Securing a virtual environment running VMware vSphere is not as simple as accepting the default settings and policies during installation. While the defaults provide partially hardened settings, there are many ways to improve upon them. By following VMware security best practices, you can help protect your VMware infrastructure against cybersecurity threats, including both malicious attacks and careless mistakes.
This article explains how to reduce the risk to your enterprise security by properly securing your VMware vCenter server and your ESXi hypervisor, and details the key best practices for secure deployment, operations and networking.
VMware vCenter Server Security
VMware vCenter server is the main control center of your vSphere environment. Whether you install it on a Windows or Linux operating system, the following best practices can help you maintain it in a secure state:
- To help keep VMware secure, make sure your vCenter Server systems use static IP addresses and host names. Each IP address must have a valid internal DNS registration, including reverse name resolution.
- By default, the password for the vpxuser account expires after 30 days. Change this setting if necessary to comply with your security policy.
- If you are running vCenter Server on Windows, configure the Remote Desktop session host to require the highest encryption level.
- Make sure that the operating system is up to date on security patches.
- Install an antivirus solution and keep it up to date.
- Make sure that the time source is configured to sync with a time server or a time server pool, in order to ensure proper certificate validation.
- Do not allow users to log directly into the vCenter server host machine.
VMware ESXi Security
To secure your ESXi hypervisor, implement the following best practices:
- Add each ESXi host to the Microsoft Active Directory domain, so you can use AD accounts to log in and manage each host’s settings.
- Configure all ESXi hosts to synchronize time with the central NTP servers.
- Enable lockdown mode on all ESXi hosts. Lockdown mode lets you choose whether the direct console user interface (DCUI) stays enabled and whether users can log in directly to the host or only through vCenter Server.
- Configure remote logging for your ESXi hosts so you have a centralized store of ESXi logs for a long-term audit record.
- Keep ESXi hosts patched to mitigate vulnerabilities. Attacks often try to exploit known vulnerabilities to gain access to an ESXi host.
- Keep secure shell (SSH) disabled (this is the default setting).
- Specify how many failed login attempts can be made before the account is locked out.
- ESXi version 6.5 and later supports UEFI secure boot at each level of the boot stack. Use this feature to protect against malicious configuration changes within the OS bootloader.
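The host-level items above (NTP, remote logging, lockout threshold, SSH off, lockdown mode) can be applied consistently across all hosts with PowerCLI. This is an added example, not code from the article; it assumes an existing Connect-VIServer session, and the NTP, syslog and threshold values are placeholders for your own environment.

```powershell
# Added example: apply the ESXi host hardening steps to every host in the connected vCenter.
# Assumes PowerCLI is installed and Connect-VIServer has already been run.
$NtpServers   = @('ntp1.corp.example', 'ntp2.corp.example')   # placeholder NTP servers
$SyslogTarget = 'ssl://syslog.corp.example:1514'              # placeholder central log collector
$MaxFailures  = 5                                             # lock the account after 5 failed logins

foreach ($esx in Get-VMHost) {
    # 1. Time sync: replace any existing NTP servers with the central ones and run ntpd at boot.
    Get-VMHostNtpServer -VMHost $esx |
        ForEach-Object { Remove-VMHostNtpServer -VMHost $esx -NtpServer $_ -Confirm:$false }
    Add-VMHostNtpServer -VMHost $esx -NtpServer $NtpServers | Out-Null
    $ntpd = Get-VMHostService -VMHost $esx | Where-Object Key -eq 'ntpd'
    Set-VMHostService -HostService $ntpd -Policy On | Out-Null
    Restart-VMHostService -HostService $ntpd -Confirm:$false | Out-Null

    # 2. Remote logging: ship host logs to the central collector for a long-term audit record.
    Get-AdvancedSetting -Entity $esx -Name 'Syslog.global.logHost' |
        Set-AdvancedSetting -Value $SyslogTarget -Confirm:$false | Out-Null

    # 3. Failed-login lockout threshold.
    Get-AdvancedSetting -Entity $esx -Name 'Security.AccountLockFailures' |
        Set-AdvancedSetting -Value $MaxFailures -Confirm:$false | Out-Null

    # 4. SSH: stop the service if it is running and keep it from starting with the host.
    $ssh = Get-VMHostService -VMHost $esx | Where-Object Key -eq 'TSM-SSH'
    if ($ssh.Running) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
    Set-VMHostService -HostService $ssh -Policy Off | Out-Null

    # 5. Lockdown mode (normal): management only through vCenter, DCUI still available.
    $accessMgr = Get-View -Id $esx.ExtensionData.ConfigManager.HostAccessManager
    if ($accessMgr.LockdownMode -eq 'lockdownDisabled') {
        $accessMgr.ChangeLockdownMode('lockdownNormal')
    }
}
```

Run it once to remediate and re-run it periodically; a second run makes no changes on a host that is already compliant.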
Secure Deployment and Management
Here are the principal best practices for secure deployment and management of a VMware vSphere environment:
- Keep your virtual machine templates up to date with guest OS security patches.
- Deploy new VMs only from your VM templates. This practice helps ensure that the base OS is properly hardened before applications are installed and that all VMs are created with the same baseline level of security.
- Minimize use of the virtual machine console, since it exposes power management and removable device connectivity to whoever can open it.
- Disable unnecessary functions inside each VM, including system components that are not necessary for the application you’re running. You can also disable CD/DVD drives, floppy drives and USB adapters.
- Restrict datastore browser access to limit risk to the virtualization files stored on your datastores.
- Prevent users from running commands inside a VM by disabling the command line window.
- Install an antivirus solution, set it to the highest protection possible and keep it up to date.
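The VM-level items above (limiting what the console allows, removing CD/DVD, floppy and USB devices) can be enforced per VM with PowerCLI. This is an added example, not code from the article; it assumes an existing Connect-VIServer session, and the folder name is a placeholder. The two isolation.device settings are documented VMware .vmx options that stop non-administrators from connecting or editing devices from the console.

```powershell
# Added example: harden every VM in a folder. Assumes Connect-VIServer has already been run.
$HardeningSettings = @{
    'isolation.device.connectable.disable' = 'TRUE'   # non-admins cannot connect/disconnect devices from the console
    'isolation.device.edit.disable'        = 'TRUE'   # non-admins cannot modify device configuration
}

function Set-VmHardening {
    param([Parameter(Mandatory)] $VM)

    # Apply each advanced (.vmx) option: update it if present, create it otherwise.
    foreach ($name in $HardeningSettings.Keys) {
        $wanted   = $HardeningSettings[$name]
        $existing = Get-AdvancedSetting -Entity $VM -Name $name
        if ($existing) {
            if ($existing.Value -ne $wanted) {
                Set-AdvancedSetting -AdvancedSetting $existing -Value $wanted -Confirm:$false | Out-Null
            }
        } else {
            New-AdvancedSetting -Entity $VM -Name $name -Value $wanted -Confirm:$false -Force | Out-Null
        }
    }

    # Remove floppy drives and USB passthrough devices; disconnect any CD/DVD media.
    Get-FloppyDrive -VM $VM | Remove-FloppyDrive -Confirm:$false
    Get-UsbDevice   -VM $VM | Remove-UsbDevice   -Confirm:$false
    Get-CDDrive     -VM $VM | Where-Object { $_.IsoPath -or $_.HostDevice } |
        Set-CDDrive -NoMedia -StartConnected:$false -Confirm:$false | Out-Null
}

# Harden the VMs, then report any that still carry removable devices (e.g. because they were powered on).
$vms = Get-Folder -Name 'Production' | Get-VM      # 'Production' is a placeholder folder name
$vms | ForEach-Object { Set-VmHardening -VM $_ }
$vms | Where-Object { (Get-FloppyDrive -VM $_) -or (Get-UsbDevice -VM $_) } |
    Select-Object Name, @{N = 'Note'; E = { 'still has removable devices' }}
```

Apply the same function to the powered-off VMs you convert into templates so that every VM deployed from them inherits the settings.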
Here are the key best practices for secure operations:
- VMware vSphere uses role-based access control (RBAC) to manage permissions. You can easily create, clone and modify roles in the vCenter Server system to implement the least-privilege principle.
- Integrate vCenter with Microsoft Active Directory. This can be done not only for vCenter running on Windows but also for a vCenter Server Appliance (VCSA) running on Linux PhotonOS. This integration enables you to use AD authentication for existing Microsoft AD users within vSphere, and lets vSphere administrators use a common identity source to grant access to vSphere objects.
- Create a named account for each user with the vCenter server administrator role. Grant this role only to administrators who need it; other users should have access to only the VMs and other resources they need to do their jobs.
- Resource privileges control the creation and management of resource pools. You can set privileges at different levels (for example, at the folder level) and let them propagate to the child objects.
- Audit network traffic, firewall activity and other critical events. vSphere enables you to view the basic change log; for example, you can use the Tasks and Events tab in the vSphere Client to review all changes to any object in your vSphere hierarchy during a certain time period. However, third-party security solutions offer additional functionality, such as custom alerting on critical changes like the deletion of VMs or changes to resource pools. They also provide easy-to-read reports on changes and logon activities that make it easier to monitor your virtual environment and prepare for compliance.
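The operations items above (a least-privilege role, AD-backed principals, propagation from a folder, and reviewing the Tasks and Events record) as an added PowerCLI example, not code from the article. It assumes an existing Connect-VIServer session; the role name, AD group and folder name are placeholders, and the privilege IDs are the standard vCenter ones.

```powershell
# Added example: create an operator role, grant it with propagation, and query the event log.
# Assumes Connect-VIServer has already been run against an AD-integrated vCenter.
$RoleName  = 'VM Operator'
$Principal = 'CORP\vm-operators'          # placeholder AD group
$Folder    = Get-Folder -Name 'Production' # placeholder folder

# Privileges to operate (not reconfigure) VMs. Datastore.Browse is deliberately left out,
# so members of this role cannot use the datastore browser.
$PrivilegeIds = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract'
)

$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $PrivilegeIds)
}

# Grant on the folder and let the permission propagate to every VM inside it.
if (-not (Get-VIPermission -Entity $Folder -Principal $Principal -ErrorAction SilentlyContinue)) {
    New-VIPermission -Entity $Folder -Principal $Principal -Role $role -Propagate:$true | Out-Null
}

# Audit: list VM deletions from the last 7 days with the user who performed them.
# This is the same data as the Tasks and Events tab, queried instead of browsed.
Get-VIEvent -Start (Get-Date).AddDays(-7) -MaxSamples ([int]::MaxValue) |
    Where-Object { $_ -is [VMware.Vim.VmRemovedEvent] } |
    Select-Object CreatedTime, UserName, @{N = 'VM'; E = { $_.Vm.Name }}, FullFormattedMessage |
    Sort-Object CreatedTime
```

Scheduling the last query and alerting on non-empty output gives you a basic version of the "VM deleted" alert the article attributes to third-party tools.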
The VMware vSphere virtual networking layer includes multiple elements, such as virtual network adapters, virtual switches (vSwitches), distributed virtual switches (DVSs), ports and port groups. The ESXi hypervisor uses those elements to communicate with the outside world. The following best practices will help you improve network security:
- Isolate network traffic based on type. You can use virtual LANs (VLANs) for this purpose.
- Secure virtual storage network traffic:
  - Isolate storage traffic on separate physical and logical networks.
  - Use CHAP authentication in iSCSI environments.
  - Use Internet Protocol Security (IPsec) where possible. This network security mechanism authenticates and encrypts the packets sent over a network.
- Use firewalls to help secure virtual network elements and filter VM network traffic. Don’t modify the default ESXi firewall configuration.
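A way to verify the VLAN isolation and CHAP items above rather than assume them, as an added PowerCLI example that is not code from the article. It assumes an existing Connect-VIServer session, and reads the VLAN ID from either a standard port group (VLanId) or a distributed port group (VlanConfiguration).

```powershell
# Added example: report VMkernel ports whose traffic is untagged or shares a VLAN with another
# traffic type, and iSCSI adapters where CHAP is not required. Assumes Connect-VIServer was run.
function Get-VmkIsolationReport {
    param([Parameter(Mandatory)] $VMHost)
    foreach ($vmk in Get-VMHostNetworkAdapter -VMHost $VMHost -VMKernel) {
        # Classify the VMkernel adapter by the service types enabled on it.
        $types = @()
        if ($vmk.ManagementTrafficEnabled) { $types += 'Management' }
        if ($vmk.VMotionEnabled)           { $types += 'vMotion' }
        if ($vmk.VsanTrafficEnabled)       { $types += 'vSAN' }
        if (-not $types)                   { $types += 'Other' }   # e.g. iSCSI/NFS vmkernel ports

        # Standard port groups expose VLanId; distributed port groups expose VlanConfiguration.
        $pg   = Get-VirtualPortGroup -VMHost $VMHost -Name $vmk.PortGroupName -ErrorAction SilentlyContinue
        $vlan = if ($pg.PSObject.Properties['VLanId']) { $pg.VLanId }
                elseif ($pg.VlanConfiguration)       { $pg.VlanConfiguration.VlanId }
                else                                 { $null }

        [pscustomobject]@{
            Host      = $VMHost.Name
            Adapter   = $vmk.Name
            PortGroup = $vmk.PortGroupName
            VLAN      = $vlan
            Traffic   = ($types -join ',')
            Finding   = if (-not $vlan)             { 'untagged (not isolated by VLAN)' }
                        elseif ($types.Count -gt 1) { 'multiple traffic types on one VLAN' }
                        else                        { 'ok' }
        }
    }
}

foreach ($esx in Get-VMHost) {
    Get-VmkIsolationReport -VMHost $esx | Where-Object Finding -ne 'ok'

    # iSCSI: CHAP should be Required, not Preferred, Discouraged or Prohibited.
    Get-VMHostHba -VMHost $esx -Type iScsi | ForEach-Object {
        $chap = $_.AuthenticationProperties.ChapType
        if ($chap -ne 'Required') {
            Write-Warning "$($esx.Name) $($_.Device): CHAP is '$chap', expected Required"
        }
    }
}
```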
Securing your virtualized environment is a complicated task. Following the best practices detailed here to design, configure and monitor your environment will take you a long way toward reducing risk and ensuring regulatory compliance.