User manual VMWARE VCM 5.3 CONFIGURATION MANAGER SECURITY ENVIRONMENT REQUIREMENTS


Manual abstract: user guide VMWARE VCM 5.3 CONFIGURATION MANAGER SECURITY ENVIRONMENT REQUIREMENTS


[...]

vCenter Configuration Manager Security Environment Requirements
VMware VCM 5.3
WHITE PAPER

Table of Contents

1.0 Introduction to The Security Environment of VCM
2.0 Background Concepts
3.0 Secure Domain Infrastructure
    3.1 Domain controller is trusted
    3.2 Network infrastructure is secure
    3.3 Network infrastructure services are available
    3.4 'Trusted' certificates, certificate authorities, and certificate servers are trusted
    3.5 Network infrastructure hosts are at least as secure as VCM
4.0 Hosting Environment
    4.1 VCM servers are secured and managed like network infrastructure
    4.2 UI Zone machines should be subject to access controls
    4.3 Data originating from a managed machine is no more trustworthy than the machine
    4.4 Server zone machine dedicated to VCM
5.0 Personnel Selection and Training
    5.1 VCM accounts are granted to users who are trusted, trained, and qualified as system and network administrators
    5.2 VCM users are advised to treat direct login prompts to VCM with skepticism and caution
    5.3 VCM users must protect collected data as confidential information
    5.4 Trust individual collection results no more than their source
    5.5 Beware of cross-site scripting attacks
    5.6 Exported data is outside the control of VCM
6.0 Host Preparation and Management
    6.1 VCM hosts pass Foundation Checker checks
    6.2 Cryptographic service providers are FIPS-140 certified
    6.3 SQL Server best practices are followed
    6.4 Only trusted software should be installed in the server zone
    6.5 Perform routine backups, patches, and virus scanning
7.0 Safeguarding Installation Kits
    7.1 VCM installation kits are obtained from VMware or secure sources
    7.2 VCM installation kits are protected from tampering or verified
    7.3 Unknown software publisher warnings during ClickOnce installations are not dismissed unless the publisher is VMware
    7.4 Automatic upgrade of the VCM Remote Client is not used to install software
8.0 IIS Preparation
    8.1 IIS set to use Windows integrated authentication for the VCM Web site root
    8.2 VCM Web Service uses HTTPS
    8.3 SSL/HTTPS certificate issued by trusted CA or self Issued
9.0 SQL Server Preparation
    9.1 Follow Microsoft SQL Server configuration best practices
    9.2 Use delegation with a VCM split installation
    9.3 Protect SQL Server from connections originating outside the server zone
    9.4 Forbid direct SQL Server login by VCM users
10.0 Web Browser Preparation
    10.1 Place the VCM Web host in the IE trusted zone
    10.2 Verify the VCM Web host's HTTPS certificate
    10.3 Verify the VCM software publisher certificate
    10.4 Remove untrusted machines from the IE trusted zone
    10.5 Customize Internet Explorer's trusted zone Internet security options
11.0 Agent Installation and Maintenance
    11.1 File and directory access controls prevent tampering
    11.2 Access control on machine configuration prevents tampering
    11.3 The Agent is available for collection
    11.4 The Trusted Certificate Store contains reputable certificates
    11.5 The enterprise certificate authorized collection
    11.6 Unauthorized (private) Agents are not allowed
    11.7 Continuous possession and control of the Agent
12.0 Software Provisioning Components
    12.1 All published packages are signed by trusted parties
    12.2 Protect repositories
    12.3 Accept only reputable software package publishers
    12.4 Configure only trusted sources over secure channels
    12.5 Take precautions when using VCM Software Provisioning Extensions
13.0 Proper Decommissioning
    13.1 An installation of VCM is properly decommissioned before its hardware is repurposed or retired
    13.2 Collector and Agent private keys used for TLS are not copied between machines
    13.3 Enterprise certificate private key and IIS (for HTTPS) host private keys are transferred manually
    13.4 Server zone hosts have their disks removed and transferred, secured, or erased before decommissioning
    13.5 Agent private keys are erased at Agent install
    13.6 Unused network authority accounts are disabled or removed
References

1.0 Introduction to The Security Environment of VCM

VCM operates within the context of a security environment. This environment consists of host configuration, various personnel and usage assumptions, organizational security policies, configuration settings, and best practices. Ultimately all security requirements are met either by controls built into VCM that leverage the environment, or by controls built into the environment itself. Understanding and maintaining the security environment is an important responsibility of the VCM administrator and users.

[...]

In addition, customers should follow the SQL Server Security Best Practices when configuring the database instance that will store VCM data. These are available in the SQL Server 2005 SP3 Security Features and Best Practices. [6]

6.4 Only trusted software should be installed in the server zone

Even if server zone hosts are dedicated to running VCM, extra software packages beyond those provided by VMware or Microsoft are likely to be needed. Only trusted software should be installed, preferably software accompanied and verified by a software publisher certificate. It is unsafe to use software of unaccountable origin on machines in the VCM server and UI zones.

6.5 Perform routine backups, patches, and virus scanning

Routine host maintenance functions like backups, patches, and virus scanning should be performed on VCM hosts. Since UI and server zone hosts can also be managed machines, VCM itself provides the means for performing these functions.

7.0 Safeguarding Installation Kits

7.1 VCM installation kits are obtained from VMware or secure sources

Secure operation of VCM requires that the product's software be untampered with and intact as delivered by VMware. VMware ships VCM and add-on products on CD/DVD in packages signed by the VMware Software Publisher Certificate. This software reaches customer machines in various ways:

- Delivery of the CD/DVD
- Download from http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vcenter_configuration_manager/5_0
- ClickOnce™ download from the server zone
- Agent push install by the Collector service
- Patching Agent push by Patching
- Thin client UI by HTTP
- VCM Remote updates
- Patching deployed patches and updates
- VMware VCM Software Provisioning
- SMS
- Group Policy
- VCM Remote Command file attachments

The best practice is to ensure that each kit is either obtained from a secure channel, or is verified. Executables and MSI installers can be verified by using the Certificate Verification Tool available on the Microsoft Developer's Network. [7] The VMware Software Publisher Certificate is available at http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vcenter_configuration_manager/5_0.

7.2 VCM installation kits are protected from tampering or verified

When VCM installation kits are stored on writable media, they must be protected from tampering prior to installation. Compliance rules and other content exported using the VCM import/export tool likewise should be protected while in transit to other sites.
Authenticode signatures on installation kits are verified just prior to installation. For example:

    signtool verify /a /v "CMAgent<version>.msi"

7.3 Unknown software publisher warnings during ClickOnce installations are not dismissed unless the publisher is VMware

When ClickOnce software is installed through the VCM UI, IE will warn the user if the software is from an untrusted publisher (one whose Software Publisher Certificate is not in the trusted software publisher's certificate store). Despite the warning, the user can still choose to allow the software installation. However, this should not be done unless the software publisher is VMware. VMware software is identifiable as signed with the VMware Software Publisher Certificate.

7.4 Automatic upgrade of the VCM Remote Client is not used to install software

VCM Remote can push new VCM Remote Agents to the VCM Remote clients. This mechanism should not be used to distribute software other than VCM Remote.

8.0 IIS Preparation

VCM IIS web service and virtual directories should be properly prepared as described in the following sections.

8.1 IIS set to use Windows integrated authentication for the VCM Web site root

The interface to the VCM console is through a thin browser-based interface to an IIS served web application located at the /VCM virtual directory. Integrated Windows Authentication (IWA) should be used with this directory. This can be done by setting the IIS metabase property NTAuthenticationProviders to the string 'Negotiate,NTLM'. This is the default value, but VCM administrators should explicitly set this value at the /VCM directory regardless, in case subsequent modifications to the IIS metabase would unintentionally override the default value.
Locate instructions for setting the metabase property in Microsoft Knowledge Base Article 215383, "How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication." [8]

8.2 VCM Web Service uses HTTPS

Although it is possible to use the VCM UI across HTTP, this should not be done, as collection results may travel across the network insecurely. The VCM document root should be set to require HTTPS by following the directions described in Microsoft Knowledge Base Article 324069, "How to Set Up an HTTPS Service in IIS" [9]. HTTPS not only provides security against snooping, it also assures connection to a legitimate (not spoofed) instance of VCM. In addition, an HTTPS connection activates security precautions built into IE when combined with the IE configuration recommendations listed later.

[...]

Do not initiate software provisioning install/remove package operations on an untrustworthy machine. Restrict provisioning operations to provisioning collections and add/remove source. Assign the least permissions and login rights necessary to the network authority account used with a managed machine subject to software provisioning install/remove package operations. Assign an individual network authority account using a local administrator credential to an untrustworthy machine subject to software provisioning install/remove package operations.

13.0 Proper Decommissioning

Hosts onto which VCM has been installed contain private keys, confidential credentials, and collection results. [...]
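
The checks in sections 7.2 and 7.3 (verify the Authenticode signature just before installation, and accept only VMware as publisher) can be scripted as a gate in front of the installer. The PowerShell below is an added example, not part of the VMware white paper: the function name Test-VcmKit, the kit path and the 'O=VMware' subject pattern are assumptions, and pinning the thumbprint of the VMware Software Publisher Certificate you obtained from VMware is stricter than the subject match.

```powershell
# Added example (not VMware code): fail-closed Authenticode gate for a kit.
function Test-VcmKit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: substring expected in the signer certificate's subject.
        [string] $PublisherPattern = 'O=VMware',
        # Optional: thumbprints of publisher certificates you already trust.
        [string[]] $AllowedThumbprint = @()
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Kit not found: $Path"
    }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $reasons = @()

    # Only 'Valid' passes: the file hash matches the signature and the chain
    # builds to a trusted root. NotSigned, HashMismatch, NotTrusted and
    # UnknownError are all rejected.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        $reasons += "signature status is $($sig.Status): $($sig.StatusMessage)"
    }

    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        $reasons += 'no signer certificate present'
    }
    else {
        if ($cert.Subject -notlike "*$PublisherPattern*") {
            $reasons += "unexpected publisher: $($cert.Subject)"
        }
        if ($AllowedThumbprint.Count -gt 0 -and $cert.Thumbprint -notin $AllowedThumbprint) {
            $reasons += "thumbprint $($cert.Thumbprint) is not in the allow list"
        }
    }

    # The SHA-256 is recorded so the installed kit can be traced later.
    [pscustomobject]@{
        Path    = $Path
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signer  = if ($cert) { $cert.Subject } else { $null }
        Trusted = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Usage (placeholder path): install only when the gate passes.
# $r = Test-VcmKit -Path 'C:\Kits\CMAgent.msi'
# if (-not $r.Trusted) { throw "Refusing to install: $($r.Reasons -join '; ')" }
```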
