WilliamLam.com


Updated vSphere Security Hardening Report Script for vSphere 4.1

01.22.2011 by William Lam // 5 Comments

Earlier this week VMware released the first draft of the vSphere 4.1 Security Hardening Guide, which makes several changes to the vSphere 4.0 version released last year. Unfortunately no change list was provided, so you have to go through both documents manually to find the differences. Luckily I did the heavy lifting for you, and here are the changes in the 4.1 version:

Edit: It looks like Charu of VMware has already posted a "diff" of the 4.0 and 4.1 versions here.

Added Checks (14):

  • VSH07 (Enterprise) - Check for privilege re-assignment after vCenter Server restarts
  • VSH10 (Enterprise) - Clean up log files after failed installations of vCenter Server
  • VUM06 (Enterprise) - Do not use default self-signed certificates
  • VMX23 (Enterprise) - Use secure protocols for virtual serial port access
  • VMX24 (DMZ) - Disable certain unexposed features
  • VMX56 (Enterprise) - Restrict access to VMsafe network APIs
  • HIN02 (Enterprise) - Keep ESX/ESXi system properly patched
  • HCM05 (DMZ) - Disable Welcome web page
  • HMT12 (Enterprise) - Prevent unintended use of VMsafe network APIs
  • HMT15 (Enterprise) - Audit for loading of unauthorized kernel modules (ESXi only)
  • HMT20 (DMZ) - Ensure that vpxuser auto-password change meets policy
  • HMT21 (DMZ) - Ensure that vpxuser password meets length policy
  • HCN05 (SSLF) - Disable DCUI to prevent all local administrative control
  • HCN06 (Enterprise) - Disable Tech Support Mode unless needed for diagnostics and break-fix

Removed Checks (10):

  • VMX03 (Enterprise) - Disable copy/paste to remote console
  • VMX51 (Enterprise) - Restrict access to VMsafe CPU/memory APIs
  • VMX54 (Enterprise) - Restrict access to VMsafe network APIs
  • HCM04 (Enterprise) - Ensure that ESX is configured to encrypt all sessions
  • HMT10 (Enterprise) - Prevent unintended use of VMsafe CPU/memory APIs
  • HMT11 (Enterprise) - Prevent unintended use of VMsafe network APIs
  • HCN01 (Enterprise) - Ensure that only authorized users have access to the DCUI
  • HCN03 (Enterprise) - Avoid adding the root user to local groups
  • HCN04 (SSLF) - Disable tech support mode
  • COP06 (DMZ) - Ensure that vpxuser auto-password change in vCenter meets policy

Note: Some of the removed checks may have been replaced with newer, updated information and show up in the added checks.
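
To see which removed checks likely reappear under a new ID, the two lists above can be compared by title. This is an added example, not part of the original post or of the report script; the pairing rule (one title's words contain the other's) is an assumption of this example, and each pairing should be confirmed against the guide itself.

```python
import re

# Check lines copied from the "Added" and "Removed" lists in this post.
ADDED = """\
VSH07 (Enterprise) - Check for privilege re-assignment after vCenter Server restarts
VSH10 (Enterprise) - Clean up log files after failed installations of vCenter Server
VUM06 (Enterprise) - Do not use default self-signed certificates
VMX23 (Enterprise) - Use secure protocols for virtual serial port access
VMX24 (DMZ) - Disable certain unexposed features
VMX56 (Enterprise) - Restrict access to VMsafe network APIs
HIN02 (Enterprise) - Keep ESX/ESXi system properly patched
HCM05 (DMZ) - Disable Welcome web page
HMT12 (Enterprise) - Prevent unintended use of VMsafe network APIs
HMT15 (Enterprise) - Audit for loading of unauthorized kernel modules (ESXi only)
HMT20 (DMZ) - Ensure that vpxuser auto-password change meets policy
HMT21 (DMZ) - Ensure that vpxuser password meets length policy
HCN05 (SSLF) - Disable DCUI to prevent all local administrative control
HCN06 (Enterprise) - Disable Tech Support Mode unless needed for diagnostics and break-fix
"""
REMOVED = """\
VMX03 (Enterprise) - Disable copy/paste to remote console
VMX51 (Enterprise) - Restrict access to VMsafe CPU/memory APIs
VMX54 (Enterprise) - Restrict access to VMsafe network APIs
HCM04 (Enterprise) - Ensure that ESX is configured to encrypt all sessions
HMT10 (Enterprise) - Prevent unintended use of VMsafe CPU/memory APIs
HMT11 (Enterprise) - Prevent unintended use of VMsafe network APIs
HCN01 (Enterprise) - Ensure that only authorized users have access to the DCUI
HCN03 (Enterprise) - Avoid adding the root user to local groups
HCN04 (SSLF) - Disable tech support mode
COP06 (DMZ) - Ensure that vpxuser auto-password change in vCenter meets policy
"""

def parse(block):
    """Map check ID -> (level, set of lower-cased title words)."""
    rows = re.findall(r"^(\w+) \((\w+)\) - (.+)$", block, re.M)
    return {cid: (lvl, set(title.lower().split())) for cid, lvl, title in rows}

def carried_over(removed=REMOVED, added=ADDED):
    """Heuristic: removed ID -> (added ID, old level, new level) when titles nest."""
    new = parse(added)
    return {old_id: (new_id, old_lvl, new_lvl)
            for old_id, (old_lvl, old_words) in parse(removed).items()
            for new_id, (new_lvl, new_words) in new.items()
            if old_words <= new_words or new_words <= old_words}

if __name__ == "__main__":
    for old_id, (new_id, old_lvl, new_lvl) in carried_over().items():
        print(f"{old_id} ({old_lvl}) -> {new_id} ({new_lvl})")
    print("no counterpart:", sorted(set(parse(REMOVED)) - set(carried_over())))
```

Comparing by whole words rather than by character similarity keeps VMX51 and HMT10 (the CPU/memory API checks) from being paired with the network API checks that differ by a single word.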

To help with your vSphere validation, here is the latest version (1.5) of the vSphere Security Hardening Report script. The script has a few enhancements: it now validates a check only when that check is applicable to the platform being examined (classic ESX or ESXi), where in the past it would display "N/A". There is also some further validation of the service endpoints for /, /ui, and /mob, which may help reduce manual verification where applicable. You can also join the new vSphere Security Hardening Report VMTN Group for new updates, bug reports and discussions.

Here is an updated sample report based on vSphere 4.1:
vmwarevSphereSecurityHardeningReport-SAMPLE.html

One other thing I noticed while going through both the 4.0 and 4.1 security guides is that the numbers for the codes are all over the place; there are sometimes huge gaps that are unexplained (e.g. VSH6, VSH7 ... VSH10).


Categories // Uncategorized Tags // hardening guide, security, vSphere 4.1

Comments

  1. Bas says

    01/22/2011 at 7:45 pm

    Thanks for the updated report script. Keep up the good work.
    Charu posted an article which explains the differences between the 4.0 and 4.1 version of the security hardening guide.
    http://communities.vmware.com/docs/DOC-14528

  2. William says

    01/22/2011 at 7:56 pm

    @Bas,

    Thanks for the information, I must have missed that document. I'll go ahead and update the post.

  3. Brian says

    06/21/2012 at 7:00 pm

    Is there a PowerCLI version of this script?

    • William says

      06/21/2012 at 10:39 pm

      @Brian,

      No, if you take a look at the latest vSphere 5.0 Security Hardening Guide, it contains PowerCLI snippets to help you check/remediate but this script is written using vSphere SDK for Perl and you'll need to install either vCLI or use vMA to run the script.


Trackbacks

  1. Analizar la seguridad de VMware vSphere says:
    08/14/2014 at 10:03 am

    […] second of the tools is a Perl script written by William Lam, vSphere Security Hardening Report Script. This script connects to an ESX(i) host or a vCenter and performs a review of the points […]



Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
