I recently got a question about how to harden your vSphere environment. As you will probably know, there are two ways of achieving this:
- Using the VMware Security Hardening Guides, which are available for download for free. The vSphere Security Configuration Guide is available for the different versions of vSphere (both 6.x and 7.x). Each guide consists of a PDF that explains the approach for hardening your environment and an XLS file that contains all the guidelines, each with a description, the desired configuration and how to achieve it.
- Using the compliance feature of vRealize Operations (vRops). I will dive a little deeper into this option in this article, using vRops 8.3.
The compliance feature of vRops is available through the quickstart menu. This feature is used to assess and manage compliance; there are a lot of different benchmarks available including vSphere/vSAN/NSX-T security guides, but also regulatory benchmarks including CIS, DISA, FISMA and PCI. On top of that it’s also possible to add your own custom benchmarks.
The vRops benchmarks for vSphere/vSAN/NSX-T security guides are of course based on the VMware Security Hardening Guides as mentioned at the beginning of this article.
Just enable the vSphere Security Configuration Guide to get started:
After enabling the vSphere Configuration Guide you have to select a policy you want to modify. Security Configuration Guide related alarms will be enabled on the selected policy. If you want to apply the guidelines to your full vSphere environment you can select the default policy, however you might want to select a child policy that is linked to a subset of objects in your environment.
13 compliance-related alarms, triggered by 225 different symptoms, will be enabled in the policy:
Now wait for 5-10 minutes until the vSphere Security Configuration Guide dashboard has been updated and shows your current compliance state:
You can walk through the Compliance Alerts list and solve any triggered alarms.
For example, let’s optimize some DVS settings on a specific distributed portgroup:
Let’s review the settings in the vSphere WebClient:
...and update the settings:
Wait for ~5 minutes and check the compliance score for this specific object:
Note: it's very helpful to use the Excel list from the Security Configuration Guide to learn how to implement the required settings for a specific alarm.
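The distributed portgroup fix above can also be audited (and, if you choose, applied) at scale with PowerCLI. The script below is an added example, not code from the original post or from VMware; it assumes the DVS settings in question are the three portgroup security policy settings the Security Configuration Guide expects to be set to Reject, that PowerCLI's VMware.VimAutomation.Vds module is installed, and that the vCenter name is a placeholder you replace.

```powershell
# Added example (not from the original post): report every distributed portgroup whose
# security policy accepts Promiscuous Mode, MAC Address Changes or Forged Transmits,
# which the vSphere Security Configuration Guide expects to be Reject. Remediation is
# opt-in via -Remediate; the default run only reports. Server name is a placeholder.
param(
    [string]$Server = 'vcenter.example.local',   # placeholder, replace with your vCenter
    [switch]$Remediate                           # without this switch nothing is changed
)

Import-Module VMware.VimAutomation.Core, VMware.VimAutomation.Vds -ErrorAction Stop
$null = Connect-VIServer -Server $Server

# Uplink portgroups are skipped: they carry no VM-facing security policy to harden.
$portgroups = Get-VDPortgroup | Where-Object { -not $_.IsUplink }

$findings = foreach ($pg in $portgroups) {
    $pol = $pg | Get-VDSecurityPolicy
    $accepted = @()
    if ($pol.AllowPromiscuous) { $accepted += 'PromiscuousMode' }
    if ($pol.MacChanges)       { $accepted += 'MacChanges' }
    if ($pol.ForgedTransmits)  { $accepted += 'ForgedTransmits' }
    [pscustomobject]@{
        VDSwitch         = $pg.VDSwitch.Name
        Portgroup        = $pg.Name
        Compliant        = ($accepted.Count -eq 0)
        AcceptedSettings = ($accepted -join ',')
    }
}

# Non-compliant portgroups sort first so they are visible at the top of the report.
$findings | Sort-Object Compliant, VDSwitch, Portgroup | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { -not $_.Compliant }) {
        # Resolve via the switch so identically named portgroups on other switches are untouched.
        Get-VDSwitch -Name $f.VDSwitch |
            Get-VDPortgroup -Name $f.Portgroup |
            Get-VDSecurityPolicy |
            Set-VDSecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
            Out-Null
        Write-Host "Set $($f.AcceptedSettings) to Reject on $($f.VDSwitch)/$($f.Portgroup)"
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Review the report before running with -Remediate: a portgroup that deliberately accepts one of these settings (nested ESXi labs, some network appliances) should be documented as an exception rather than flipped back, and the vRops alarm for it can then be handled as an accepted risk.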
I hope this explains how vRealize Operations will simplify your life and will help you to increase the security of your vSphere environment.
If you want to learn more about compliance and vRealize Operations, please also check this article by my colleague Henk Engelsman. This blogpost “Evolving the VMware vSphere Security Configuration Guides” is also worth a read.