Much of this guide is concerned with protecting vCloud Director itself, but overall system security also requires securing the infrastructure on which vCloud Director depends, including vSphere, NSX, the cell Linux platform, and the vCloud Director database.
Applying current security patches to each of these infrastructure components before installation is a key step, and ongoing monitoring to keep them at a current patch level is equally important.
Securing Your VMware Infrastructure
- vSphere security: vSphere Security, https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-52188148-C579-4F6A-8335-CFBCE0DD2167.html
- NSX security: Securing VMware NSX for vSphere, https://communities.vmware.com/docs/DOC-27674 and https://communities.vmware.com/docs/DOC-28142
Securing Your Cell Platforms
vCloud Director cells run on a Linux-based operating system as an unprivileged user (vcloud.vcloud) created during installation. The list of supported cell platform operating systems is included in the vCloud Director Release Notes. Securing the cell platform, whether it is physical or virtual, is a key part of securing vCloud Director.
Standard security hardening procedures should be applied to the cell platform, including disabling unnecessary network services, removing unnecessary packages, restricting remote root access, and enforcing strong password policies. Try to use a centralized authentication service such as Kerberos. Consider installation of monitoring and intrusion detection tools.
It is possible to install additional applications and provision additional users on the cell OS instance, but it is recommended that you do not do this. Widening access to the cell OS may decrease security.
Protecting Sensitive Files After Installation
During installation, vCloud Director writes installation data, including passwords, to files in the local file system of the cell Linux host. These files, global.properties and responses.properties, both found under $VCLOUD_HOME/etc, contain sensitive information that you must reuse when you add more servers to a server group. The responses.properties file contains responses provided by the administrator when running the configuration script. That file contains an encrypted version of the vCloud Director database password and system keystore passwords. Unauthorized access to that file could give an attacker access to the vCloud Director database with the same permissions as the database user specified in the configuration script. The global.properties file also contains encrypted credentials that should not be made accessible to anyone but a cell administrator.
At creation, the responses.properties and global.properties files are protected by access controls on the $VCLOUD_HOME/etc folder and the files themselves. Do not change the permissions on the files or folder as it may either give too much access, reducing security, or restrict access too much, stopping the vCloud Director software from working. In order for the access controls to properly work, physical and logical access to the vCloud Director servers must be strictly limited to those with a need to log in and only with the minimal levels of access required. This involves limiting the use of the root account through sudo and other best practices that are outside the scope of this document. Moreover, any backups of the servers must be strictly protected and encrypted, with the keys managed separately from the backups themselves.
For more details, see Protecting and Reusing the Response File in the vCloud Director Installation and Upgrade Guide.
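As an added example (not part of the VMware guide), the following POSIX shell script audits the two files named above without changing them, reporting any file that is missing, not owned by the cell account, or readable by group or others. It assumes the cell account is user vcloud, group vcloud, and that an owner-only mode (for example 600 or 400) is the expected state; the guide itself does not state numeric modes, and the default VCLOUD_HOME path in the comment is an assumption.

```shell
#!/bin/sh
# Added audit script (assumption: owner vcloud, group vcloud, owner-only mode).
# It only reads metadata; it never calls chmod or chown, per the guide's advice.

file_owner_group_mode() {
  # Print "owner group mode" for $1: GNU stat first, BSD/macOS stat as fallback.
  if stat -c '%U %G %a' "$1" 2>/dev/null; then
    return 0
  fi
  stat -f '%Su %Sg %Lp' "$1"
}

check_sensitive_file() {
  # $1 path, $2 expected owner, $3 expected group. Returns 0 only when the
  # file exists, is owned by $2:$3 and grants nothing to group or others.
  f=$1
  if [ ! -f "$f" ]; then
    echo "FAIL $f: missing"
    return 1
  fi
  info=$(file_owner_group_mode "$f") || return 1
  owner=${info%% *}
  rest=${info#* }
  group=${rest%% *}
  mode=${rest#* }
  rc=0
  [ "$owner" = "$2" ] || { echo "FAIL $f: owner $owner, expected $2"; rc=1; }
  [ "$group" = "$3" ] || { echo "FAIL $f: group $group, expected $3"; rc=1; }
  case $mode in
    *00) ;;   # e.g. 600, 400, 700: no group/other bits set
    *)   echo "FAIL $f: mode $mode grants group/other access"; rc=1 ;;
  esac
  [ $rc -eq 0 ] && echo "OK   $f ($owner:$group $mode)"
  return $rc
}

audit_vcloud_files() {
  # $1 = VCLOUD_HOME, $2 = expected owner, $3 = expected group.
  status=0
  for name in global.properties responses.properties; do
    check_sensitive_file "$1/etc/$name" "$2" "$3" || status=1
  done
  return $status
}

# On a cell: VCLOUD_HOME=/opt/vmware/vcloud-director sh audit.sh
# (that path is an assumption; use your installation's VCLOUD_HOME).
if [ -n "${VCLOUD_HOME:-}" ]; then
  audit_vcloud_files "$VCLOUD_HOME" vcloud vcloud || echo "audit: problems found"
fi
```

A non-zero exit from audit_vcloud_files is a signal to investigate who changed the files, not to chmod them back blindly.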
Ensure that any credentials used for administrative access to the cells, vSphere, the vCloud Director database, external firewalls, and other devices follow standards for adequate password complexity. Consider an expiration and rotation policy for passwords wherever possible. Be aware, however, that an expired or changed database, vSphere, or NSX password will make part or all of the cloud infrastructure nonfunctional until vCloud Director is updated with the new passwords.
It is important from a "defense in depth" perspective to vary the administrative passwords for the different servers in the vCloud Director environment, including the vCloud Director cells, the vCloud Director DB, vSphere servers, and NSX manager. This is so that if one set of credentials is compromised (for example, through a disgruntled employee leaving the organization), other systems are not automatically compromised across the rest of the infrastructure.
For more information about account and credential management for administrators and tenants, see User Account Management.