Wednesday, February 13, 2019

Security Recommendation and Hardening on Virtual Environments - Chapter Two



This is the second part of my security recommendations for vSphere environments. Continuing from the first chapter, I want to explain more about how to secure our virtualization infrastructure. Unlike the previous post, which covered services and protocols, this one discusses five topics on hardening credentials in a virtualization infrastructure:

1. Account Lockout Duration: ESXi hypervisors are a very important part of the VI, and you must track and investigate every action on them. To prevent one of the most common attacks on ESXi credentials, first secure every type of login: DCUI, Shell, SSH, Web Client and vSphere Client. As a first step, increase the login-failure lockout duration for the root account and every other sensitive credential. As of vSphere v6.0, account lockout is supported only for SSH and the vSphere Web Services SDK, not for DCUI and Shell access. The default setting is 5 failed attempts and a 15-minute lockout period. If you feel that is not enough to deter further retries, increase the lockout duration and decrease the number of permitted failed logins. For example, if you want to allow for a few mistyped passwords, because your VI admins may still be sleepy or eating breakfast at their desks like me and blah blah blah, I think 3 failed login attempts is enough, and a lockout of at least 30 minutes is a good choice to reduce the risk of password guessing, brute-force and dictionary attacks. (Authentication Layer)

2. Limit access to hosts per IP: No one should be able to connect to your VI assets, such as ESXi or vCenter servers, unless they are approved persons and their systems on the network are permitted. The hosts and other VI management systems should therefore accept connections only from specific client IP addresses that belong to VI admins, regardless of whether they are correct or not. (Access Layer)

3. Who has which access, exactly? Sadly, it is common practice to grant root access to every member of the VI support and administration team. You need to specify clearly which privileges each authorized member needs, so that you can grant default roles such as VM Power User or Network Administrator, or create a new role with the actions required for that level. If I don't need certain privileges for my daily management tasks, it is better never to have them. (Personally, I have always preferred never to carry more responsibility than I am legally permitted, and I hope you take this advice.) Finally, grant the appropriate role to each VI admin, VM help desk or tech support member. (Authorization Layer)

4. How long do you need to stay logged in? This is especially sensitive if you are in a Shell or SSH session (you know, because of the magical power of these management interfaces!) and leave your PC for a few minutes. What should happen to your idle connection? Obviously, it must be terminated after a short while if you have not come back. It is therefore strongly recommended to set an idle timeout and an availability timeout for all connection methods (ESXi Shell, SSH or DCUI).

5. SSO password policy configuration: Never change these settings, or if you do, never make them weaker (please, for God's sake). It is very important that every member of the VI admin team uses a very complex password and that nobody logs in with the default user.
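For items 1 and 4, the lockout and timeout values can be audited and set on every host through ESXi advanced settings. The following PowerCLI script is an added example, not part of the original post; it assumes PowerCLI is installed and `Connect-VIServer` has already been run, uses the post's 3 attempts / 30 minutes for lockout, and uses timeout values that are assumptions for illustration.

```powershell
# Added example (not from the original post).
# Assumes an existing PowerCLI session: Connect-VIServer <your vCenter>

# Target values. Lockout numbers follow the post (3 failures, 30 minutes).
# The three timeout values are assumptions; pick what fits your policy.
$desired = [ordered]@{
    'Security.AccountLockFailures'         = 3     # failed logins before lockout
    'Security.AccountUnlockTime'           = 1800  # lockout duration, seconds (30 min)
    'UserVars.ESXiShellInteractiveTimeOut' = 600   # idle Shell/SSH session timeout, seconds (assumed)
    'UserVars.ESXiShellTimeOut'            = 600   # availability timeout for Shell/SSH services, seconds (assumed)
    'UserVars.DcuiTimeOut'                 = 600   # idle DCUI timeout, seconds (assumed)
}

# Walk every host, record the current value, and change only what differs.
$report = foreach ($vmhost in Get-VMHost) {
    foreach ($name in $desired.Keys) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
        $before  = $setting.Value
        $drift   = $before -ne $desired[$name]

        if ($drift) {
            $setting | Set-AdvancedSetting -Value $desired[$name] -Confirm:$false | Out-Null
        }

        # Re-read the setting so the report shows what the host actually holds now.
        [pscustomobject]@{
            Host    = $vmhost.Name
            Setting = $name
            Before  = $before
            After   = (Get-AdvancedSetting -Entity $vmhost -Name $name).Value
            Changed = $drift
        }
    }
}

# Before/after table, suitable for attaching to a change record.
$report | Format-Table -AutoSize
```

A new idle timeout applies only to sessions opened after the change, so existing Shell or SSH sessions keep their old value until they are closed.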

I know these topics are routine tips, but sometimes it is good to be reminded of them. For more help with implementing them, refer to the links below:

