1.1.1 vSphere Security: Virtual Machine Security Enhancements {To be applied}

Options / Discussion (the Visual column held screenshots that are not reproduced here)

Security Profile: custom VM security measures, applied as VMX file edits (direct commands)

Prevent virtual disk shrinking.
    1. isolation.tools.diskWiper.disable=TRUE
    2. isolation.tools.diskShrink.disable=TRUE

Ensure that unauthorized devices are not connected.
    3. Floppy drives: floppyX.present
    4. Serial ports: serialX.present
    5. Parallel ports: parallelX.present
    6. USB controller: usb.present
    7. CD-ROM: ideX:Y.present

Prevent unauthorized removal, connection and modification of devices.
    8. isolation.device.connectable.disable=TRUE
    9. isolation.device.edit.disable=TRUE

Disable VM-to-VM communication through VMCI.
    10. vmci0.unrestricted=FALSE

Limit VM log file size and number.
    11. log.rotateSize=1000000
    12. log.keepOld=10

Limit informational messages from the VM to the VMX file.
    13. tools.setInfo.sizeLimit=1048576

Avoid using independent non-persistent disks.
    - Not present
    - Not set to independent-nonpersistent

Disable certain unexposed features (point 21 is optional):
    14. isolation.tools.unity.push.update.disable=TRUE
    15. isolation.tools.ghi.launchmenu.change=TRUE
    16. isolation.tools.memSchedFakeSampleStats.disable=TRUE
    17. isolation.tools.getCreds.disable=TRUE
    18. isolation.tools.ghi.autologon.disable=TRUE
    19. isolation.bios.bbs.disable=TRUE
    20. isolation.tools.hgfsserverset.disable=TRUE
    21. isolation.tools.ghi.autologon.disable=TRUE

Disable remote operations within the guest. (If enabled, the system administrator can execute scripts or programs that use the VIX API to execute tasks within the guest OS.)
    22. guest.command.enabled=FALSE

For highest security, only one remote console session at a time should be allowed.
    23. remotedisplay.maxconnections=1

Explicitly disable copy operations.
    24. isolation.tools.copy.disable=TRUE

Explicitly disable paste operations.
    25. isolation.tools.paste.disable=TRUE

Disable VM Monitor Control.
    26. isolation.monitor.control.disable=TRUE

These additional configuration parameters ensure that exposed resource variables cannot be turned into security vulnerabilities.

Do not send host performance information to guests.
    27. tools.guestlib.enableHostInfo=FALSE

Global Windows time sync recommendation.
    28. tools.syncTime="True"
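As an added example (not part of the original slide deck, and not VMware's tooling), the following Python script audits a .vmx file against the settings listed above: it reports every setting from the list that is missing or holds a non-hardened value, flags removable devices that are present (settings 3-7), and flags any virtual disk whose mode is independent-nonpersistent. The sample .vmx content is constructed for the example; the case-insensitive comparison of keys and values is this script's own design choice.

```python
import re
import sys
from typing import Dict, List, Tuple

# Settings 1-2 and 8-28 from the slide, in the slide's own spelling.
# This script compares keys and values case-insensitively (design choice).
EXPECTED: Dict[str, str] = {
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
    "vmci0.unrestricted": "FALSE",
    "log.rotateSize": "1000000",
    "log.keepOld": "10",
    "tools.setInfo.sizeLimit": "1048576",
    "isolation.tools.unity.push.update.disable": "TRUE",
    "isolation.tools.ghi.launchmenu.change": "TRUE",
    "isolation.tools.memSchedFakeSampleStats.disable": "TRUE",
    "isolation.tools.getCreds.disable": "TRUE",
    "isolation.tools.ghi.autologon.disable": "TRUE",
    "isolation.bios.bbs.disable": "TRUE",
    "isolation.tools.hgfsserverset.disable": "TRUE",
    "guest.command.enabled": "FALSE",
    "remotedisplay.maxconnections": "1",
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.monitor.control.disable": "TRUE",
    "tools.guestlib.enableHostInfo": "FALSE",
    "tools.syncTime": "TRUE",
}

# Settings 3-7: device presence keys that need review when set to TRUE.
DEVICE_RE = re.compile(r"^(floppy\d+|serial\d+|parallel\d+|usb|ide\d+:\d+)\.present$")
# Virtual disk mode keys such as scsi0:0.mode; independent-nonpersistent is discouraged.
DISK_MODE_RE = re.compile(r"^(scsi|ide|sata)\d+:\d+\.mode$")
# One VMX line: key = "value" (quotes optional); lines starting with # are comments.
VMX_LINE_RE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?([^"]*)"?\s*$')

Finding = Tuple[str, str, str]  # (key, expected, actual)


def parse_vmx(text: str) -> Dict[str, str]:
    """Return {lower-cased key: value} for every key = "value" line."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def audit_vmx(text: str) -> List[Finding]:
    """Compare a .vmx file's contents against the slide's hardening list."""
    settings = parse_vmx(text)
    findings: List[Finding] = []
    for key, want in EXPECTED.items():
        have = settings.get(key.lower(), "<missing>")
        if have.upper() != want.upper():
            findings.append((key, want, have))
    for key, value in settings.items():
        if DEVICE_RE.match(key) and value.upper() == "TRUE":
            findings.append((key, "FALSE or absent", value))
        if DISK_MODE_RE.match(key) and value.lower() == "independent-nonpersistent":
            findings.append((key, "not independent-nonpersistent", value))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings as one line per deviation."""
    if not findings:
        return "OK: all listed hardening settings present"
    lines = [f"{len(findings)} finding(s):"]
    for key, want, have in findings:
        lines.append(f"  {key}: expected {want}, found {have}")
    return "\n".join(lines)


# Constructed sample .vmx fragment (not a real VM) with several deviations.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
isolation.tools.diskWiper.disable = "TRUE"
isolation.tools.diskShrink.disable = "FALSE"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
vmci0.unrestricted = "TRUE"
log.rotateSize = "1000000"
log.keepOld = "10"
tools.setInfo.sizeLimit = "1048576"
floppy0.present = "FALSE"
usb.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "web01.vmdk"
scsi0:0.mode = "independent-nonpersistent"
guest.command.enabled = "FALSE"
RemoteDisplay.maxConnections = "1"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
tools.guestlib.enableHostInfo = "FALSE"
tools.syncTime = "TRUE"
"""

if __name__ == "__main__":
    # Usage: python audit_vmx.py /path/to/vm.vmx   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VMX
    print(format_report(audit_vmx(text)))
```

Run against the sample the script reports twelve findings: the two settings with the wrong value, eight settings that are absent, the USB controller that is present, and the disk in independent-nonpersistent mode. Point 21 on the slide repeats point 18, so the table above carries it once.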
1.1.1 vSphere Security: ESXi Host Security Enhancements {To be applied}

Options / Discussion (the Visual column held screenshots that are not reproduced here)

Security Profile: custom host security measures, applied as direct commands

To disable the host welcome login web page:
    # vim-cmd proxysvc/remove_service "/" "httpsWithRedirect"

Disable the Managed Object Browser:
    # vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"

This advanced system change will prevent all web-based access, including via the SDK.
vSphere 5.x Basic Security Hardening