VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION Installation Guide

Browse online or download the installation guide for the software VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION. VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION Installation guide user manual

VMware vCenter Configuration Manager
Security Guide
vCenter Configuration Manager 5.5
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000683-00

Table of Contents

Page 1 - Security Guide

VMware vCenter Configuration Manager Security Guide vCenter Configuration Manager 5.5 This document supports the version of each product listed and suppo

Page 2 - Copyright

Collector service that processes requests and receives results; SQL Server database that stores results and application control information; Internet I

Page 3 - Contents

Figure 1–1. VCM Components and Zones. CAUTION Any system that participates in your VCM environment can contain sensitive data, or it can hold authenticat

Page 4 - VCM User Interface System 39

VCM users and administrators log in to VCM and use its Web interface to administer managed machines using the Agents, run compliance tests, and genera

Page 5 - Authentication 57

Requirement                                               Infrastructure Zone  Server Zone  UI Zone  Agent Zone
Access to machine configuration settings is restricted.   X                    X            X        X
Routine backups, patches, and viru

Page 6 - Index 87

VCM Security Guide 14 VMware, Inc.

Page 7 - About This Book

2 Domain Infrastructure. Securing the domain infrastructure for use with VCM involves configuring the domain controller, network infr

Page 8

Microsoft Domain Controller Hardening Guidelines. To secure the domain controller for use with VCM, start by following Microsoft domain controller harden

Page 9

Carefully Assigning Accounts. As an enterprise-wide configuration management and compliance tool, VCM can collect, correlate, and change system data on m

Page 10 - VMware, Inc

VCM cannot control access to data after it is exported in these ways. When data must be exported, personnel must protect the exported files while store

Page 11 - How Personnel Use VCM

3 VCM Installation Kits. Like the systems on which VCM runs, the software installation kits for VCM must be secured and protected fro

Page 12 - Trust Zones

Copyright. You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also pro

Page 13 - Introduction to VCM Security

Unknown Software Publisher Warnings. Do not ignore unknown software publisher warnings during ClickOnce installations unless the publisher is VMware. When

Page 14

4 Server Zone Security. Address the following security environment guidelines for all systems in the server zone, including the VCM Co

Page 15 - Domain Infrastructure

General Security Guidelines for VCM Servers. In the server zone, VCM systems store and manipulate the collected data and change requests for every manage

Page 16 - Domain Accounts

Dedicating a Server to VCM. VCM relies on the server operating system to protect the confidentiality, integrity, and availability of server zone data fro

Page 17 - Personnel Considerations

The Microsoft CSPs that ship with Windows 2000, 2003, XP, Vista, Windows 7, and Server 2008 meet the FIPS 140–2 standard. Do not delete, replace, or su

Page 18

5 VCM Collector Server. The following sections describe security and hardening guidelines that are unique to the VCM Collector functio

Page 19 - VCM Installation Kits

VCM Security Guide 26 VMware, Inc.

Page 20

6 SQL Server. The following sections describe security and hardening guidelines that are unique to the system where Microsoft SQL Server and you

Page 21 - Server Zone Security

SQL Server 2005 Best Practices Analyzer Tool; SQL Server 2008 R2 Best Practices Analyzer Tool. A secure installation of VCM pays particular attention to

Page 22 - Disabling Automatic Login

For secure operation of VCM, configure for delegation. With private login, the VCM Web service maintains a copy of the VCM user's login credential

Page 23

Contents: About This Book 7; Introduction to VCM Security 9; VCM Security Environment 9; VCM Components 9; How Personnel Use VCM 11; Trust Zones 12; System

Page 24

VCM Security Guide 30 VMware, Inc.

Page 25 - VCM Collector Server

7 Web Server. This chapter describes security and hardening guidelines that are unique to the Web server system where Microsoft Internet Informa

Page 26

Use Integrated Windows Authentication (IWA) with this directory by setting the IIS metabase property NTAuthenticationProviders to the string 'Nego

Page 27 - SQL Server

8 VCM Agent Systems and Managed Machines. This chapter describes security and hardening guidelines for what is possi

Page 28 - Login Accounts for SQL Server

Restricting Access to Scripting. Grant access to script authoring, remote commands, content authoring, and import and export only to VCM administrators. V

Page 29

Use physical (possession, locks) or cryptographic (encrypted file system) means to maintain continuous control. Unauthorized Agents. The managed machine a

Page 30

Trusted Certificate Store. The Agent validates up to two certificates while authenticating and authorizing a Collector: a root certificate and an Enterpr

Page 31 - Web Server

Individual Collection Results. Trust individual collection results to be only as valid as their source. Data collected by VCM is returned by the Agent th

Page 32 - Web Server Certificates

VCM Security Guide 38 VMware, Inc.

Page 33 - Machines

9 VCM User Interface System. The VCM Web Console runs in Internet Explorer and connects to the VCM Web application served by IIS.

Page 34 - VCM Agent

VCM Security Guide. Using VCM to Manage the SQL Server 27; Having a SQL Server Machine Group in VCM 27; Microsoft SQL Server Best Practices and Hardening Te

Page 35 - Maintenance Mode

Access Control. The security environment for machines in the user interface zone is less strict than in the server zone. User interface machines are not

Page 36 - Trustworthiness of Data

Public Access Points. Do not run the VCM user interface from public systems or from public Internet access points like kiosks or Internet cafés. Network t

Page 37 - Individual Collection Results

To add the VCM Web server to the Internet Explorer trusted zone, see the instructions in the VCM Installation Guide. Removing Untrusted Systems. Do not al

Page 38

NOTE Initially, Internet Explorer asks you to review the details of self-signed certificates. It treats self-signed certificates as suspicious until y

Page 39 - VCM User Interface System

VCM Security Guide 44 VMware, Inc.

Page 40 - Access Control

10 Software Provisioning Components. A software package is composed of the files and scripts necessary to install and rem

Page 41 - Cross-site Scripting

Separating and Securing the Software Provisioning Zone. Make the software provisioning zone network a private network. Use a separate, dedicated network

Page 42 - Verifying Certificates

Software Provisioning Credentials. Normally, VCM does not store customer credentials on a managed machine. During software provisioning though, the Netwo

Page 43

VCM Security Guide 48 VMware, Inc.

Page 44

11 Operating System Provisioning Components. VCM operating system provisioning deploys operating system images t

Page 45

Contents: VMware Software Publisher Certificate 43; FIPS Cryptographic Service Providers 43; Running Anti-virus and Anti-rootkit Tools 43; Software Provisioni

Page 46 - Connecting to Repositories

Separating and Securing the OS Provisioning Zone. Make the operating system provisioning zone network a private network. Use a separate, dedicated networ

Page 47

To mitigate this risk, use one or more of the following techniques: Use operating system provisioning only across a secure network. After a machine is

Page 48

VCM Security Guide 52 VMware, Inc.

Page 49

12 Decommissioning. Systems where VCM was installed contain private keys, sensitive credentials, and collection results. Properly decommiss

Page 50 - OS Provisioning Credentials

Besides being difficult to copy securely, copying a private key presents the risk of sharing it with more than one machine, a configuration that is uns

Page 51

Always trace the origin of your virtual machines backward and forward so that you find all systems that contain confidential data or keys. Decommissioni

Page 52

VCM Security Guide 56 VMware, Inc.

Page 53 - Decommissioning

13 Authentication. This chapter describes the VCM authentication and certificate structure. To understand these concepts, you must have some

Page 54 - Erasing Virtual Machines

Using Single or Paired Keys. Encryption usually uses one of the following approaches: Single key (symmetric) algorithms rely on a single key that both e

Page 55

Certificate Expiration and Revocation. Because keys can be compromised and circumstances can change, keys and certificates are not designed for indefinit

Page 56

VCM Security Guide. Mark a Certificate as Authorized on Windows 69; Creating Certificates Using Makecert 70; Create the Enterprise Certificate and First Col

Page 57 - Authentication

An Enterprise certificate; One or more Collectors, each with a certificate; An Agent certificate for each managed machine, for mutual authentication. VCM

Page 58 - Trust Chains

Figure 13–2. Shared Collector-Agent Relationship. To properly support the trust chain, mutual authentication, and multiple Collector environments, Enterp

Page 59 - How VCM Uses Certificates

Authorized Certificates in the Trust Chain. Agents maintain a store of trusted certificates used for authenticating Collectors. When a Collector sends it

Page 60

First Contact. When a Collector first contacts an Agent, the Agent determines whether the Agent already has a certificate and private key pair. If the Ag

Page 61 - Collector Certificate

Collector certificate: Local machine personal system store; Enterprise certificate: Local machine trusted root system store. The private key of the Ente

Page 62 - Agent Certificates

This renewal process only works for Collector certificates stored in the Agent certificate store. In mutual authentication in the other direction, Agen

Page 63 - Changes to Agent Certificates

Replace Only the Collector Certificate. After VCM installation, you can replace the certificates generated or selected during installation. To replace on

Page 64 - Changing Certificates

Installing on Windows with CMAgtInstall.exe. The CMAgtInstall.exe installer executable file does not contain certificates for Agents. Instead, CMAgtInsta

Page 65 - Replacing Certificates

Storing and Transporting Certificates. A certificate contains the public half of a key pair, identifying information, and an authenticating signature. Al

Page 66 - Installing the Agent

If you are exporting the private key, store the file to a secure folder. 9. Type a name for the certificate file and click Save. 10. Click Next. 11. Revi

Page 67 - Installing Using Provisioning

About This Book. The VMware vCenter Configuration Manager Security Guide describes how to harden vCenter Configuration Manager (VCM) for s

Page 68

Prerequisites: Open the certificate store. See "Access the Windows Certificate Store" on page 68. Import the certificate into the Agent machi

Page 69

Create the Enterprise Certificate and First Collector Certificate. In this process, the Enterprise and first Collector systems are the same machine. See

Page 70

Example: makecert -pe -n "CN=CM Collector Certificate BBBBBB" -sky exchange -sv "CMCollector BBBBBB.pvk" -b 04/07/2008 -e 04/07/2018

Page 71

NOTE VCM programmatically uses a long GUID, represented by AAAAAA or BBBBBB, to ensure that a name is unique. You do not need a long GUID in a manual p

Page 72 - Makecert Options

Option Description: the VCM installer have the form: "CN=VMware VCM Collector Certificate AAAAAA, T=VMwareVCM Certificate 7529006C-222F-4EBF-A7E7-F6

Page 73 - Option Description

use <insert your VCM SB name here> update ecm_sysdat_configuration_values set configuration_value = upper(replace('xx xx xx xx xx xx xx xx xx

Page 74

CSI_ManageCertificateStore Options. The following printout of the CSI_ManageCertificateStore manpage is useful in understanding the CSI_ManageCertificat

Page 75 - Environment Variables

CSI_ManageCertificateStore -d -f filename or CSI_ManageCertificateStore -d -g fingerprint. Delete existing certificates from the certificate store: CSI_Man

Page 76

By default, the -l option for listing certificates causes all certificates in the store to be listed. This behavior can be modified by specifying optio

Page 77

Inserting Certificate: Fingerprint: 0041AB5ECF869E1D6A38389A6B834D5768932397 Common Name: Enterprise Certificate 2CA82018-20E1-4487-8A02-DA7A2CFD4304 Sub

Page 78

environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services. VCM S

Page 79

VCM Security Guide 80 VMware, Inc.

Page 80

14 Supplemental References. This chapter provides reference information about VCM and its security implementation. Cryptography. If y

Page 81 - Supplemental References

Operating System  Version  Hardware Platform                           FIPS Module Certificate
Windows 2000      All      x86                                         103
Windows 2008      1        x86 and 64-bit; Itanium is not supported.   See &quo

Page 82

DSSENH Validated Operating Systems  Validated Versions  FIPS Certificate #  FIPS Version Validated
Windows 2000 SP2                    5.0.2195.2228       #103                140–1
Windows 2000 SP3                    5.

Page 83 - Export Considerations

OpenSSL-FIPS, OpenSSL, libssh2. Communication protocols; such as TCP, Telnet, X.25, IEEE 802.11, IEEE 802.16, or SIP: Communication takes place over TCP

Page 84 - VCM Ports

Port  Transport  Usage
389   TCP, UDP   Lightweight Directory Access Protocol (LDAP)
443   TCP        HTTPS (HTTP over SSL/TLS)
445   TCP, UDP   Server message block (SMB)

Page 85 - Port Transport Usage

VCM Security Guide 86 VMware, Inc.

Page 86

Index. A: access 35; UI zone machines 40; accounts: domain 40, granted 17; agent: certificate 59, 62, install 66, installation 33, manual installation 67, one per machine 35, p

Page 87

F: FIPS: agent proxy 83, Windows hardware 81; firewall: SQL Server 28; Foundation Checker 23. H: hardware: FIPS 81; host: decommission 53, OS provisioning server 50, security 1

Page 88

machine 23; managed machines 23; no direct connection 28; trusted software 23, 42; services: network infrastructure 16; signed packages 46; software: ClickOnce 20, pack

Page 89

1 Introduction to VCM Security. To understand VCM security requirements, familiarize yourself with the overall security envir

Page 90

90 VMware, Inc. VCM Security Guide
