Standalone installations of VMware Tools are more manual and can be challenging to keep updated. Virtual Machines can be set to “update on reboot” if VMware Tools is configured to be managed by vCenter. With vSphere version 6.5 and above, VMware has been working on releasing cross-version compatible VMware Tools versions as well as simplifying deployment and updates. Keep your VMware Tools and Virtual Hardware versions up to date, and ensure vCenter and ESXi host patches and versions are up to date as well (dependency). Trimarc recommends treating these updates as regular candidates for review at every Configuration Control Board (CCB) meeting, or however your organization approves changes.

VM Encryption is a huge step forward to protect sensitive server loads. Direct VM storage access (via VMDK) has been one of the biggest security concerns with virtualization for years. If a VMware administrator’s credentials were compromised, an attacker could download your Active Directory Domain Controller’s (DC) virtual disks, compromising your entire environment (by extracting password data), or even temporarily take the virtual DC offline and modify highly privileged Active Directory group membership directly on disk before starting the DC’s VM again. Or even pick your scariest line of business application…or how about your backup servers! You are not solving your problems by just letting your backup solution or the Guest OS disk encryption take care of it for you. Yes, VM Encryption isn’t “just encryption”. It also protects the VM storage files (Virtual Machine Disk or “VMDK” files) from being directly accessed (and potentially modified by an attacker) or downloaded, which would provide an attacker all the data contained within the VM. The new role “No Cryptography Administrator” allows administrative privileges to be assigned to individuals while safeguarding against the ability to gain direct console access to VM Encrypted virtual machines.

Once vCenter is configured with a KMS provider, new and existing virtual machines can be secured using VM Encryption.

Standard key provider – independent and external (to the vSphere solution) KMS solutions are one way of enabling cryptographic ability in the vSphere environment.

Trusted Key Provider – in vSphere 7 and newer, the key provider can be configured based on the “Trust Authority” if it is present in the environment. The Trust Authority makes access to the encryption keys conditional on the attestation state of a workload cluster. vSphere Trust Authority requires an external key server. While it may be the highest level of effort from a planning and implementation standpoint, this is also one of the most complete configurations when considering the overall root of trust of the vSphere environment.

vSphere Native Key Provider – a new feature in vSphere 7 Update 2 is the ability for vSphere to natively provide the keys for its own security features. This removes the original dependency on an external or independent KMS solution for vSphere to handle key-based security solutions such as enabling host cryptographic functions (Host Encryption Mode) or meeting the requirements for VM Encryption. A good and relevant article describing key provider comparisons for deployment considerations can be found in the VMware Security guide.
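As an added example (not from the original post), the following PowerCLI audit lists which VMs are actually covered by VM Encryption, which key provider issued their key, and whether their VMware Tools and virtual hardware are current; it also shows who holds the full Administrator role versus the restricted “No Cryptography Administrator” role. It assumes PowerCLI is installed, an existing Connect-VIServer session, and the built-in role names Admin and NoCryptoAdmin as reported by Get-VIRole.

```powershell
# Added audit example, not part of the original post. Assumes an active
# Connect-VIServer session and PowerCLI's VMware.VimAutomation.Core module.

# Per-VM report built from vSphere API objects exposed via ExtensionData:
#   config.keyId   - CryptoKeyId, only present when VM Encryption is applied
#   config.version - virtual hardware version (e.g. vmx-19)
#   guest.toolsVersionStatus2 - guestToolsCurrent / guestToolsNeedUpgrade / ...
$report = foreach ($vm in Get-VM) {
    $cfg   = $vm.ExtensionData.Config
    $guest = $vm.ExtensionData.Guest
    [pscustomobject]@{
        Name            = $vm.Name
        Encrypted       = [bool]$cfg.KeyId
        KeyProvider     = if ($cfg.KeyId) { $cfg.KeyId.ProviderId.Id } else { $null }
        HardwareVersion = $cfg.Version
        ToolsStatus     = $guest.ToolsVersionStatus2
        ToolsVersion    = $guest.ToolsVersion
    }
}

# VMs the post is concerned about: no VM Encryption (VMDKs downloadable in the clear
# by anyone with datastore access), or VMware Tools that are not current.
$findings = $report | Where-Object {
    -not $_.Encrypted -or $_.ToolsStatus -ne 'guestToolsCurrent'
}
$findings | Sort-Object Encrypted, Name | Format-Table -AutoSize

# Summary counts for the CCB review mentioned in the post.
"{0} of {1} VMs encrypted; {2} VMs with non-current VMware Tools" -f `
    ($report | Where-Object Encrypted).Count, $report.Count,
    ($report | Where-Object { $_.ToolsStatus -ne 'guestToolsCurrent' }).Count

# Who can reach encrypted VMs: full Administrator (includes Cryptographer.* privileges)
# versus the No Cryptography Administrator role. Role names assumed as built-in.
Get-VIPermission |
    Where-Object { $_.Role -in 'Admin', 'NoCryptoAdmin' } |
    Select-Object Principal, Role, Entity, Propagate |
    Sort-Object Role, Principal | Format-Table -AutoSize
```

Run it read-only first; nothing here changes configuration, so it is safe to schedule as a recurring report feeding the CCB review.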