Securing vCenter Server
For the most part, discussing how to secure vCenter Server entails discussing how to secure
the underlying OS. For environments that have deployed the Windows Server-based version of
vCenter Server, this means securing Windows Server. For environments using the Linux-based
vCenter Server virtual appliance, it means securing SuSE Linux. Because it's a virtual appliance,
though, there isn't a lot that you can do to secure the preinstalled SuSE Linux instance.
Securing Windows Server—for those environments running the Windows Server-based
version of vCenter Server—is a topic that has been discussed many, many times, so we won't go into
great detail here. The following security recommendations are among the more common ones:
- Stay current on all Windows Server patches and updates. This helps protect you against
  potential security exploits.
- Harden the Windows Server installation using published best practices and guidelines
  from Microsoft.
In addition to these standard security recommendations, we can offer a few other
security recommendations that are specific to vCenter Server and its components such as SSO, the
Inventory Service, and the Web Client:
- Be sure to stay current on vCenter Server patches and updates.
- Place the vCenter Server backend database on a separate system (physical or VM), if
  possible, and follow recommended practices to secure the separate system.
- If you are using Windows authentication with SQL Server, use a dedicated service account
  for vCenter Server—don't allow vCenter Server to share a Windows account with other
  services or applications.
- Be sure to secure the separate database server and backend database using published
  security practices from the appropriate vendor. This includes securing the database server itself
  (Microsoft SQL Server or Oracle) as well as the underlying OS for that database server
  (Windows Server, Linux, or other).
- Replace the default self-signed SSL certificates with a valid SSL certificate from a trusted
  root authority for vCenter Server and all of its components.
SSL Certificate Replacement
With the separation of vCenter components for vSphere version 5.1 and above, the complexity for
replacing the default SSL certificates has increased. VMware has addressed this complexity by
creating tools to assist the process and also by providing extensive Knowledge Base articles on the topic.
It would take a dedicated chapter to explain the entire process step-by-step, so if you're interested
we recommend you read the Knowledge Base located at kb.vmware.com/kb/2034833.
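A quick audit for the certificate recommendation above, as an added example that is not from the book or from VMware: it uses the standard openssl command line to report whether a certificate is still self-signed or chains to a CA you trust. The function names, the hostname vcenter.example.test and the throwaway test CA are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): flag default self-signed certificates.

# fetch_cert HOST [PORT]: print the PEM leaf certificate a TLS endpoint serves.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# cert_status PEM [CA_BUNDLE]: print self-signed, trusted or untrusted.
# Returns 2 if PEM cannot be parsed as a certificate.
cert_status() {
    cert=$1; ca=${2:-}
    subj=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null) || return 2
    issr=$(openssl x509 -in "$cert" -noout -issuer_hash 2>/dev/null) || return 2
    # Self-signed: issuer name equals subject name and the certificate's
    # own public key validates its signature.
    if [ "$subj" = "$issr" ] &&
        openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo self-signed
    elif [ -n "$ca" ] && openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# make_samples DIR: constructed test data, a self-signed certificate plus a
# throwaway CA and a leaf it issued (names are placeholders).
make_samples() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=vcenter.example.test" -keyout self.key -out self.pem &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Constructed Test CA" -keyout ca.key -out ca.pem &&
      openssl req -newkey rsa:2048 -nodes \
          -subj "/CN=vcenter.example.test" -keyout leaf.key -out leaf.csr &&
      openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -days 1 -out leaf.pem ) >/dev/null 2>&1
}

# Demo on the constructed samples.
demo=$(mktemp -d) && make_samples "$demo" && {
    echo "self.pem: $(cert_status "$demo/self.pem" "$demo/ca.pem")"
    echo "leaf.pem: $(cert_status "$demo/leaf.pem" "$demo/ca.pem")"
}
rm -rf "$demo"
```

Against a live system, save the output of fetch_cert for each component endpoint to a file and pass it to cert_status together with your organization's CA bundle; any endpoint still reporting self-signed has not had its default certificate replaced.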
In addition to these recommendations, there are other steps you should take to ensure that
vCenter Server—and the infrastructure being managed by vCenter Server—is appropriately
secured and protected.
 