VMware released the vSphere 5.0 Hardening Guide this month and I wanted to take the opportunity to blog my way through it in order to increase my familiarity, heighten its visibility, and provide a forum for discussion of the recommendations and methods to implement an assessment in your own environment.

Since the hypervisor is the heart of your datacenter, let’s start with the ESXi guidelines:

  • Guideline Title: Use Active Directory for local user authentication
    • Guideline ID: enable-ad-auth
    • Discussion: The credentials to your ESXi hosts are among the most sensitive in your entire datacenter. The root password should only be given to personnel with an explicit need for it. Other users who need to log in to hosts outside of vCenter can have permissions granted to their Active Directory accounts instead. David Davis has a great video demonstrating the process. By default, once a host is joined, an AD group named “ESX Admins” is looked up and all of its members receive full administrative rights on every joined host. That makes the group itself a high-value target: whoever can add members to it in AD effectively holds root on your hosts, so restrict who can modify it and treat changes to it as security events. The group name a host looks for is controlled by the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup if you prefer something less predictable.
    • Official VMware documentation
  • Guideline Title: Establish a password policy for password complexity
    • Guideline ID: set-password-complexity
    • Discussion: This setting enforces strong passwords for local accounts. You know, the local accounts you’re not using since all your hosts are joined to AD, right? But seriously, this is a great setting to use even if your hosts have no local users today: configuration drift happens, so plan ahead and make sure any local users that do appear will have strong passwords. Using vi from the ESXi Shell, edit the file /etc/pam.d/passwd and modify the pam_passwdqc line. The default value is “password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6”. The retry value controls how many attempts a user gets to pick an acceptable password. The five comma-separated min= values are minimum lengths for five kinds of password, in the following order, counted against four character classes (uppercase letters, lowercase letters, digits, and symbols/special characters):
      • N0 (the first value) is the minimum length for a password using characters from only 1 class (the weakest kind, e.g. using “password” as your password). You’ll want this to be a very large number, or the keyword disabled, which rejects that kind of password regardless of its length.
      • N1 is the minimum length for a password using characters from 2 classes. You’ll also want this to be a very large number or disabled.
      • N2 is the minimum length for a passphrase, i.e. a password made up of several words (the module’s separate passphrase= option sets how many words are required; the default is 3). It has nothing to do with SSL certificate passphrases.
      • N3 is the minimum length for a password using characters from 3 classes. Now we’re getting into reasonable passwords, so allow whatever length your organization’s policy permits.
      • N4 is the minimum length for a password using characters from all 4 classes (the strongest kind, e.g. using “p4$wOrd” as your password). Same as the previous line.
      • Two caveats when picking values: pam_passwdqc requires each value to be no larger than the one before it (8,8,8,7,6 satisfies this; 8,8,8,9,6 would be rejected), and an uppercase letter used as the first character or a digit used as the last character does not count toward the class total, so “Password1” is treated as a one-class password. Note that with the default of 8,8,8,7,6 an eight-letter lowercase word clears the length check, so at a minimum raise N0 and N1 well above 8.
    • Official VMware documentation
  • Guideline Title: Verify Active Directory “ESX Admins” group membership.
    • Guideline ID: verify-admin-group
    • Discussion: Now that our hosts are joined to AD (first guideline above), we want to audit the membership of “ESX Admins”, since those users automatically have root-level permissions on our hosts. The guide lists this as a manual check, but you’ll also want to automate it so that it runs regularly. A scheduled PowerShell script can read the group membership and email you the list, and products like ADAudit Plus from ManageEngine are built for exactly this task and can email you only when the membership changes. Whichever you use, compare the current membership against an approved baseline rather than just mailing the list, so that an unexpected addition stands out instead of being buried in a routine report.
    • Official VMware documentation
  • Guideline Title: Ensure that vpxuser auto-password change meets policy.
    • Guideline ID: vpxuser-password-age
    • Discussion: ESXi contains a built-in user account called vpxuser. This account has Administrator-level permissions on the local host and is the account vCenter uses to execute tasks on it. vCenter generates this password itself and rotates it automatically every 30 days; nobody should ever log in interactively as vpxuser. If your organization’s policy requires more frequent rotation, change the interval from the vSphere Client by selecting “Administration -> vCenter Server Settings -> Advanced Settings” and setting VirtualCenter.VimPasswordExpirationInDays to the desired number of days.
    • Official VMware documentation
  • Guideline Title: Ensure that vpxuser password meets length policy.
    • Guideline ID: vpxuser-password-length
    • Discussion: Similar to the guideline above, this check confirms that the password vCenter generates for vpxuser is long enough to comply with your organization’s security policy. By default it is 32 characters. To change the length, modify the “vpxd.hostPasswordLength” value (the hostPasswordLength element within the vpxd section of vpxd.cfg) and restart the vCenter Server service so vpxd re-reads the file. On Windows Server 2003 the file is located at C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\vpxd.cfg; on Windows Server 2008 and later it lives under C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg; on the vCenter Server Appliance you’ll find it at /etc/vmware-vpx/vpxd.cfg.
    • Official VMware documentation

That’s it for today! I’ll see you all back here tomorrow to continue our discussion on the vSphere 5.0 Hardening Guide.
