Download VMware Certified Professional 6 - Data Center Virtualization.2V0-621.ActualTests.2018-11-16.150q.vcex

    Reference:https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-37AB1F95-DDFD-4A5D-BD49-3249386FFADE.html

Use VMCA as an Intermediate Certificate Authority You can replace the VMCA root certificate with a third-party CA-signed certificate that includes VMCA in the certificate chain. Going forward, all certificates that VMCA generates include the full chain. You can replace existing certificates with newly generated certificates. This approach combines the security of third-party CA-signed certificate with the convenience of automated certificate management. Procedure 1    Replace the Root Certificate (Intermediate CA) The first step in replacing the VMCA certificates with custom certificates is generating a CSR and adding the certificate that is returned to VMCA as a root certificate. 2    Replace Machine SSL Certificates (Intermediate CA) After you have received the signed certificate from the CA and made it the VMCA root certificate, you can replace all machine SSL certificates. 3    Replace Solution User Certificates (Intermediate CA) After you replace the machine SSL certificates, you can replace the solution user certificates. 4    Replace the VMware Directory Service Certificate If you decide to use a new VMCA root certificate, and you unpublish the VMCA root certificate that was used when you provisioned your environment, you must replace the machine SSL certificates, solution user certificates, and certificates for some internal services. 5    Replace the VMware Directory Service Certificate in Mixed Mode Environments During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.0, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running. Reference:https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-5FE583A2-3737-4B62-A905-5BB38D479AE0.html

ESXi Certificate Replacement For ESXi hosts, you can change certificate provisioning behavior from the vSphere Web Client.   Reference:https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.install.doc%2FGUID-4469A6D3-048A-471C-9CB4-518A15EA2AC0.html

Strict Lockdown mode:In strict lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host. Reference:https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008077

root User Privileges By default each ESXi host has a single root user account with the Administrator role. That root user account can be used for local administration and to connect the host to vCenter Server. This common root account can make it easier to break into an ESXi host and make it harder to match actions to a specific administrator. Set a highly complex password for the root account and limit the use of the root account, for example, for use when adding a host to vCenter Server. Do not remove the root account. In vSphere 5.1 and later, only the root user and no other named user with the Administrator role is permitted to add a host to vCenter Server. Best practice is to ensure that any account with the Administrator role on an ESXi host is assigned to a specific user with a named account. Use ESXi Active Directory capabilities, which allow you to manage Active Directory credentials if possible. Reference:https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-55F14938-8A2F-4703-8A60-3516F9C3E312.html

ESXi Passwords By default, ESXi enforces requirements for user passwords. Your user password must meet the following length requirements. Passwords containing characters from one or two character classes must be at least eight characters long. Passwords containing characters from three character classes must be at least seven characters long. Passwords containing characters from all four character classes must be at least six characters long. When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash. The password cannot contain the words root, admin, or administrator in any form. Reference:https://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-DC96FFDB-F5F2-43EC-8C73-05ACDAE6BE43.html

B-)  ESXi Passwords and Account Lockout For ESXi hosts, you have to use a password with predefined requirements. You can change the required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option.ESXi uses the Linux PAM module pam_passwdqc for password management and control. See the manpages for pam_passwdqc for detailed information. ESXi Passwords: ESXi enforces password requirements for direct access from the Direct Console User Interface, the ESXi Shell, SSH, or the vSphere Client.When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash.(link  : https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-DC96FFDB-F5F2-43EC-8C73-05ACDAE6BE43.html)

    Reference:http://www.vmware.com/files/pdf/techpaper/VMW-TWP-vSPHR-SECRTY-HRDNG-USLET-101-WEB-1.pdf

Litmit SETINFO Messages Now if you read through the hardening guide, you’ll come cross a section that covers informational messages, otherwise known as SETINFO messages. Now my understanding is that currently there is no limitation on the amount of data that can be sent from VMware tools to the host, so you can imagine it wouldn’t be hard to write some code to continuously send huge amounts of data. So lets looks at how to limit this to something more acceptable as per the hardening guide. tools.setInfo.sizeLimit = “1048576” Now you can actually totally disable this using the following isolation.tools.setInfo.disable = “true” But this stops the Virtual Center client from displaying any information about the Virtual Machine, e.g. IP Address, DNS information. So for a production environment I would recommend setting a limit rather then totally disabling. Reference:https://goingvirtual.wordpress.com/2009/07/11/locking-down-vmware-tools/

B-) ESXi hosts that are upgraded from vSphere 5.x to vSphere 6.0 will continue using their Certificate Authority signed certificates if they were replaced in the previous versions. However, ESXi 5.x hosts that were running self-signed certificates and then upgraded to vSphere 6.0 will have their certificates regenerated using VMware-signed. For more info link:https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2113926C-) In vSphere 6.0, VMware tried to address SSL certificates in a different manner. It introduced a new component called the "Platform Services Controller." The Platform Services Controller includes a fully-functional certificate authority, called the VMware Certification Authority (VMCA), that automatically manages the certificates used in vCenter and the ESXi hosts. There are two steps to complete. First, you need to retrieve the root certificate from vCenter and convert it into something usable. Once you've done that, you need to deploy it as a Trusted Root Certificate. The easiest way to do this with multiple computers is to use Group Policy. Here are the steps to retrieve the certificate:1. Open your Web browser. 2. Navigate to https://<fqdn of vcenter>3. In the lower right-hand corner, click the Download Trusted Root CA link.------ for more:https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-C91AFFAD-A830-4BBE-BF7C-F779A3AD03F1.html?resultof=%2522%2573%2573%256c%2522%2520