Saturday, March 15, 2025

A Complete Guide to DHCP Snooping

A Complete Guide to DHCP Snooping: How It Works, Concepts and the Binding Database, Dealing with DHCP Starvation Attacks, DHCP Hijacking, Man-in-the-Middle Attacks and Malicious DHCP Servers, and DHCP Option 82


This article explores common attacks in Layer 2 and Layer 3 networks, with a particular focus on DHCP Starvation attacks, man-in-the-middle attacks and malicious (unwanted) DHCP servers, and explains how security features like DHCP Snooping can help protect networks from these attacks. We explain how DHCP Snooping works, cover related terms such as trusted and untrusted ports/interfaces, and discuss further topics. Finally, we note the importance and purpose of the Binding Database in DHCP Snooping, which is also used by Dynamic ARP Inspection to prevent ARP Poisoning and ARP Spoofing attacks.

Topics covered include:

  • DHCP Starvation Attack, Man-in-the-Middle Attack, DHCP Hijacking, and Monitoring Attacks
  • Malicious DHCP Servers – Major Security Threat and Source of Network Disruptions
  • DHCP Snooping Support on Cisco Catalyst and Nexus Switches – Permissions and Features
  • How DHCP Snooping Works – DHCP Snooping Concepts – Valid and Invalid Ports/Interfaces
  • Traffic Blocked by DHCP Snooping, DHCP Snooping Violations – Syslog Messages
  • DHCP Snooping Binding IP Database – Dynamic ARP Inspection
  • DHCP Snooping-Option 82 Data Insertion
  • Summary

DHCP Starvation Attack, Man-in-the-Middle Attack, DHCP Hijacking & Reconnaissance Attacks

This article will help you gain an in-depth understanding of how to protect networks using DHCP Snooping and related security features.

The DHCP Starvation attack is one of the most common attacks on a network and targets the network's DHCP servers. The main goal of this attack is to flood the organization's DHCP server with DHCP REQUEST messages from fake MAC addresses. The DHCP server responds to all of the requests, without realizing it is a DHCP Starvation attack, and hands out the available IP addresses until its DHCP pool is exhausted.

At this point the attacker has rendered the organization's DHCP server unusable and can activate a malicious DHCP server to serve network clients in place of the primary server. The DHCP Starvation attack is typically combined with a Man-in-the-Middle attack: the malicious DHCP server distributes fake IP settings, including the Gateway and DNS addresses, so that all client traffic passes through the attacker and can be inspected.

A man-in-the-middle attack usually involves client data streams passing through the attacker, so that the attacker is able to eavesdrop on or even manipulate the data.

By using packet capture tools and protocol analysis, the attacker is able to completely reconstruct any data stream it has recorded and extract files from it. In fact, the process is so simple that it only requires a basic understanding of these types of networking tools.

In other cases, a man-in-the-middle attack can be used as a monitoring attack with the goal of obtaining information about network infrastructure, services, as well as identifying high-importance hosts such as financial servers or databases.

It should now be clear how a simple attack can become a major security threat to any organization. The attacks described above are examples of how easily attackers can bypass firewalls and other security layers and gain access to valuable information simply by connecting an unauthorized device to an existing network port.

Malicious DHCP Servers – Major Security Threat and Source of Network Disruptions

Malicious DHCP servers are a common problem in large organizations and are not always the result of a deliberate attack. They usually appear unexpectedly when users connect consumer network devices to the network infrastructure without knowing that the unauthorized device has an active DHCP server of its own.

The malicious DHCP server then begins assigning IP addresses to network hosts, causing connectivity issues and, in many cases, major service disruptions. In the best case, DHCP clients are given an invalid IP address, which cuts them off from the rest of the network. In the worst case, clients are given an IP address that is already used by a network infrastructure device (e.g., the VLAN interface on the core switch or the firewall interface), leading to address conflicts and serious network disruptions.

A malicious DHCP server in operation takes control of DHCP services.

While many organizations have security policies in place that prohibit third-party or unauthorized devices from being connected to their network, there are still cases where users who may not be aware of or care about the security implications connect these devices to the network infrastructure without consulting the IT department.

Educating users and enforcing security policies can be challenging, which is why it is essential to have security mechanisms in place to help mitigate these incidents, and this is where DHCP Snooping comes into play.

DHCP Snooping, as a security tool, can prevent such problems from occurring. This mechanism lets switches permit only authoritative DHCP servers to assign IP addresses, so that unauthorized devices running malicious DHCP servers cannot serve clients. This approach can dramatically increase network security and reduce attacks such as DHCP Starvation and Man-in-the-Middle.

DHCP Snooping Support on Cisco Catalyst and Nexus Switches – Permissions and Features

DHCP Snooping is available on both Cisco Catalyst and Cisco Nexus switches. Both platforms are classified as enterprise-grade switches and have full support for all DHCP Snooping capabilities.

DHCP Snooping is considered a standard security feature and requires no additional license on older Catalyst IOS, newer Catalyst IOS XE, or Nexus NX-OS operating systems, so the feature is available and easily configurable on all of these switches.

Examples of Cisco Catalyst switches that support DHCP Snooping include the Cisco Catalyst 2960S, 2960-X, 3560, 3750, 3750-X, 3850, 4500, 6500, 9300, 9400, and 9500.

Examples of Cisco Nexus switches that support DHCP Snooping include the Nexus 2000, 3000, 5000, 7000, and 9000.

DHCP Snooping can be enabled globally or per VLAN. This means you can enable it for all VLANs (globally) or only for specific VLANs, including VLAN ranges such as VLANs 1-20 and VLANs 45-50.

How DHCP Snooping Works – DHCP Snooping Concepts – Valid and Invalid Ports/Interfaces

DHCP Snooping is a Layer 2 security feature that prevents unauthorized (malicious) DHCP servers from assigning IP addresses to DHCP clients. In fact, Cisco was the first vendor to implement DHCP Snooping as a security feature in their network switches, and other vendors have followed suit, introducing similar features in their products.

It is important to note that DHCP Snooping is an access-layer protection service; it is deployed where clients connect, not in the core of the network.

The way DHCP Snooping works is very simple. DHCP Snooping breaks down all switch ports into two simple categories:

  1. Trusted Ports
  2. Untrusted Ports

A trusted port, also referred to as a trusted source or authoritative interface, is a port whose DHCP server messages are trusted because it is under the administrative control of the organization. For example, the port to which your organization's DHCP server is connected is considered a trusted port. This is also shown in the diagram below:

DHCP Snooping Concepts: Trusted and Untrusted Ports

In this way, DHCP Snooping allows only authoritative servers to assign IP addresses to clients and prevents unauthorized servers from distributing them. An untrusted port, also known as an untrusted source or untrusted interface, is a port on which DHCP server messages are not trusted. An example of an untrusted port is one to which hosts or computers are connected: no DHCP OFFER, DHCP ACK, or DHCP NAK messages should ever appear there, since these messages are only sent by DHCP servers.

Traffic Blocked by DHCP Snooping, DHCP Snooping Violations – Syslog Messages

When DHCP Snooping is enabled, the switch begins to block certain types of DHCP traffic to protect the network from malicious DHCP servers. Below is a list of the types of DHCP traffic that DHCP Snooping blocks:

  • DHCP server messages (DHCPACK, DHCPNAK, and DHCPOFFER) that arrive on an untrusted port, i.e. that originate from an unauthorized DHCP server.
  • DHCPRELEASE and DHCPDECLINE messages that do not arrive on the port where the original DHCP conversation took place. This prevents an attacker from releasing or declining a lease on behalf of the real client.
  • DHCP packets received on an untrusted port that carry a relay-agent IP address other than 0.0.0.0, or that contain Option 82 information. For a more in-depth analysis, see the DHCP Option 82 article.
  • DHCP messages whose Ethernet source MAC address and DHCP client MAC address do not match (see the DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL message below for details).

Syslog Messages on DHCP Snooping Violations

When DHCP Snooping detects a violation, the DHCP packet that caused the event is dropped and a message is logged on the switch. The message is one of the following:

  1. %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT:
    • DHCP Snooping has detected DHCP server messages arriving on an untrusted port. This is a serious violation and typically indicates a malicious DHCP server operating behind an untrusted port.
  2. %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL:
    • DHCP Snooping has detected that the source MAC address of the Ethernet frame and the client MAC address in the DHCP message do not match.

These mechanisms help switches prevent DHCP Starvation attacks, malicious DHCP servers, and man-in-the-middle attacks, and protect the network from these security threats.

Matching the source MAC address of the Ethernet frame against the client MAC address in the DHCP message

DHCP Snooping Binding Database – Dynamic ARP Inspection

Once DHCP Snooping is enabled, the switch begins to build a dynamic database containing an entry for every untrusted host that holds a leased IP address, as long as the host belongs to a VLAN on which DHCP Snooping is enabled. No entries are created for hosts connected to trusted (authoritative) interfaces.

Each entry in the Binding database contains the following information:

  • MAC address of the untrusted host
  • IP address leased to the untrusted host
  • Remaining lease time
  • Binding type
  • VLAN number and interface to which the untrusted host is connected

As untrusted hosts obtain their IP addresses from the authoritative DHCP server, the switch automatically creates, updates, and removes entries in the DHCP Snooping Binding database.

Examples of these processes:

  • When the lease on an IP address expires, or the switch receives a DHCPRELEASE message from an untrusted host, the corresponding entry is removed from the database.
  • Conversely, when the switch receives a DHCPACK message from the authoritative DHCP server confirming that an IP address has been assigned to an untrusted host, a new entry is created in the database.
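As an added example that is not part of the original article or Cisco's code, the filtering rules from the "Traffic Blocked by DHCP Snooping" section and the binding-database updates just described are modelled in Python. The port names, MAC addresses, IP address and lease time are constructed; the two syslog message names are the ones quoted above.

```python
"""DHCP Snooping filter and binding database, modelled in Python (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only DHCP servers send these

@dataclass
class DhcpMessage:
    msg_type: str        # DHCPDISCOVER, DHCPREQUEST, DHCPACK, DHCPRELEASE, ...
    src_mac: str         # source MAC of the Ethernet frame
    chaddr: str          # client hardware address inside the DHCP payload
    ingress_port: str    # switch port the frame arrived on
    vlan: int
    giaddr: str = "0.0.0.0"   # relay-agent IP address; non-zero only behind a relay
    has_option82: bool = False
    yiaddr: str = ""          # address assigned by the server (DHCPACK)
    lease: int = 0            # lease time in seconds (DHCPACK)

@dataclass
class Binding:
    mac: str
    ip: str
    expires: float       # absolute time at which the lease ends
    vlan: int
    interface: str
    type: str = "dhcp-snooping"

class DhcpSnooping:
    def __init__(self, trusted_ports, snooping_vlans):
        self.trusted = set(trusted_ports)
        self.vlans = set(snooping_vlans)
        self.bindings: Dict[str, Binding] = {}          # key: client MAC
        self.pending: Dict[str, Tuple[str, int]] = {}   # client MAC -> (port, vlan) of its last request

    def process(self, msg: DhcpMessage, now: float = 0.0) -> Tuple[bool, Optional[str]]:
        """Apply the snooping rules; return (forward?, syslog line) and update the bindings."""
        if msg.vlan not in self.vlans:
            return True, None                           # snooping not enabled on this VLAN
        mac = msg.chaddr.lower()
        if msg.ingress_port in self.trusted:
            # Trusted port: learn a binding when the authoritative server ACKs a known client
            if msg.msg_type == "DHCPACK" and mac in self.pending:
                port, vlan = self.pending.pop(mac)
                self.bindings[mac] = Binding(mac, msg.yiaddr, now + msg.lease, vlan, port)
            return True, None
        # Untrusted port, rule 1: server messages must never arrive here
        if msg.msg_type in SERVER_MESSAGES:
            return False, (f"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: {msg.msg_type} "
                           f"from untrusted port {msg.ingress_port} on VLAN {msg.vlan}")
        # Rule 4: the frame's source MAC must equal the client MAC in the DHCP payload
        if msg.src_mac.lower() != mac:
            return False, (f"%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: source {msg.src_mac} "
                           f"!= chaddr {msg.chaddr} on {msg.ingress_port}")
        # Rule 3: relay-agent data (non-zero giaddr or Option 82) is not accepted from clients
        if msg.giaddr != "0.0.0.0" or msg.has_option82:
            return False, f"relay-agent information dropped on untrusted port {msg.ingress_port}"
        # Rule 2: RELEASE/DECLINE only from the port and VLAN that hold the client's binding
        if msg.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
            b = self.bindings.get(mac)
            if b is None or b.interface != msg.ingress_port or b.vlan != msg.vlan:
                return False, f"{msg.msg_type} for {mac} from {msg.ingress_port} does not match its binding"
            del self.bindings[mac]                      # lease given up: drop the entry
            return True, None
        if msg.msg_type in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[mac] = (msg.ingress_port, msg.vlan)   # remember where the client sits
        return True, None

    def expire(self, now: float) -> int:
        """Remove bindings whose lease has ended; return how many were removed."""
        gone = [m for m, b in self.bindings.items() if b.expires <= now]
        for m in gone:
            del self.bindings[m]
        return len(gone)

    def show_binding(self, now: float) -> str:
        """Render the table in the style of 'show ip dhcp snooping binding'."""
        rows = [f"{'MacAddress':18} {'IpAddress':14} {'Lease(sec)':10} {'Type':14} {'VLAN':4} Interface"]
        for b in self.bindings.values():
            rows.append(f"{b.mac:18} {b.ip:14} {int(b.expires - now):<10} {b.type:14} {b.vlan:<4} {b.interface}")
        rows.append(f"Total number of bindings: {len(self.bindings)}")
        return "\n".join(rows)

def demo() -> dict:
    """One client gets a lease; then a rogue server, a spoofed release and a MAC mismatch are tried."""
    sw = DhcpSnooping(trusted_ports={"GigabitEthernet0/1"}, snooping_vlans={4})   # constructed topology
    client = "d0:76:58:0c:bb:80"
    r = {}
    r["request"] = sw.process(DhcpMessage("DHCPREQUEST", client, client, "GigabitEthernet0/5", 4))
    r["ack"] = sw.process(DhcpMessage("DHCPACK", "00:00:5e:00:53:01", client, "GigabitEthernet0/1", 4,
                                      yiaddr="192.168.4.50", lease=86400), now=0)
    r["rogue_offer"] = sw.process(DhcpMessage("DHCPOFFER", "00:00:5e:00:53:99", client, "GigabitEthernet0/7", 4))
    r["spoofed_release"] = sw.process(DhcpMessage("DHCPRELEASE", client, client, "GigabitEthernet0/7", 4))
    r["mac_mismatch"] = sw.process(DhcpMessage("DHCPDISCOVER", "00:00:5e:00:53:42", client, "GigabitEthernet0/7", 4))
    r["table"] = sw.show_binding(now=0)
    r["expired"] = sw.expire(now=86400)
    return r
```

Calling demo() walks the client through a lease and returns the verdict and log line for each attempted violation, the binding table before expiry, and the number of entries removed once the lease runs out.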

Binding Database Display Commands:

The show ip dhcp snooping binding command displays all entries in the DHCP snooping binding database. The output of this command may look like this:

Cat3560-Firewall.cx# show ip dhcp snooping binding

MacAddress         IpAddress      Lease(sec)   Type           VLAN   Interface
------------       ------------   ----------   -------------  ----   -----------------
D0:76:58:0C:BB:80  192.168.4.50   85228        dhcp-snooping   4     GigabitEthernet0/5

Total number of bindings: 1

Binding Database and Layer 2/3 Security

The DHCP Snooping Binding database is also used by other Layer 2 and Layer 3 security features, such as Dynamic ARP Inspection, which helps protect the network from ARP Poisoning and ARP Spoofing attacks.

  • Dynamic ARP Inspection prevents ARP Poisoning attacks by validating the IP-to-MAC address pairs in ARP packets against the binding database.
  • In these attacks, attackers try to intercept or alter network traffic by sending spoofed ARP messages.

Configuring DHCP Snooping on Cisco Catalyst and Cisco Nexus Switches

Configuring DHCP Snooping on Cisco Catalyst and Cisco Nexus switch platforms will be explored in detail in future technical articles.

Exploring ARP Poisoning and ARP Spoofing Attacks

In future security articles, ARP Poisoning and ARP Spoofing attacks and how to deal with them through features like Dynamic ARP Inspection will be explained in detail.

DHCP Snooping Option 82 – Relay Agent Information

DHCP Option 82, also known as the Relay Agent Information Option, was first defined in RFC 3046 to allow a DHCP relay agent (such as a switch or router) to identify itself and to provide information about the DHCP client that sent the DHCP messages. This option is used particularly in large metropolitan Ethernet deployments that require centralized IP address management for a large number of users.

How does DHCP Option 82 work?

When DHCP Snooping is enabled on a Cisco Catalyst or Cisco Nexus switch, the switch automatically inserts the Option 82 field into the client's DHCP messages. This field contains information that helps the DHCP server determine which relay agent (such as a switch or router) the DHCP request came through and which physical port on the network it entered from.

Option 82 Details

  1. Relay Agent Information:
    This field contains information about the relay agent, such as:
    • IP address of the ingress port (the port through which the DHCP packet entered the switch)
    • MAC address of the ingress port
    • Additional information about the network or DHCP configuration
  2. Application in large networks:
    In large networks such as metropolitan access networks, this field is used to identify DHCP sources more precisely and to help monitor IP address allocation. It lets network administrators track exactly which device and physical port a DHCP request came from.

How do switches add DHCP Option 82?

When DHCP Snooping is enabled, the switch automatically adds Option 82 information to the DHCP messages sent by the client. This information includes details that help the DHCP server identify the source of the DHCP request and accurately perform the IP address allocation process in accordance with the network settings.

Benefits of using DHCP Option 82:

  1. Added security:
    Adding Option 82 to DHCP messages helps detect and prevent DHCP spoofing attacks, because the server can tell whether a message came from a trusted or an untrusted port on the network.
  2. Better management:
    This feature gives network administrators accurate information about the state of network ports and of the devices requesting IP addresses.
  3. Accuracy in IP address allocation:
    Using the information carried in Option 82, the DHCP server can allocate IP addresses according to the physical location of devices on the network.

DHCP Snooping enabled switch inserting DHCP Option 82 into a DHCP Request

DHCP Option 82 is not widely used in organizations, but it can provide an extra layer of security if the DHCP server supports it. For example, the DHCP server in Windows Server 2012 or 2016 supports Option 82, allowing network administrators to create DHCP Policies that control the allocation of IP addresses to specific switches on the network.

Configuring DHCP Option 82 Policies

Network administrators can use Option 82 to create DHCP policies that limit the allocation of IP addresses to specific switches on the network. This feature is especially useful on large networks that have multiple switches or Relay Agents. This capability helps the DHCP server to restrict the assignment of IP addresses to specific devices and ports.
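As an added example that is not part of the original article or any vendor's code: a relay agent building and inserting Option 82 as RFC 3046 lays it out (sub-option 1 is the circuit-id, sub-option 2 the remote-id), the server parsing it, and a scope chosen per relay agent in the spirit of the DHCP policies described above. The circuit-id text format, the switch MAC address and the scope names are constructed.

```python
"""DHCP Option 82 (Relay Agent Information, RFC 3046): insertion, parsing and a server-side policy."""
from typing import Dict, List, Tuple

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2       # RFC 3046 sub-option codes

def parse_options(options: bytes) -> List[Tuple[int, bytes]]:
    """Split the DHCP options field into (code, value) pairs; reject truncated TLVs."""
    out, i = [], 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            return out
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} length {length} exceeds buffer")
        out.append((code, value))
        i += 2 + length
    raise ValueError("options field has no END marker")

def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode Option 82: an outer TLV carrying the circuit-id and remote-id sub-option TLVs."""
    if len(circuit_id) > 255 or len(remote_id) > 255:
        raise ValueError("sub-option too long for a one-byte length")
    body = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:
        raise ValueError("Option 82 payload too long for a one-byte length")
    return bytes([OPT_RELAY_AGENT, len(body)]) + body

def relay_insert_option82(options: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """What the snooping switch does to a client's message: append Option 82 before END.
    A message that already carries Option 82 is refused, matching the snooping rule that
    clients on untrusted ports may not supply relay-agent data."""
    parsed = parse_options(options)
    if any(code == OPT_RELAY_AGENT for code, _ in parsed):
        raise ValueError("Option 82 already present: dropped on untrusted port")
    rebuilt = b"".join(bytes([c, len(v)]) + v for c, v in parsed)
    return rebuilt + build_option82(circuit_id, remote_id) + bytes([OPT_END])

def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Decode the sub-options inside Option 82 on the server side."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} length {length} exceeds buffer")
        subs[code] = data
        i += 2 + length
    return subs

def describe_relay(subs: Dict[int, bytes]) -> Tuple[str, str]:
    """Human-readable (switch, port) pair: remote-id as a MAC, circuit-id as text."""
    remote = ":".join(f"{b:02x}" for b in subs.get(SUB_REMOTE_ID, b""))
    circuit = subs.get(SUB_CIRCUIT_ID, b"").decode("ascii", errors="replace")
    return remote, circuit

def select_scope(subs: Dict[int, bytes], policy: Dict[bytes, str], default: str) -> str:
    """Server policy in the spirit of the DHCP policies above: one scope per relay agent."""
    return policy.get(subs.get(SUB_REMOTE_ID, b""), default)

def demo() -> dict:
    switch_mac = bytes.fromhex("d07658aabbcc")                          # constructed switch MAC
    client_options = bytes([OPT_MSG_TYPE, 1, 3, OPT_END])               # DHCPREQUEST and nothing else
    relayed = relay_insert_option82(client_options, b"vlan4:Gi0/5", switch_mac)   # constructed circuit-id
    subs = parse_option82(dict(parse_options(relayed))[OPT_RELAY_AGENT])
    policy = {switch_mac: "192.168.4.0/24"}                              # constructed scope table
    try:
        relay_insert_option82(relayed, b"vlan4:Gi0/5", switch_mac)      # a client forging Option 82
        forged = "accepted"
    except ValueError:
        forged = "dropped"
    return {"relayed": relayed, "relay": describe_relay(subs),
            "scope": select_scope(subs, policy, "quarantine"), "forged": forged}
```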

Conclusion:

Although DHCP Option 82 is not typically used in organizations, when supported by a DHCP server, it can provide additional security and more granular control over the allocation of IP addresses to the network.

Man-in-the-middle attacks and network disruptions caused by fraudulent DHCP servers are serious security threats that organizations face on a daily basis. In this article, we explained how Man-in-the-Middle attacks allow attackers to gain access to network traffic, which can lead to the disclosure of sensitive data being transmitted between servers and clients. We also explained what DHCP Snooping is, how it works, and how it can effectively protect the network from these attacks.

We looked at the types of traffic blocked by DHCP Snooping, the security violation alerts, and the purpose and functionality of the DHCP Snooping Binding Database. Finally, we introduced DHCP Snooping Option 82 and explained how this feature can help strengthen the security and management of IP address allocation on the network.

Friday, March 7, 2025

vSphere 8 Security Hardening

The ESXi host's Secure Shell (SSH) must be configured to use only FIPS 140–2/140–3 approved ciphers: esxi-8.ssh-fips-ciphers

VMware Tools is a set of utilities that improves the performance and efficiency of the virtual machine's guest operating system and makes the virtual machine easier to manage.

For example, by installing it, you can solve the following problems.

  • Low display resolution
  • Inadequate color depth
  • Incorrect display of network card speed
  • Mouse pointer trapped inside the VM window
  • Inability to copy/paste and drag-and-drop files
  • Loss of sound and sound card issues
  • Ability to take snapshots of the guest operating system

The VMware Tools package includes the following components:

  • VMware Tools service
  • VMware device drivers
  • VMware user process
  • VMware Tools control panel

VMware Tools Service

This service starts when the guest operating system boots. It exchanges information between the virtual machine and the hypervisor on the host. On Windows it runs in the background and appears in the process list as vmtoolsd.exe; on Mac OS it is called vmware-tools-daemon and on Linux vmtoolsd. The service can do the following:

  • Pass messages from the physical host to the guest operating system (except on Mac OS)
  • Run scripts that help automate some tasks in the guest operating system
  • Synchronize the guest operating system's clock with the host's clock (except on Mac OS)
  • Let the mouse move freely between the virtual machine and the host desktop, e.g. VMware Workstation or the vSphere client (leaving the VM environment)
  • When a virtual machine runs under vSphere or VMware Server, send heartbeat messages to the VMware product indicating that the virtual machine is running

VMware Tools Device Drivers

Smoother mouse movement, folder sharing, and better audio, graphics, and network performance are further capabilities of VMware Tools, provided by its device drivers. When installing VMware Tools you can choose which drivers to install, depending on the guest operating system. The following are supported as device drivers:

  • SVGA driver
  • SCSI driver
  • Paravirtual SCSI driver
  • VMXNet NIC drivers
  • Mouse driver
  • Audio driver
  • Kernel module for sharing folders
  • vmblock Module
  • vShield Endpoint
  • ThinPrint driver
  • Memory control driver
  • VMCI and VMCI Sockets drivers
  • Modules and drivers to support automatic backups of VMs

VMware User Process

The user process supports features such as copy/paste, drag-and-drop, and Unity in VMware products. It starts when a user logs in to the guest operating system. The file behind it is known as vmtoolsd.exe on Windows and vmusr on Linux.


System services must be secured and strengthened when activated.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ciphers'} | Select-Object -ExpandProperty Value

PowerCLI Fix:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'ciphers'
$arguments.value = 'aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

The ESXi host's Secure Shell (SSH) must disable stream-local forwarding: esxi-8.ssh-stream-local-forwarding

System services must be secured and strengthened when activated.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowstreamlocalforwarding'} | Select-Object -ExpandProperty Value

PowerCLI Fix:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'allowstreamlocalforwarding'
$arguments.value = 'no'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

These PowerCLI commands assess and fix SSH-related security settings on ESXi hosts and help you harden your virtual environment.

The ESXi host must configure Secure Shell (SSH) to disable TCP forwarding capability: esxi-8.ssh-tcp-forwarding

System services must be secured and strengthened when activated.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowtcpforwarding'} | Select-Object -ExpandProperty Value

PowerCLI Fix:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'allowtcpforwarding'
$arguments.value = 'no'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

The ESXi host must display the login banner before accessing the system: esxi-8.ssh-login-banner

System services must be secured and strengthened when activated. Also, you need to set the host's advanced Config.Etc.Issue parameter and provide text for this banner.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'banner'} | Select-Object -ExpandProperty Value

PowerCLI Fix:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'banner'
$arguments.value = '/etc/issue'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi Host Should Ignore .rhosts Files: esxi-8.ssh-rhosts

System services must be secured and strengthened when activated.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ignorerhosts'} | Select-Object -ExpandProperty Value

PowerCLI Fix:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'ignorerhosts'
$arguments.value = 'yes'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

This section provides PowerCLI commands for assessing and fixing SSH-related security settings on ESXi hosts, which help you harden the virtual environment.

ESXi host should not allow host-based authentication: esxi-8.ssh-host-based-auth

System services must be secured and strengthened when activated.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'hostbasedauthentication'} | Select-Object -ExpandProperty Value

PowerCLI Fix:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'hostbasedauthentication'
$arguments.value = 'no'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi host should not allow the use of tunnels: esxi-8.ssh-tunnels

System services must be secured and strengthened when activated.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permittunnel'} | Select-Object -ExpandProperty Value

PowerCLI Fix:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'permittunnel'
$arguments.value = 'no'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi host should not allow user environment settings: esxi-8.ssh-user-environment

System services must be secured and strengthened when activated.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permituserenvironment'} | Select-Object -ExpandProperty Value

PowerCLI Fix:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'permituserenvironment'
$arguments.value = 'no'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)


ESXi host needs to set up a timeout counter for inactive sessions: esxi-8.ssh-idle-timeout-count

System services must be secured and strengthened when activated. The timeout counter multiplied by the inactive timeout interval gives the number of seconds a session may remain inactive before it is disconnected.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientalivecountmax'} | Select-Object -ExpandProperty Value

PowerCLI Fix:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'clientalivecountmax'
$arguments.value = '3'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi host needs to set a timeout interval for inactive sessions: esxi-8.ssh-idle-timeout-interval

System services must be secured and strengthened when activated. The timeout counter multiplied by the inactive timeout interval gives the number of seconds a session may remain inactive before it is disconnected.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientaliveinterval'} | Select-Object -ExpandProperty Value

PowerCLI Fix:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'clientaliveinterval'
$arguments.value = '200'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi Host must use FIPS 140–2/140–3 approved cryptographic modules: esxi-8.ssh-fips

OpenSSH ships on the ESXi host with the FIPS 140–2/140–3 validated cryptographic module enabled by default. For backward-compatibility reasons this may have been disabled, so the setting should be reviewed and corrected if necessary.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.security.fips140.ssh.get.Invoke()

PowerCLI Fix:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.security.fips140.ssh.set.CreateArgs()
$arguments.enable = $true
$ESXcli.system.security.fips140.ssh.set.Invoke($arguments)


The guest operating system should automatically configure the VMware Tools update according to the environment: guest-8.tools-upgrade

VMware Tools updates can be initiated by vSphere, which can help maintain up-to-date versions of VMware Tools. This feature should be disabled if VMware Tools is managed and updated through other methods. This standard suggests that automatic updates remain enabled.

PowerCLI Assessment:

C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe config get autoupgrade allow-upgrade

PowerCLI Fix:

C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe config set autoupgrade allow-upgrade true

Guest OS should disable Appinfo information unless needed: guest-8.tools-deactivate-appinfo

Appinfo is a VMware Tools module that discovers the applications running inside the guest. Disable this module to reduce the attack surface unless it is actually used.

PowerCLI Assessment:

C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe config get appinfo disabled

PowerCLI Fix:

C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe config set appinfo disabled true

Guest OS should disable ContainerInfo unless needed: guest-8.tools-deactivate-containerinfo

The VMware Tools ContainerInfo module for Linux compiles a list of containers running inside the Linux guest operating system.

PowerCLI Assessment:

C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe config get containerinfo poll-interval

PowerCLI Fix:

C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe config set containerinfo poll-interval 0

These are the commands for assessing and fixing VMware Tools security settings in guest operating systems, which help you harden and better manage these tools.

Guest OS should disable Guest Operations unless it is needed: guest-8.tools-deactivate-guestoperations

Guest operations are a set of functions that underpin most of the host's interactions with the guest. Disabling them reduces the attack surface of ESXi but dramatically reduces performance, so make sure your environment does not require these functions. Do not do this on template VMs.

PowerCLI Assessment:

C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe config get guestoperations disabled

PowerCLI Fix:

C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe config set guestoperations disabled true

Guest OS must enable Secure Boot: guest-8.secure-boot

Supported by all modern guest platforms, Secure Boot uses public key cryptography to validate hardware, bootloader, drivers, and the operating system kernel. This feature effectively prevents malware as it prevents the system from booting with an invalid boot chain.

PowerCLI Assessment:

(Get-VM -Name $VM).ExtensionData.Config.BootOptions.EfiSecureBootEnabled

PowerCLI Fix:

$VMobj = (Get-VM -Name $VM)
$ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$bootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
$bootOptions.EfiSecureBootEnabled = $true
$ConfigSpec.BootOptions = $bootOptions
$task = $VMobj.ExtensionData.ReconfigVM_Task($ConfigSpec)

The guest operating system should ensure that the virtual machine hardware is version 19 or newer, where it is supported: guest-8.virtual-hardware

Virtual hardware version 19 is compatible with ESXi 7.0 Update 2 and later. Newer virtual hardware versions enable better features and performance. If you have fully upgraded to vSphere 8, consider upgrading to VM hardware version 21. Other VMware guidance recommends caution when upgrading. Snapshots capture the virtual machine's hardware version, which makes it easier to test and revert to a previous version. Consider every place where a virtual machine may run or may need to be restored. Changes to the configuration of VMware-provisioned virtual machines are not supported and may disrupt services. This entry is deliberately categorized as "in-guest" because of the updates that occur inside the guest when the virtual machine is upgraded, despite the low impact.

PowerCLI Assessment:

(Get-VM -Name $VM | Get-View).Config.Version

Fix the PowerCLI issue:

Set-VM -Name $VM -HardwareVersion vmx-21

This section collects the PowerCLI code for assessing and fixing these virtual machine settings in VMware environments, which helps you improve both the security and the performance of your virtual environment.

Guest OS should ensure that VMware Tools is up to date: guest-8.tools-updates

VMware Tools is an essential part of the VMware ecosystem: it allows guest operating systems to be shut down cleanly and managed throughout their lifecycle, provides drivers for paravirtualized devices, and helps deploy and customize virtual machines from templates. Like any other software, VMware Tools needs to be managed and updated. Make sure you are running a version supported for your guest OS, whether it is delivered as part of a Linux distribution or installed by you on Microsoft Windows.

PowerCLI Assessment:

Get-VM -Name $VM | Select-Object -Property Name,@{Name='ToolsVersion';Expression={$_.Guest.ToolsVersion}}

PowerCLI Fix: depends on your site and environment; there are several ways to update VMware Tools. The vmxnet3 and pvscsi drivers are also available via Windows Update, so make sure you import them into tools such as WSUS.
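The Secure Boot, virtual hardware version and VMware Tools items above are each assessed for a single VM. The following is an added example, not code from the VMware guide or from this article, that runs the same three checks across every VM in one pass and only enables Secure Boot where it is safe to do so. It assumes an active PowerCLI session (Connect-VIServer) and takes the vmx-19 baseline from the virtual hardware item; the function names and the hardware-version threshold are my own choices.

```powershell
# Added example; assumes Connect-VIServer has already been run.
$MinimumHardwareVersion = 19   # assumption: baseline taken from guest-8.virtual-hardware

function Get-GuestHardeningReport {
    # Returns one object per VM with a pass/fail flag for each guest-8 item.
    param([Parameter(Mandatory)] $VMs)

    foreach ($vm in $VMs) {
        $view = $vm.ExtensionData
        # Config.Version looks like "vmx-19"; keep the numeric part for comparison.
        $hwVersion  = [int]($view.Config.Version -replace '^vmx-', '')
        $firmware   = $view.Config.Firmware                    # "bios" or "efi"
        $secureBoot = [bool]$view.Config.BootOptions.EfiSecureBootEnabled
        $tools      = $view.Guest.ToolsVersionStatus2
        # guestToolsUnmanaged covers Tools shipped by a Linux distribution, which the
        # guide accepts as long as the version is supported for that guest OS.
        $toolsOk    = $tools -in @('guestToolsCurrent', 'guestToolsUnmanaged')

        [pscustomobject]@{
            Name              = $vm.Name
            PowerState        = $vm.PowerState
            Firmware          = $firmware
            SecureBootEnabled = $secureBoot
            # A BIOS VM cannot have Secure Boot; it is a finding, but switching firmware
            # under an installed OS is destructive, so it is reported rather than fixed.
            SecureBootOk      = ($firmware -eq 'efi' -and $secureBoot)
            HardwareVersion   = $view.Config.Version
            HardwareOk        = ($hwVersion -ge $MinimumHardwareVersion)
            ToolsStatus       = $tools
            ToolsOk           = $toolsOk
        }
    }
}

function Enable-VMSecureBoot {
    # Enables Secure Boot only when the prerequisites (EFI firmware, powered off) hold.
    param([Parameter(Mandatory)] $VM)

    $view = $VM.ExtensionData
    if ($view.Config.Firmware -ne 'efi') {
        Write-Warning "$($VM.Name): firmware is $($view.Config.Firmware); Secure Boot needs EFI. Skipping."
        return $false
    }
    if ($VM.PowerState -ne 'PoweredOff') {
        Write-Warning "$($VM.Name): boot options can only be changed while powered off. Skipping."
        return $false
    }
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.EfiSecureBootEnabled = $true
    $view.ReconfigVM($spec)          # synchronous form of ReconfigVM_Task
    return $true
}

# Usage: list only the VMs that fail at least one check, then enable Secure Boot
# on the powered-off EFI VMs among them.
$report = Get-GuestHardeningReport -VMs (Get-VM)
$report | Where-Object { -not ($_.SecureBootOk -and $_.HardwareOk -and $_.ToolsOk) } | Format-Table -AutoSize

$report | Where-Object { -not $_.SecureBootOk } | ForEach-Object {
    Enable-VMSecureBoot -VM (Get-VM -Name $_.Name) | Out-Null
}
```

The hardware version is deliberately reported, not remediated, because the text above notes that upgrading it changes what the guest sees; schedule that separately with a snapshot in place.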

Guest OS should prevent VMware Tools features from being added automatically: guest-8.tools-add-feature

VMware Tools' automatic update processes can add or remove features from the VMware Tools installation, which can be useful but also provide an opportunity to change the security profile of the guest operating system through vSphere.

PowerCLI Assessment:

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config get autoupgrade allow-add-feature

Fix the PowerCLI issue:

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set autoupgrade allow-add-feature false

Guest OS should restrict the use of MSI transforms when reconfiguring VMware Tools: guest-8.tools-allow-transforms

MSI transforms allow the installation database to be changed on Microsoft Windows guest operating systems. This can be useful, but it also provides an opportunity to change the security profile of the guest operating system through vSphere.

PowerCLI Assessment:

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config get autoupgrade allow-msi-transforms

Fix the PowerCLI issue:

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set autoupgrade allow-msi-transforms false
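The guest operations, allow-add-feature and allow-msi-transforms items are all set through VMwareToolboxCmd.exe inside the guest. As an added example, not part of the VMware guide or this article, the script below checks all three in one run from a Windows guest and can optionally set them, so it can be pushed through whatever you use to manage guest configuration. It assumes the install path shown above and that `config get` prints `[section] key = value` (with UNSET for a key that was never configured); the table of desired values is mine, and guestoperations is included only for environments that have confirmed they do not need guest operations.

```powershell
# Added example. Run inside the Windows guest from an elevated prompt
# (config set writes to the VMware Tools configuration).
$ToolboxCmd = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'

# Desired values from the guest-8 items above (assumption: your environment has
# verified that guest operations are not needed before enforcing the first row).
$Desired = @(
    @{ Section = 'guestoperations'; Key = 'disabled';             Value = 'true'  },
    @{ Section = 'autoupgrade';     Key = 'allow-add-feature';    Value = 'false' },
    @{ Section = 'autoupgrade';     Key = 'allow-msi-transforms'; Value = 'false' }
)

function Test-ToolsConfig {
    # Reports each setting's actual versus desired value; -Remediate applies the fix.
    param([switch] $Remediate)

    if (-not (Test-Path $ToolboxCmd)) {
        throw "VMware Tools command-line utility not found at $ToolboxCmd"
    }

    foreach ($item in $Desired) {
        $out = & $ToolboxCmd config get $item.Section $item.Key 2>&1
        # Assumed output format "[section] key = value": keep what follows the '='.
        # UNSET (never configured) is treated as non-compliant, since the desired
        # value is an explicit setting rather than the default.
        $actual = (($out -join ' ') -replace '^.*=\s*', '').Trim()
        $compliant = ($actual -eq $item.Value)

        if (-not $compliant -and $Remediate) {
            & $ToolboxCmd config set $item.Section $item.Key $item.Value | Out-Null
            $actual = $item.Value
            $compliant = $true
        }

        [pscustomobject]@{
            Setting   = "$($item.Section)/$($item.Key)"
            Actual    = $actual
            Desired   = $item.Value
            Compliant = $compliant
        }
    }
}

# Usage: audit only; add -Remediate to enforce the desired values.
Test-ToolsConfig | Format-Table -AutoSize
```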

These settings and commands help ensure that VMware Tools is kept up to date and configured deliberately, while maintaining the security of your environment.

The vCenter server should use the vSphere Authentication Proxy to prevent Active Directory credentials from being stored: esxi-8.ad-auth-proxy

vSphere Authentication Proxy allows vCenter to connect to and manage AD entities without directly storing Active Directory (AD) credentials, which reduces the risk of disclosure or misuse of credentials.

PowerCLI Assessment:

Get-VMHost -Name $ESXi | Get-VMHostAuthentication | Select-Object VMHost,Domain,DomainMembershipStatus

Virtual machines should disable console copy operations: vm-8.deactivate-console-copy

Disabling console copy operations on virtual machines prevents data from being copied between the virtual machine and the local client, regardless of whether the user has access to the web console, VMRC, or another method.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.copy.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.copy.disable | Remove-AdvancedSetting

Virtual machines should disable the console's drag-and-drop operations: vm-8.isolation-tools-dnd-deactivate

Disabling drag-and-drop operations on the virtual machine console prevents data from being transferred between the virtual machine and the local client, regardless of the type of console, which helps increase data security.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.dnd.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Remove-AdvancedSetting

These PowerCLI settings and commands help you improve the security of your virtual machines and vCenter server by disabling the console copy and drag-and-drop operations that can leak data. The security of Active Directory credentials is also improved by using vSphere Authentication Proxy.

Virtual machines should disable console paste operations: vm-8.deactivate-console-paste

Disabling console paste operations on virtual machines prevents data from being transferred from the local client to the virtual machine, whether the user is using a web console, VMRC, or another console.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.paste.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.paste.disable | Remove-AdvancedSetting

Virtual machines should disable virtual disk shrinking operations: vm-8.deactivate-disk-shrinking-shrink

Disabling virtual disk shrinking operations on virtual machines helps prevent availability problems with the disk. These operations can be triggered even by non-admin users inside the guest.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.diskShrink.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Remove-AdvancedSetting

Virtual machines should disable virtual disk wiper operations: vm-8.deactivate-disk-shrinking-wiper

Disabling virtual disk wiper operations on virtual machines helps prevent availability problems with the disk. These operations can be triggered even by non-admin users inside the guest.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.diskWiper.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Remove-AdvancedSetting

Virtual machines should restrict console sharing: vm-8.limit-console-connections

Limiting a virtual machine's console to a single connection prevents other users from viewing the session and increases security. However, it may indirectly open a path to disrupting the service, because a second administrator cannot connect while the first session is open.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting RemoteDisplay.maxConnections

Fix the PowerCLI issue:

# Set-AdvancedSetting only acts on a setting that already exists; New-AdvancedSetting -Force
# creates the key or overwrites the current value, so it works in both cases
Get-VM -Name $VM | New-AdvancedSetting -Name RemoteDisplay.maxConnections -Value 1 -Force -Confirm:$false

These PowerCLI settings and commands help you improve the security of your virtual machines by disabling console paste, disk shrinking and disk wiper operations and by restricting console sharing, closing off potential weaknesses.

Virtual machines should limit PCI device passthrough: vm-8.pci-passthrough

DirectPath I/O lets a virtual machine access system hardware directly, which interferes with risk-mitigating features such as vMotion, DRS, and High Availability. It also gives an attacker who compromises the guest direct access to the underlying hardware. Make sure that only virtual machines that genuinely need this capability have it, and that the guest operating system is hardened accordingly.

PowerCLI Assessment:

Get-VM -Name $VM | Get-PassthroughDevice

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-PassthroughDevice | Remove-PassthroughDevice

Virtual machines should prevent unauthorized removal, connection, and modification of devices: vm-8.isolation-device-connectable-deactivate

Preventing unauthorized device changes on a virtual machine stops users and non-privileged processes inside the guest from connecting, disconnecting, or reconfiguring devices. This prevents unauthorized access and operational disruption, reduces the risk of denial of service, and closes some paths for data exfiltration.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.device.connectable.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.device.connectable.disable | Remove-AdvancedSetting
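The copy, drag-and-drop, paste, disk shrink, disk wiper, device connectable and console connection items above each assess one advanced setting on one VM. The following added example, which is not code from the VMware guide or from this article, audits all of them for a VM in one pass and optionally remediates. It assumes an active PowerCLI session; the function name and the list of keys (taken from the items above) are my own. It also handles the difference the individual items gloss over: the isolation.* keys are secure when absent, so an explicit override is what must be found and removed, whereas RemoteDisplay.maxConnections has to be present and set to 1.

```powershell
# Added example; assumes Connect-VIServer has already been run.

# Keys whose default (when not set) is already the secure value; any explicit
# override is removed rather than pinned, which is what the items above do.
$IsolationKeys = @(
    'isolation.tools.copy.disable',
    'isolation.tools.dnd.disable',
    'isolation.tools.paste.disable',
    'isolation.tools.diskShrink.disable',
    'isolation.tools.diskWiper.disable',
    'isolation.device.connectable.disable'
)

function Test-VMConsoleIsolation {
    # Emits one result object per setting; -Remediate applies the corresponding fix.
    param(
        [Parameter(Mandatory)] $VM,
        [switch] $Remediate
    )

    # Fetch every advanced setting once instead of one Get-AdvancedSetting per key.
    $settings = $VM | Get-AdvancedSetting

    foreach ($key in $IsolationKeys) {
        $current = $settings | Where-Object { $_.Name -eq $key }
        # Absent, or explicitly TRUE, both mean the operation is disabled.
        $compliant = (-not $current) -or ("$($current.Value)" -match '^(?i:true|1)$')
        $shown = if ($current) { "$($current.Value)" } else { '<not set>' }

        if (-not $compliant -and $Remediate) {
            $current | Remove-AdvancedSetting -Confirm:$false
            $shown = '<not set>'
            $compliant = $true
        }

        [pscustomobject]@{ VM = $VM.Name; Setting = $key; Value = $shown; Compliant = $compliant }
    }

    # Console sharing has no secure default: the key must exist and equal 1.
    $max = $settings | Where-Object { $_.Name -eq 'RemoteDisplay.maxConnections' }
    $maxOk = [bool]$max -and ("$($max.Value)" -eq '1')
    $maxShown = if ($max) { "$($max.Value)" } else { '<not set>' }

    if (-not $maxOk -and $Remediate) {
        # -Force creates the key or overwrites an existing value, so the remediation
        # works whether or not the setting is already present.
        $VM | New-AdvancedSetting -Name 'RemoteDisplay.maxConnections' -Value 1 -Force -Confirm:$false | Out-Null
        $maxShown = '1'
        $maxOk = $true
    }

    [pscustomobject]@{ VM = $VM.Name; Setting = 'RemoteDisplay.maxConnections'; Value = $maxShown; Compliant = $maxOk }
}

# Usage: audit every VM and list only the non-compliant settings.
Get-VM | ForEach-Object { Test-VMConsoleIsolation -VM $_ } |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize

# To fix a single VM after reviewing the findings:
# Test-VMConsoleIsolation -VM (Get-VM -Name 'example-vm') -Remediate
```

Removing overrides rather than setting them to TRUE keeps the VM on the platform default, which is what the individual fix commands above do as well; pinning the value would hide a future change in that default.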

Virtual machines should remove unnecessary virtual hardware: vm-8.remove-unnecessary-devices

Removing unnecessary virtual hardware from virtual machines helps reduce the attack surface. Rarely used ports, leftover CD/DVD drives, and hardware carried over through migrations can all introduce risk. Removing this hardware reduces the chance of malware being introduced into, or data being extracted from, the protected environment.

PowerCLI Assessment:

$VMview = Get-VM -Name $VM | Get-View
$UnnecessaryHardware = "VirtualUSBController|VirtualUSBXHCIController|VirtualParallelPort|VirtualFloppy|VirtualSerialPort|VirtualHdAudioCard|VirtualAHCIController|VirtualEnsoniq1371|VirtualCdrom"

$VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $UnnecessaryHardware} | Foreach-Object {
  $devname = $_.GetType().Name
  Write-Host "$VM`: [WARNING] VM has a $devname device. Please evaluate and consider removing." -ForegroundColor Yellow
}

These settings help increase the security of your virtual machines by removing the exposure that unnecessary devices and hardware create.