VCAP6-DCV Deployment – Objective 8.3 – Harden a vSphere 6.x Deployment 3


Main Study Page

Objectives for 8.3 are broke down as the following

  • Enable and configure ESXi Lockdown mode (Strict / Normal)
  • Configure a user on the Lockdown Mode Exception Users list
  • Customize SSH settings for increased security
  • Enable strong passwords and configure password policies
  • Configure vSphere hardening of virtual machines according to a deployment plan

Enable and configure ESXi Lockdown mode (Strict / Normal)

To increase the security of your ESXi hosts, you can put them in lockdown mode.  In lockdown mode, some services are disabled, and some services are accessible only to certain users and operations must be performed through the vCenter by default.  Lockdown mode can be set in Normal or Strict

  • Normal – in this mode the DCUI service is not stopped.  If a connection to vCenter and to the Web Client is lost privileged users can still access the DCUI to exit lockdown mode.
  • Strict – in this mode the DCUI service is stopped.  If a connection to vCenter and to the Web Client is lost the ESXi host becomes unavailable, the host must be reinstalled.

Note – ESXi Shell and SSH services are independent of lockdown mode, these services should still be disabled for the most secure option.

To enable lockdown mode I go to Web Client – Host – Manage – Settings – System – Security Profile – Edit.

vcap8-3-1

I choose Strict then I need to confirm.

vcap8-3-2

Strict mode is now enabled for this host.

vcap8-3-3

Go back to edit to disable lockdown mode.

Lockdown mode can also be enabled from the DCUI.  Open the DCUI by selecting F2 on a ESXi host – Configure Lockdown Mode.

vcap8-3-4

By doing it through the DCUI it will put the host in Normal lockdown mode.

vcap8-3-5


 

Configure a user on the Lockdown Mode Exception Users list

You can specify service accounts that can access the ESXi host directly by adding them to the Exception Users list, this account will have access in the event of a vCenter failure.  Also these accounts can also log into a hosts DCUI in Normal lockdown mode and can then exit lockdown mode.

To add users to the exception list I go to Web Client – Host – Manage – Settings – System – Security Profile – Edit – Exception Users.

vcap8-3-6

Choose Add Lockdown Exception Users.  Pick a local user account if the host is not joined to Active Directory.  If the host is joined to AD the domain will appear.

vcap8-3-7

Select OK to apply.


Customize SSH settings for increased security

By default SSH service and ESXi Shell service is disabled and can be enabled via Web Client – Host – Manage – Settings – System – Security Profile – Edit. 

vcap8-3-8

You can set an availability timeout for ESXi shell to increase security – that is the time it will wait for a user to login before the service is disabled again.  I go to Web Client – Host – Manage – Settings – System – Advanced System Settings.  I then need to edit the following and add a value in seconds.

>UserVars.ESXiShellTimeOut

vcap8-3-9

You must then restart the ESXi Shell and SSH service to take affect.

I can also force idle sessions to close after a set period of time.  I go to Web Client – Host – Manage – Settings – System – Advanced System Settings.  This time I change the following setting and again add the value in seconds.

>UserVars.ESXiShellInteractiveTimeOut

vcap8-3-10


Enable strong passwords and configure password policies

In vSphere 6 a ESXi user password must meet the following requirements.

  • Passwords must contain characters from at least three character classes.
  • Passwords containing characters from three character classes must be at least seven characters long.
  • Passwords containing characters from all four character classes must be at least seven characters long.

To change this I must go to Web Client – Host – Manage – Settings – System – Advanced System Settings and change the following.

>Security.PasswordQualityControl

vcap8-3-11

By default, vCenter Server changes the vpxuser password automatically every 30 days, to change this I go to Web Client – vCenter – Manage – Settings – Advanced Settings and change the following.

>VimPasswordExpirationInDays

vcap8-3-12

To change the password policy for SSO user passwords I go to Web Client – Administration – Configuration – Policy – Password Policy.

vcap8-3-17


Configure vSphere hardening of virtual machines according to a deployment plan

Its difficult to cover all the options for this section, if you get a question on this in the exam the question will lead you in the right direction.  I will try and show some of the most of common tasks.

One common task would be to remove unnecessary hardware devices from a VM.  Web Client – Host and Clusters – Virtual Machine – Action – Edit Settings.

vcap8-3-13

Remove any Floppy drives or CD-ROM drives that are not required.

You can also remove any Serial ports, Parallel ports or Floppy disk controller from the VM’s BIOS that are not required.  Force the VM to boot into BIOS – Advanced – I/O Device Configuration.

vcap8-3-14

Copy and paste is disabled between guest OS and remote console by default, if it has been enabled and need to be disabled check for the following row under VM Options – Advanced – Edit Configuration.

  • isolation.tools.copy.disable
  • isolation.tools.paste.disable

If these rows exist and are set to Enabled – delete the rows.

You can set the VM to Lock the guest operating system when the last remote user disconnects by going to VM Options – Advanced – VMware Remote Console Options – Guest OS Lock.

vcap8-3-15

You can also Limit the number of simultaneous connections to this virtual machine from the same section, default is 40.

vcap8-3-16

 

 


Leave a comment

Your email address will not be published. Required fields are marked *

3 thoughts on “VCAP6-DCV Deployment – Objective 8.3 – Harden a vSphere 6.x Deployment

  • Chris Lewis

    Hi Kyle

    Great article. Any reasons why you wouldn’t go to Home – Administration – Configuration – Policies and then Password Policy and Lockout Policy? You can set Max Lifetime, restrict reuse, set minimum/maximum length and configure complexity. Assuming this is for local users.