Configure Security Settings for vCenter Server from the vSphere Client

You perform the procedure on all vCenter Server instances to configure password policies, lockout policies, an SSO audit alarm, the login banner, vSAN iSCSI authentication, the session timeout, privileged SSO group membership, IWA service accounts, and content library settings.
  1. In a Web browser, log in to vCenter Server by using the vSphere Client.
     Setting     Value
     URL         https://management-domain-vcenter-server-fqdn/ui
     User name   administrator@vsphere.local
  2. Configure the password policies.
    1. From the Home menu of the vSphere Client, click Administration.
    2. Under Single Sign-On, click Configuration.
    3. On the Local accounts tab, under Password policy, click Edit.
    4. In the Edit password policies dialog box, configure the settings and click Save.
       Configuration ID   Setting            Value
       VMW-VC-00421       Maximum lifetime   60 days
       VMW-VC-00410       Minimum Length     15
       VMW-VC-01269       Maximum Length     64
  3. Configure the lockout policies.
    1. On the Local accounts tab, under Lockout policy, click Edit.
    2. In the Edit lockout policies dialog box, configure the settings and click Save.
       Configuration ID   Setting                                   Value
       VMW-VC-00436       Maximum number of failed login attempts   3
       VMW-VC-00434       Time interval between failures            900 seconds
       VMW-VC-00435       Unlock time                               0 seconds
    An unlock time of 0 seconds means that a locked account stays locked until an administrator explicitly unlocks it, so keep a second SSO administrator account available for recovery.
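To check steps 2 and 3 without clicking through the client, the following is an added PowerShell example, not part of the VMware procedure, that audits the SSO password and lockout policies against the values above and remediates them on request. It assumes the community VMware.vSphere.SsoAdmin PowerCLI module; the cmdlet names, their parameter names (for example -PasswordLifetimeDays and -AutoUnlockIntervalSec) and the property names on the returned policy objects are taken from that module and are assumptions here, as are the $Server parameter and the -Remediate switch.

```powershell
# Added example (not part of the VMware procedure): audit, and optionally
# remediate, the SSO password and lockout policies from steps 2 and 3.
# Assumes the community VMware.vSphere.SsoAdmin module
# (Install-Module VMware.vSphere.SsoAdmin) and its cmdlet/parameter names.
param(
    [Parameter(Mandatory)][string]$Server,           # management-domain-vcenter-server-fqdn
    [string]$User = 'administrator@vsphere.local',
    [switch]$Remediate                               # without this switch, report only
)

Import-Module VMware.vSphere.SsoAdmin -ErrorAction Stop
$cred = Get-Credential -UserName $User -Message "SSO administrator password for $Server"
$sso  = Connect-SsoAdminServer -Server $Server -User $cred.UserName `
          -Password $cred.GetNetworkCredential().Password -SkipCertificateCheck

# Expected values, keyed by the configuration IDs used on this page.
$expected = @(
    @{ Id = 'VMW-VC-00421'; Policy = 'Password'; Prop = 'PasswordLifetimeDays';     Value = 60  }
    @{ Id = 'VMW-VC-00410'; Policy = 'Password'; Prop = 'MinLength';                Value = 15  }
    @{ Id = 'VMW-VC-01269'; Policy = 'Password'; Prop = 'MaxLength';                Value = 64  }
    @{ Id = 'VMW-VC-00436'; Policy = 'Lockout';  Prop = 'MaxFailedAttempts';        Value = 3   }
    @{ Id = 'VMW-VC-00434'; Policy = 'Lockout';  Prop = 'FailedAttemptIntervalSec'; Value = 900 }
    @{ Id = 'VMW-VC-00435'; Policy = 'Lockout';  Prop = 'AutoUnlockIntervalSec';    Value = 0   }
)

$pw = Get-SsoPasswordPolicy -Server $sso
$lo = Get-SsoLockoutPolicy  -Server $sso

# One finding per configuration ID, comparing the live value with the expected one.
$findings = foreach ($e in $expected) {
    $obj    = if ($e.Policy -eq 'Password') { $pw } else { $lo }
    $actual = $obj.($e.Prop)
    [pscustomobject]@{
        ConfigurationId = $e.Id
        Setting         = $e.Prop
        Expected        = $e.Value
        Actual          = $actual
        Compliant       = ($actual -eq $e.Value)
    }
}
$findings | Format-Table -AutoSize

if ($Remediate -and ($findings | Where-Object { -not $_.Compliant })) {
    # The Set-* cmdlets take the current policy object plus the fields to change;
    # fields that are not passed keep their current values.
    Set-SsoPasswordPolicy -PasswordPolicy $pw -PasswordLifetimeDays 60 -MinLength 15 -MaxLength 64 | Out-Null
    # AutoUnlockIntervalSec 0: the account stays locked until an administrator unlocks it (VMW-VC-00435).
    Set-SsoLockoutPolicy -LockoutPolicy $lo -MaxFailedAttempts 3 -FailedAttemptIntervalSec 900 -AutoUnlockIntervalSec 0 | Out-Null
    Write-Host 'Remediated; run again without -Remediate to confirm.'
}

Disconnect-SsoAdminServer -Server $sso
```

Run it once per vCenter Server instance with `-Server <fqdn>` to produce the report, and add `-Remediate` only after reviewing the findings, since the lockout change takes effect immediately for every local SSO account.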
  4. VMW-VC-01219
    Configure an alarm that alerts the appropriate personnel about SSO account actions.
    1. In the Hosts and clusters inventory, select the vCenter Server instance you are configuring.
    2. Click the Configure tab and, under Security, select Alarm definitions.
    3. Click Add.
       The New alarm definition wizard opens.
    4. On the Name and targets page, enter the settings and click Next.
       Setting       Value
       Alarm name    SSO account actions - com.vmware.sso.PrincipalManagement
       Target type   vCenter Server
    5. On the Alarm rule 1 page, under If, enter com.vmware.sso.PrincipalManagement as the trigger event and press Enter.
    6. Configure the remaining settings for the alarm, click Next, and follow the prompts to finish the wizard.
       Setting                    Value
       Trigger the alarm and      Show as warning
       Send email notifications   Off
       Send SNMP traps            On
       Run script                 Off
  5. VMW-VC-01209
    Configure a login message.
    1. From the Home menu of the vSphere Client, click Administration.
    2. Navigate to Single sign-on > Configuration.
    3. Click the Login message tab and click Edit.
    4. Activate the Show login message toggle.
    5. In the Login message text box, enter the login message.
    6. Activate the Consent checkbox toggle.
    7. In the Details of login message text box, enter the site-specific banner text and click Save.
  6. VMW-VC-01212
    Configure Mutual CHAP for vSAN iSCSI targets. Perform this step only on clusters that publish vSAN iSCSI targets; do not enable the service on clusters that do not use it.
    1. In the Hosts and Clusters inventory, select the vSAN-enabled cluster.
    2. Click the Configure tab and, under vSAN, click Services.
    3. In the vSAN iSCSI target service tile, click Enable.
    4. Activate the service from the toggle switch.
    5. From the Authentication drop-down menu, select Mutual CHAP.
    6. Configure the incoming and outgoing users and secrets appropriately and click Apply.
  7. Set SDDC deployment details on the vCenter Server instances.
    1. In the Global inventory lists inventory, click vCenter Servers.
    2. Click the vCenter Server object and click the Configure tab in the central pane.
    3. Under Settings, click Advanced settings and click Edit settings.
    4. In the Edit advanced vCenter Server settings dialog box, enter the settings, click Add, and then click Save.
       Setting   Value
       Name      config.SDDC.Deployed.ComplianceKit
       Value     VCF-NIST-800-53
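The vCenter-level items from steps 4 and 7 can be verified with standard PowerCLI. The following is an added example, not part of the VMware procedure: it checks the config.SDDC.Deployed.ComplianceKit advanced setting (creating or correcting it when -Remediate is given) and confirms that the SSO account actions alarm exists, is enabled and has an SNMP trap action. The alarm itself is still created in the vSphere Client as in step 4; the script does not create it. Get-AdvancedSetting, New-AdvancedSetting, Set-AdvancedSetting, Get-AlarmDefinition and Get-AlarmAction are PowerCLI cmdlets; the ActionType value 'SendSNMP', the $Server parameter and the -Remediate switch are assumptions of this example.

```powershell
# Added example (not part of the VMware procedure): verify the vCenter-level
# settings from steps 4 and 7 with PowerCLI. Assumes the VMware.PowerCLI
# module; -Remediate is this script's own switch.
param(
    [Parameter(Mandatory)][string]$Server,           # management-domain-vcenter-server-fqdn
    [string]$User = 'administrator@vsphere.local',
    [switch]$Remediate
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$vc = Connect-VIServer -Server $Server -Credential (Get-Credential -UserName $User -Message "Password for $Server")

# Step 7: config.SDDC.Deployed.ComplianceKit must be VCF-NIST-800-53.
$name = 'config.SDDC.Deployed.ComplianceKit'
$want = 'VCF-NIST-800-53'
$kit  = Get-AdvancedSetting -Entity $vc -Name $name -ErrorAction SilentlyContinue
if ($null -eq $kit) {
    Write-Host "$name is not set"
    if ($Remediate) { New-AdvancedSetting -Entity $vc -Name $name -Value $want -Confirm:$false | Out-Null }
} elseif ($kit.Value -ne $want) {
    Write-Host "$name is '$($kit.Value)', expected '$want'"
    if ($Remediate) { Set-AdvancedSetting -AdvancedSetting $kit -Value $want -Confirm:$false | Out-Null }
} else {
    Write-Host "$name = $want (compliant)"
}

# Step 4 / VMW-VC-01219: alarm on com.vmware.sso.PrincipalManagement with an SNMP action.
$alarmName = 'SSO account actions - com.vmware.sso.PrincipalManagement'
$alarm = Get-AlarmDefinition -Server $vc -Name $alarmName -ErrorAction SilentlyContinue
if ($null -eq $alarm) {
    Write-Host "VMW-VC-01219: alarm '$alarmName' not found; create it as in step 4"
} else {
    # 'SendSNMP' is the assumed ActionType value for the "Send SNMP traps" action.
    $snmp = Get-AlarmAction -AlarmDefinition $alarm | Where-Object { $_.ActionType -eq 'SendSNMP' }
    if ($alarm.Enabled -and $snmp) {
        Write-Host 'VMW-VC-01219: alarm present, enabled, SNMP trap action configured'
    } else {
        Write-Host 'VMW-VC-01219: alarm exists but is disabled or has no SNMP trap action'
    }
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

The alarm check is deliberately read-only because the trap destination and the rule details depend on the site; the advanced-setting change is safe to automate since it is only a marker read by the compliance kit.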
  8. VMW-VC-00422
    vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.
    1. From the Home menu of the vSphere Client, click Administration.
    2. Under Deployment, click Client configuration.
    3. Click Edit, enter 10 minutes for Session timeout, and click Save.
  9. VMW-VC-01216
    vCenter must limit membership to the SystemConfiguration.BashShellAdministrators SSO group.
    1. From the Home menu of the vSphere Client, click Administration.
    2. Under Single sign-on, click Users and Groups, and then click Groups.
    3. Page through the list with the next-page arrow (>) until SystemConfiguration.BashShellAdministrators appears.
    4. Click SystemConfiguration.BashShellAdministrators. For each unauthorized account, click the three vertical dots next to its name, click Remove Member, and click Remove.
    By default the Administrator account and a unique service account similar to "vmware-applmgmtservice-714684a4-342f-4eff-a232-cdc21def00c2" are in the group and must not be removed. Members of this group can open the appliance bash shell and act as root on the Photon operating system, so an unauthorized member can severely damage vCenter, inadvertently or otherwise.
  10. VMW-VC-01217
    vCenter must limit membership to the TrustedAdmins SSO group.
    1. From the Home menu of the vSphere Client, click Administration.
    2. Under Single sign-on, click Users and Groups, and then click Groups.
    3. Page through the list with the next-page arrow (>) until TrustedAdmins appears.
    4. Click TrustedAdmins. For each unauthorized account, click the three vertical dots next to its name, click Remove Member, and click Remove.
    Membership in TrustedAdmins grants the rights to administer vSphere Trust Authority. Restrict it to the accounts that need those rights, because an unauthorized member can severely damage vCenter, inadvertently or otherwise.
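Steps 9 and 10 are easy to drift on, so the following is an added PowerShell example, not part of the VMware procedure, that lists the members of both privileged SSO groups, flags any member that is not on an allowlist, and removes the flagged members when -Remediate is given. It assumes the community VMware.vSphere.SsoAdmin module; Get-SsoGroup, Get-SsoPersonUser -Group and Remove-UserFromSsoGroup (with its -User and -TargetGroup parameters), the Name and Domain properties of the returned user objects, the $Server parameter, the allowlist and the -Remediate switch are all assumptions of this example. The allowlist keeps Administrator in both groups and the vmware-applmgmtservice-* service account in BashShellAdministrators, as the notes above require.

```powershell
# Added example (not part of the VMware procedure): report, and optionally
# remove, members of the two privileged SSO groups from steps 9 and 10 that
# are not on an allowlist. Assumes the community VMware.vSphere.SsoAdmin module.
param(
    [Parameter(Mandatory)][string]$Server,           # management-domain-vcenter-server-fqdn
    [string]$User = 'administrator@vsphere.local',
    [switch]$Remediate                               # without this switch, report only
)

Import-Module VMware.vSphere.SsoAdmin -ErrorAction Stop
$cred = Get-Credential -UserName $User -Message "SSO administrator password for $Server"
$sso  = Connect-SsoAdminServer -Server $Server -User $cred.UserName `
          -Password $cred.GetNetworkCredential().Password -SkipCertificateCheck

# Allowed members per group (user names without the @domain suffix), as the
# page describes: Administrator is the default member of both, and the
# vmware-applmgmtservice-<uuid> service account must stay in BashShellAdministrators.
$allowed = @{
    'SystemConfiguration.BashShellAdministrators' = @{ Id = 'VMW-VC-01216'; Exact = @('Administrator'); Patterns = @('^vmware-applmgmtservice-') }
    'TrustedAdmins'                               = @{ Id = 'VMW-VC-01217'; Exact = @('Administrator'); Patterns = @() }
}

$findings = foreach ($groupName in $allowed.Keys) {
    $rule  = $allowed[$groupName]
    $group = Get-SsoGroup -Server $sso -Name $groupName -Domain 'vsphere.local'
    foreach ($member in (Get-SsoPersonUser -Server $sso -Group $group)) {
        $ok = ($rule.Exact -contains $member.Name) -or
              [bool]($rule.Patterns | Where-Object { $member.Name -match $_ })
        [pscustomobject]@{
            ConfigurationId = $rule.Id
            Group           = $groupName
            Member          = "$($member.Name)@$($member.Domain)"
            Authorized      = $ok
            GroupObject     = $group
            UserObject      = $member
        }
    }
}
$findings | Select-Object ConfigurationId, Group, Member, Authorized | Format-Table -AutoSize

$unauthorized = @($findings | Where-Object { -not $_.Authorized })
if ($Remediate -and $unauthorized.Count -gt 0) {
    foreach ($f in $unauthorized) {
        Remove-UserFromSsoGroup -Server $sso -User $f.UserObject -TargetGroup $f.GroupObject | Out-Null
        Write-Host "Removed $($f.Member) from $($f.Group)"
    }
}

Disconnect-SsoAdminServer -Server $sso
```

The script enumerates person users only; if a group has been nested inside either privileged group, that nesting is not shown here and must still be reviewed in the vSphere Client.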
  11. VMW-VC-01274
    The vCenter Server must disable the accounts used for Integrated Windows Authentication (IWA).
    1. From the Home menu of the vSphere Client, click Administration.
    2. Under Single sign-on, click Users and Groups, and then click Users.
    3. Change the domain to vsphere.local.
    4. Select the K/M account, click More, select Disable, and click OK.
    5. Repeat step 4 for the krbtgt/VSPHERE.LOCAL account.
  12. VMW-VC-01267
    vCenter must require authentication for published content libraries.
    1. From the Home menu of the vSphere Client, click Content Libraries.
    2. Click the target content library and, under Actions, click Edit Settings.
    3. Select the Enable user authentication for access to this content library checkbox, enter and confirm the password, and click OK.
    Any subscribed content libraries must be updated to enable authentication and provide the password.
  13. VMW-VC-01268
    vCenter must enable the OVF security policy for content libraries.
    1. From the Home menu of the vSphere Client, click Content Libraries.
    2. Click the target content library and, under Actions, click Edit Settings.
    3. Select the Apply Security Policy checkbox and click OK.
    If you disable the security policy of a content library, you cannot reuse the existing OVF items.