vSphere 5.5 Hardening Guide

KapsZ28

How many people follow the hardening guide to a T? I've honestly never looked at this guide before. Most of it looks pretty good, but I am wondering if some is a bit excessive in small environments. Mike Foley at VMUG today was saying that the guides can be difficult to follow and the one for 6.0 is much improved.

Between that and the new Platform Services Controller, I am tempted to start planning out an upgrade to vCenter 6.0 to increase security by implementing the 6.0 hardening guide and also regain the link-mode that I miss so much. I also like the SMP-FT to protect VCSA. In the past with Windows-based vCenters I used Heartbeat but was not overly impressed.

Do most people replace the self-signed cert and SSH keys in their environment?
 
We do. Very little of it isn't implemented; there are a few things we cannot do. For instance, you cannot set the four character type password complexity and get the vCloud Director agent to work. Always a little bit of give and take based on operational needs.

Related to linked mode in 6, it is nice to have on the appliance :).

I don't think that FT really provides the same kind of protection as Heartbeat (which is dead btw). It won't help you when you patch or if the appliance was to PSOD. In vSphere 6 by using the Windows version of vCenter you can do Windows failover clustering as a Heartbeat replacement. A recent blog post covering that subject mentioned that something along similar lines is coming for the appliances, and I suspect it will be the best and most simple solution if they get it done. I'm waiting with bated breath.
 
Yes, I was kind of glad that heartbeat went away.

I realize FT is constantly replicating memory and disk, so a VM crash really isn't protected. But at least with the new FT you can also replicate to a different datastore. It would help a bit in the sense that if an ESXi host crashes you need to wait for it to restart on another machine and hopefully no damage was done, and also protect from a storage failure although that is much more rare. Although we did have an incident where a tech inadvertently tripped the breakers that one of our NetApps was on and we lost vCenter. Had to scramble and log into all the servers directly and get the VMs running again once storage was back online and of course the Windows-based vCenter and SQL were not too happy which was probably about an hour of downtime to fix vCenter.
 
We're in the midst of 5.1 to 5.5 upgrade at my current place (I'm leaving this contract Friday for a full time gig elsewhere). We follow it pretty well, but not 100%. We absolutely minted our own certs and SSH keys.
 