vSphere Security Configuration Guide

Security

What is it, and why do I "need" it?

Security Hardening Guides provide prescriptive guidance for customers on how to deploy and operate VMware products in a secure manner. Guides for vSphere are provided in an easy to consume spreadsheet format, with rich metadata to allow for guideline classification and risk assessment. They also include script examples for enabling security automation. Comparison documents are provided that list changes in guidance in successive versions of the guide.

https://www.vmware.com/solutions/security/hardening-guides

A few days ago, my colleague Markus and I started discussing the recommendations from the vSphere Security Configuration Guide (SCG) with one of our customers. Personally, I would recommend that every customer or VMware administrator take a look at the SCG. Not all of these points need to be implemented or adapted: every environment is different (even if they are all the same), and there is always a reason why a recommendation cannot be implemented. But you should know the points in the guide and at least know what the best practice would be and, above all, why.

How does it work?

First of all, take a moment to look into the Security Configuration and Hardening Guide Guidance. In addition to explaining how to use the guide, it contains important tips on how to use it correctly, e.g. that "All guidance in the Security Configuration Guide is meant to be applied to virtual machines in a powered off state, or hosts which have been placed in maintenance mode and are able to restart."

Once you think you know what you are doing 🙂 you can start with the Excel file and take a first look at the recommendations. They are grouped into topics on the spreadsheet pages, such as System Design or Hardware Configuration. For each point you get a Discussion field, which describes why you need to think about it, and a description field covering the "potential Impact if the default value changed". Where it is available for a recommendation, there is a PowerCLI command to get a batch export for it. And last but not least, you get a priority between P0 and P2 in the second column. P0 means that the setting is important for security, as there is no default or no clear compensating control. For P1, a default already exists but needs to be audited.

There are some differences starting with version 8. You will now also find ps1 files. On the one hand, there are audit files to compare the state of your environment with the guide, and on the other hand, there are remediation scripts to adjust your environment. There are also fewer table pages in the Excel file. Most of the old recommendations for vCenter, VM, etc. are now placed in the Control Table.

Where can I find the vSphere Security Configuration Guide?

As there are always new versions of the SCG with the version updates, I will not provide a direct link to a specific version at this point. However, in this overview you will find the link to the newest vSphere SCG as well as the other hardening guides. Another option is GitHub, where you will find all sources around the vSphere Security Configuration Guide: https://bit.ly/vcf-scg (permanent link)

Also good2know

For all of you using Aria Operations, there have also been various Compliance Dashboards since 8.16. Dashboards for CIS, DISA, etc. are very helpful for getting a quick overview of your environment measured against your required compliance policy. And if necessary, there is also an option to create your own Compliance Dashboard with your company requirements.

