VMware Releases Guidance on Protecting ESXi Servers

news

VMware has released guidance on protecting ESXi servers, the most widely used virtualization platform in the enterprise.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-E9B71B85-FBA3-447C-8A60-DEE2AE1A405A.html

The ESXi hypervisor is protected out of the box, and lockdown mode and other built-in features can be used to further protect the ESXi host.

For consistency, you can set up a reference host and synchronize all hosts with the host profile of the reference host.

You can also protect your environment by using scripted administration to ensure that changes are applied to all hosts.

To enhance the protection of ESXi hosts managed by vCenter Server, do the following.

Restrict access to ESXi

By default, the ESXi Shell and SSH services are not running, and only the root user can log in to the DCUI (Direct Console User Interface). If you enable ESXi Shell or SSH access, set a timeout to limit the window for unauthorized access.

Users who have access to the ESXi host must have permissions to manage the host. Set permissions on the host object from the vCenter Server system that manages the host.
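The following PowerCLI script is an added example, not code from VMware's documentation or from this post. It reports, for every host a vCenter Server manages, whether the ESXi Shell (service key TSM) and SSH (TSM-SSH) services are running, their startup policy, and the two advanced settings that bound a shell session; the vCenter name is a placeholder, PowerCLI is assumed to be installed, and the remediation at the end is commented out so the script is read-only until you choose to apply it.

```powershell
# Added example: audit ESXi Shell / SSH exposure across vCenter-managed hosts.
# Assumes VMware PowerCLI; the vCenter name below is a placeholder.
Connect-VIServer -Server 'vcenter.example.internal' | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    $services = Get-VMHostService -VMHost $vmhost
    $ssh   = $services | Where-Object { $_.Key -eq 'TSM-SSH' }   # SSH daemon
    $shell = $services | Where-Object { $_.Key -eq 'TSM' }       # ESXi Shell

    # Seconds before an enabled shell/SSH service stops itself (0 = never)
    $svcTimeout  = (Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.ESXiShellTimeOut').Value
    # Idle seconds before an interactive shell/SSH session is closed (0 = never)
    $idleTimeout = (Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.ESXiShellInteractiveTimeOut').Value

    [pscustomobject]@{
        Host           = $vmhost.Name
        SshRunning     = $ssh.Running
        SshPolicy      = $ssh.Policy          # 'off' = manual start only, the hardened state
        ShellRunning   = $shell.Running
        ShellPolicy    = $shell.Policy
        ServiceTimeout = $svcTimeout
        IdleTimeout    = $idleTimeout
        NeedsAttention = ($ssh.Running -or $shell.Running -or $svcTimeout -eq 0 -or $idleTimeout -eq 0)
    }
}

$report | Format-Table -AutoSize

# Remediation for flagged hosts (uncomment to apply): stop both services, make them
# manual-start only, and cap both timeouts at 15 minutes (900 s, a placeholder policy value).
# foreach ($row in $report | Where-Object NeedsAttention) {
#     $vmhost = Get-VMHost -Name $row.Host
#     Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -in 'TSM', 'TSM-SSH' } |
#         ForEach-Object {
#             Stop-VMHostService -HostService $_ -Confirm:$false | Out-Null
#             Set-VMHostService  -HostService $_ -Policy Off | Out-Null
#         }
#     Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.ESXiShell*TimeOut' |
#         Set-AdvancedSetting -Value 900 -Confirm:$false | Out-Null
# }
```

A host where either service is running, or where either timeout is 0, is flagged; a timeout of 0 means a shell someone enabled for a maintenance task stays open indefinitely.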

Use named administrator accounts with minimum privileges

By default, the root user can perform many tasks. Do not allow administrators to log in to the ESXi host as the root user.

As an alternative, you can create administrative users from vCenter Server and assign the Administrator role to these users. You can also assign custom roles to these users. See Creating Custom Roles for more information.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-41E5E52E-A95B-4E81-9724-6AD6800BEF78.html#GUID-41E5E52E-A95B-4E81-9724-6AD6800BEF78

If you are managing users directly on the host, the options for role management are limited.

Reduce the number of open ESXi firewall ports

By default, the firewall ports on an ESXi host are only open when the corresponding service is started.

You can use the vSphere Client or ESXCLI or PowerCLI commands to view and manage the status of firewall ports.
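As an added example (not from VMware's documentation or this post), the PowerCLI script below lists, per host, every enabled firewall ruleset whose backing service is stopped, and every enabled ruleset outside an expected baseline. It assumes PowerCLI and an existing Connect-VIServer session; the baseline list is constructed for illustration and must be replaced with the rulesets your hosts actually need.

```powershell
# Added example: find ESXi firewall rulesets that are open without a running service,
# plus any enabled ruleset outside an expected baseline.
# Assumes PowerCLI and an existing Connect-VIServer session. The baseline is constructed.
$baseline = @('vSphereClient', 'vpxHeartbeats', 'dns', 'dhcp', 'ntpClient')

$findings = foreach ($vmhost in Get-VMHost) {
    # ExtensionData.Key is the stable ruleset id (e.g. sshServer); Name is the display label.
    $enabled = Get-VMHostFirewallException -VMHost $vmhost | Where-Object { $_.Enabled }

    foreach ($rs in $enabled) {
        $key         = $rs.ExtensionData.Key
        $hasService  = [bool]$rs.ExtensionData.Service      # some rulesets have no service at all
        $serviceDown = $hasService -and -not $rs.ServiceRunning
        $offBaseline = $key -notin $baseline

        if ($serviceDown -or $offBaseline) {
            [pscustomobject]@{
                Host          = $vmhost.Name
                Ruleset       = $key
                Label         = $rs.Name
                IncomingPorts = $rs.IncomingPorts
                Reason        = if ($serviceDown) { 'service stopped' } else { 'not in baseline' }
            }
        }
    }
}

$findings | Sort-Object Host, Ruleset | Format-Table -AutoSize

# To close a ruleset after review (uncomment). It stays closed until the service
# is started again or the ruleset is re-enabled explicitly.
# $findings | Where-Object Reason -eq 'service stopped' | ForEach-Object {
#     Get-VMHostFirewallException -VMHost $_.Host -Name $_.Label |
#         Set-VMHostFirewallException -Enabled:$false | Out-Null
# }
```

Rulesets with no backing service (ServiceRunning is null for those) are only judged against the baseline, so they are not reported as "service stopped".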

Automate ESXi host management

Because it is often important to keep different hosts in the same datacenter in sync, provision hosts using scripted installation or vSphere Auto Deploy.

You can also use scripts to manage your hosts.

As an alternative to scripted management, host profiles can be used. You can set up a reference host, export the host profile, and apply that host profile to all hosts.

Host profiles can be applied directly or as part of provisioning with Auto Deploy.

Using lockdown mode

In lockdown mode, by default, ESXi hosts can only be accessed through vCenter Server.

You can choose between strict lockdown mode or normal lockdown mode.

You can define exception users so that service accounts, such as a backup agent, keep direct access to the host.
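The following is an added example, not VMware's code or this post's, of putting one host into normal lockdown mode with an exception user through the vSphere API's HostAccessManager, which PowerCLI exposes via Get-View. It assumes PowerCLI, an existing Connect-VIServer session, and placeholder host and account names.

```powershell
# Added example: normal lockdown mode with an exception user, via HostAccessManager.
# Assumes PowerCLI and a Connect-VIServer session; host and account names are placeholders.
$vmhost = Get-VMHost -Name 'esxi01.example.internal'
$ham    = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

"Current mode: $($ham.LockdownMode)"      # lockdownDisabled / lockdownNormal / lockdownStrict
"Current exceptions: $($ham.QueryLockdownExceptions() -join ', ')"

# Exception users keep direct host access in lockdown mode. They must already exist on
# the host with a permission that allows host management, or the update fails.
$exceptions = @('svc-backup')              # placeholder service account
$ham.UpdateLockdownExceptions($exceptions)

# Start with normal lockdown: direct access is blocked for everyone but exception users
# and users listed in DCUI.Access, while vCenter Server remains the management path.
$ham.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownNormal)

$ham.UpdateViewData()                      # refresh the cached view before reading it back
"New mode: $($ham.LockdownMode)"
```

Switching the enum value to lockdownStrict also stops the DCUI service, so a host that loses its vCenter connection has no local console left; roll strict mode out only after confirming the exception users and the vCenter connectivity on normal mode first.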

Verify the integrity of the VIB package

Each VIB package has an associated acceptance level; you can add a VIB to an ESXi host only if the VIB’s acceptance level is equal to or greater than the host’s acceptance level.

It is not possible to add CommunitySupported or PartnerSupported VIBs to a host without explicitly changing the host’s acceptance level.
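As an added example (not from VMware's documentation or this post), the PowerCLI script below reads each host's acceptance level through the esxcli interface that PowerCLI exposes, lists installed VIBs below VMwareAccepted, and runs the VIB signature check that ESXi provides; it assumes PowerCLI and an existing Connect-VIServer session.

```powershell
# Added example: audit host acceptance level, lower-trust VIBs and VIB signatures.
# Assumes PowerCLI and a Connect-VIServer session.
foreach ($vmhost in Get-VMHost) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    # Host acceptance level: VMwareCertified, VMwareAccepted, PartnerSupported or CommunitySupported
    $hostLevel = $esxcli.software.acceptance.get.Invoke()

    # Installed VIBs whose own acceptance level is below VMwareAccepted
    $lowerTrust = $esxcli.software.vib.list.Invoke() |
        Where-Object { $_.AcceptanceLevel -in 'PartnerSupported', 'CommunitySupported' } |
        Select-Object Name, Vendor, Version, AcceptanceLevel

    # esxcli software vib signature verify: signature result for every installed VIB
    $badSignature = $esxcli.software.vib.signature.verify.Invoke() |
        Where-Object { $_.SignatureVerification -ne 'Succeeded' }

    [pscustomobject]@{
        Host                = $vmhost.Name
        HostAcceptanceLevel = $hostLevel
        LowerTrustVibs      = ($lowerTrust | ForEach-Object { "$($_.Name)($($_.AcceptanceLevel))" }) -join ', '
        SignatureFailures   = ($badSignature | ForEach-Object { $_.Name }) -join ', '
    }
}

# Raising a host's acceptance level back to the default after a one-off change (uncomment):
# $esxcli.software.acceptance.set.Invoke(@{ level = 'PartnerSupported' })
```

The property name SignatureVerification and the 'Succeeded' value are what the command reports on the hosts I have seen; check the raw output of the verify call on one host before relying on that filter.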

ESXi Certificate Management

The VMware Certificate Authority (VMCA) provides each ESXi host with a signed certificate with the VMCA as the root certificate authority by default.

If your company policy requires it, you can replace the existing certificate with a certificate signed by a third party or enterprise CA.

Consider smart card authentication

ESXi supports the use of smart card authentication as an alternative to username and password authentication.

For added security, you can set up smart card authentication.

Two-factor authentication is also supported in vCenter Server.

Username and password authentication and smart card authentication can be configured simultaneously.

Consider ESXi account lockout

Account locking is supported for SSH and access via the vSphere Web Services SDK.

By default, a maximum of 10 failed attempts is allowed before the account is locked. The account is unlocked after 2 minutes by default.

Be aware that the DCUI (Direct Console User Interface) and the ESXi Shell do not support account lockout.
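The script below is an added example, not VMware's code or this post's, that audits the two advanced settings behind account lockout on every managed host and reports which hosts differ from a chosen policy; it assumes PowerCLI and an existing Connect-VIServer session, and the target values are placeholders to be set to your own policy.

```powershell
# Added example: audit ESXi account lockout settings against a chosen policy.
# Assumes PowerCLI and a Connect-VIServer session. Target values are placeholders.
$targetFailures = 5      # Security.AccountLockFailures; the ESXi default is 10, and 0 disables lockout
$targetUnlock   = 900    # Security.AccountUnlockTime in seconds; the ESXi default is 120

$report = foreach ($vmhost in Get-VMHost) {
    $failures = Get-AdvancedSetting -Entity $vmhost -Name 'Security.AccountLockFailures'
    $unlock   = Get-AdvancedSetting -Entity $vmhost -Name 'Security.AccountUnlockTime'

    [pscustomobject]@{
        Host            = $vmhost.Name
        LockFailures    = $failures.Value
        UnlockSeconds   = $unlock.Value
        LockoutDisabled = ($failures.Value -eq 0)
        Compliant       = ($failures.Value -eq $targetFailures -and $unlock.Value -eq $targetUnlock)
    }
}

$report | Format-Table -AutoSize

# Apply the policy to non-compliant hosts (uncomment):
# foreach ($row in $report | Where-Object { -not $_.Compliant }) {
#     $vmhost = Get-VMHost -Name $row.Host
#     Get-AdvancedSetting -Entity $vmhost -Name 'Security.AccountLockFailures' |
#         Set-AdvancedSetting -Value $targetFailures -Confirm:$false | Out-Null
#     Get-AdvancedSetting -Entity $vmhost -Name 'Security.AccountUnlockTime' |
#         Set-AdvancedSetting -Value $targetUnlock -Confirm:$false | Out-Null
# }
```

A LockoutDisabled row deserves immediate attention: with AccountLockFailures at 0, SSH and the vSphere Web Services SDK accept unlimited password attempts. Because the DCUI and ESXi Shell never lock accounts, keeping those services off (see the access section above) is the only control for them.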

The security considerations for standalone hosts are similar, although the administrative tasks may be different.
