Virtual machine.Interaction.Reset
- Virtual machine.Interaction.Configure CD media (install from CD)
- Virtual machine.Interaction.Configure floppy media (install from floppy)
- Virtual machine.Interaction.VMware Tools install
- Datastore.Browse datastore
- Datastore.Low level file operations
Required privileges for: Migrate a virtual machine with vMotion
- Resource.Migrate powered on virtual machine
- Resource.Assign virtual machine to resource pool (*2) (different destination)
Required privileges for: Cold migrate (relocate) a virtual machine
- Resource.Migrate powered off virtual machine
- Resource.Assign virtual machine to resource pool (*2) (different destination)
- Datastore.Allocate space
Required privileges for: Migrate a virtual machine with Storage vMotion
- Resource.Migrate powered on virtual machine
- Datastore.Allocate space
Required privileges for: Move a host into a cluster
- Host.Inventory.Add host to cluster (*2)
Note: *2 marks a privilege that must be applied in 2 different places (for example on both the source and the destination object).
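As an added example (PowerCLI, not code from the study notes), the following builds a custom role holding exactly the two privileges listed above for taking a snapshot and grants it in the two places the task touches: the VMs and the datastore. The vCenter name, AD group, folder and datastore names are assumptions for your own environment.

```powershell
# Added example, not from the study notes: a least-privilege custom role for
# "Take a virtual machine snapshot", granted to an AD group on a VM folder and on
# the datastore. Assumes PowerCLI; server, group, folder and datastore names are
# placeholders for your environment.
$vcenter   = "vcenter.example.com"
$group     = "EXAMPLE\VM-Snapshot-Operators"
$vmFolder  = "Prod-Web"
$datastore = "Prod-DS01"
$roleName  = "Snapshot Operator"

Connect-VIServer -Server $vcenter | Out-Null

# The two privileges the notes list, referenced by privilege ID
# (display names: Virtual machine.Snapshot management.Create snapshot,
#  Datastore.Allocate space).
$privIds = @("VirtualMachine.State.CreateSnapshot", "Datastore.AllocateSpace")
$privs   = Get-VIPrivilege -Id $privIds

# Built-in roles cannot be modified, so a narrow task gets its own custom role.
# Create it only if it does not exist yet so the script can be re-run safely.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privs
}

# The privileges apply in two places: on the VMs (here, a folder whose
# permission propagates to its VMs) and on the datastore the snapshot files
# are written to. The datastore permission does not need to propagate.
$folderObj = Get-Folder -Name $vmFolder -Type VM
$dsObj     = Get-Datastore -Name $datastore
New-VIPermission -Entity $folderObj -Principal $group -Role $role -Propagate $true  | Out-Null
New-VIPermission -Entity $dsObj     -Principal $group -Role $role -Propagate $false | Out-Null

# Verify: the group should hold only this role, and only on these two objects.
Get-VIPermission -Principal $group |
    Select-Object Principal, Role, Propagate, @{N = "Entity"; E = { $_.Entity.Name }} |
    Format-Table -AutoSize

# Audit: any other role assigned to this group is drift from the
# least-privilege intent and should be explained or removed.
Get-VIPermission -Principal $group | Where-Object { $_.Role -ne $roleName } |
    ForEach-Object { Write-Warning "$($_.Principal) holds '$($_.Role)' on $($_.Entity.Name)" }
```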
Objective 1.2 – Secure ESXi, vCenter Server, and vSphere Virtual Machines
ESXi Firewall services can be configured with one of 3 Startup Policies:
- Start and stop with host
- Start and stop manually
- Start and stop with port usage
Lockdown mode supports 3 configurations:
- Disabled - Lockdown mode is disabled
- Normal - The host is accessible only through the local console or vCenter Server
- Strict - The host is accessible only through vCenter Server. The Direct Console UI service is stopped.
Note: In vSphere 6, “Exception Users” keep their permissions when the host enters lockdown mode.
Note: Lockdown Mode can also be configured via the Direct Console User Interface (DCUI): Configure Lockdown Mode > Enable lockdown mode.
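As an added example (PowerCLI, not code from the study notes), this script applies the two host settings just described: it sets the startup policy of the SSH and ESXi Shell services to manual and moves a host from disabled to normal lockdown mode after listing the exception users. The host name is a placeholder; the three `-Policy` values and the `HostAccessManager` mode names are the vSphere 6.x ones.

```powershell
# Added example, not from the study notes: inspect and enforce the two ESXi host
# settings described above (service startup policy and lockdown mode).
# Assumes PowerCLI with an open vCenter session; the host name is a placeholder.
$hostName = "esxi01.example.com"
$vmhost   = Get-VMHost -Name $hostName

# 1. Service startup policy. PowerCLI's -Policy values map to the three
#    options: on = start and stop with host, off = start and stop manually,
#    automatic = start and stop with port usage.
#    SSH (TSM-SSH) and the ESXi Shell (TSM) should not start with the host.
foreach ($key in @("TSM-SSH", "TSM")) {
    $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq $key }
    if ($svc.Policy -ne "off") {
        Set-VMHostService -HostService $svc -Policy "off" -Confirm:$false | Out-Null
    }
    if ($svc.Running) {
        Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
    }
}

# 2. Lockdown mode through the vSphere 6.x HostAccessManager managed object.
#    Modes: lockdownDisabled, lockdownNormal (DCUI still available),
#    lockdownStrict (DCUI service stopped).
$accessMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
Write-Host ("{0}: lockdown mode is {1}" -f $hostName, $accessMgr.LockdownMode)

# Exception users keep their permissions in lockdown mode. Review the list
# before enabling: it should contain the break-glass account you rely on
# and nothing else.
$exceptions = @($accessMgr.QueryLockdownExceptions())
Write-Host ("Exception users: {0}" -f $(if ($exceptions) { $exceptions -join ", " } else { "<none>" }))

if ($accessMgr.LockdownMode -eq "lockdownDisabled") {
    $accessMgr.ChangeLockdownMode("lockdownNormal")
    $accessMgr.UpdateViewData("LockdownMode")
    Write-Host ("{0}: lockdown mode is now {1}" -f $hostName, $accessMgr.LockdownMode)
}
```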
Network Security Policies can be configured on vSphere Standard Switches (VSS) and vSphere Distributed Switches (VDS) at the switch or Port Group level:
- MAC Address Changes
- Forged Transmissions
- Promiscuous Mode*
*Promiscuous Mode (Security Policy) is used to gain visibility (troubleshooting/sniffing) into the network traffic of multiple virtual machines on the vSwitches in a vSphere 6.x environment.
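As an added example (PowerCLI, not code from the study notes), this audit reads the three security policy settings from every standard and distributed port group and flags any that Accept, with promiscuous mode tolerated only on an explicitly approved list. The approved port group name is a placeholder.

```powershell
# Added example, not from the study notes: audit every VSS and VDS port group's
# security policy and flag any setting left at Accept. Assumes PowerCLI (core and
# VDS modules) with an open vCenter session; the exception list is a placeholder.
$approvedPromiscuous = @("Monitoring-PG")   # port groups allowed to sniff

$findings = @()

# vSphere Standard Switch port groups. A port group may override the switch
# setting, so the effective value is read per port group. Get-VirtualPortGroup
# returns one object per host for the same port group name.
foreach ($pg in Get-VirtualPortGroup -Standard) {
    $pol = Get-SecurityPolicy -VirtualPortGroup $pg
    $findings += [pscustomobject]@{
        Type             = "VSS"
        Switch           = $pg.VirtualSwitchName
        PortGroup        = $pg.Name
        AllowPromiscuous = [bool]$pol.AllowPromiscuous
        MacChanges       = [bool]$pol.MacChanges
        ForgedTransmits  = [bool]$pol.ForgedTransmits
    }
}

# vSphere Distributed Switch port groups
foreach ($pg in Get-VDPortgroup) {
    $pol = Get-VDSecurityPolicy -VDPortgroup $pg
    $findings += [pscustomobject]@{
        Type             = "VDS"
        Switch           = $pg.VDSwitch.Name
        PortGroup        = $pg.Name
        AllowPromiscuous = [bool]$pol.AllowPromiscuous
        MacChanges       = [bool]$pol.MacChanges
        ForgedTransmits  = [bool]$pol.ForgedTransmits
    }
}

# Baseline: all three policies Reject. MAC changes and forged transmits have no
# approved use here; promiscuous mode is tolerated only on listed port groups.
$violations = $findings | Where-Object {
    $_.MacChanges -or $_.ForgedTransmits -or
    ($_.AllowPromiscuous -and $approvedPromiscuous -notcontains $_.PortGroup)
}
$violations | Sort-Object Type, Switch, PortGroup -Unique | Format-Table -AutoSize

# Remediation for a standard port group is one call per port group, e.g.:
#   Get-SecurityPolicy -VirtualPortGroup $pg |
#       Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false
```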
Note: An ESXi Host can be added to a Directory Service (join domain).
Note: Permissions can be applied to ESXi Hosts using Host Profiles.
Virtual Machine Security Best Practices:
- Use templates to deploy virtual machines
- Minimize use of the virtual machine console
- Prevent virtual machines from taking over resources
- Disable unnecessary functions inside virtual machines
- Remove unnecessary hardware devices
- Disable unused display features
- Disable unexposed features
- Disable HGFS file transfers
- Disable copy and paste operations between the guest operating system and the remote console
- Limit exposure of sensitive data copied to the clipboard
- Restrict users from running commands within a virtual machine
- Prevent a virtual machine user or process from disconnecting devices
- Modify the guest operating system variable memory limit
- Prevent guest operating system processes from sending configuration messages to the host
- Avoid using Independent Nonpersistent Disks
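As an added example (PowerCLI, not code from the study notes), this script maps several of the best practices above to the VM advanced settings that implement them, reports every VM in a folder that deviates, and can write the baseline back. The setting names are the ones VMware's hardening guidance uses; the folder name is a placeholder.

```powershell
# Added example, not from the study notes: report and remediate the VM advanced
# settings behind several of the best practices above. Assumes PowerCLI with an
# open vCenter session; the setting names come from VMware's hardening guidance
# and the folder name is a placeholder.
$folder = "Prod-Web"

# Best practice -> advanced setting. Values are the strings stored in the VMX.
$baseline = [ordered]@{
    "isolation.tools.copy.disable"          = "TRUE"     # copy/paste with remote console
    "isolation.tools.paste.disable"         = "TRUE"
    "isolation.tools.hgfsServerSet.disable" = "TRUE"     # HGFS file transfers
    "isolation.device.connectable.disable"  = "TRUE"     # user/process disconnecting devices
    "isolation.device.edit.disable"         = "TRUE"
    "isolation.tools.setinfo.disable"       = "TRUE"     # guest -> host configuration messages
    "tools.setInfo.sizeLimit"               = "1048576"  # guest variable memory limit (bytes)
}

# Returns one object per setting that is missing or differs from the baseline.
function Get-VMHardeningDrift {
    param($VM)
    $current = @{}
    foreach ($s in Get-AdvancedSetting -Entity $VM) { $current[$s.Name] = [string]$s.Value }
    foreach ($name in $baseline.Keys) {
        if ($current[$name] -ne $baseline[$name]) {
            [pscustomobject]@{
                VM = $VM.Name; Setting = $name
                Current  = $(if ($current.ContainsKey($name)) { $current[$name] } else { "<unset>" })
                Expected = $baseline[$name]
            }
        }
    }
}

# Writes the baseline value; -Force overwrites an existing setting. These VMX
# settings take effect at the next power cycle of the VM.
function Set-VMHardeningBaseline {
    param($VM)
    foreach ($d in Get-VMHardeningDrift -VM $VM) {
        New-AdvancedSetting -Entity $VM -Name $d.Setting -Value $d.Expected -Force -Confirm:$false | Out-Null
    }
}

$vms   = Get-Folder -Name $folder -Type VM | Get-VM
$drift = $vms | ForEach-Object { Get-VMHardeningDrift -VM $_ }
$drift | Format-Table -AutoSize

# Remediate only after reviewing the report; templates, not live fixes, should
# be the normal way these settings reach new VMs (first best practice above).
# $vms | ForEach-Object { Set-VMHardeningBaseline -VM $_ }
```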
New to vSphere 6 is the VMware Certificate Authority (VMCA) feature. Using the VMCA you can manage certificates in 3 ways:
- VMCA Default
- Make VMCA an Intermediate CA
- Do not use the VMCA
Note: By default the VMCA root certificate expires after 10 years.
Utilities to manage vCenter Server certificates:
- vSphere Certificate Manager Utility
- Certificate Management CLIs (dir-cli, certool, vecs-cli)
- vSphere Web Client
Regarding vSphere certificates:
- ESXi host upgrades preserve the existing SSL certificate
- ESXi hosts are assigned SSL certificates from the VMware Certificate Authority (VMCA) during install
Objective 1.3 – Enable SSO & Active Directory Integration
Configuration of the VMware Single Sign-On service can only be completed via the vSphere Web Client.
Identity source types:
- Active Directory
- Active Directory as an LDAP Server
- Open LDAP
- Local OS
New to vSphere 6.0 is the Platform Services Controller
(PSC). The PSC is comprised of:
- vCenter Single Sign-On
- vSphere License Service
- VMware Certificate Authority
vCenter Server with PSC deployment models:
- vCenter Server with an embedded PSC
- vCenter Server with an external PSC*
*The PSC must be deployed first.
Note: You cannot switch models after deployment.
Advantages of vCenter Server with an embedded PSC:
- Connection between vCenter and PSC is not over the network
- Fewer virtual machines or physical servers
- No load balancer is needed to distribute the load across PSCs
Disadvantages of vCenter Server with an embedded PSC:
- There is a PSC for each product, which might be more than required (consumes more resources)
- Only suitable for small-scale environments
Advantages of vCenter Server with an external PSC:
- Your environment can consist of more vCenter Server instances
In vSphere 6, the VMware Certificate Authority (VMCA) provisions each new ESXi host with a signed certificate using the VMCA as the root authority.
3 certificate modes are supported in vSphere 6.x:
- VMCA
- Custom Certificate Authority
- Thumbprint Mode (fallback to vSphere 5.5)