IV. Hardening Steps to Secure Virtualisation Environment - Server Service Console
by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */
All configuration tasks for the VM Server are performed through the Service Console, including configuring storage, controlling aspects of virtual machine behaviour, and setting up virtual switches or virtual networks. A privileged user logged in to the Service Console has the ability to modify, shut down, or even destroy virtual machines on that host. If attackers gain access to the Service Console, they will have access to attribute configuration of the server host. The Service Console is the point of control for server and safeguarding it from misuse is crucial. The following security recommendations or guidelines help to guard against the attacks through Service Console:
1. Restrict the connection to internal trusted network only - Restricting the connection to internal trusted network only will help to minimise the chance of the attack via Service Console from untrusted network.
2. Change the account name of "Administrator" - Most brute force attacks will use the account name "Administrator" as this default account is not subject to account lockout. To minimise the risk of attacks, user should modify this default account by editing the Local Security Policy.
3. Block all the incoming and outgoing traffic except for necessary ports - Service Console firewall should be configured at the high security setting, which blocks all incoming and outgoing traffic except for ports 902, 80, 443, and 22, which are used for basic communication with VM Server in general. This can reduce the risk of the Denial of Service (DoS) attack using the default ports.
4. Monitor the integrity and modification of the configuration files - Key configuration files (such as "/etc/profile", "/etc/ssh/sshd_config", "/etc/pam.d/system_auth", "/etc/ntp", "/etc/ntp.conf", "/etc/passwd", "/etc/group", "/etc/sudoers"," /etc/shadow", "/etc/vmware/") should be monitored for integrity and unauthorised tampering to prevent unauthorised modification of key Service Console configuration files. These files should also be securely backed up on a regular basis.
5. Limit ssh based client communication to a discrete group of ip addresses - Connectivity of ssh based client communication tools (such as putty, winscp etc.) should be limited to a discrete group of ip addresses belonging to the physical / virtual desktops of the Windows Infrastructure Management Team staff. Limiting the connectivity will be achieved by utilising the /etc/hosts.allow and /etc/hosts.deny files within VMware ESX. The best practice approach to this is to deny access based on subnet range, only allowing access based on ip address exception.
6. Create separate partitions for /home, /tmp, and /var/log - Without partitioning for /home, /tmp, and /var/log may experience the Denial of Service (DoS) attack since the root partition may full and unable to accept any more writes.