Daily Archives: November 26, 2012

Concepts of ESX security

• ESX is a very secure product, by design.

• Access to the VMkernel is only from virtual guests and only through API calls. The VMkernel is what ultimately gives ESX its strong security; VMware designed it from scratch with security in mind.

• All virtual guests are isolated from each other by the VMkernel, and each VM only has access to its own resources.

• When loaded, ESX is secure by default: the service console has a firewall enabled with only the minimum ports required for VMware VI Client management open. We recommend you leave the firewall enabled.

• For stability and security, it is not recommended to load third-party products on the service console.

 

• ESX Server uses local Linux accounts.

• VC (VirtualCenter) uses Windows AD accounts.

• Permissions can be set up using either Windows AD groups or users, depending on what your VI Client is connected to.

• All VI Client communications are encrypted.

• VLANs can be used to segment a network for security.

• CHAP should be used to authenticate iSCSI traffic.

• Users and groups are assigned to roles.

• A role is a set of privileges.

• Roles are assigned to objects, such as a VM or a data center.

• Combining the user or group with the role is what creates the permission.

• By default, only local ESX service console root users or Windows AD administrators can log in with the VI Client.

• When using VC, administrators would be:

  • members of the local Administrators group if the VC server is NOT a DC, or
  • members of the Domain Admins group if VC is a domain controller.

• If the host you are logging into is not a DC, log in as domain\user.

• It is not recommended to run VC on an AD DC.

• Access rule changes take effect immediately; there is no need to log off and back on.

• ESX security permissions are inherited in a hierarchical manner.

• Networks and datastores inherit permissions from above, but you cannot directly assign permissions to them.
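As an added model of the permission rules in these notes (not VMware's code: the role names, privilege strings and inventory are constructed, and the "nearest assignment wins" rule is an assumption), a small Python sketch of user or group + role on an object, inheritance down the tree, and the rule that networks and datastores only inherit:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed role catalogue for the example; VirtualCenter's real privilege names differ.
ROLES = {
    "Administrator": {"VM.PowerOn", "VM.PowerOff", "VM.Configure", "Datastore.Browse"},
    "VMUser": {"VM.PowerOn", "VM.PowerOff"},
}

# Networks and datastores only inherit; the notes say they cannot be assigned directly.
INHERIT_ONLY = {"network", "datastore"}


@dataclass
class InventoryObject:
    name: str
    kind: str                               # datacenter, folder, vm, network, datastore
    parent: Optional["InventoryObject"] = None
    permissions: list = field(default_factory=list)   # (principal, privilege-set) pairs


def assign_permission(obj: InventoryObject, principal: str, role: str) -> None:
    """A permission is a principal (user or group) paired with a role on an object."""
    if obj.kind in INHERIT_ONLY:
        raise ValueError(f"cannot assign permissions directly to a {obj.kind}")
    obj.permissions.append((principal, ROLES[role]))


def effective_privileges(obj: InventoryObject, principals: set) -> set:
    """Walk from obj up to the root. The nearest object holding a permission for any of
    the caller's principals decides (assumption: closest assignment wins; several
    matches on the same object are unioned)."""
    node = obj
    while node is not None:
        matched = [privs for who, privs in node.permissions if who in principals]
        if matched:
            return set().union(*matched)
        node = node.parent
    return set()


def build_sample_inventory() -> dict:
    """Constructed inventory: one datacenter holding a VM and a datastore."""
    dc = InventoryObject("DC01", "datacenter")
    vm = InventoryObject("web01", "vm", parent=dc)
    ds = InventoryObject("datastore1", "datastore", parent=dc)
    assign_permission(dc, "DOMAIN\\VMAdmins", "Administrator")  # AD group at the top
    assign_permission(vm, "DOMAIN\\bob", "VMUser")               # user, on one VM only
    return {"dc": dc, "vm": vm, "ds": ds}
```

A member of DOMAIN\VMAdmins therefore holds Administrator on the VM and the datastore without either being assigned directly, while bob's VMUser permission on web01 is the one that applies to him there.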


Posted by on November 26, 2012 in ITIL / VMware

 

Windows File Protection (WFP)

Windows File Protection runs in the background and watches for applications trying to replace system files such as .sys, .dll, .ocx, .ttf, .fon and .exe files. If an application attempts to replace a system file with one that is not signed, Windows File Protection replaces it with the copy stored in the dllcache folder and logs the attempt in the Event log. There are four cases in which File Protection will allow the files to be replaced:

  • Service Packs that use Update.exe
  • Hotfix distributions using Hotfix.exe
  • Operating system upgrades using Winnt32.exe
  • Windows Update service

Posted by on November 26, 2012 in Windows

 

Remote Access Authentication Protocols

CHAP (Challenge Handshake Authentication Protocol) – uses the industry standard MD5 1-way encryption scheme to encrypt the response. Highly Secure.

EAP (Extensible Authentication Protocol) – Client and server negotiate the authentication method, to include MD5 username and password encryption, smart cards, token cards, retina or fingerprint scanners and other third-party authentication technologies.

MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) – 1-way encrypted password. This is enabled by default on a Windows Server 2003 running RAS. Highly Secure. This differs from CHAP in that client communication must be between two Microsoft operating systems.

MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol v2) – Strong encryption. Windows clients use this by default for dial-up networking (also known as DUN). Windows 2000, NT4 and Win98 clients use this by default for VPN. Highly Secure. Version 2 differs from version 1 primarily in that two-way (mutual) authentication is implemented in version 2.

PAP (Password Authentication Protocol) – uses clear-text passwords. Provides little security.

SPAP (Shiva Password Authentication Protocol) – more secure than PAP; it is used to connect to a Shiva LANRover. Medium Security.

– TechNet
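As an added illustration (not part of the TechNet text above), the CHAP exchange as RFC 1994 defines it, in Python: the authenticator issues a random challenge, the peer answers with MD5 over identifier, shared secret and challenge, and only that digest crosses the link, which is the difference from PAP's clear-text password. The shared secret is constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed shared secret; in a real RAS deployment it lives in the account store
# on both ends and is never placed on the link.
SECRET = b"example-dialup-secret"


def chap_challenge(size: int = 16) -> tuple:
    """Authenticator: pick a packet Identifier and a fresh random Challenge value."""
    identifier = os.urandom(1)[0]
    return identifier, os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer: Response = MD5(Identifier || secret || Challenge), per RFC 1994.
    Only this 16-byte digest (plus the peer's name) crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator: recompute from its own copy of the secret and compare."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(peer_secret: bytes, server_secret: bytes) -> dict:
    """Run one exchange and report what was visible on the wire plus the verdict."""
    identifier, challenge = chap_challenge()
    response = chap_response(identifier, peer_secret, challenge)
    return {
        "wire": {"id": identifier, "challenge": challenge.hex(), "response": response.hex()},
        "success": chap_verify(identifier, server_secret, challenge, response),
    }


if __name__ == "__main__":
    # PAP would put the password itself in the "wire" field; CHAP puts only a digest.
    print(chap_exchange(SECRET, SECRET))
```

Because the challenge is fresh each time, a recorded response is useless against a later challenge; the protocol's strength still rests on the secret being strong, since MD5 is fast to compute.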


Posted by on November 26, 2012 in Active Directory, Windows

 

Name Resolution Nodes

B-Node (broadcast) – uses broadcasts to resolve names (not recommended for larger networks, and mostly used by older clients).
P-Node (peer-to-peer) – uses WINS only, no broadcasts. No WINS server, no resolution. This is the mode typically used by newer clients.
M-Node (mixed) – broadcast first, then WINS (not recommended, as you want to minimize broadcasts).
H-Node (hybrid) – uses WINS first, then broadcast (recommended, as it cuts down broadcasts by trying WINS first but still falls back to broadcast as a last resort).


Posted by on November 26, 2012 in Active Directory, Windows

 

TCP/IP utilities

ARP – Address Resolution Protocol – displays a cache of locally resolved IP addresses to Media Access Control (MAC) addresses.

Finger – Retrieves system info from a remote computer that supports the TCP/IP finger service.

FTP – File Transfer Protocol – provides file transfers between TCP/IP hosts, one of which runs FTP server software.

Hostname – returns the local computer's host name.

IPCONFIG – Verifies TCP/IP configuration. With the "/all" switch, it also shows the DHCP, DNS and WINS server addresses. WINIPCFG is the utility used in place of IPCONFIG on Win9x workstations. The /DISPLAYDNS, /FLUSHDNS and /REGISTERDNS options are used to interact directly with the client's DNS resolver.

LPD – Line Printer Daemon – Services LPR requests and submits print jobs to a printer device.

LPQ – Line Printer Queue – Obtain status of a print queue on a host running the LPD Service.

LPR – Line Printer Remote – Prints a file to a host running the LPD Service.

NBTstat – Checks the state of current NetBIOS over TCP/IP connections, updates LMHOSTS cache, determines registered name.

Netdiag – Tests the network functions and provides a report of the results.

Netsh – Network Shell.  This utility can be used to interact with most services from the command-line.

Netstat – Displays Protocol statistics and the current state of TCP/IP connections. The -a option is used to see all information.

NSlookup – examines entries in the DNS database pertaining to a particular host or domain.

Pathping – acts as a combination of ping and tracert. It sends echo requests and identifies the hosts that respond to them.

PING – Packet Internet Groper – Verifies that TCP/IP is configured correctly and that another host is available.

REXEC – Remote Execution – Runs a process on a remote computer.

Route – views or modifies the local routing table.

RSH – Remote Shell – runs commands on a UNIX host.

Telnet – Provides Terminal Emulation to a TCP/IP host running Telnet server software.

Tracert – verifies the route used from the local host to the remote host. This is superior to PING in that it also shows the route taken to reach the remote host.


Posted by on November 26, 2012 in Windows