security

Remove the ESXi web welcome screen

Duncan Epping · Jan 28, 2010 ·

I received a question from a customer who wanted, for security reasons, to remove the ESXi web welcome screen. This is the screen that enables you to download the vSphere Client and RCLI and even browse datastores.

I’ve tested it and removing (or renaming) the following file will lead to a blank page when the ESXi host is accessed via http(s):

/usr/lib/vmware/hostd/docroot/index.html

<edit>

William Lam created another work around which is definitely a more elegant solution: Remove the ESXi web welcome screen.

</edit>

Draft version of the vSphere Security Hardening Guide available

Duncan Epping · Jan 26, 2010 ·

VMware published the draft version of the vSphere Security Hardening Guide. Keep in mind that it’s still draft and needs tweaking. The Team needs your feedback, so if you have any comments please don’t hesitate to reach out and leave a comment on the community forums.

Overall, there are more than 100 guidelines. The guide itself is split into the following major sections:

Please bare in mind the following:

Another new aspect of the guide is the desire to create it with input from the VMware community. This draft is available for public comment for a period of approximately one month. VMware’s intention is to incorporate public feedback into the next revision of the guide, which will be the final version. However, this current revision is the result of a private review of an initial draft, and so we believe that the final version will not differ too significantly. This revision can therefore be used for customer production deployments today, with the caveat that some new guidelines might be added and some existing ones slightly modified.

Thanks Charu for posting these! They contain really valuable info.

HyTrust Appliance 1.5

Duncan Epping · Aug 19, 2009 ·

HyTrust just published info on their latest and greatest version of their appliance which will be released on the 24th of August and will carry version number 1.5. Hytrust sits between your virtual environment and the admin and enforces granular authorization of all virtual infrastructure management operations, according to user role, object, label, protocol and IP address. If you will attend VMworld I suggest you head over to their booth and ask for a demo.

Additional New Features:

Support for VMware vSphere (ESX 4.0 and vCenter 4.0)
Support for VMware ESXi (all versions)
Two‐factor authentication including RSA SecureID
Label‐based policy enforcement
VM‐to‐host and VM‐to‐network segment control
VM tag policy import
XACML policy import/export
AD policy import for virtual machine management

HyTrust Appliance, the community release

Duncan Epping · May 5, 2009 ·

I wrote about HyTrust a month ago. Today HyTrust announced a community version. In short, for up to three host you can use a fully featured version of the Hytrust Appliance for free…

HyTrust Appliance, Community Edition is now available for download now as a pre-built, VMware-compatible virtual appliance to members of HyTrust Community. To join the community free of charge, go to http://www.hytrust.com/community/register. Support for Community Edition is provided by the Community via online forum participation and direct community member interaction.

You can find the full press release here.

Now, back to the VMware vSummit again… and I hope to do some technical blogging again soon.

Security updates for ESX 3.x

Duncan Epping · Apr 11, 2009 ·

Just a quick note that I wanted to get out… A security patch has been released. Please look at the following KB article and download, test and implement the patch.

VMware ESX 3.5, Patch ESX350-200904201-SG: Updates VMX RPM
Issues fixed in this patch (and their relevant symptoms, if applicable) include:

A critical vulnerability in the virtual machine display function might allow a guest operating system to run code on the host. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1244 to this issue.