CIS Releases New Security Guidelines for VMware ESX Server

Back in September, the Center for Internet Security (CIS) released a whitepaper titled “Virtual Machine Security Guidelines – Version 1.0”. In it, they addressed security concerns that apply to virtual machine technologies. But while the document focused on issues unique to virtual machines, it fell short of discussing security hardening steps needed for the popular VMware ESX Server virtualization platform.

In the second part of this document, ICS takes a look at security measures needed in the implementation of a VMware ESX Server 3.x environment.

It reads:

This document addresses the security aspects of virtual machine technologies and VMware ESX Server 3.x implementations. While these topics cannot be completely separated from the standard security issues of operating a physical computer or basic issues of running the individual operating systems involved, this document’s primary focus is on virtual machine security issues. For this reason, we do not cover all of the steps needed to harden the guest operating systems. The Center for Internet Security has multiple documents, which address guest operating system security recommendations. Recommendations are based on a variety of public sources and input from members of the Center for Internet Security (CIS).

In this 70 page document, they cover installation considerations, network security settings, minimizing boot services, logging, file permissions, user accounts and more.

As VMware migrates toward 3i implementations where the VMware COS is no longer in play within their ESX environment, many of these security concerns go away. Until then, this is a great place to start if you want to make sure that your environment is secure.

You can download the documents by registering, here.