Regardless of the specific domain a company works in or its size, IT security has always been one of the key components when it comes to running workloads for internal and external customers. Virtualization is a particularly critical area to protect in that respect, as it centralizes all the resources in one place and acts as the core housing for the workloads. While an attack on a standalone server will only impact its services and those that depend on it, vSphere hosts and vCenter servers must be secured at all costs, as an attack on these could hit everything running on the SDDC stack, impacting hundreds of VMs at once.
This is what happened in the past couple of years, when the IT landscape was plagued by an increase in ransomware attacks against VMware environments. Bad actors would get access to the hypervisors, usually through theft of AD domain credentials, shut down all the virtual machines and then encrypt the files on the datastores. Needless to say, this can be insanely hard to recover from, especially if you don’t have a solid backup solution in place.
VMware has been helping organizations secure their virtual environments for many years with what started as the vSphere Hardening Guide which was later rebranded as the vSphere Security Configuration Guide (SCG). This guide includes a PDF on how to use it and an Excel spreadsheet containing a number of recommendations with commands to set them automatically.
Security hardening
Hardening IT systems refers to the action of tightening security to reduce the attack surface by adjusting specific settings, restricting user access and so on. There is actually a good blog out there about what hardening is. We already discussed this topic on the Vembu blog back in 2018, when vSphere 6.5 was the current version. You can refer to that piece for an introduction to the vSphere Security Configuration Guide.
Note that not everything in the Security Configuration Guide (SCG) falls under the hardening umbrella as a number of recommendations are aimed at auditing purposes or site-specific settings.
vSphere 7 Security Configuration Guide
The vSphere SCG is a baseline for auditing and hardening guidance. As opposed to earlier versions that were tied to the vSphere Hardening guide, a large number of security best practices and recommendations have been committed to the code of vSphere ESXi over the years which now embeds them out-of-the-box to better protect all customers.
As mentioned earlier, the vSphere 7 Security Configuration Guide is made up of a PDF that explains how to use it and the Excel spreadsheet with the recommendations. You can download the vSphere 7 SCG from this permanent redirect link.
Compliance frameworks
There are a bunch of compliance frameworks out there, like NIST 800-53, PCI DSS, CMMC and more. Those compliance frameworks can be confusing and hard to understand, especially for VI admins who have a thousand other duties to attend to, which often creates friction and gaps in understanding during the auditing process. None of these frameworks tell you how to actually configure your environment to be compliant. The vSphere 7 SCG is now aligned with those frameworks to help administrators achieve said compliance much faster.
CIA triad
You may be familiar with this core concept in the security world: the CIA triad refers to three areas that must be addressed when securing an IT system:
– Confidentiality: data is only accessible to those authorized to see it.
– Integrity: data cannot be altered without the change being detected.
– Availability: data and services remain reachable when they are needed.
Abiding by these three principles is mandatory for any security system to ensure that the data stored by an organization is safe and accessible, especially in a world where ransomware attacks target virtual environments. For that reason, VMware further reduced the attack surface with recommendations including, among others:
– Keeping SSH disabled.
– Automating as much as possible through PowerCLI and API calls.
– Patching each step of the stack down to the guest.
Increased release cadence
You may be aware that, a few years ago with vSphere 7, VMware adopted a more aggressive release cycle of every 6 months, which aligns with other software vendors. Whether this was a good thing or not, given all the problems there have been with new vSphere releases, is a different can of worms. However, the vSphere 7 Security Configuration Guide was meant to match this increased release cycle so that errors can be corrected, automation introduced and guidance adjusted more swiftly.
vSphere 7 Virtual Machine Security Parameters
Working towards securing virtual machines is a huge task that is not as straightforward as disabling the virtual console. Settings change between versions: some get added, others are deprecated, and others just have their default values adjusted after feedback from the community or internal testing. To make tracking this tangled mess easier, you can refer to this resource about VM security parameters, which will help you stay current on recommendations on top of the vSphere 7 Security Configuration Guide.
Using the vSphere 7 Security Configuration Guide
The great thing about the vSphere 7 Security Configuration Guide is that it is intuitive to use and includes everything you need to know before going ahead with a change. Just because VMware recommends a value for a setting doesn’t mean you should jump on vCenter and push it to your environment straight away. While it may apply to most environments, yours may have specifics that require more consideration or different values. This is also something the vSphere SCG takes care of, as it will tell you whether a recommended value is already the default, whether it can have a negative impact and so on.
The vSphere 7 Security Configuration Guide gives you the following details about the recommendations:
- Guideline ID: Unique ID to identify the change
- Description: Explains the change
- Discussion: Additional context around the change
- Configuration Parameter: Named setting
- Desired Value: VMware’s recommended value for the setting
- Default Value: Value that is set out-of-the box
- Desired value is the default: Whether the last two match
- Action needed: Whether you should Add, Modify or Audit the specific setting
- Setting Location in vSphere Client: Where you can find the setting in the web UI
- Negative Functional Impact in Change From Default? Can the change have an adverse effect in your environment?
- PowerCLI Command Assessment: Get command to obtain the current value (audit)
- PowerCLI Command Remediation Example: Set command to apply the recommendation
- Able to set using Host Profile: Whether the change can be done using a host profile
- Hardening: Is this a hardening setting or not
- Site Specific Setting: Is it a Site-specific setting or not
- Audit Setting: Is it an audit setting or not
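To show how the Assessment and Remediation columns translate into practice, here is an added PowerCLI example that audits every ESXi host against two recommendations discussed in this post (SSH kept disabled, plus one advanced setting) and only changes anything when -Remediate is passed. It is not code from the SCG or from VMware; it assumes VMware.PowerCLI is installed and a session is already open with Connect-VIServer, and the guideline IDs and the timeout value are placeholders, not values taken from the guide.

```powershell
# Added example (not from the vSphere 7 SCG or VMware). Assumes VMware.PowerCLI
# is installed and Connect-VIServer has already been run. Default is audit-only.
param(
    [switch]$Remediate   # pass -Remediate to apply the desired values
)

$sshServiceKey    = 'TSM-SSH'                               # ESXi SSH service
$shellTimeoutName = 'UserVars.ESXiShellInteractiveTimeOut'  # seconds, 0 = never
$shellTimeoutWant = 900   # PLACEHOLDER: take the real value from the SCG spreadsheet

function Get-Action($compliant) {
    if ($compliant) { 'Audit' } elseif ($Remediate) { 'Modified' } else { 'Modify' }
}

$report = foreach ($vmhost in Get-VMHost) {
    # --- Assessment (SCG "PowerCLI Command Assessment"): SSH must be stopped
    #     and its startup policy set to "off" so it stays off after a reboot.
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq $sshServiceKey }
    $sshCompliant = (-not $ssh.Running) -and ($ssh.Policy -eq 'off')
    if (-not $sshCompliant -and $Remediate) {
        # --- Remediation (SCG "PowerCLI Command Remediation Example")
        if ($ssh.Running) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
        Set-VMHostService -HostService $ssh -Policy Off | Out-Null
    }
    [pscustomobject]@{
        VMHost      = $vmhost.Name
        GuidelineID = 'PLACEHOLDER-ssh-disabled'
        Current     = "Running=$($ssh.Running) Policy=$($ssh.Policy)"
        Desired     = 'Running=False Policy=off'
        Compliant   = $sshCompliant
        Action      = Get-Action $sshCompliant
    }

    # --- Assessment: an advanced setting, read with Get-AdvancedSetting
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $shellTimeoutName
    $timeoutCompliant = ([int]$setting.Value -eq $shellTimeoutWant)
    if (-not $timeoutCompliant -and $Remediate) {
        # --- Remediation: write the desired value back with Set-AdvancedSetting
        Set-AdvancedSetting -AdvancedSetting $setting -Value $shellTimeoutWant -Confirm:$false | Out-Null
    }
    [pscustomobject]@{
        VMHost      = $vmhost.Name
        GuidelineID = 'PLACEHOLDER-shell-timeout'
        Current     = $setting.Value
        Desired     = $shellTimeoutWant
        Compliant   = $timeoutCompliant
        Action      = Get-Action $timeoutCompliant
    }
}

$report | Format-Table -AutoSize
```

Run it without -Remediate first to get a compliance table per host, and compare the Current column against the guide's Default Value and Negative Functional Impact columns before applying anything.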
Conclusion
As you know, a large number of decisions in the IT landscape are driven by security concerns. Some companies will go to extreme lengths, with large investments of cash, to tighten every single nut and bolt in their on-prem and cloud environments, while smaller businesses will do the best they can with the resources at their disposal. While you can always find ways to further improve security, following the vSphere 7 Security Configuration Guide will guide you through hardening your environment with a sensible set of settings and considerations.