The VMware vSphere Security Configuration Guide has long been the standard baseline used by engineers across the world for hardening VMware vSphere environments. With the release of VMware vSphere 8.0, VMware also released a new version of the security configuration guide. For those familiar with implementing United States (U.S.) Department of Defense (DoD) Defense Information Systems Agency (DISA) STIGs, the guidance provided within the VMware vSphere 8 Security Configuration Guide should seem quite familiar. While not as strict as STIG guidance, the security configuration guide covers many of the same areas of concern, often implementing similar or slightly less aggressive security settings.
“The vSphere Security Configuration Guide is intended to be a baseline set of security best practices that inform a vSphere Administrator’s security efforts in a general way that examines the tradeoffs at hand. Turning on all security features to their highest levels can be detrimental, impeding day-to-day efforts by administrators to operate, patch, and monitor their environments. The Security Configuration Guide is not a catalogue of all available security controls, it is simply a reasonable baseline from which we can operate.”
Compliance Content Included
The following VMware vSphere 8 Security Configuration Guide components are included in my VMware Aria Operations compliance content downloads:
- VMware vSphere Security Configuration Guide 8, Virtual Machine Controls - Version 800-20221031-01
- VMware vSphere Security Configuration Guide 8, ESXi Controls - Version 800-20221031-01
- VMware vSphere Security Configuration Guide 8, vCenter Server Controls - Version 800-20221031-01
My VMware Aria Operations compliance content is broken into two types of downloads. The first is a single bundle that includes all of the symptom, alert, and recommendation content together with a custom compliance benchmark definition. The second is a separate download of the alert/symptom/recommendation content for each of the components (virtual machine, ESXi, vCenter application). The content can be downloaded from the Downloads page on this site.
I have attempted to include automated compliance checks for as many of these components as possible. Unfortunately, due to limitations in the data collected by Aria Operations, or because various controls require manual verification, only a subset of the compliance checks is included. I have noted the excluded checks within the notes for each of the VMware Aria Operations Alerts. Additionally, below is a list of those checks that are not included in my compliance content download:
VMware vSphere Security Configuration Guide 8, Virtual Machine Controls - Version 800-20221031-01
- vm-8.ft-encrypted - Require encryption for Fault Tolerance logging.
- vm-8.isolation-tools-setGUIOptions-enable - Disable console GUI operations in a virtual machine.
- vm-8.isolation-tools-vmxDnDVersionGet-disable - Disable drag & drop console functionality.
- vm-8.remove-unnecessary-devices - Remove unnecessary virtual hardware.
VMware vSphere Security Configuration Guide 8, ESXi Controls - Version 800-20221031-01
- esxi-8.account-password-max-days - Maximum number of days between password changes.
- esxi-8.annotations-welcomemessage - Configure the text of the login message.
- esxi-8.etc-issue - Configure the text of the SSH connection banner.
- esxi-8.host-client-session-timeout - Set a timeout to automatically terminate idle ESXi host client sessions.
- esxi-8.lockdown-exception-users - Ensure the Lockdown Mode Exception Users list is empty.
- esxi-8.supported - ESXi is a version with active maintenance by VMware.
- esxi-8.updates - ESXi is up to date.
- esxi-8.vmk-management - Ensure that vSAN, vMotion, and other dedicated VMkernel Adapters do not have management services enabled.
VMware vSphere Security Configuration Guide 8, vCenter Server Controls - Version 800-20221031-01
- vcenter-8.administration-client-session-timeout - Configure a timeout for idle vSphere Client sessions.
- vcenter-8.administration-login-message-details - Configure the text of the detailed login message, linked from the login message text.
- vcenter-8.administration-login-message-enable - Enable the login message to be displayed.
- vcenter-8.administration-login-message-text - Configure the text of the login message.
- vcenter-8.administration-sso-groups - Consider the risks of using Active Directory groups to authorize vSphere Administrators.
- vcenter-8.administration-sso-password-lifetime - Maximum number of days between password changes.
- vcenter-8.administration-sso-password-policy - Ensure the vSphere SSO domain password policies are correct for your site.
- vcenter-8.administration-sso-password-reuse - Number of passwords to remember for each user.
- vcenter-8.network-restrict-discovery-protocol - Disable participation in CDP or LLDP.
- vcenter-8.network-restrict-netflow-usage - Ensure that NetFlow traffic is being sent to authorized collectors.
- vcenter-8.network-restrict-port-mirroring - Ensure that port mirroring is being used legitimately.
- vcenter-8.supported - vCenter Server is a version with active maintenance by VMware.
- vcenter-8.vami-access-ssh - Limit access to vCenter Server by restricting SSH.
- vcenter-8.vami-administration-password-expiration - Ensure password expiration for the root user is correct for your site.
- vcenter-8.vami-networking-settings - Remove unnecessary NICs.
- vcenter-8.vami-updates - vCenter Server is up to date.
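Because the checks listed above are not covered by the Aria Operations content, they still have to be verified some other way. The following PowerCLI script is an added example, not part of the compliance content download and not VMware's code, that performs a read-only audit of a handful of the excluded virtual machine and ESXi controls from the two lists above: the two isolation.tools advanced settings, unnecessary virtual hardware, management traffic on dedicated VMkernel adapters, and the Lockdown Mode exception users list. It assumes an existing Connect-VIServer session, that the advanced-setting names and expected values follow the control IDs above, and that the set of "unnecessary" device types is my own summary of that control rather than a list taken from the guide.

```powershell
# Added example: read-only audit of several SCG 8 checks that the Aria Operations
# content does not cover. Assumes VMware.PowerCLI is loaded and Connect-VIServer
# has already been run (e.g. Connect-VIServer -Server <vcenter-fqdn-placeholder>).

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Control, [string]$Entity, [string]$Detail)
    $findings.Add([pscustomobject]@{ Control = $Control; Entity = $Entity; Detail = $Detail })
}

# vm-8.isolation-tools-setGUIOptions-enable and vm-8.isolation-tools-vmxDnDVersionGet-disable:
# expected values for the VM advanced settings (assumption: derived from the control IDs above).
$vmSettings = @{
    'isolation.tools.setGUIOptions.enable'     = 'FALSE'
    'isolation.tools.vmxDnDVersionGet.disable' = 'TRUE'
}

# vm-8.remove-unnecessary-devices: device types a server VM rarely needs (my summary, not the guide's list).
$unneededDeviceTypes = 'VirtualFloppy', 'VirtualCdrom', 'VirtualUSBController', 'VirtualSerialPort', 'VirtualParallelPort'

foreach ($vm in Get-VM) {
    foreach ($name in $vmSettings.Keys) {
        $setting = Get-AdvancedSetting -Entity $vm -Name $name
        # A missing setting is reported as a finding: the product default is not the value the guide expects.
        if (-not $setting -or ("$($setting.Value)".ToUpper() -ne $vmSettings[$name])) {
            Add-Finding "vm-8 $name" $vm.Name "expected $($vmSettings[$name]), found '$($setting.Value)'"
        }
    }

    $devices = $vm.ExtensionData.Config.Hardware.Device |
        Where-Object { $_.GetType().Name -in $unneededDeviceTypes }
    foreach ($dev in $devices) {
        Add-Finding 'vm-8.remove-unnecessary-devices' $vm.Name "$($dev.GetType().Name): $($dev.DeviceInfo.Label)"
    }
}

foreach ($esx in Get-VMHost) {
    # esxi-8.vmk-management: a VMkernel adapter dedicated to vMotion, vSAN or FT logging
    # should not also carry management traffic.
    foreach ($vmk in Get-VMHostNetworkAdapter -VMHost $esx -VMKernel) {
        $dedicated = $vmk.VMotionEnabled -or $vmk.VsanTrafficEnabled -or $vmk.FaultToleranceLoggingEnabled
        if ($dedicated -and $vmk.ManagementTrafficEnabled) {
            Add-Finding 'esxi-8.vmk-management' $esx.Name "$($vmk.Name) carries management traffic alongside vMotion/vSAN/FT"
        }
    }

    # esxi-8.lockdown-exception-users: the exception list should be empty.
    $accessMgr  = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
    $exceptions = $accessMgr.QueryLockdownExceptions()
    if ($exceptions) {
        Add-Finding 'esxi-8.lockdown-exception-users' $esx.Name ("Exception users: " + ($exceptions -join ', '))
    }
}

# One row per finding; an empty table means the audited controls are compliant.
$findings | Sort-Object Control, Entity | Format-Table -AutoSize
```

The script only reads configuration; it never calls Set-AdvancedSetting or removes devices, so it can be run against production with a read-only vCenter role. Controls such as esxi-8.supported, esxi-8.updates, and the vCenter password and login-message settings are deliberately left out because they depend on site policy or release data rather than on a value the API exposes.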