Announcing the GA release of the vSphere Security Configuration Guide!
As I mentioned in my previous blog post, where I announced the availability of the Security Configuration Guide (SCG) Release Candidate, the term “Hardening Guide” will no longer be used starting with vSphere 6.5. Only an increasingly small subset of the settings is truly “hardening”. The guide is mostly about configuration and auditing of settings.
Review, Change, Repeat
One of the things I always heard from customers over the years is “Why can’t you ship things secure out of the box?” While we are moving in that direction for those settings we can set, one thing to note is that 65% of today’s guide consists of settings that VMware cannot set for you, or settings that we have already set and that should be audited to check whether the default value has been changed.
Every release, we (myself and engineers) review all the settings and “clean house”. Everything is questioned. I started this review process for the 6.0 release and quite frankly, it upset a few apple carts. The guide at that time had grown like a set of firewall rules. As the guide grew over the years, nobody wanted to change anything because they didn’t know what the fallout would be. In my opinion, that is NOT a way to run your security operations. Security in this era DEMANDS that you always question the status quo.
Because of this review process, we are making great progress towards shipping “secure by default”, and that effort will be ongoing.