Four steps to securing vCenter and the VMware virtualized environment

Get familiar with the details and use these four steps to lock down hosts in your VMware virtualized environment.

IT security can often become an issue once your company gets above a certain size. When considering the overall security of a VMware virtualized environment, limiting access to vCenter is the first step. Next, you should look at the security underlying the actual host itself and take steps to make that safer. These four steps will pave the way for a more secure VMware environment.

1. Restrict who can access the host

Configuring Lockdown Mode in vCenter
Configuring Lockdown Mode in vCenter in ESXi version 4.

The first and easiest step to securing a host is to enable lockdown mode. This ensures that all the hosts connected to vCenter are managed by vCenter. It also prevents users from directly logging into the host using vSphere or any other tool that doesn't communicate through vCenter. To do this for ESXi version 4, log into vCenter and select a host you wish to secure. Click Configuration tab followed by Security. Navigate to Lockdown Mode, click Edit and click Enable Lockdown Mode. Click OK. If you are using version 5 of ESXi, log into the console and use the Direct Console User Interface (DCUI) to enable lockdown.

This feature is only available on ESX 4 and above. In an emergency, you can disable lockdown mode -- for example, if vCenter is unavailable for some reason -- by directly logging into the host console and disabling lockdown from the DCUI.

2. Secure the network

By default, when a vSwitch is created, it disables promiscuous mode but allows MAC address changes and forged transmits to accept. Unless you have a really compelling reason to do so, set MAC address changes to Reject and the same for forged transmits. Be careful, as some load-balancing products and virtual appliances make use of this feature.

Modifying the security settings of the vSwitch
Adjusting the vSwitch security settings .

To configure the switch security, select the host in question, go to Configuration, then Properties of the Network, to change. Select the virtual machine (VM) vSwitch and edit the switch. Select the Security tab and select from the dropdown to modify as needed. This operation can also be selected for port groups as well as switches.

It is also worth noting that if you do use port groups, the settings are inherited from the vSwitch settings unless you explicitly change them.

3. Secure the VM

By default, copy and paste between the client and the VM is enabled when using the vSphere application. In a secure environment, this is not an appropriate setting. In order to fix this, select the VM where you wish to prevent the copy-and-paste operation interaction. Then select Options>Advanced. Select the General tab and enter the following (or use a combination of them if you wish to enable only one operation, i.e., copy or paste):

isolation.tools.copy.disable true

isolation.tools.paste.disable true

4. Enable domain authentication

Tighten security in vCenter

Use vCenter roles wisely for VM security

Four steps to securing vCenter

Sharing the root password creates several issues around security, not least accountability, but this can easily be resolved by changing the authentication methods. You can set up the host to use Active Directory (AD) authentication quite easily.

Before you enable this feature, you need to create a group in your AD infrastructure called ESX Admins. It must be exactly as shown or it will not work.

Join the domain with the proper credentials
Enter an account with credentials to join the domain.

Once that is done, AD authentication can be enabled on the host. Find the host in question and go to the Configuration tab, click the Properties menu in the right-hand corner. This will pop up a Directory Services configuration menu. On the dropdown, choose Select Directory Service Type and select Active Directory. Domain settings will then become available. Fill in your domain name and press the Join Domain button. At this point you will need to enter an account with credentials to join the domain. If you have issues using the domain\username format, use user@domain format. The latter usually works better than the former.

To make life a bit easier, you may find it appropriate to nest your administrators group in the ESX Admins group. However, don't just place your Domain Admins group inside the ESX Admin group. Do it properly and create a group with your administrators in it.

This login can also be used for the DCUI console if needed.

This was first published in December 2013

Dig deeper on Securing a VMware environment

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchVirtualDesktop

SearchDataCenter

SearchCloudComputing

Close