When you start using VCSA, you may think it comes secure enough out of the box. That's true, but there is always a "but", and in this case it is what you can do to protect VCSA further. VMware published the Hardening Guide for vSphere 5.5 (an Excel spreadsheet), and one of its tabs covers VCSA. It contains only 3 recommendations:
- Change Default Password. VCSA doesn't ask you to change the root password during installation. The defaults are user "root" and password "vmware". As we cannot add a different user in the Admin GUI to administer VCSA, changing root's password is the only option. Keep in mind that the password must be changed every 90 days. You can change this interval as you wish, or you can disable it. There is an additional field for an email address to which password expiration alerts are sent.
- Config NTP. To learn more about this topic, see the vSphere 5.5 Documentation Centre article: Synchronize the vCenter Server Appliance Clock with an NTP Server
- Restrict Network Access. Access should be limited to the essential components and systems required to communicate with VCSA. The internal firewall on VCSA should be set to comply with the DISA STIG level. To configure your firewall, follow: Updating the vCenter Server Appliance (vCSA) firewall rules to DISA STIG compliance (2047585)
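To verify the password-expiry setting from the first recommendation, the script below classifies root's aging fields from an `/etc/shadow` entry. It is an added example, not part of the original post or of VMware's guide. It assumes the appliance stores the expiry interval in the standard shadow aging fields; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify root's password aging
# from one /etc/shadow entry.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire (day counts since 1970-01-01).

MAX_ALLOWED=90   # interval the post gives for the appliance

is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_root_aging SHADOW_LINE TODAY_IN_DAYS
# Prints: expiry-disabled | interval-too-long | unknown | expired | ok
check_root_aging() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    today=$2

    # An empty max field or 99999 means the password never expires.
    if ! is_number "$max" || [ "$max" -ge 99999 ]; then
        echo "expiry-disabled"; return 0
    fi
    if [ "$max" -gt "$MAX_ALLOWED" ]; then
        echo "interval-too-long"; return 0
    fi
    if ! is_number "$lastchg" || ! is_number "$today"; then
        echo "unknown"; return 0
    fi
    if [ $((today - lastchg)) -gt "$max" ]; then
        echo "expired"
    else
        echo "ok"
    fi
}

# Constructed sample entries (placeholder hashes), evaluated on day 16300.
for entry in \
    'root:$6$CONSTRUCTED$hash:16250:0:90:7:::' \
    'root:$6$CONSTRUCTED$hash:16100:0:90:7:::' \
    'root:$6$CONSTRUCTED$hash:16250:0:99999:7:::' \
    'root:$6$CONSTRUCTED$hash:16250:0:365:7:::'
do
    printf '%s -> %s\n' "$entry" "$(check_root_aging "$entry" 16300)"
done
```

On a live system, run it as root with `check_root_aging "$(grep '^root:' /etc/shadow)" "$(( $(date +%s) / 86400 ))"`. A result of `ok` only confirms the aging policy; it does not show that the default password was replaced.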
If you're interested in the Hardening Guide for vSphere 5.5 (and not only that one), you should visit the following site: