So this topic of virtual servers is starting to catch on a bit more. I still think it will go the way of Bluetooth and only people that drink the Intel Kool-Aid will adopt it, but that's just me. Don't get me wrong, I feel there is a place for virtual machines in the data center; the technology and its use just aren't impressing me today. The real point of this post is to bring together some of the tips about virtual server security. I say virtual server and not VMware because they aren't the only players in the market; an example is Virtuozzo, which I was just talking with a friend about. I was listening to a pauldotcom podcast the other day (which, if you're interested, you need to go listen to).
Anywhoo, I have compiled a list of some of the top things to disable or change to harden your virtual environment. The following documents go into further detail, but I wanted to explain a few ideas. The first is disabling unused hardware; examples are the FDD, CD-ROM, USB, and most important, the NIC. The media devices are the obvious ones: disabling them frees up resources (other tips are to shut down screensavers and the K-Desktop), and they typically just aren't needed in a virtual environment. The NIC is the one most people overlook (depending on your setup and how you have things configured, this tip can be incorrect): they will have a virtual host with the ability to link to their LAN. This is particularly an issue if the threat of jumping out of a virtual machine ever comes to light as a virus. If you have a host on a protected network and your VMs are on a DMZ, for example, then once the virtual is hacked your protected network is at risk. The number of times you should have to touch the host is minimal, so keep the KVM attached and disable the protocols and IP address on the host.
The next topic, which ties in with the first, is to keep devices with similar security requirements on the same host, and to put that host in the proper subnet for the security of the virtuals. Meaning, don't put your web server on the same host as your financial server, and don't put your web server on the same host as a tool server that is located in your ring 0/1 LAN. If it's a DMZ server and you would have put it there physically, then put it there phys-virtually (that's physically and virtually in one word). So say this with me once again: put like-security servers in the proper realm, with the proper virtuals sharing a host.
Now to get a little specific to vendors, take VMware as the example. With VMware you have cool things like drag-and-drop file copy, cut and paste, etc. In a server virtual machine you want to shut these enhancements off.
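The two tips above (unused virtual hardware, and the drag-and-drop and copy/paste enhancements) can be checked mechanically against a VM's `.vmx` file. The following is an added example, not code from this post or from VMware: the `isolation.tools.*`, `*.present` and `deviceType` names are standard `.vmx` options that the post itself does not list, treating a missing isolation key as a finding is a policy assumption, and the sample file is constructed.

```python
import re

# Policy assumption of this example: a missing isolation key is a finding,
# because the default differs between VMware products and versions.
ISOLATION_KEYS = ("isolation.tools.copy.disable", "isolation.tools.paste.disable",
                  "isolation.tools.dnd.disable")
LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
CDROM_TYPES = {"cdrom-image", "cdrom-raw", "atapi-cdrom"}

def parse_vmx(text):
    """Parse key = "value" lines; keys are kept exactly as written."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def audit_vmx(text):
    """Return a sorted list of findings for one .vmx file's contents."""
    cfg = parse_vmx(text)
    findings = []
    for key in ISOLATION_KEYS:
        if cfg.get(key, "").upper() != "TRUE":
            findings.append(f"{key} is not TRUE")
    for key, value in cfg.items():
        if not key.endswith(".present") or value.upper() != "TRUE":
            continue  # only devices explicitly marked present are reported
        dev = key[: -len(".present")]
        if dev.startswith("floppy") or dev == "usb":
            findings.append(f"{dev} is attached")
        elif cfg.get(dev + ".deviceType", "").lower() in CDROM_TYPES:
            findings.append(f"{dev} is an attached CD-ROM")
    return sorted(findings)

# Constructed sample, not taken from a real host.
SAMPLE_VMX = '''
isolation.tools.copy.disable = "TRUE"
isolation.tools.dnd.disable = "FALSE"
floppy0.present = "TRUE"
usb.present = "FALSE"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
scsi0:0.present = "TRUE"
scsi0:0.deviceType = "scsi-hardDisk"
'''

if __name__ == "__main__":
    print("\n".join(audit_vmx(SAMPLE_VMX)))
```

On the constructed sample it reports the floppy, the CD-ROM, and the two isolation settings that are off or missing, and leaves the hard disk and the disabled USB controller alone.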
Patch! VMware and Microsoft each have patches for the software they produce, so update and patch your software. VMware has no nice patch management notification like Microsoft Update, so patch your software; also patch your hosts and virtuals for OS and app patches.
VMware has actually published a paper on security for ESX Server; it has important tips on logs, users, and resource provisioning to prevent denial-of-service issues.
Also, CI Security is supposed to release hardening guides; however, they also publish good standards for the OS in the virtual, so check them out, along with the Microsoft-published 2000 hardening and 2003 hardening guides.
Another interesting summary comes from the guys at Petri, specifically because they have screenshots.