Category Archive: IT

May 04

Secure Boot for ESXi 6.5 – Hypervisor Assurance

I’ve talked about how vSphere has been moving towards a “secure by default” stance over the past few years. This can clearly be seen in the new vSphere 6.5 Security Configuration Guide where the number of “hardening” steps are growing smaller with every release. In this blog post we will go over another “secure by default” feature of vSphere 6.5 that provides hypervisor assurance, Secure Boot for ESXi.

One of the coolest things in 6.5, in my opinion, is the adoption of Secure Boot for ESXi. Now, you might say “But my laptop has had Secure Boot since Windows 8, what’s the big deal?”

Well, the “big deal” is that we’ve gone beyond the default behavior of Secure Boot and we now leverage the capabilities of the UEFI firmware to ensure that ESXi not only boots with a signed bootloader validated by the host firmware but that it also ensures that unsigned code won’t run on the hypervisor. Best of all, it’s simple to implement! Let’s dive in!

Read the rest of this entry »

Apr 07

Authorized Keys and ESXi 6.0 Update 2 – Changes to OpenSSH

sshWilliam Lam brought up some feedback on Socialcast the other day. The story was of a customer who updated to ESXi 6.0 Update 2 and the SSH keys he was using no longer worked. The customer was advocating for changing the file /etc/sshd_config so that he could continue to use the keys on his ESXi server. IMHO, that’s the wrong course of action.

Read the rest of this entry »

Jan 26

Making Security Easier – An ESXi Fling for US Federal Customers

Running systems in the US Federal Government presents its own unique challenges. From specific system login requirements (CAC/PIV smart cards) to specific regulations like DISA STIG’s, managing systems in this environment comes with a healthy dose of security. Today we’re taking a small step towards making that easier with the introduction of a VMware Fling for ESXi targeting the DISA STIG standards.

DISA STIG

Many of the requirements of a STIG come from years of operational experience with other operating systems. Even though ESXi isn’t Linux, there are some common tools that have specific settings requirements that need to be met by the STIG. This VIB simplifies this process and does it in a more secure manner.

Read the rest of this entry »

Older posts «