Wednesday, April 4, 2012

vCenter Server security hardening guide

  • Server host
  1. Maintain a supported OS, database, and hardware platform for vCenter
  2. Keep vCenter Windows OS patches up to date
  3. Provide Windows system protection on vCenter server
  4. Limit access to vCenter server system
  5. Install vCenter Server under a dedicated service account rather than a built-in Windows account; the service account still needs to be a local administrator
  6. Restrict use of the vSphere administrator privilege
  • vCenter server communication
  1. SSL certificate from CA
  2. Service account access to certification directory
  3. Restrict access to SSL certificate files
  4. Always verify SSL certificates
  5. Restrict network access to only those components that must communicate with vCenter
  6. Block unused ports on vCenter
  7. Disable the managed object browser (MOB) in vpxd.cfg
  8. Disable vSphere Web Access (the Tomcat web application under the infrastructure folder, ui directory)
  9. Disable the datastore browser in vpxd.cfg
  • vCenter Server database
  1. Least privilege for the vCenter Server database user
  • vSphere client components
  1. Restrict use of Linux-based clients; a jump box is preferred
  2. Verify the integrity of the vSphere Client: only authorized extensions from a trusted source
  • vCenter Update Manager
  1. Least privilege for the Update Manager database user
  2. Keep VUM patched and up to date
  3. Provide Windows OS protection on the VUM server
  4. Avoid users logging in to the VUM server
  5. Do not use VUM to manage patches for the VUM server itself
  6. Limit connectivity between VUM and the public patch repository
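Two of the items above, disabling the managed object browser in vpxd.cfg and blocking unused ports, can be verified offline from artefacts copied off the vCenter host. The script below is an added example and is not part of the original post or of any VMware tooling: it parses a vpxd.cfg fragment and a `netstat -ano` capture. The vpxd.cfg key name `enableDebugBrowse` is the one vCenter 5.x uses for the MOB; the port allow-list, the sample config and the sample netstat lines are constructed for the example and should be adjusted to the deployment being audited.

```python
"""Offline audit helpers for two vCenter hardening items (added example).

Assumptions (not from the original post):
  - vpxd.cfg disables the MOB with <config><vpxd><enableDebugBrowse>false</...>
    (the vCenter 5.x key name).
  - ALLOWED_PORTS is a per-deployment allow-list of expected vCenter listeners.
"""
import re
import xml.etree.ElementTree as ET

# Constructed vpxd.cfg fragment with the MOB switched off.
SAMPLE_VPXD_CFG = """<config>
  <vpxd>
    <enableDebugBrowse>false</enableDebugBrowse>
  </vpxd>
</config>"""


def mob_disabled(cfg_text: str) -> bool:
    """True only when vpxd.cfg explicitly sets enableDebugBrowse to false.

    The MOB is enabled by default, so a missing element counts as enabled.
    """
    root = ET.fromstring(cfg_text)
    node = root.find("./vpxd/enableDebugBrowse")
    return node is not None and (node.text or "").strip().lower() == "false"


# Constructed excerpt of Windows 'netstat -ano' output.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2460
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       1688
  UDP    0.0.0.0:161            *:*                                    990
"""

# Assumed allow-list of listeners expected on this vCenter host.
ALLOWED_PORTS = {80, 443, 902, 8080, 8443}

TCP_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)")
UDP_BOUND_RE = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\*:\*\s+(\d+)")


def unexpected_listeners(netstat_text: str, allowed=ALLOWED_PORTS):
    """Return (proto, port, pid) for sockets reachable off-host and not allowed.

    Loopback-only sockets are skipped because they cannot be reached from
    the network and so are not candidates for firewall blocking.
    """
    findings = []
    for line in netstat_text.splitlines():
        for proto, pattern in (("TCP", TCP_LISTEN_RE), ("UDP", UDP_BOUND_RE)):
            m = pattern.match(line)
            if not m:
                continue
            addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
            if addr.startswith("127."):
                continue
            if port not in allowed:
                findings.append((proto, port, pid))
    return findings


if __name__ == "__main__":
    print("MOB disabled:", mob_disabled(SAMPLE_VPXD_CFG))
    for proto, port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"review {proto}/{port} (PID {pid}): not in allow-list")
```

Run it against a real vpxd.cfg and a saved `netstat -ano` to get a short review list; each flagged port is either a service to stop, a Windows Firewall rule to add, or an entry to document in the allow-list.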
