Dell EMC VxRack System FLEX Security Configuration Guide
Document revision 1.5
February 2018
Revision history
Date             Document revision   Description of changes
February 2018    1.5                 • Removed control ID information
                                     • Removed Security control identifier numbering section
                                     • Removed non-Dell procedures and references
                                     • Added Log Management
                                     • Added Certificate Management
October 2017     1.4                 Minor edits
August 2017      1.3                 Minor edits
June 2017        1.2                 Updated the compute layer security baseline for Controller and
                                     Management nodes
October 2016     1.1                 • Updated management software information
                                     • Added reference information for EMC ScaleIO 2.0 features
                                     • Updated EMC ScaleIO user accounts
May 2016         1.0                 Initial release
Revision history | 2
Contents
Introduction  5
Disclaimer  6
Security strategies  7
  Secure development  7
  Threat landscape and security considerations  7
    Administrative control  8
    Network connectivity  8
    Management systems  9
    Change and configuration management  10
    Patch and update practices  10
VxRack System FLEX security baseline  11
  Compute layer security baseline  11
    VxRack Compute nodes  11
  Network layer security baseline  14
    Cisco NX-OS devices  14
  Storage layer security baseline  22
    ScaleIO  22
  Virtualization layer security baseline  23
    Management Virtual Machines  23
    VMware ESXi  32
    VMware vCenter Single Sign On (SSO)  37
    VMware vSphere Update Manager  37
    VMware vCenter Server Appliance (VCSA)  38
    VMware vNetwork  39
    VMware vSphere Distributed Switch and DVS networking  41
    VMware vSphere Web Client  42
  Management layer security baseline  42
    VxRack Controller nodes  42
  System infrastructure security baseline  45
    Panduit Power Distribution Unit (PDU)  45
Log Management  47
  Internal component log file locations  47
  Configuring an external syslog server  47
Certificate management  48
Operationalizing Converged Systems  49
  Integrating a new Converged System into a live environment  49
  Ongoing security administration  49
  Operational checklist  50
Converged System password management  51
  Compute  51
    Changing the VxRack System FLEX enclosure password  51
  Storage  51
    ScaleIO default accounts  52
    ScaleIO user-defined accounts  54
  Virtualization  55
    Changing a VMware ESXi host root password  55
    Modifying the VMware vCenter Server Single Sign On password  57
    Changing virtual machine operating system administrative passwords  58
  Management  58
    Changing the VxRack Controller password  59
    Vision Intelligent Operations credentials  59
Ports and protocols  64
  ScaleIO ports and authentication  64
  VMware vSphere 6.0 ports and authentication  64
  Vision Intelligent Operations ports and protocols  67
    Open port assignments  67
    Northbound Vision software ports and protocols  69
    Southbound Vision software ports and protocols  70
References  72
Introduction
This guide focuses on the hardening practices implemented by Dell EMC for VxRack System components
and provides specific configuration guidance to help mitigate security vulnerabilities and risks. It also
provides information on additional security topics related to VxRack Systems.
This document refers to VxRack Systems as Converged Systems.
When reading this guide, consider the following:
• Use this guide as a starting point for configuration security. The security controls presented
  provide a baseline to build on to meet the specific security needs of your organization.
• As a baseline, this guide minimizes the operational impacts of security, working with feature sets
  such as VMware Tools rather than eliminating them, as more secure environments might do.
• Dell EMC encourages customers to employ a risk-based approach when hardening Converged
  Systems to ensure an appropriate balance between security and manageability.
• This guide does not focus on a specific security compliance target.
Audience
The intended audience for this guide includes those who are planning, implementing, administering, or
auditing security controls in environments containing Converged Systems. The primary audience is
technical, but the document addresses the needs of a range of security program professionals.
Customers and partners are expected consumers of this guide.
Prerequisites
Readers of this guide should have a reasonable understanding of the architecture for their Converged
System, particularly the management infrastructure. Refer to the appropriate Dell EMC architecture
overview for your product for more information.
Additional information
Dell EMC provides other assistance that might be useful with security or compliance-related issues,
such as:
• Converged Systems guidance for addressing multi-tenant concerns
• Protection of management interfaces with enhanced separation of duties, identification,
  authorization, auditing, and access control
• Integrating common security technologies with Converged Systems
• Guidance related to specific compliance frameworks and outcomes (for example, PCI, HIPAA,
  FISMA, and so forth)
• Guidance related to advanced cloud solutions, such as Enterprise Hybrid Cloud solutions
The Glossary provides Converged Systems-specific terms and definitions.
Disclaimer
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." Dell EMC MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN
THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
CERTAIN COMMERCIAL ENTITIES, EQUIPMENT, OR MATERIALS MAY BE IDENTIFIED IN THIS
DOCUMENT IN ORDER TO DESCRIBE AN EXPERIMENTAL PROCEDURE OR CONCEPT
ADEQUATELY. SUCH IDENTIFICATION IS NOT INTENDED TO IMPLY RECOMMENDATION OR
ENDORSEMENT BY Dell EMC, NOR IS IT INTENDED TO IMPLY THAT THE ENTITIES, MATERIALS,
OR EQUIPMENT ARE NECESSARILY THE BEST AVAILABLE FOR THE PURPOSE.
NOTHING IN THIS DOCUMENT SHOULD BE TAKEN TO CONTRADICT STANDARDS AND
GUIDELINES MADE MANDATORY AND BINDING BY LAWS OR RULES OF GOVERNMENTAL
AGENCIES.
Security strategies
Converged Systems are deployed in a wide range of circumstances and need to address a range of risk
conditions. Dell EMC chose to implement a security baseline suitable for the more common, simpler
security needs. Dell EMC also tries to ensure that the products can be configured in environments with
more challenging security, compliance, and/or operational requirements.
Creating and maintaining the security baseline is a process that is generally aligned with the Risk
Management Framework (RMF, NIST Special Publication SP 800-37).
The methodology for controlling risk and improving processes includes:
• Secure development life cycle
• Risk assessment processes
Between them, these processes yield, among other things:
• Best practices incorporated into code and architecture
• Component-level hardening guidelines
• Coding improvements
• Risks identified so that mitigating options can be proactively surfaced
The primary focus of this document is on component-level controls because the other considerations
have been incorporated into the Dell EMC product architecture and software. This section briefly surveys
some threats at a system level and provides insight into alternate risk mitigations.
The Dell EMC account team is available to discuss risks falling outside the baseline scenarios.
Secure development
The Dell EMC Secure Development Life cycle (SDL) is a repeatable and measurable process that
enables Dell EMC to meet customers' expectations by:
• Ensuring that product engineering organizations optimally apply security controls during their
  product development life cycle
• Providing product groups with the capability and the information needed to fully assume
  accountability for the security of the products they ship
• Assisting Dell EMC customers in understanding and assessing the overall security posture of the
  product
Threat landscape and security considerations
Dell EMC takes certain precautions in designing and building Converged Systems to ensure that
significant security vulnerabilities are minimized.
Dell EMC also recommends additional controls, but does not implement them in the building process due
to variances in customer environments and differing customer security policies.
The security baseline contains more information on security considerations for your Converged System.
Administrative control
Dell EMC takes the precaution of changing all default administrator passwords and following a policy of
creating complex passwords for all accounts controlling the management interfaces. In addition, Dell
EMC uses a more secure password storage option whenever possible.
Beyond these changes to the default administrative access control settings, Dell EMC recommends
employing the following additional security countermeasures, provided they do not conflict with your
organization's security policy:
Threat
Administrator impersonation or privilege abuse
Countermeasures
• Use Lightweight Directory Access Protocol (LDAP) server or Windows Active Directory (AD)
  authentication for all Converged System components to mitigate password-related threats with
  password policies and to facilitate entitlements audit.
• Use low-level privilege roles for all Converged System components.
• Minimize the use of shared credentials. In particular, minimize the use of the default super user
  accounts.
• Capture all event logs with a Security Information and Event Management (SIEM) system. Audit
  privilege and role change activity, and set up alerts for this activity.
• Use strong authentication such as RSA SecurID for administration of Converged Systems.
• Use a Converged System-aware Identity and Audit Management (IAM) auditing and compliance
  tool to validate the consistent and appropriate application of privileges and entitlements.
• Use separation of duties to the greatest extent feasible when administering Converged System
  components.
Network connectivity
As with other network environments, Converged Systems need to be protected from network attacks such
as spoofing, traffic sniffing, and traffic tampering. All Converged System components are configured to
use secure administrative interfaces that are authenticated and encrypted. Non-secure versions of these
interfaces are disabled to mitigate network attacks. Converged Systems authenticate, encrypt, and
segregate traffic on the management, control, and data planes.
The default Converged System architecture separates traffic creating distinct, dedicated network zones
for control, data, VMware vMotion, backup, and other purposes. Converged System network design
incorporates security best practices from the component manufacturers for both physical and virtual
network components. For example, console interfaces are connected to a control plane that should not be
directly accessible to end users.
Connectivity between the planes is regulated by devices outside of the Converged System.
Discuss plane separation with a Dell EMC VMware vArchitect and with Professional
Services before connecting your Converged System into your routing infrastructure.
Threat
Network attacks, including spoofing, sniffing, denial of service, repudiation, man in the middle, and
tampering.
Countermeasures
• Enable secure network protocol options only (for example, HTTPS and Secure Shell (SSH)).
• Move from autonomous certificate deployments to ones that are fully integrated with site trust
  infrastructures, and train people not to accept self-signed certificates.
• Disable unused and non-secure network protocols and services.
• Separate management and control traffic from production application traffic. You can provide this
  separation by using VLANs.
• Separate VMware vMotion traffic from production traffic.
• Separate data protection (backup, BC/DR) traffic from production traffic.
If network segmentation beyond VLANs is required, Converged Systems can be configured to provide
enhanced physical or logical separation of network zones. Some configuration options can be supported
in the standard product, such as network Access Control Lists (ACLs) on Cisco Nexus switches or
VMware ESXi host firewall rule configuration. Other deployment options might require additional
hardware, software, or entitlements (such as Converged Technology Extensions or partner ecosystem
solutions). For example, although not part of the standard product architecture, compatible physical or
virtual firewall technology can be introduced at critical network boundaries where required, to achieve the
required level of security and access control.
Consult with the Dell EMC account team to learn more about options for network segmentation and
security.
Management systems
Management system security is vital to the protection of the Converged System and its managed
components and resource pools. When a Converged System hosts multiple environments (for example,
multiple "tenants" or workloads with distinct security or compliance requirements), the management
environment tends to inherit the peak sensitivities of those environments. For example, it accrues the
security and compliance obligations (PCI CDE status) or the operational/availability obligations in a VDI
setting.
In addition to the Authentication, Authorization and Accounting (AAA) controls, the following are important
considerations.
• Management ports must have banner messages officially notifying users of monitoring, lack of
  privacy expectations, and civil and criminal responsibilities for malicious or damaging behavior,
  regardless of intent.
• Default or well-known accounts with a management port must be removed, since they provide an
  attacker an advantage in attempts to compromise the device.
• Management ports must be configured to require strong passwords to prevent an attacker from
  deciphering the password.
• Management ports must be configured with a relatively short connection timeout period to
  minimize the risk from session hijacking.
• Standard operations hygiene must be applied on the systems hosting management applications.
  For example, anti-virus, backups, and patching should all be configured. Note that Dell EMC
  Support has special guidance regarding operating system patching.
Change and configuration management
Change and configuration management processes are important when using a Converged System.
Anything that can impact either Dell EMC Support Service Level Agreements (SLAs) or any relevant
customer SLAs should be considered as part of change and configuration management.
Dell EMC provides the Release Certification Matrix (RCM) that documents software and firmware
versions that have been tested by Dell EMC and are known to interoperate properly.
Patch and update practices
Scheduled and emergency patches and updates protect systems from security vulnerabilities and help
ensure performance stability.
Use the Release Certification Matrix (RCM) process for your Converged System as the basis of a patch
management program. You can also apply emergency patching to address emerging security threats.
Application of critical security updates should be undertaken carefully and with close
coordination with the Dell EMC account team, Customer Advocate, and Dell EMC Support to
minimize the risk of unscheduled downtime or other negative business impact.
Just as with other systems and devices in the enterprise, you must keep Converged Systems updated
to the latest patch levels to ensure the integrity and availability of the platform and its hosted systems.
The patch and update process should include the following practices:
• Document the version of each hardware and software component
• Document risk acceptances for patches delayed or not installed
• Research mitigating controls to reduce risk when patches cannot be installed
• Follow change management plans to ensure appropriate documentation and approvals
• Establish regular patch cycles for high and for low priority patches (for example, weekly and
  monthly)
• Establish and test processes for emergency out-of-cycle patching
• Ensure that the patch update cycle satisfies regulatory requirements prior to being audited
• Ensure that virtualized systems are re-patched if rolled back prior to the scheduled patch date
VxRack System FLEX security baseline
In this document, specific configuration guidance on how to mitigate security vulnerabilities and risks is
presented using the following parameters:
Control description
General description of the problem area
Risk and vulnerability
Explanation of the actual risk
Dell EMC security standard
The specific applicable hardening standard(s)
The following sections provide detail about baseline security practices for each VxRack System
component:
• Compute layer
• Network layer
• Storage layer
• Virtualization layer
• Management layer
Compute layer security baseline
VxRack Compute nodes
VxRack Compute - Default Passwords Change
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial system build.
Such accounts and passwords might be used to compromise the production system.
Dell EMC security standard
Ensure that passwords are rotated for the built-in administrator account.
VxRack Compute - Disable Telnet
Control description
Disable Telnet.
Risk and vulnerability
Telnet is not a secure protocol, as it transmits data in clear text.
Dell EMC security standard
Ensure that Telnet is disabled. This is configured using the Dell iDRAC Web Console.
In the iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for Telnet, and click
Apply.
VxRack Compute - Disable SSH
Control description
Disable SSH.
Risk and vulnerability
Removing any unnecessary services, protocols, and scripts reduces the attack vectors a potential
attacker could exploit to gain access to sensitive information.
Dell EMC security standard
Ensure SSH is disabled. This is configured using the Dell iDRAC Web Console.
In the iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for SSH, and click
Apply.
VxRack Compute - Disable IPMI over LAN
Control description
Disable IPMI over LAN.
Risk and vulnerability
Intelligent Platform Management Interface (IPMI) v2.0 has multiple vulnerabilities, and currently there
are no patches to fix them. A potential attacker could exploit these vulnerabilities remotely to obtain the
hashed password for the root user, and use an offline password cracking tool to discover the password.
Dell EMC security standard
Ensure IPMI over LAN is disabled if IPMI is not needed by any management components. This is
configured using the Dell iDRAC Web Console.
In the iDRAC UI, under iDRAC settings > Network > IPMI Settings, uncheck the box titled Enable IPMI
over LAN, and click Apply.
VxRack Compute - Server access using HTTPS
Control description
To remotely access Dell servers, use secure communication: HTTPS (TCP port 443).
Risk and vulnerability
For any activity conducted remotely, the use of secure protocols adds layers of protection to the
transmission of data for those sessions.
Dell EMC security standard
HTTPS is enabled by default and TLS 1.2 Only is selected by default.
In the iDRAC UI, under iDRAC settings > Network > Services, verify that HTTPS is enabled and that
TLS 1.2 Only is selected.
VxRack Compute - Strong community strings
Control description
Define strong, non-trivial community strings where SNMP is required.
Risk and vulnerability
By not changing the default community string, attackers can more easily discover and potentially
exploit or compromise the devices.
Dell EMC security standard
Ensure that the read-only community string is changed from "Public".
In the iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, define a new SNMP
Community Name, and click Apply.
VxRack Compute - Use SNMP V3
Control description
Use SNMP v3.
Risk and vulnerability
SNMP v3 improves security by introducing encryption, integrity checking, and an improved user
authentication model.
Dell EMC security standard
Ensure that SNMP v3 is selected.
In the iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, check SNMP v3, and
click Apply.
VxRack Compute - Disable VNC
Control description
Disable VNC.
Risk and vulnerability
Disable VNC to reduce the attack surface.
Dell EMC security standard
Ensure VNC is disabled.
In the iDRAC UI, under iDRAC settings > Network > Services > VNC Server, uncheck the box for
Enable VNC Server, and click Apply.
VxRack Compute - Disable XML
Control description
Disable XML configuration file import directly from the USB port.
Risk and vulnerability
The USB port allows iDRAC management access from a laptop or tablet connected to the USB port. An
attacker could potentially upload an arbitrary configuration file to the server, or apply an XML
configuration file directly to the server.
Dell EMC security standard
Ensure that USB XML configuration is disabled in the iDRAC web UI.
Under iDRAC settings > Hardware > USB Management Port > iDRAC Managed: USB XML
Configuration, select Disabled.
VxRack Compute - Configure syslogs
Control description
Centralization of logs increases administration and security investigation capabilities. By configuring
hosts to use a central logging server, aggregate analysis and searches become possible and provide
visibility into events impacting multiple hosts.
Risk and vulnerability
Operational or security-related alerts and events may be missed when logs are not centrally managed.
Dell EMC security standard
Ensure that remote syslog settings are configured to send log entries to syslog-capable network
management systems.
Under iDRAC Settings > Server > Logs, check Remote Syslog Settings, and define up to three syslog
server IP addresses.
VxRack Compute - Configure NTP
Control description
Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems
on a network. Setting all Vblock System components to the same time source ensures system stability
and accuracy of log time stamps.
Risk and vulnerability
By not using a centralized, consistent time source, event detection and audits are difficult and may be
inaccurate.
Dell EMC security standard
Ensure the NTP configuration is updated with valid NTP time sources.
In the iDRAC UI, under iDRAC Settings > Settings, check the Enable Network Protocol (NTP) box,
define up to three NTP server IP addresses, and click Apply.
VxRack Compute - Disable USB ports
Control description
USB ports should be used only on an as-needed basis and should be disabled otherwise.
Risk and vulnerability
An attacker could use a USB port to introduce malware to the server.
Dell EMC security standard
In BIOS settings > System BIOS Settings > Integrated Devices > Internal USB Port, set the port to Off.
VxRack Compute - Disable remote RACADM
Control description
RACADM provides CLI scripting capability to control and configure the servers. Remote RACADM
allows the RACADM tool, run on a workstation, to remotely execute commands against the server's
iDRAC interface. It uses SSL for communications between the workstation and the iDRAC interface.
Risk and vulnerability
Disable remote RACADM if this feature is not required, to reduce the attack surface and prevent an
attacker from remotely issuing commands against the server, such as power operations and
configuration changes.
Dell EMC security standard
This feature is enabled by default. Disable it.
In the iDRAC UI, under Network > Services, uncheck Remote RACADM and click Apply.
VxRack Compute - Disable iDRAC over SOL
Control description
iDRAC can be accessed through SOL (Serial over LAN). This allows remote access to the server using
SSH, then connecting to the server serial ports (COM1 or COM2, depending on the BIOS setting) and
running iDRAC commands.
Risk and vulnerability
Disable iDRAC over SOL to reduce the attack surface and prevent an attacker from remotely issuing
commands against the server, such as power operations and configuration changes.
Dell EMC security standard
To disable, in the iDRAC UI, under Network > Serial Over LAN, uncheck Enable Serial Over LAN, and
click Apply.
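The compute-layer controls above are all iDRAC settings verified by clicking through the web UI, which does not scale across a rack of nodes. The following script is an added example, not part of the Dell EMC guide: it audits an exported iDRAC attribute list against that baseline so the same checks can be repeated for every node and a missing attribute is reported rather than silently passed. The dump format (one Group.Attribute=Value per line), the attribute names in CHECKS, and the sample values are assumptions modelled on racadm-style attribute naming; confirm them against the iDRAC documentation for your firmware version. The default-password and BIOS USB-port controls are not visible in such a dump and are not covered.

```python
"""Audit an iDRAC attribute dump against the VxRack compute-layer baseline.

Added example, not from the Dell EMC guide. The dump format (one
"Group.Attribute=Value" per line) and the attribute names in CHECKS are
assumptions modelled on racadm-style naming; verify them for your firmware.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample dump, not real device output. Three settings are left
# at insecure values (SNMP community, SNMP protocol, remote RACADM) so the
# audit has findings to report.
SAMPLE_DUMP = """
iDRAC.Telnet.Enable=Disabled
iDRAC.SSH.Enable=Disabled
iDRAC.IPMILan.Enable=Disabled
iDRAC.WebServer.TLSProtocol=TLS 1.2 Only
iDRAC.SNMP.AgentCommunity=public
iDRAC.SNMP.SNMPProtocol=All
iDRAC.VNCServer.Enable=Disabled
iDRAC.USB.ConfigurationXML=Disabled
iDRAC.SysLog.SysLogEnable=Enabled
iDRAC.SysLog.Server1=192.0.2.50
iDRAC.NTPConfigGroup.NTPEnable=Enabled
iDRAC.NTPConfigGroup.NTP1=192.0.2.10
iDRAC.Racadm.Enable=Enabled
iDRAC.IPMISOL.Enable=Disabled
"""

Predicate = Callable[[str, Dict[str, str]], bool]


@dataclass(frozen=True)
class Check:
    control: str      # baseline control from the guide
    attribute: str    # assumed iDRAC attribute name
    ok: Predicate     # receives the attribute value and the whole dump
    expected: str     # human-readable expectation for the finding text


def parse_attribute_dump(text: str) -> Dict[str, str]:
    """Parse 'Name=Value' lines; blank lines and '#' comments are ignored."""
    attrs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        attrs[name.strip()] = value.strip()
    return attrs


def equals(expected: str) -> Predicate:
    """Case-insensitive equality against a fixed expected value."""
    return lambda value, _attrs: value.lower() == expected.lower()


def enabled_with_target(prefix: str) -> Predicate:
    """Feature enabled and at least one of <prefix>1..<prefix>3 populated."""
    return lambda value, attrs: (
        value.lower() == "enabled"
        and any(attrs.get(f"{prefix}{i}") for i in (1, 2, 3))
    )


CHECKS: List[Check] = [
    Check("Disable Telnet", "iDRAC.Telnet.Enable", equals("Disabled"), "Disabled"),
    Check("Disable SSH", "iDRAC.SSH.Enable", equals("Disabled"), "Disabled"),
    Check("Disable IPMI over LAN", "iDRAC.IPMILan.Enable", equals("Disabled"), "Disabled"),
    Check("Server access using HTTPS", "iDRAC.WebServer.TLSProtocol",
          equals("TLS 1.2 Only"), "TLS 1.2 Only"),
    Check("Strong community strings", "iDRAC.SNMP.AgentCommunity",
          lambda v, _a: v.lower() not in {"public", "private"}, "not a default string"),
    Check("Use SNMP v3", "iDRAC.SNMP.SNMPProtocol", equals("SNMPv3"), "SNMPv3"),
    Check("Disable VNC", "iDRAC.VNCServer.Enable", equals("Disabled"), "Disabled"),
    Check("Disable XML", "iDRAC.USB.ConfigurationXML", equals("Disabled"), "Disabled"),
    Check("Configure syslogs", "iDRAC.SysLog.SysLogEnable",
          enabled_with_target("iDRAC.SysLog.Server"), "Enabled with a syslog server"),
    Check("Configure NTP", "iDRAC.NTPConfigGroup.NTPEnable",
          enabled_with_target("iDRAC.NTPConfigGroup.NTP"), "Enabled with an NTP server"),
    Check("Disable remote RACADM", "iDRAC.Racadm.Enable", equals("Disabled"), "Disabled"),
    Check("Disable iDRAC over SOL", "iDRAC.IPMISOL.Enable", equals("Disabled"), "Disabled"),
]


def audit(attrs: Dict[str, str]) -> List[str]:
    """Return one finding per failed or missing check; an empty list means compliant."""
    findings: List[str] = []
    for check in CHECKS:
        value = attrs.get(check.attribute)
        if value is None:
            findings.append(f"{check.control}: {check.attribute} missing from dump "
                            f"(expected {check.expected})")
        elif not check.ok(value, attrs):
            findings.append(f"{check.control}: {check.attribute}={value!r}, "
                            f"expected {check.expected}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_attribute_dump(SAMPLE_DUMP)):
        print("FAIL", finding)
```

Run against the constructed dump, the script reports the SNMP community string, the SNMP protocol selection, and remote RACADM as non-compliant; feeding it an empty dump reports every check as missing, which is the behaviour you want when an export is truncated.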
Network layer security baseline
Cisco NX-OS devices
Cisco NX-OS: NXOS.strong.passwords
Control description
Ensure the Cisco NX-OS device requires the use of strong passwords.
Risk and vulnerability
Passwords must be of sufficient length and meet complexity requirements, not only to meet policy and
regulatory requirements but also to help mitigate guessing or cracking of credentials.
When enabled, the password strength check feature rejects any password that does not meet the
following requirements:
• Must contain a minimum of 8 characters and a maximum of 64 characters
• Must not contain a character that is repeated more than three times consecutively, such as aaabbb
• Must not be identical to the username or the reverse of the username
• Must contain at least three of the following: lower case letters, upper case letters, digits, special
  characters
• Must not contain the following symbols: $ (dollar sign), ? (question mark), and = (equals sign)
• Should not be blank for local user and admin accounts
• Must pass a password dictionary check; for example, the password must not be based on a
  standard dictionary word
Dell EMC security standard
Ensure the Cisco NX-OS device requires the use of strong passwords.
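The rules listed above are mechanical enough to check before a candidate password is ever typed into a switch, for instance in a credential-rotation script. The following checker is an added example, not Cisco or Dell EMC code; it implements each rule literally: "repeated more than three times consecutively" is read as four or more identical characters in a row, the username comparison is exact, and the dictionary check uses a small constructed word list as a stand-in for the device's dictionary (a real deployment would load a proper word list).

```python
"""Check a candidate password against the NX-OS password-strength rules listed
in the guide. Added example, not Cisco or Dell EMC code."""
import re
from typing import List

# Symbols the guide says the password must not contain.
FORBIDDEN_SYMBOLS = set("$?=")

# Constructed stand-in for the device's dictionary check; load a real
# word list in practice.
DICTIONARY_WORDS = {"password", "welcome", "cisco", "admin", "nexus", "summer"}


def _based_on_dictionary_word(password: str) -> bool:
    """Treat a password as dictionary-based if, after lower-casing and
    stripping digits and symbols, what remains is a dictionary word
    (so 'Welcome123!' is still caught)."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return core in DICTIONARY_WORDS


def password_violations(password: str, username: str) -> List[str]:
    """Return the list of rules the password breaks; empty means it passes."""
    violations: List[str] = []
    if not password:
        return ["must not be blank"]  # the remaining rules are moot
    if not 8 <= len(password) <= 64:
        violations.append("must be 8 to 64 characters")
    # Four or more identical characters in a row, e.g. 'aaaa'.
    if re.search(r"(.)\1{3,}", password):
        violations.append("must not repeat a character more than three times consecutively")
    if password in (username, username[::-1]):
        violations.append("must not equal the username or its reverse")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        violations.append("must contain at least three of: lower, upper, digits, special")
    bad = FORBIDDEN_SYMBOLS.intersection(password)
    if bad:
        violations.append("must not contain " + " ".join(sorted(bad)))
    if _based_on_dictionary_word(password):
        violations.append("must not be based on a dictionary word")
    return violations


def is_strong(password: str, username: str) -> bool:
    """True when the password breaks none of the listed rules."""
    return not password_violations(password, username)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3x", "Welcome123!", "Pa$$word9", "aaaa1234!B", ""):
        print(repr(candidate), password_violations(candidate, "admin") or "OK")
```

Because the function returns every broken rule rather than stopping at the first, an operator sees at once why a rotation failed; `is_strong` is the boolean gate for scripts.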
Cisco NX-OS: NXOS.CDP.disable
Control description
Ensure that the Cisco Discovery Protocol (CDP) is disabled.
Risk and
vulnerability
Cisco Discovery Protocol (CDP) is a Layer 2 protocol used to discover other CDP-enabled
devices for neighbor adjacency and network topology. CDP can be used by Network
Management Systems (NMS) or during troubleshooting, but it also advertises the platform,
software version, and addressing of the switch, which a malicious user can use for
reconnaissance and network mapping. CDP must be disabled on all interfaces connected
to untrusted networks. This is accomplished with the no cdp enable interface command.
Alternatively, CDP can be disabled globally with the no cdp enable global configuration
command.
Dell EMC security
standard
Ensure that the CDP is disabled.
Cisco NX-OS: NXOS.Telnet.disable
Control description
Ensure that Telnet is disabled.
Risk and
vulnerability
The account credentials or commands being passed during a Telnet session might be
compromised, as Telnet provides no encryption.
Dell EMC security
standard
Ensure that Telnet is disabled.
Cisco NX-OS: NXOS.banner.message
Control description
Configure the Cisco Nexus device to display a warning banner at log on.
Risk and
vulnerability
In some legal jurisdictions, you cannot prosecute or legally monitor malicious users unless
they have been notified that they are not permitted to use the system. One way to provide
this notification is to place this information in a banner message that is configured with the
Cisco NX-OS banner motd global configuration command. From a security perspective, a
logon banner should not contain any specific information about the device name, model,
software, or ownership. This information might be abused by malicious users.
Dell EMC security
standard
Configure the Cisco Nexus device to display a warning banner at log on.
Cisco NX-OS: NXOS.SSH.enable
Control description
Configure Cisco Nexus device to permit Secure Shell (SSH) connections.
Risk and
vulnerability
As information can be disclosed during an interactive management session, this traffic must
be encrypted so that a malicious user cannot gain access to the data being transmitted.
Encrypting the traffic allows a secure remote access connection to the device. If the traffic
for a management session is sent over the network in clear text, an attacker might obtain
sensitive information about the device and the network.
Dell EMC security
standard
Ensure that SSH is enabled and configured to use a strong 2048 bit RSA key.
Cisco NX-OS: NXOS.SCP.enable
Control description
Ensure SCP is enabled to provide for secure file system transfers.
Risk and
vulnerability
By not using SCP, sensitive information might be viewed and/or manipulated by an attacker.
Dell EMC security
standard
Ensure SCP is enabled to provide for secure file system transfers.
Cisco NX-OS: NXOS.SFTP.enable
Control description
Ensure SFTP is enabled to provide for secure file system transfers.
Risk and
vulnerability
By not using SFTP, sensitive information might be viewed and/or manipulated by an
attacker.
Dell EMC security
standard
Ensure SFTP is enabled to provide for secure file system transfers.
Cisco NX-OS: NXOS.console.exec.timeout
Control description
Ensure exec-timeout parameter on Cisco Nexus device console and VTY lines is set to
close active sessions after 15 minutes of inactivity (or less).
Risk and
vulnerability
To set the interval that the exec command interpreter waits for user input before it
terminates a session, run the exec-timeout line configuration command. This command
must be used to log out sessions on a VTY or physical terminal line (TTY) that is left idle
(inactive). If a user forgets to log out of an exec session, the connection might remain idle
but still active, increasing the potential for someone to gain privileged access to the host.
Dell EMC security
standard
Ensure exec-timeout parameter on the Cisco Nexus device console and VTY lines is set to
close active sessions after 15 minutes of inactivity (or less).
Cisco NX-OS: NXOS.vty.exec.timeout
Control description
Ensure exec-timeout parameter on Cisco Nexus device console and VTY lines is set to
close active sessions after 15 minutes of inactivity (or less).
Risk and
vulnerability
To set the interval that the exec command interpreter waits for user input before it
terminates a session, run the exec-timeout line configuration command. This command
must be used to log out sessions on a VTY or physical terminal line (TTY) that is left idle
(inactive). If a user forgets to log out of an exec session, the connection might remain idle
but still active, increasing the potential for someone to gain privileged access to the host.
Dell EMC security
standard
Ensure exec-timeout parameter on the Cisco Nexus device console and VTY lines is set to
close active sessions after 15 minutes of inactivity (or less).
Cisco NX-OS: NXOS.SNMP.disable
Control description
Ensure that Simple Network Management Protocol (SNMP) is disabled unless required.
Risk and
vulnerability
SNMP provides a standardized framework and a common language used for the monitoring
and management of devices in a network. It provides valuable system and event
information and is therefore commonly enabled throughout the network infrastructure. SNMP
might also be used by attackers for network reconnaissance in preparing for an attack, and
SNMPv1 and SNMPv2c authenticate only with a community string sent in clear text. If
SNMP access is not required, make sure it is disabled; if it is required, prefer SNMPv3
with authentication and privacy.
Dell EMC security
standard
Ensure that SNMP is disabled unless required.
Cisco NX-OS: NXOS.SNMP.ro.config
Control description
Ensure that the default read-only community string is changed from public to a unique
value.
Risk and
vulnerability
Simple Network Management Protocol (SNMP) provides a standardized framework and a
common language used for the monitoring and management of devices in a network. It
provides valuable system and event information and is therefore commonly enabled
throughout the network infrastructure. SNMP might also be used by attackers for network
reconnaissance in preparing for an attack. The default community string public is widely
known and is the first value an attacker tries; even read-only access exposes interface,
ARP, and routing tables. If SNMP access is not required, make sure it is disabled.
Dell EMC security
standard
Ensure that the default read-only community string is changed from public to a unique
value.
Cisco NX-OS: NXOS.SNMP.rw.config
Control description
Ensure that the read-write community string is changed from the default value of private
if Simple Network Management Protocol (SNMP) is used in the environment.
Risk and
vulnerability
SNMP provides a standardized framework and a common language used for the monitoring
and management of devices in a network. It provides valuable system and event
information and is therefore commonly enabled throughout the network infrastructure. SNMP
might also be used by attackers for network reconnaissance in preparing for an attack. A
read-write community string gives anyone who knows it the ability to change the device
configuration over SNMP, so leaving the default private in place is an unauthenticated
administrative interface. If SNMP access is not required, make sure it is disabled.
Dell EMC security
standard
Ensure that the read-write community string is changed from private to a non-trivial,
customer-provided value.
Cisco NX-OS: NXOS.remote.syslog.enable
Control description
Ensure customer-defined remote syslog server is set.
Risk and
vulnerability
Remote logging to a central log host provides a secure, centralized store for logs.
Gathering host log files onto a central host makes it easy to monitor all hosts with a single
tool. You can also do aggregate analysis and search to look for such things as coordinated
attacks on multiple hosts. Logging to a secure, centralized log server helps prevent log
tampering and also provides a long-term audit record.
Dell EMC security
standard
Ensure a customer-defined remote syslog server is set. In the absence of a customer-defined
remote syslog server, Dell EMC sets the Vision™ Intelligent Operations appliance to
collect syslog messages.
Cisco NX-OS: NXOS.disable.ICMP.redirect
Control description
Ensure ICMP redirects are disabled on Cisco Nexus devices.
Risk and
vulnerability
ICMP redirects are used to inform a network device of a better path to an IP destination. In
some situations, it might be possible for an attacker to cause the Cisco device to send
many ICMP redirect messages, which results in an elevated CPU load. For this reason, it is
recommended that the transmission of ICMP redirects be disabled on each Layer 3
interface with the no ip redirects interface command.
Dell EMC security
standard
Ensure that ICMP redirect messages are disabled.
Cisco NX-OS: NXOS.ICMP.unreachable
Control description
Ensure that ICMP unreachable messages are disabled.
Risk and
vulnerability
ICMP unreachable messages tell the sender which addresses, protocols, and ports are not
reachable, so an attacker can use them to map a network in preparation for an attack.
Generating them also consumes CPU on the device, which an attacker can exploit by
sending a stream of packets to unreachable destinations.
Dell EMC security
standard
Ensure that ICMP unreachable messages are disabled.
Cisco NX-OS: NXOS.disable.unused.interfaces
Control description
Ensure that unused switch interfaces are explicitly disabled.
Risk and
vulnerability
An unused switch interface might be physically connected and become a point of misuse or
exploitation.
Dell EMC security
standard
Ensure that unused switch interfaces are explicitly disabled.
Cisco NX-OS: NXOS.NTP.enable
Control description
Ensure that the Cisco Nexus device is configured with a centralized time source to ensure
consistency and accuracy.
Risk and
vulnerability
Network Time Protocol (NTP) is not an especially dangerous service, but any unneeded
service can represent an attack vector. If using NTP, be sure to explicitly configure a trusted
time source and use proper authentication. Accurate and reliable time can be very useful
for logging purposes, such as for forensic investigations of potential attacks. Configuring
NTP authentication provides assurance that NTP messages are exchanged between
trusted NTP peers. You should enable authentication for NTP if at all possible. Additionally,
for precision and redundancy purposes, you should configure multiple NTP server time
sources on the Cisco NX-OS device acting as an NTP client.
Dell EMC security
standard
Ensure the Cisco Nexus device is configured with a centralized time source to ensure
consistency and accuracy.
Cisco NX-OS: NXOS.disable.ip.source.routing
Control description
Ensure that IP source routing is disabled.
Risk and
vulnerability
IP source routing uses the loose source route and record route options in tandem or the
strict source route along with the record route option to enable the source of the IP
datagram to specify the network path that a packet takes. This function might be used in
attempts to route traffic around security controls in the network.
Dell EMC security
standard
Ensure that IP source routing is disabled.
Cisco NX-OS: NXOS.disable.ip.directed.broadcasts
Control description
Ensure that the IP directed broadcast feature is disabled on Cisco Nexus devices.
Risk and
vulnerability
IP directed broadcast makes it possible to send an IP broadcast packet to a remote IP
subnet. Once it reaches the remote network, the forwarding IP device sends the packet as
a Layer 2 broadcast to all stations on the subnet. This directed broadcast functionality has
been leveraged as an amplification and reflection aid in several attacks, including the smurf
attack.
Current versions of Cisco NX-OS have this function disabled by default; however, it can be
enabled with the ip directed-broadcast interface configuration command.
Dell EMC security
standard
Ensure that IP directed broadcast is disabled on Cisco Nexus devices.
Cisco NX-OS: NXOS.ip.source.guard.enable
Control description
Ensure that IP Source Guard is enabled.
Risk and
vulnerability
IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP
address and MAC address of each packet matches one of two sources of IP and MAC
address bindings:
• Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table
• Static IP source entries that you configure
Filtering based on trusted IP and MAC address bindings helps prevent attacks that rely on
spoofing attacks, in which an attacker uses the IP address of a valid host to gain
unauthorized network access. To circumvent IP Source Guard, an attacker would have to
spoof both the IP address and the MAC address of a valid host.
Dell EMC security
standard
Ensure that IP Source Guard is enabled.
Cisco NX-OS: NXOS.HTTP_Server.disable
Control description
Disable HTTP Server.
Risk and
vulnerability
Removing any unnecessary services, protocols, and scripts reduces the attack vectors a
potential hacker might exploit to gain access to sensitive information.
Dell EMC security
standard
Ensure HTTP Server is disabled.
Cisco NX-OS: NXOS.password.strength-check
Control description
Do not disable password strength check. This feature is enabled by default.
Risk and
vulnerability
Disabling the password strength check means password complexity is no longer enforced
for local accounts. Cisco NX-OS can optionally enforce strong password checking when a
password is set or entered. This feature is enabled by default and it ensures a password
must:
• Be at least eight characters long
• Not contain many consecutive characters (abcde, lmnopq, and so forth)
• Not contain dictionary words (English dictionary)
• Not contain many repeating characters (aaabbb, tttttyyyy, and so forth)
• Not contain common proper names (John, Mary, Joe, Cisco, and so forth)
• Contain both uppercase and lowercase letters
• Contain numbers
Dell EMC security
standard
Ensure that password strength checking is enabled.
Cisco NX-OS: NXOS.SSH.key.length
Control description
Ensure that Secure Shell (SSH) is enabled and configured to use a strong 2048 bit RSA
key.
Risk and
vulnerability
As information can be disclosed during an interactive management session, this traffic must
be encrypted so that a malicious user cannot gain access to the data being transmitted.
Encrypting the traffic allows a secure remote access connection to the device. If the traffic
for a management session is sent over the network in clear text, an attacker might obtain
sensitive information about the device and the network.
Dell EMC security
standard
Ensure that SSH is enabled and configured to use a strong 2048 bit RSA key.
Cisco NX-OS: NXOS.LoggingTimestamp.configure
Control description
Configure logging timestamp with millisecond precision.
Risk and
vulnerability
Configuring logging timestamps helps correlate events across network devices. It is
important to implement a correct and consistent logging timestamp configuration to help
ensure that you can correlate logging data. Logging timestamps should be configured to
include millisecond precision.
Dell EMC security
standard
Ensure configuration of logging timestamp with millisecond precision.
Cisco NX-OS: NXOS.UnusedServices.disable
Control description
Disable unused services for Cisco NX-OS devices.
Risk and
vulnerability
As a general security best practice, disable any unnecessary services. By default, Cisco
NX-OS does not run any of the typical Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP) small servers often found in Cisco IOS software or other network
operating systems. As a result, these services do not need to be explicitly disabled. Cisco
NX-OS is designed to not run remotely-accessible services or protocols by default without
explicit configuration. Secure Shell (SSH), Simple Network Management Protocol (SNMP),
and Network Time Protocol (NTP) are essential services for running and managing a
network. These services are enabled by default. If needed, they can be individually
disabled. During initial setup, Cisco NX-OS offers the option to enable Telnet. Note that this
service does not load or run at restart time if it is not enabled during this initial setup. If this
service is not enabled when the setup script is run, it can be added manually later if
needed. Cisco recommends using SSH instead of Telnet for security reasons.
Dell EMC security
standard
Ensure that CDP, Telnet, and any other unused services (such as TCP small servers) are
disabled.
Cisco NX-OS: NXOS.SSH.Retry limit
Control description
Secure Shell (SSH) provides a secure, encrypted channel for communication with remote
terminals. SSH can be configured to limit the number of authentication attempts in a given
time period.
Risk and
vulnerability
By not configuring SSH authentication parameters, attackers might repeatedly attempt
authentication.
Dell EMC security
standard
Ensure that SSH is configured to allow only three authentication attempts in any one
minute.
Cisco NX-OS: NXOS.DHCP.disable
Control description
Ensure Dynamic Host Configuration Protocol (DHCP) services are disabled if not required.
Risk and
vulnerability
Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration
information dynamically to hosts on a TCP/IP network. A DHCP client is a host that uses
DHCP to obtain configuration parameters such as an IP address, DNS server, and so forth.
Due to the nature of DHCP and the services it provides, potential attackers might exploit
DHCP functionality as a means of reconnaissance in preparation for an attack. There is also
a risk that a rogue DHCP server could be deployed to provide malicious IP or DNS
configurations to hosts. DHCP services should be disabled if not required.
Dell EMC security
standard
Ensure DHCP services are disabled if not required.
Cisco NX-OS: NXOS.DNS.Resolution.Lookups.disable
Control description
When DNS resolution lookup (ip domain-lookup) is enabled, the device treats an
unrecognized command as a host name and automatically tries to resolve it.
Risk and
vulnerability
Mistyping a command results in delays as the device attempts to resolve the name, and the
mistyped text is sent over the network as a DNS query.
Dell EMC security
standard
Ensure domain-lookup feature is disabled.
Cisco NX-OS: NXOS.DefaultPasswords.modify
Control description
Change the passwords for all default accounts.
Risk and
vulnerability
Default accounts and passwords can be configured by the vendor or during the initial
system build. Such accounts and passwords might be used to compromise the production
system.
Dell EMC security
standard
Ensure all default passwords are changed to sufficiently complex values.
Cisco NX-OS: NXOS.VLAN.Segmentation
Control description
Use separate VLANs to isolate sensitive data transmissions.
Risk and
vulnerability
Without proper identification, documentation, and segmentation of VLANs, network traffic
might be viewed from unauthorized sources. Some examples of VLAN best practices are:
• Ensure that vSphere management traffic is on a restricted network.
• Ensure that VLAN 1 is not used for in-band management and is pruned from all trunks
and from all access ports.
• Ensure that vMotion traffic is isolated.
• Ensure IP-based storage traffic is isolated.
Dell EMC security
standard
Ensure that management and system hosts are placed on separate VLANs.
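Most of the NX-OS controls above can be verified from the text of show running-config rather than by clicking through each device. The following Python script is an added example, not from the Dell EMC guide or from Cisco: it parses a constructed sample running-config (and a constructed hardened version of the same switch) and reports which of the baseline control IDs the config fails, covering Telnet, SSH and RSA host-key length, CDP, password strength-check, domain lookup, default SNMP community strings, NTP, remote syslog, logging timestamps, and console/VTY exec-timeout. The 30-minute default assumed for a line with no exec-timeout, the sample addresses, and the community names are assumptions.

```python
import re

# Constructed sample of `show running-config` output with several baseline violations;
# not captured from a real VxRack switch.
SAMPLE_CONFIG = """\
feature telnet
feature ssh
no password strength-check
ip domain-lookup
snmp-server community public group network-operator
snmp-server community n3tOps-ro group network-operator
ntp server 10.0.0.5 use-vrf management
logging server 10.0.0.20 6 use-vrf management
logging timestamp milliseconds
ssh key rsa 1024
line console
  exec-timeout 0
line vty
  exec-timeout 30
interface Ethernet1/10
  no cdp enable
"""

# Constructed remediated config for the same switch (what the baseline expects to see).
HARDENED_CONFIG = """\
no feature telnet
feature ssh
no ip domain-lookup
no cdp enable
snmp-server community n3tOps-ro group network-operator
ntp server 10.0.0.5 use-vrf management
ntp server 10.0.0.6 use-vrf management
logging server 10.0.0.20 6 use-vrf management
logging timestamp milliseconds
ssh key rsa 2048
line console
  exec-timeout 10
line vty
  exec-timeout 10
"""

# Assumption: a line block with no exec-timeout shown uses the NX-OS default of 30 minutes
# (a plain `show running-config` omits default values).
DEFAULT_EXEC_TIMEOUT = 30


def parse_config(text):
    """Split a config into top-level commands and a map of block header -> indented sub-commands."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def audit(text, max_idle=15):
    """Return a sorted list of (control, message) for each baseline control the config violates."""
    top, blocks = parse_config(text)

    def present(pattern):
        return any(re.fullmatch(pattern, line) for line in top)

    findings = []
    if present(r"feature telnet"):
        findings.append(("NXOS.Telnet.disable", "Telnet enabled; expected 'no feature telnet'"))
    if not present(r"feature ssh"):
        findings.append(("NXOS.SSH.enable", "SSH feature is not enabled"))
    if not present(r"no cdp enable"):
        findings.append(("NXOS.CDP.disable", "CDP not disabled globally ('no cdp enable' missing)"))
    if present(r"no password strength-check"):
        findings.append(("NXOS.password.strength-check", "password strength checking is disabled"))
    if present(r"ip domain-lookup"):
        findings.append(("NXOS.DNS.Resolution.Lookups.disable", "ip domain-lookup is enabled"))
    if not present(r"ntp server \S+.*"):
        findings.append(("NXOS.NTP.enable", "no NTP server configured"))
    if not present(r"logging server \S+.*"):
        findings.append(("NXOS.remote.syslog.enable", "no remote syslog server configured"))
    if not present(r"logging timestamp milliseconds"):
        findings.append(("NXOS.LoggingTimestamp.configure", "logging timestamps lack millisecond precision"))

    for line in top:
        key = re.fullmatch(r"ssh key rsa (\d+)( force)?", line)
        if key and int(key.group(1)) < 2048:
            findings.append(("NXOS.SSH.key.length", f"RSA host key is {key.group(1)} bits; expected 2048"))
        snmp = re.fullmatch(r"snmp-server community (\S+) group \S+", line)
        if snmp and snmp.group(1).lower() in ("public", "private"):
            control = "NXOS.SNMP.ro.config" if snmp.group(1).lower() == "public" else "NXOS.SNMP.rw.config"
            findings.append((control, f"default community string '{snmp.group(1)}' is still configured"))

    # Idle timeout: 0 means sessions never expire, which is worse than the default.
    for header, control in (("line console", "NXOS.console.exec.timeout"),
                            ("line vty", "NXOS.vty.exec.timeout")):
        timeout = DEFAULT_EXEC_TIMEOUT
        for line in blocks.get(header, []):
            m = re.fullmatch(r"exec-timeout (\d+)", line)
            if m:
                timeout = int(m.group(1))
        if timeout == 0 or timeout > max_idle:
            findings.append((control, f"{header}: exec-timeout {timeout} (0 = never); expected 1-{max_idle}"))
    return sorted(findings)


if __name__ == "__main__":
    for control, message in audit(SAMPLE_CONFIG):
        print(f"FAIL {control}: {message}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Feed it the saved output of show running-config all rather than show running-config when you want default values (such as a missing exec-timeout) to appear explicitly instead of being assumed; the parser handles both forms.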
Storage layer security baseline
ScaleIO
For detailed ScaleIO security configuration information, refer to the following Dell EMC resources,
available at support.emc.com:
•
ScaleIO Security Configuration Guide
•
ScaleIO User Guide
ScaleIO: ScaleIO.Passwords.Change
Control description
Change the passwords for all default accounts.
Risk and
vulnerability
Default accounts and passwords might be configured by the vendor or during the initial
system build. Such accounts and passwords might be used to compromise the production
system.
Dell EMC security
standard
Ensure that passwords are rotated for all built-in accounts.
ScaleIO: ScaleIO.SNMP.Trap.Configure
Control description
ScaleIO supports sending Simple Network Management Protocol (SNMP) traps to an
SNMP server.
Risk and
vulnerability
Defining an incorrect SNMP trap receiver could expose system information to a potential
attacker or a rogue trap receiver.
Dell EMC security
standard
Ensure a correct SNMP trap receiver is configured according to customer requirements.
ScaleIO: ScaleIO.Logging.Configure
Control description
Log all successful interactive device management access using centralized syslog.
Risk and
vulnerability
Logging all successful interactive device management access enables the correlation of
events to be viewed when a device is accessed by a host. Not having this in place can
negatively impact log review or correlation of events.
Dell EMC security
standard
Define a syslog server for centralized event monitoring.
Virtualization layer security baseline
Management Virtual Machines
Management VM: VM.disable-disk-shrinking-shrink
Control description
Disable disk shrinking feature for virtual disks for normal operations.
Risk and
vulnerability
Shrinking a virtual disk reclaims unused space in it. The shrinking process itself, which
takes place on the host, reduces the size of the disk's files by the amount of disk space
reclaimed in the wipe process. If there is empty space in the disk, this process reduces the
amount of space the virtual disk occupies on the host drive. Normal users and processes,
that is, users and processes without root or administrator privileges, in virtual machines
have the capability to invoke this procedure. A non-root user cannot erase the parts of the
virtual disk that require root-level permissions. However, if shrinking is invoked repeatedly,
the virtual disk becomes unavailable while each shrink is being performed, effectively
causing a denial of service. In most datacenter environments, disk shrinking is not done, so
you should disable this feature.
Dell EMC security
standard
Ensure the shrinking of virtual disks is restricted.
Management VM: VM.limit-console-connections-one
Control description
Limit sharing of console connections.
Risk and
vulnerability
By default, more than one user at a time can connect to remote console sessions. When
multiple sessions are activated, each terminal window gets a notification about the new
session. If an administrator in the virtual machine logs in using a VMware remote console
during their session, a non-administrator in the virtual machine can connect to the console
and observe the administrator's actions. Also, this could result in an administrator losing
console access to a virtual machine. For example if a jump box is being used for an open
console session and the administrator loses connection to that box, the console session
remains open. Allowing two console sessions permits debugging using a shared session.
For highest security, allow only one remote console session at a time.
Dell EMC security
standard
Ensure only a single connection, at maximum, is allowed to a remote session.
Management VM: VM.disable-console-drag-n-drop
Control description
Explicitly disable copy/paste operations.
Risk and
vulnerability
Information might be improperly disclosed if copy/paste operations are permitted during
console sessions. Copy and paste operations are disabled by default. However, if you
explicitly disable this feature, audit controls can check that this setting is correct.
Dell EMC security
standard
Ensure clipboard information (for example, using cut and paste) is not shareable between
the virtual machines and the computers running the remote console session.
Management VM: VM.disable-console-copy
Control description
Explicitly disable copy/paste operations.
Risk and
vulnerability
Information might be improperly disclosed if copy/paste operations are permitted during
console sessions. Copy and paste operations are disabled by default. However, if you
explicitly disable this feature, audit controls can check that this setting is correct.
Dell EMC security
standard
Ensure clipboard information (for example, using cut and paste) is not shareable between
the virtual machines and the computers running the remote console session.
Management VM: VM.disable-console-paste
Control description
Explicitly disable copy/paste operations.
Risk and
vulnerability
Information might be improperly disclosed if copy/paste operations are permitted during
console sessions. Copy and paste operations are disabled by default. However, if you
explicitly disable this feature, audit controls can check that this setting is correct.
Dell EMC security
standard
Ensure clipboard information (for example, using cut and paste) is not shareable between
the virtual machines and the computers running the remote console session.
Management VM: VM.disable-console-gui-options
Control description
Explicitly disable copy/paste operations.
Risk and
vulnerability
Information might be improperly disclosed if copy/paste operations are permitted during
console sessions. Copy and paste operations are disabled by default. However, if you
explicitly disable this feature, audit controls can check that this setting is correct.
Dell EMC security
standard
Ensure clipboard information (for example, using cut and paste) is not shareable between
the virtual machines and the computers running the remote console session.
Management VM: VM.disconnect-devices-floppy
Control description
Disconnect unused/unauthorized devices.
Risk and
vulnerability
Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be
used to compromise a system. Ensure that no device is connected to a virtual machine if it
is not required. For example, serial and parallel ports are rarely used for virtual machines in
a datacenter environment, and CD/DVD drives are usually connected only temporarily
during software installation. For less commonly used devices that are not required, either
the parameter should not be present or its value must be set to False. The parameters
listed are not sufficient to ensure that a device is usable; other required parameters specify
how each device is instantiated. Any enabled or connected device represents a potential
attack channel. When set to False, functionality is disabled; however, the device might
still show up in the guest operating system.
Dell EMC security
standard
Ensure that virtual devices are disabled so as to eliminate potential attack vectors.
Management VM: VM.disconnect-devices-serial
Control description
Disconnect unused/unauthorized devices.
Risk and
vulnerability
Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be
used to compromise a system. Ensure that no device is connected to a virtual machine if it
is not required. For example, serial and parallel ports are rarely used for virtual machines in
a datacenter environment, and CD/DVD drives are usually connected only temporarily
during software installation. For less commonly used devices that are not required, either
the parameter should not be present or its value must be set to False. The parameters
listed are not sufficient to ensure that a device is usable; other required parameters specify
how each device is instantiated. Any enabled or connected device represents a potential
attack channel. When set to False, functionality is disabled; however, the device might
still show up in the guest operating system.
Dell EMC security
standard
Ensure that virtual devices are disabled so as to eliminate potential attack vectors.
Management VM: VM.disconnect-devices-parallel
Control description
Disconnect unused/unauthorized devices.
Risk and
vulnerability
Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be
used to compromise a system. Ensure that no device is connected to a virtual machine if it
is not required. For example, serial and parallel ports are rarely used for virtual machines in
a datacenter environment, and CD/DVD drives are usually connected only temporarily
during software installation. For less commonly used devices that are not required, either
the parameter should not be present or its value must be set to False. The parameters
listed are not sufficient to ensure that a device is usable; other required parameters specify
how each device is instantiated. Any enabled or connected device represents a potential
attack channel. When set to False, functionality is disabled; however, the device might
still show up in the guest operating system.
Dell EMC security
standard
Ensure that virtual devices are disabled so as to eliminate potential attack vectors.
Management VM: VM.disconnect-devices-usb
Control description
Disconnect unused/unauthorized devices.
Risk and
vulnerability
Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be
used to compromise a system. Ensure that no device is connected to a virtual machine if it
is not required. For example, serial and parallel ports are rarely used for virtual machines in
a datacenter environment, and CD/DVD drives are usually connected only temporarily
during software installation. For less commonly used devices that are not required, either
the parameter should not be present or its value must be set to False. The parameters
listed are not sufficient to ensure that a device is usable; other required parameters specify
how each device is instantiated. Any enabled or connected device represents a potential
attack channel. When set to False, functionality is disabled; however, the device might
still show up in the guest operating system.
Dell EMC security
standard
Ensure that virtual devices are disabled so as to eliminate potential attack vectors.
Management VM: VM.disconnect-devices-ide
Control description
Disconnect unused/unauthorized devices.
Risk and
vulnerability
Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be
used to compromise a system. Ensure that no device is connected to a virtual machine if it
is not required. For example, serial and parallel ports are rarely used for virtual machines in
a datacenter environment, and CD/DVD drives are usually connected only temporarily
during software installation. For less commonly used devices that are not required, either
the parameter should not be present or its value must be set to False. The parameters
listed are not sufficient to ensure that a device is usable; other required parameters specify
how each device is instantiated. Any enabled or connected device represents a potential
attack channel. When set to False, functionality is disabled; however, the device might
still show up in the guest operating system.
Dell EMC security
standard
Ensure that virtual devices are disabled so as to eliminate potential attack vectors.
Management VM: VM.prevent-device-interaction-connect
Control description
Prevent unauthorized removal, connection, and modification of devices.
Risk and
vulnerability
Non-administrative users can reconnect a disconnected CD-ROM drive and access
mounted information. Non-administrative users can disconnect or change network adaptor
settings and disrupt service to the virtual machine. In a virtual machine, users and
processes without root or administrator privileges can connect or disconnect devices, such
as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual
machine settings editor or configuration editor to remove unneeded or unused hardware
devices. If you want to keep a device available, you can instead prevent a user or running
process in the virtual machine from connecting, disconnecting, or modifying the device from
within the guest operating system. By default, a rogue user with non-administrator privileges
in a virtual machine can:
• Connect a disconnected CD-ROM drive and access sensitive information on the media
left in the drive
• Disconnect a network adaptor to isolate the virtual machine from its network, which is a
denial of service
Dell EMC security
standard
Ensure that virtual devices cannot be disconnected or edited to prevent disruption of
services.
Management VM: VM.prevent-device-interaction-edit
Control description
Prevent unauthorized removal, connection, and modification of devices.
Risk and
vulnerability
Non-administrative users can reconnect a disconnected CD-ROM drive and access
mounted information. Non-administrative users can disconnect or change network adaptor
settings and disrupt service to the virtual machine. In a virtual machine, users and
processes without root or administrator privileges can connect or disconnect devices, such
as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual
machine settings editor or configuration editor to remove unneeded or unused hardware
devices. If you want to keep a device available, you can instead prevent a user or running
process in the virtual machine from connecting, disconnecting, or modifying the device from
within the guest operating system. By default, a rogue user with non-administrator privileges
in a virtual machine can:
• Connect a disconnected CD-ROM drive and access sensitive information on the media
left in the drive
• Disconnect a network adaptor to isolate the virtual machine from its network, which is a
denial of service
Dell EMC security
standard
Ensure that virtual devices cannot be disconnected or edited to prevent disruption of
services.
Management VM: VM.limit-log-size
Control description
Limit virtual machine logging. Check virtual machine configuration settings and verify that log.rotateSize is set to 100000.
Risk and vulnerability
Normally a new log file is created only when a host is restarted, so the file can grow to be quite large. Use log settings to limit the total size and number of log files. You can limit the maximum log file size to ensure that new log files are created more frequently.
To restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000 KB. Datastores are likely to be formatted with a block size of 2 MB or 4 MB, so a size limit too far below this size would result in unnecessary storage usage. Each time an entry is written to the log, the log size is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, the oldest log file is deleted when a new one is created. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. However, each log entry is limited to 4 KB, so no log files are ever more than 4 KB larger than the configured limit.
Another option is to disable logging for the virtual machine, making troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastore being filled.
Dell EMC security standard
Ensure that only the last 10 virtual machine log files are saved, with each restricted to 1 MB in size.
Management VM: VM.limit-log-number
Control description
Limit virtual machine logging. Check virtual machine configuration settings and verify that log.keepOld is set to 10.
Risk and vulnerability
Normally a new log file is created only when a host is restarted, so the file can grow to be quite large. Use log settings to limit the total size and number of log files. You can limit the maximum log file size to ensure that new log files are created more frequently.
To restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000 KB. Datastores are likely to be formatted with a block size of 2 MB or 4 MB, so a size limit too far below this size would result in unnecessary storage usage. Each time an entry is written to the log, the log size is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, the oldest log file is deleted when a new one is created. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. However, each log entry is limited to 4 KB, so no log files are ever more than 4 KB larger than the configured limit.
Another option is to disable logging for the virtual machine, making troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastore being filled.
Dell EMC security standard
Ensure that only the last 10 virtual machine log files are saved, with each restricted to 1 MB in size.
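The rotation mechanics described for log.rotateSize and log.keepOld (size checked before each write, oldest file deleted on rotation, 4 KB cap per entry) can be modelled to confirm the worst-case datastore footprint the two controls bound. The following Python is an added example, not code from this guide or from VMware; the in-memory model and the oversized entries it writes are constructed, and it assumes log.keepOld counts the total number of log files retained, as the standard above states.

```python
"""Model vmware.log rotation under log.rotateSize / log.keepOld (added example)."""

ROTATE_SIZE = 100_000   # log.rotateSize in bytes, per the baseline
KEEP_OLD = 10           # log.keepOld, per the baseline (assumed: total files retained)
MAX_ENTRY = 4096        # each log entry is capped at 4 KB


class RotatingVmLog:
    """In-memory model: files holds byte counts, oldest first; files[-1] is current."""

    def __init__(self, rotate_size: int = ROTATE_SIZE, keep_old: int = KEEP_OLD):
        self.rotate_size = rotate_size
        self.keep_old = keep_old
        self.files = [0]
        self.rotations = 0

    def write(self, entry: bytes) -> None:
        entry = entry[:MAX_ENTRY]              # the 4 KB per-entry cap
        if self.files[-1] > self.rotate_size:  # size is checked before each write
            self.files.append(0)               # next entry goes to a new log
            self.rotations += 1
            if len(self.files) > self.keep_old:
                self.files.pop(0)              # the oldest log is deleted
        self.files[-1] += len(entry)

    @property
    def total_bytes(self) -> int:
        return sum(self.files)


def worst_case_footprint(n_entries: int = 1000) -> dict:
    """Write many 'enormous' entries (constructed) and report the resulting footprint."""
    log = RotatingVmLog()
    for _ in range(n_entries):
        log.write(b"x" * 10_000)  # an oversized entry; truncated to MAX_ENTRY
    return {"files": len(log.files), "largest": max(log.files), "total": log.total_bytes}


def footprint_bound(rotate_size: int = ROTATE_SIZE, keep_old: int = KEEP_OLD) -> int:
    """Upper bound on datastore use: each file overshoots by at most one capped entry."""
    return keep_old * (rotate_size + MAX_ENTRY)


if __name__ == "__main__":
    print(worst_case_footprint(), "bound:", footprint_bound())
```

With the baseline values no file exceeds 104,000 bytes and the ten retained files never exceed 1,040,960 bytes in total, which is the figure to compare against the datastore block size discussion above.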
Management VM: VM.limit-setinfo-size
Control description
Limit informational messages from the virtual machine to the VMX file.
Risk and vulnerability
The configuration file containing the name-value pairs is limited to a size of 1 MB. This capacity should be sufficient for most cases, but you can change this value if necessary. You might increase this value if large amounts of custom information are being stored in the configuration file. The default limit is 1 MB. This limit is applied even when the sizeLimit parameter is not listed in the VMX file. Uncontrolled size for the VMX file can lead to denial of service if the datastore is filled.
Dell EMC security standard
Ensure the VMware VMX configuration file is explicitly configured for a 1 MB size restriction.
Management VM: vCenter.restrict-guest-control
Control description
Restrict unauthorized VMware vSphere users from being able to execute commands in the guest virtual machine.
Risk and vulnerability
By default, the VMware vCenter Server administrator role allows users to interact with files and programs inside a virtual machine's guest operating system, which can lessen guest data confidentiality, availability, or integrity. Least privilege requires that this privilege not be granted to any users who are not authorized. A non-guest-access administrator role should be created with these privileges removed. This role grants administrator privileges excluding those allowing file and program interaction in the guests.
Dell EMC security standard
Create a new role for administration that does not allow interaction with guest operating system files or programs.
Management VM: VM.restrict-host-info
Control description
Do not send host information to guests.
Risk and vulnerability
By enabling a virtual machine to get detailed information about the physical host, an adversary could potentially use this information to inform further attacks on the host. If set to True, a virtual machine can obtain detailed information about the physical host. The default value for the parameter is False. This setting should not be True unless a particular virtual machine requires this information for performance monitoring. Check virtual machine configuration settings and verify that tools.guestlib.enableHostInfo is set to False.
Dell EMC security standard
Ensure that information pertaining to the physical host cannot be obtained by the virtual machines.
Management VM: VM.disable-unexposed-features-getcreds
Control description
Disable unnecessary features or services.
Risk and vulnerability
Some VMX parameters do not apply on VMware vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest might affect the host.
Dell EMC security standard
Ensure that configuration settings and parameters are explicitly set to disabled if not required.
Management VM: VM.disable-unexposed-features-unitypush
Control description
Disable unnecessary features or services.
Risk and vulnerability
Some VMX parameters do not apply on VMware vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest might affect the host.
Dell EMC security standard
Ensure that configuration settings and parameters are explicitly set to disabled if not required.
Management VM: VM.disable-unexposed-features-launchmenu
Control description
Disable unnecessary features or services.
Risk and vulnerability
Some VMX parameters do not apply on VMware vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest might affect the host.
Dell EMC security standard
Ensure that configuration settings and parameters are explicitly set to disabled if not required.
Management VM: VM.disable-unexposed-features-memsfss
Control description
Disable unnecessary features or services.
Risk and vulnerability
As VMware virtual machines are designed to work on both vSphere and hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them reduces the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus might help prevent successful exploits.
Dell EMC security standard
Ensure that configuration settings and parameters are explicitly set to disabled if not required.
Management VM: VM.disable-independent-nonpersistent
Control description
Avoid using independent non-persistent disks.
Risk and vulnerability
With non-persistent disk mode, successful attackers, with a simple shutdown or restart, might undo or remove any traces that they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode. Additionally, make sure that activity in the virtual machine is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a virtual machine, administrators might never know whether they have been attacked or hacked.
Dell EMC security standard
Ensure that configuration settings and parameters are explicitly set to desired values; in this case, scsiX:Y.mode = Not present OR not set to independent nonpersistent.
Management VM: VM.isolation.tools.autoInstall.disable
Control description
Disable tools that require automatic restarting after installation.
Risk and vulnerability
Tools auto-install can initiate an automatic restart. Disabling this option prevents tools from being installed automatically and prevents automatic machine restarts.
For Linux-based operating systems, Open VM Tools is widely available as a distribution-based package. Consider using this method to manage VM Tools installation. If you do this, disable VM Tools auto-install using this guideline.
Dell EMC security standard
Check virtual machine configuration settings to verify that isolation.tools.autoinstall.disable is set to True.
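The Management VM controls above are all expressed as VMX parameters, so they can be audited directly from the .vmx file. The following Python is an added example, not code from this guide or from VMware, that parses a .vmx file and reports deviations from the baseline. The parameter names the guide states explicitly (log.rotateSize, log.keepOld, tools.guestlib.enableHostInfo, isolation.tools.autoinstall.disable, scsiX:Y.mode) are taken from the page; for the controls the guide names only by control ID (device connect/edit, setinfo size limit, getcreds, unitypush, launchmenu, memsfss) the example uses the corresponding keys from VMware's vSphere hardening guide, which is assumed here, and the sample VMX content is constructed.

```python
"""Audit a .vmx file against the Management VM baseline (added example)."""
import re

# VMX key (lower-cased) -> required value. Keys the guide names only by
# control ID use the VMware hardening-guide parameter names (assumed here).
EXPECTED = {
    "log.rotatesize": "100000",                          # VM.limit-log-size
    "log.keepold": "10",                                 # VM.limit-log-number
    "tools.setinfo.sizelimit": "1048576",                # VM.limit-setinfo-size (1 MB, explicit)
    "tools.guestlib.enablehostinfo": "false",            # VM.restrict-host-info
    "isolation.tools.autoinstall.disable": "true",       # VM.isolation.tools.autoInstall.disable
    "isolation.device.connectable.disable": "true",      # VM.prevent-device-interaction-connect
    "isolation.device.edit.disable": "true",             # VM.prevent-device-interaction-edit
    "isolation.tools.getcreds.disable": "true",          # ...-getcreds
    "isolation.tools.unitypush.update.disable": "true",  # ...-unitypush
    "isolation.tools.unity.launchmenu.change": "true",   # ...-launchmenu
    "isolation.tools.memschedfakesamplestats.disable": "true",  # ...-memsfss
}

# scsiX:Y.mode must not be independent-nonpersistent (VM.disable-independent-nonpersistent).
DISK_MODE_RE = re.compile(r"^scsi\d+:\d+\.mode$")
VMX_LINE_RE = re.compile(r'^\s*([^=\s]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> dict:
    """Parse key = "value" lines; VMX keys are case-insensitive, so lower-case them."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit_vmx(text: str) -> list:
    """Return (key, finding) pairs; an empty list means the VMX meets the baseline."""
    cfg = parse_vmx(text)
    findings = []
    for key, want in EXPECTED.items():
        have = cfg.get(key)
        if have is None:
            # The guide asks for explicit settings, so do not rely on defaults.
            findings.append((key, "not set; set it explicitly"))
        elif have.strip().lower() != want:
            findings.append((key, f"is {have!r}, expected {want!r}"))
    for key, val in cfg.items():
        norm = val.strip().lower().replace(" ", "-")
        if DISK_MODE_RE.match(key) and norm == "independent-nonpersistent":
            findings.append((key, "independent-nonpersistent disk; use persistent mode"))
    return findings


# Constructed sample VMX (not from a real system): one wrong value, one bad
# disk mode, and several baseline keys missing altogether.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "mgmt-vm-01"
log.rotateSize = "100000"
log.keepOld = "10"
tools.guestlib.enableHostInfo = "TRUE"
isolation.tools.autoinstall.disable = "TRUE"
scsi0:0.mode = "independent-nonpersistent"
"""

if __name__ == "__main__":
    for key, finding in audit_vmx(SAMPLE_VMX):
        print(f"{key}: {finding}")
```

Run against a VMX exported from the datastore; a missing key is reported as a finding on purpose, because the baseline wants each setting present explicitly rather than left to the hypervisor default.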
Management VM: VM.HostGuestFileSystem.disable
Control description
Disable Host Guest File System transfers.
Risk and vulnerability
Certain automated tools use a hypervisor component, Host Guest File System. An attacker might potentially use this to transfer files inside the guest operating system.
Dell EMC security standard
Disable Host Guest File System transfers.
Management VM: VM.MonitorControl.disable
Control description
Disable VM Monitor Control to further hide system information.
Risk and vulnerability
Virtual machines running on a hypervisor are "aware" that they are running in a virtual environment, and this information is available to tools inside the guest operating system. This can give attackers information about the platform on which they are running.
Dell EMC security standard
Disable VM Monitor Control to further hide system information.
Management VM: VM.host-performance-info.disable
Control description
This setting, if enabled, allows the virtual machine to obtain detailed information about the physical host.
Risk and vulnerability
Information gained about the physical host might be used to assist in subsequent attacks against the physical host.
Dell EMC security standard
Ensure this setting is disabled.
Management VM: VM.Unecessary-Services.disable
Control description
Disable any unnecessary functions inside virtual machines.
Risk and vulnerability
Disabling unnecessary system components not needed to support the application or service running on the system reduces the number of attack vectors.
Dell EMC security standard
Disable any unnecessary functions inside virtual machines.
Management VM: VM.DefaultPasswords.modify
Control description
Remove default accounts and passwords.
Risk and vulnerability
During installation, the default password is not changed. This must be done manually.
Dell EMC security standard
Remove default accounts and passwords.
Management VM: VM.ToolsAutoInstall.Disable
Control description
Disable tools that require automatic restarting after installation.
Risk and vulnerability
Tools that auto-install might initiate an automatic restart that disrupts the current environment.
Dell EMC security standard
Disable tools that require automatic restarting after installation.
Management VM: VM.Passwords.Modify
Control description
Remove default accounts and passwords.
Risk and vulnerability
During installation of the vCenter Server Appliance (VCSA), the default password is not changed. This must be done manually.
Dell EMC security standard
Remove default accounts and passwords.
Management VM: VM.Configure.NTP
Control description
Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems on a network.
According to VMware best practices related to time synchronization, configuration of virtual machine time synchronization should be implemented using the native OS tools on the VM.
See VMware KB 1318 for more information concerning best practices for Windows: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318
See VMware KB 1006427 for more information concerning best practices for Linux: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006427
Risk and vulnerability
By not using a centralized, consistent time source, event detection and audits are difficult and may be inaccurate.
Dell EMC security standard
NTP is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log timestamps.
VMware ESXi
VMware ESXi: ESXi.enable-remote-syslog
Control description
Configure remote logging for VMware vSphere ESXi hosts.
Risk and vulnerability
Remote logging to a central log host provides a secure, centralized store for VMware vSphere ESXi logs. By gathering host log files onto a central host, you can more easily monitor all hosts with a single tool. You can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server helps prevent log tampering and also provides a long-term audit record. To facilitate remote logging, VMware provides the vSphere Syslog Collector.
Dell EMC security standard
Ensure remote syslog is configured to centralize alert and event logging.
VMware ESXi: ESXi.config-ntp
Control description
Configure Network Time Protocol (NTP) time synchronization.
Risk and vulnerability
Ensuring that all systems use the same relative time source (including the relevant localization offset) and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC) makes it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate.
Dell EMC security standard
Ensure a centralized time source is used to ensure consistency.
VMware ESXi: ESXi.enable-normal-lockdown-mode
Control description
Enable Normal Lockdown Mode to restrict access.
Risk and vulnerability
Enabling lockdown mode disables direct access to a VMware vSphere ESXi host, requiring that the host be managed remotely from vCenter Server. This is done to ensure the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging into a host directly. Forcing all interaction to occur through vCenter Server greatly reduces the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited. Lockdown mode does not apply to users who log in using authorized keys. When you use an authorized key file for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode. Users listed in the DCUI.Access list for each host are allowed to override lockdown mode and log on to the Direct Console User Interface (DCUI). By default, the root user is the only user listed in the DCUI.Access list.
Dell EMC security standard
Enable lockdown mode for all VMware vSphere ESXi host systems; use the DCUI for administration, or authorized keys for Secure Shell (SSH) access, where required.
VMware ESXi: ESXi.config-persistent-logs
Control description
Configure persistent logging for all VMware vSphere ESXi hosts.
Risk and vulnerability
VMware vSphere ESXi can be configured to store log files on an in-memory file system. This occurs when the host's /scratch directory is linked to /tmp/scratch. When this is done, only a single day's worth of logs is stored at any time. In addition, log files are reinitialized upon each restart. This presents a security risk, as user activity logged on the host is only stored temporarily and does not persist across restarts. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore.
Dell EMC security standard
VMware vSphere ESXi host logging should always be configured to a persistent datastore.
VMware ESXi: vNetwork.reject-mac-changes
Control description
Ensure that the MAC Address Changes policy is set to Reject.
Risk and vulnerability
If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Setting the policy to Reject prevents virtual machines from changing their effective MAC address. It affects applications that require this functionality; for example, Microsoft Clustering, which requires systems to effectively share a MAC address. This also affects how a layer 2 bridge operates and affects applications that require a specific MAC address for licensing. An exception should be made for the port groups to which these applications connect.
Reject MAC Changes can be set at the vSwitch and/or the port group level. You can override switch-level settings at the port group level.
Dell EMC security standard
Ensure that the MAC Address Changes policy is set to Reject.
VMware ESXi: vNetwork.reject-forged-transmit
Control description
Ensure that the Forged Transmits policy is set to Reject.
Risk and vulnerability
If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network.
Forged Transmits is set to Accept by default. This means the virtual switch does not compare the source and effective MAC addresses.
To protect against MAC address impersonation, all virtual switches should have Forged Transmits set to Reject. Reject Forged Transmits can be set at the vSwitch and/or the port group level. You can override switch-level settings at the port group level.
Dell EMC security standard
Ensure that the Forged Transmits policy is set to Reject.
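Because both the MAC Address Changes and Forged Transmits policies can be set at the vSwitch level and overridden per port group, an audit has to resolve the effective policy for each port group rather than read the switch setting alone, and it has to carry the approved exceptions (such as a port group serving Microsoft Clustering) that the two controls above allow. The following Python is an added example, not code from this guide or from VMware; the switch, port group names and policy values are constructed.

```python
"""Resolve effective vSwitch security policy per port group (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set

REJECT = "Reject"
ACCEPT = "Accept"


@dataclass
class SwitchPolicy:
    """Security policy as set at the vSwitch level."""
    mac_changes: str
    forged_transmits: str


@dataclass
class PortGroup:
    """None means the port group inherits the vSwitch setting; a value overrides it."""
    name: str
    mac_changes: Optional[str] = None
    forged_transmits: Optional[str] = None


def effective_policy(switch: SwitchPolicy, pg: PortGroup) -> SwitchPolicy:
    """Port-group overrides win over the switch-level setting."""
    return SwitchPolicy(
        mac_changes=switch.mac_changes if pg.mac_changes is None else pg.mac_changes,
        forged_transmits=(switch.forged_transmits if pg.forged_transmits is None
                          else pg.forged_transmits),
    )


def audit_port_groups(switch: SwitchPolicy, groups: List[PortGroup],
                      exceptions: Set[str] = frozenset()) -> List[str]:
    """Flag every port group whose effective policy is not Reject, unless it is an approved exception."""
    findings = []
    for pg in groups:
        if pg.name in exceptions:
            continue  # approved out of band, e.g. a shared-MAC clustering port group
        eff = effective_policy(switch, pg)
        if eff.mac_changes != REJECT:
            findings.append(f"{pg.name}: MAC Address Changes is {eff.mac_changes}, expected Reject")
        if eff.forged_transmits != REJECT:
            findings.append(f"{pg.name}: Forged Transmits is {eff.forged_transmits}, expected Reject")
    return findings


# Constructed sample: the switch rejects MAC changes but still carries the
# Forged Transmits default (Accept); two port groups override it.
SWITCH = SwitchPolicy(mac_changes=REJECT, forged_transmits=ACCEPT)
GROUPS = [
    PortGroup("Management Network"),                  # inherits everything from the switch
    PortGroup("vMotion", forged_transmits=REJECT),    # corrects the switch default locally
    PortGroup("MSCS-Cluster", mac_changes=ACCEPT),    # needs a shared MAC; approved exception
]


def sample_audit(with_exceptions: bool = True) -> List[str]:
    exceptions = {"MSCS-Cluster"} if with_exceptions else set()
    return audit_port_groups(SWITCH, GROUPS, exceptions)


if __name__ == "__main__":
    for line in sample_audit():
        print(line)
```

Keeping the exception list explicit and reviewed is the point: a port group that silently inherits Accept from the switch is the case that a switch-level check alone would miss.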
VMware ESXi: ESXi.disable-mob
Control description
Disable Managed Object Browser (MOB).
Risk and vulnerability
The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host. It also enables configurations to be changed. This interface is meant to be used primarily for debugging the VMware vSphere SDK. In vSphere 6.0 this is disabled by default.
Dell EMC security standard
Ensure MOB is disabled.
VMware ESXi: ESXi.firewall-enabled
Control description
Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host.
Risk and vulnerability
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Dell EMC security standard
Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.
VMware ESXi: ESXi.firewall-enabled
Control description
Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall exception is enabled for the SSH client.
Risk and vulnerability
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Dell EMC security standard
Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.
VMware ESXi: ESXi.firewall-enabled
Control description
Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall exception is enabled for the NTP client.
Risk and vulnerability
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Dell EMC security standard
Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.
VMware ESXi: ESXi.firewall-enabled
Control description
Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall exception is enabled for syslog.
Risk and vulnerability
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Dell EMC security standard
Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.
VMware ESXi: ESXi.firewall-enabled
Control description
Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall exception is enabled for netdump.
Risk and vulnerability
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Dell EMC security standard
Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.
VMware ESXi: ESXi.DefaultPasswords.modify
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.
Dell EMC security standard
Ensure that passwords are rotated for built-in accounts.
VMware ESXi: ESXI.ShellTimeout.config
Control description
Configure session timeout to 15 minutes for the Unisphere console.
Risk and vulnerability
Establishing a timeout policy for idle sessions mitigates the risk of an unauthorized user performing unauthorized tasks on a host.
Dell EMC security standard
Ensure that idle ESXi Shell and Secure Shell (SSH) session timeouts are set to 15 minutes.
VMware ESXi: ESXI.CommandShell.disable
Control description
Disable ESXi Shell unless needed for diagnostics or troubleshooting.
Risk and vulnerability
The ESXi Shell bypasses VMware vCenter role-based access control (RBAC) and audit controls. Disabling this feature allows for a centralized audit system controlled by vCenter. Only enable this feature to troubleshoot or resolve problems that cannot be fixed through the VMware vSphere Client or vCLI.
Dell EMC security standard
Ensure that ESXi Shell is disabled unless needed for diagnostics or troubleshooting.
VMware ESXi: ESXi.SNMP.CommunityString
Control description
Define strong, non-trivial community strings where Simple Network Management Protocol (SNMP) is required.
Risk and vulnerability
By not changing the default community string, attackers can easily discover and potentially exploit or compromise the devices.
Dell EMC security standard
Ensure that the SNMP community strings are changed from the default to a non-trivial, customer-provided value.
VMware ESXi: ESXi.UnusedServices.disable
Control description
VMware vSphere ESXi is based on a hardened hypervisor operating system that is designed with a minimum attack surface. However, the ESXi configuration should be reviewed to ensure that only required services are enabled in order to further reduce attack surface.
Risk and vulnerability
Unused services might provide system information or other functions that can be exploited to attempt to gain access to the system. Services that are not required should be disabled. For example, if Simple Network Management Protocol (SNMP) is not used in the environment, it should be disabled.
Dell EMC security standard
Ensure that unused services are disabled.
VMware ESXi: ESXI.Auto-Password-Change-Policy.configure
Control description
A timer controls how often the vpxuser password must be changed.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.
Dell EMC security standard
Ensure that vpxuser auto-password change is set to be changed automatically by VMware vCenter every 30 days.
VMware ESXi: ESXi.Password.Complexity
Control description
Ensure that passwords meet complexity requirements.
Risk and vulnerability
To mitigate the risk of unauthorized access, it is important to use passwords that are not easily guessed and that are difficult for password-cracking tools to determine. Starting with vSphere 6.0, user passwords must meet the following requirements:
• Must contain characters from at least three character classes
• Passwords containing characters from three character classes must be at least seven characters long
• Passwords containing characters from all four character classes must be at least seven characters long
• Cannot contain a dictionary word or part of a dictionary word
Dell EMC security standard
Ensure that passwords meet complexity requirements.
VMware vCenter Single Sign On (SSO)
VMware SSO: SSO.verify-SSO-Password-policy
Control description
Sample password policy:
• Minimum password length of eight characters
• Minimum of three characters that were not in the previous password
• Maximum of three attempts to define a new password of acceptable value before the command fails
• Minimum of one numeral in the new password
• Configure default password expiration period for 90 days
Risk and vulnerability
To mitigate the risk of gaining unauthorized access, it is important to use passwords that are not easily guessed and that are difficult for password brute-force tools to determine.
Dell EMC security standard
Ensure that a complex password policy is set for administrative accounts, particularly for administrator@vsphere.local or accounts that are members of the Administrators group in vCenter.
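The ESXi 6.0 complexity rules and the SSO sample policy above are both simple enough to encode as pre-checks that an administrator can run before submitting a new credential, which makes it easier to verify that the customer-provided policy actually matches this baseline. The following Python is an added example, not code from this guide or from VMware; the dictionary word list is a constructed stand-in for the real one, and "three characters that were not in the previous password" is read here as three positions whose character does not occur anywhere in the previous password, which is an assumption.

```python
"""Check candidate passwords against the ESXi 6.0 complexity rules and the
SSO sample policy quoted above (added example)."""
import string
from datetime import date, timedelta

# Constructed stand-in for the dictionary ESXi checks against (assumption).
DICTIONARY = {"password", "vmware", "admin", "summer", "welcome"}


def char_classes(pw: str) -> int:
    """Count the character classes present: lower, upper, digit, special."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def esxi_complexity_violations(pw: str) -> list:
    """ESXi 6.0 rules as listed in the control: >=3 classes, >=7 chars, no dictionary word."""
    v = []
    if char_classes(pw) < 3:
        v.append("fewer than three character classes")
    if len(pw) < 7:  # the seven-character minimum applies to both three and four classes
        v.append("shorter than seven characters")
    low = pw.lower()
    if any(word in low for word in DICTIONARY):  # "part of a dictionary word" -> substring match
        v.append("contains a dictionary word")
    return v


def sso_policy_violations(pw: str, previous: str = "") -> list:
    """SSO sample policy: >=8 chars, >=1 numeral, >=3 characters not in the previous password."""
    v = []
    if len(pw) < 8:
        v.append("shorter than eight characters")
    if not any(c.isdigit() for c in pw):
        v.append("no numeral")
    # Assumed reading: count positions whose character never occurs in the old password.
    if previous and sum(1 for c in pw if c not in previous) < 3:
        v.append("fewer than three characters differ from the previous password")
    return v


def sso_password_expired(set_on_iso: str, today_iso: str, max_age_days: int = 90) -> bool:
    """Default expiration period of 90 days: expired once more than max_age_days have passed."""
    set_on = date.fromisoformat(set_on_iso)
    today = date.fromisoformat(today_iso)
    return today - set_on > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&x", "Summer2018!", "abc123"):
        print(candidate, esxi_complexity_violations(candidate) or "ok")
    print(sso_policy_violations("Wint3r-Sky!9", previous="Wint3r-Sky!8"))
    print(sso_password_expired("2018-01-01", "2018-04-02"))
```

The check is deliberately a pre-check only: the authoritative enforcement stays in ESXi and the SSO password policy, and a local validator that disagrees with them is a sign that the configured policy has drifted from the baseline.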
VMware vSphere Update Manager
VMware vSphere Update Manager: VUM.audit-vum-login
Control description
Ensure VMware vSphere Update Manager administrator account passwords are changed from system build defaults.
Risk and vulnerability
Once someone logs on to vSphere Update Manager, it becomes more difficult to restrict what they can do. In general, logon to the Update Manager system should be limited to very privileged administrators, and then only for the purpose of administering vSphere Update Manager or the host operating system. Anyone logged on to the Update Manager can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes.
To run and use Update Manager, you must use a local system account for the machine on which Update Manager is installed. (Refer to http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.update_manager.doc/GUID-3632A492-0462-47CF-BC70C636544F800D.html.)
Note that in VUM 6.0 U1, the plugin for the Web Client is automatically installed and all functionality for VUM is available. http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-update-manager-60u1-release-notes.html
Dell EMC security standard
Ensure that the administrator account password for vSphere Update Manager is changed to a unique, sufficiently complex value.
VMware vSphere Update Manager: VUM.NTP.config
Control description
Ensure VMware vSphere Update Manager system components are configured to synchronize with a trusted Network Time Protocol (NTP) time source.
Risk and vulnerability
Ensuring that all systems use the same relative time source (including the relevant localization offset) and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC) makes it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate. Incorrect time settings can also introduce logon issues and certificate issues with the Platform Services Controller, as all components rely on coordinated time.
Native time synchronization software, such as NTP, is typically more accurate than VMware Tools periodic time synchronization and is therefore preferred.
Dell EMC security standard
Ensure that a trusted NTP time source is configured using a customer-provided NTP source.
VMware vCenter Server Appliance (VCSA)
VMware Virtual Center Server Appliance: VCSA.DefaultPasswords.modify
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial
system build. Such accounts and passwords might be used to compromise the production
system. For VMware vCenter Server Appliance (VCSA), two accounts in particular to audit
are the root account of the virtual appliance (based on a hardened SUSE Linux OS) and the
vCenter SSO administrator account administrator@vsphere.local (or other accounts in the
Administrator group).
The vCenter Server Appliance (VCSA) 6.0 releases enforce local account password
expiration after 90 days by default. This policy locks out the root account when the
password expiration date is reached. For more information, see
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2069041
Dell EMC security standard
Ensure that passwords are rotated for built-in accounts.
VMware Virtual Center Server Appliance: VCSA.SNMP.CommunityString
Control description
Define strong, non-trivial community strings where Simple Network Management Protocol
(SNMP) is required.
Risk and vulnerability
By not changing the default community string, attackers can easily discover and potentially
exploit or compromise the devices.
Dell EMC security standard
Ensure that the default community strings are changed from Public and Private to
unique, non-trivial values.
VMware Virtual Center Server Appliance: VCSA.Logging.config
Control description
Log all successful interactive device management access using centralized syslog.
Risk and vulnerability
Logging all successful interactive device management access enables the correlation of
events to be viewed when a device is accessed by a host. Not having this in place can
negatively impact log review or correlation of events.
Dell EMC security standard
Ensure a customer-defined remote syslog server is set. In the absence of a customer-defined
remote syslog server, Dell EMC sets the Vision™ Intelligent Operations appliance to collect
syslog messages.
VMware Virtual Center Server Appliance: VCSA.NTP.Config
Control description
Network Time Protocol (NTP) is used to synchronize time updates from a centralized
source to systems on a network. Setting all Converged System components to the same
time source ensures system stability and accuracy of log timestamps.
Risk and vulnerability
By not using a centralized, consistent time source, event detection and audits are difficult
and may be inaccurate.
Dell EMC security standard
NTP is used to synchronize time updates from a centralized source to systems on a
network. Setting all Converged System components to the same time source ensures
system stability and accuracy of log timestamps.
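The logging and NTP controls above (VCSA.Logging.config, VCSA.NTP.Config, and the ESXi NTP risk description at the start of this section) argue that centrally collected logs are only useful for correlation when every component's clock is trustworthy and every timestamp can be reduced to one standard. The following Python script is an added example, not Dell EMC or VMware code: it parses a handful of constructed, RFC 5424-style syslog lines as a central collector would receive them, normalizes each device timestamp to UTC regardless of the local offset the component reports, builds a timeline of successful interactive management logons, and flags any host whose own timestamp disagrees with the collector's receive time by more than a tolerance. The message patterns, host names and addresses are constructed for the sample and would be extended to match the real log formats of your components.

```python
"""Correlate management-access syslog lines from several components on one UTC
timeline and flag hosts whose clock disagrees with the collector's receive time.
Added example for this guide; not Dell EMC or VMware code."""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample: (collector receive time, RFC 5424-style line as forwarded
# by the component). Hosts report different local offsets; pdu-01's clock is wrong.
SAMPLE_RECORDS = [
    ("2018-02-12T10:00:05+00:00",
     "<86>1 2018-02-12T11:00:04+01:00 esxi-01 sshd - - - Accepted publickey for root from 10.1.1.5 port 51234 ssh2"),
    ("2018-02-12T10:00:09+00:00",
     "<86>1 2018-02-12T05:00:08-05:00 vcsa-01 vpxd - - - User administrator@vsphere.local logged in as vSphere Web Client"),
    ("2018-02-12T10:00:20+00:00",
     "<86>1 2018-02-12T09:43:20+00:00 pdu-01 login - - - User admin login successful from 10.1.1.5"),
    ("2018-02-12T10:01:00+00:00",
     "<86>1 2018-02-12T11:00:59+01:00 esxi-01 sshd - - - Failed password for root from 10.1.1.77 port 40001 ssh2"),
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$")

# Message shapes that indicate a *successful* interactive management logon
# (constructed to match the sample lines; extend for your components' formats).
SUCCESS_PATTERNS = [re.compile(p) for p in (
    r"^Accepted \S+ for \S+ from \S+",
    r"^User \S+ logged in",
    r"^User \S+ login successful",
)]


def parse_record(received, line):
    """Parse one forwarded line; both timestamps are normalised to UTC so that
    hosts reporting in different local offsets line up on one timeline."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("unrecognised syslog line: %r" % line)
    ts_utc = datetime.fromisoformat(m.group("ts")).astimezone(timezone.utc)
    received_utc = datetime.fromisoformat(received).astimezone(timezone.utc)
    msg = m.group("msg")
    return {
        "host": m.group("host"),
        "app": m.group("app"),
        "ts_utc": ts_utc,
        "received_utc": received_utc,
        # positive: device clock behind the collector; negative: device clock ahead
        "skew_seconds": int((received_utc - ts_utc).total_seconds()),
        "success_login": any(p.search(msg) for p in SUCCESS_PATTERNS),
        "msg": msg,
    }


def build_timeline(records):
    """Successful interactive logons ordered by the device's own (UTC) timestamp."""
    events = [parse_record(received, line) for received, line in records]
    logons = [e for e in events if e["success_login"]]
    logons.sort(key=lambda e: e["ts_utc"])
    return [{"ts_utc": e["ts_utc"].isoformat(), "host": e["host"], "msg": e["msg"]}
            for e in logons]


def skewed_hosts(records, tolerance=timedelta(seconds=30)):
    """Hosts whose timestamps differ from the collector's receive time by more
    than `tolerance`. A misordered timeline is the symptom; an unsynchronised
    or missing NTP source is the usual cause."""
    worst = {}
    for received, line in records:
        e = parse_record(received, line)
        worst[e["host"]] = max(worst.get(e["host"], 0), abs(e["skew_seconds"]))
    return {h: s for h, s in sorted(worst.items()) if s > tolerance.total_seconds()}


if __name__ == "__main__":
    for ev in build_timeline(SAMPLE_RECORDS):
        print(ev["ts_utc"], ev["host"], ev["msg"])
    for host, secs in skewed_hosts(SAMPLE_RECORDS).items():
        print("clock skew on %s: %d s" % (host, secs))
```

Run as written, the timeline places the pdu-01 logon seventeen minutes before the ESXi and VCSA logons that the collector actually received earlier, and the skew report names pdu-01: exactly the misleading picture an investigator gets when one component is not on the common NTP source.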
VMware Virtual Center Server Appliance: VCSA.Unused-Services.Disable
Control description
Simple Network Management Protocol (SNMP) is used for managing devices on an IP
network. SNMP can be used to only read information as well as set (write) information.
Risk and vulnerability
If SNMP is not used in the environment, it cannot be exploited.
Dell EMC security standard
SNMP is used for managing devices on an IP network. SNMP can be used to only read
information as well as set (write) information.
VMware vNetwork
VMware vNetwork: vNetwork.Forged-MAC-address.policy
Control description
By default, forged transmissions are accepted on standard virtual switches and rejected on
distributed virtual switches. When accepted, the virtual switch does not compare source
and effective MAC addresses. This allows frames with different source and effective MAC
addresses to be transmitted.
Risk and vulnerability
Effective MAC addresses might be changed to impersonate other network devices.
Dell EMC security standard
Set to Reject.
VMware vNetwork: vNetwork.PromiscuousMode.config
Control description
When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to
the dvPortgroup have the potential to read all packets across that network. By default,
promiscuous mode is set to Reject on standard virtual switches and distributed virtual
switches.
Risk and vulnerability
Any user logged in to a virtual machine connected to the same dvPort can potentially view
traffic destined for other guest or host operating systems.
Dell EMC security standard
Set to Reject.
VMware vNetwork: vNetwork.Mgt-Segmentation.config
Control description
Management interfaces provide access to the VMware vSphere components. Access to
these interfaces is not required for normal users to use virtual machines.
Risk and vulnerability
VMware management interfaces might be attacked and exploited if connected to
non-controlled networks. This can be mitigated by ensuring management traffic is on a
restricted network.
Dell EMC security standard
Management interfaces provide access to the vSphere components. Access to these
interfaces is not required for normal users to use virtual machines.
VMware vNetwork: vNetwork-Management Network-Access Control.config
Control description
Strictly control access to the management network, limiting it to specific hosts.
Risk and vulnerability
The management network is necessary for administration and support purposes and needs
to be secured on par with the most secure virtual machine running on a host or cluster.
Dell EMC security standard
Strictly control access to the management network, limiting it to specific hosts.
VMware vNetwork: vNetwork-Network configuration.verify
Control description
Ensure that all virtual switch VLANs are fully documented and that trunks carry only the
required VLANs.
Risk and vulnerability
Use best practices to restrict the VLANs on the VLAN trunk link to only the required VLANs
and document them accordingly. Unneeded VLANs might enable an administrator to either
accidentally or maliciously connect a virtual machine to an unauthorized VLAN.
Dell EMC security standard
Ensure that all virtual switch VLANs are fully documented and that trunks carry only the
required VLANs.
VMware vNetwork: vNetwork.Reject.MAC-address-changes.Config
Control description
Each virtual network adapter has an effective MAC address that filters out incoming
network traffic with a destination address different from the effective address. By default,
requests to change the effective MAC address are set to Accept, and MAC address
changes are set to Accept on standard virtual switches and Reject on distributed
virtual switches.
Risk and vulnerability
By changing the effective MAC address, the virtual network adapter can pass frames with
an impersonated source MAC address and perform network-based attacks by
impersonating an authorized network adapter.
Dell EMC security standard
Set to Reject.
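The four vNetwork controls above (Forged-MAC-address.policy, PromiscuousMode.config, Reject.MAC-address-changes.Config and Network configuration.verify) each reduce to a checkable setting: the three security policies must be Reject, and a trunk may carry only the VLANs that are documented as required. The Python audit below is an added example for this guide, not VMware or Dell EMC code. It works over a constructed inventory of port groups; the policy keys mirror the vSphere API security-policy property names (allowPromiscuous, macChanges, forgedTransmits), but in a real audit the records would be exported from vCenter (pyVmomi or PowerCLI) rather than written by hand. The documented VLAN set and all port group names are assumptions for the sample. The check goes beyond the text in one way: a policy that was not exported at all is reported rather than passed, because the standard vSwitch default is Accept.

```python
"""Audit virtual switch / distributed port group security policies and trunk
VLAN lists against the vNetwork controls above. Added example for this guide;
not VMware or Dell EMC code. Records are constructed here; a real audit would
export them from vCenter (pyVmomi or PowerCLI)."""

# Baseline from the controls above: all three policies set to Reject (False).
BASELINE_POLICY = {"forgedTransmits": False, "macChanges": False, "allowPromiscuous": False}

# VLANs documented as required on trunk links (constructed for the sample).
DOCUMENTED_VLANS = {100, 101, 200, 300}

# Constructed inventory. Policy keys mirror the vSphere API security-policy
# property names; "vlan_ranges" lists inclusive (start, end) pairs.
SAMPLE_PORTGROUPS = [
    {"name": "dvpg-mgmt", "switch": "dvs-01", "vlan_ranges": [(100, 100)],
     "policy": {"allowPromiscuous": False, "macChanges": False, "forgedTransmits": False}},
    {"name": "dvpg-vmotion", "switch": "dvs-01", "vlan_ranges": [(101, 101)],
     "policy": {"allowPromiscuous": False, "macChanges": False, "forgedTransmits": True}},
    {"name": "dvpg-uplink-trunk", "switch": "dvs-01", "vlan_ranges": [(1, 4094)],
     "policy": {"allowPromiscuous": False, "macChanges": False, "forgedTransmits": False}},
    {"name": "vSwitch0-vm", "switch": "vSwitch0", "vlan_ranges": [(200, 200)],
     "policy": {"allowPromiscuous": True, "forgedTransmits": True}},  # macChanges not exported
]


def compress_ranges(vlans):
    """Render a set of VLAN IDs as '1-99,102-199,...' for a readable finding."""
    out, start, prev = [], None, None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            out.append("%d-%d" % (start, prev) if start != prev else str(start))
            start = prev = v
    if start is not None:
        out.append("%d-%d" % (start, prev) if start != prev else str(start))
    return ",".join(out)


def audit_policy(pg):
    """Findings for any security policy that is not Reject. A missing key is
    reported too: the standard vSwitch default is Accept, so absence is not safe."""
    findings = []
    for key, expected in BASELINE_POLICY.items():
        value = pg["policy"].get(key)
        if value is None:
            findings.append("%s not exported; standard vSwitch default is Accept, verify" % key)
        elif value != expected:
            findings.append("%s is Accept; baseline is Reject" % key)
    return findings


def audit_vlans(pg, documented):
    """Finding if a port group carries VLANs that are not documented as required."""
    carried = set()
    for start, end in pg["vlan_ranges"]:
        carried.update(range(start, end + 1))
    extra = carried - documented
    if not extra:
        return []
    return ["carries %d undocumented VLAN(s): %s" % (len(extra), compress_ranges(extra))]


def audit_inventory(portgroups, documented=DOCUMENTED_VLANS):
    """Map each non-compliant port group to its list of findings."""
    report = {}
    for pg in portgroups:
        findings = audit_policy(pg) + audit_vlans(pg, documented)
        if findings:
            report[pg["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_PORTGROUPS).items():
        for finding in findings:
            print("%s: %s" % (name, finding))
```

On the sample, dvpg-mgmt is clean, dvpg-vmotion fails on forged transmits, the 1-4094 uplink trunk is reported with the undocumented ranges spelled out, and the standard vSwitch port group collects three findings, one of them for the policy that was never exported.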
VMware vSphere Distributed Switch and DVS networking
VMware vSphere vSwitch and DVS networking: vNetwork.isolate-mgmt-network-vlan
Control description
Ensure that VMware vSphere management traffic is on a restricted network.
Risk and vulnerability
The VMware vSphere management network provides access to the vSphere management
interface on each component. Services running on the management interface provide an
opportunity for an attacker to gain privileged access to the systems. Any remote attack
most likely would begin with gaining entry to this network.
Dell EMC security standard
Ensure that management interfaces and traffic are restricted to controlled, management-specific networks.
VMware vSphere vSwitch and DVS networking: vNetwork.isolate-vmotion-network-vlan
Control description
Ensure that VMware vMotion traffic is isolated.
Risk and vulnerability
VMware vMotion migrations transmit information in plain text that can be viewed by anyone
with access to the network over which this information flows. Potential attackers might
intercept vMotion traffic to obtain memory contents of a virtual machine. They might also
potentially stage a man-in-the-middle attack in which the contents are modified during
migration. Ensure that vMotion traffic is separate from production traffic on an isolated
network. This network should be non-routable (no layer-3 router spanning this and other
networks), which prevents any outside access to the network.
Dell EMC security standard
Ensure that VMware vMotion traffic is isolated and restricted to prevent exposure and
compromise.
VMware vSphere vSwitch and DVS networking: vNetwork.isolate-storage-network-vlan
Control description
Ensure IP-based storage traffic is isolated.
Risk and vulnerability
Virtual machines might share virtual switches and VLANs with the IP-based storage
configurations. IP-based storage includes iSCSI and NFS. This type of configuration might
expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage
frequently is not encrypted. It can be viewed by anyone with access to this network. To
restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage
network should be logically separated from the production traffic. Configuring the IP-based
storage adapters on separate VLANs or network segments from the VMkernel
management and service console network limits unauthorized users from viewing the
traffic.
Dell EMC security standard
Ensure that IP-based storage traffic is isolated and restricted to prevent exposure and
compromise.
VMware vSphere Web Client
VMware vSphere Web Client: vCenter.web-client-timeout
Control description
Ensure the VMware vSphere Web Client session setting is modified to terminate idle Web
sessions that have been inactive for 15 minutes.
Risk and vulnerability
By configuring session timeouts to 15 minutes, administrator sessions are terminated if idle
and are disconnected, thus reducing the risk of unauthorized access to the vSphere Web
Client and its managed resources.
Dell EMC security standard
Ensure the vSphere Web Client session setting is set to terminate idle Web sessions that have
been inactive for 15 minutes.
Management layer security baseline
VxRack Controller nodes
VxRack Controller - Default Passwords Change
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial
system build. Such accounts and passwords might be used to compromise the production
system.
Dell EMC security standard
Ensure that passwords are rotated for the built-in account administrator.
VxRack Controller - Disable Telnet
Control description
Disable Telnet.
Risk and vulnerability
Telnet is not a secure protocol, as it transmits data in clear text.
Dell EMC security standard
Ensure that Telnet is disabled. This is configured using the Dell iDRAC Web Console.
In the iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for Telnet,
and click Apply.
VxRack Controller - Disable SSH
Control description
Disable SSH.
Risk and vulnerability
Removing any unnecessary services, protocols and scripts reduces the attack vectors a
potential hacker would exploit to gain access to sensitive information.
Dell EMC security standard
Ensure SSH is disabled. This is configured using the Dell iDRAC Web Console.
In the iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for SSH, and
click Apply.
VxRack Controller - Disable IPMI over LAN
Control description
Disable IPMI over LAN.
Risk and vulnerability
IPMI v2.0 has multiple high-severity vulnerabilities, and currently there are no patches to fix
them. A potential attacker could exploit these vulnerabilities remotely to obtain the hashed
password for the root user, and use an offline password cracking tool to discover the password.
Dell EMC security standard
Ensure IPMI over LAN is disabled if IPMI is not needed by any management components.
This is configured using the Dell iDRAC Web Console.
In the iDRAC UI, under iDRAC settings > Network > IPMI Settings, uncheck the box titled
Enable IPMI Over LAN, and click Apply.
VxRack Controller - Server access using HTTPS
Control description
To remotely access the Dell server, use secure communication:
• HTTPS (TCP port 443)
Risk and vulnerability
For any activity conducted remotely, the use of secure protocols adds layers of protection to
the transmission of data for those sessions.
Dell EMC security standard
HTTPS is enabled by default and TLS 1.2 Only is selected by default.
In the iDRAC UI, under iDRAC settings > Network > Services, verify that HTTPS is
enabled and that TLS 1.2 Only is selected.
VxRack Controller - Strong community strings
Control description
Define strong, non-trivial community strings where SNMP is required.
Risk and vulnerability
By not changing the default community string, attackers can more easily discover and
potentially exploit or compromise the devices.
Dell EMC security standard
Ensure that the read-only community string is changed from "Public."
In the iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, define a new
SNMP Community Name, and click Apply.
VxRack Controller - Use SNMP V3
Control description
Use SNMP v3.
Risk and vulnerability
SNMP v3 improves security by introducing encryption, integrity checks, and an improved user
authentication model.
Dell EMC security standard
Make sure SNMP v3 is selected.
In the iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, check SNMP
v3, and click Apply.
VxRack Controller - Disable VNC
Control description
Disable VNC.
Risk and vulnerability
Disable VNC to reduce the attack surface.
Dell EMC security standard
Make sure VNC is unchecked in the iDRAC web UI.
In the iDRAC UI, under iDRAC settings > Network > Services > VNC Server, uncheck the
box for Enable VNC Server, and click Apply.
VxRack Controller - Disable XML
Control description
Disable XML configuration file import directly from the USB port.
Risk and vulnerability
The USB port allows iDRAC management access from a laptop or tablet connected to the
USB port, or applying an XML configuration file directly to the server. An attacker could
potentially upload an arbitrary configuration file to the server.
Dell EMC security standard
In the iDRAC UI, under iDRAC settings > Hardware > USB Management Port, set iDRAC
Managed: USB XML Configuration to Disabled.
VxRack Controller - Configure syslogs
Control description
Centralization of logs increases administration and security investigation capabilities. By
configuring hosts to use a central logging server, aggregate analysis and searches become
possible and provide visibility into events impacting multiple hosts.
Risk and vulnerability
Operational or security-related alerts and events may be missed when logs are not centrally
managed.
Dell EMC security standard
Under iDRAC UI > Logs > Settings, check Remote Syslog Settings, and define up to
three syslog server IP addresses.
VxRack Controller - Configure NTP
Control description
Network Time Protocol (NTP) is used to synchronize time updates from a centralized source
to systems on a network. Setting all Vblock System components to the same time source
ensures system stability and accuracy of log timestamps.
Risk and vulnerability
By not using a centralized, consistent time source, event detection and audits are difficult
and may be inaccurate.
Dell EMC security standard
In the iDRAC UI, under iDRAC Settings > Settings, check the Enable Network Time Protocol
(NTP) box, define up to three NTP server IP addresses, and click Apply.
VxRack Controller - Disable USB ports
Control description
The built-in USB ports should be used on an "as needed" basis.
Risk and vulnerability
An attacker could use a USB port to introduce malware to the server.
Dell EMC security standard
In BIOS Settings > System BIOS Settings > Integrated Devices, set Internal USB Port to
Off.
VxRack Controller - Disable remote RACADM
Control description
RACADM provides CLI scripting capability to control and configure the servers. Remote
RACADM allows the RACADM tool running on a workstation to remotely execute
commands against the server's iDRAC interface. It uses SSL for communications between
the workstation and the iDRAC interface.
Risk and vulnerability
If this feature is not required, disable remote RACADM to reduce the attack surface and
prevent an attacker from remotely issuing commands against the server, such as power
operations or configuration changes.
Dell EMC security standard
This feature is enabled by default. Make sure it is disabled.
In the iDRAC UI, under Network > Services, uncheck Remote RACADM and click
Apply.
VxRack Controller - Disable iDRAC over SOL SEC302014.1
Control description
iDRAC can be accessed through SOL (Serial-over-LAN). This allows remote access to the
server over SSH, connection to the server serial ports (COM1 or COM2, depending on the
BIOS setting), and running iDRAC commands.
Risk and vulnerability
Disable iDRAC over SOL to reduce the attack surface and prevent an attacker from remotely
issuing commands against the server, such as power operations or configuration changes.
Dell EMC security standard
To disable, in the iDRAC UI, under Network > Serial Over LAN, uncheck Enable Serial Over
LAN and click Apply.
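The VxRack Controller controls above are all settings of one management controller, which makes them a natural candidate for a repeatable compliance check rather than a click-through of the iDRAC UI on every node. The Python script below is an added example for this guide, not Dell code. It parses a constructed settings dump written in an INI-like "[Group]" / "Attribute=Value" form and reports every deviation from the baseline: Telnet, SSH, IPMI over LAN, VNC, remote RACADM and Serial over LAN must be disabled, HTTPS must be TLS 1.2 Only, the SNMP agent must be SNMPv3 with a non-default community string, at least one remote syslog server must be set, and NTP must be enabled. The Group.Attribute names used (for example iDRAC.IPMILan.Enable, iDRAC.WebServer.TLSProtocol) are assumed to follow iDRAC's RACADM attribute naming and should be verified against the RACADM reference for the iDRAC version in use; the real racadm output format also differs by version, so parse_dump() is the part to adapt. Beyond the text, the check reports an attribute that is absent from the dump instead of silently passing it.

```python
"""Check an iDRAC settings dump against the VxRack Controller node baseline in
this section. Added example for this guide, not Dell code. The dump is
constructed in an INI-like "[Group]" / "Attribute=Value" form; real racadm
output differs by iDRAC version, so adapt parse_dump(). The Group.Attribute
names are assumed iDRAC RACADM attribute names: verify them against the
RACADM reference for the iDRAC in use."""

# Constructed sample dump of a node that violates several controls.
SAMPLE_DUMP = """\
[iDRAC.Telnet]
Enable=Disabled
[iDRAC.SSH]
Enable=Enabled
[iDRAC.IPMILan]
Enable=Enabled
[iDRAC.VNCServer]
Enable=Disabled
[iDRAC.Racadm]
Enable=Enabled
[iDRAC.IPMISOL]
Enable=Disabled
[iDRAC.WebServer]
TLSProtocol=TLS 1.2 Only
[iDRAC.SNMP]
AgentCommunity=public
SNMPProtocol=All
[iDRAC.SysLog]
Server1=
Server2=
Server3=
[iDRAC.NTPConfigGroup]
NTPEnable=Disabled
"""

# (group, attribute, acceptable values, what the control requires)
EXACT_RULES = [
    ("iDRAC.Telnet", "Enable", {"Disabled"}, "Telnet must be disabled"),
    ("iDRAC.SSH", "Enable", {"Disabled"}, "SSH must be disabled"),
    ("iDRAC.IPMILan", "Enable", {"Disabled"}, "IPMI over LAN must be disabled"),
    ("iDRAC.VNCServer", "Enable", {"Disabled"}, "VNC server must be disabled"),
    ("iDRAC.Racadm", "Enable", {"Disabled"}, "remote RACADM must be disabled"),
    ("iDRAC.IPMISOL", "Enable", {"Disabled"}, "Serial over LAN must be disabled"),
    ("iDRAC.WebServer", "TLSProtocol", {"TLS 1.2 Only"}, "HTTPS must be TLS 1.2 Only"),
    ("iDRAC.SNMP", "SNMPProtocol", {"SNMPv3"}, "SNMP agent must be SNMPv3"),
    ("iDRAC.NTPConfigGroup", "NTPEnable", {"Enabled"}, "NTP must be enabled"),
]
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_dump(text):
    """Parse '[Group]' headers and 'Attribute=Value' lines into {Group: {Attribute: Value}}."""
    settings, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            settings.setdefault(group, {})
        elif "=" in line and group is not None:
            key, _, value = line.partition("=")
            settings[group][key.strip()] = value.strip()
    return settings


def audit_idrac(settings):
    """Return {'Group.Attribute': problem} for every deviation from the baseline.
    An attribute missing from the dump is reported rather than silently passed."""
    findings = {}
    for group, attr, allowed, why in EXACT_RULES:
        path = "%s.%s" % (group, attr)
        value = settings.get(group, {}).get(attr)
        if value is None:
            findings[path] = "not present in dump; verify manually (%s)" % why
        elif value not in allowed:
            findings[path] = "is '%s'; %s" % (value, why)
    # SNMP read-only community string: must not be a vendor default or empty
    community = settings.get("iDRAC.SNMP", {}).get("AgentCommunity", "")
    if not community or community.lower() in DEFAULT_COMMUNITIES:
        findings["iDRAC.SNMP.AgentCommunity"] = "is a default or empty community string; set a non-trivial value"
    # Remote syslog: at least one of the up to three servers must be configured
    syslog = settings.get("iDRAC.SysLog", {})
    if not any(syslog.get("Server%d" % i) for i in (1, 2, 3)):
        findings["iDRAC.SysLog.Server1-3"] = "no remote syslog server configured"
    return findings


if __name__ == "__main__":
    for path, problem in sorted(audit_idrac(parse_dump(SAMPLE_DUMP)).items()):
        print("%-32s %s" % (path, problem))
```

The sample dump produces seven findings (SSH, IPMI over LAN and remote RACADM enabled, SNMP not restricted to v3, the default community string, no syslog server, NTP disabled); correcting those values in the dump yields an empty report.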
System infrastructure security baseline
Panduit Power Distribution Unit (PDU)
Panduit PDU: Panduit.Passwords.Modify
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial
system build. Such accounts and passwords might be used to compromise the production
system.
Dell EMC security standard
Change the passwords for all default accounts.
Panduit PDU: Panduit.NTP.Configure
Control description
Network Time Protocol (NTP) is used to synchronize time updates from a centralized
source to systems on a network. Setting all Converged System components to the same
time source ensures system stability and accuracy of log timestamps.
Risk and vulnerability
By not using a centralized, consistent time source, event detection and audits are difficult
and may be inaccurate.
Dell EMC security standard
NTP is used to synchronize time updates from a centralized source to systems on a
network. Setting all Converged System components to the same time source ensures
system stability and accuracy of log timestamps.
Panduit PDU: Panduit.SNMPCommunityString.Configure
Control description
Define PDU traps and strong, non-trivial community strings where Simple Network
Management Protocol (SNMP) is required.
Risk and vulnerability
By not changing the default community string, attackers can easily discover and potentially
exploit or compromise the devices.
Dell EMC security standard
Define PDU traps and strong, non-trivial community strings where SNMP is required.
Panduit PDU: Panduit.Unused-Services.Disable
Control description
Simple Network Management Protocol (SNMP) is used for managing devices on an IP
network. SNMP can be used to only read information as well as set (write) information.
Risk and vulnerability
If SNMP is not used in the environment but is left enabled, it might be exploited.
Dell EMC security standard
SNMP is used for managing devices on an IP network. SNMP can be used to only read
information as well as set (write) information.
Panduit PDU: Panduit.Logging.Configure
Control description
Log all successful interactive device management access using centralized syslog.
Risk and vulnerability
Logging all successful interactive device management access enables the correlation of
events to be viewed when a device is accessed by a host. Not having this in place can
negatively impact log review or correlation of events.
Dell EMC security standard
Log all successful interactive device management access using centralized syslog.
Panduit PDU: Panduit.Administrative-Access.Configure
Control description
Use secure protocols such as HTTPS instead of HTTP.
Risk and vulnerability
Using encrypted protocols for device management prevents transmission of authentication
credentials in clear text.
Dell EMC security standard
Use secure protocols such as HTTPS instead of HTTP.
Log management
This section describes the locations for internal component log files and managing remote system log
files.
Internal component log file locations
Operating system | File path
Linux            | /opt/emc/scaleio/mdm/logs
Windows          | C:\Program Files\emc\scaleio\mdm\logs

Operating system | File path
Linux            | /opt/emc/scaleio/gateway/logs
Windows          | C:\Program Files\emc\scaleio\gateway\logs
Configuring an external syslog server for remote logging
Syslog servers are configured and managed using the following CLI commands:
• To configure the server and start remote logging:
  scli --start_remote_syslog --remote_syslog_server_ip <IP> --remote_syslog_server_port <PORT> --syslog_facility <FACILITY>
  where:
  — IP is the IP address of the remote server.
  — PORT is the port number for the remote server.
  — FACILITY is a value from 0-23 and is assigned to identify the source of a message from a
    server.
• To stop remote logging:
  scli --stop_remote_syslog --remote_syslog_server_ip <IP>
Certificate management
Communications between the Meta Data Manager (MDM) and external components (such as the IM client, CLI
client, GUI client, vSphere plug-in, and ScaleIO gateway) are encrypted using TLSv1.
Certificates for MDM and ScaleIO Data Server (SDS) are generated during installation. New certificates
can be generated using the following CLI commands:
• For MDM: generate_mdm_certificate
• For SDS: generate_certificate
Operationalizing Converged Systems
This section describes procedures for operationalizing Converged Systems.
Integrating a new Converged System into a live environment
Converged Systems represent an easy transition to converged infrastructure and virtualization. The rapid
and straightforward deployment of Converged Systems should not preclude you from applying company
standards. Consider that the Converged System is a new piece in your environment that requires many of
the same policies applied to it as your existing infrastructure. The following are some suggestions for
integrating new Converged Systems.
• Apply your existing security policies to the Converged System.
• Use the settings referenced in this document as a starting point.
• Ensure appropriate training of your technical support personnel.
• Leverage Vision Intelligent Operations for assessment and compliance of system configuration
  against Converged System benchmarks (or custom-tailored Vision software compliance
  benchmarks).
Ongoing security administration
Converged Systems ship with a default hardened configuration on all components, but these are not
intended to be a complete security solution.
Dell EMC security baselines provide a starting point from which you can build a comprehensive security
solution that can be managed as part of your existing infrastructure. Make sure the security
considerations covered in this document, such as change management, patch management, and monitoring,
are applied to your Converged System.
To assist in managing your Converged System, Dell EMC releases a new Release Certification Matrix
(RCM) each month. This document describes currently supported versions of hardware and software, and
contains information about code revisions and why they were chosen. Regularly review this document to
help keep your Converged System current.
As with any new system, ensure it is integrated into your existing security architecture.
• Integrate the Converged System into your log management system or Security Information and
  Event Management (SIEM) system.
• Ensure appropriate coverage by your intrusion detection/prevention systems.
• Ensure your security, compliance, and internal audit departments are familiar with the
  Converged System and its components and related operational processes.
  Leverage available Dell EMC documentation that details system components and
  subsequent expansions, upgrades, and extensions, as well as Vision Intelligent
  Operations compliance reporting capabilities.
• Ensure administrative and guest workloads have malware protection and are fully incorporated
  into the patch monitoring and application process, subject to the constraints of the RCM.
Operational checklist
The following list details activities to further secure your Converged System and fully integrate it into your
existing architecture. This is a starting point for securing Converged Systems; a more extensive checklist
is required for broader security strategies.
• Configure centralized Authentication, Authorization and Accounting (AAA) and use Role-Based
  Access Control (RBAC).
• Incorporate multi-factor authentication (for example, with RSA SecurID) if required by your
  security policy.
• Configure and verify log collection for all event sources in your environment. If no syslog
  preference is defined, all logs are forwarded to Vision Intelligent Operations. By centrally
  collecting all Converged System events, all logs can be easily integrated into an existing, onsite
  event management system.
• Configure and verify that Network Time Protocol (NTP) is configured properly for your environment.
  It is preferable to use authenticated NTP where possible.
• Change default, self-signed certificates on all devices to those provided by a third-party certificate
  authority.
• Disable unneeded services on network equipment and in operating systems per your current
  policies.
• Enable additional protections for networking systems per vendor recommendations.
• Apply additional VMware hardening guidelines that might apply to your specific environment.
• Deploy additional protections such as perimeter firewalls, virtual firewalls, IDS/IPS, and SIEM per
  security policy.
• Socialize the Converged System with your computer security incident response team so that the
  appropriate response plans can be updated.
• Per your security policy, run system vulnerability assessments to understand specific areas of
  concern.
• Snapshot existing system configurations in order to track configuration drift.
• Arrange disaster recovery (DR) capabilities for administrative VMs and for key supporting
  systems. Depending on the organization's risk profile, the DR plans may require a geographical
  element.
Converged System password management
This section contains instructions for modifying the default administrator and/or root accounts and
passwords for Converged System components.
Default accounts and passwords are configured by the vendor or during the initial Dell EMC
manufacturing build. Such accounts and passwords, if not changed, could be used to compromise the
system in production. Modifying the default passwords enhances customer security and facilitates
handing over credential modification from Dell EMC manufacturing to the customer.
Compute
Changing the VxRack System FLEX enclosure password
Use the iDRAC Web console to change the root password.
Procedure
1 Open a Web browser. Type: http://<ip_address_of_iDRAC>.
2 Log on as root.
3 Expand iDRAC Settings.
4 Select User Authentication.
5 Select User ID 2.
  ID 2 is the root user.
6 Enable Configure User and click Next.
7 Change the password.
  a Enable Change Password.
  b In New Password, type the new password.
  c In Confirm New Password, re-type the new password.
  d Click Apply.
Storage
ScaleIO default accounts
The following are default accounts for ScaleIO:
Account                                | Details
Installation Manager (IM) admin        | • Download IM CLI file
                                       | • Issue installation commands in IM CLI or IM Web client
Light Installation Agent (LIA) account | • Used for communication between SVM/MDM and SIO-GW
SVM root                               | • Full administration privileges to all configuration and monitoring
                                       |   activities through the VMware vSphere plug-in
MDM admin                              | • Full administration privileges to all configuration and monitoring
                                       |   activities through the CLI and GUI
When changing default account passwords, passwords must meet the following criteria:
• Between 6 and 31 characters
• Include at least three of the following groups:
  — [a-z]
  — [A-Z]
  — [0-9]
  — Special characters (!@#$...)
• No white spaces
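The password criteria above are simple enough to check before a new value is handed to the IM CLI, the SVM, or scli, which avoids a failed change half-way through a rotation runbook. The Python pre-check below is an added example for this guide, not ScaleIO's own validator (the product enforces its rules itself); it encodes exactly the four criteria listed: length between 6 and 31 characters, at least three of the four character groups, and no white space. The candidate passwords in the usage block are constructed samples.

```python
"""Validate a proposed ScaleIO account password against the criteria listed
above. Added example for this guide; not ScaleIO's own validator."""
import string

MIN_LEN, MAX_LEN = 6, 31
MIN_GROUPS = 3
# The four character groups named in the criteria above
CHARACTER_GROUPS = {
    "lowercase [a-z]": frozenset(string.ascii_lowercase),
    "uppercase [A-Z]": frozenset(string.ascii_uppercase),
    "digits [0-9]": frozenset(string.digits),
    "special characters (!@#$...)": frozenset(string.punctuation),
}


def groups_present(password):
    """Names of the character groups the password draws from."""
    return [name for name, chars in CHARACTER_GROUPS.items()
            if any(c in chars for c in password)]


def check_scaleio_password(password):
    """Return the list of violated criteria; an empty list means acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length %d is outside %d-%d characters"
                        % (len(password), MIN_LEN, MAX_LEN))
    if any(c.isspace() for c in password):
        problems.append("contains white space")
    present = groups_present(password)
    if len(present) < MIN_GROUPS:
        problems.append("uses %d character group(s) (%s); at least %d required"
                        % (len(present), ", ".join(present) or "none", MIN_GROUPS))
    return problems


if __name__ == "__main__":
    # Constructed candidates: one acceptable, the rest each breaking one rule
    for candidate in ("Abc123", "abcdef", "Abc 123!", "A1!", "Ab1!" * 8):
        print(repr(candidate), check_scaleio_password(candidate) or "OK")
```

Each violated rule is reported separately, so a caller can show the operator every problem at once rather than the first one found.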
Changing the Installation Manager admin password
Procedure
1 Log on to the Installation Manager Web client with the admin user account.
2 Click Download CLI. Save the file install-CLI.jar on the local machine running the Web
  client.
3 Use SSH to log on to the IM/GW VM as root.
4 Use SCP to copy the install-CLI.jar file to the /opt/emc/scaleio/gateway folder.
5 Type /opt/emc/scaleio/gateway/java -jar install-CLI.jar to load the EMC
  ScaleIO Installation Manager CLI shell.
6 Type the following IM CLI command:
  im generate_password --im_password <ADMIN_PASSWORD> --config_file "<CONFIG_FILE_FULL_PATH>"
  The configuration file gatewayUser.properties for Linux OS is located under
  /opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/
7 Type quit to exit the ScaleIO IM shell.
8 Type service scaleio-gateway restart to restart the gateway service.
9 Log on to the Web client with the new password.
Changing the Light Installation Agent password
About this task
The Light Installation Agent (LIA) establishes trust with the Installation Manager through a configurable token.
The LIA token is stored in /opt/emc/scaleio/lia/cfg/conf.txt on each SVM. The password is
set at initial installation.
During installation, the IM password and the LIA token are stored in hashed format.
Before you begin
To change the token after LIA runs, you must change the line in the configuration file and restart LIA.
Procedure
1 Write the password (or token) in plaintext in the LIA conf file /opt/emc/scaleio/lia/cfg/conf.txt
  ("lia_token=XXX").
2 Restart the LIA service.
3 After the restart, on the first startup, the LIA applies a hash to the password and rewrites the
  conf.txt file token with the hashed value.
Changing the SVM root password
Procedure
1 Use SSH to connect to the EMC ScaleIO SVM and log on as root.
2 Type passwd and press Enter.
3 Type the new password and press Enter.
4 Retype the password and press Enter.
Changing the default admin MDM password
Procedure
1 Use SSH to log on as root user.
2 Type the following command: # scli --login --username admin
3 Type the following command: # scli --set_password
4 Type the old password and press Enter.
5 Type the new password and press Enter.
6 Re-type the new password and press Enter.
What to do next
After the MDM admin password is changed, log on to VMware vCenter using the VMware vSphere Web
Client and open the EMC ScaleIO plug-in.
1 Click ScaleIO Systems. The cluster state shows as Disconnected-Invalid credentials.
2 Select the ScaleIO cluster. Click Actions and select Update system credentials.
3 In the User name field, type admin. In the Password field, type the new password defined
  above. Click OK.
4 Go back to the Cluster Status window. The cluster status shows as Normal.
ScaleIO user-defined accounts
Additional user accounts can be added to the ScaleIO MDM. A user role must be assigned.
User role             | Query | Configuration parameters       | Configuration user credentials
Monitor               | Yes   | No                             | No
Configurator          | Yes   | Yes                            | No
Backend Configurator  | Yes   | Yes (backend operations only)  | No
Frontend Configurator | Yes   | Yes (frontend operations only) | No
Administrator         | Yes   | Yes                            | May configure Configurator and Monitor users
Security Role         | No    | No                             | May define Administrator users and control LDAP
Super User            | Yes   | Yes                            | Yes
Only one Super User is allowed per system and it must be a local user.
Adding a user
To add a user:
1
Use SSH to log on as root user.
2
Type the following command: # scli --login --username admin
Converged System password management | 54
3. Type the following command: scli --add_user --username <NAME> --user_role <Monitor|Configure|Administrator>
Modifying a user
To modify a user:
1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: scli --modify_user --username <NAME> --user_role <Monitor|Configure|Administrator>
Deleting a user
To delete a user:
1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: scli --delete_user --username <NAME>
Displaying users and roles
To display users and roles:
1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: scli --query_users
4. Type the following command: scli --query_user --user_id <ID> | --username <NAME>
Generating a hashed password
To generate a hashed password for an MDM user on the ScaleIO Gateway, type the following command:
im generate_mdm_password --mdm_password <PASSWORD> --config_file /opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/gatewayUser.properties
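The role table and the scli syntax above are enough to pick the least privileged role for a new MDM account and to build the add-user command without hand-typing it. The following is an added example, not code from the Dell EMC guide or from the ScaleIO product: it encodes the capability table as printed, accepts only the three --user_role values the page documents, and runs nothing unless dry-run is switched off. The function names, the username pattern and the dry-run design are this example's own assumptions.

```python
"""Least-privilege role selection for ScaleIO MDM user accounts.

Added example, not from the Dell EMC guide or the ScaleIO product. It encodes the
role table above and the scli syntax shown in the procedures; the function names,
the username pattern and the dry-run design are this example's own assumptions.
"""
import re
import subprocess

# Capabilities per role from the table above, ordered from least to most privileged:
# (role name, can query, configuration scope, can manage user credentials).
# Security Role and Super User are left out on purpose: the page limits Super User to a
# single local account and gives Security Role only Administrator/LDAP management.
ROLES = [
    ("Monitor",               True, None,       False),
    ("Backend Configurator",  True, "backend",  False),
    ("Frontend Configurator", True, "frontend", False),
    ("Configurator",          True, "all",      False),
    ("Administrator",         True, "all",      True),
]

# Role values accepted by the scli --user_role option as documented on this page.
SCLI_ROLES = ("Monitor", "Configure", "Administrator")

# Assumed username pattern for input validation; ScaleIO's own rules may differ.
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,31}$")


def least_privilege_role(query=False, configure=None, credentials=False):
    """Return the least privileged role from the table that covers the requested needs.

    configure is None (no configuration changes), "backend", "frontend" or "all".
    """
    for name, can_query, scope, can_manage_credentials in ROLES:
        if query and not can_query:
            continue
        if configure is not None and scope not in (configure, "all"):
            continue
        if credentials and not can_manage_credentials:
            continue
        return name
    raise ValueError("no role in the table satisfies the requested capabilities")


def scli_add_user_argv(username, scli_role):
    """Build the argv for 'scli --add_user' after validating both inputs.

    Returning an argument list (never a shell string) keeps the username from being
    interpreted by a shell if it is later passed to subprocess.
    """
    if scli_role not in SCLI_ROLES:
        raise ValueError(f"unknown scli role {scli_role!r}; expected one of {SCLI_ROLES}")
    if not USERNAME_RE.match(username):
        raise ValueError(f"username {username!r} does not match the allowed pattern")
    return ["scli", "--add_user", "--username", username, "--user_role", scli_role]


def run_scli(argv, dry_run=True):
    """Return the command as text in dry-run mode; otherwise run it on an MDM after 'scli --login'."""
    if dry_run:
        return " ".join(argv)
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("monitoring account role:", least_privilege_role(query=True))
    print(run_scli(scli_add_user_argv("siem-reader", "Monitor")))
```

The Backend and Frontend Configurator roles from the table have no --user_role value on this page, so least_privilege_role can return them but scli_add_user_argv deliberately does not accept them; check the ScaleIO CLI reference for the value to use before creating such an account.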
Virtualization
Changing a VMware ESXi host root password
For security reasons it might be necessary to change the password for the root user on a VMware ESXi host after installation.
Use any of the following methods to change the root password for the VMware ESXi host:
• vSphere Client
• ESXi shell command
• ESXi host System Customization menu
Changing the password using VMware vSphere Client
Before you begin
Log on to the ESXi host service console as root user.
Procedure
1. Log on to VMware vSphere Client.
2. Click Home > Inventory.
3. In the left pane, select the ESXi server name or IP address. Tabs for the server appear in the right pane.
4. Select the Local Users & Groups tab.
5. Double-click the root user.
6. Select Change password.
7. In the Edit User - root dialog box, enter and confirm a new password.
8. Click OK.
Changing the password using the ESXi shell command
Before you begin
Log on to the ESXi host service console as root user.
You can also acquire root privileges by executing the su command.
Procedure
1. When prompted, type the current password.
2. To change the root password, type: passwd root.
3. Type the new root password. Press Enter.
4. Verify the password by typing it again.
Changing the password using the ESXi host System Customization menu
Before you begin
Log on to the ESXi host service console as root user.
You can also acquire root privileges by executing the su command.
Procedure
1. From the System Customization menu of the ESXi host, use the keyboard arrows to select Configure Password. Press Enter.
2. In the Configure Password dialog box, fill in the required fields to change the password:
   a. Type the Old Password of the ESXi host.
   b. Type the new root password in the New Password field. Re-type it in the Confirm Password field.
   c. Press Enter.
Modifying the VMware vCenter Server Single Sign On password
Use this procedure to change the default password for the VMware vCenter Single Sign On administrator account.
Before you begin
Log on to the VMware vSphere Web Client and connect to vCenter.
Access the Web Client using either of the following methods:
• Open the browser and type the following URL: https://vcenterlp:9443/vsphere-client
• From the Start menu, choose All Programs > VMware > VMware vSphere Webclient.
Procedure
1. In the left pane, select Administration.
2. Under Administration, select SSO Users and Groups. The admin user is displayed in the right pane.
3. On the Users tab, right-click the admin user.
4. Set and confirm the password for the admin user account. Be sure to use a strong password, as the system validates the password before accepting it.
5. Click OK.
Changing virtual machine operating system administrative passwords
Use this procedure to change the virtual machine operating system server administrator password in Windows 2008 R2 and Windows 2012.
Changing the server administrator password in Windows 2008 R2
Use this procedure to change the server administrator password in a Windows 2008 R2 environment.
Procedure
1. Log in to the server using the Administrator account.
2. From the Start menu, select Control Panel > User Accounts > User Accounts.
3. Under Make changes to your user account, select Change your password.
4. Type your password in Current password.
5. In New password, type a new password.
6. Retype the password in Confirm new password.
7. In Type a password hint, provide a word or phrase to remind you of your password. This is optional.
8. Click Change password.
Changing the server administrator password in Windows 2012
Use this procedure to change the server administrator password in a Windows 2012 environment.
Procedure
1. Log in to the server using Remote Desktop.
2. Press the Windows key. Type Administrative tools.
3. Double-click Computer Management.
4. Expand Local Users and Groups. Select Users.
5. Right-click Administrator and choose Set Password.
6. Click Proceed.
7. Enter and confirm the new password.
8. Click OK.
Management
The VxRack System management software is installed on the VxRack Controller.
Changing the VxRack Controller password
Use the iDRAC Web console to change the root password.
Procedure
1. Open a Web browser. Type: https://<ip_address_of_iDRAC>.
2. Log on as root.
3. Expand iDRAC Settings.
4. Select User Authentication.
5. Select User ID 2. ID 2 is the root user.
6. Enable Configure User and click Next.
7. Change the password.
   a. Enable Change Password.
   b. In New Password, type the new password.
   c. In Confirm New Password, re-type the new password.
   d. Click Apply.
Vision software credentials
Managing credentials involves changing the default passwords for Vision software to comply with your organization's security policies. It also involves changing access credentials for Converged System components.
When logging on to the VCE Vision dashboard, administrators are notified if any default passwords for Vision software are still in use and are prompted to change them.
Changing the default password for the root and vision accounts
The Vision Core virtual machine and the MSM virtual machine run on CentOS Linux and have a root user. You should change the default password for the root user on both VMs when you first start using Vision software.
About this task
You can also follow these steps to change the password for the vision user on the MSM virtual machine.
Before you begin
Start an SSH session to the VM and log on.
Procedure
1. Run the following command:
   passwd
2. Enter and then confirm the new password when prompted. The following is example output for a successful password change:
   [root@hostname ~]# passwd
   Changing password for user username.
   New password:
   Retype new password:
   passwd: all authentication tokens updated successfully
   You must also update the MSM credential manager service with the new password.
3. Use one of the following steps, depending on whether the password was changed on the Vision Core virtual machine or the MSM virtual machine.
   — MSM virtual machine:
     a. Run the following command to change the MSM password for credential manager to match the password changed with the passwd command.
        /opt/vce/credential-management/bin/credential-manager-cli create -credential-protocol SSH -credential-right ADMINISTRATOR -credential-type MSM -host-address MSM-IP -username <username>
        where:
        MSM-IP is the IP address for the MSM virtual machine.
        newpassword is the new password. This must be the same as the new password provided on the passwd command.
        username is either root or vision, depending on the account you are changing.
        If the password for the MSM admin user account has been changed in a clustered environment, this command fails if the password is not synchronized with the other MSM nodes in the cluster.
        The script prompts you for the new password.
     b. Enter the new password.
        When the password change is complete, the script returns the following message:
        Successfully created credential for 'root' @ '10.11.12.13'
   — Vision Core virtual machine:
     a. Log on to the MSM virtual machine as the root user.
     b. Type the following command to change the Vision Core virtual machine root user password for MSM:
        /opt/vce/multivbmgmt/install/addSlibHost.sh <core_IPaddress>
        where core_IPaddress is the IP address for the Vision Core virtual machine where the password was changed.
        The script prompts you to update the configuration:
        Would you like to update existing configuration? (yes/no) [Default = no]:
     c. Respond by entering yes. The script prompts you for the root credentials:
        Enter the SSH credentials for System Library host 10.20.30.40 (attempt 1 of 3).
        User name [Default: root]:
     d. Enter root (or press Enter) for the username.
     e. Type the new password for the Vision Core virtual machine.
        The script continues processing with a series of messages. When it has finished, the following message is displayed:
        Vision System Library Host(s) at 10.20.30.40 have been added successfully!
        The new password for the Vision Core virtual machine is picked up by the MSM virtual machine during the next collection cycle.
What to do next
You can optionally specify a password aging policy with the following command:
chage
Run the following command to view help usage:
chage -h
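chage writes the aging values it sets into /etc/shadow, so the same file is where you verify that the policy is actually in place on the Vision Core and MSM virtual machines. The following is an added example, not part of the Dell EMC guide: it reads shadow entries, reports interactive accounts with no maximum password age, with an age above a chosen threshold, or with an empty password field, and builds the chage command that applies the policy. The shadow lines are constructed for the example (the hashes are dummies), and the 90-day and 7-day thresholds are this example's assumptions, not Vision defaults.

```python
"""Audit password aging on the Vision Core or MSM virtual machine.

Added example, not part of the Dell EMC guide. chage writes the aging values it sets into
/etc/shadow; this script reads those fields back and reports accounts whose policy is missing
or weaker than the thresholds given. The shadow lines below are constructed for the example
(hashes are dummies), and the thresholds are this example's assumptions, not Vision defaults.
"""
from dataclasses import dataclass

# Constructed sample of /etc/shadow.
# Fields: name:password:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$dummysalt$DUMMYHASHdummyhashDUMMYHASHdummyhashDUMMYHASHdummyhash:17500:0:99999:7:::
vision:$6$dummysalt$dummyhashDUMMYHASHdummyhashDUMMYHASHdummyhashDUMMYHASH:17600:1:90:14:::
svcacct::17600:0:99999:7:::
postfix:!!:17500::::::
bin:*:17500:0:99999:7:::
"""

NO_MAX_AGE = 99999  # the value useradd and chage use for "never expires"


@dataclass
class Finding:
    user: str
    issue: str


def parse_shadow(text):
    """Split shadow entries into their nine colon-separated fields, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow entry for {fields[0]!r}")
        entries.append(fields)
    return entries


def audit_password_aging(text, max_days=90, warn_days=7):
    """Return findings for accounts that can log in but lack an acceptable aging policy."""
    findings = []
    for name, password, _last, _min_age, max_age, warn, *_rest in parse_shadow(text):
        if password == "*" or password.startswith("!"):
            continue  # locked or no-login account: there is no password to age
        if password == "":
            findings.append(Finding(name, "empty password field: the account can log in without a password"))
            continue
        if max_age == "" or int(max_age) >= NO_MAX_AGE:
            findings.append(Finding(name, "no maximum password age is set (chage -M)"))
        elif int(max_age) > max_days:
            findings.append(Finding(name, f"maximum password age {max_age} exceeds the policy of {max_days} days"))
        if warn == "" or int(warn) < warn_days:
            findings.append(Finding(name, f"expiry warning period is shorter than {warn_days} days (chage -W)"))
    return findings


def chage_argv(user, max_days=90, warn_days=7):
    """Build the chage command that applies the aging policy to one account (run as root)."""
    return ["chage", "-M", str(max_days), "-W", str(warn_days), user]


if __name__ == "__main__":
    for finding in audit_password_aging(SAMPLE_SHADOW):
        print(f"{finding.user}: {finding.issue}")
    print("to apply the policy to root:", " ".join(chage_argv("root")))
```

On a real VM, pass the contents of /etc/shadow (readable only by root) to audit_password_aging; an empty password field is reported separately from the aging checks because it needs passwd or a lock, not chage.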
Changing the password for the vision-integration user
The vision-integration user authenticates REST API calls internally to the Vision Core virtual machine to facilitate integration between some services. The default password is a complex, encrypted string that does not need to be known. However, you can change the default password by providing the password for the CAS admin user using a built-in script.
About this task
If you change the password for the vision-integration user, Vision software also updates the password in the necessary properties file.
Before you begin
• Determine a new password, understanding that the CAS password:
  — Is case sensitive.
  — Must be between 8 and 20 characters in length.
  — Must include one uppercase letter, one digit, and one special character.
  — Cannot contain any of the following special characters: \ / % + ' " ( ) ; : < > |
• Connect to the Vision Core virtual machine.
Procedure
1. Run /opt/vce/fm/bin/integrationChangepw.sh.
   The following message displays:
   Warning: This script will restart Asset Manager service.
   Please ensure that a maintenance window has been scheduled,
   and there is no active upgrade session going on.
   Do you want to continue ([y/n])?
2. Enter y to continue. The script then prompts you with the following:
   Please enter current admin password:
3. Enter the current Central Authentication Service (CAS) administrator password.
4. Enter the new password for the vision-integration user and then confirm it when prompted.
   The script restarts the tomcat-asset-mgr service and displays the following message:
   CAS password has been changed for vision-integration user.
Changing the Central Authentication Service (CAS) password for the admin user
Vision software uses a Central Authentication Service (CAS) for authentication to web services. As a best practice, you should change the default password for the admin user, which has full administrator privileges.
About this task
Changing the CAS password involves running a script on the Vision Core virtual machine that updates the password, encrypts it, and then saves it internally. After this password is changed, any client applications that are configured with it must be updated, including the Plug-in for vCenter.
Before you begin
• Determine a new password, understanding that the CAS password:
  — Is case sensitive.
  — Must be between 8 and 20 characters in length.
  — Must include one uppercase letter, one digit, and one special character.
  — Cannot contain any of the following special characters: \ / % + ' " ( ) ; : < > |
• Connect to the Vision Core virtual machine.
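The CAS password rules listed here and in the vision-integration procedure above are the same, and both scripts prompt interactively, so it helps to check a candidate before starting a maintenance window. The following is an added example, not part of the Dell EMC guide or of Vision software: it checks a password against the five rules as printed and can generate one from the operating system's CSPRNG that passes them. The page does not define "special character"; treating any other ASCII punctuation as special is this example's assumption, as is the generator itself.

```python
"""Check a candidate password against the CAS password rules listed above.

Added example, not part of the Dell EMC guide or Vision software. The length, uppercase,
digit and forbidden-character rules are the ones printed on this page. The page does not
define "special character", so treating any other ASCII punctuation as special is this
example's assumption, as is the random generator.
"""
import secrets
import string

MIN_LEN, MAX_LEN = 8, 20
FORBIDDEN = set("\\/%+'\"();:<>|")             # special characters the page disallows
SPECIAL = set(string.punctuation) - FORBIDDEN  # assumed: what counts as a special character
ALPHABET = string.ascii_letters + string.digits + "".join(sorted(SPECIAL))


def cas_password_problems(password):
    """Return the list of rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("must include at least one uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("must include at least one digit")
    if not any(c in SPECIAL for c in password):
        problems.append("must include at least one special character")
    found_forbidden = sorted(set(password) & FORBIDDEN)
    if found_forbidden:
        problems.append("contains forbidden characters: " + " ".join(found_forbidden))
    return problems


def generate_cas_password(length=16):
    """Generate a password from the OS CSPRNG that satisfies every rule above."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    while True:  # rejection sampling: a 16-character draw almost always passes first time
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not cas_password_problems(candidate):
            return candidate


if __name__ == "__main__":
    for candidate in ("Vision-Admin-2018", "short1!", "NoSpecial123", "Quote'd-Pass1"):
        verdict = cas_password_problems(candidate) or ["acceptable"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
    print("generated:", generate_cas_password())
```

Because the scripts read the password from an interactive prompt rather than a shell argument, characters such as $ or ! that survive the forbidden list cause no quoting problems there; they only matter if you later place the password in a client application's configuration file.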
Procedure
1. Run /opt/vce/fm/bin/slibCasChangepw.sh
   The script prompts you with the following message:
   Warning: This script will restart JBoss, Vision FM Agent and other services.
   Please ensure that a maintenance window has been scheduled,
   and there is no active upgrade session going on.
   Do you want to continue ([y/n])?
2. Enter y to continue. The script then prompts you with the following:
   Please enter current user password:
3. Enter the current password for the admin user.
   The script then prompts you with the following:
   Please enter new password(Press Ctrl C to exit):
4. Enter the new password for the admin user and then confirm it when prompted.
   The script restarts services and displays the following message:
   CAS password has been changed for admin user.
   Please update vCenter plugin Administration Settings and any other client applications
   using this password.
Ports and protocols
ScaleIO ports and authentication
This section lists ScaleIO ports and authentication.

Port        Protocol  Description
443         TCP       Used to perform installations using Installation Manager.
443         TCP       REST. Used to query a ScaleIO cluster or perform operations on a cluster.
6611, 9011  TCP       Used to provision or query ScaleIO system.
7072        TCP       SDCs connect through this port for data communication and on the MDM for metadata
                      communication.
9099        TCP       Installation Manager connects to the Light Installation Agent to perform
                      installation-related operations.
162         UDP       SNMP traps for system alerts are sent to a trap receiver using this port.
VMware vSphere 6.0 ports and authentication
This section lists ports required for communication between components by VMware vSphere 6.0.
In Microsoft Windows Server 2008, a firewall is enabled by default.
Table 1:
Port   Protocol  Description
22     TCP/UDP   System port for SSHD. This port is used only by the vCenter Server Appliance.
80     TCP       vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to
                 HTTPS port 443. This redirection is useful if you accidentally use http://server instead of
                 https://server.
                 WS-Management (also requires port 443 to be open).
                 If using a Microsoft SQL database that is stored on the same virtual machine or physical
                 server as vCenter Server, port 80 is used by the SQL Reporting Service.
                 When installing or upgrading vCenter Server, the installer prompts you to change the HTTP
                 port for vCenter Server. Change the vCenter Server HTTP port to a custom value to ensure a
                 successful installation or upgrade.
88     TCP       VMware key distribution center port.
389    TCP/UDP   This port must be open on the local and all remote instances of vCenter Server. This is the
                 LDAP port number for the Directory Services for the vCenter Server group.
                 If another service is running on this port, it might be preferable to remove the service or
                 change its port number. You can run the LDAP service on any port from 1025 through 65535.
                 If this instance is serving as the Microsoft Windows Active Directory, change the port number
                 from 389 to an available port from 1025 through 65535.
443    TCP       The default port that the vCenter Server system uses to listen for connections from the
                 vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client,
                 open port 443 in the firewall.
                 The vCenter Server system also uses port 443 to monitor data transfer from SDK clients.
                 Port 443 is also used for these services:
                 • WS-Management (also requires port 80 to be open)
                 • Third-party network management client connections to vCenter Server
                 • Third-party network management clients access to hosts
514    UDP       vSphere Syslog Collector port for vCenter Server on Windows and vSphere Syslog Service port
                 for vCenter Server Appliance.
636    TCP       For vCenter Server Enhanced Linked Mode, this is the SSL port of the local instance. If
                 another service is running on this port, it may be preferable to remove it or change its
                 port number.
                 You can run the SSL service on any port from 1025 through 65535.
902    TCP/UDP   The default port that the vCenter Server system uses to send data to managed hosts. Managed
                 hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system.
                 This port must not be blocked by firewalls between the server and the hosts or between hosts.
                 Port 902 must not be blocked between the vSphere Client and the hosts. The vSphere Client
                 uses this port to display virtual machine consoles.
1514   TCP/UDP   vSphere Syslog Collector TLS port for vCenter Server on Windows and vSphere Syslog Service
                 TLS port for vCenter Server Appliance.
2012   TCP       Control interface RPC for vCenter Single Sign-On (SSO).
2014   TCP       RPC port for all VMCA (VMware Certificate Authority) APIs.
2020   TCP/UDP   Authentication framework management.
6500   TCP/UDP   ESXi Dump Collector port.
6501   TCP       Auto Deploy service.
6502   TCP       Auto Deploy management.
7444   TCP       Secure Token Service.
8088   TCP       Workflow Management Service.
9433   TCP       vSphere Web Client HTTPS.
11711  TCP       VMware Directory service (vmdir) LDAP.
11712  TCP       VMware Directory service (vmdir) LDAPS.
5480   TCP       vCenter Server Appliance Web Console (VAMI)
For the appliance-based vCenter Server, the ports are listed in the following table:
Port   Protocol  Description
22     TCP       System port for SSHD
80     TCP       vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to
                 HTTPS port 443. This redirection is useful if you accidentally use http://server/ instead of
                 https://server/.
135    TCP       Active Directory authentication
443    TCP       vCenter Server uses port 443 to:
                 • Listen for connections from the vSphere Client.
                 • Receive data from the vSphere Client, after it is enabled.
                 • Monitor data transfer from SDK clients.
                 If you use another port number for HTTPS, use ip-address:port when you log on to the vCenter
                 Server system.
514    UDP       vSphere Syslog Collector server
902    TCP/UDP   • This is the default port used by vCenter Server to:
                   — Send data to managed hosts
                   — Display virtual machine consoles
                 • Managed hosts send a regular heartbeat over UDP port 902 to the vCenter Server system.
                 • This port must not be blocked by firewalls between the server and hosts, or between hosts.
8080   TCP       Web Services HTTP. Used for the VMware VirtualCenter Management Web Services
8090   TCP       TCP connects to the local port to provide SOAP web services
8085   TCP       Internal Service Diagnostics/SDK
8089   TCP       SDK Tunneling Port
7444   TCP       vCenter Single Sign-On - VMware Secure Token Service
8443   TCP       Web Services HTTPS. Used for the VMware VirtualCenter Management Web Services
10080  TCP       vCenter Inventory Service HTTP
10443  TCP       vCenter Inventory Service HTTPS
10109  TCP       vCenter Inventory Service database
21000  TCP       VMware vSphere Profile-Driven Storage Service HTTP
21100  TCP       VMware vSphere Profile-Driven Storage Service HTTPS
1514   TCP       vSphere Syslog Collector server (SSL)
6500   TCP       Network coredump server (UDP)
6501   TCP       Auto Deploy service
6502   TCP       Auto Deploy management
9090   TCP       vSphere Web Client HTTP
9443   TCP       vSphere Web Client HTTPS
5480   TCP       vCenter Server Appliance Web user interface HTTPS
5489   TCP       vCenter Server Appliance Web user interface CIM service
22000  TCP       vCenter Server Storage Monitoring Service HTTP
22100  TCP       vCenter Server Storage Monitoring Service HTTPS
12443  TCP       Log Browser
11711  TCP       vCenter Single Sign-On VMware Directory Service (LDAP)
11712  TCP       vCenter Single Sign-On VMware Directory Service (LDAPS)
8190   TCP       Storage Policy Server HTTP
8191   TCP       Storage Policy Server HTTPS
7331   TCP       HTML5 remote console for virtual machines
7343   TCP       HTML5 remote console for virtual machines, HTTPS
Vision Intelligent Operations ports and protocols
Review ports and protocols for communicating with Vision software.
Communication with Vision software occurs through northbound traffic over an external network and through southbound traffic to Converged System components.
Review the ports and protocols to help troubleshoot issues after installation.
Open port assignments
The MSM virtual machine runs a number of small services on various ports. Not all ports on the MSM virtual machine are opened through the firewall. The following ports are available from outside of the MSM virtual machine.
Port   Protocol  Linux Application  Usage                                                        Source
22     TCP       SSH                Secure shell (SSH)                                           Vision software
80     UDP       Apache HTTP        Web server providing access to the Vision dashboard and all
                                    Vision REST APIs. Requests are redirected to Port 443
443    TCP       Apache HTTP        HTTPS access to the dashboard and all Vision REST APIs
5672   TCP       RabbitMQ           Message service used by Vision software
7000   TCP       SSL                Cassandra SSL inter-node communication
9042   TCP, UDP  Cassandra          Cassandra native client port
9160   TCP       Cassandra          Cassandra thrift client port
9301   TCP       Elasticsearch      Elasticsearch node-to-node communication
If port 9301 is not open:
1. In the command line interface, type vi /etc/sysconfig/iptables.
2. Add the following line:
   -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9301 -j ACCEPT
3. Type service iptables save.
4. Type service iptables restart.
5. Type netstat -l | grep 9301 to check the status of the port. LISTEN indicates that the port is open.
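The netstat check in step 5 verifies one port; the same idea extended to the whole table gives a quick baseline audit of the MSM virtual machine. The following is an added example, not part of the Dell EMC guide: it parses netstat-style listener output, ignores sockets bound only to a loopback address (the table describes ports reachable from outside the VM), and reports documented ports that are not listening as well as listeners the table does not cover. The expected set is the table above transcribed as printed, including port 80 as UDP; the netstat output is constructed for the example and binds port 80 on TCP, so the audit reports port 80 under both headings, which is exactly how a mismatch between the baseline document and the host shows up.

```python
"""Compare the listening sockets on the MSM virtual machine with the port table above.

Added example, not part of the Dell EMC guide. EXPECTED_MSM_PORTS is the "Open port
assignments" table transcribed as printed (including port 80 as UDP). The netstat text is
constructed for the example; on a real VM it would come from `netstat -ltun` or `ss -ltun`.
Sockets bound only to a loopback address are ignored, because the table describes ports
reachable from outside the VM.
"""
import re

# (protocol, port) pairs from the table above.
EXPECTED_MSM_PORTS = {
    ("tcp", 22), ("udp", 80), ("tcp", 443), ("tcp", 5672), ("tcp", 7000),
    ("tcp", 9042), ("udp", 9042), ("tcp", 9160), ("tcp", 9301),
}

# Constructed `netstat -ltun` output: 9301 is not listening, 8080 is, and 80 is bound on TCP.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5672            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9042            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9160            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:4369                :::*                    LISTEN
udp        0      0 0.0.0.0:9042            0.0.0.0:*
"""

# proto, recv-q, send-q, then local address (IPv4 or IPv6) and port; UDP rows have no state column.
NETSTAT_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(netstat_text):
    """Return the set of (protocol, port) pairs listening on a non-loopback address."""
    listeners = set()
    for line in netstat_text.splitlines():
        match = NETSTAT_RE.match(line)
        if not match:
            continue  # header lines and anything that is not a socket row
        proto = match.group(1).rstrip("6")  # tcp6/udp6 are the same service from a firewall's view
        address, port = match.group(2), int(match.group(3))
        if address in LOOPBACK:
            continue
        listeners.add((proto, port))
    return listeners


def audit_ports(netstat_text, expected=EXPECTED_MSM_PORTS):
    """Report documented ports that are not listening and listeners the table does not cover."""
    listening = parse_listeners(netstat_text)
    return {
        "missing": sorted(expected - listening),
        "unexpected": sorted(listening - expected),
    }


if __name__ == "__main__":
    report = audit_ports(SAMPLE_NETSTAT)
    for kind in ("missing", "unexpected"):
        for proto, port in report[kind]:
            print(f"{kind}: {port}/{proto}")
```

A "missing" entry means the service is not bound at all, which the iptables rule above cannot fix; an "unexpected" entry is a listener to account for before it is reachable through the firewall.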
Northbound ports and protocols
Third-party applications and network management systems (NMS) can use northbound ports and protocols to communicate with Vision software.
Port 80, TCP, HTTP, and port 443, TCP, HTTPS
  Source: Vision software
  Destination: RCM content distribution network (CDN) destination addresses that include the following:
    *.flexnetoperations.com
    • updates.flexnetoperations.com
    • vce.flexnetoperations.com
    • vceesdie.flexnetoperations.com
  Direction: Outbound
Port 22, TCP: Secure shell (SSH)
  Source: Any IP address
  Direction: Inbound
Port 8443, TCP:
  • API for System Library
  • API for Vision Security
  Source: Any client or application that uses these APIs.
  Direction: Inbound
Port 18443, TCP: Inventory Manager
  Source: Any client or application that uses this feature.
  Direction: Inbound
Port 4369, TCP: AMQP messaging
  Destination: Any application that subscribes to the Vision software messaging service.
  Direction: Outbound
Port 5672, TCP: AMQP messaging
  Source: Any application that subscribes to the Vision software messaging service
  Direction: Inbound
Port 161, UDP: General SNMP messages
  Source: SNMP client or NMS
  Direction: Inbound
Port 162 (default; this port is configurable), UDP: SNMP trap messages
  Source: SNMP client or NMS
  Direction: Inbound
Refer to the Vision Intelligent Operations Integration Guide for SNMP for instructions on configuring Port 162 for SNMP trap messages.
Southbound ports and protocols
Vision software uses specific ports and protocols for southbound communication with Converged System components.
Port  Protocol  Usage                                                    Source                       Destination
69    UDP       TFTP traffic from the Configuration Collector to back up Converged System components  Vision software
                Converged System component configuration
162   UDP       SNMP trap messages                                       Converged System components  Vision software
514   UDP       syslog messages                                          Converged System components  Vision software
Compute components
Review the ports and protocols that Vision software uses for communication with compute components.
Dell iDRAC
Port  Protocol  Usage                                           Source           Destination
443   TCP       iDRAC accesses this port using the RedFish API  Vision software  iDRAC
Network components
Review the ports and protocols that Vision software uses for communication with network switches, including physical and virtual switches.
Port  Protocol  Usage                  Source           Destination
22    TCP       Secure shell (SSH)     Vision software  Network switches
161   UDP       General SNMP messages  Vision software  Network switches
Storage components
Review the ports and protocols that Vision software uses for communication with various storage components.
ScaleIO
Port  Protocol  Usage     Source           Destination
443   TCP       REST API  Vision software  ScaleIO
Management components
Vision software communicates with management components using certain ports and protocols.
Port  Protocol  Usage  Source           Destination
161   TCP       SNMP   Vision software  IPI appliance
Virtualization components
Review the ports and protocols that Vision software uses for communication with virtualization components.
Port  Protocol  Usage    Source           Destination
443   TCP       XML API  Vision software  VMware vCenter Server
References
This section contains links for additional security hardening information.
Component          Link
Cisco Nexus        http://www.cisco.com/c/en/us/about/security-center/securing-nx-os.html
ScaleIO            https://support.emc.com/docu67402_ScaleIO-2.0-Security-ConfigurationGuide.pdf?language=en_US
VMware components  https://www.vmware.com/security/hardening-guides
The information in this publication is provided "as is." Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
Copyright © 2016-2018 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA in February 2018.
Dell EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice.