You must follow multiple best practices at all times when you operate your vCenter Server instances.
| Best Practice | Description |
|---|---|
| Assign correct roles to vCenter Server users. | Assign users and service accounts only the privileges they require. The principle of least privilege reduces the risk of confidentiality, integrity, or availability loss: a privilege is granted only when a task actually needs it. |
| Use unique service accounts for applications that connect to vCenter Server. | Create a separate service account for each application that connects to vCenter Server, and grant it only the permissions the application needs to run. |
| vCenter Server must restrict access to cryptographic permissions. | Reserve these permissions for cryptographic administrators where VM and/or vSAN encryption is in use. Poorly administered cryptography can result in catastrophic data loss. Only the Administrator and any site-specific cryptographic group must have the following permissions: |
| Use templates to deploy virtual machines. | Build application-specific templates from a template that contains a hardened, patched, and properly configured operating system. Then deploy virtual machines from the application template rather than installing them by hand. |
| The vCenter Server must use LDAPS when adding an SSO identity source. | To protect the integrity of LDAP communications, secure LDAP (LDAPS) must be explicitly configured when adding an LDAP identity source in vSphere SSO. When you supply an SSL certificate while configuring the identity source, vCenter Server enforces secure LDAP. |
| The vCenter Server must implement Active Directory authentication. | The vCenter Server must ensure that users are authenticated with an individual authenticator before using a group authenticator. Using Active Directory for authentication provides more robust account management capabilities. |
| The vCenter Server must use a limited privilege account when adding an LDAP identity source. | When adding an LDAP identity source to vSphere SSO, the account used to bind to Active Directory must be minimally privileged. This account requires only read rights to the base DN specified. Any other permissions, inside or outside of that OU, are unnecessary and violate least privilege. |
| Back up the vCenter Native Key Provider with a strong password. | The vCenter Native Key Provider acts as a key provider for encryption-based capabilities, such as encrypted virtual machines, without requiring an external KMS. When you activate this feature, a backup PKCS#12 file is created. If no password is provided during the backup, anyone who obtains the file can use it to recover the keys and compromise the environment. |
| Restrict access to the cryptographic role. | The built-in Administrator role has permission to perform cryptographic operations, such as Key Management Server (KMS) functions and encrypting and decrypting virtual machine disks. Reserve this role for cryptographic administrators where virtual machine or vSAN encryption is required. Assign all other vSphere administrators, who do not require cryptographic operations, the No cryptography administrator role. |
| The vCenter Server Machine SSL certificate must be issued by an appropriate certificate authority. | Replace the default self-signed, VMCA-issued vCenter reverse proxy certificate with an approved certificate. An approved certificate on the vCenter reverse proxy and other services assures clients that the service they are connecting to is legitimate and trusted. |
| Ensure that participation in CDP or LLDP is intentional. | The vSphere VDS can participate in Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) as a listener, advertiser, or both. This can simplify mapping of network topology and troubleshooting; however, you must ensure that the information sent and received is intentional, because an adversary can use it to gain a better understanding of your environment. |
| Ensure that port mirroring is used legitimately. | The vSphere VDS can mirror traffic from one port to another, allowing observation of that traffic. Ensure that every port mirroring session has a legitimate purpose and that its destination is under your control. |
| Configure the vCenter Server firewall for additional defense-in-depth. | vCenter Server has its own firewall settings that can be used in conjunction with a network/perimeter firewall for additional defense. Ensure that you configure it with |
| Remove unnecessary NICs. | In vCenter Server, you can configure multiple network interfaces connected to different networks. If a system has interfaces on different networks, there is potential to bridge the networks or create a backdoor that circumvents network-based access controls. Ensure that all NICs are configured properly and are necessary. |
| Install security patches and updates for vCenter Server. | Install all security patches and updates on vCenter Server instances as soon as possible. An attacker can exploit known vulnerabilities to gain access or elevate privileges. Mitigate the risk of breaches by updating vCenter Server instances first and then updating ESXi hosts. |
| Configure Key Encryption Keys (KEKs) to be re-issued at regular intervals for the vSAN encrypted datastores. | Interview the SA to determine whether a procedure exists to perform a shallow re-key of all vSAN encrypted datastores at regular, site-defined intervals. This interval must be defined by the SA and the ISSO. If vSAN encryption is not in use, this is not applicable. |
| At a minimum, vCenter must provide an immediate, real-time alert to the system administrator (SA) and information system security officer (ISSO) of all audit failure events requiring real-time alerts. | Ensure that the central logging server is configured to alert the SA and ISSO, at a minimum, on any AO-defined events. Otherwise, this is a finding. If there are no AO-defined events, this is not a finding. |
| Remove unnecessary virtual hardware devices from the VM. | Ensure that no device is connected to a virtual machine unless it is required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. USB devices, sound cards, and other unnecessary hardware may be introduced by migrations from VMware Workstation or Fusion, or through other tools. Any enabled or connected device is a potential attack channel, through device drivers that may contain vulnerabilities and through the ability to introduce software into, or exfiltrate data from, a protected environment. Note: Removing the CD-ROM device may impact VMware Tools installation and maintenance. |
| Consider the risks of using Active Directory groups to authorize vSphere Administrators. | If you use a centralized directory service such as Active Directory for both authentication and authorization, an attacker who compromises the directory service obtains authorization to other infrastructure services as well. It also means that the administrators of the directory service ("Domain Admins") are de facto administrators of the infrastructure. To help manage this risk, where feasible, consider using local SSO groups for authorization. |
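The three permission-related rows above (reserve Cryptographer privileges for crypto administrators, give every other administrator the No cryptography administrator role, and be wary of directory groups holding root-level authorization) can be checked mechanically against an exported permission set. The following script is an added example, not code from the page or from VMware: the role definitions, principals, entity names and the `APPROVED_CRYPTO_PRINCIPALS` set are constructed for illustration, and in practice you would populate them from an inventory export such as PowerCLI's `Get-VIPermission` and `Get-VIRole | Get-VIPrivilege`.

```python
"""Offline audit of an exported vCenter permission set against the
cryptography and directory-group rules in the best-practice table.

Added example; all roles, principals and entities below are constructed.
"""
from dataclasses import dataclass

# vCenter names cryptographic privileges "Cryptographer.<op>"; the guide
# says to reserve all of them for cryptographic administrators.
CRYPTO_PREFIX = "Cryptographer."
SSO_DOMAIN = "VSPHERE.LOCAL"      # local SSO domain (constructed)
ROOT_ENTITY = "Datacenters"       # vCenter root folder (constructed name)

# Constructed role definitions: role name -> privilege IDs it grants.
ROLES = {
    "Admin": {"System.View", "System.Read", "VirtualMachine.Config.AddNewDisk",
              "Cryptographer.Access", "Cryptographer.Encrypt",
              "Cryptographer.ManageKeys"},
    "NoCryptoAdmin": {"System.View", "System.Read",
                      "VirtualMachine.Config.AddNewDisk"},
    "VMPowerUser": {"System.View", "System.Read",
                    "VirtualMachine.Interact.PowerOn"},
    # An over-broad custom role given to a backup product; it should not
    # carry any Cryptographer.* privilege.
    "BackupSvc": {"System.View", "System.Read",
                  "VirtualMachine.Config.AddNewDisk", "Cryptographer.Access"},
}

# Principals allowed to hold Cryptographer.* privileges (constructed).
APPROVED_CRYPTO_PRINCIPALS = {"VSPHERE.LOCAL\\Administrators",
                              "VSPHERE.LOCAL\\CryptoAdmins"}


@dataclass(frozen=True)
class Permission:
    principal: str   # DOMAIN\name, as the vSphere Client and Get-VIPermission show it
    role: str
    entity: str
    propagate: bool


# Constructed permission export.
PERMISSIONS = [
    Permission("VSPHERE.LOCAL\\Administrators", "Admin", ROOT_ENTITY, True),
    Permission("VSPHERE.LOCAL\\CryptoAdmins", "Admin", ROOT_ENTITY, True),
    Permission("CORP\\vsphere-admins", "Admin", ROOT_ENTITY, True),
    Permission("CORP\\ops-team", "NoCryptoAdmin", "DC01", True),
    Permission("CORP\\svc-backup", "BackupSvc", "DC01", True),
    Permission("CORP\\jdoe", "VMPowerUser", "DC01/web-vm", False),
]


def crypto_privileges(role_privs):
    """Return the Cryptographer.* privilege IDs contained in a role."""
    return {p for p in role_privs if p.startswith(CRYPTO_PREFIX)}


def audit(permissions, roles, approved, sso_domain=SSO_DOMAIN, root=ROOT_ENTITY):
    """Return (rule, principal, role, entity, detail) findings, in export order."""
    findings = []
    for perm in permissions:
        privs = roles.get(perm.role)
        if privs is None:
            findings.append(("unknown-role", perm.principal, perm.role, perm.entity, ""))
            continue
        # Rule 1: Cryptographer.* only for approved cryptographic administrators.
        crypto = crypto_privileges(privs)
        if crypto and perm.principal not in approved:
            findings.append(("crypto-outside-approved-group", perm.principal,
                             perm.role, perm.entity, ",".join(sorted(crypto))))
        # Rule 2: a directory (non-SSO) group with a propagating permission on
        # the root makes the directory's admins de facto vSphere admins.
        domain = perm.principal.split("\\", 1)[0].upper()
        if domain != sso_domain and perm.entity == root and perm.propagate:
            findings.append(("directory-group-at-root", perm.principal,
                             perm.role, perm.entity, domain))
    return findings


def no_crypto_role_is_clean(roles, name="NoCryptoAdmin"):
    """True if the 'No cryptography administrator' style role grants no Cryptographer.* privilege."""
    return not crypto_privileges(roles[name])


if __name__ == "__main__":
    for finding in audit(PERMISSIONS, ROLES, APPROVED_CRYPTO_PRINCIPALS):
        print("%-30s %-24s role=%-14s on %-12s %s" % finding)
    print("NoCryptoAdmin role free of Cryptographer.*:", no_crypto_role_is_clean(ROLES))
```

Run against the constructed data, the audit reports `CORP\vsphere-admins` twice (it holds Cryptographer privileges through the Administrator role and is a directory group authorized at the root) and flags the backup service account's custom role for carrying `Cryptographer.Access`; the `CORP\ops-team` grant passes because the No cryptography administrator style role contains no Cryptographer privilege. The check treats a role's privilege set, not its name, as the source of truth, so a custom role that quietly accumulates crypto rights is caught the same way the built-in Administrator role is.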