Dell EMC VxRack™ System FLEX
Security Configuration Guide
Document revision 1.5
February 2018
Revision history

Date            Document revision   Description of changes
February 2018   1.5                 • Removed control ID information
                                    • Removed Security control identifier numbering section
                                    • Removed non-Dell procedures and references
                                    • Added Log Management
                                    • Added Certificate Management
October 2017    1.4                 Minor edits
August 2017     1.3                 Minor edits
June 2017       1.2                 Updated the compute layer security baseline for Controller and Management nodes
October 2016    1.1                 • Updated management software information
                                    • Added reference information for EMC ScaleIO 2.0 features
                                    • Updated EMC ScaleIO user accounts
May 2016        1.0                 Initial release
Introduction
This guide focuses on the hardening practices implemented by Dell EMC for VxRack System components and provides specific configuration guidance to help mitigate security vulnerabilities and risks. It also provides information on additional security topics related to VxRack Systems.
This document refers to VxRack Systems as Converged Systems.
When reading this guide, consider the following:
• Use this guide as a starting point for configuration security. The security controls presented provide a baseline to build on to meet the specific security needs of your organization.
• As a baseline, this guide minimizes the operational impacts of security, working with feature sets such as VMware Tools rather than eliminating them, as more secure environments might do.
• Dell EMC encourages customers to employ a risk-based approach when hardening Converged Systems to ensure an appropriate balance between security and manageability.
• This guide does not focus on a specific security compliance target.
Audience
The intended audience for this guide includes those who are planning, implementing, administering, or auditing security controls in environments containing Converged Systems. The primary audience is technical, but the document addresses the needs of a range of security program professionals.
Customers and partners are expected consumers of this guide.
Prerequisites
Readers of this guide should have a reasonable understanding of the architecture for their Converged System, particularly the management infrastructure. Refer to the appropriate Dell EMC architecture overview for your product for more information.
Additional information
Dell EMC provides other assistance that might be useful with security or compliance-related issues, such as:
• Converged Systems guidance for addressing multi-tenant concerns
• Protection of management interfaces with enhanced separation of duties, identification, authorization, auditing, and access control
• Integrating common security technologies with Converged Systems
• Guidance related to specific compliance frameworks and outcomes (for example, PCI, HIPAA, FISMA, and so forth)
• Guidance related to advanced cloud solutions, such as Enterprise Hybrid Cloud solutions
The Glossary provides Converged Systems-specific terms and definitions.
Disclaimer
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." Dell EMC MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
CERTAIN COMMERCIAL ENTITIES, EQUIPMENT, OR MATERIALS MAY BE IDENTIFIED IN THIS DOCUMENT IN ORDER TO DESCRIBE AN EXPERIMENTAL PROCEDURE OR CONCEPT ADEQUATELY. SUCH IDENTIFICATION IS NOT INTENDED TO IMPLY RECOMMENDATION OR ENDORSEMENT BY Dell EMC, NOR IS IT INTENDED TO IMPLY THAT THE ENTITIES, MATERIALS, OR EQUIPMENT ARE NECESSARILY THE BEST AVAILABLE FOR THE PURPOSE.
NOTHING IN THIS DOCUMENT SHOULD BE TAKEN TO CONTRADICT STANDARDS AND GUIDELINES MADE MANDATORY AND BINDING BY LAWS OR RULES OF GOVERNMENTAL AGENCIES.
Security strategies
Converged Systems are deployed in a wide range of circumstances and need to address a range of risk conditions. Dell EMC chose to implement a security baseline suitable for the more common, simpler security needs. Dell EMC also tries to ensure that the products can be configured in environments with more challenging security, compliance, and/or operational requirements.
Creating and maintaining the security baseline is a process that is generally aligned with the Risk Management Framework (RMF, NIST Special Publication SP 800-37).
The methodology for controlling risk and improving processes includes:
• Secure development life cycle
• Risk assessment processes
Between them, these processes yield, among other things:
• Best practices incorporated into code and architecture
• Component-level hardening guidelines
• Coding improvements
• Risks identified so mitigating options can be proactively surfaced
The primary focus of this document is on component-level controls because the other considerations have been incorporated into the Dell EMC product architecture and software. This section briefly surveys some threats at a system level and provides insight into alternate risk mitigations.
The Dell EMC account team is available to discuss risks falling outside the baseline scenarios.
Secure development
The Dell EMC Secure Development Life cycle (SDL) is a repeatable and measurable process that enables Dell EMC to meet customers’ expectations by:
• Ensuring that product engineering organizations optimally apply security controls during their product development life cycle
• Providing product groups with the capability and the information needed to fully assume accountability for the security of the products they ship
• Assisting Dell EMC customers in understanding and assessing the overall security posture of the product
Threat landscape and security considerations
Dell EMC takes certain precautions in designing and building Converged Systems to ensure that significant security vulnerabilities are minimized.
Dell EMC also recommends additional controls, but does not implement them in the building process due to variances in customer environments and differing customer security policies.
The security baseline contains more information on security considerations for your Converged System.
Administrative control
Dell EMC takes the precaution of changing all default administrator passwords and following a policy of creating complex passwords for all accounts controlling the management interfaces.
Dell EMC also uses a more secure password storage option whenever possible. In addition to these changes to the default settings for administrative access control, Dell EMC recommends employing the following additional security counter measures, provided they do not conflict with your organization’s security policy:
Threat: Administrator impersonation or privilege abuse
Counter measures:
• Use Lightweight Directory Access Protocol (LDAP) server or Windows Active Directory (AD) authentication for all Converged System components to mitigate password-related threats with password policies and to facilitate entitlements audit.
• Use low-level privilege roles for all Converged System components.
• Use separation of duties to the greatest extent feasible when administering Converged System components.
• Minimize the use of shared credentials. In particular, minimize the use of the default super user accounts.
• Capture all event logs with a Security Information and Event Management (SIEM) system. Audit privilege and role change activity, and set up alerts for this activity.
• Use strong authentication such as RSA SecurID for administration of Converged Systems.
• Use a Converged System-aware Identity and Audit Management (IAM) auditing and compliance tool to validate the consistent and appropriate application of privileges and entitlements.
Network connectivity
As with other network environments, Converged Systems need to be protected from network attacks such as spoofing, traffic sniffing, and traffic tampering. All Converged System components are configured to use secure administrative interfaces that are authenticated and encrypted. Non-secure versions of these interfaces are disabled to mitigate network attacks. Converged Systems authenticate, encrypt, and segregate traffic on the management, control, and data planes.
The default Converged System architecture separates traffic creating distinct, dedicated network zones for control, data, VMware vMotion, backup, and other purposes. Converged System network design incorporates security best practices from the component manufacturers for both physical and virtual network components. For example, console interfaces are connected to a control plane that should not be directly accessible to end users.
Connectivity between the planes is regulated by devices outside of the Converged System.
Discuss plane separation with a Dell EMC VMware vArchitect and with Professional Services before connecting your Converged System into your routing infrastructure.
Threat: Network attacks, including spoofing, sniffing, denial of service, repudiation, man in the middle, and tampering.
Counter measures:
• Enable secure network protocol options only (for example, HTTPS and Secure Shell (SSH)).
• Prefer certificate deployments that are fully integrated with site trust infrastructures over autonomous ones, and train people not to accept self-signed certificates.
• Disable unused and non-secure network protocols and services.
• Separate management and control traffic from production application traffic. You can provide this separation by using VLANs.
• Separate VMware vMotion traffic from production traffic.
• Separate data protection (backup, BC/DR) traffic from production traffic.
If network segmentation beyond VLANs is required, Converged Systems can be configured to provide enhanced physical or logical separation of network zones. Some configuration options can be supported in the standard product, such as network Access Control Lists (ACLs) on Cisco Nexus switches or VMware ESXi host firewall rule configuration. Other deployment options might require additional hardware, software, or entitlements (such as Converged Technology Extensions or partner ecosystem solutions). For example, although not part of the standard product architecture, compatible physical or virtual firewall technology can be introduced at critical network boundaries where required, to achieve the required level of security and access control.
Consult with the Dell EMC account team to learn more about options for network segmentation and security.
Management systems
Management system security is vital to the protection of the Converged System and its managed components and resource pools. When a Converged System hosts multiple environments (for example, multiple "tenants" or workloads with distinct security or compliance requirements), the management environment tends to inherit the peak sensitivities of those environments. For example, it accrues the security and compliance obligations (PCI CDE status) or the operational/availability obligations in a VDI setting.
In addition to the Authentication, Authorization and Accounting (AAA) controls, the following are important considerations.
• Management ports must have banner messages officially notifying users of monitoring, lack of privacy expectations, and civil and criminal responsibilities for malicious or damaging behavior, regardless of intent.
• Default or well-known accounts with a management port must be removed since they provide an attacker an advantage in attempts to compromise the device.
• Management ports must be configured to require strong passwords to prevent an attacker from deciphering the password.
• Management ports must be configured with a relatively short connection timeout period to minimize the risk from session hijacking.
• Standard operations hygiene must be applied on the systems hosting management applications. For example, anti-virus, backups, and patching should all be configured. Note that Dell EMC Support has special guidance regarding operating system patching.
Change and configuration management
Change and configuration management processes are important when using a Converged System.
Anything that can impact either the Dell EMC Support Service Level Agreements (SLAs) or any relevant customer SLAs should be considered as part of change and configuration management.
Dell EMC provides the Release Certification Matrix (RCM) that documents software and firmware versions that have been tested by Dell EMC and are known to interoperate properly.
Patch and update practices
Scheduled and emergency patches and updates protect systems from security vulnerabilities and help ensure performance stability.
Use the Release Certification Matrix (RCM) process for your Converged System as the basis of a patch management program. You can also apply emergency patching to address emerging security threats.
Application of critical security updates should be undertaken carefully and with close coordination with the Dell EMC account team, Customer Advocate, and Dell EMC Support to minimize the risk of unscheduled downtime or other negative business impact.
Just as with other systems and devices in the enterprise, you must keep Converged Systems updated to the latest patch levels to ensure the integrity and availability of the platform and its hosted systems. The patch and update process should include the following practices:
• Document the version of each hardware and software component
• Document risk acceptances for patches delayed or not installed
• Research mitigating controls to reduce risk when patches cannot be installed
• Follow change management plans to ensure appropriate documentation and approvals
• Establish regular patch cycles for high and for low priority patches (for example, weekly and monthly)
• Establish and test processes for emergency out-of-cycle patching
• Ensure that the patch update cycle satisfies regulatory requirements prior to being audited
• Ensure that virtualized systems are re-patched if rolled back prior to scheduled patch date
VxRack System FLEX security baseline
In this document, specific configuration guidance on how to mitigate security vulnerabilities and risks is presented using the following parameters:
Control description: General description of the problem area
Risk and vulnerability: Explanation of the actual risk
Dell EMC security standard: The specific applicable hardening standard(s)
The following sections provide detail about baseline security practices for each VxRack System component:
• Compute layer
• Network layer
• Storage layer
• Virtualization layer
• Management layer
Compute layer security baseline
VxRack Compute nodes
VxRack Compute - Default Passwords Change
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.
Dell EMC security standard
Ensure that passwords are rotated for the built-in administrator account.
VxRack Compute - Disable Telnet
Control description
Disable telnet
Risk and vulnerability
Telnet is not a secure protocol, as it transmits data in clear text.
Dell EMC security standard
Ensure that Telnet is disabled. This is configured using the Dell iDRAC Web Console.
In iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for Telnet, and click Apply.
VxRack Compute - Disable SSH
Control description
Disable SSH
Risk and vulnerability
Removing any unnecessary services, protocols and scripts reduces the attack vectors a potential hacker would exploit to gain access to sensitive information.
Dell EMC security standard
Ensure SSH is disabled. This is configured using the Dell iDRAC Web Console.
In iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for SSH, and click Apply.
VxRack Compute - Disable IPMI over LAN
Control description
Disable IPMI over LAN
Risk and vulnerability
Intelligent Platform Management Interface (IPMI) v2.0 has multiple vulnerabilities, and currently there are no patches to fix them. A potential attacker could exploit these vulnerabilities remotely to obtain the hashed password for the root user, and use an offline password cracking tool to discover the password.
Dell EMC security standard
Ensure IPMI over LAN is disabled if IPMI is not needed by any management components.
This is configured using the Dell iDRAC Web Console.
In iDRAC UI, under iDRAC settings > Network > IPMI Settings, uncheck the box titled Enable IPMI over LAN, and click Apply.
VxRack Compute - Server access using HTTPS
Control description
To remotely access Dell servers, use secure communication – HTTPS (TCP port 443).
Risk and vulnerability
For any activity conducted remotely, the use of secure protocols adds layers of protection to the transmission of data for those sessions.
Dell EMC security standard
HTTPS is enabled by default and TLS 1.2 Only is selected by default.
In iDRAC UI, under iDRAC settings > Network > Services, verify that HTTPS is enabled and that TLS 1.2 Only is selected.
VxRack Compute - Strong community strings
Control description
Define strong, non-trivial community strings where SNMP is required.
Risk and vulnerability
By not changing the default community string, attackers can more easily discover and potentially exploit or compromise the devices.
Dell EMC security standard
Ensure that the read-only community string is changed from "Public."
In iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, define a new SNMP Community Name, and click Apply.
VxRack Compute - Use SNMP V3
Control description
Use SNMP v3
Risk and vulnerability
SNMP v3 improves security by introducing encryption, integrity checks, and an improved user authentication model.
Dell EMC security standard
Ensure that SNMP v3 is selected.
In iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, check SNMP v3, and click Apply.
VxRack Compute - Disable VNC
Control description
Disable VNC
Risk and vulnerability
Disable VNC to reduce attack surface.
Dell EMC security standard
Ensure VNC is disabled.
In iDRAC UI, under iDRAC settings > Network > Services > VNC Server, uncheck the box for Enable VNC Server, and click Apply.
VxRack Compute - Disable XML
Control description
Disable XML configuration file import directly from the USB port.
Risk and vulnerability
The USB port allows iDRAC management access from a laptop or tablet connected to the USB port. An attacker could potentially upload an arbitrary configuration file to the server, or apply an XML configuration file directly to the server.
Dell EMC security standard
Ensure that USB XML configuration is disabled in the iDRAC web UI.
Under iDRAC settings > Hardware > USB Management Port > iDRAC Managed: USB XML Configuration, select Disabled.
VxRack Compute - Configure syslogs
Control description
Centralization of logs increases administration and security investigation capabilities. By configuring hosts to use a central logging server, aggregate analysis and searches become possible and provide visibility into events impacting multiple hosts.
Risk and vulnerability
Operational or security-related alerts and events may be missed when logs are not centrally managed.
Dell EMC security standard
Ensure that remote syslog settings are configured to send log entries to syslog-capable network management systems.
Under iDRAC Settings > Server > Logs, check Remote Syslog Settings, and define up to three syslog server IP addresses.
VxRack Compute - Configure NTP
Control description
Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems on a network. Setting all Vblock System components to the same time source ensures system stability and accuracy of log time stamps.
Risk and vulnerability
By not using a centralized, consistent time source, event detection and audits are difficult and may be inaccurate.
Dell EMC security standard
Ensure NTP configuration is updated with valid NTP time sources.
In iDRAC UI, under iDRAC Settings > Settings, check the Enable Network Time Protocol (NTP) box, define up to three NTP server IP addresses, and click Apply.
VxRack Compute - Disable USB ports
Control description
USB ports should be used only on an as needed basis and should be disabled otherwise.
Risk and vulnerability
An attacker could use a USB port to introduce malware to the server.
Dell EMC security standard
In BIOS settings > System BIOS Settings > Integrated Devices > Internal USB Port, set it to Off.
VxRack Compute - Disable remote RACADM
Control description
RACADM provides CLI scripting capability to control and configure the servers. Remote RACADM allows the RACADM tool running on a workstation to remotely execute commands against the server's iDRAC interface. It uses SSL for communications between the workstation and the iDRAC interface.
Risk and vulnerability
Disable remote RACADM if this feature is not required, to reduce the attack surface and prevent an attacker from remotely issuing commands against the server, such as power operations and configuration changes.
Dell EMC security standard
This feature is enabled by default. Disable it.
In the iDRAC UI, under Network > Services, uncheck Remote RACADM and click Apply.
VxRack Compute - Disable IDRAC over SOL
Control description
iDRAC can be accessed through SOL (Serial-over-LAN). This allows remote access to the server using SSH, then connecting to the server serial ports (com1 or com2, depending on the BIOS setting) and running iDRAC commands.
Risk and vulnerability
Disable iDRAC over SOL to reduce the attack surface and prevent an attacker from remotely issuing commands against the server, such as power operations and configuration changes.
Dell EMC security standard
To disable, in the iDRAC UI, under Network > Serial Over LAN, uncheck Enable Serial Over LAN, and click Apply.
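The compute-layer controls above are given as iDRAC UI steps. The following added example (not Dell EMC code) audits racadm "get" style output for the same settings in one pass; the attribute names it checks are assumed racadm object names that mirror the UI settings, and the sample output is constructed.

```python
"""Audit racadm 'get' output against the VxRack Compute (iDRAC) baseline above.

Added example, not part of the Dell EMC guide. The attribute names below are
assumed racadm object names chosen to mirror the iDRAC UI settings the guide
walks through; verify them against the racadm reference for your iDRAC firmware.
"""
import re

# racadm 'get' prints a [Key=iDRAC.Embedded.1#<Group>.1] header per attribute
# group followed by Attribute=Value lines (read-only attributes carry a '#').
GROUP_RE = re.compile(r"^\[Key=iDRAC\.Embedded\.\d+#(?P<group>\w+)\.\d+\]$")

# One entry per control in the compute-layer baseline: (attribute, control, accepted values).
BASELINE = [
    ("iDRAC.Telnet.Enable", "Disable Telnet", ("Disabled",)),
    ("iDRAC.SSH.Enable", "Disable SSH", ("Disabled",)),
    ("iDRAC.IPMILan.Enable", "Disable IPMI over LAN", ("Disabled",)),
    ("iDRAC.WebServer.Enable", "Server access using HTTPS", ("Enabled",)),
    ("iDRAC.WebServer.TLSProtocol", "Server access using HTTPS", ("TLS 1.2 Only",)),
    ("iDRAC.SNMP.SNMPProtocol", "Use SNMP v3", ("SNMPv3",)),
    ("iDRAC.VNCServer.Enable", "Disable VNC", ("Disabled",)),
    ("iDRAC.USB.ConfigurationXML", "Disable XML", ("Disabled",)),
    ("iDRAC.SysLog.SysLogEnable", "Configure syslogs", ("Enabled",)),
    ("iDRAC.NTPConfigGroup.NTPEnable", "Configure NTP", ("Enabled",)),
    ("iDRAC.Racadm.Enable", "Disable remote RACADM", ("Disabled",)),
    ("iDRAC.IPMISOL.Enable", "Disable iDRAC over SOL", ("Disabled",)),
]


def parse_racadm(text: str) -> dict:
    """Flatten grouped racadm output into {'iDRAC.<Group>.<Attribute>': value}."""
    settings, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = GROUP_RE.match(line)
        if header:
            group = header.group("group")
        elif group and "=" in line:
            attr, _, value = line.lstrip("#").partition("=")
            settings[f"iDRAC.{group}.{attr.strip()}"] = value.strip()
    return settings


def audit(settings: dict) -> list:
    """Return (control, attribute, observed value) for every baseline deviation."""
    findings = []
    for attr, control, accepted in BASELINE:
        observed = settings.get(attr, "<missing>")
        if observed not in accepted:
            findings.append((control, attr, observed))
    # Strong community strings: the well-known default (any case) or an empty string fails.
    community = settings.get("iDRAC.SNMP.AgentCommunity", "")
    if community.lower() in ("", "public"):
        findings.append(("Strong community strings", "iDRAC.SNMP.AgentCommunity", community or "<empty>"))
    # Syslog and NTP are only effective if at least one of the three server slots is filled.
    for group, prefix, control in (("SysLog", "Server", "Configure syslogs"),
                                   ("NTPConfigGroup", "NTP", "Configure NTP")):
        if not any(settings.get(f"iDRAC.{group}.{prefix}{i}") for i in (1, 2, 3)):
            findings.append((control, f"iDRAC.{group}.{prefix}1-3", "<no server defined>"))
    return findings


# Constructed racadm output for one node; Telnet, the SNMP community and the
# empty syslog server slots deviate from the baseline.
SAMPLE_OUTPUT = """\
[Key=iDRAC.Embedded.1#Telnet.1]
Enable=Enabled
#Port=23
[Key=iDRAC.Embedded.1#SSH.1]
Enable=Disabled
[Key=iDRAC.Embedded.1#IPMILan.1]
Enable=Disabled
[Key=iDRAC.Embedded.1#WebServer.1]
Enable=Enabled
TLSProtocol=TLS 1.2 Only
[Key=iDRAC.Embedded.1#SNMP.1]
AgentCommunity=public
SNMPProtocol=SNMPv3
[Key=iDRAC.Embedded.1#VNCServer.1]
Enable=Disabled
[Key=iDRAC.Embedded.1#USB.1]
ConfigurationXML=Disabled
[Key=iDRAC.Embedded.1#SysLog.1]
SysLogEnable=Enabled
Server1=
Server2=
Server3=
[Key=iDRAC.Embedded.1#NTPConfigGroup.1]
NTPEnable=Enabled
NTP1=192.0.2.10
[Key=iDRAC.Embedded.1#Racadm.1]
Enable=Disabled
[Key=iDRAC.Embedded.1#IPMISOL.1]
Enable=Disabled
"""
```

Running `audit(parse_racadm(SAMPLE_OUTPUT))` reports the three deviations; replace SAMPLE_OUTPUT with the captured output of each node to sweep a whole system.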
Network layer security baseline
Cisco NX-OS devices
Cisco NX-OS: NXOS.strong.passwords
Control description
Ensure the Cisco NX-OS device requires the use of strong passwords.
Risk and vulnerability
Passwords must be of sufficient length and meet complexity requirements, not only to meet policy and regulatory requirements but to help mitigate guessing or cracking of credentials.
When enabled, the password strength check feature rejects any password that does not meet the following requirements:
• Must contain a minimum of 8 characters and a maximum of 64 characters
• Must contain at least three of the following: lower case letters, upper case letters, digits, special characters
• Must not contain a character that is repeated more than three times consecutively, such as aaabbb
• Must not be identical to the username or the reverse of the username
• Must pass a password dictionary check; for example, the password must not be based on a standard dictionary word
• Must not contain the following symbols: $ (dollar sign), ? (question mark), and = (equals sign)
• Should not be blank for local user and admin accounts
Dell EMC security standard
Ensure the Cisco NX-OS device requires the use of strong passwords.
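As an added example (not Dell EMC or Cisco code), the password-strength rules listed above implemented as a checker that can be run against proposed credentials before they are set on the device; the word list and the dictionary-match heuristic are this example's assumptions.

```python
"""Check a candidate password against the NX-OS password-strength rules listed above.

Added example, not Dell EMC or Cisco code. DICTIONARY is a small constructed
stand-in for the device's built-in word list, and stripping leading/trailing
digits and symbols before the dictionary lookup is this example's reading of
"based on a standard dictionary word".
"""
import re

FORBIDDEN_SYMBOLS = set("$?=")
DICTIONARY = {"password", "cisco", "nexus", "admin", "welcome", "summer"}  # constructed


def password_violations(password: str, username: str) -> list:
    """Return the rules the password breaks; an empty list means it is accepted."""
    if not password:
        return ["blank password is not allowed for local user and admin accounts"]
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("length must be between 8 and 64 characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("must contain at least three of: lower case, upper case, digits, special characters")
    # "Repeated more than three times consecutively": a run of four or more identical characters.
    if re.search(r"(.)\1{3,}", password):
        problems.append("a character repeats more than three times consecutively")
    if password in (username, username[::-1]):
        problems.append("must not be identical to the username or its reverse")
    # Dictionary rule: compare the alphabetic core, ignoring surrounding digits and symbols.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    found = sorted(FORBIDDEN_SYMBOLS & set(password))
    if found:
        problems.append("contains forbidden symbol(s): " + " ".join(found))
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Password1!", "Secur3$Pass", "aaaaBBBB11", ""):
        print(f"{candidate!r:>14}: {password_violations(candidate, 'admin') or 'accepted'}")
```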
Cisco NX-OS: NXOS.CDP.disable
Control description
Ensure that the Cisco Discovery Protocol (CDP) is disabled.
Risk and vulnerability
Cisco Discovery Protocol (CDP) is a network protocol used to discover other CDP-enabled devices for neighbor adjacency and network topology. CDP can be used by Network Management Systems (NMS) or during troubleshooting. CDP must be disabled on all interfaces connected to untrusted networks. This is accomplished with the no CDP enable interface command. Alternatively, CDP can be disabled globally with the no CDP run global configuration command. Note that CDP might be used by a malicious user for reconnaissance and network mapping.
Dell EMC security standard
Ensure that the CDP is disabled.
Cisco NX-OS: NXOS.Telnet.disable
Control description
Ensure that Telnet is disabled.
Risk and vulnerability
The account credentials or commands being passed during a Telnet session might be compromised, as Telnet provides no encryption.
Dell EMC security standard
Ensure that Telnet is disabled.
Cisco NX-OS: NXOS.banner.message
Control description
Configure the Cisco Nexus device to display a warning banner at log on.
Risk and vulnerability
In some legal jurisdictions, you cannot prosecute or legally monitor malicious users unless they have been notified that they are not permitted to use the system. One way to provide this notification is to place this information in a banner message that is configured with the Cisco NX-OS banner log on command. From a security perspective, a log on banner should not contain any specific information about the router name, model, software, or ownership. This information might be abused by malicious users.
Dell EMC security standard
Configure the Cisco Nexus device to display a warning banner at log on.
Cisco NX-OS: NXOS.SSH.enable
Control description
Configure Cisco Nexus device to permit Secure Shell (SSH) connections.
Risk and vulnerability
As information can be disclosed during an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data being transmitted.
Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in clear text, an attacker might obtain sensitive information about the device and the network.
Dell EMC security standard
Ensure that SSH is enabled and configured to use a strong 2048 bit RSA key.
Cisco NX-OS: NXOS.SCP.enable
Control description
Ensure SCP is enabled to provide for secure file system transfers.
Risk and vulnerability
By not using SCP, sensitive information might be viewed and/or manipulated by an attacker.
Dell EMC security standard
Ensure SCP is enabled to provide for secure file system transfers.
Cisco NX-OS: NXOS.SFTP.enable
Control description
Ensure SFTP is enabled to provide for secure file system transfers.
Risk and vulnerability
By not using SFTP, sensitive information might be viewed and/or manipulated by an attacker.
Dell EMC security standard
Ensure SFTP is enabled to provide for secure file system transfers.
Cisco NX-OS: NXOS.console.exec.timeout
Control description
Ensure exec-timeout parameter on Cisco Nexus device console and VTY lines is set to close active sessions after 15 minutes of inactivity (or less).
Risk and vulnerability
To set the interval that the exec command interpreter waits for user input before it terminates a session, run the exec-timeout line configuration command. This command must be used to log out sessions on a VTY or physical terminal line (TTY) that is left idle
(inactive). If a user forgets to log out of an exec session, the connection might remain idle but still active, increasing the potential for someone to gain privileged access to the host.
Dell EMC security standard
Ensure exec-timeout parameter on the Cisco Nexus device console and VTY lines is set to close active sessions after 15 minutes of inactivity (or less).
Cisco NX-OS: NXOS.vty.exec.timeout
Control description
Ensure exec-timeout parameter on Cisco Nexus device console and VTY lines is set to close active sessions after 15 minutes of inactivity (or less).
Risk and vulnerability
To set the interval that the exec command interpreter waits for user input before it terminates a session, run the exec-timeout line configuration command. This command must be used to log out sessions on a VTY or physical terminal line (TTY) that is left idle
(inactive). If a user forgets to log out of an exec session, the connection might remain idle but still active, increasing the potential for someone to gain privileged access to the host.
Dell EMC security standard
Ensure exec-timeout parameter on the Cisco Nexus device console and VTY lines is set to close active sessions after 15 minutes of inactivity (or less).
Cisco NX-OS: NXOS.SNMP.disable
Control description
Ensure that Simple Network Management Protocol (SNMP) is disabled unless required.
Risk and vulnerability
SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network. It provides valuable system and event information and therefore should be enabled throughout the network infrastructure. SNMP might also be used by attackers for network reconnaissance in preparing for an attack. If SNMP access is not required, make sure it is disabled.
Dell EMC security standard
Ensure that SNMP is disabled unless required.
Cisco NX-OS: NXOS.SNMP.ro.config
Control description
Ensure that the default read-only community string is changed from Public to a unique value.
Risk and vulnerability
Simple Network Management Protocol (SNMP) provides a standardized framework and a common language used for the monitoring and management of devices in a network. It provides valuable system and event information and therefore should be enabled throughout the network infrastructure. SNMP might also be used by attackers for network reconnaissance in preparing for an attack. If SNMP access is not required, make sure it is disabled.
Dell EMC security standard
Ensure that the default read-only community string is changed from Public to a unique value.
Cisco NX-OS: NXOS.SNMP.rw.config
Control description
Ensure that the read-write community string is changed from the default value of Private if Simple Network Management Protocol (SNMP) is used in the environment.
Risk and vulnerability
SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network. It provides valuable system and event information and therefore should be enabled throughout the network infrastructure. SNMP might also be used by attackers for network reconnaissance in preparing for an attack. If SNMP access is not required, make sure it is disabled.
Dell EMC security standard
Ensure that the read-write community string is changed from Private to a non-trivial, customer-provided value.
Cisco NX-OS: NXOS.remote.syslog.enable
Control description
Ensure customer-defined remote syslog server is set.
Risk and vulnerability
Remote logging to a central log host provides a secure, centralized store for logs.
Gathering host log files onto a central host makes it easy to monitor all hosts with a single tool. You can also do aggregate analysis and search to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server helps prevent log tampering and also provides a long-term audit record.
Dell EMC security standard
Ensure a customer-defined remote syslog server is set. In the absence of a customer-defined remote syslog server, Dell EMC sets the Vision™ Intelligent Operations appliance to collect syslog messages.
Cisco NX-OS: NXOS.disable.ICMP.redirect
Control description
Ensure ICMP redirects are disabled on IOS devices.
Risk and vulnerability
ICMP redirects are used to inform a network device of a better path to an IP destination. In some situations, it might be possible for an attacker to cause the Cisco device to send many ICMP redirect messages, which results in an elevated CPU load. For this reason, it is recommended that the transmission of ICMP redirects be disabled.
Dell EMC security standard
Ensure that ICMP redirect messages are disabled.
Cisco NX-OS: NXOS.ICMP.unreachable
Control description
Ensure that ICMP unreachable messages are disabled.
Risk and vulnerability
ICMP unreachable messages tell the sender that a destination network, host, protocol, or port cannot be reached. An attacker can use these replies to map a network and its filtering policy in preparation for an attack. Note that suppressing ICMP unreachables also suppresses the fragmentation-needed message on which path MTU discovery depends, so verify that paths through the affected interfaces do not rely on it.
Dell EMC security standard
Ensure that ICMP unreachable messages are disabled.
Cisco NX-OS: NXOS.disable.unused.interfaces
Control description
Ensure that unused switch interfaces are explicitly disabled.
Risk and vulnerability
An unused switch interface might be physically connected and become a point of misuse or exploitation.
Dell EMC security standard
Ensure that unused switch interfaces are explicitly disabled.
Cisco NX-OS: NXOS.NTP.enable
Control description
Ensure that the Cisco Nexus device is configured with a centralized time source to ensure consistency and accuracy.
Risk and vulnerability
Network Time Protocol (NTP) is not an especially dangerous service, but any unneeded service can represent an attack vector. If using NTP, be sure to explicitly configure a trusted time source and use proper authentication. Accurate and reliable time is very useful for logging purposes, such as for forensic investigations of potential attacks. Configuring NTP authentication provides assurance that NTP messages are exchanged only between trusted NTP peers. Enable authentication for NTP if at all possible. Additionally, for precision and redundancy, configure multiple NTP server time sources on the Cisco NX-OS device acting as an NTP client.
Dell EMC security standard
Ensure the Cisco Nexus device is configured with a centralized time source to ensure consistency and accuracy.
Cisco NX-OS: NXOS.disable.ip.source.routing
Control description
Ensure that IP source routing is disabled.
Risk and vulnerability
IP source routing uses the loose source route and record route options in tandem or the strict source route along with the record route option to enable the source of the IP datagram to specify the network path that a packet takes. This function might be used in attempts to route traffic around security controls in the network.
Dell EMC security standard
Ensure that IP source routing is disabled.
Cisco NX-OS: NXOS.disable.ip.directed.broadcasts
Control description
Ensure that the IP directed broadcast feature is disabled on Cisco Nexus devices.
Risk and vulnerability
IP directed broadcast makes it possible to send an IP broadcast packet to a remote IP subnet. Once it reaches the remote network, the forwarding IP device sends the packet as a Layer 2 broadcast to all stations on the subnet. This directed broadcast functionality has been leveraged as an amplification and reflection aid in several attacks, including the smurf attack.
Current versions of Cisco NX-OS have this function disabled by default; however, it can be enabled with the ip directed-broadcast interface configuration command.
Dell EMC security standard
Ensure that IP directed broadcast is disabled on Cisco Nexus devices.
Cisco NX-OS: NXOS.ip.source.guard.enable
Control description
Ensure that IP Source Guard is enabled.
Risk and vulnerability
IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet matches one of two sources of IP and MAC address bindings:
•
Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table
•
Static IP source entries that you configure
Filtering based on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses the IP address of a valid host to gain unauthorized network access. To circumvent IP Source Guard, an attacker would have to spoof both the IP address and the MAC address of a valid host.
Dell EMC security standard
Ensure that IP Source Guard is enabled.
Cisco NX-OS: NXOS.HTTP_Server.disable
Control description
Disable HTTP Server.
Risk and vulnerability
Removing any unnecessary services, protocols, and scripts reduces the attack vectors a potential hacker might exploit to gain access to sensitive information.
Dell EMC security standard
Ensure HTTP Server is disabled.
Cisco NX-OS: NXOS.password.strength-check
Control description
Do not disable password strength check. This feature is enabled by default.
Risk and vulnerability
If the password strength check is disabled, password complexity is not enforced for local accounts. Cisco NX-OS can optionally enforce strong password checking when a password is set or entered. This feature is enabled by default and ensures that a password must:
•
Be at least eight characters long
•
Not contain many consecutive characters (abcde, lmnopq, and so forth)
•
Not contain dictionary words (English dictionary)
•
Not contain many repeating characters (aaabbb, tttttyyyy, and so forth)
•
Not contain common proper names (John, Mary, Joe, Cisco, and so forth)
•
Contain both uppercase and lowercase letters
•
Contain numbers
Dell EMC security standard
Ensure that password strength checking is enabled.
Cisco NX-OS: NXOS.SSH.key.length
Control description
Ensure that Secure Shell (SSH) is enabled and configured to use a strong 2048-bit RSA key.
Risk and vulnerability
As information can be disclosed during an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data being transmitted.
Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in clear text, an attacker might obtain sensitive information about the device and the network.
Dell EMC security standard
Ensure that SSH is enabled and configured to use a strong 2048-bit RSA key.
Cisco NX-OS: NXOS.LoggingTimestamp.configure
Control description
Configure logging timestamp with millisecond precision.
Risk and vulnerability
Configuring logging timestamps helps correlate events across network devices. It is important to implement a correct and consistent logging timestamp configuration to help ensure that you can correlate logging data. Logging timestamps should be configured to include millisecond precision.
Dell EMC security standard
Ensure configuration of logging timestamp with millisecond precision.
Cisco NX-OS: NXOS.UnusedServices.disable
Control description
Disable unused services for Cisco NX-OS devices.
Risk and vulnerability
As a general security best practice, disable any unnecessary services. By default, Cisco NX-OS does not run any of the typical Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) small servers often found in Cisco IOS software or other network operating systems. As a result, these services do not need to be explicitly disabled. Cisco NX-OS is designed to not run remotely-accessible services or protocols by default without explicit configuration. Secure Shell (SSH), Simple Network Management Protocol (SNMP), and Network Time Protocol (NTP) are essential services for running and managing a network. These services are enabled by default. If needed, they can be individually disabled. During initial setup, Cisco NX-OS offers the option to enable Telnet. Note that this service does not load or run at restart time if it is not enabled during this initial setup. If this service is not enabled when the setup script is run, it can be added manually later if needed. Cisco recommends using SSH instead of Telnet for security reasons.
Dell EMC security standard
Ensure that CDP, Telnet, and any other unused services (such as TCP small servers) are disabled.
Cisco NX-OS: NXOS.SSH.Retry limit
Control description
Secure Shell (SSH) provides a secure, encrypted channel for communication with remote terminals. SSH can be configured to limit the number of authentication attempts in a given time period.
Risk and vulnerability
If SSH authentication attempts are not limited, attackers can repeatedly attempt authentication (that is, guess passwords by brute force) without being throttled.
Dell EMC security standard
Ensure that SSH is configured to allow only three authentication attempts in any one minute.
Cisco NX-OS: NXOS.DHCP.disable
Control description
Ensure Dynamic Host Configuration Protocol (DHCP) services are disabled if not required.
Risk and vulnerability
Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information dynamically to hosts on a TCP/IP network. A DHCP client is a host that uses DHCP to obtain configuration parameters such as an IP address, DNS server, and so forth. Because of the information DHCP hands out, potential attackers might exploit DHCP functionality as a means of reconnaissance in preparation for an attack. There is also a risk that a rogue DHCP server could be deployed to provide malicious IP or DNS configurations to hosts. DHCP services should be disabled if not required.
Dell EMC security standard
Ensure DHCP services are disabled if not required.
Cisco NX-OS: NXOS.DNS.Resolution.Lookups.disable
Control description
The DNS Resolution Lookup automatically tries to resolve unrecognized commands to local host names.
Risk and vulnerability
Mistyping a command results in delays while the device attempts to resolve the mistyped text as a host name.
Dell EMC security standard
Ensure the domain-lookup feature is disabled.
Cisco NX-OS: NXOS.DefaultPasswords.modify
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.
Dell EMC security standard
Ensure all default passwords are changed to sufficiently complex values.
Cisco NX-OS: NXOS.VLAN.Segmentation
Control description
Use separate VLANs to isolate sensitive data transmissions.
Risk and vulnerability
Without proper identification, documentation, and segmentation of VLANs, network traffic might be viewed from unauthorized sources. Some examples of VLAN best practices are:
•
Ensure that vSphere management traffic is on a restricted network.
•
Ensure that VLAN 1 is not used for in-band management and is pruned from all trunks and from all access ports.
•
Ensure that vMotion traffic is isolated.
•
Ensure that IP-based storage traffic is isolated.
Dell EMC security standard
Ensure that management and system hosts are placed on separate VLANs.
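To make the switch controls above auditable rather than a checklist, the following Python script (an added example written for this page, not Dell EMC or Cisco tooling) checks a constructed NX-OS running-config excerpt against several of them: the remote syslog server, millisecond log timestamps, NTP authentication and redundancy, the 2048-bit SSH key, password strength checking, Telnet and CDP, ICMP redirects on routed interfaces, and shutdown of unused interfaces. The command strings it searches for are the author's assumption of NX-OS syntax and must be confirmed against the release running on your switches; both configuration excerpts are constructed, not captured from a VxRack system.

```python
"""Audit an NX-OS running-config excerpt against the switch baseline controls above."""
import re

# Constructed sample: a non-compliant `show running-config` excerpt (not from a real switch).
SAMPLE_CONFIG = """\
hostname nexus-a
feature telnet
no password strength-check
cdp enable
ssh key rsa 1024
logging timestamp seconds
ntp server 10.0.0.5
interface Ethernet1/1
  description uplink to core
  ip address 10.10.1.1/30
interface Ethernet1/2
  description ScaleIO data
  switchport access vlan 100
interface Ethernet1/3
interface Ethernet1/4
  shutdown
"""

# The same excerpt after remediation. The command forms are the author's assumption of
# NX-OS syntax and must be confirmed against the release running on the switch.
HARDENED_CONFIG = """\
hostname nexus-a
no cdp enable
ssh key rsa 2048
logging server 10.0.0.20 6 use-vrf management
logging timestamp milliseconds
ntp authenticate
ntp server 10.0.0.5 key 1
ntp server 10.0.0.6 key 1
interface Ethernet1/1
  description uplink to core
  ip address 10.10.1.1/30
  no ip redirects
interface Ethernet1/2
  description ScaleIO data
  switchport access vlan 100
interface Ethernet1/3
  shutdown
"""

# Top-level checks: (regex, must_be_present, control ID from this baseline).
GLOBAL_CHECKS = [
    (r"^logging server \S+", True, "NXOS.remote.syslog.enable"),
    (r"^logging timestamp milliseconds$", True, "NXOS.LoggingTimestamp.configure"),
    (r"^ntp authenticate$", True, "NXOS.NTP.enable"),
    (r"^ntp server \S+ key \d+", True, "NXOS.NTP.enable"),
    (r"^ssh key rsa 2048$", True, "NXOS.SSH.key.length"),
    (r"^no password strength-check$", False, "NXOS.password.strength-check"),
    (r"^feature telnet$", False, "NXOS.UnusedServices.disable"),
    (r"^no cdp enable$", True, "NXOS.UnusedServices.disable"),
]


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]}; any unindented line ends the current block."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith("  ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit(config_text):
    """Return a sorted list of (control, finding); an empty list means the excerpt is compliant."""
    findings = []
    top_level = [l.rstrip() for l in config_text.splitlines() if l and not l.startswith(" ")]
    for pattern, must_exist, control in GLOBAL_CHECKS:
        present = any(re.match(pattern, l) for l in top_level)
        if present != must_exist:
            findings.append((control, f"{pattern!r} {'missing' if must_exist else 'present'}"))
    # The NTP control asks for multiple time sources, not just an authenticated one.
    if sum(1 for l in top_level if l.startswith("ntp server ")) < 2:
        findings.append(("NXOS.NTP.enable", "fewer than two NTP servers configured"))
    for name, cmds in parse_interfaces(config_text).items():
        has_l3 = any(c.startswith("ip address ") for c in cmds)
        # Heuristic: an interface with no description, L3 or L2 configuration is treated as unused.
        in_use = has_l3 or any(c.startswith(("description ", "switchport", "channel-group ")) for c in cmds)
        if has_l3 and "no ip redirects" not in cmds:
            findings.append(("NXOS.disable.ICMP.redirect", f"{name}: ICMP redirects not disabled"))
        if not in_use and "shutdown" not in cmds:
            findings.append(("NXOS.disable.unused.interfaces", f"{name}: unused but not shut down"))
    return sorted(findings)


if __name__ == "__main__":
    for control, finding in audit(SAMPLE_CONFIG):
        print(f"{control}: {finding}")
```

Run against the sample it reports eleven findings and against the hardened excerpt none. The "unused interface" test is deliberately a heuristic: an interface that carries traffic without a description, switchport or IP configuration would be flagged, which is the safer direction for an audit, but the interface inventory should still be reconciled against the cabling record before anything is shut down.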
Storage layer security baseline
ScaleIO
For detailed ScaleIO security configuration information, refer to the following Dell EMC resources, available at support.emc.com:
•
ScaleIO Security Configuration Guide
•
ScaleIO User Guide
ScaleIO: ScaleIO.Passwords.Change
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords might be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.
Dell EMC security standard
Ensure that passwords are rotated for all built-in accounts.
ScaleIO: ScaleIO.SNMP.Trap.Configure
Control description
ScaleIO supports sending Simple Network Management Protocol (SNMP) traps to an SNMP server.
Risk and vulnerability
Defining an incorrect SNMP trap receiver could expose system information to a potential attacker or a rogue trap receiver.
Dell EMC security standard
Ensure a correct SNMP trap receiver is configured according to customer requirements.
ScaleIO: ScaleIO.Logging.Configure
Control description
Log all successful interactive device management access using centralized syslog.
Risk and vulnerability
Logging all successful interactive device management access to a central syslog server makes it possible to correlate events across systems whenever a device is accessed. Without it, log review and event correlation are impaired.
Dell EMC security standard
Define a syslog server for centralized event monitoring.
Virtualization layer security baseline
Management Virtual Machines
Management VM: VM.disable-disk-shrinking-shrink
Control description
Disable disk shrinking feature for virtual disks for normal operations.
Risk and vulnerability
Shrinking a virtual disk reclaims unused space in it. The shrink, which runs on the host, reduces the size of the disk files by the amount of space reclaimed in the preceding wipe step; if the disk has empty space, the virtual disk then occupies less space on the host datastore. Users and processes in the virtual machine that do not have root or administrator privileges can invoke this procedure. A non-root user cannot erase the parts of the virtual disk that require root-level permissions, but if the shrink is invoked repeatedly the virtual disk can become unavailable while it runs, which is effectively a denial of service. Disk shrinking is not normally performed in datacenter environments, so disable this feature.
Dell EMC security standard
Ensure the shrinking of virtual disks is restricted.
Management VM: VM.limit-console-connections-one
Control description
Limit sharing of console connections.
Risk and vulnerability
By default, more than one user at a time can connect to remote console sessions. When multiple sessions are active, each terminal window gets a notification about the new session. If an administrator in the virtual machine logs in using a VMware remote console during their session, a non-administrator in the virtual machine can connect to the console and observe the administrator's actions. This can also result in an administrator losing console access to a virtual machine: for example, if a jump box is being used for an open console session and the administrator loses connection to that box, the console session remains open. Allowing two console sessions permits debugging using a shared session; for highest security, allow only one remote console session at a time.
Dell EMC security standard
Ensure only a single connection, at maximum, is allowed to a remote session.
Management VM: VM.disable-console-drag-n-drop
Control description
Explicitly disable copy/paste operations.
Risk and vulnerability
Information might be improperly disclosed if copy/paste operations are permitted during console sessions. Copy and paste operations are disabled by default. However, if you explicitly disable this feature, audit controls can check that this setting is correct.
Dell EMC security standard
Ensure clipboard information (for example, using cut and paste) is not shareable between the virtual machines and the computers running the remote console session.
Management VM: VM.disable-console-copy
Control description
Explicitly disable copy/paste operations.
Risk and vulnerability
Information might be improperly disclosed if copy/paste operations are permitted during console sessions. Copy and paste operations are disabled by default. However, if you explicitly disable this feature, audit controls can check that this setting is correct.
Dell EMC security standard
Ensure clipboard information (for example, using cut and paste) is not shareable between the virtual machines and the computers running the remote console session.
Management VM: VM.disable-console-paste
Control description
Explicitly disable copy/paste operations.
Risk and vulnerability
Information might be improperly disclosed if copy/paste operations are permitted during console sessions. Copy and paste operations are disabled by default. However, if you explicitly disable this feature, audit controls can check that this setting is correct.
Dell EMC security standard
Ensure clipboard information (for example, using cut and paste) is not shareable between the virtual machines and the computers running the remote console session.
Management VM: VM.disable-console-gui-options
Control description
Explicitly disable copy/paste operations.
Risk and vulnerability
Information might be improperly disclosed if copy/paste operations are permitted during console sessions. Copy and paste operations are disabled by default. However, if you explicitly disable this feature, audit controls can check that this setting is correct.
Dell EMC security standard
Ensure clipboard information (for example, using cut and paste) is not shareable between the virtual machines and the computers running the remote console session.
Management VM: VM.disconnect-devices-floppy
Control description
Disconnect unused/unauthorized devices.
Risk and vulnerability
Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be used to compromise a system. Ensure that no device is connected to a virtual machine if it is not required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be set to False. The parameters listed are not sufficient to ensure that a device is usable; other required parameters specify how each device is instantiated. Any enabled or connected device represents a potential attack channel. When set to False, functionality is disabled; however, the device might still show up in the guest operating system.
Dell EMC security standard
Ensure that virtual devices are disabled so as to eliminate potential attack vectors.
Management VM: VM.disconnect-devices-serial
Control description
Disconnect unused/unauthorized devices.
Risk and vulnerability
Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be used to compromise a system. Ensure that no device is connected to a virtual machine if it is not required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be set to False. The parameters listed are not sufficient to ensure that a device is usable; other required parameters specify how each device is instantiated. Any enabled or connected device represents a potential attack channel. When set to False, functionality is disabled; however, the device might still show up in the guest operating system.
Dell EMC security standard
Ensure that virtual devices are disabled so as to eliminate potential attack vectors.
Management VM: VM.disconnect-devices-parallel
Control description
Disconnect unused/unauthorized devices.
Risk and vulnerability
Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be used to compromise a system. Ensure that no device is connected to a virtual machine if it is not required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be set to False. The parameters listed are not sufficient to ensure that a device is usable; other required parameters specify how each device is instantiated. Any enabled or connected device represents a potential attack channel. When set to False, functionality is disabled; however, the device might still show up in the guest operating system.
Dell EMC security standard
Ensure that virtual devices are disabled so as to eliminate potential attack vectors.
Management VM: VM.disconnect-devices-usb
Control description
Disconnect unused/unauthorized devices.
Risk and vulnerability
Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be used to compromise a system. Ensure that no device is connected to a virtual machine if it is not required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be set to False. The parameters listed are not sufficient to ensure that a device is usable; other required parameters specify how each device is instantiated. Any enabled or connected device represents a potential attack channel. When set to False, functionality is disabled; however, the device might still show up in the guest operating system.
Dell EMC security standard
Ensure that virtual devices are disabled so as to eliminate potential attack vectors.
Management VM: VM.disconnect-devices-ide
Control description
Disconnect unused/unauthorized devices.
Risk and vulnerability
Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be used to compromise a system. Ensure that no device is connected to a virtual machine if it is not required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be set to False. The parameters listed are not sufficient to ensure that a device is usable; other required parameters specify how each device is instantiated. Any enabled or connected device represents a potential attack channel. When set to False, functionality is disabled; however, the device might still show up in the guest operating system.
Dell EMC security standard
Ensure that virtual devices are disabled so as to eliminate potential attack vectors.
Management VM: VM.prevent-device-interaction-connect
Control description
Prevent unauthorized removal, connection, and modification of devices.
Risk and vulnerability
In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Non-administrative users can therefore reconnect a disconnected CD-ROM drive and access mounted information, or disconnect or change network adaptor settings and disrupt service to the virtual machine. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. If a device must remain attached so that it can be used again later, you can instead prevent a user or running process in the guest operating system from connecting, disconnecting, or modifying it. By default, a rogue user with non-administrator privileges in a virtual machine can:
•
Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive
•
Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service
Dell EMC security standard
Ensure that virtual devices cannot be disconnected or edited to prevent disruption of services.
Management VM: VM.prevent-device-interaction-edit
Control description
Prevent unauthorized removal, connection, and modification of devices.
Risk and vulnerability
In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Non-administrative users can therefore reconnect a disconnected CD-ROM drive and access mounted information, or disconnect or change network adaptor settings and disrupt service to the virtual machine. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. If a device must remain attached so that it can be used again later, you can instead prevent a user or running process in the guest operating system from connecting, disconnecting, or modifying it. By default, a rogue user with non-administrator privileges in a virtual machine can:
•
Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive
•
Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service
Dell EMC security standard
Ensure that virtual devices cannot be disconnected or edited to prevent disruption of services.
Management VM: VM.limit-log-size
Control description
Limit virtual machine logging. Check virtual machine configuration settings and verify that log.rotateSize is set to 100000.
Risk and vulnerability
Normally a new log file is created only when a host is restarted, so the file can grow to be quite large. Use log settings to limit the total size and number of log files. You can limit the maximum log file size to ensure that new log files are created more frequently.
To restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000 KB. Datastores are likely to be formatted with a block size of 2 MB or 4 MB, so a size limit too far below this size would result in unnecessary storage usage. Each time an entry is written to the log, the log size is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, the oldest log file is deleted when a new one is created. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. However, each log entry is limited to 4 KB, so no log files are ever more than 4 KB larger than the configured limit.
Another option is to disable logging for the virtual machine, making troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastore being filled.
Dell EMC security standard
Ensure that only the last 10 virtual machine log files are saved, with each restricted to 1 MB in size. Note that log.rotateSize is expressed in bytes, so confirm that the value you configure matches the per-file limit your policy intends.
Management VM: VM.limit-log-number
Control description
Limit virtual machine logging. Check virtual machine configuration settings and verify that log.keepOld is set to 10.
Risk and vulnerability
Normally a new log file is created only when a host is restarted, so the file can grow to be quite large. Use log settings to limit the total size and number of log files. You can limit the maximum log file size to ensure that new log files are created more frequently.
To restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000 KB. Datastores are likely to be formatted with a block size of 2 MB or 4 MB, so a size limit too far below this size would result in unnecessary storage usage. Each time an entry is written to the log, the log size is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, the oldest log file is deleted when a new one is created. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4 KB, so no log files are ever more than 4 KB larger than the configured limit.
Another option is to disable logging for the virtual machine, making troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastore being filled.
Dell EMC security standard
Ensure that only the last 10 virtual machine log files are saved, with each restricted to 1 MB in size.
Management VM: VM.limit-setinfo-size
Control description
Limit informational messages from the virtual machine to the VMX file.
Risk and vulnerability
The configuration file containing the name-value pairs is limited to a size of 1 MB. This capacity should be sufficient for most cases, but you can change this value if necessary, for example when large amounts of custom information are being stored in the configuration file. The default limit is 1 MB and is applied even when the tools.setInfo.sizeLimit parameter is not listed in the VMX file. An uncontrolled VMX file size can lead to denial of service if the datastore is filled.
Dell EMC security standard
Ensure the VMware VMX configuration file is explicitly configured for 1 MB size restriction.
Management VM: vCenter.restrict-guest-control
Control description
Restrict unauthorized VMware vSphere users from being able to execute commands in the guest virtual machine.
Risk and vulnerability
By default, the VMware vCenter Server Administrator role allows users to interact with files and programs inside a virtual machine's guest operating system, which can reduce guest data confidentiality, availability, or integrity. The principle of least privilege requires that this privilege be granted only to users who are authorized to have it. Create a non-guest-access administrator role with these privileges removed; this role retains administrator privileges except those that allow file and program interaction in the guests.
Dell EMC security standard
Create a new role for administration that does not allow interaction with guest operating system files or programs.
Management VM: VM.restrict-host-info
Control description
Do not send host information to guests.
Risk and vulnerability
By enabling a virtual machine to get detailed information about the physical host, an adversary could potentially use this information to inform further attacks on the host. If set to True, a virtual machine can obtain detailed information about the physical host. The default value for the parameter is False. This setting should not be True unless a particular virtual machine requires this information for performance monitoring. Check virtual machine configuration settings and verify that tools.guestlib.enableHostInfo is set to False.
Dell EMC security standard
Ensure that information pertaining to the physical host cannot be obtained by the virtual machines.
Management VM: VM.disable-unexposed-features-getcreds
Control description
Disable unnecessary features or services.
Risk and vulnerability
Because VMware virtual machines are designed to run on both vSphere and hosted virtualization platforms such as Workstation and Fusion, some VMX parameters do not apply when running on vSphere. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest might affect the host.
Dell EMC security standard
Ensure that configuration settings and parameters are explicitly set to disabled if not required.
Management VM: VM.disable-unexposed-features-unitypush
Control description
Disable unnecessary features or services.
Risk and vulnerability
Because VMware virtual machines are designed to run on both vSphere and hosted virtualization platforms such as Workstation and Fusion, some VMX parameters do not apply when running on vSphere. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest might affect the host.
Dell EMC security standard
Ensure that configuration settings and parameters are explicitly set to disabled if not required.
Management VM: VM.disable-unexposed-features-launchmenu
Control description
Disable unnecessary features or services.
Risk and vulnerability
Because VMware virtual machines are designed to run on both vSphere and hosted virtualization platforms such as Workstation and Fusion, some VMX parameters do not apply when running on vSphere. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest might affect the host.
Dell EMC security standard
Ensure that configuration settings and parameters are explicitly set to disabled if not required.
Management VM: VM.disable-unexposed-features-memsfss
Control description
Disable unnecessary features or services.
Risk and vulnerability
As VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them reduces the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus might help prevent successful exploits.
Dell EMC security standard
Ensure that configuration settings and parameters are explicitly set to disabled if not required.
Management VM: VM.disable-independent-nonpersistent
Control description
Avoid using independent non-persistent disks.
Risk and vulnerability
With non-persistent disk mode, successful attackers, with a simple shutdown or restart, might undo or remove any traces that they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode.
Additionally, make sure that activity in the virtual machine is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a virtual machine, administrators might never know whether they have been attacked or hacked.
Dell EMC security standard
Ensure that configuration settings and parameters are explicitly set to desired values; in this case, scsiX:Y.mode is either not present or not set to independent nonpersistent.
Management VM: VM.isolation.tools.autoInstall.disable
Control description
Disable tools that require automatic restarting after installation.
Risk and vulnerability
Tools auto install can initiate an automatic restart. Disabling this option prevents tools from being installed automatically and prevents automatic machine restarts.
For Linux-based operating systems, Open VM Tools is widely available as a distribution-based package. Consider using this method to manage VM Tools installation. If you do this, disable VM Tools auto-install using this guideline.
Dell EMC security standard
Check virtual machine configuration settings to verify that isolation.tools.autoinstall.disable is set to True.
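The three VMX settings named in the controls above (tools.guestlib.enableHostInfo, scsiX:Y.mode and isolation.tools.autoinstall.disable) can be audited directly from a virtual machine's .vmx file. The following Python script is an added example, not Dell EMC or VMware code; the sample .vmx contents are constructed, and only the keys this guide names are checked.

```python
"""Audit a VMware .vmx file against the virtual-machine settings in this baseline.

Added example (not Dell EMC or VMware code). Only the VMX keys named in the guide are
checked: tools.guestlib.enableHostInfo, isolation.tools.autoinstall.disable and
scsiX:Y.mode. The sample .vmx content below is constructed for the demonstration.
"""
import re

# A .vmx file is a flat list of  key = "value"  lines; keys are case-insensitive.
VMX_LINE = re.compile(r'^\s*([^=#\s]+)\s*=\s*"(.*)"\s*$')
SCSI_MODE = re.compile(r'^scsi\d+:\d+\.mode$')


def parse_vmx(text):
    """Return {lower-cased key: value} for every  key = "value"  line; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def is_true(value):
    return value is not None and value.strip().lower() == "true"


def audit_vmx(text):
    """Return a list of finding strings; an empty list means the file meets the baseline."""
    s = parse_vmx(text)
    findings = []

    # VM.host-performance-info: the guest must not be able to read detailed host information.
    # The default is FALSE, so only an explicit TRUE is a finding.
    if is_true(s.get("tools.guestlib.enablehostinfo")):
        findings.append("tools.guestlib.enableHostInfo is TRUE; expected FALSE")

    # VM.isolation.tools.autoInstall.disable: the baseline requires an explicit TRUE,
    # so a missing key is reported as well as a FALSE value.
    if not is_true(s.get("isolation.tools.autoinstall.disable")):
        findings.append("isolation.tools.autoinstall.disable is not TRUE")

    # VM.disable-independent-nonpersistent: a disk in independent-nonpersistent mode lets a
    # restart discard evidence of activity; an absent key (persistent mode) is acceptable.
    for key, value in s.items():
        if SCSI_MODE.match(key) and value.lower().replace(" ", "-") == "independent-nonpersistent":
            findings.append(f"{key} is independent-nonpersistent; expected persistent or not present")

    return findings


# Constructed sample: a management VM whose configuration violates all three controls.
SAMPLE_BAD_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "mgmt-vm-01"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "mgmt-vm-01.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.mode = "independent-nonpersistent"
tools.guestlib.enableHostInfo = "TRUE"
isolation.tools.autoinstall.disable = "FALSE"
'''

# Constructed sample: the same VM after remediation.
SAMPLE_GOOD_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "mgmt-vm-01"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "mgmt-vm-01.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.mode = "independent-persistent"
tools.guestlib.enableHostInfo = "FALSE"
isolation.tools.autoinstall.disable = "TRUE"
'''

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BAD_VMX), ("after", SAMPLE_GOOD_VMX)):
        findings = audit_vmx(text)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```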
Management VM: VM.HostGuestFileSystem.disable
Control description
Disable Host Guest File System transfers.
Risk and vulnerability
Certain automated tools use the Host Guest File System, a hypervisor component. An attacker might potentially use it to transfer files into the guest operating system.
Dell EMC security standard
Disable Host Guest File System transfers.
Management VM: VM.MonitorControl.disable
Control description
Disable VM Monitor Control to further hide system information.
Risk and vulnerability
Virtual machines running on a hypervisor are "aware" that they are running in a virtual environment, and this information is available to tools inside the guest operating system. This can give attackers information about the platform on which they are running.
Dell EMC security standard
Disable VM Monitor Control to further hide system information.
Management VM: VM.host-performance-info.disable
Control description
This setting, if enabled, allows the virtual machine to obtain detailed information about the physical host.
Risk and vulnerability
Information gained about the physical host might be used to assist in subsequent attacks against the physical host.
Dell EMC security standard
Ensure this setting is disabled.
Management VM: VM.Unecessary-Services.disable
Control description
Disable any unnecessary functions inside virtual machines.
Risk and vulnerability
Disabling unnecessary system components not needed to support the application or service running on the system reduces the number of attack vectors.
Dell EMC security standard
Disable any unnecessary functions inside virtual machines.
Management VM: VM.DefaultPasswords.modify
Control description
Remove default accounts and passwords.
Risk and vulnerability
During installation, the default password is not changed. This must be done manually.
Dell EMC security standard
Remove default accounts and passwords.
Management VM: VM.ToolsAutoInstall.Disable
Control description
Disable tools that require automatic restarting after installation.
Risk and vulnerability
Tools that auto-install might initiate an automatic restart that disrupts the current environment.
Dell EMC security standard
Disable tools that require automatic restarting after installation.
Management VM: VM.Passwords.Modify
Control description
Remove default accounts and passwords.
Risk and vulnerability
During installation of the vCenter Server Appliance (VCSA), the default password is not changed. This must be done manually.
Dell EMC security standard
Remove default accounts and passwords.
Management VM: VM.Configure.NTP
Control description
Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems on a network.
According to VMware best practices related to time synchronization, configuration of virtual machine time synchronization should be implemented using the native OS tools on the VM.
See VMware KB 1318 for more information concerning best practices for Windows: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318
See VMware KB 1006427 for more information concerning best practices for Linux: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006427
Risk and vulnerability
By not using a centralized, consistent time source, event detection and audits are difficult and may be inaccurate.
Dell EMC security standard
NTP is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log timestamps.
VMware ESXi
VMware ESXi: ESXi.enable-remote-syslog
Control description
Configure remote logging for VMware vSphere ESXi hosts.
Risk and vulnerability
Remote logging to a central log host provides a secure, centralized store for VMware vSphere ESXi logs. By gathering host log files onto a central host, you can more easily monitor all hosts with a single tool. You can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server helps prevent log tampering and also provides a long-term audit record. To facilitate remote logging, VMware provides the vSphere Syslog Collector.
Dell EMC security standard
Ensure remote Syslog is configured to centralize alert and event logging.
VMware ESXi: ESXi.config-ntp
Control description
Configure Network Time Protocol (NTP) time synchronization.
Risk and vulnerability
Ensuring that all systems use the same relative time source (including the relevant localization offset) and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time – UTC), makes it simpler to track and correlate an intruder’s actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate.
Dell EMC security standard
Ensure a centralized time source is used to ensure consistency.
VMware ESXi: ESXi.enable-normal-lockdown-mode
Control description
Enable Normal Lockdown Mode to restrict access.
Risk and vulnerability
Enabling lockdown mode disables direct access to a VMware vSphere ESXi host, requiring that the host be managed remotely from vCenter Server. This ensures that the roles and access controls implemented in vCenter are always enforced and that users cannot bypass them by logging in to a host directly. Forcing all interaction to occur through vCenter Server greatly reduces the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited. Lockdown mode does not apply to users who log in using authorized keys: when an authorized key file is used for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode. Users listed in the DCUI.Access list for each host are allowed to override lockdown mode and log on to the Direct Console User Interface (DCUI). By default, the root user is the only user listed in the DCUI.Access list.
Dell EMC security standard
Enable lockdown mode for all VMware vSphere ESXi host systems, use DCUI for administration or authorized keys for Secure Shell (SSH) access where required.
VMware ESXi: ESXi.config-persistent-logs
Control description
Configure persistent logging for all VMware vSphere ESXi hosts.
Risk and vulnerability
VMware vSphere ESXi can be configured to store log files on an in-memory file system. This occurs when the host's /scratch directory is linked to /tmp/scratch. When this is done, only a single day's worth of logs is stored at any time, and log files are reinitialized upon each restart. This presents a security risk, as user activity logged on the host is stored only temporarily and does not persist across restarts. It also complicates auditing and makes it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore.
Dell EMC security standard
VMware vSphere ESXi host logging should always be configured to a persistent datastore.
VMware ESXi: vNetwork.reject-mac-changes
Control description
Ensure that the MAC Address Changes policy is set to Reject.
Risk and vulnerability
If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Setting the policy to Reject prevents virtual machines from changing their effective MAC address. It affects applications that require this functionality; for example, Microsoft Clustering, which requires systems to effectively share a MAC address. It also affects how a layer 2 bridge operates and affects applications that require a specific MAC address for licensing. An exception should be made for the port groups to which these applications connect.
Reject MAC Changes can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.
Dell EMC security standard
Ensure that the MAC Address Changes policy is set to Reject.
VMware ESXi: vNetwork.reject-forged-transmit
Control description
Ensure that the Forged Transmits policy is set to Reject.
Risk and vulnerability
If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network.
Forged transmissions are set to Accept by default. This means the virtual switch does not compare the source and effective MAC addresses.
To protect against MAC address impersonation, all virtual switches should have forged transmissions set to Reject. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.
Dell EMC security standard
Ensure that the Forged Transmits policy is set to Reject.
VMware ESXi: ESXi.disable-mob
Control description
Disable Managed Object Browser (MOB).
Risk and vulnerability
The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host. It also enables configurations to be changed. This interface is meant to be used primarily for debugging the VMware vSphere SDK. In vSphere 6.0 this is disabled by default.
Dell EMC security standard
Ensure MOB is disabled.
VMware ESXi: ESXi.firewall-enabled
Control description
Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host.
Risk and vulnerability
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Dell EMC security standard
Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.
VMware ESXi: ESXi.firewall-enabled
Control description
Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall exception is enabled for SSH client.
Risk and vulnerability
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Dell EMC security standard
Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.
VMware ESXi: ESXi.firewall-enabled
Control description
Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall exception enabled for NTP client.
Risk and vulnerability
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Dell EMC security standard
Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.
VMware ESXi: ESXi.firewall-enabled
Control description
Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall exception is enabled for syslog.
Risk and vulnerability
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Dell EMC security standard
Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.
VMware ESXi: ESXi.firewall-enabled
Control description
Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall is enabled for netdump.
Risk and vulnerability
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Dell EMC security standard
Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.
VMware ESXi: ESXi.DefaultPasswords.modify
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.
Dell EMC security standard
Ensure that passwords are rotated for built-in accounts.
VMware ESXi: ESXI.ShellTimeout.config
Control description
Configure session timeout to 15 minutes for the Unisphere console.
Risk and vulnerability
Establishing a timeout policy for idle sessions mitigates the risk of an unauthorized user performing unauthorized tasks on a host.
Dell EMC security standard
Ensure that idle ESXi Shell and Secure Shell (SSH) sessions timeouts are set to 15 minutes.
VMware ESXi: ESXI.CommandShell.disable
Control description
Disable ESXi Shell unless needed for diagnostics or troubleshooting.
Risk and vulnerability
The ESXi Shell bypasses VMware vCenter role-based access control (RBAC) and audit controls. Disabling this feature allows for a centralized audit system controlled by vCenter.
Only enable this feature to troubleshoot or resolve problems that cannot be fixed through the VMware vSphere client or vCLI.
Dell EMC security standard
Ensure that ESXi Shell is disabled unless needed for diagnostics or troubleshooting.
VMware ESXi: ESXi.SNMP.CommunityString
Control description
Define strong, non-trivial community strings where Simple Network Management Protocol (SNMP) is required.
Risk and vulnerability
By not changing the default community string, attackers can easily discover and potentially exploit or compromise the devices.
Dell EMC security standard
Ensure that the SNMP community strings are changed from the default to a non-trivial, customer-provided value.
VMware ESXi: ESXi.UnusedServices.disable
Control description
VMware vSphere ESXi is based on a hardened hypervisor operating system that is designed with minimum attack surface. However, the ESXi configuration should be reviewed to ensure that only required services are enabled in order to further reduce attack surface.
Risk and vulnerability
Unused services might provide system information or other functions that can be exploited to attempt to gain access to the system. Services that are not required should be disabled.
For example, if Simple Network Management Protocol (SNMP) is not used in the environment, it should be disabled.
Dell EMC security standard
Ensure that unused services are disabled.
VMware ESXi: ESXI.Auto-Password-Change-Policy.configure
Control description
A timer controls how often the vpxuser password must be changed.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.
Dell EMC security standard
Ensure that vpxuser auto-password change is set to automatically change by VMware vCenter every 30 days.
VMware ESXi: ESXi.Password.Complexity
Control description
Ensure that passwords meet complexity requirements.
Risk and vulnerability
To mitigate the risk of unauthorized access, it is important to use passwords that are not easily guessed and that are difficult for password-guessing tools to determine. Starting with vSphere 6.0, user passwords must meet the following requirements:
• Must contain characters from at least three character classes
• Passwords containing characters from three character classes must be at least seven characters long
• Passwords containing characters from all four character classes must be at least seven characters long
• Cannot contain a dictionary word or part of a dictionary word
Dell EMC security standard
Ensure that passwords meet complexity requirements.
VMware vCenter Single Sign On (SSO)
VMware SSO: SSO.verify-SSO-Password-policy
Control description
Sample password policy:
• Minimum password length of eight characters
• Maximum of three attempts to define a new password of acceptable value before the command fails
• Minimum of three characters that were not in the previous password
• Minimum of one numeral in the new password
• Configure default password expiration period for 90 days
Risk and vulnerability
To mitigate the risk of gaining unauthorized access, it is important to use passwords that are not easily guessed and that are difficult for password brute-force tools to determine.
Dell EMC security standard
Ensure that complex password policy is set for administrative accounts, particularly for [email protected] or accounts that are members of the Administrators group in vCenter.
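The ESXi complexity rules listed under ESXi.Password.Complexity and the sample SSO policy above can be expressed as checks a reviewer runs over candidate passwords. The Python module below is an added example, not Dell EMC or VMware code; its word list is a small constructed stand-in for the system dictionary, and the 90-day expiration and the three-attempt retry limit are left to the appliance.

```python
"""Check candidate passwords against the two password policies stated in this guide.

Added example, not Dell EMC or VMware code. check_esxi_complexity() implements the
vSphere 6.0 ESXi rules (at least three character classes, minimum seven characters for
three or four classes, no dictionary word or part of one). check_sso_policy() implements
the sample vCenter SSO policy (minimum eight characters, at least one numeral, at least
three characters not present in the previous password). Expiration and the retry limit
are enforced by the appliance and are not modelled here.
"""
import string

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed stand-in for the system dictionary consulted by the ESXi password check.
SAMPLE_DICTIONARY = {"password", "vmware", "admin", "summer", "welcome", "esxi"}


def character_classes(pw):
    """Return the set of character-class names present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def contains_dictionary_word(pw, dictionary, min_len=4):
    """True if a dictionary word, or a fragment of one at least min_len characters long,
    appears anywhere in pw (case-insensitive)."""
    lowered = pw.lower()
    for word in dictionary:
        word = word.lower()
        if word in lowered:
            return True
        # "part of a dictionary word": slide a min_len window over the word
        for i in range(len(word) - min_len + 1):
            if word[i:i + min_len] in lowered:
                return True
    return False


def check_esxi_complexity(pw, dictionary=SAMPLE_DICTIONARY):
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    n_classes = len(character_classes(pw))
    if n_classes < 3:
        problems.append(f"only {n_classes} character class(es); at least three required")
    # The guide sets the same minimum, seven characters, for three and for four classes.
    if len(pw) < 7:
        problems.append(f"length {len(pw)} is below the seven-character minimum")
    if contains_dictionary_word(pw, dictionary):
        problems.append("contains a dictionary word or part of one")
    return problems


def check_sso_policy(new_pw, previous_pw=""):
    """Return violations of the sample SSO policy for new_pw relative to previous_pw."""
    problems = []
    if len(new_pw) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isdigit() for c in new_pw):
        problems.append("no numeral")
    # Count characters of the new password that occur nowhere in the previous one.
    new_chars = sum(1 for c in new_pw if c not in previous_pw)
    if new_chars < 3:
        problems.append(f"only {new_chars} character(s) not present in the previous password")
    return problems


if __name__ == "__main__":
    # Constructed candidates; none of these values is a real credential.
    for candidate in ("Tr0ub4dor&3", "Summer2018!", "abc123"):
        print(candidate, "->", check_esxi_complexity(candidate) or "meets ESXi complexity rules")
    print(check_sso_policy("Vx-Rack!2018", previous_pw="Vx-Rack!2017"))
```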
VMware vSphere Update Manager
VMware vSphere Update Manager: VUM.audit-vum-login
Control description
Ensure VMware vSphere Update Manager administrator account passwords are changed from system build defaults.
Risk and vulnerability
Once someone logs on to vSphere Update Manager, it becomes more difficult to limit what they can do. In general, logging on to the Update Manager system should be limited to highly privileged administrators, and then only for the purpose of administering vSphere Update Manager or the host operating system. Anyone logged on to Update Manager can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes.
To run and use Update Manager, you must use a local system account for the machine on which Update Manager is installed. (Refer to http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.update_manager.doc/GUID-3632A492-0462-47CF-BC70-C636544F800D.html.)
Note that in VUM 6.0 U1, the plugin for the Web Client is installed automatically and all VUM functionality is available: http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-update-manager-60u1-release-notes.html
Dell EMC security standard
Ensure that the administrator account password for vSphere Update Manager is changed to a unique, sufficiently complex value.
VMware vSphere Update Manager: VUM.NTP.config
Control description
Ensure VMware vSphere Update Manager system components are configured to synchronize with a trusted Network Time Protocol (NTP) time source.
Risk and vulnerability
Ensuring that all systems use the same relative time source (including the relevant localization offset) and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time—UTC), makes it simpler to track and correlate an intruder’s actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate. Incorrect time settings can also introduce log on issues and certificate issues with the Platform Services Controller, as all components rely on coordinated time.
Native time synchronization software, such as NTP, is typically more accurate than VMware Tools periodic time synchronization and is therefore preferred.
Dell EMC security standard
Ensure that a trusted NTP time source is configured using a customer-provided NTP source.
VMware vCenter Server Appliance (VCSA)
VMware Virtual Center Server Appliance: VCSA.DefaultPasswords.modify
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system. For VMware vCenter Server Appliance (VCSA), two accounts in particular to audit are the root account of the virtual appliance (based on a hardened SUSE Linux OS) and the vCenter SSO administrator account [email protected] (or other accounts in the Administrator group).
The vCenter Server Appliance (VCSA) 6.0 releases enforce local account password expiration after 90 days by default. This policy locks out the root account when the password expiration date is reached. For more information, see https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2069041
Dell EMC security standard
Ensure that passwords are rotated for built-in accounts.
VMware Virtual Center Server Appliance: VCSA.SNMP.CommunityString
Control description
Define strong, non-trivial community strings where Simple Network Management Protocol
(SNMP) is required.
Risk and vulnerability
By not changing the default community string, attackers can easily discover and potentially exploit or compromise the devices.
Dell EMC security standard
Ensure that the default community strings Public and Private are changed to unique, non-trivial values.
VMware Virtual Center Server Appliance: VCSA.Logging.config
Control description
Log all successful interactive device management access using centralized syslog.
Risk and vulnerability
Logging all successful interactive device management access enables the correlation of events to be viewed when a device is accessed by a host. Not having this in place can negatively impact log review or correlations of events.
Dell EMC security standard
Ensure customer-defined remote syslog server is set. In the absence of a customer-defined remote syslog server, Dell EMC sets the Vision™ Intelligent Operations appliance to collect syslog messages.
VMware Virtual Center Server Appliance: VCSA.NTP.Config
Control description
Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log timestamps.
Risk and vulnerability
By not using a centralized, consistent time source, event detection and audits are difficult and may be inaccurate.
Dell EMC security standard
NTP is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log timestamps.
VMware Virtual Center Server Appliance: VCSA.Unused-Services.Disable
Control description
Simple Network Management Protocol (SNMP) is used for managing devices on an IP network. SNMP can be used to only read information as well as set (write) information.
Risk and vulnerability
If SNMP is not used in the environment, it cannot be exploited.
Dell EMC security standard
SNMP is used for managing devices on an IP network. SNMP can be used to only read information as well as set (write) information.
VMware vNetwork
VMware vNetwork: vNetwork.Forged-MAC-address.policy
Control description
By default, forged transmissions are accepted on standard virtual switches and rejected on distributed virtual switches. When accepted, the virtual switch does not compare source and effective MAC addresses. This allows frames with different source and effective MAC addresses to be transmitted.
Risk and vulnerability
Effective MAC addresses might be changed to impersonate other network devices.
Dell EMC security standard
Set to Reject.
VMware vNetwork: vNetwork.PromiscuousMode.config
Control description
When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the dvPortgroup have the potential to read all packets across that network. By default, promiscuous mode is set to Reject on standard virtual switches and distributed virtual switches.
Risk and vulnerability
Any user logged in to a virtual machine connected to the same dvPort can potentially view traffic destined for other guest or host operating systems.
Dell EMC security standard
Set to Reject.
VMware vNetwork: vNetwork.Mgt-Segmentation.config
Control description
Management interfaces provide access to the VMware vSphere components. Access to these interfaces is not required for normal users to use virtual machines.
Risk and vulnerability
VMware management interfaces might be attacked and exploited if connected to noncontrolled networks. This can be mitigated by ensuring management traffic is on a restricted network.
Dell EMC security standard
Management interfaces provide access to the vSphere components. Access to these interfaces is not required for normal users to use virtual machines.
VMware vNetwork: vNetwork-Management Network-Access Control.config
Control description
Strictly control access to management network to specific hosts.
Risk and vulnerability
The management network is necessary for administration and support purposes and needs to be secured on par with the most secure virtual machine running on a host/cluster.
Dell EMC security standard
Strictly control access to management network to specific hosts.
VMware vNetwork: vNetwork-Network configuration.verify
Control description
Ensure that all virtual switch VLANs are fully documented and have only required VLAN on trunks.
Risk and vulnerability
Use best practices to restrict the VLANs required on the VLAN trunk link to only the required VLANs and document accordingly. Unneeded VLANs might enable an administrator to either accidentally or maliciously connect a virtual machine to an unauthorized VLAN.
Dell EMC security standard
Ensure that all virtual switch VLANs are fully documented and have only required VLAN on trunks.
VMware vNetwork: vNetwork.Reject.MAC-address-changes.Config
Control description
Each virtual network adaptor has an effective MAC address that filters out incoming network traffic with a destination address different from the effective address. By default, requests to change the effective MAC address are set to Accept and MAC address changes are set to Accept on standard virtual switches and Reject on distributed virtual switches.
Risk and vulnerability
By changing the effective MAC address, the virtual network adapter can pass frames with an impersonated source MAC address and perform network-based attacks by impersonating an authorized network adaptor.
Dell EMC security standard
Set to Reject.
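The MAC Address Changes, Forged Transmits and Promiscuous Mode controls in this guide all share one evaluation rule: a port group's explicit setting overrides the switch-level setting, and anything not overridden inherits from the switch. The Python audit below applies that rule and reports every port group whose effective policy is not Reject. It is an added example, not Dell EMC or VMware code; the switch inventory and the Microsoft Clustering exception list are constructed for the demonstration.

```python
"""Compute the effective vSwitch security policy per port group and flag deviations.

Added example, not Dell EMC or VMware code. Models the rule stated in the guide: the
three policies (MAC Address Changes, Forged Transmits, Promiscuous Mode) are set at the
vSwitch level and may be overridden per port group; the baseline value for all three is
Reject. The inventory and the clustering exception below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POLICIES = ("mac_changes", "forged_transmits", "promiscuous_mode")
BASELINE = {p: "Reject" for p in POLICIES}

# Defaults as stated in the guide for a standard vSwitch (VSS) and a distributed switch (VDS).
VSS_DEFAULTS = {"mac_changes": "Accept", "forged_transmits": "Accept", "promiscuous_mode": "Reject"}
VDS_DEFAULTS = {"mac_changes": "Reject", "forged_transmits": "Reject", "promiscuous_mode": "Reject"}


@dataclass
class PortGroup:
    name: str
    # Only the policies this port group explicitly overrides; the rest inherit.
    overrides: Dict[str, str] = field(default_factory=dict)


@dataclass
class VSwitch:
    name: str
    kind: str                      # "standard" or "distributed"
    policy: Dict[str, str]         # switch-level settings (explicit or defaults)
    portgroups: List[PortGroup]


def effective_policy(switch: VSwitch, pg: PortGroup) -> Dict[str, str]:
    """Port-group overrides win; policies without an override inherit the switch value."""
    return {p: pg.overrides.get(p, switch.policy[p]) for p in POLICIES}


def audit_switch(switch: VSwitch, exceptions: Optional[Dict[str, set]] = None) -> List[str]:
    """Return findings such as 'vSwitch0/VM Network: forged_transmits=Accept (inherited)'.

    exceptions maps a port-group name to the set of policies allowed to be Accept there,
    e.g. a port group carrying Microsoft Clustering traffic (an exception the guide permits).
    """
    exceptions = exceptions or {}
    findings = []
    for pg in switch.portgroups:
        eff = effective_policy(switch, pg)
        for p in POLICIES:
            if eff[p] == BASELINE[p]:
                continue
            if p in exceptions.get(pg.name, set()):
                continue  # documented exception for this port group
            source = "override" if p in pg.overrides else "inherited"
            findings.append(f"{switch.name}/{pg.name}: {p}={eff[p]} ({source})")
    return findings


def build_sample() -> List[VSwitch]:
    """Constructed inventory: a VSS left at its defaults plus a VDS with one risky override."""
    vss = VSwitch("vSwitch0", "standard", dict(VSS_DEFAULTS), [
        PortGroup("Management Network"),
        PortGroup("VM Network", overrides={"mac_changes": "Reject"}),
        PortGroup("MSCS-Heartbeat"),   # clustering: legitimately needs the two MAC policies
    ])
    vds = VSwitch("dvs-prod", "distributed", dict(VDS_DEFAULTS), [
        PortGroup("dvpg-app"),
        PortGroup("dvpg-monitor", overrides={"promiscuous_mode": "Accept"}),
    ])
    return [vss, vds]


# Hypothetical exception list: the clustering port group may keep Accept for these two.
SAMPLE_EXCEPTIONS = {"MSCS-Heartbeat": {"mac_changes", "forged_transmits"}}


def audit_all(switches=None, exceptions=SAMPLE_EXCEPTIONS) -> List[str]:
    findings = []
    for sw in switches or build_sample():
        findings.extend(audit_switch(sw, exceptions))
    return findings


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```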
VMware vSphere Distributed Switch and DVS networking
VMware vSphere vSwitch and DVS networking: vNetwork.isolate-mgmt-network-vlan
Control description
Ensure that VMware vSphere management traffic is on a restricted network.
Risk and vulnerability
The VMware vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network.
Dell EMC security standard
Ensure that management interfaces and traffic are restricted to controlled, management-specific networks.
VMware vSphere vSwitch and DVS networking: vNetwork.isolate-vmotion-network-vlan
Control description
Ensure that VMware vMotion traffic is isolated.
Risk and vulnerability
VMware vMotion migrations transmit information in plain text that can be viewed by anyone with access to the network over which this information flows. Potential attackers might intercept vMotion traffic to obtain memory contents of a virtual machine. They might also potentially stage a man-in-the-middle attack in which the contents are modified during migration. Ensure that vMotion traffic is separate from production traffic on an isolated network. This network should be non-routable (no layer-3 router spanning this and other networks), which prevents any outside access to the network.
Dell EMC security standard
Ensure that VMware vMotion traffic is isolated and restricted to prevent exposure and compromise.
VMware vSphere vSwitch and DVS networking: vNetwork.isolate-storage-network-vlan
Control description
Ensure IP-based storage traffic is isolated.
Risk and vulnerability
Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This type of configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network should be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from the VMkernel management and service console network limits unauthorized users from viewing the traffic.
Dell EMC security standard
Ensure that IP-based storage traffic is isolated and restricted to prevent exposure and compromise.
VMware vSphere Web Client
VMware vSphere Web Client: vCenter.web-client-timeout
Control description
Ensure the VMware vSphere Web Client session setting is modified to terminate Web sessions that have been idle for 15 minutes.
Risk and vulnerability
Configuring session timeouts to 15 minutes terminates and disconnects idle administrator sessions, reducing the risk of unauthorized access to the vSphere Web Client and its managed resources.
Dell EMC security standard
Ensure the vSphere Web Client session setting is set to terminate Web sessions that have been idle for 15 minutes.
Management layer security baseline
VxRack Controller nodes
VxRack Controller - Default Passwords Change
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.
Dell EMC security standard
Ensure that passwords are rotated for the built-in administrator account.
VxRack Controller - Disable Telnet
Control description
Disable Telnet.
Risk and vulnerability
Telnet is not a secure protocol, as it transmits data in clear text.
Dell EMC security standard
Ensure that Telnet is disabled. This is configured using the Dell iDRAC Web Console.
In iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for Telnet, and click Apply.
VxRack Controller - Disable SSH
Control description
Disable SSH.
Risk and vulnerability
Removing unnecessary services, protocols and scripts reduces the attack vectors a potential attacker could exploit to gain access to sensitive information.
Dell EMC security standard
Ensure SSH is disabled. This is configured using the Dell iDRAC Web Console.
In iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for SSH, and click Apply.
VxRack Controller - Disable IPMI over LAN
Control description
Disable IPMI over LAN.
Risk and vulnerability
IPMI v2.0 has multiple high-severity vulnerabilities, and currently there are no patches to fix them. A potential attacker could exploit these vulnerabilities remotely to obtain the hashed password of the root user and use an offline password-cracking tool to discover the password.
Dell EMC security standard
Ensure IPMI over LAN is disabled if IPMI is not needed by any management components.
This is configured using the Dell iDRAC Web Console.
In iDRAC UI, under iDRAC settings > Network > IPMI Settings, uncheck the box titled Enable IPMI Over LAN, and click Apply.
VxRack Controller - Server access using HTTPS
Control description
To remotely access the Dell server, use secure communication:
• HTTPS (TCP port 443)
Risk and vulnerability
For any activity conducted remotely, the use of secure protocols adds layers of protection to the transmission of data for those sessions.
Dell EMC security standard
HTTPS is enabled by default, and TLS 1.2 Only is selected by default.
In iDRAC UI, under iDRAC settings > Network > Services, verify that HTTPS is enabled and that TLS 1.2 Only is selected.
VxRack Controller - Strong community strings
Control description
Define strong, non-trivial community strings where SNMP is required.
Risk and vulnerability
By not changing the default community string, attackers can more easily discover and potentially exploit or compromise the devices.
Dell EMC security standard
Ensure that the read-only community string is changed from "Public".
In iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, define a new SNMP Community Name, and click Apply.
VxRack Controller - Use SNMP V3
Control description
Use SNMP v3.
Risk and vulnerability
SNMP v3 improves security by introducing encryption, integrity checking, and an improved user authentication model.
Dell EMC security standard
Make sure SNMP v3 is selected.
In iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, check SNMP v3, and click Apply.
VxRack Controller - Disable VNC
Control description
Disable VNC.
Risk and vulnerability
Disable VNC to reduce the attack surface.
Dell EMC security standard
Make sure VNC is unchecked in the iDRAC web UI.
In iDRAC UI, under iDRAC settings > Network > Services > VNC Server, uncheck the box for Enable VNC Server, and click Apply.
VxRack Controller - Disable XML
Control description
Disable XML configuration file import directly from the USB port.
Risk and vulnerability
The USB port allows iDRAC management access from a laptop or tablet connected to the USB port, or applying an XML configuration file directly to the server. An attacker could potentially upload an arbitrary configuration file to the server.
Dell EMC security standard
In iDRAC UI, under iDRAC settings > Hardware > USB Management Port > iDRAC Managed: USB XML Configuration, select Disabled.
VxRack Controller - Configure syslogs
Control description
Centralization of logs increases administration and security investigation capabilities. By configuring hosts to use a central logging server, aggregate analysis and searches become possible and provide visibility into events impacting multiple hosts.
Risk and vulnerability
Operational or security-related alerts and events may be missed when logs are not centrally managed.
Dell EMC security standard
In iDRAC UI, under Logs > Settings, check Remote Syslog Settings, and define up to three syslog server IP addresses.
VxRack Controller - Configure NTP
Control description
Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems on a network. Setting all Vblock System components to the same time source ensures system stability and accuracy of log time stamps.
Risk and vulnerability
By not using a centralized, consistent time source, event detection and audits are difficult and may be inaccurate.
Dell EMC security standard
In iDRAC UI, under iDRAC Settings > Settings, check the Enable Network Time Protocol (NTP) box, define up to three NTP server IP addresses, and click Apply.
VxRack Controller - Disable USB ports
Control description
The built-in USB ports should be used on an "as needed" basis.
Risk and vulnerability
An attacker could use a USB port to introduce malware to the server.
Dell EMC security standard
In BIOS settings > System BIOS Settings > Integrated Devices > Internal USB Port, set it to Off.
VxRack Controller - Disable remote RACADM
Control description
RACADM provides CLI scripting capability to control and configure the servers. Remote RACADM allows the RACADM tool, running on a workstation, to remotely execute commands against the server's iDRAC interface. It uses SSL for communications between the workstation and the iDRAC interface.
Risk and vulnerability
If this feature is not required, disable remote RACADM to reduce the attack surface and prevent an attacker from remotely issuing commands against the server, such as power operations or configuration changes.
Dell EMC security standard
This feature is enabled by default. Make sure it is disabled.
In the iDRAC UI, under Network > Services, uncheck Remote RACADM and click Apply.
VxRack Controller - Disable iDRAC over SOL
Control description
iDRAC can be accessed through SOL (Serial Over LAN). This allows remote access to the server using SSH, connection to the server serial ports (COM1 or COM2, depending on the BIOS setting), and running iDRAC commands.
Risk and vulnerability
Disable iDRAC over SOL to reduce the attack surface and prevent an attacker from remotely issuing commands against the server, such as power operations or configuration changes.
Dell EMC security standard
To disable, in the iDRAC UI, under Network > Serial Over LAN, uncheck Enable Serial Over LAN and click Apply.
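As an added example (not Dell EMC code), the following Python script checks an iDRAC attribute export against the VxRack Controller controls above (Telnet, SSH, IPMI over LAN, VNC, remote RACADM and SOL disabled; HTTPS with TLS 1.2 Only; SNMP v3 with a non-default community string; remote syslog and NTP configured). It assumes the "Group.Attribute=Value" line format that racadm get prints; the attribute names, the "SNMPv3" protocol value and the 12-character community-string minimum are assumptions, and the export is constructed sample data.

```python
"""Check an iDRAC attribute export against the VxRack Controller baseline.

Added example, not Dell EMC code. Input is one "Group.Attribute=Value" line per
attribute, the form that racadm get prints. The attribute names below are
assumptions modelled on that format; confirm them against your iDRAC release
before relying on the result. Any attribute that is missing from the export is
treated as non-compliant, so a partial export never passes silently.
"""

# Constructed sample export with several controls still at their defaults.
SAMPLE_EXPORT = """\
iDRAC.Telnet.Enable=Enabled
iDRAC.SSH.Enable=Disabled
iDRAC.IPMILan.Enable=Enabled
iDRAC.VNCServer.Enable=Disabled
iDRAC.Racadm.Enable=Enabled
iDRAC.IPMISOL.Enable=Disabled
iDRAC.WebServer.Enable=Enabled
iDRAC.WebServer.TLSProtocol=TLS 1.1 and Higher
iDRAC.SNMP.AgentEnable=Enabled
iDRAC.SNMP.AgentCommunity=public
iDRAC.SNMP.SNMPProtocol=All
iDRAC.SysLog.SysLogEnable=Disabled
iDRAC.SysLog.Server1=
iDRAC.NTPConfigGroup.NTPEnable=Enabled
iDRAC.NTPConfigGroup.NTP1=10.0.0.1
"""


def parse_export(text):
    """Turn "Key=Value" lines into a dict; blank lines and comments are skipped."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def _is(attrs, key, expected):
    """Case-insensitive equality; a missing attribute never matches."""
    return attrs.get(key, "").lower() == expected.lower()


def _any_set(attrs, prefix, count):
    """True if at least one of prefix1..prefixN carries a non-empty value."""
    return any(attrs.get(f"{prefix}{i}", "").strip() for i in range(1, count + 1))


def _strong_community(attrs):
    """Not the vendor default "public" and (assumed threshold) at least 12 chars."""
    value = attrs.get("iDRAC.SNMP.AgentCommunity", "")
    return value.lower() != "public" and len(value) >= 12


# One entry per control in the VxRack Controller section: (control, predicate).
BASELINE = [
    ("Disable Telnet", lambda a: _is(a, "iDRAC.Telnet.Enable", "Disabled")),
    ("Disable SSH", lambda a: _is(a, "iDRAC.SSH.Enable", "Disabled")),
    ("Disable IPMI over LAN", lambda a: _is(a, "iDRAC.IPMILan.Enable", "Disabled")),
    ("Disable VNC", lambda a: _is(a, "iDRAC.VNCServer.Enable", "Disabled")),
    ("Disable remote RACADM", lambda a: _is(a, "iDRAC.Racadm.Enable", "Disabled")),
    ("Disable Serial Over LAN", lambda a: _is(a, "iDRAC.IPMISOL.Enable", "Disabled")),
    ("HTTPS with TLS 1.2 Only",
     lambda a: _is(a, "iDRAC.WebServer.Enable", "Enabled")
     and _is(a, "iDRAC.WebServer.TLSProtocol", "TLS 1.2 Only")),
    ("Strong SNMP community string", _strong_community),
    ("SNMP v3 only", lambda a: _is(a, "iDRAC.SNMP.SNMPProtocol", "SNMPv3")),
    ("Remote syslog configured",
     lambda a: _is(a, "iDRAC.SysLog.SysLogEnable", "Enabled")
     and _any_set(a, "iDRAC.SysLog.Server", 3)),
    ("NTP configured",
     lambda a: _is(a, "iDRAC.NTPConfigGroup.NTPEnable", "Enabled")
     and _any_set(a, "iDRAC.NTPConfigGroup.NTP", 3)),
]


def audit(attrs):
    """Return the names of the baseline controls the export does not satisfy."""
    return [name for name, ok in BASELINE if not ok(attrs)]


if __name__ == "__main__":
    findings = audit(parse_export(SAMPLE_EXPORT))
    for name in findings:
        print(f"FAIL  {name}")
    print(f"{len(BASELINE) - len(findings)}/{len(BASELINE)} controls satisfied")
```

The USB-port and BIOS controls are not visible in such an export and still need the manual checks described above.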
System infrastructure security baseline
Panduit Power Distribution Unit (PDU)
Panduit PDU: Panduit.Passwords.Modify
Control description
Change the passwords for all default accounts.
Risk and vulnerability
Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.
Dell EMC security standard
Change the passwords for all default accounts.
Panduit PDU: Panduit.NTP.Configure
Control description
Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log timestamps.
Risk and vulnerability
By not using a centralized, consistent time source, event detection and audits are difficult and may be inaccurate.
Dell EMC security standard
NTP is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log timestamps.
Panduit PDU: Panduit.SNMPCommunityString.Configure
Control description
Define PDU traps and strong, non-trivial community strings where Simple Network Management Protocol (SNMP) is required.
Risk and vulnerability
By not changing the default community string, attackers can easily discover and potentially exploit or compromise the devices.
Dell EMC security standard
Define PDU traps and strong, non-trivial community strings where SNMP is required.
Panduit PDU: Panduit.Unused-Services.Disable
Control description
Simple Network Management Protocol (SNMP) is used for managing devices on an IP network. SNMP can be used to only read information as well as set (write) information.
Risk and vulnerability
If SNMP is not used in the environment, it might be exploited.
Dell EMC security standard
SNMP is used for managing devices on an IP network. SNMP can be used to only read information as well as set (write) information.
Panduit PDU: Panduit.Logging.Configure
Control description
Log all successful interactive device management access using centralized syslog.
Risk and vulnerability
Logging all successful interactive device management access enables the correlation of events to be viewed when a device is accessed by a host. Not having this in place can negatively impact log review or correlation of events.
Dell EMC security standard
Log all successful interactive device management access using centralized syslog.
Panduit PDU: Panduit.Administrative-Access.Configure
Control description
Use secure protocols such as HTTPS instead of HTTP.
Risk and vulnerability
Using encrypted protocols for device management prevents transmission of authentication credentials in clear text.
Dell EMC security standard
Use secure protocols such as HTTPS instead of HTTP.
Log management
This section describes the locations for internal component log files and managing remote system log files.
Internal component log file locations
MDM
Operating system | File path
Linux | /opt/emc/scaleio/mdm/logs
Windows | C:\Program Files\emc\scaleio\mdm\logs
Gateway
Operating system | File path
Linux | /opt/emc/scaleio/gateway/logs
Windows | C:\Program Files\emc\scaleio\gateway\logs
Configuring an external syslog server for remote logging
Syslog servers are configured and managed using the following CLI commands:
• To configure the server and start remote logging: scli --start_remote_syslog --remote_syslog_server_ip <IP> --remote_syslog_server_port <PORT> --syslog_facility <FACILITY> where:
— IP is the IP address of the remote server.
— PORT is the port number for the remote server.
— FACILITY is a value from 0-23 and is assigned to identify the source of a message from a server.
• To stop remote logging: scli --stop_remote_syslog --remote_syslog_server_ip <IP>
Certificate management
Communications between Meta Data Manager (MDM) and external components (such as IM client, CLI client, GUI client, vSphere plug-in and ScaleIO gateway) are encrypted using TLSv1.
Certificates for MDM and ScaleIO Data Server (SDS) are generated during installation. New certificates can be generated using the following CLI commands:
• For MDM: generate_mdm_certificate
• For SDS: generate_certificate
Operationalizing Converged Systems
This section describes procedures for operationalizing Converged Systems.
Integrating a new Converged System into a live environment
Converged Systems represent an easy transition to converged infrastructure and virtualization. The rapid and straightforward deployment of Converged Systems should not preclude you from applying company standards. Consider that the Converged System is a new piece in your environment that requires many of the same policies applied to it as your existing infrastructure. The following are some suggestions for integrating new Converged Systems.
• Apply your existing security policies to the Converged System.
• Use the settings referenced in this document as a starting point.
• Ensure appropriate training of your technical support personnel.
• Leverage Vision Intelligent Operations for assessment and compliance of system configuration against Converged System benchmarks (or custom-tailored Vision software compliance benchmarks).
Ongoing security administration
Converged Systems ship with a default hardened configuration on all components, but these are not intended to be a complete security solution.
Dell EMC security baselines provide a starting point from which you can build a comprehensive security solution that can be managed as part of your existing infrastructure. Make sure the security considerations covered in this document, such as change management, patch management, monitoring, are applied to your Converged System.
To assist in managing your Converged System, Dell EMC releases a new Release Certification Matrix
(RCM) each month. This document describes currently supported versions of hardware and software, and contains information about code revisions and why they were chosen. Regularly review this document to help keep your Converged System current.
As with any new system, ensure it is integrated into your existing security architecture.
• Integrate the Converged System into your log management system or Security Information & Event Management (SIEM).
• Ensure appropriate coverage by your intrusion detection/prevention systems.
• Ensure your security, compliance and internal audit departments are familiar with the Converged System and its components and related operational processes.
• Leverage available Dell EMC documentation that details system components and subsequent expansions, upgrades, and extensions, as well as Vision Intelligent Operations compliance reporting capabilities.
• Ensure administrative and guest workloads have malware protection and are fully incorporated into the patch monitoring and application process, subject to the constraints of the RCM.
Operational checklist
The following list details activities to further secure your Converged System and fully integrate it into your existing architecture. This is a starting point for securing Converged Systems; a more extensive checklist is required for broader security strategies.
• Configure centralized Authentication, Authorization and Accounting (AAA) and use Role Based Access Controls (RBAC).
• Incorporate multi-factor authentication (for example, with RSA SecurID) if required by your security policy.
• Configure and verify log collection for all event sources in your environment. If no syslog preference is defined, all logs are forwarded to Vision Intelligent Operations. By centrally collecting all Converged System events, all logs can be easily integrated into an existing, onsite event management system.
• Configure/verify that Network Time Protocol (NTP) is configured properly for your environment. It is preferable to use authenticated NTP where possible.
• Change default, self-signed certificates on all devices to those provided by a third party certificate authority.
• Disable unneeded services on network equipment and in operating systems per your current policies.
• Enable additional protections for networking systems per vendor recommendations.
• Apply additional VMware hardening guidelines that might apply to your specific environment.
• Deploy additional protections such as perimeter firewalls, virtual firewalls, IDS/IPS, SIEM per security policy.
• Socialize the Converged System with your computer security incident response team so that the appropriate response plans can be updated.
• Per your security policy, run system vulnerability assessments to understand specific areas of concern.
• Snapshot existing system configurations in order to track configuration drift.
• Arrange disaster recovery (DR) capabilities for administrative VMs and for key supporting systems. Depending on the organization's risk profile, the DR plans may require a geographical element.
Converged System password management
This section contains instructions for modifying the default administrator and/or root accounts and passwords for Converged System components.
Default accounts and passwords are configured by the vendor or during the initial Dell EMC manufacturing build. Such accounts and passwords, if not changed, could be used to compromise the system in production. Modifying the default passwords enhances customer security and facilitates handing over credentials modification from Dell EMC manufacturing to the customer.
Compute
Changing the VxRack System FLEX enclosure password
Use the iDRAC Web console to change the root password.
Procedure
1. Open a Web browser. Type: https://<ip_address_of_iDRAC>
2. Log on as root.
3. Expand iDRAC Settings.
4. Select User Authentication.
5. Select User ID 2. ID 2 is the root user.
6. Enable Configure User and click Next.
7. Change the password.
a. Enable Change Password.
b. In New Password, type the new password.
c. In Confirm New Password, re-type the new password.
d. Click Apply.
Storage
ScaleIO default accounts
The following are default accounts for ScaleIO:
Account: Installation Manager (IM) admin
Details:
• Download IM CLI file
• Issue installation commands in IM CLI or IM Web client
Account: Light Installation Agent (LIA) account
Details:
• Used for communication between SVM/MDM and SIO-GW
Account: SVM root
Account: MDM admin
Details:
• Full administration privileges to all configuration and monitoring activities through the VMware vSphere plug-in
• Full administration privileges to all configuration and monitoring activities through the CLI and GUI
When changing default account passwords, passwords must meet the following criteria:
• Between 6 and 31 characters
• Include at least three of the following groups:
— [a-z]
— [A-Z]
— [0-9]
— Special characters (!@#$...)
• No white spaces
Changing the Installation Manager admin password
Procedure
1. Log on to the Installation Manager Web client user admin account.
2. Click Download CLI. Save the file install-CLI.jar on the local machine running the Web client.
3. Use SSH to log on to the IM/GW VM as root.
4. Use SCP to copy the install-CLI.jar file to the /opt/emc/scaleio/gateway folder.
5. Type /opt/emc/scaleio/gateway/java -jar install-CLI.jar to load the EMC ScaleIO Installation Manager CLI shell.
6. Type the following IM CLI command: im generate_password --im_password <ADMIN_PASSWORD> --config_file "<CONFIG_FILE_FULL_PATH>"
The configuration file gatewayUser.properties for Linux OS is located under /opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/
7. Type quit to exit the ScaleIO IM shell.
8. Type service scaleio-gateway restart to restart the gateway service.
9. Log on to the Web client with the new password.
Changing the Light Installation Agent password
About this task
Light Installation Agent (LIA) establishes trust with the Installation Manager through a configurable token.
The LIA token is stored in /opt/emc/scaleio/lia/cfg/conf.txt on each SVM. The password is set at initial installation.
During installation, the IM password and the LIA token are stored in hashed format.
Before you begin
To change the token after LIA runs, you must change the line in the configuration file and restart LIA.
Procedure
1. Write the password (or token) in plaintext in the LIA conf file /opt/emc/scaleio/lia/cfg/conf.txt ("lia_token=XXX").
2. Restart the LIA service.
3. After the restart, on the first startup, the LIA applies a hash to the password and rewrites the conf.txt file token with the hashed value.
Changing the SVM root password
Procedure
1. Use SSH to connect to the EMC ScaleIO SVM and log on as root.
2. Type passwd and press Enter.
3. Type the new password and press Enter.
4. Retype the password and press Enter.
Changing the default admin MDM password
Procedure
1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: # scli --set_password
4. Type the old password and press Enter.
5. Type the new password and press Enter.
6. Re-type the new password and press Enter.
What to do next
After the MDM admin password is changed, log on to VMware vCenter using the VMware vSphere Web Client and open the EMC ScaleIO plug-in.
1. Click ScaleIO Systems. The cluster state shows as Disconnected-Invalid credentials.
2. Select the ScaleIO cluster. Click Actions and select Update system credentials.
3. In the User name field, type admin. In the Password field, type the new password defined above. Click OK.
4. Go back to the Cluster Status window. The cluster status shows as Normal.
ScaleIO user-defined accounts
Additional user accounts can be added to the ScaleIO MDM. A user role must be assigned.
User role | Query | Configuration parameters | Configuration user credentials
Monitor | Yes | No | No
Configurator | Yes | Yes | No
Backend Configurator | Yes | Yes (backend operations only) | No
Frontend Configurator | Yes | Yes (frontend operations only) | No
Administrator | Yes | Yes | May configure Configurator and Monitor users
Security Role | No | No | May define Administrator users and control LDAP
Super User | Yes | Yes | Yes
Only one Super User is allowed per system, and it must be a local user.
Adding a user
To add a user:
1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: scli --add_user --username <NAME> --user_role <Monitor|Configure|Administrator>
Modifying a user
To modify a user:
1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: scli --modify_user --username <NAME> --user_role <Monitor|Configure|Administrator>
Deleting a user
To delete a user:
1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: scli --delete_user --username <NAME>
Displaying users and roles
To display users and roles:
1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: scli --query_users
4. Type the following command: scli --query_user --user_id <ID> | --username <NAME>
Generating a hashed password
To generate a hashed password for an MDM user on the ScaleIO Gateway, type the following command: im generate_mdm_password --mdm_password <PASSWORD> --config_file /opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/gatewayUser.properties
Virtualization
Changing a VMware ESXi host root password
For security reasons it might be necessary to change the password for the root user on a VMware ESXi host after installation.
Use any of the following methods to change the root password for the VMware ESXi host:
• vSphere Client
• ESXi shell command
• ESXi host System Customization menu
Changing the password using VMware vSphere Client
Before you begin
Log on to the ESXi host service console as root user.
Procedure
1. Log on to VMware vSphere Client.
2. Click Home > Inventory.
3. In the left pane, select the ESXi server name or IP address. Tabs for the server appear in the right pane.
4. Select the Local Users & Groups tab.
5. Double-click the root user.
6. Select Change password.
7. In the Edit User - root dialog box, enter and confirm a new password.
8. Click OK.
Changing the password using the ESXi shell command
Before you begin
Log on to the ESXi host service console as root user.
You can also acquire root privileges by executing the su command.
Procedure
1. When prompted, type the current password.
2. To change the root password, type: passwd root
3. Type the new root password. Press Enter.
4. Verify the password by typing it again.
Changing the password using the ESXi host System Customization menu
Before you begin
Log on to the ESXi host service console as root user.
You can also acquire root privileges by executing the su command.
Procedure
1. From the System Customization menu of the ESXi host, use the keyboard arrows to select Configure Password. Press Enter.
2. In the Configure Password dialog box, fill in the required fields to change the password:
a. Type the Old Password of the ESXi host.
b. Type the new root password in the New Password field. Re-type it in the Confirm Password field.
c. Press Enter.
Modifying the VMware vCenter Server Single Sign On password
Use this procedure to change the default password for the VMware vCenter Single Sign On administrator account.
Before you begin
Log on to the VMware vSphere Web Client and connect to vCenter.
Access the Web Client using either of the following methods:
• Open the browser and type the following URL: https://vcenterlp:9443/vsphere-client
• From the Start menu, choose All Programs > VMware > VMware vSphere Webclient.
Procedure
1. In the left pane, select Administration.
2. Under Administration, select SSO Users and Groups. The admin user displays in the right pane.
3. On the Users tab, right-click the admin user.
4. Set and confirm the password for the admin user account. Be sure to use a strong password, as the system validates the password before accepting it.
5. Click OK.
Changing virtual machine operating system administrative passwords
Use this procedure to change the virtual machine operating system server administrator password in Windows 2008 R2 and Windows 2012.
Changing the server administrator password in Windows 2008 R2
Use this procedure to change the server administrator password in a Windows 2008 R2 environment.
Procedure
1. Log in to the server using the Administrator account.
2. From the Start menu, select Control Panel > User Accounts > User Accounts.
3. Under Make changes to your user account, select Change your password.
4. Type your password in Current password.
5. In New password, type a new password.
6. Retype the password in Confirm new password.
7. In Type a password hint, provide a word or phrase to remind you of your password. This is optional.
8. Click Change password.
Changing the server administrator password in Windows 2012
Use this procedure to change the server administrator password in a Windows 2012 environment.
Procedure
1. Log in to the server using Remote Desktop.
2. Press the Windows key. Type Administrative tools.
3. Double-click Computer Management.
4. Expand Local Users and Groups. Select Users.
5. Right-click Administrator and choose Set Password.
6. Click Proceed.
7. Enter and confirm the new password.
8. Click OK.
Management
The VxRack System management software is installed on the VxRack Controller.
Changing the VxRack Controller password
Use the iDRAC Web console to change the root password.
Procedure
1. Open a Web browser. Type: https://<ip_address_of_iDRAC>
2. Log on as root.
3. Expand iDRAC Settings.
4. Select User Authentication.
5. Select User ID 2. ID 2 is the root user.
6. Enable Configure User and click Next.
7. Change the password.
a. Enable Change Password.
b. In New Password, type the new password.
c. In Confirm New Password, re-type the new password.
d. Click Apply.
Vision software credentials
Managing credentials involves changing the default passwords for Vision software to comply with your organization's security policies. It also involves changing access credentials for Converged System components.
When logging on to the VCE Vision dashboard, administrators are notified if any default passwords for Vision software are still in use and are prompted to change them.
Changing the default password for the root and vision accounts
The Vision Core virtual machine and the MSM virtual machine run on CentOS Linux and have a root user. You should change the default password for the root user on both VMs when you first start using Vision software.
About this task
You can also follow these steps to change the password for the vision user on the MSM virtual machine.
Before you begin
Start an SSH session to the VM and log on.
Procedure
1. Run the following command: passwd
2. Enter and then confirm the new password when prompted. The following is example output for a successful password change:
[root@hostname ~]# passwd
Changing password for user username.
New password:
Retype new password:
passwd: all authentication tokens updated successfully
You must also update the MSM credential manager service with the new password.
3. Use one of the following steps, depending on whether the password was changed on the Vision Core virtual machine or the MSM virtual machine.
— MSM virtual machine:
a. Run the following command to change the MSM password for credential manager to match the password changed with the passwd command:
/opt/vce/credential-management/bin/credential-manager-cli create -credentialprotocol SSH -credential-right ADMINISTRATOR -credential-type MSM -host-address MSM-IP -username <username>
where:
MSM-IP is the IP address for the MSM virtual machine.
newpassword is the new password. This must be the same as the new password provided on the passwd command.
username is either root or vision, depending on the account you are changing.
If the password for the MSM admin user account has been changed in a clustered environment, this command fails if the password is not synchronized with the other MSM nodes in the cluster.
The script prompts you for the new password.
b. Enter the new password.
When the password change is complete, the script returns the following message:
Successfully created credential for 'root' @ '10.11.12.13'
— Vision Core virtual machine:
a. Log on to the MSM virtual machine as the root user.
b. Type the following command to change the Vision Core virtual machine root user password for MSM:
/opt/vce/multivbmgmt/install/addSlibHost.sh <core_IPaddress>
where core_IPaddress is the IP address for the Vision Core virtual machine where the password was changed.
The script prompts you to update the configuration:
Would you like to update existing configuration? (yes/no) [Default = no]:
c. Respond by entering yes. The script prompts you for the root credentials:
Enter the SSH credentials for System Library host 10.20.30.40 (attempt 1 of 3).
User name [Default: root]:
d. Enter root (or press Enter) for the username.
e. Type the new password for the Vision Core virtual machine.
The script continues processing with a series of messages. When it has finished, the following message is displayed:
Vision System Library Host(s) at 10.20.30.40 have been added successfully!
The new password for the Vision Core virtual machine is picked up by the MSM virtual machine during the next collection cycle.
What to do next
You can optionally set a password aging policy for the account with the chage command. Run chage -h to view usage help.
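The following shell script is an added example and is not part of the Dell EMC guide. It applies a maximum password age to an account with chage and audits /etc/shadow for accounts whose password never expires, which is the usual state of root and vision after a fresh deployment. The 90-day maximum, 1-day minimum and 14-day warning period are assumed values; substitute the values from your own policy. The shadow entries used in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of the Dell EMC guide. 90/1/14 are assumed policy values.

# set_aging <user>: enforce a maximum password age with chage and show the result.
# -M maximum days, -m minimum days between changes, -W warning days before expiry.
set_aging() {
  chage -M 90 -m 1 -W 14 "$1" && chage -l "$1"
}

# check_shadow_line <entry>: inspect one /etc/shadow entry.
# Field 5 is the maximum age in days; an empty field or 99999 means the password
# never expires. Prints "OK <user> max_age=N" or "FAIL <user> max_age=N" and
# returns 1 on FAIL.
check_shadow_line() {
  entry="$1"
  user=$(printf '%s\n' "$entry" | cut -d: -f1)
  max=$(printf '%s\n' "$entry" | cut -d: -f5)
  case "$max" in
    ''|*[!0-9]*) max=99999 ;;   # unset or malformed: treat as never expires
  esac
  if [ "$max" -gt 90 ]; then
    printf 'FAIL %s max_age=%s\n' "$user" "$max"
    return 1
  fi
  printf 'OK %s max_age=%s\n' "$user" "$max"
}

# audit_shadow <file>: run check_shadow_line over every entry in a shadow file.
# Locked accounts (hash starting with ! or *) are skipped because they cannot
# log in with a password. Returns 1 if any remaining account fails.
audit_shadow() {
  rc=0
  while IFS= read -r entry; do
    case "$entry" in ''|'#'*) continue ;; esac
    hash=$(printf '%s\n' "$entry" | cut -d: -f2)
    case "$hash" in '!'*|'*'*) continue ;; esac
    check_shadow_line "$entry" || rc=1
  done < "$1"
  return $rc
}

# Usage on the MSM virtual machine, as root:
#   set_aging root; set_aging vision
#   audit_shadow /etc/shadow
# With a constructed entry such as 'vision:$6$salt$hash:17500:0:99999:7:::'
# check_shadow_line reports FAIL; after set_aging the field reads 90 and it reports OK.
```

Run audit_shadow again after set_aging to confirm the change, and keep the audit in your periodic checks so a password reset that resets the aging fields is noticed.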
Changing the password for the vision-integration user
The vision-integration user authenticates REST API calls internally to the Vision Core virtual machine to facilitate integration between some services. The default password is a complex, encrypted string that does not need to be known. However, you can change the default password with a built-in script by providing the password for the CAS admin user.
About this task
If you change the password for the vision-integration user, Vision software also updates the password in the necessary properties file.
Before you begin
• Determine a new password, understanding that the CAS password:
— Is case sensitive.
— Must be between 8 and 20 characters in length.
— Must include one uppercase letter, one digit, and one special character.
— Cannot contain any of the following special characters: \ / % + ' " ( ) ; : < > |
• Connect to the Vision Core virtual machine.
Procedure
1. Run /opt/vce/fm/bin/integrationChangepw.sh.
The following message displays:
Warning: This script will restart Asset Manager service.
Please ensure that a maintenance window has been scheduled,
and there is no active upgrade session going on.
Do you want to continue ([y/n])?
2. Enter y to continue. The script then prompts you with the following:
Please enter current admin password:
3. Enter the current Central Authentication Service (CAS) administrator password.
4. Enter the new password for the vision-integration user and then confirm it when prompted.
The script restarts the tomcat-asset-mgr service and displays the following message:
CAS password has been changed for vision-integration user.
Changing the Central Authentication Service (CAS) password for the admin user
Vision software uses a Central Authentication Service (CAS) for authentication to web services. As a best practice, change the default password for the admin user, which has full administrator privileges.
About this task
Changing the CAS password involves running a script on the Vision Core virtual machine that updates the password, encrypts it, and then saves it internally. After this password is changed, any client applications that are configured with it must be updated, including the Plug-in for vCenter.
Before you begin
• Determine a new password, understanding that the CAS password:
— Is case sensitive.
— Must be between 8 and 20 characters in length.
— Must include one uppercase letter, one digit, and one special character.
— Cannot contain any of the following special characters: \ / % + ' " ( ) ; : < > |
• Connect to the Vision Core virtual machine.
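The CAS password rules above apply both to the vision-integration user and to the admin user, and both change scripts restart services, so a password rejected mid-run costs a maintenance window. The following shell function is an added example, not part of the Dell EMC guide or of the Vision scripts: it checks a candidate password against the listed rules before you run slibCasChangepw.sh or integrationChangepw.sh. It assumes that "special character" means any printable character that is not a letter or digit (and not in the forbidden set), which the guide does not define.

```shell
#!/bin/sh
# Added example, not part of the Dell EMC guide. Assumption: a "special
# character" is any character other than A-Z, a-z, 0-9 that is not forbidden.

# check_cas_password <candidate>: prints the first rule the candidate violates,
# or "ok". Returns 0 when every rule is satisfied, 1 otherwise.
check_cas_password() {
  pw="$1"
  len=${#pw}
  if [ "$len" -lt 8 ] || [ "$len" -gt 20 ]; then
    echo "length $len is not between 8 and 20"
    return 1
  fi
  # Forbidden characters from the guide: \ / % + ' " ( ) ; : < > |
  # Inside a bracket expression grep treats \ literally, so the \\ in the
  # double-quoted string below reaches grep as a single backslash.
  if printf '%s\n' "$pw" | LC_ALL=C grep -q "[\\/%+'\"();:<>|]"; then
    echo "contains a forbidden character"
    return 1
  fi
  printf '%s\n' "$pw" | LC_ALL=C grep -q '[A-Z]' || { echo "no uppercase letter"; return 1; }
  printf '%s\n' "$pw" | LC_ALL=C grep -q '[0-9]' || { echo "no digit"; return 1; }
  printf '%s\n' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' || { echo "no special character"; return 1; }
  echo ok
}

# Usage (the candidate is passed as a quoted argument, never echoed elsewhere):
#   check_cas_password 'Vision2018!'      -> ok
#   check_cas_password 'Vision2018(x)'    -> contains a forbidden character
```

Run the check interactively and pick a new candidate until it prints ok; only then start the change script, since the script itself only reports a rejected password after it has already warned about the service restart.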
Procedure
1. Run /opt/vce/fm/bin/slibCasChangepw.sh
The script prompts you with the following message:
Warning: This script will restart JBoss, Vision FM Agent and other services.
Please ensure that a maintenance window has been scheduled,
and there is no active upgrade session going on.
Do you want to continue ([y/n])?
2. Enter y to continue. The script then prompts you with the following:
Please enter current user password:
3. Enter the current password for the admin user.
The script then prompts you with the following:
Please enter new password(Press Ctrl C to exit):
4. Enter the new password for the admin user and then confirm it when prompted.
The script restarts services and displays the following message:
CAS password has been changed for admin user.
Please update vCenter plugin Administration Settings and any other client applications using this password.
Ports and protocols
ScaleIO ports and authentication
This section lists the ScaleIO ports and their use.
Port | Protocol | Description
443 | TCP | Used to perform installations using Installation Manager.
443 | TCP | REST. Used to query a ScaleIO cluster or perform operations on a cluster.
6611, 9011 | TCP | Used to provision or query the ScaleIO system.
7072 | TCP | SDCs connect through this port for data communication, and on the MDM for metadata communication.
9099 | TCP | Installation Manager connects to the Light Installation Agent to perform installation-related operations.
162 | UDP | SNMP traps for system alerts are sent to a trap receiver using this port.
VMware vSphere 6.0 ports and authentication
This section lists the ports required for communication between VMware vSphere 6.0 components.
In Microsoft Windows Server 2008, a firewall is enabled by default.
Table 1:
Port | Protocol | Description
22 | TCP/UDP | System port for SSHD. This port is used only by the vCenter Server Appliance.
80 | TCP | vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server. Also used by WS-Management (which requires port 443 to be open as well). If a Microsoft SQL database is stored on the same virtual machine or physical server as vCenter Server, port 80 is used by the SQL Reporting Service. When installing or upgrading vCenter Server, the installer prompts you to change the HTTP port for vCenter Server. Change the vCenter Server HTTP port to a custom value to ensure a successful installation or upgrade.
88 | TCP | VMware key distribution center port.
389 | TCP/UDP | This port must be open on the local and all remote instances of vCenter Server. This is the LDAP port number for the Directory Services for the vCenter Server group. If another service is running on this port, it might be preferable to remove the service or change its port number. You can run the LDAP service on any port from 1025 through 65535. If this instance is serving as the Microsoft Windows Active Directory, change the port number from 389 to an available port from 1025 through 65535.
443 | TCP | The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall. The vCenter Server system also uses port 443 to monitor data transfer from SDK clients. Port 443 is also used for WS-Management (which requires port 80 to be open as well), for third-party network management client connections to vCenter Server, and for third-party network management client access to hosts.
514 | TCP/UDP | vSphere Syslog Collector port for vCenter Server on Windows and vSphere Syslog Service port for vCenter Server Appliance.
636 | TCP | For vCenter Server Enhanced Linked Mode, this is the SSL port of the local instance. If another service is running on this port, it may be preferable to remove it or change its port number. You can run the SSL service on any port from 1025 through 65535.
902 | TCP/UDP | The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. Port 902 must not be blocked between the vSphere Client and the hosts; the vSphere Client uses this port to display virtual machine consoles.
1514 | TCP/UDP | vSphere Syslog Collector TLS port for vCenter Server on Windows and vSphere Syslog Service TLS port for vCenter Server Appliance.
2012 | TCP | Control interface RPC for vCenter Single Sign-On (SSO).
2014 | TCP | RPC port for all VMCA (VMware Certificate Authority) APIs.
2020 | TCP/UDP | Authentication framework management.
6500 | UDP | ESXi Dump Collector port.
6501 | TCP | Auto Deploy service.
6502 | TCP | Auto Deploy management.
7444 | TCP | Secure Token Service.
8088 | TCP | Workflow Management Service.
9443 | TCP | vSphere Web Client HTTPS.
11711 | TCP | VMware Directory service (vmdir) LDAP.
11712 | TCP | VMware Directory service (vmdir) LDAPS.
5480 | TCP | vCenter Server Appliance Web Console (VAMI).
For the appliance-based vCenter Server, the port information is as follows:
Port | Protocol | Description
22 | TCP | System port for SSHD.
80 | TCP | vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server/ instead of https://server/.
135 | TCP | Active Directory authentication.
443 | TCP | vCenter Server uses port 443 to listen for connections from the vSphere Client, to receive data from the vSphere Client after it is enabled, and to monitor data transfer from SDK clients. If you use another port number for HTTPS, use ip-address:port when you log on to the vCenter Server system.
514 | TCP | vSphere Syslog Collector server.
902 | TCP/UDP | The default port used by vCenter Server to send data to managed hosts and to display virtual machine consoles. Managed hosts send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and hosts, or between hosts.
8080 | TCP | Web Services HTTP. Used for the VMware VirtualCenter Management Web Services.
8090 | TCP | TCP connects to the local port to provide SOAP web services.
8085 | TCP | Internal Service Diagnostics/SDK.
8089 | TCP | SDK Tunneling Port.
7444 | TCP | vCenter Single Sign-On - VMware Secure Token Service.
8443 | TCP | Web Services HTTPS. Used for the VMware VirtualCenter Management Web Services.
10080 | TCP | vCenter Inventory Service HTTP.
10443 | TCP | vCenter Inventory Service HTTPS.
10109 | TCP | vCenter Inventory Service database.
21000 | TCP | VMware vSphere Profile-Driven Storage Service HTTP.
21100 | TCP | VMware vSphere Profile-Driven Storage Service HTTPS.
1514 | TCP | vSphere Syslog Collector server (SSL).
6500 | UDP | Network coredump server (UDP).
6501 | TCP | Auto Deploy service.
6502 | TCP | Auto Deploy management.
9090 | TCP | vSphere Web Client HTTP.
9443 | TCP | vSphere Web Client HTTPS.
5480 | TCP | vCenter Server Appliance Web user interface HTTPS.
5489 | TCP | vCenter Server Appliance Web user interface CIM service.
22000 | TCP | vCenter Server Storage Monitoring Service HTTP.
22100 | TCP | vCenter Server Storage Monitoring Service HTTPS.
12443 | TCP | Log Browser.
11711 | TCP | vCenter Single Sign-On VMware Directory Service (LDAP).
11712 | TCP | vCenter Single Sign-On VMware Directory Service (LDAPS).
8190 | TCP | Storage Policy Server HTTP.
8191 | TCP | Storage Policy Server HTTPS.
7331 | TCP | HTML5 remote console for virtual machines.
7343 | TCP | HTML5 remote console for virtual machines, HTTPS.
Vision Intelligent Operations ports and protocols
Review the ports and protocols used for communicating with Vision software.
Communication with Vision software occurs through northbound traffic over an external network and through southbound traffic to Converged System components.
Review the ports and protocols to help troubleshoot issues after installation.
Open port assignments
The MSM virtual machine runs a number of small services on various ports. Not all ports on the MSM virtual machine are opened through the firewall. The following ports are available from outside of the MSM virtual machine.
Port | Protocol | Linux application | Usage
22 | TCP | SSH | Secure shell (SSH)
80 | TCP | Apache HTTP | Web server providing access to the Vision dashboard and all Vision REST APIs. Requests are redirected to port 443.
443 | TCP | Apache HTTP | HTTPS access to the dashboard and all Vision REST APIs
5672 | TCP | RabbitMQ | Message service used by Vision software
7000 | TCP | SSL | Cassandra SSL inter-node communication
9042 | TCP, UDP | Cassandra | Cassandra native client port
9160 | TCP | Cassandra | Cassandra thrift client port
9301 | TCP | Elasticsearch | Elasticsearch node-to-node communication
Source for all rows: Vision software.
If port 9301 is not open:
1. In the command line interface, type vi /etc/sysconfig/iptables.
2. Add the following line:
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9301 -j ACCEPT
Place it before any final catch-all REJECT or DROP rule in the INPUT chain. Rules are evaluated in order, so an ACCEPT rule placed after the catch-all is never reached.
3. Type service iptables save.
This step is needed only if you added the rule with the iptables command rather than by editing the file: service iptables save writes the running rule set to /etc/sysconfig/iptables, which would discard an edit that has not yet been loaded.
4. Type service iptables restart.
5. Type netstat -l | grep 9301 to check the status of the port.
LISTEN indicates that the port is open. Because grep 9301 also matches other ports containing that string (for example 19301), confirm that the Local Address column of the matching line ends in :9301.
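The following shell script is an added example, not part of the Dell EMC guide or of the Vision software. It turns the open port table and the 9301 check above into a repeatable audit: it parses netstat -ltn output, reports exactly which ports are listening, flags listeners that are not in the documented list (22, 80, 443, 5672, 7000, 9042, 9160, 9301), and opens 9301 with an idempotent iptables rule inserted ahead of any catch-all rule. The netstat sample embedded in the script is constructed for illustration; the function names and the use of iptables -C to test for an existing rule are choices of this example.

```shell
#!/bin/sh
# Added example, not part of the Dell EMC guide. Audits listening TCP ports on
# the MSM virtual machine against the ports the guide documents as reachable
# from outside, and opens 9301 only when the rule is not already present.

EXPECTED_PORTS="22 80 443 5672 7000 9042 9160 9301"

# Constructed sample of "netstat -ltn" output, used for the usage below.
# On a real MSM virtual machine capture it with: out=$(netstat -ltn)
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9200          0.0.0.0:*               LISTEN
tcp        0      0 :::9301                 :::*                    LISTEN
tcp        0      0 0.0.0.0:19301           0.0.0.0:*               LISTEN'

# listening_ports <netstat output>: print the local port of every LISTEN line,
# one per line, sorted and de-duplicated. The port is the text after the last
# ':' of the 4th column, which also handles IPv6 addresses such as :::9301.
listening_ports() {
  printf '%s\n' "$1" | awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# port_is_listening <port> <netstat output>: exact match on the port number,
# so 9301 does not match 19301 the way "grep 9301" would.
port_is_listening() {
  listening_ports "$2" | grep -qx "$1"
}

# unexpected_listeners <netstat output>: ports that are listening but are not
# in the documented list; each one deserves a firewall rule or a justification.
unexpected_listeners() {
  for p in $(listening_ports "$1"); do
    case " $EXPECTED_PORTS " in
      *" $p "*) ;;
      *) printf '%s\n' "$p" ;;
    esac
  done
}

# open_port_9301: insert the rule at the top of INPUT (-I, not -A, so it is not
# placed after a final REJECT rule) and only if it is not already present
# (iptables -C returns non-zero when the rule does not exist). Requires root.
# service iptables save then persists the running rule set to the file the
# guide edits by hand, so the rule survives a restart.
open_port_9301() {
  if ! iptables -C INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9301 -j ACCEPT 2>/dev/null; then
    iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9301 -j ACCEPT
    service iptables save
  fi
}

# Usage with the constructed sample:
#   port_is_listening 9301 "$SAMPLE_NETSTAT" && echo "9301 listening"
#   unexpected_listeners "$SAMPLE_NETSTAT"     # prints 9200 and 19301
# On the MSM virtual machine: unexpected_listeners "$(netstat -ltn)"
```

A port that is listening but not reachable from outside the virtual machine (9200 in the sample, bound to 127.0.0.1 only) is not a finding by itself; the Local Address column tells you whether the listener is exposed, and the firewall rules tell you whether an exposed listener is reachable.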
Northbound ports and protocols
Third-party applications and network management systems (NMS) can use the northbound ports and protocols to communicate with Vision software.
Port | Protocol | Usage | Source | Destination | Direction
80 | TCP | HTTP | Vision software | RCM content distribution network (CDN) destination addresses: *.flexnetoperations.com, updates.flexnetoperations.com, vce.flexnetoperations.com, vceesdie.flexnetoperations.com | Outbound
443 | TCP | HTTPS | Vision software | RCM content distribution network (CDN) destination addresses, as listed for port 80 | Outbound
22 | TCP | Secure shell (SSH) | Any IP address | Vision software | Inbound
8443 | TCP | API for System Library | Any client or application that uses these APIs | Vision software | Inbound
18443 | TCP | API for Vision Security Inventory Manager | Any client or application that uses this feature | Vision software | Inbound
4369 | TCP | AMQP messaging | Any application that subscribes to the Vision software messaging service | Vision software | Inbound
5672 | TCP | AMQP messaging | Any application that subscribes to the Vision software messaging service | Vision software | Inbound
161 | UDP | General SNMP messages | SNMP client or NMS | Vision software | Inbound
162 (default; this port is configurable) | UDP | SNMP trap messages | Vision software | SNMP client or NMS | Outbound
Refer to the Vision Intelligent Operations Integration Guide for SNMP for instructions on configuring port 162 for SNMP trap messages.
Southbound ports and protocols
Vision software uses specific ports and protocols for southbound communication with Converged System components.
Port | Protocol | Usage | Source | Destination
69 | UDP | TFTP traffic from the Configuration Collector to back up Converged System component configuration | Converged System components | Vision software
162 | UDP | SNMP trap messages | Converged System components | Vision software
514 | UDP | syslog messages | Converged System components | Vision software
Compute components
Review the ports and protocols that Vision software uses for communication with compute components.
Dell iDRAC
Port | Protocol | Usage | Source | Destination
443 | TCP | Vision software accesses the iDRAC Redfish API on this port | Vision software | iDRAC
Network components
Review the ports and protocols that Vision software uses for communication with network switches, including physical and virtual switches.
Port | Protocol | Usage | Source | Destination
22 | TCP | Secure shell (SSH) | Vision software | Network switches
161 | UDP | General SNMP messages | Vision software | Network switches
Storage components
Review the ports and protocols that Vision software uses for communication with storage components.
ScaleIO
Port | Protocol | Usage | Source | Destination
443 | TCP | REST API | Vision software | ScaleIO
Management components
Vision software communicates with management components using the following ports and protocols.
Port | Protocol | Usage | Source | Destination
161 | TCP | SNMP | Vision software | IPI appliance
Virtualization components
Review the ports and protocols that Vision software uses for communication with virtualization components.
Port | Protocol | Usage | Source | Destination
443 | TCP | XML API | Vision software | VMware vCenter Server
References
This section contains links for additional security hardening information.
Component | Link
Cisco Nexus | http://www.cisco.com/c/en/us/about/security-center/securing-nx-os.html
ScaleIO | https://support.emc.com/docu67402_ScaleIO-2.0-Security-Configuration-Guide.pdf?language=en_US
VMware components | https://www.vmware.com/security/hardening-guides
The information in this publication is provided "as is." Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
Copyright
©
2016-2018 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA in February 2018.
Dell EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice.
Table of contents
- 3 Contents
- 5 Introduction
- 6 Disclaimer
- 7 Security strategies
- 7 Secure development
- 7 Threat landscape and security considerations
- 8 Administrative control
- 8 Network connectivity
- 9 Management systems
- 10 Change and configuration management
- 10 Patch and update practices
- 11 VxRack System FLEX security baseline
- 11 Compute layer security baseline
- 11 VxRack Compute nodes
- 11 VxRack Compute - Default Passwords Change
- 11 VxRack Compute - Disable Telnet
- 12 VxRack Compute - Disable SSH
- 12 VxRack Compute - Disable IPMI over LAN
- 12 VxRack Compute - Server access using HTTPS
- 12 VxRack Compute - Strong community strings
- 12 VxRack Compute - Use SNMP V3
- 13 VxRack Compute - Disable VNC
- 13 VxRack Compute - Disable XML
- 13 VxRack Compute - Configure syslogs
- 13 VxRack Compute - Configure NTP
- 14 VxRack Compute - Disable USB ports
- 14 VxRack Compute - Disable remote RACADM
- 14 VxRack Compute - Disable IDRAC over SOL
- 14 Network layer security baseline
- 14 Cisco NX-OS devices
- 14 Cisco NX-OS: NXOS.strong.passwords
- 15 Cisco NX-OS: NXOS.CDP.disable
- 15 Cisco NX-OS: NXOS.Telnet.disable
- 15 Cisco NX-OS: NXOS.banner.message
- 16 Cisco NX-OS: NXOS.SSH.enable
- 16 Cisco NX-OS: NXOS.SCP.enable
- 16 Cisco NX-OS: NXOS.SFTP.enable
- 16 Cisco NX-OS: NXOS.console.exec.timeout
- 17 Cisco NX-OS: NXOS.vty.exec.timeout
- 17 Cisco NX-OS: NXOS.SNMP.disable
- 17 Cisco NX-OS: NXOS.SNMP.ro.config
- 17 Cisco NX-OS: NXOS.SNMP.rw.config
- 18 Cisco NX-OS: NXOS.remote.syslog.enable
- 18 Cisco NX-OS: NXOS.disable.ICMP.redirect
- 18 Cisco NX-OS: NXOS.ICMP.unreachable
- 18 Cisco NX-OS: NXOS.disable.unused.interfaces
- 18 Cisco NX-OS: NXOS.NTP.enable
- 19 Cisco NX-OS: NXOS.disable.ip.source.routing
- 19 Cisco NX-OS: NXOS.disable.ip.directed.broadcasts
- 19 Cisco NX-OS: NXOS.ip.source.guard.enable
- 20 Cisco NX-OS: NXOS.HTTP_Server.disable
- 20 Cisco NX-OS: NXOS.password.strength-check
- 20 Cisco NX-OS: NXOS.SSH.key.length
- 20 Cisco NX-OS: NXOS.LoggingTimestamp.configure
- 21 Cisco NX-OS: NXOS.UnusedServices.disable
- 21 Cisco NX-OS: NXOS.SSH.Retry limit
- 21 Cisco NX-OS: NXOS.DHCP.disable
- 21 Cisco NX-OS: NXOS.DNS.Resolution.Lookups.disable
- 22 Cisco NX-OS: NXOS.DefaultPasswords.modify
- 22 Cisco NX-OS: NXOS.VLAN.Segmentation
- 22 Storage layer security baseline
- 22 ScaleIO
- 22 EMC ScaleIO: ScaleIO.Passwords.Change
- 22 EMC ScaleIO: ScaleIO.SNMP.Trap.Configure
- 23 EMC ScaleIO: ScaleIO.Logging.Configure
- 23 Virtualization layer security baseline
- 23 Management Virtual Machines
- 23 Management VM: VM.disable-disk-shrinking-shrink
- 23 Management VM: VM.limit-console-connections-one
- 24 Management VM: VM.disable-console-drag-n-drop
- 24 Management VM: VM.disable-console-copy
- 24 Management VM: VM.disable-console-paste
- 24 Management VM: VM.disable-console-gui-options
- 25 Management VM: VM.disconnect-devices-floppy
- 25 Management VM: VM.disconnect-devices-serial
- 25 Management VM: VM.disconnect-devices-parallel
- 26 Management VM: VM.disconnect-devices-usb
- 26 Management VM VM.disconnect-devices-ide
- 26 Management VM: VM.prevent-device-interaction-connect
- 27 Management VM: VM.prevent-device-interaction-edit
- 27 Management VM: VM.limit-log-size
- 27 Management VM: VM.limit-log-number
- 28 Management VM: VM.limit-setinfo-size
- 28 Management VM: vCenter.restrict-guest-control
- 28 Management VM: VM.restrict-host-info
- 29 Management VM: VM.disable-unexposed-features-getcreds
- 29 Management VM: VM.disable-unexposed-features-unitypush
- 29 Management VM: VM.disable-unexposed-features-launchmenu
- 29 Management VM: VM.disable-unexposed-features-memsfss
- 30 Management VM: VM.disable-independent-nonpersistent
- 30 Management VM: VM.isolation.tools.autoInstall.disable
- 30 Management VM: VM.HostGuestFileSystem.disable
- 30 Management VM: VM.MonitorControl.disable
- 31 Management VM: VM.host-performance-info.disable
- 31 Management VM: VM.Unecessary-Services.disable
- 31 Management VM: VM.DefaultPasswords.modify
- 31 Management VM: VM.ToolsAutoInstall.Disable
- 31 Management VM: VM.Passwords.Modify
- 32 Management VM: VM.Configure.NTP
- 32 VMware ESXi
- 32 VMware ESXi: ESXi.enable-remote-syslog
- 32 VMware ESXi: ESXi.config-ntp
- 33 VMware ESXi: ESXi.enable-normal-lockdown-mode
- 33 VMware ESXi: ESXi.config-persistent-logs
- 33 VMware ESXi: vNetwork.reject-mac-changes
- 33 VMware ESXi: vNetwork.reject-forged-transmit
- 34 VMware ESXi: ESXi.disable-mob
- 34 VMware ESXi: ESXi.firewall-enabled
- 34 VMware ESXi: ESXi.firewall-enabled
- 34 VMware ESXi: ESXi.firewall-enabled
- 35 VMware ESXi: ESXi.firewall-enabled
- 35 VMware ESXi: ESXi.firewall-enabled
- 35 VMware ESXi: ESXi.DefaultPasswords.modify
- 35 VMware ESXi: ESXI.ShellTimeout.config
- 35 VMware ESXi: ESXI.CommandShell.disable
- 36 VMware ESXi: ESXi.SNMP.CommunityString
- 36 VMware ESXi: ESXi.UnusedServices.disable
- 36 VMware ESXi: ESXI.Auto-Password-Change-Policy.configure
- 36 VMware ESXi: ESXi.Password.Complexity
- 37 VMware vCenter Single Sign On (SSO)
- 37 VMware SSO: SSO.verify-SSO-Password-policy
- 37 VMware vSphere Update Manager
- 37 VMware vSphere Update Manager: VUM.audit-vum-login
- 38 Update Manager VUM.NTP.config SEC101356.1
- 38 VMware vCenter Server Appliance (VCSA)
- 38 VMware Virtual Center Server Appliance: VCSA.DefaultPasswords.modify
- 39 VMware Virtual Center Server Appliance: VCSA.SNMP.CommunityString
- 39 VMware Virtual Center Server Appliance: VCSA.Logging.config
- 39 VMware Virtual Center Server Appliance: VCSA.NTP.Config
- 39 VMware Virtual Center Server Appliance: VCSA.Unused-Services.Disable
- 39 VMware vNetwork
- 40 VMware vNetwork: vNetwork.Forged-MAC-address.policy
- 40 VMware vNetwork: vNetwork.PromiscuousMode.config
- 40 VMware vNetwork: vNetwork.Mgt-Segmentation.config
- 40 VMware vNetwork: vNetwork-Management Network-Access Control.config
- 40 VMware vNetwork: vNetwork-Network configuration.verify
- 41 VMware vNetwork: vNetwork.Reject.MAC-address-changes.Config
- 41 VMware vSphere Distributed Switch and DVS networking
- 41 VMware vSphere vSwitch and DVS networking: vNetwork.isolate-mgmt-network-vlan
- 41 VMware vSphere vSwitch and DVS networking: vNetwork.isolate-vmotion-network-vlan
- 41 VMware vSphere vSwitch and DVS networking: vNetwork.isolate-storage-network-vlan
- 42 VMware vSphere Web Client
- 42 VMware vSphere Web Client: vCenter.web-client-timeout
- 42 Management layer security baseline
- 42 VxRack Controller nodes
- 42 VxRack Controller Default-Passwords.Change
- 42 VxRack Controller - Disable Telnet
- 43 VxRack Controller - Disable SSH
- 43 VxRack Controller - Disable IPMI over LAN
- 43 VxRack Controller - Server access using HTTPS
- 43 VxRack Controller - Strong community strings
- 44 VxRack Controller - Use SNMP V3
- 44 VxRack Controller - Disable VNC
- 44 VxRack Controller - Disable XML
- 44 VxRack Controller - Configure syslogs
- 44 VxRack Controller - Configure NTP
- 45 VxRack Controller - Disable USB ports
- 45 VxRack Controller - Disable remote RACADM
- 45 VxRack Controller - Disable IDRAC over SOL
- 45 System infrastructure security baseline
- 45 Panduit Power Distribution Unit (PDU)
- 45 Panduit PDU: Panduit.Passwords.Modify
- 46 Panduit PDU: Panduit.NTP.Configure
- 46 Panduit PDU: Panduit.SNMPCommunityString.Configure
- 46 Panduit PDU: Panduit.Unused-Services.Disable
- 46 Panduit PDU: Panduit.Logging.Configure
- 46 Panduit PDU: Panduit.Administrative-Access.Configure
- 47 Log Management
- 47 Internal component log file locations
- 47 Configuring an external syslog server
- 48 Certificate management
- 49 Operationalizing Converged Systems
- 49 Integrating a new Converged System into a live environment
- 49 Ongoing security administration
- 50 Operational checklist
- 51 Converged System password management
- 51 Compute
- 51 Changing the VxRack System FLEX enclosure password
- 51 Storage
- 52 ScaleIO default accounts
- 52 Changing the Installation Manager admin password
- 53 Changing the Light Installation Agent password
- 53 Changing the SVM root password
- 53 Changing the default admin MDM password
- 54 ScaleIO user-defined accounts
- 55 Virtualization
- 55 Changing a VMware ESXi host root password
- 56 Changing the password using VMware vSphere Client
- 56 Changing the password using the ESXi shell command
- 57 Changing the password using the ESXi host System Customization menu
- 57 Modifying the VMware vCenter Server Single Sign On password
- 58 Changing virtual machine operating system administrative passwords
- 58 Changing the server administrator password in Windows 2008 R2
- 58 Changing the server administrator password in Windows 2012
- 58 Management
- 59 Changing the VxRack Controller password
- 59 Vision Intelligent Operations credentials
- 59 Changing the default password for user root
- 61 Changing the password for the vision-integration user
- 62 Changing the Central Authentication Service (CAS) password for the admin user
- 64 Ports and protocols
- 64 ScaleIO ports and authentication
- 64 VMware vSphere 6.0 ports and authentication
- 67 Vision Intelligent Operations ports and protocols
- 67 Open port assignments
- 69 Northbound Vision software ports and protocols
- 70 Southbound Vision software ports and protocols
- 70 Compute components
- 70 Network components
- 70 Storage components
- 71 Management components
- 71 Virtualization components
- 72 References