WilliamLam.com

Configuring TLS Cipher Suites in ESXi 8.0 Update 1

by // 1 Comment

For organizations that mandate specific TLS cipher suites for compliance purposes, you may have used the instructions outlined in this VMware KB 79476 to modify the ESXi Reverse Proxy Configuration File to select the desired supported TLS cipher suites prior to ESXi 8.0 Update 1.

As of ESXi 8.0 Update 1, all configurations including configuration files have been migrated to the new ESXi Configuration Store, which was initially introduced back in vSphere 7.0 Update 1 and you can learn more about it HERE and HERE. Additionally, I recently came to learn from one of our customers, who had inquired about changing the TLS cipher suites for ESXi that as of vSphere 8.0 Update 1, ESXi now runs two reverse proxy: rhttpproxy and Envoy with port 443 now being owned by the Envoy service, which is a popular and lightweight solution for reverse proxy usage.

The implication of this change is that modifying the TLS cipher suites for ESXi as of 8.0 Update 1 now requires the use of the ESXi Configuration Store and with Envoy as the reverse proxy, it is helpful to understand the types of TLS cipher suites that can be supported will be based on Google's BoringSSL TLS implementation, which Envoy itself consumes.

[Read more...]

Applying additional security hardening enhancements in ESXi 8.0

by // 14 Comments

While responding to a few ESXi security configuration questions, I was referencing our ESXi Security documentation, which includes a lot of useful information and latest best practices. It is definitely worth re-reviewing this section from time to time to take advantage of all the ESXi security enhancements to help protect and secure your vSphere environment.

In certain areas of the ESXi security documentation, I noticed that it mentions CLI and API, but it does not always provide an example that customers can then reference and use in their Automation, which is really the only guaranteed method to ensure configurations are consistent across your vSphere environment. After answering some of the security related questions, especially on the Automation examples, I figure it would be useful to share this information more broadly so that folks are aware of some of the new and existing security enhancements along with some of their implications if you are not implementing them.

Speaking of new ESXi security enhancements, one of the new features that was introduced in ESXi 8.0 is the ability to disable ESXi Shell access for non-root users. While this might sound like a pretty basic feature, applying this towards the vCenter Server service account vpxuser can help add another layer of protection for your ESXi hosts against attackers. It turns out that users with ESXi Shell access can also modify other local users password on ESXi host including the root user. By restricting ESXi Shell access for the vpxuser, you prevent attackers, which can also be insiders who have access to vCenter Server the ability to just change the ESXi root password without knowing the original password. As a result, this can lock you out of your ESXi hosts or worse, enable an attacker to encrypt your workloads, especially as the rise ransomeware attacks has been increasing.

[Read more...]

Enhanced vCenter Server Audit Event & Logging in vSphere 6.7 Update 2

by // 9 Comments

A couple of years back I had published a detailed analysis on vCenter Server's Authentication (AuthN) and Authorization (AuthZ) from an auditing and logging standpoint. This has been the go to reference for many of our customers and the posts also includes a number of log samples which I have documented in the following Github repository.

In addition to serving as a reference for our customers, it has also helped our Product and Engineering teams understand where we still had some gaps and how we could improve the overall user experience. As hinted in the recently announced vSphere 6.7 Update 2 release, which will be available soon, there are number of new auditing enhancements that have been made to both vCenter Server and the vCenter Single Sign-On (SSO) service that I think customers will really appreciate.

"Real" client IP address in Events

When you look at a login or logout Event in vCenter Server today, you may have noticed the user's client IP Address is actually of the vCenter Server rather than the actual remote client's address and the reason for this is explained here. In vSphere 6.7 Update 2, the real client IP Address is now captured and is included in all successful login/logout and failed logins. This information can now enable administrators to easily identify unauthorized access and be able to quickly track down the systems initiating the connections.

[Read more...]