2018 archive

Announcing the vSphere 6.7 Update 1 Security Configuration Guide

Back in March I released the vSphere 6.5 Update 1 Security Configuration Guide (a.k.a. “The SCG”). At that time, I went into detail on more than just the guide. I covered the topic of why some guidelines are removed or changed. I also covered how more settings were now set to “secure by default” and showed the progress between the 6.5 guide and the 6.5 Update 1 guide.

Today I’m happy to announce the release of the vSphere 6.7 Update 1 Security Configuration Guide. And like the 6.5 Update 1 guide, there are more changes that I wanted to make you aware of. These changes are there to (hopefully!) make your life as the VI Admin easier. Download the 6.7 Update 1 SCG spreadsheet.

Deprecated Settings

The first big change is that I have come up with a new category for settings that have been fixed in the code of ESXi or vCenter and no longer need to be manipulated. This new category is called “deprecated”. We recommend that you no longer change these settings. There is no active code in ESXi that these settings change. We fixed them to match previous guide values so that you can stop “managing” them. This is done to lessen the IT burden of security.

All settings fitting this category are released in a separate Excel spreadsheet. By sunsetting these settings and moving them out of the guide, the SCG will now be only 50 settings in total. This is a decrease from 68 in 6.5 Update 1. Many of these settings were called out in an earlier blog from June 2017 entitled “Secure By Default – VM.disable-unexposed-features”.

Some customers may wish to consider these deprecated settings as “Audit Settings”, meaning that you may wish to check to see if someone has set them. Setting them adds no value and only increases the management burden. You can safely remove these settings from your configurations.

Risk Profiles Go Away

The second big change is that I’m sunsetting the use of “Risk Profiles”. Now, I’m sure that this will panic some, as they may consider it a big change. Honestly, it’s not. Here’s why. Of the 50 remaining settings in the guide, only one was at “Risk Profile 1”. Everything else was at either 2,3 or 1,2,3. The value that Risk Profiles brought just wasn’t there anymore. The work we have been doing to deprecate settings is paying off.

The Risk Profile 1 setting was “ESXi.enable-strict-lockdown-mode”. The companion or flip side of that was the setting “ESXi.enable-normal-lockdown-mode” which was Risk Profile “2,3”. It was either one or the other. You couldn’t do both. That was confusing to some people and the first setting was really the only reason to keep Risk Profiles around. So, instead, I added content to the Vulnerability Discussion of both settings that addresses the risk discussion.

Hardening vs. Non-Hardening Part Deux

As I mentioned in the 6.5 Update 1 blog article, in 6.5 I renamed the guide from the vSphere Hardening Guide to the vSphere Security Configuration Guide. This was done because the number of “Hardening” guidelines was eclipsed by the number of settings that VMware can’t set for you (a.k.a. “Site Specific”) or settings you should audit to ensure someone hasn’t set them to the non-default value without good reason (e.g. “SSH is enabled on ESXi. It’s off by default”).

For the 6.7 U1 SCG, one of the guidelines I changed from “Hardening” to “Site Specific” was the “vNetwork.enable-bpdu-filter” setting. Why? Because it involves coordination with a hardware switch and the use of BPDU packets within a Windows VM. This is a corner-case scenario and as such should actually have been classified as “Site Specific”. Does it provide a “hardening” function? Yes, by adding protection against Spanning Tree loops. But again, it’s not a “normal” occurrence.
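The guide asks you to treat deprecated settings as something to audit rather than enforce, and to treat the BPDU filter as a site-specific choice you should know about rather than a default. The PowerCLI script below, added here as an example and not part of the SCG or its spreadsheet, does both kinds of audit: it reports every VM where one of a list of deprecated keys has been explicitly set (so you can remove it), and reports the value of the host-level BPDU filter option. The deprecated key names in the list are placeholders; replace them with the keys from the deprecated-settings spreadsheet the post links to. The host option name Net.BlockGuestBPDU is the ESXi advanced option behind the BPDU filter guideline; the function and variable names are my own.

```powershell
# Added example, not from the SCG or the blog post.
# Requires VMware PowerCLI and an existing Connect-VIServer session.

# PLACEHOLDER list: replace with the keys from the deprecated-settings spreadsheet.
$DeprecatedVmSettings = @(
    'example.deprecated.setting.one',
    'example.deprecated.setting.two'
)

function Get-DeprecatedVmSettingReport {
    # Reports VMs on which a deprecated key has been explicitly set.
    # Get-AdvancedSetting returns nothing for a key that was never set on the VM,
    # so every hit is a setting someone is still "managing" for no benefit.
    param([string[]]$Keys = $DeprecatedVmSettings)

    foreach ($vm in Get-VM) {
        foreach ($key in $Keys) {
            $setting = Get-AdvancedSetting -Entity $vm -Name $key -ErrorAction SilentlyContinue
            if ($setting) {
                [pscustomobject]@{
                    Entity  = $vm.Name
                    Setting = $setting.Name
                    Value   = $setting.Value
                    Finding = 'Deprecated in 6.7 U1 SCG; safe to remove'
                }
            }
        }
    }
}

function Get-BpduFilterReport {
    # The BPDU filter is "Site Specific": the audit only records whether it is on,
    # so you can confirm the hosts where it is enabled are the ones that need it.
    foreach ($esx in Get-VMHost) {
        $opt = Get-AdvancedSetting -Entity $esx -Name 'Net.BlockGuestBPDU'
        [pscustomobject]@{
            Entity  = $esx.Name
            Setting = $opt.Name
            Value   = $opt.Value
            Finding = if ($opt.Value -eq 1) { 'BPDU filter enabled; verify this host needs it' }
                      else { 'BPDU filter disabled (default)' }
        }
    }
}

Get-DeprecatedVmSettingReport | Format-Table -AutoSize
Get-BpduFilterReport | Format-Table -AutoSize

# After reviewing the first report, a deprecated setting can be dropped with
# Remove-AdvancedSetting on the returned object, e.g.:
#   Get-AdvancedSetting -Entity (Get-VM 'vm-name') -Name 'example.deprecated.setting.one' |
#       Remove-AdvancedSetting -Confirm:$false
```

The script reports and does not change anything; the Remove-AdvancedSetting call is left as a comment so that the cleanup stays a deliberate step after someone has looked at the report.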

Progress

See this video and you’ll see how far we’ve come.

All of this work has lessened the load on the VI Administrator. In 6.5 we had 24 settings that were considered “Hardening”. This dropped to 10 in 6.5 Update 1 and now down to just 5!

Wrap Up

Going forward, I really want to shrink that to one hardening guideline called “Apply Patches”. Unfortunately, we’re not there yet but I think the progress we’ve shown from 6.0 to 6.5 to 6.7 shows you that we are not standing still! Should any new automation functions appear you may find new settings being added to a future guide. I’m always re-evaluating the capabilities that get added to new releases and updates.

I’d like to thank the engineers that have helped me get the SCG to a better place by fixing code to match the values called out in previous “hardening” guides.

mike

If you have questions that haven’t been answered you can reply here, send them to mfoley at vmware.com or via Twitter to @vspheresecurity. @vspheresecurity is a curated list of vSphere Security specific tweets.


VMworld 2018 vSphere Security Sessions

It’s that time of year again! The time when we all pack our comfortable shoes and head to Las Vegas for VMworld! As we are all dealing with the seemingly ever-increasing IT security issues that plague our industry, VMware is there to help you make sense of it and deal with it in as easy a way as possible.

This blog article focuses on the vSphere side of the VMware house. Let me share with you the sessions I’m part of and one or two that I think you should all attend.

CPU Vulnerabilities Sessions (Spectre, L1TF a.k.a. Foreshadow)

Mitigating CPU Security Vulnerabilities – A look at vSphere Mitigations [SAI3770BU]

L1TF (a.k.a. Foreshadow) is the latest in a round of CPU based attack vectors the industry as a whole is dealing with. To address that for VMworld I’m happy to say that our CTO of Server Platform Technologies, Rich Brunner, will be giving this session. (Little known fact, both Rich and I worked in the OpenVMS development team many years ago!)

If you want one of the deepest dives into CPU-based security challenges such as Spectre and L1TF then this is the session you MUST attend. It’s on Monday, Aug 27, 4:00 p.m. – 5:00 p.m.

CPU Security Vulnerabilities Q&A Panel [SAI4777PU]

I’ll be moderating this panel session. We’ll have the following folks on the panel:

  • Manish Gaur, Director, vSECR (Product Security)
  • Richard Brunner, CTO, Server Platform Technologies
  • Edward Hawkins, Security Response (PSIRT)
  • David Dunn, Principal Engineer

We’ll be taking questions on the latest security vulnerabilities, introducing you to how VMware responds to vulnerabilities and probably busting some myths while we’re at it. Wednesday, Aug 29, 3:30 p.m. – 4:30 p.m.

If security vulnerabilities are your thing then you should sign up for these two right away.

vSphere Security

With vSphere 6.7 having come out this year and introduced a bunch of new security features, it stands to reason that I’ll be showcasing those features at VMworld. I’ve brought along a few friends to help me out with some of these sessions.

vSphere Platform Security Update [VIN1305BU]

This is a session I give every year. If your schedule is jam-packed and you just need the Reader’s Digest version of the other stuff I will be talking about, then this is the session to take. In this session I’ll give an overview of all of the vSphere 6.7 security features and will briefly touch on L1TF. Thursday, Aug 30, 12:00 p.m. – 1:00 p.m.

Deep Dive: Supporting Microsoft Virtualization-Based Security with vSphere [VIN1304BU]

I, along with my co-speaker, David Dunn, a Principal Engineer working on vSphere security architecture, will be diving into vSphere 6.7’s support for Microsoft Virtualization Based Security. Your security teams probably refer to this as “Credential Guard”, but it’s much more. In the session I will level-set everyone on what VBS does and cover the features in 6.7 that enable it. David will dive under the covers and show you how we actually implemented it. Seeing as a VM running VBS is a “nested” VM, this introduced a lot of challenges that we had to tackle! (Spoiler: We succeeded!)

vSphere Security Deep Dive: Supporting TPM and Virtual TPM 2.0 [VIN1303BU]

Everyone asks for a TPM, but do you know what it really does? I ask only because I have had to dispel a lot of assumptions. In this session my co-speaker Sam (Samyuktha) Subramanian will cover what a TPM actually does (and doesn’t do!). She was one of the engineers who brought TPM 2.0 to ESXi, so she knows her stuff! Together we’ll cover how ESXi uses a TPM and how a virtual TPM works. If your security folks are on your case about vTPM or TPM on ESXi, then this is the session for that!

ESXi Security – A Step Ahead [VIN2762BU]

You’ve seen all the work we’ve done with vSphere and Security over the past few releases. Do you want to gain a better understanding of how some of that work was developed? And maybe learn more about where hypervisor security could go? Join me and my co-speaker, Kevin Christopher, a Sr. Staff Engineer here at VMware, for an engaging discussion that will be light on PowerPoint and deep on where we see things in the future of hypervisors and security.

General

Meet the vSphere Experts Panel [VIN3032PU]

Finally, the session lots of folks enjoy. It’s not unlike the game of “Stump the Chumps”! The vSphere Experts Panel includes a number of us from the vSphere Tech Marketing team. Names you’re familiar with such as Emad Younis, Adam Eckerle, Kyle Ruddy and yours truly. Leading this band of merry men on the panel is Dilpreet Bindra, our Sr. Director of vCenter Development. If it goes into vCenter, then it’s been approved by Dilpreet!

Wrap Up

This marks my 5th VMworld as a VMware employee and my 9th VMworld in the US. It’s interesting to watch the changes in vSphere security over the years. I think it’s finally reached critical mass! (Or maybe I have?)

If you are new to VMworld (and I see a lot of new faces at VMworld lately!) then take the time to enjoy the scene and become part of a huge community of like-minded individuals.

If you see me moving quickly through the halls of Mandalay Bay and I don’t see you, it’s probably because (a) I don’t have my distance glasses on and (b) I’m late to my next session or customer meeting! If we have the time to chat, then please hit me up. I’m at VMworld to work and to help you be successful when it comes to vSphere Security!

Enjoy VMworld!

mike

Configuring TPM 2.0 on a 6.7 ESXi host

In a previous blog post I went over the details on how ESXi uses a TPM 2.0 chip to provide assurance that Secure Boot did its job and how that “attestation” rolls up to vCenter to be reported on.

In this blog article I’m going to go over some of the steps necessary to configure an ESXi host to use a TPM 2.0 chip. Now, I have only a limited number of hardware systems in my lab on which to do this, but the steps should be familiar regardless of the server model.
