VMware

VMwarehttp://www.checklist20.com/bestpractices.htmlDatabase ChecklistRestrict Owner and Group File Ownership to Root for .vmdk Files http://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=367&tn=Restrict Owner and Group File Ownership to Root for .vmdk Files Restricting file ownership for virtual machine disk files helps prevent accidental or malicious changes to application data.Set file ownership for all .vmdk disk files to:Restrict owner and group file ownership to root ...  View More]]>Restrict Owner and Group file ownership to Root for .vmx Fileshttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=366&tn=Restrict Owner and Group file ownership to Root for .vmx FilesRestricting file ownership for configuration files helps prevent accidental or malicious changes to the system.Set file ownership for all .vmx files to:Restrict owner and group file ownership to root ...  View More]]>Disable Group and Other Read, Write and Execute File Permissions for .vmdk Fileshttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=365&tn=Disable Group and Other Read, Write and Execute File Permissions for .vmdk FilesDisabling file permissions for virtual machine disk files helps prevent accidental or malicious changes to application data.Set file permissions for all .vmdk disk files to:Deny group read, write and execute accessDeny other read, write and execut ...  View More]]>Disable Group and Other Write File Permissions for .vmx Fileshttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=364&tn=Disable Group and Other Write File Permissions for .vmx FilesDisabling file permissions for configuration files helps prevent accidental or malicious changes to the system.Set file permissions for all .vmx configuration files to:Deny group write accessDeny other write access ...  View More]]>Implement logon warning bannershttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=363&tn=Implement logon warning bannersThere are no default warning banners since your organization’s exact wording is unknown at installation.Presenting some sort of statutory warning message prior to the normal user logon may assist the prosecution of trespassers on the computer syst ...  View More]]>Use CHAP protocol to connect to iSCSI deviceshttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=362&tn=Use CHAP protocol to connect to iSCSI devicesUse of the CHAP protocol ensures ESX hosts and storage devices are communicating with known endpoints. Configure connections to iSCSI storage devices to use the CHAP protocol for authentication. ...  View More]]>Harden firewall settings to allow only authorized traffichttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=361&tn=Harden firewall settings to allow only authorized trafficIf unauthorized ports are opened to the ESX host by a firewall change, traffic containing disruptive or malicious payloads may negatively impact the host�s performance or securityConfigure the built-in firewall to ensure only authorized por ...  View More]]>Protect against MAC address spoofing, forged transmits, and promiscuous modehttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=360&tn=Protect against MAC address spoofing, forged transmits, and promiscuous modeChange the flags to reject for the settings MAC Address Changes and Forged Transmits for a <vSwitch> or a <PortGroup>.The default setting is accept in virtual switches and in portgroups.These settings provide the ability to drop incomi ...  View More]]>Enable BIOS passwordshttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=345&tn=Enable BIOS passwordsDisable the server's ability to boot off all non-hard disk devices, including floppy, CD-ROM, and USB. Configure any required BIOS passwords in conformance with the organization's policy. ...  View More]]>Isolate service console management traffichttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=342&tn=Isolate service console management trafficDuring the installation, un-select the default option to create a default network for virtual machines.This default installation option will combine the virtual machine network with the virtual infrastructure service console management network. Th ...  View More]]>Configure syslogd to send logs to a remote LogHosthttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=357&tn=Configure syslogd to send logs to a remote LogHostRemote logging is essential in detecting intrusion and monitoring multiple servers simultaneously. If an intruder is able to obtain root on a host, they may be able to edit the system logs to remove all traces of the attack. If a copy of the logs ...  View More]]>Review logs periodicallyhttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=356&tn=Review logs periodicallyReviewing logs in a timely manner may detect a performance or security issue in its early stages enabling the organization to take countermeasures to reduce the event’s impact.Establish procedures defining the timing of and the staff responsibilit ...  View More]]>Enable compression and rotation for log fileshttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=355&tn=Enable compression and rotation for log filesThe larger the log file the more events will be captured to help research system performance or security issues. Compression will allow more events to be captured in the file space provided. Increase the file size 2096K and enable compression for ...  View More]]>Minimum password lengthhttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=354&tn=Minimum password lengthThe longer the total character length of a password, the more difficult it is to guess by unauthorized users.Set the minimum required number of characters a password must contain to:Greater than or equal to 8 characters. ...  View More]]>Enable password minimum days parameterhttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=353&tn=Enable password minimum days parameterCombined with the history setting (see section 1.3.4), the minimum days setting will cause multiple days to transpire before a user can return to a favorite password, discouraging password reuse.Set the minimum number of days a password must exist ...  View More]]>Enable maximum password life parameterhttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=352&tn=Enable maximum password life parameterMinimizing the life of a credential reduces the likelihood that the password will become compromised.Set the maximum number of days before a password is required to be changed toLess than or equal to 90 days. ...  View More]]>Failed login attemptshttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=351&tn=Failed login attemptsFor user accounts, setting the failed attempt number at a low level discourages repetitive tries, which may be automated, to guess a user’s password.Set the number of login attempts allowed before the account is locked / disabled to:Less than or e ...  View More]]>Implement strong password complexityhttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=350&tn=Implement strong password complexityThe user should create a password that consists of a mix of character classes from the four choices; upper case, lower case, numeric, or special to reduce the use of common words as passwords and increase the difficulty of an unauthorized user gue ...  View More]]>Implement strong password controlshttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=349&tn=Implement strong password controlsRetain a history of previous passwords used and configure the authentication controls to validate new passwords against greater than or equal to 10 recently used credentials.Maintaining a history file containing previously used credentials for eac ...  View More]]>Restrict SSH Accesshttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=348&tn=Restrict SSH AccessSecuring administrator login and communication sessions reduces the chance of unauthorized interception of credentials or sensitive configuration information.Remote shell access to the console operating system should protect both the authenticatio ...  View More]]>Configure system clock synchornization with NTPhttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=347&tn=Configure system clock synchornization with NTPAdd configuration settings to enable system clock synchronization with Network Time Protocol (NTP) server(s). Keeping systems synchronized to a local or remote NTP server ensures log entries are date and time stamped consistently across systems al ...  View More]]>Disable unnecessary serviceshttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=346&tn=Disable unnecessary servicesServices enabled at ESX host startup should be limited to the vendor�s default services and any authorized exceptions. ...  View More]]>Apply critical security patcheshttp://www.checklist20.com/bestpractices.html#cid=168&cn=VMware&tid=344&tn=Apply critical security patchesIt is critical that an organization develop a formal process for keeping up-to-date with applicable VMware patches. VMware uses three categories for patches: Security, Critical, and General. The patch # refers to KB (knowledge base) article number ...  View More]]>