IC121-End-to-End Virtual Security Hands-On Lab

Description

Many of us fear zero-day exploits, especially if they could impact our dynamic virtual systems. Learn how you can leverage CCS VSM to quickly lock down your virtual environment as you use CCS VM to identify any impacted systems. Finally, we will show you how you can learn from exploits and then customize security standards in CCS SM and VSM.

At the end of this lab, you should be able to:
- Assess and report on your ESX system using VMware hardening guidelines
- Use CCS VM to assess your virtual environment for vulnerabilities
- Use CCS VSM to lock down your Virtual Environment to protect it against misconfiguration and vulnerabilities
- Generate a CCS Dashboard for Virtual Environment
- Root Password Vaulting

Notes
- A brief presentation will introduce this lab session and discuss key concepts.
- The lab will be directed and provide you with step-by-step walkthroughs of key features.
- Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.
- Be sure to ask your instructor any questions you may have.
- Thank you for coming to our lab session.

Exercise 1: Show Evaluation results with same issue as found in CCS VM

CCS provides the ability to assess your virtual environments using best practices based on VMware hardening guidelines for ESX.

1. From the Desktop double click the Symantec Control Compliance Suite Console icon
   The Home view is the default view that appears when you log on to the Control Compliance Suite (CCS) Console. This page provides the working flow of the features within the solution.
2. Select Manage > Assets
   In Control Compliance Suite, an asset is defined as a managed object in the system that has value, has an owner, has controlled access, and can have authority. The primary goal of the asset management system is to present a consolidated view of the assets that are present in the organization with the ability to manage those assets.
3. Expand the Asset System folder
4. Select the VMware ESXi machines group
5. Select the 192.168.1.90 Asset
6. What is the Compliance Score for this Asset?
7. Select the Evaluation Tab
   CCS provides the ability to evaluate systems' security configurations against industry best practices such as the VMware Hardening Guidelines.
   Double click on the evaluation to display the Evaluation Result Details
   The Evaluation Results Details page provides you with a quick view of your overall security posture and allows you to also analyze which areas may need more attention than others. The page gives you two views of the data: the Standards-based view and the Asset-based view.
8. Select the Asset-based view button
9. Drag the Status column into the tool bar
10. Drag the Risk column down to the column headers
11. How many configuration checks failed for this asset?
12. Expand the Failed checks
13. Select and right click the "is unauthorized removal, connection and modification of devices prevents?" Check
14. Click Show Detailed Evidence
15. View the devices which have this option disabled: select, highlight and hover the mouse over the custom message.
   This setting is disabled by default for virtual environments. When enabled, users have the ability to connect devices and change settings on virtual systems. This means a user can do things like migrate or copy critical systems and access sensitive data by setting up shares on the image.
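
The same device check can be reproduced outside CCS by reading a virtual machine's .vmx file. The script below is an added example, not part of the original lab or of CCS; it assumes the check corresponds to the two VMX options the VMware hardening guidelines use for this control, and the sample .vmx contents are constructed.

```python
import re

# VMX options the VMware hardening guidelines use to stop guest users from
# connecting, disconnecting or editing virtual devices. Mapping these to the
# CCS check discussed above is an assumption of this example.
REQUIRED = ("isolation.device.connectable.disable",
            "isolation.device.edit.disable")

# A .vmx line has the form: key = "value"
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse .vmx text into a dict; comments are skipped, last value wins."""
    settings = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_vmx(text):
    """Return {option: finding} for every required option that is not TRUE."""
    settings = parse_vmx(text)
    findings = {}
    for key in REQUIRED:
        value = settings.get(key)
        if value is None:
            findings[key] = "not set"
        elif value.strip().lower() != "true":
            findings[key] = f"set to {value!r}, expected TRUE"
    return findings


# Constructed sample .vmx contents, not taken from the lab image.
WEAK_VMX = '''
displayName = "Exchange Server"
isolation.device.connectable.disable = "FALSE"
'''
HARDENED_VMX = (WEAK_VMX.replace('"FALSE"', '"TRUE"')
                + 'isolation.device.edit.disable = "TRUE"\n')

if __name__ == "__main__":
    for name, vmx in (("weak", WEAK_VMX), ("hardened", HARDENED_VMX)):
        print(name, audit_vmx(vmx) or "compliant")
```

An empty result means both options are present and set to TRUE; each returned entry names an option that would fail the check.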

Exercise 2: View the vulnerability details for ESX system

As more organizations expand their infrastructure into the virtual realm, effective security for business must reflect the changing needs of those dynamic environments. CCS Vulnerability Manager (CCS VM) will help find and report on specific vulnerabilities within your ESX Hypervisor.

1. From the desktop double click the CCS VM icon
2. Select Continue to this website. (The certificates for the website have not been generated within the demo image at this time.)
3. Log on:
   Username: vmadmin
   Password: symc4now
   The Home page shows sites, asset groups, tickets, and statistics about your network that are based on scan data. You have logged on with the Global Administrator role for the solution. This allows you to not only view information but also edit site and asset group information, and run scans for your entire network, all from this page. The row of tabs at the top of the page is used to navigate to the main pages of each functional area of the solution.
4. Using the search feature on the upper right side of the interface, enter ESX and select the magnifying glass to search for the ESX systems.
5. How many vulnerabilities were detected within the exs41i system?
6. Select the 192.168.1.90 system link to drill down into the details found from the vulnerability assessment
7. Filter the Risk Score to see the highest risk vulnerabilities first
8. Select the first vulnerability on the list
9. Provide a brief description of the suggested solution

Exercise 3: Protect systems with critical data from changes or migrations

Locking down your ESX environment against changes will help ensure the security of your surrounding infrastructure, especially when critical vulnerabilities have been found. CCS Virtualization Security Manager provides powerful access control features for your virtual environment, which allow you to isolate virtual assets, limiting access to and from them and dictating where and if they move. This is done by creating policies, which are defined by Labels, Roles and Rules created within CCS VSM, and assigning those policies to specific users based on their role.

1. From the web browser select the CCS VSM tab in the favorites bar
2. Select Continue to this website. (The certificates for the website have not been generated within the demo image at this time.)
3. Log into the web console:
   Username: SuperAdminUser
   Password: symc4now
   The Appliance Dashboard is the first page displayed when logging into the appliance. This page was designed to provide summary information based on your VSM implementation. The row of tabs at the top of the page is used to navigate to the main pages of each functional area of the solution.
4. Select the Policy tab and then Resources
5. Expand Appliance Root
   The lab environment has two ESX systems. The yellow shield next to each of the systems indicates that these systems are now protected by the VSM Appliance.
6. From the server system taskbar select Start > VMware vSphere Client or click the icon on the desktop.
7. Login:
   Username: Mark_Rhodes
   Password: symc4now
8. Select Login
9. What is the message that is displayed?
10. Click OK and Close the Client
11. Go back to the CCS VSM web console
12. From the Policy tab select Labels
   Labels are used to classify or categorize policy resources. They are often used to define constraints. For example, by assigning a label to production virtual machines you have the ability to assign a constraint that those machines should never be turned off.
13. Select Create Draft
   The Create Draft button allows the solution to copy the deployed labels into a draft copy before actually deploying it out.
14. Select the PCI Label
   Currently the PCI Label has two Virtual Systems assigned.
15. Select Assign
   For each label you have the ability to associate different resources within the virtual environment.
16. Select OK and OK again to get back to the Policy Labels window to finish without making any changes to the label.
17. From the Policy Tab select Roles
   Roles are used to define authorized operations and usually become an attribute of a rule.
18. From the right side of the page select page 2
19. Select the TestSystemsUsers. Click to open the Edit Role TestSystemUsers window.
   The checked items listed here are the operations enabled for users who have the TestSystemUsers Role associated.
20. Select the check box next to resource
   Resources enable the ability to change the resource pools within the Virtual Environment. This includes the ability to do actions such as move or migrate virtual machines into different hosts.
21. Click OK
22. From the Policy Tab select Rules
   Rules provide the relationships between Active Directory user groups, objects within the virtual environment and the entitlements for a specific role.
23. Select TestUsers and open the Edit Rule TestUsers window.
24. Click the Add button within Constraints
   Constraints are used to restrict access to specific entities of the Virtual Environment.
25. Select Match VM Label(s)
26. Select the PCI VM Label
27. Click the checkbox to Exclude VM Label
28. Click OK
29. Click the Propagate checkbox
   This will propagate the policy down the resource tree and enable it.
30. Click OK
31. Click Deploy Changes

Exercise 4: Test Protection Settings

1. From the system taskbar select Start > VMware vSphere Client
   Login:
   Username: Mark_Rhodes
   Password: symc4now
2. Select Login
   Mark Rhodes is part of the user group within Active Directory who has been assigned the TestUser Role.
3. Expand the Symplified Virtual Datacenter
4. Expand the 192.168.1.90 host
5. Right Click the Exchange Server Virtual Machine
6. Select Migrate
7. Select Change both host and datastore
8. Click Next
9. Expand the Symplified Virtual Datastore
10. Select the 192.168.1.85 host
11. Click Next
12. Click the Research and Development Resource Pool
13. Click Next
14. Keep the default for the datastore
15. Select Next
16. Select Finish
17. What is the message that is displayed?

Exercise 5: View Evaluation information for Virtual Environment from a single location

In the beginning of the lab we went through the Configuration Assessment results within CCS Standards Manager and also the Vulnerability scan results from CCS Vulnerability Manager. CCS provides the ability to view the evaluation results from both solutions for the Virtual Environment from a single location using the CCS Dynamic Dashboards, which are part of the CCS Web Client.

1. Select the Chrome Icon from the taskbar
   This brings you to the CCS Web Client. The web client provides the ability to view and create dashboards using the data within CCS and external data from third party solutions; accept, review, and approve policies from the CCS Policy Manager solution; and answer questionnaires from the CCS Assessment Manager solution.
2. Select the Dashboards tab
3. Expand Misc tab
   These are the default dashboards that come with the solution. They have been generated to provide a view of information based on Mandates and operational information.
4. Select the Panels Tab
   Dashboards are generated by applying different panels. This is a list of predefined panels which come with the solution. Using these panels it is easy to generate a custom dashboard. Panels can also be customized to view and analyze data in different ways.
5. Select New Panel
6. Select Standard Compliance Management > Check as the Area of Interest
7. For Measure (y axis) select Results Summary
8. For Dimension (x axis) select Results Name
9. Select the green plus sign to add an additional Dimension
10. Select Standard Name
11. Select Standard Name for the Axis Label
12. Name the panel Standards Evaluation Results for ESX systems
13. Within Filters select Results Name for the Attribute
14. Select is equal to for the Operator
15. Use the Ctrl keyboard button to select the Check Asset Fail and the Check Asset Pass values
16. Select the green plus sign to add an additional Attribute
17. Select Standard Name as the Attribute
18. Select is equal to for the Operator
19. Select VMware Hardening Guideline for ESXi 4.x
20. Select Apply and Save
21. Select the Dashboard in the top toolbar
22. Select New Dashboard
23. Name the dashboard Vision Virtual Environment
24. Select the green plus sign next to Category
25. Name the category Virtual Environment
26. Select Create
27. Select Stay on this page
28. Expand the Private Panels tab
29. Select the Standards Evaluation Results for ESX systems
30. Drag the panel into the grid
31. Expand the panel so that it takes up 7x7 squares
32. Expand the Published Panels
33. Select the Top 10 Most Common Network Vulnerabilities panel
34. Drag and drop the panel under the Standards Evaluation Results for ESX systems
35. Expand the panel so it takes up the bottom 7x7 squares
36. From the published panels select Data Collection Coverage
37. Drag the panel and expand it into the space beside the Standards Evaluation Results for ESX systems
38. Select Vulnerabilities by Severity
39. Drag the panel into the remaining space.
40. Select Save and Close

Exercise 6: Root Password Vaulting

It is not a good security practice to distribute the root passwords for an ESX or ESXi system. Root Password Vaulting allows CCS VSM to manage the root password of individual hosts by creating a secure root password for an ESX host and storing that password in the vault. The system will then automatically rotate the root password on the host on a regular basis.

1. Open Internet Explorer and select CCS VSM from the Favorites tool bar
2. Select Continue to this website. (The certificates for the website have not been generated within the demo image at this time.)
3. Log into the web console:
4. Username: SuperAdminUser
5. Password: symc4now
6. From the CCS VSM web interface select: Configuration > Root Password Vaulting
7. For the recovery passcode enter: CCS!sfun
8. Confirm the recovery passcode: CCS!sfun
9. Click Apply
   The Recovery Passcode is used to provide an emergency mechanism to recover root passwords if the VSM is not available.
10. Select Compliance > Hosts
11. Select the hyperlink for the esxi50.symplified.org host
12. Click the Root Password Vaulting option
13. User ID: root
   Password: Symc4now!
14. Click OK
   You will see a key icon appear next to the host, which indicates that root password vaulting has been enabled.
15. Click the box next to ESXi50.symplified.org
16. Select Issue Password
17. Provide a Reason: Quick Change to ESXi System
18. Click Issue Password
19. Copy down the password
20. Click Apply
21. For the VSM SuperUserPassword enter symc4now
22. Click OK
23. Go to the esxi50.symplified.org vmimage
24. Click on the screen and then press F2
25. Enter the root password provided by VSM