VMworld 2015/vSphere 6 Security Update

vSphere Hardening Guide - READ IT

by Mike Foley


 * 1) INF4758 on Twitter

http://blogs.vmware.com/vsphere/author/mike_foley

Twitter: @vSphereSecurity

VMware Security Hardening Guides | United States - http://www.vmware.com/security/hardening-guides

vSphere 6.0 Hardening Guide – Overview of coming changes - VMware vSphere Blog - VMware Blogs - https://blogs.vmware.com/vsphere/2015/02/vsphere-6-0-hardening-guide-overview-coming-changes.html

vSphere is secure out of the box, so this guide is more of an "auditing" guide.

Prepares system for operational readiness
 * auditing, control, Active Directory, NTP, syslog

May disable some ease-of-use features
 * features meant for POC and test environments

Reduces attack surface - disables unused functionality

Provides audit guidelines for compliance standards (PCI, HIPAA, SOX, DISA, etc)

Makes the product less susceptible to threats and vulnerabilities

Acts as a tool to generate discussion on risk management

vSphere 6 Hardening Guide - major improvements
 * cleaned up
 * easier to implement
 * new focus on programmatic guidance
 * goal to be mostly accessible via APIs and/or CLIs
 * automation, automation, automation
 * leverage vSphere APIs
 * easier to produce

Programmatic Guidance vs Operational Guidance
 * Science vs Art

Operational Guidance becomes "best practices"

Old guide grouped by tabs. New guide now a flat namespace (taxonomy), easier to parse through.

vCheck Hardening Guide plugin - free PowerShell script that can send a daily update on various statuses (recommended)

Major security enhancements in vSphere 6.0:
 * increased flexibility in lockdown mode
 * added CAC smart card authentication to DCUI (fed customers only)
 * improved ESXi password and account management
 * enhanced auditing of admin actions
 * certificate lifecycle management for vCenter and ESXi

All sorts of new commands added to esxcli

Flexible Lockdown Mode:
 * Normal and Strict (DCUI stopped)
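
An added example, not from the talk or from VMware's guide: a PowerCLI-style check of the lockdown modes listed above, in the spirit of the guide's programmatic guidance. The function names, host names and sample records are constructed; `Get-LockdownState` assumes PowerCLI with an existing `Connect-VIServer` session, and flagging a disabled lockdown mode is this example's own policy choice.

```powershell
# Added example: audit ESXi lockdown mode (vSphere 6.0 and later).
# Get-LockdownState assumes VMware PowerCLI and an existing Connect-VIServer session.
# Test-LockdownState is plain PowerShell and needs neither.

function Get-LockdownState {
    # Collect lockdown mode and DCUI service state for every host in the session.
    Get-VMHost | ForEach-Object {
        $vmhost = $_
        $dcui = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'DCUI' }
        [pscustomobject]@{
            Name         = $vmhost.Name
            LockdownMode = [string]$vmhost.ExtensionData.Config.LockdownMode
            DcuiRunning  = [bool]$dcui.Running
        }
    }
}

function Test-LockdownState {
    # Turn one host record into a finding. Flagging a disabled lockdown mode
    # is this example's policy choice (assumption).
    param([Parameter(ValueFromPipeline)] $HostState)
    process {
        $finding = switch ($HostState.LockdownMode) {
            'lockdownDisabled' { 'REVIEW: lockdown mode is disabled' }
            'lockdownNormal'   { 'OK: normal lockdown' }
            'lockdownStrict'   {
                # Strict mode is expected to leave the DCUI service stopped.
                if ($HostState.DcuiRunning) { 'REVIEW: strict lockdown but DCUI is running' }
                else { 'OK: strict lockdown, DCUI stopped' }
            }
            default            { "UNKNOWN: unexpected value '$($HostState.LockdownMode)'" }
        }
        [pscustomobject]@{ Name = $HostState.Name; Finding = $finding }
    }
}

# Constructed sample records (hypothetical host names) so the check runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'esx01.example.test'; LockdownMode = 'lockdownDisabled'; DcuiRunning = $true }
    [pscustomobject]@{ Name = 'esx02.example.test'; LockdownMode = 'lockdownNormal';   DcuiRunning = $true }
    [pscustomobject]@{ Name = 'esx03.example.test'; LockdownMode = 'lockdownStrict';   DcuiRunning = $false }
    [pscustomobject]@{ Name = 'esx04.example.test'; LockdownMode = 'lockdownStrict';   DcuiRunning = $true }
)
$sample | Test-LockdownState | Format-Table -AutoSize

# Against a live inventory:
# Get-LockdownState | Test-LockdownState | Format-Table -AutoSize
```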

vSphere 6.0 Certificate Manager - generates SSL certificates and CSRs

VMCA - VMware Certificate Authority