VMware Hands-on Labs - HOL-1911-04-SDC


Lab Overview - HOL-1911-04-SDC - vSphere 6.7 Security - Getting Started

Lab Guidance


Note: It will take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Lab Module List:

 Lab Captains:

 This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session.  However, you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@ key".

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all of its startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Automating Password Complexity for ESXi Users (15 minutes)

Introduction


This module (Module 1 - Automating Password Complexity for ESXi Users) will show administrators how they can automate security policy on all of their ESXi hosts. For this module, we will be setting password complexity for users on the vSphere hosts. However, the intent is to show how this method can be applied to all security policies an administrator would like to automate. So imagine you had one complete script that enforced all of the security guidelines for ESXi. On day zero of provisioning ESXi hosts, you would be in compliance. This will reduce the overall operating expense of securing the Software Defined Data Center.

ESXi Passwords and Account Lockout:

For ESXi hosts, you have to use a password with predefined requirements. You can change the required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option. ESXi uses the Linux PAM module pam_passwdqc for password management and control. See the manpage for pam_passwdqc for detailed information.

Note: The default requirements for ESXi passwords can change from one release to the next. You can check and change the default password restrictions using the Security.PasswordQualityControl advanced option.

 ESXi Passwords:

ESXi enforces password requirements for access from the Direct Console User Interface, the ESXi Shell, SSH, or the VMware Host Client. By default, you have to include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash when you create a password. Passwords cannot contain a dictionary word or part of a dictionary word.

Note: An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.

 Example ESXi Passwords:

The following password candidates illustrate potential passwords if the option is set as follows:  retry=3 min=disabled,disabled,disabled,7,7

With this setting, passwords with one or two character classes and pass phrases are not allowed, because the first three items are disabled. Passwords from three and four character classes require seven characters. See the pam_passwdqc manpage for details.

With these settings, the following passwords are allowed:

 ESXi Pass Phrase:

Instead of a password, you can also use a pass phrase; however, pass phrases are disabled by default. You can change this default or other settings, by using the Security.PasswordQualityControl advanced option from the vSphere Web Client.

For example, you can change the option to the following:  retry=3 min=disabled,disabled,16,7,7

This example allows pass phrases of at least 16 characters and at least 3 words, separated by spaces. For legacy hosts, editing the /etc/pam.d/passwd file directly is still supported, but editing the file is deprecated for future releases. Use the Security.PasswordQualityControl advanced option instead.

Changing Default Password Restrictions:

You can change the default restriction on passwords or pass phrases by using the Security.PasswordQualityControl advanced option for your ESXi host. See the vCenter Server and Host Management documentation for information on setting ESXi advanced options.

You can change the default, for example, to require a minimum of 15 characters and a minimum number of four words, as follows:  retry=3 min=disabled,disabled,15,7,7 passphrase=4

See the manpage for pam_passwdqc for details.

Note: Not all possible combinations of the options for pam_passwdqc have been tested. Perform additional testing after you change the default password settings.
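Because pam_passwdqc counts character classes with the two exceptions noted above (a leading uppercase letter and a trailing digit do not count), it is easy to misjudge which passwords a given min= setting will accept. The following PowerShell is an added example, not part of the lab or of VMware's code: it approximates the class-counting and length rule locally so you can sanity-check a candidate policy string and some test passwords before pushing the setting to every host. It deliberately does not implement the dictionary-word check or pass phrase handling, so a password it accepts can still be rejected by the real module on the host.

```powershell
# Added example (not from the lab): local approximation of pam_passwdqc's
# character-class rule for a Security.PasswordQualityControl string.
# Not implemented: dictionary-word checks and passphrase evaluation, so
# "Allowed" here is necessary, not sufficient, for acceptance on the host.

function Get-PasswdqcClassCount {
    param([Parameter(Mandatory)][string]$Password)
    # pam_passwdqc ignores an uppercase letter that begins the password and a
    # digit that ends it when counting classes, so strip them before counting.
    $body = $Password
    if ($body.Length -gt 0 -and $body.Substring(0, 1) -cmatch '[A-Z]') { $body = $body.Substring(1) }
    if ($body.Length -gt 0 -and $body.Substring($body.Length - 1) -cmatch '[0-9]') { $body = $body.Substring(0, $body.Length - 1) }
    $classes = 0
    # -cmatch keeps the test case-sensitive; with -match, [a-z] and [A-Z] would be identical.
    if ($body -cmatch '[a-z]')        { $classes++ }
    if ($body -cmatch '[A-Z]')        { $classes++ }
    if ($body -cmatch '[0-9]')        { $classes++ }
    if ($body -cmatch '[^a-zA-Z0-9]') { $classes++ }
    return $classes
}

function Test-PasswdqcPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$Policy = 'retry=3 min=disabled,disabled,disabled,7,7'
    )
    # min=N0,N1,N2,N3,N4 gives the minimum length for 1-class, 2-class,
    # passphrase, 3-class and 4-class passwords; "disabled" forbids that kind.
    $minField = ($Policy -split '\s+' | Where-Object { $_ -like 'min=*' }) -replace '^min=', ''
    $mins = $minField -split ','
    if ($mins.Count -ne 5) { throw "min= must list five values, got '$minField'" }
    $classes  = Get-PasswdqcClassCount -Password $Password
    # Map the class count to its slot in min= (slot 2 is passphrases, not handled here).
    $slot     = switch ($classes) { 1 { 0 } 2 { 1 } 3 { 3 } 4 { 4 } default { 0 } }
    $required = $mins[$slot]
    if ($required -eq 'disabled') {
        $allowed = $false; $reason = "$classes-class passwords are disabled by policy"
    } elseif ($Password.Length -lt [int]$required) {
        $allowed = $false; $reason = "$classes classes need at least $required characters"
    } else {
        $allowed = $true;  $reason = "$classes classes, length $($Password.Length) meets minimum $required"
    }
    [pscustomobject]@{ Password = $Password; Classes = $classes; Allowed = $allowed; Reason = $reason }
}

# Constructed candidates that exercise the leading-capital and trailing-digit
# caveats and the length threshold (not real credentials).
'Password1', 'xQaTEhb2', 'xQaT-Ehb2', 'VMware1!', 'Sh0rt!' |
    ForEach-Object { Test-PasswdqcPolicy -Password $_ } |
    Format-Table Password, Classes, Allowed, Reason -AutoSize
```

Run it with your own policy string as -Policy to see how candidates that look strong (a capitalised word followed by a digit) collapse to one or two classes once the exceptions are applied. Treat a pass here as a prerequisite only; always confirm the final behaviour on a host, as the note above advises.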

ESXi Account Lockout Behavior:

Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of ten failed attempts is allowed before the account is locked. The account is unlocked after two minutes by default.

 Configuring Login Behavior:

You can configure the login behavior for your ESXi host with the following advanced options:

See the vCenter Server and Host Management documentation for information on setting ESXi advanced options.

 This Module contains the following lesson:

 


 

Script We will Execute (password.ps1)

NOTE: Below is the contents of the password.ps1 script we will be running against our ESXi hosts to set the password complexity on them. DO NOT run these commands at this time! Note also that the lab script embeds the administrator password in clear text for convenience; outside a lab, pass -Credential (Get-Credential) to Connect-VIServer or use the PowerCLI credential store (New-VICredentialStoreItem) instead of writing passwords into scripts.

#Set password policy

Connect-VIServer -server vcsa-01a.corp.local -user administrator@corp.local -password VMware1!

#Get the list of connected ESXi hosts

$VMHosts = Get-VMHost | Where {$_.ConnectionState -eq "Connected"}

#Set the password policy

$passwordpolicy = "retry=3 min=disabled,disabled,disabled,7,7"

#Loop through the lists of hosts and set the advanced setting

foreach ($VMHost in $VMHosts) {Get-AdvancedSetting -Entity $VMHost -Name Security.PasswordQualityControl |Set-AdvancedSetting -Value $passwordpolicy -Confirm:$false}
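The lab script sets one value unconditionally on every host. The introduction's goal of "one complete script that enforced all of the security guidelines for ESXi" is better served by a script that first audits what each host currently has, reports drift, and only then remediates. The following PowerShell is an added example, not the lab's password.ps1 and not VMware-supplied code. It assumes an existing PowerCLI session opened with -Credential rather than an embedded password, and it covers the account lockout options the introduction describes, Security.AccountLockFailures and Security.AccountUnlockTime (the ESXi 6.x advanced settings for lockout); the numeric targets chosen for them are illustrative policy values, not VMware recommendations.

```powershell
# Added example (not the lab's password.ps1): audit-then-remediate for several
# ESXi advanced security settings in one pass. Assumes a PowerCLI session.
# Security.AccountLockFailures / Security.AccountUnlockTime are the ESXi 6.x
# lockout options; the target values below are illustrative policy choices.

$DesiredSettings = @{
    'Security.PasswordQualityControl' = 'retry=3 min=disabled,disabled,disabled,7,7'
    'Security.AccountLockFailures'    = 5      # failed attempts before lockout
    'Security.AccountUnlockTime'      = 900    # seconds the account stays locked
}

function Get-EsxiSecurityDrift {
    # Compares each host's current value with the desired one and returns one
    # row per host/setting with Compliant = $true or $false.
    param(
        [Parameter(Mandatory)][hashtable]$Desired,
        [Parameter(Mandatory)]$VMHosts
    )
    foreach ($VMHost in $VMHosts) {
        foreach ($name in $Desired.Keys) {
            $current = Get-AdvancedSetting -Entity $VMHost -Name $name
            [pscustomobject]@{
                Host      = $VMHost.Name
                Setting   = $name
                Current   = $current.Value
                Desired   = $Desired[$name]
                Compliant = ("$($current.Value)" -eq "$($Desired[$name])")
            }
        }
    }
}

function Set-EsxiSecuritySettings {
    # Remediates only the non-compliant rows and logs each change, so a re-run
    # is idempotent and vCenter's task list only shows real changes.
    param([Parameter(Mandatory)]$Drift, [switch]$DryRun)
    foreach ($row in ($Drift | Where-Object { -not $_.Compliant })) {
        $msg = "$($row.Host) $($row.Setting): '$($row.Current)' -> '$($row.Desired)'"
        if ($DryRun) { Write-Host "WOULD SET $msg"; continue }
        $vmhost = Get-VMHost -Name $row.Host
        Get-AdvancedSetting -Entity $vmhost -Name $row.Setting |
            Set-AdvancedSetting -Value $row.Desired -Confirm:$false | Out-Null
        Write-Host "SET $msg"
    }
}

# Usage: connect without a plaintext password, audit, review, then remediate.
Connect-VIServer -Server vcsa-01a.corp.local -Credential (Get-Credential) | Out-Null
$hosts = Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' }
$drift = Get-EsxiSecurityDrift -Desired $DesiredSettings -VMHosts $hosts
$drift | Format-Table Host, Setting, Compliant, Current, Desired -AutoSize
Set-EsxiSecuritySettings -Drift $drift -DryRun     # dry run first
Set-EsxiSecuritySettings -Drift $drift             # then apply
```

The audit table is also the compliance evidence: run Get-EsxiSecurityDrift on a schedule and alert on any row where Compliant is $false, and the same script that provisions day-zero compliance detects later drift.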

 

Automate Password Complexity Policy


In this module, we will use PowerCLI to run a script (password.ps1) against the two hosts in a single cluster to set the password policy on them. PowerCLI is a quicker, easier, and less error-prone way to make bulk changes in general, and host password policy is one example. For environments with numerous hosts (20 or more), this is a more effective way of making bulk changes than editing each host individually in the web client.


 

Launch PowerCLI

 

1. Double-click on VMware PowerCLI Icon on the desktop.

 

 

Clear Screen

 

  1. Type the following command to clear the screen:
cls

 

 

Verify password.ps1 Script Location

 

1. Type the following command to change to the HOL-1911 directory.

cd C:\LabFiles\HOL-1911\

2. Type the following command to list all files in the HOL-1911 directory.

ls

3.  You should see the script named password.ps1

This script contains the following code, which leverages the advanced ESXi settings to change the complexity. For ESXi hosts, you have to use a password with predefined requirements. You can change the required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option.

We see here all the lines of code that are in the password.ps1 script:

#Set password policy

Connect-VIServer -server vcsa-01a.corp.local -user administrator@corp.local -password VMware1!

 

#Get the list of connected ESXi hosts

$VMHosts = Get-VMHost | Where {$_.ConnectionState -eq "Connected"}

 

#Set the password policy

$passwordpolicy = "retry=3 min=disabled,disabled,disabled,7,7"

 

#Loop through the lists of hosts and set the advanced setting

foreach ($VMHost in $VMHosts) {Get-AdvancedSetting -Entity $VMHost -Name Security.PasswordQualityControl |Set-AdvancedSetting -Value $passwordpolicy -Confirm:$false}

 

 

 

Execute password.ps1 Script

 

  1. Type the following command to execute the password.ps1 script:
./password.ps1

NOTE:   The "./" in the command we just performed tells PowerShell to run the script from the current working directory. If we were in a different directory and wanted to run the password.ps1 script, we would have to provide the full path to it (e.g. 'PS C:\> C:\LabFiles\HOL-1911\password.ps1').

  2. Notice how we set the password complexity value to "retry=3 min=disabled,disabled,disabled,7,7"

The following password candidates illustrate potential passwords if the option is set to "retry=3 min=disabled,disabled,disabled,7,7". That means that passwords with one or two character classes and pass phrases are not allowed, as indicated by the first three disabled items. Passwords from three and four character classes require seven characters.

 

 

Close PowerCLI

 

  1. Click on the red "X" on the PowerCLI window to close PowerCLI.

 

 

Launch Putty

 

1. Click on the Putty icon in the toolbar.

 

 

Connect to esx-01a.corp.local

 

  1. Click on the esxi-01a.corp.local server under Saved Sessions.
  2. Then click on the Load button.
  3. Then click on the Open button to connect to the host.

 

 

Clear Screen

 

  1. Type the following command into the putty window to clear the screen to make it easier to see commands and give more screen space.
clear

 

 

Verify Change Was Made

 

Because we loaded the esxi-01a.corp.local saved session, PuTTY logged in as the root user account with the stored password.

We are now at the command prompt and need to type the following commands:

  1. Type the following command to change directory to the pam.d folder:
cd /etc/pam.d
  2. Type the following command to print the lines of text in the passwd file:
cat passwd
  3. We should see the policy string we set, retry=3 min=disabled,disabled,disabled,7,7, on the pam_passwdqc.so line; this is how the advanced option is applied through PAM. The same value can be read back from the advanced setting itself with: esxcli system settings advanced list -o /Security/PasswordQualityControl

NOTE: Feel free to repeat Steps 1 - 3 with esx-02a.corp.local to see that the change was made against that host as well.

 

 

Close Putty

 

  1. Click on the red "X" on the Putty window to close Putty.

 

 

Putty Exit Confirmation

 

  1. Click on the OK button.

 

 

Automate Password Complexity Policy - Complete

Congratulations on completing Module 1: Automating Password Complexity for ESXi Users!

Using PowerCLI commands, we changed the password complexity requirements from the command line instead of through the Graphical User Interface (GUI) that most administrators use. We then verified the changes were successfully made by connecting to the hosts via PuTTY.

 

Conclusion


Congratulations on completing Module 1!

Leveraging scripts to remediate security policies that are out of compliance is a key way to reduce the overall security risk of the Software Defined Data Center and lower the associated operating expense of securing your systems. In this module we saw how to use PowerCLI to automate password complexity settings; the same approach applies to a myriad of other security settings.

Proceed to the next module (Module 2 - Forensic Security with vRealize Log Insight), or feel free to skip to any other module below which interests you most.


 

Automating Password Policy Resources:

NOTE: Because the lab environment typically does not connect out to the internet, you will not be able to connect to the below links from the lab environment. The links are meant to be provided so you can save the links to refer at a later time. Feel free to take a picture with your cell phone to save the list of links to refer to later.

 

 

OPTIONAL: How to End the Lab

 

NOTE: Understand that when you click the END button in the lab, it will close out the lab and delete the associated virtual machines. This means when the lab is re-launched, it will create a new lab instance with new virtual machines, not the ones used previously. Any and all previous settings will be lost and they will be back to the default settings from when the lab is first deployed.

You can now continue on to the next module by clicking forward, or use the Table of Contents to skip to another desired Module.

If you'd like to end your lab, click on the END button.

Note: If you end your lab, you will need to re-register for the lab in order to take any other modules.

 

Module 2 - Forensic Security with vRealize Log Insight (30 minutes)

Introduction


This module (Module 2 - Forensic Security with vRealize Log Insight) shows how a vSphere administrator can use the logging capabilities in vSphere 6.7 and vRealize Log Insight to show who actually did what in vCenter. vRealize Log Insight delivers heterogeneous and highly scalable log management with intuitive, actionable dashboards, sophisticated analytics and broad third-party extensibility. It provides deep operational visibility and faster troubleshooting across physical, virtual and cloud environments.

vRealize Log Insight for vCenter FAQ Blog:  https://blogs.vmware.com/management/2016/02/vrealize-log-insight-for-vcenter-faq.html

This module will also show how we can create a custom dashboard from within vRealize Log Insight to give administrators a rapid view of who rebooted a virtual machine as well as valid and unauthorized login attempts to ESXi. We also explore the security dashboards from the Security Operations content pack within vRealize Log Insight. This content pack is just one of many that are available to install in vRealize Log Insight to offer additional extensibility. Additional content packs can be downloaded from the VMware Solutions Exchange.

Prior to vSphere 6.5, actions taken at the vCenter level by a named user would show up in ESXi logs with the “vpxuser” username.

 In 6.7, all actions taken at vCenter against an ESXi server now show up in the ESXi logs with the vCenter username

This Module contains the following lessons:


 

Actionable Logging

 

In vSphere 6.7 we can see that the log information is now actionable. We see that the administrator account has moved the VM from the PCI-vSwitch to the Non-PCI vSwitch. This could just as easily be a move from a secure network to an unsecured network. The point here is that this is a security event.

vRealize Log Insight can parse this and create an alert. Why is this important? Because an IT manager can be alerted immediately when a virtual machine falls out of scope for security.

NOTE: This is a general example and does not relate to the existing lab environment.

 

Getting to Know the User Interface of vCenter Server 6.7


In this lesson, we will provide an overview of the vCenter Server user interface in regards to its security focused features. vSphere 6.5 introduced enhanced audit-quality logging, and vSphere 6.7 builds on it. Before that, logs were focused on "troubleshooting" and not on IT operations or security use cases. For example, if a virtual machine was reconfigured from one network to another network, the most that would come out of the log would be "Virtual Machine <name> reconfigured". While accurate, it was incomplete.

 Logs coming from vCenter via syslog are enriched with data from vCenter Events. These logs clearly show the "Before" and "After" values of setting changes.  This enhances the ability of IT and security administrators to troubleshoot issues by showing exactly what changed in the vSphere environment. In the image below, the virtual machine has been moved from a network labeled "PCI-vSwitch", implying that the network is in scope for Payment Card Industry (PCI) traffic, to the "Non-PCI-vSwitch".

Before this enhancement, when we made a change to a virtual machine, we only got a "Mike Foley reconfigured this VM" type of message. Why is this bad? Because it is not actionable. Was it something that has security implications? Was the VM moved from a secure network to an unsecure network?

Can Log Insight help in that scenario? No. vRealize Log Insight, like any other syslog collector, can only act on the information it receives; if the log line does not say what changed, no parser or alert rule can recover it.

A virtual machine that is in scope for PCI being moved off of a PCI network to a non-PCI network would be a serious security issue. With the enhanced logging available in vSphere 6.7, this notification goes directly via syslog to the logging solution, where it is parsed and an alert can be generated, informing those concerned of the serious situation.

For vSphere 6.7, the logging of not only virtual machine changes but all vSphere changes have been improved. Changes to vCenter roles and permissions, datastore browsing functions like downloading a VM and actions such as creating and modifying vCenter clusters and hosts are all included in the enhanced logging.

For those that are used to 5.x and 6.0 logging, these changes come with no need to increase the logging level beyond "info", nor do they add any measurable load to vCenter or add to the vCenter database. This is because the information has already been recorded as part of the existing vCenter event. Enhanced logging exposes this information via the syslog stream. Troubleshooting and support logs are unaffected and will still be used by support as necessary.
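The PCI scenario above is, at bottom, a policy check over VM reconfigure events: an in-scope VM has a NIC attached to a network it is not allowed to use. The following PowerShell is an added example and not part of the lab or of vRealize Log Insight; it shows the logic such an alert encodes, written against the shape of the vCenter VmReconfiguredEvent (Vm.Name, UserName, CreatedTime, and ConfigSpec.DeviceChange[].Device.Backing.DeviceName for a standard-switch port group). The list of in-scope VMs, the allowed network name and the sample events are all constructed for the example. Because a reconfigure event carries the new backing but (before the 6.7 enhancement) not the old one, the check compares against policy rather than diffing before and after, which is exactly the gap the enriched syslog events close.

```powershell
# Added example (not from the lab): policy check over VM reconfigure events
# that flags NICs of PCI-scoped VMs landing on unapproved networks.
# Field names follow VMware.Vim.VmReconfiguredEvent; sample data is constructed.

# Policy assumed for the example: VMs in PCI scope and the networks they may use.
$PciScopedVMs = @('pos-db-01', 'pos-web-01')
$PciNetworks  = @('PCI-vSwitch')

function Find-ScopeViolations {
    # Emits one alert object per NIC that an in-scope VM was attached to an
    # unapproved network. The event only carries the new backing, so this is a
    # policy comparison, not a before/after diff.
    param(
        [Parameter(Mandatory)]$Events,
        [Parameter(Mandatory)][string[]]$ScopedVMs,
        [Parameter(Mandatory)][string[]]$AllowedNetworks
    )
    foreach ($e in $Events) {
        if ($ScopedVMs -notcontains $e.Vm.Name) { continue }
        foreach ($change in @($e.ConfigSpec.DeviceChange)) {
            if ($null -eq $change) { continue }          # CPU/memory-only reconfigure
            $backing = $change.Device.Backing
            if ($null -eq $backing -or -not $backing.PSObject.Properties['DeviceName']) { continue }
            if ($AllowedNetworks -notcontains $backing.DeviceName) {
                [pscustomobject]@{
                    Time     = $e.CreatedTime
                    User     = $e.UserName
                    VM       = $e.Vm.Name
                    Network  = $backing.DeviceName
                    Severity = 'HIGH'
                    Message  = "PCI-scoped VM $($e.Vm.Name) attached to non-PCI network '$($backing.DeviceName)' by $($e.UserName)"
                }
            }
        }
    }
}

# Constructed sample events shaped like VmReconfiguredEvent (not real log data):
# one in-scope VM moved to the non-PCI network, one out-of-scope VM doing the same.
$sampleEvents = @(
    [pscustomobject]@{
        CreatedTime = Get-Date '2018-10-01T10:15:00'
        UserName    = 'CORP\administrator'
        Vm          = [pscustomobject]@{ Name = 'pos-db-01' }
        ConfigSpec  = [pscustomobject]@{ DeviceChange = @(
            [pscustomobject]@{ Operation = 'edit'; Device = [pscustomobject]@{
                Backing = [pscustomobject]@{ DeviceName = 'Non-PCI-vSwitch' } } } ) }
    },
    [pscustomobject]@{
        CreatedTime = Get-Date '2018-10-01T10:16:00'
        UserName    = 'CORP\administrator'
        Vm          = [pscustomobject]@{ Name = 'dev-box-07' }
        ConfigSpec  = [pscustomobject]@{ DeviceChange = @(
            [pscustomobject]@{ Operation = 'edit'; Device = [pscustomobject]@{
                Backing = [pscustomobject]@{ DeviceName = 'Non-PCI-vSwitch' } } } ) }
    }
)

Find-ScopeViolations -Events $sampleEvents -ScopedVMs $PciScopedVMs -AllowedNetworks $PciNetworks |
    Format-List

# Against a live vCenter (PowerCLI session required) the same check runs on real events:
# $events = Get-VIEvent -MaxSamples 5000 | Where-Object { $_ -is [VMware.Vim.VmReconfiguredEvent] }
# Find-ScopeViolations -Events $events -ScopedVMs $PciScopedVMs -AllowedNetworks $PciNetworks
```

Only the first sample event should produce an alert, since dev-box-07 is not in scope. In production the scoped-VM list would come from a vSphere tag or a CMDB rather than a literal array, and the alert object would be forwarded to the SIEM or ticketing system rather than printed; the enriched 6.7 syslog events let Log Insight raise the equivalent alert without this helper because the old and new network names arrive in the message itself.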


 

Open Google Chrome

 

If Google Chrome is not already open:

  1. Click the Google Chrome icon on the Quick Launch bar.

NOTE: If Google Chrome is already open, continue on to the next step.

 

 

RegionA vCenter Server (Flash)

 

In this lesson, we will be using the older vSphere Web Client that is built on Flash to look at the system logs in this particular client.

  1. Click on the RegionA vSphere Client (Flash) Bookmark located on the Bookmark Toolbar.

 

 

Log Into RegionA vCenter Server (Flash)

 

  1. Type administrator@corp.local in the username text field.
  2. Type VMware1! in the password text field.
  3. Then click on the Login button.

 

 

Home

 

  1. Hover the mouse over the Home icon at the top of the content pane.
  2. Click on Home in the drop-down menu.

 

 

Minimize Panes

 

In order to give us more screen real estate with the vCenter Web Client, we will minimize the various panes.

  1. Click on the Pin icon next to the Work In Progress pane.
  2. Click on the Pin icon next to the Alarms pane.
  3. Click on the Pin icon next to the Recent Objects pane.
  4. Click on the Pin icon next to the Recent Tasks pane.

 

 

Default Home View

 

When in the Home view, we see the list of different object group types in the left navigation pane such as Hosts and Clusters, VMs and Templates, Storage, Networking, Policies and Profiles, and much more. On the right side is the content pane which has several sections to it:

  1. We have the Inventories section which is a commonly used section with Hosts and Clusters, VMs and Templates, Storage, Networking, etc.
  2. We have the Operations and Policies section, with Tasks, Events, VM Storage Policies, etc.
  3. We have the Administration section which has Roles, System Configuration, Licensing, etc.
  4. And finally we have the Plug-ins for Installation section for plug-ins such as vRealize Orchestrator, the Hybrid Cloud Manager, and much more.

NOTE: You may have to scroll down in order to see the Plug-ins for Installation section.

 

 

Global Inventory List

 

  1. Click on the Global Inventory Lists in the Content Pane under the Inventories section.

 

 

vCenter Home View

 

Now we see the vCenter Home view which provides a list of all of the object types in the vCenter server.

  1. Click on the vCenter Servers object in the left Navigation Pane.

 

 

vCenter Server System Logs

 

In order to see the system logs for the vCenter Server, we need to first select the vCenter Server that we want to see the logs for since we have more than one vCenter Server. Then we will need to make a few other selections to get to the log files themselves.

  1. Click on the vcsa-01a.corp.local vCenter Server in the left navigation pane.
  2. Click on the Monitor tab on the content pane.
  3. Click on the System Logs tab.

We see the default log that comes up is the vCenter Server Log [vpxd-***.log], but there is a drop-down to select the different vCenter Log files.

NOTE: The log files in the lab environment may reflect differently than what is in the screen capture.

 

 

Selecting Other Log Files

 

At this point, we want to look at another vCenter Server log, specifically the vpxd.log.

  1. Click on the vCenter Server logs drop-down menu and select the vCenter Server log [vpxd.log].
  2. We see that the log entries are more descriptive than they were in previous versions of vCenter Server.

 

 

Exporting System Logs

 

For many administrators, especially ones that do not have a log analysis solution such as VMware's vRealize Log Insight solution, being able to export the logs is an important feature to have. As we see here, there is an easy way to export any of the logs that we need to export.

  1. Click on the Export System Logs button.

 NOTE: The log files in the lab environment may reflect differently than what is in the screen capture.

 

 

Exporting System Logs - Select Host(s)

 

Now we have the opportunity to select the vSphere host(s) whose logs we want to export. For our purposes we will export the system log files of just one host, as well as the vCenter Server and vSphere Web Client logs.

  1. Click on the check box next to esx-01a.corp.local to select that specific host.
  2. Click on the check box next to Include vCenter Server and vSphere Web Client logs to include these log files in the export. (selecting this greatly increases the size of the file)
  3. Click on the Next button.

NOTE: If the names of the hosts in the screen capture are different than what we see in the lab environment, check to be sure we are logged into the correct vCenter server.

 

 

Select The Logs

 

Here we are able to get specific on which log files we want to export. Some of the examples of the log files are the System, Performance Snapshot, Installer, Virtual Machines, and much more. We have the ability to also gather performance data for a set amount of time and set a password to encrypt the core dump files.

  1. If need be, scroll down the page until we can see the Network check box.
  2. De-select the Network check box.  
  3. Click on the Gather performance data check box and keep the default settings for it.
  4. We will NOT actually export the logs due to time and disk space, click on the Cancel button.

NOTE: We didn't click Finish because of the time and space it would take to gather the log files. This was just meant to show us how to go about exporting log files and what options we can select to capture.

 

 

Show Line Numbers

 

When looking at log files, it can be hard to distinguish where one entry ends and the next one begins, so there is an option to add line numbers to the log view to assist with this.

  1. Click on the Show line numbers check box.
  2. We now see the line numbers making it easier to see where the next log file begins.
  3. We also see we can Show Next 2000 Lines and Show All Lines if we want. Feel free to click on them if you want to see the results.

NOTE: The log files in the lab environment may reflect differently than what is in the screen capture.

 

 

vSphere Web Client

At this point, we are done using the "Flash-based" vSphere Web Client. However, leave it open for the first step of the next lesson since we will be using it again.

 

 

Getting to Know the User Interface of vCenter Server 6.7 - Complete

We have completed this lesson, which walked through the parts of the vCenter Server user interface that show security-relevant information such as log files and events. We also ran through the process of exporting log files in the event we need to do this.

 

An Overview of the vCenter Server 6.7 Logs


Starting with vSphere 6.5, we introduced enhanced audit quality logging. Prior to 6.5, logs were more focused on "troubleshooting" and not on IT operations or security use cases. For example, if a virtual machine was reconfigured from one network to another network, the most that would come out of the log would be "Virtual Machine <name> reconfigured". While accurate, it was incomplete. With vSphere 6.7, we have continued to make improvements on our logging to make day-to-day operations much easier and more useful!


 

Launch vSphere Client (HTML)

 

At this point, we will no longer be working in the old Flash-based web client and want to launch the HTML5-based web client. The link to the HTML5 client is a feature newly added to the Flash-based web client in vSphere 6.7. This saves us time switching from one version of the client to the other!

  1. Click on Launch vSphere Client (HTML5) in the upper right-hand corner of the web client.

 

 

Close the Flash-based Web Client Tab

 

We can now close the Flash-based browser by performing the following step:

  1. Click on "X" for the tab of the Flash-based web client to close it.

 

 

Log Into RegionA vCenter Server (HTML5)

 

If need be, log into the HTML5 web interface. However, it should automatically log you in since we clicked on the link from the Flash-based vSphere web client while logged into it.

  1. Type administrator@corp.local in the User name field.
  2. Type VMware1! in the Password field.
  3. Click the Login button.

 

 

Minimize Recent Tasks Pane

 

Now we will minimize the Recent Tasks pane to give us more real estate from within the vCenter Web Client.

  1. Click on the double down arrows to minimize the Recent Tasks pane in the lower right-hand corner of the web client.

 

 

Default vCenter Server View

 

Now we will start to work in the newer web client based on HTML5 which provides a much faster and better user experience than any previous versions.

  1. Click on the Menu drop-down menu at the top of the content pane.
  2. Select Global Inventory Lists from the Home drop-down menu.

 

 

vCenter Home View

 

Now we see the vCenter Home view as well as the numerous other objects. We want to go to the list of vCenter Servers.

  1. Click on the vCenter Servers object in the left navigation pane.

 

 

vCenter Server System Issues

 

For administrators, troubleshooting can be cumbersome and time consuming. VMware makes it easier by surfacing information that helps find issues quicker. The first way it does that is by providing an Issues tab that brings ongoing issues to light. To look at the issues:

  1. Click on the vcsa-01a.corp.local in the left Navigation Pane.
  2. Click on the Monitor tab in the content pane.
  3. Click on the All Issues selection in the Content Pane.

We see that when we click on the All Issues tab, it opens up to the All Issues selection. Because this is a lab environment, there aren't any issues being reported at this time in the screen capture. The lab environment we are working in may or may not show some issues. However, in a live production environment, you more than likely would see some listed.

NOTE: The Issues listed in the screen capture may be different than what you see in the lab environment.

 

 

vCenter Server Tasks

 

In the Tasks & Events tab, you see tasks such as rescans of the VMFS volumes and the HBAs. The Events section shows events such as when a user has logged in or out or made changes, and much more. The Scheduled Tasks section shows any scheduled tasks that you have created. Again, being a lab environment, we do not have any scheduled tasks configured.

  1. Click on Tasks under Tasks & Events.

NOTE: You may need to use the scroll bar or adjust the screen to see more of the information. Also, the Tasks listed in the screen capture may be different than what you see in the lab environment.

 

 

vCenter Server Events

 

The Events section is the most security-relevant of the three: it shows when a user has logged in or out, who made a change, and what object was affected.

  1. Click on Events under Tasks & Events.

NOTE: You may need to use the scroll bar or adjust the screen to see more of the information. Also, the Events listed in the screen capture may be different than what you see in the lab environment.

 

 

vCenter Server Sessions

 

Sometimes, administrators want to know what and who are connected to the vCenter Server and want to see these open sessions. In order to see these open sessions:

  1. Click on Sessions and review the session information.

NOTE: You may need to use the scroll bar or adjust the screen to see more of the information. Also, the Sessions listed in the screen capture may be different than what you see in the lab environment.

 

 

vCenter Server Health

 


  1. Click on Health.

NOTE: You may need to use the scroll bar or adjust the screen to see more of the information. Also, the health information shown in the screen capture may be different than what you see in the lab environment.

 

 

vSphere Web Client

At this point, you can leave the HTML5-based vSphere Web Client open since we will be working in it for the next lesson.

 

 

vCenter Server User Interface Overview - Complete

Congratulations on completing the "An Overview of the vCenter Server 6.7 Logs" section of Module 2!

Hopefully this overview of the security-related areas of the vCenter Server user interface (log files, events, tasks, sessions, etc.) was useful. Although system logs tend to be the most important to look at from a security perspective, looking at the other areas can also be very valuable.

 

 

Intro Information on Log Insight Capabilities Beyond Log Insight for vCenter


This lab will demonstrate the audit enhancements for vCenter Server inventory changes with vCenter Events and syslog messages. The lab will also demonstrate the improved event logging in both vCenter and ESXi servers. You will experience a new syslog stream with events based on structured data from the vCenter database. Then we will look at the logging using our vRealize Log Insight log aggregation tool.


 

Menu

 

We now want to go to the Hosts and Clusters view by doing the following:

  1. Click on the Menu Button at the top of the page.
  2. Then click on Hosts and Clusters from the drop-down menu.

 

 

VMs and Templates

 

Now we will use the core-01a template to create new virtual machines that we will use for various purposes of this lab.

  1. Open up everything under the vcsa-01a.corp.local vCenter server until you see the core-01a virtual machine.

 

 

Core-01a - Edit Settings

 

  1. Right-click on the core-01a virtual machine.
  2. Then click on Edit Settings.

 

 

Core-01a - Edit Memory

 

At this point, we want to make some changes to the core-01a virtual machine so that it will trigger some logs that we can go and look at. The first change we will make is to the allocated memory.

  1. Edit the allocated memory from 256 to 128.
  2. Then click on the OK button to complete the change.

 

 

Core-01a Virtual Machine

 

  1. Right-click on the core-01a virtual machine.
  2. Then click on Edit Settings.

 

 

Core-01a - Edit Settings (Adapter)

 

At this point, we want to disconnect the network adapter 1 on the core-01a virtual machine.

  1. De-select the check-box for the Network adapter 1 to disconnect the adapter on the virtual machine.
  2. Then click on the OK button to complete the change.

 

 

Core-01a - Return Settings

 

  1. Right-click on the core-01a virtual machine.
  2. Then click on Edit Settings.

 

 

Core-01a - Edit Settings (Memory & Adapter)

 

At this point, we want to return all the settings that were originally configured for the core-01a virtual machine.

  1. Edit the allocated memory from 128 to 256.
  2. Select the checkbox for the Network adapter 1 to reconnect the adapter on the virtual machine.
  3. Then click on the OK button to complete the change.

 

 

Core-01a - Look at Events Generated

 

  1. Click on the core-01a virtual machine.
  2. Then click on the Monitor Tab in the content pane.
  3. Now select Tasks under Tasks and Events in the content pane.
  4. Looking at the first few task entries, we see the Reconfigured virtual machine tasks that we just performed on the core-01a virtual machine. Feel free to click on each of them and look at the log descriptions associated to the changes we made.

NOTE: You may need to expand some of the columns or move the bar up to see all of what is showing in the bottom of the content pane.

 

 

Open New Tab in Chrome

 

We are now going to go and log into the vRealize Log Insight server to find the logs from when we reconfigured the core-01a virtual machine.

  1. Click on the New Tab button in Google Chrome to open a new tab.

 

 

vRealize Log Insight

 

We are now going to go and log into the vRealize Log Insight server to find the logs from when we reconfigured the core-01a virtual machine.

  1. Click on the New Tab that you just opened.
  2. Now click on the vRealize Log Insight bookmark in the Bookmark Toolbar.

 

 

Log into vRealize Log Insight

 

  1. Type admin for the User name text field.
  2. Type VMware1! for the Password text field.
  3. Click on the LOGIN button.

 

 

Interactive Analytics Tab

 

  1. Click on the Interactive Analytics tab at the top of the page.

 

 

Find Event Change Logs

 

We want to find the change log from when we made changes to the core-01a virtual machine. In order to do that, we will use the search function in the vRealize Log Insight interface to find it.

  1. Type core-01a in the search field. You will notice that as soon as you start to type, vRealize Log Insight presents auto-fill choices from all the logs that have already been ingested.
  2. Click the Time drop-down menu and select Latest hour of data. If need be, you can select longer increments of time in order to find the associated core-01a virtual machine logs.
  3. Click the Magnifying Glass (search) icon to perform the search.
  4. You will notice that you now have any and all the logs that include the core-01a virtual machine. You should see the log entries for changing the memory as well as disabling/enabling the network adapter for the core-01a virtual machine.

 

 

Conclusion

This lesson demonstrated the enhancements in vCenter Server log files and how they offer more detailed information than we had in previous versions, making troubleshooting much easier for administrators. Besides the log files, we also covered vCenter Server Issues, Tasks and Events, and Sessions. These can also be useful when troubleshooting an issue within a vSphere environment.

And finally, we showed a quick overview of vRealize Log Insight's ability to provide an even faster and simpler way to view, search, and correlate logs in an environment.

 

Perform Security Audit Actions


Before we get started analyzing the data from within vRealize Log Insight, we will need to perform some security audit actions to mimic events that may occur inside of an organization.

We will restart a virtual machine from the vCenter Server interface, log into an ESXi host as root, and attempt to log into ESXi as an unauthorized user. We will be using ESXi to showcase this functionality, but the systems could also be any Windows or Linux operating system, in addition to storage and network devices. vRealize Log Insight can consume logs from anywhere, including both virtual and physical devices!


 

Switch to vSphere Web Client Tab

 

We will now switch back to the vSphere Web Client tab of the Google Chrome browser.

  1. Click on the vSphere Web Client tab to return to the vSphere Web Client.

 

 

Hosts and Clusters View

 

Now that we are back in the vSphere Web Client, let's make sure we are in the Hosts and Clusters view. If not, complete the step below.

  1. Click on the Hosts and Clusters icon in the Navigation pane.

 

 

Start core-01a

 

Now let's power on the core-01a virtual machine:

  1. Click on the core-01a virtual machine in the Navigation pane.
  2. Then click on the ACTIONS drop-down menu at the top of the browser window.
  3. Select Power from the drop-down.
  4. Now click on Power On.

 

 

Confirm core-01a Started

 

At this point we want to make sure the core-01a virtual machine is fully up and running by performing the following tasks:

  1. While still having the core-01a virtual machine selected, click on the Summary tab in the Content Pane.
  2. Verify that the virtual machine is fully up and running in the window and that it says Powered On at the lower left-hand corner of the black window.

NOTE: We may need to give it a minute to fully come up and we may need to refresh the vSphere Web Client to see that the virtual machine looks like the screen shot.

 

 

Restart core-01a

 

We now want to restart the core-01a virtual machine so we can have a log file created for the reboot action.

  1. Right-click on the core-01a virtual machine.
  2. Select Power from the drop-down menu.
  3. Click on Restart Guest OS from the Power drop-down menu.  

 

 

Confirm core-01a Restart

 

  1. Click on the YES button to confirm the guest restart.

 

 

Minimize Google Chrome

 

You are now done performing tasks inside of the vSphere Web Client. For the moment, you can minimize the Google Chrome browser if you want, but you will need to use it again in the next lesson:

  1. Click the Minimize icon in the upper right-hand corner of the browser window to minimize it.

 

 

Open Putty

 

We are now going to connect to the host that core-01a is running on via the Putty application. Putty is a terminal application that we can use to connect to a host over the SSH protocol. The purpose of this is to again create new user login logs that we can search for.

  1. Click the putty icon in the Windows Taskbar to launch the Putty application.

 

 

Log Into esx-02a.corp.local

 

We will now log into esx-02a.corp.local as root using a saved session that also has the correct password already saved.

  1. Scroll down until you see esx-02a.corp.local listed under Saved Sessions.
  2. Double-click on the esx-02a.corp.local in the Saved Sessions field.

 

 

Root Authentication

 

  1. You now see that we were automatically logged into esx-02a.corp.local with the username root successfully and authenticated with a public key.

 

 

New Putty Session

 

We are finished with this putty session and need to open a new putty session. This time we will not log in with the pre-configured session.

  1. Click on the dual monitor icon in the upper left corner of the Putty window.
  2. Select New Session...

 

 

Manually Re-connect to esx-01b.corp.local

 

This time, we will manually type the hostname in so we don't use the pre-configured username and password. We want to INTENTIONALLY log in with the INCORRECT login information.

  1. Manually type esx-02a.corp.local in the Host Name (or IP address) text field.
  2. Now click on the Open button.

 

 

Access Denied - admin

 

We will now purposefully attempt to login as the admin user account with a bad password.

  1. Type the following next to login as: then press the Enter key on the keyboard.
admin
  2. Type the following next to Password: then press the Enter key on the keyboard.
admin
  3. Exit BOTH Putty sessions by clicking on the red X in the top right corner of each Putty window.

Note: Access denied is the desired response after Step 2.

 

 

Putty Exit Confirmation

 

After clicking the red X on the last Putty window, we get a Putty Exit Confirmation window:

  1. Click the OK button to confirm closing the last Putty session.

 

 

Perform Security Audit Actions - Complete

That completes the Perform Security Audit Actions section of Module 2. We performed several actions that caused the creation of audit logs, including rebooting a virtual machine and connecting to a host via Putty using both the correct and an incorrect password. These logs can now be viewed from within the vRealize Log Insight solution in the next section.

 

Create Audit Query & Dashboard


VMware vRealize Log Insight delivers heterogeneous and highly scalable log management with intuitive, actionable dashboards, sophisticated analytics and broad third party extensibility, providing deep operational visibility and faster troubleshooting.

Intelligent and Extensible

Highly Scalable

Intuitive and Affordable

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.  


 

Restore Google Chrome

 

We should still have the tab open for vRealize Log Insight from the previous lesson:

1. Click the Google Chrome browser in the Task Bar where it is currently minimized in order to maximize it.

NOTE: If we no longer have vRealize Log Insight open in Chrome from the previous session, open a new tab and click on the vRealize Log Insight bookmark and log back into it.

 

 

Open vRealize Log Insight

 

We should still have the tab open for vRealize Log Insight from the previous lesson:

1. Click the vRealize Log Insight tab to switch back to it.

 

 

Re-Authenticate to vRealize Log Insight (if needed)

 

We may get a pop-up window saying the vRealize Log Insight session has expired and that we need to re-authenticate. If so, do the following steps, otherwise skip to the next step:

  1. Type VMware1! into the Password field.
  2. Then click on the LOGIN button.

 

 

Dashboards

 

If not already on the Dashboards tab, perform the following step:

  1. Click on the Dashboards tab at the top of the user interface.

 

 

Dashboards General Overview

 

In the left Navigation Pane, we have several dashboard types. This list can vary depending on what VMware and 3rd Party Management Packs may be installed in vRealize Log Insight.  

  1. Custom Dashboards - Which include the My Dashboards and Shared Dashboards.
  2. Content Pack Dashboards -  These are the list of dashboards that have been installed via Content Packs.

NOTE: From within vRealize Log Insight, there is a link to the VMware Marketplace where we can find the various free and non-free VMware and 3rd party management packs. There are also management packs for VMware's other management solutions such as vRealize Operations Manager. The VMware Marketplace with the management packs for vRealize Log Insight can be found here (https://marketplace.vmware.com/vsx/?product=2054,2055,2052,3509,2056,2058,2061,2059,2057,3397,2060).

 

 

Dashboards - Content Pane

 

Now let's look at the default Content Pane that is showing to the right of the Navigation Pane. We see some filtering options at the top of the Content Pane as well as numerous widgets below the filter options.

  1. Time Range. Here you can set the data time range from 5 minutes - 48 hours, or a custom time range, for the selected dashboard.
  2. Filters. Filters available to the selected dashboard are defined here, to focus the query only to relevant information.
  3. Widgets. The main panel contains Widgets for the selected dashboard. Widgets are a representation of the data selected in the preceding areas, displayed using graphs, charts, figures, and more.

NOTE: You may need to use the scroll bar to see all of the widgets within the dashboard. The various dashboards in our lab will most likely reflect slightly different data in them compared to what is in the the screen shot.

 

 

Widget Information

 

  1. In the upper right-hand corner of each widget, we see there are some option menus available.

The (3) options you have are:

 

 

Interactive Analytics

 

Interactive Analytics allows administrators and engineers to drill down into log messages to determine problem areas and to perform root cause analysis troubleshooting.

1. Click on Interactive Analytics tab.

 

 

Create Query

 

  1. In the query bar text field, type the word reboot.
  2. Click on the drop-down and select Last hour of data.
  3. Then click on +ADD FILTER link to add an additional search criteria.

 

 

Create Query

 

In the previous lesson, we powered on the core-01a virtual machine and then rebooted it. Now we will do a search for the log that reflects the reboot of the virtual machine. To do the search for the reboot task we accomplished:

  1. In the drop-down that currently shows does not contain, change it to contains.
  2. Then type core-01a into the text field to the right of the drop-down you just changed.
  3. Click the Magnifying glass button to search for the criteria that we have entered.
  4. We now see the logs which reflect the reboot of the core-01a virtual machine that we performed earlier.

Note: vRealize Log Insight provides suggested queries and phrases based on indexed log files when typing for each input.  
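The query built in the steps above, re-implemented in plain Python as an added example so the filter semantics are visible: a free-text keyword (reboot), an extra field filter (contains or does not contain core-01a) and a relative time window. This is not vRealize Log Insight code. The syslog-style lines, the process names and the fixed NOW timestamp are constructed for the example, and whole-word matching is an approximation of Log Insight's keyword search, not its tokenizer.

```python
"""Plain-Python model of an Interactive Analytics query: keyword + filters + time window.
Added example; not vRealize Log Insight code.  All log lines below are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample stream in a generic "timestamp host process[pid]: message" layout.
SAMPLE_LOGS = """\
2019-03-05T10:02:11Z vcsa-01a.corp.local vpxd[1234]: Task: Reconfigure virtual machine core-01a (memory 256 -> 128)
2019-03-05T10:05:43Z esx-02a.corp.local vmx[5678]: core-01a: Guest OS reboot requested by Administrator
2019-03-05T10:05:44Z esx-02a.corp.local vmx[5678]: core-01a: Guest OS rebooting
2019-03-05T10:06:02Z esx-02a.corp.local sshd[9012]: Accepted publickey for root from 192.168.110.10
2019-03-05T10:07:15Z esx-02a.corp.local vmx[7777]: core-02a: Guest OS reboot requested by Administrator
2019-03-05T08:30:00Z esx-02a.corp.local vmx[5678]: core-01a: Guest OS reboot requested by Administrator
"""

# timestamp, host, process (optional [pid]), then the free-text message
LINE_RE = re.compile(r"^(\S+) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")

# Fixed "now" so the example is reproducible; a real search would use the current time.
NOW = datetime(2019, 3, 5, 10, 10, tzinfo=timezone.utc)


def parse_line(line):
    """Split one syslog-style line into a record; returns None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, msg = m.groups()
    return {"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "proc": proc, "text": msg}


def parse_logs(raw):
    """Parse a whole text blob, silently skipping unparseable lines."""
    return [r for r in (parse_line(l) for l in raw.splitlines()) if r]


def keyword_match(text, keyword):
    """Case-insensitive whole-word match: 'reboot' hits 'reboot', not 'rebooting'."""
    return re.search(r"\b" + re.escape(keyword) + r"\b", text, re.IGNORECASE) is not None


def apply_filter(record, op, value):
    """The two operators used in the lesson: 'contains' and 'does not contain'."""
    present = value.lower() in record["text"].lower()
    if op == "contains":
        return present
    if op == "does not contain":
        return not present
    raise ValueError(f"unknown filter operator: {op}")


def search(records, keywords=(), filters=(), window=timedelta(hours=1), now=NOW):
    """Return records inside [now - window, now] matching every keyword and every filter."""
    start = now - window
    hits = []
    for r in records:
        if not (start <= r["time"] <= now):
            continue
        if not all(keyword_match(r["text"], k) for k in keywords):
            continue
        if not all(apply_filter(r, op, v) for op, v in filters):
            continue
        hits.append(r)
    return hits


def reboot_query():
    """The exact query from the lesson: keyword 'reboot', filter 'contains core-01a', last hour."""
    return search(parse_logs(SAMPLE_LOGS), keywords=["reboot"],
                  filters=[("contains", "core-01a")])


if __name__ == "__main__":
    for r in reboot_query():
        print(r["time"].isoformat(), r["host"], r["proc"], r["text"])
```

Widening the window (for example to three hours) brings in the older reboot of core-01a, which is the same effect as choosing a longer increment in the Time drop-down when the event happened more than an hour ago.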

 

 

Create Dashboard Based On Query

 

A very useful feature within vRealize Log Insight is the ability to create dashboards from queries we perform. So if an administrator has a query that they run on a daily basis, they can create a dashboard from a specific query. That enables the user to just review the dashboard without the need to run the query each time.

To create our own dashboard from the query we just ran for the reboot, perform the following tasks:

  1. Click the "Add current query to dashboard" button to save the query we just completed.

 

 

Create Dashboard

 

  1. Type Reboot Dashboard in the Name text field.

 

 

Save Dashboard

 

  1. Type My Dashboard in the Name text field.
  2. Click on the SAVE button.

 

 

Save Dashboard

 

  1. Now click on the ADD button.

NOTE: Feel free to take a look at the Dashboard and Widget drop-down menu options to see what the different options are.

 

 

Dashboards Tab

 

Now we will return to the Dashboards tab to go and look at the Reboot Dashboard that we just created.

  1. Click the Dashboards tab at the top of the screen.

 

 

My Dashboards

 

vRealize Log Insight users have the ability to create custom dashboards and queries for a variety of items based on their needs. The out of the box content packs provide an idea of some common scenarios, but think about what other dashboards might be important to you.

  1. Expand My Dashboards until you see My Dashboard, then click on it.
  2. Then select the time drop-down menu and select Latest hour of data.
  3. We now see the reboot(s) that we had previously accomplished in the lab.

NOTE: If it has been longer than an hour since you rebooted the core-01a virtual machine previously, you will need to adjust the time drop-down to cover a longer period of time.

NOTE: The Reboot Dashboard widget may look a little different in the lab environment than what we see in the screenshot. The important part is that we see the reboot events that we performed earlier in the lab.

 

 

Create Audit Query & Dashboard - Complete

In this lesson on how to Create Audit Query & Dashboard, we did a query to look for a reboot action completed by the Administrator account. We then saw the entries for the reboot action. Then we saved that query as a dashboard widget on our My Dashboards dashboard, went to My Dashboards, and looked at the newly created widget. vRealize Log Insight makes searching through logs easy; it is like having a Google search engine for the unstructured logs that vRealize Log Insight has ingested.

 

Security Operations Center (SOC) Content Pack


In this lesson, we will walk through a vRealize Log Insight Content Pack that one of VMware's own engineers created and that has been certified by VMware to be used in vRealize Log Insight. This content pack is all about providing useful day-to-day operational security awareness for virtual administrators. This is just one example of the many content packs for vRealize Log Insight that are available in the VMware Solutions Exchange (https://marketplace.vmware.com).

The Security Operations Center (SOC) content pack provides event notifications related to numerous security events such as:

We will change some configurations of hosts and virtual machines in order to cause events and see them in their related dashboards. Some of these changes may not show up in the associated widgets in the SOC content pack since it has not been updated yet for vSphere 6.7. However, you will see the number of activities increase as you make changes.


 

Content Packs

 

We now want to go to where we can install a content pack into vRealize Log Insight.

  1. Click on the icon with the three lines in the upper right-hand corner of the vRealize Log Insight user interface.
  2. Then select Content Packs from the drop-down menu.

 

 

Import Content Pack

 

  1. Click on the + IMPORT CONTENT PACK link in the upper left-hand corner of the navigation pane.

 

 

Browse For File

 

  1. Click on the BROWSE button in the Import Content Pack pop-up window.

 

 

Security Operations v1.0-RC7.vlcp

 

We have provided the Security Operations v1.0-RC7.vlcp file on the drive of the Control virtual machine we are working off of. To install this management pack, perform the following tasks:

  1. Browse to the following path:  "C:\LabFiles\HOL-1911\"
  2. Select the Security Operations v1.0-RC7.vlcp file.
  3. Then click on the Open button.

 

 

Install as content pack

 

  1. Click on the IMPORT button.

 

 

Security Operations Setup Instructions

 

  1. Click on the OK button on the pop-up window to complete the import of the content pack.

 

 

Security Operations Content Pack

 

After clicking the OK button, it brings you directly into the Security Operations content pack dashboard.

  1. In the content pane, we see the details related to this content pack such as the different widgets and widget types that have been automatically installed as a part of this content pack.
  2. Use the Scroll bar to scroll down the page so we can see all of the associated content pack information.

 

 

SOC Content Pack Installed

 

We see that the SOC content pack was installed successfully. Feel free to click on the different tabs (Dashboards, Queries, Alerts, Agent Groups, and Extracted Fields) to see what's in them.

NOTE: In order to see all of the widgets in the content pane, we will need to scroll down the page or potentially to the right to see all content.

 

 

Security Operations Dashboards

 

  1. Click on the Dashboards tab at the top of the user interface.
  2. Then click on the arrow next to Security Operations under Content Pack Dashboards to expand the list of dashboards for the content pack. By default, it opens up to the Activity dashboard.

NOTE: In order to see all of the widgets in the content pane, we will need to scroll down the page or potentially to the right to see all content.

 

 

Other Widgets

 

  1. Go through each one of the below preconfigured dashboards under Security Operations to get an idea of what each of the associated dashboards show. Shortly, we will perform actions in order to log events so we can see them in the Security Operations dashboards.
    • Activity
    • Login/Logout & API Invocations
    • Firewall Events
    • ESXi Configuration Changes
    • VM Configuration Changes
    • VMRC/MKS Events
    • Datastore Browser Events
    • Permission Changes
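To make concrete what the dashboards listed above do with a stream of audit events, here is an added example in Python (not the content pack's own logic) that sorts event records into those dashboard categories and summarises them the way the widgets do, including a simple repeated-failed-login check. The event records are constructed; their type names are modelled on vCenter event types and ESXi audit identifiers and should be treated as assumptions, not as the exact set the content pack matches on.

```python
"""Sort constructed audit events into Security Operations dashboard categories.
Added example; not code from the content pack.  Type names and records are assumed."""
from collections import Counter

# Event type -> dashboard category.  Assumed mapping for this example only.
CATEGORY_OF = {
    "UserLoginSessionEvent": "Login/Logout & API Invocations",
    "UserLogoutSessionEvent": "Login/Logout & API Invocations",
    "BadUsernameSessionEvent": "Login/Logout & API Invocations",
    "esx.audit.net.firewall.config.changed": "Firewall Events",
    "esx.audit.ssh.enabled": "ESXi Configuration Changes",
    "esx.audit.ssh.disabled": "ESXi Configuration Changes",
    "VmReconfiguredEvent": "VM Configuration Changes",
    "VmRemoteConsoleConnectedEvent": "VMRC/MKS Events",
    "PermissionAddedEvent": "Permission Changes",
    "PermissionUpdatedEvent": "Permission Changes",
    "PermissionRemovedEvent": "Permission Changes",
}

ADMIN = "administrator@vsphere.local"
SRC = "192.168.110.10"  # constructed source address of the lab console


def event(ts, etype, user, target, source):
    """One constructed event record: ISO timestamp, type, actor, object, source IP."""
    return {"time": ts, "type": etype, "user": user, "target": target, "source": source}


# Constructed stream mirroring the actions performed in this lesson.
SAMPLE_EVENTS = [
    event("2019-03-05T10:00:01Z", "UserLoginSessionEvent", "root", "vcsa-01a.corp.local", SRC),
    event("2019-03-05T10:00:40Z", "UserLogoutSessionEvent", "root", "vcsa-01a.corp.local", SRC),
    event("2019-03-05T10:01:05Z", "BadUsernameSessionEvent", "admin", "vcsa-01a.corp.local", SRC),
    event("2019-03-05T10:01:20Z", "BadUsernameSessionEvent", "admin", "vcsa-01a.corp.local", SRC),
    event("2019-03-05T10:03:10Z", "esx.audit.ssh.enabled", ADMIN, "esx-01a.corp.local", SRC),
    event("2019-03-05T10:03:11Z", "esx.audit.net.firewall.config.changed", ADMIN, "esx-01a.corp.local", SRC),
    event("2019-03-05T10:05:00Z", "VmReconfiguredEvent", ADMIN, "core-01a", SRC),
    event("2019-03-05T10:06:30Z", "VmReconfiguredEvent", ADMIN, "core-01a", SRC),
    event("2019-03-05T10:07:00Z", "VmPoweredOnEvent", ADMIN, "core-01a", SRC),
    event("2019-03-05T10:07:45Z", "VmRemoteConsoleConnectedEvent", ADMIN, "core-01a", SRC),
]


def categorize(ev):
    """Dashboard an event lands on; unmapped types only show up on the Activity dashboard."""
    return CATEGORY_OF.get(ev["type"], "Activity only")


def dashboard_counts(events):
    """Events per dashboard, i.e. the number each category widget would display."""
    return Counter(categorize(e) for e in events)


def activity_counts(events):
    """The Activity dashboard: a count of every event type, regardless of category."""
    return Counter(e["type"] for e in events)


def failed_logins_by_user(events):
    """Failed authentication attempts per user name (Login/Logout dashboard data)."""
    return Counter(e["user"] for e in events if e["type"] == "BadUsernameSessionEvent")


def repeated_failed_logins(events, threshold=2):
    """User names with at least `threshold` failed logins: a simple alert condition."""
    return sorted(u for u, n in failed_logins_by_user(events).items() if n >= threshold)


def changes_per_object(events):
    """Configuration changes per host or VM across the three change-related dashboards."""
    change_cats = {"ESXi Configuration Changes", "Firewall Events", "VM Configuration Changes"}
    return Counter(e["target"] for e in events if categorize(e) in change_cats)


if __name__ == "__main__":
    for cat, n in sorted(dashboard_counts(SAMPLE_EVENTS).items()):
        print(f"{cat:35} {n}")
    print("repeated failed logins:", repeated_failed_logins(SAMPLE_EVENTS))
```

Note the behaviour of an unmapped type such as VmPoweredOnEvent: it still raises the Activity count but appears on no category dashboard, which is the same effect the lab notes describe for events the content pack has not yet been updated to recognise.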

 

 

Google Chrome - New Tab

 

  1. In the Google Chrome browser, click on the New Tab icon.

 

 

vCenter Server Appliance Login

 

We now will log in and out of the vcsa-01a vCenter Server Appliance admin portal in order to create log files that we can view in the dashboards of the management pack.

  1. Click on the HOL Admin folder in the Bookmark Toolbar.
  2. Then click on vcsa-01a Mgmt from the drop-down menu.

 

 

Log Into vCenter Server Appliance

 

  1. Type root into the Username text field.
  2. Type VMware1! into the Password text field.
  3. Click on the Login button to log into the vCenter Server Appliance.

 

 

Log Off the vCenter Server Appliance

 

  1. Click on the Logout link in the upper right-hand corner of the content pane.

 

 

Log Into vCenter Server Appliance

 

Now we will log in again, but with the incorrect credentials intentionally.

  1. Type admin into the Username text field.
  2. Type VMware1! into the Password text field.
  3. Click on the Login button to log into the vCenter Server Appliance.

NOTE: As expected, we get a "Unable to authenticate user" error message in red.

 

 

Close vCenter Server Appliance Tab

 

  1. Click on the "X" on the VMware Appliance Management tab to close it since we no longer need it open.

 

 

vCenter Server Tab

 

  1. Click on the vCenter server Google Chrome tab so we can return to vCenter and perform some additional actions.

 

 

esx-01a.corp.local - Edit Settings

 

Now let's change some settings on an ESXi host.

  1. Click on the esx-01a.corp.local ESXi host.
  2. Click on the Configure tab in the Content pane.
  3. Use the scroll bar to scroll down until you see Firewall under the System heading.
  4. Then click on Firewall under the System heading.

 

 

esx-01a.corp.local - Firewall

 

  1. Click on the EDIT button.  

 

 

esx-01a.corp.local - Firewall

 

  1. Click on the SSH Client check box to ENABLE it.
  2. Use the scroll bar to scroll down until you see SNMP server.
  3. Click on the SNMP Server check box to DISABLE it.  
  4. Then click on the OK button.

 

 

Virtual Machine Configuration Changes

 

Now let's change the Memory and Hard Disk size of a virtual machine in order to see these virtual machine modifications in a dashboard.

  1. Right-click on the core-01a virtual machine.
  2. Click on Edit Settings from the drop-down menu.

 

 

Edit VM Settings

 

  1. Change the Memory size from 256 to 128.
  2. Change the Hard Disk size from 100 to 101.
  3. Then click on the OK button.

 

 

Virtual Machine Configuration Changes

 

  1. Right-click on the core-01a virtual machine.
  2. Click on Edit Settings from the drop-down menu.

 

 

Edit VM Settings

 

Now let's change the Memory of the virtual machine back to what it originally was.

  1. Change the Memory size back to 256.
  2. Then click on the OK button.

 

 

core-01a - Power On

 

We will now turn on the virtual machine and launch the web console.

  1. Right-click on core-01a virtual machine.
  2. Click on Power from the drop-down menu.
  3. Then click on the Power On from the Power drop-down menu.

NOTE: Give the virtual machine a minute to boot up.

 

 

Launch Web Console

 

One of the new dashboards monitors the launching of a virtual machine web console, so we are going to do that with one of the virtual machines.

  1. Click on the Launch Web Console link.

 

 

Close Google Chrome Tab

 

  1. Click on the "X" for the core-01a tab to close it.

 

 

Return to vRealize Log Insight

 

  1. To return to vRealize Log Insight, click on the Google Chrome tab for it.

 

 

Activity Dashboard

 

  1. Click on Activity in the left Navigation Pane to see all event types.
  2. Click on the Refresh icon next to the time drop-down menu.
  3. We should see the number of events has increased because of performing the previous actions in this lesson.  

NOTE: The information and events in the screenshot will most likely look different from what is currently in the lab environment. We should see the two events.

NOTE:  Some of these changes may not show up in the associated widgets in the SOC content pack since it has not been updated yet for vSphere 6.7. However, you will see the number of activities increase as you make changes.

 

 

Login/Logout & API Invocations Dashboard

 

  1. Click on the Login/Logout & API Invocations link in the left Navigation Pane to see the associated events.
  2. We see a few events from logging into the vCenter server Admin portal both times.

NOTE: The information and events in the screenshot will most likely look different from what is currently in the lab environment. We should see the two events.

NOTE:  Some of these changes may not show up in the associated widgets in the SOC content pack since it has not been updated yet for vSphere 6.7. However, you will see the number of activities increase as you make changes.

 

 

SOC Management Pack - ESXi Config Changes

 

In order to see the event where we turned on the ESXi Shell service, perform the following tasks:

  1. Click on the ESXi Config Changes link in the left Navigation Pane.
  2. We see that there are now events listed from when we modified the settings and turned on the ESXi Shell service. The events will look different in the screen shot compared to the lab environment as far as their colored bars and where they are located in the time-line.

NOTE: The information and events in the screenshot will most likely look different from what is currently in the lab environment. We should see the two events.

NOTE:  Some of these changes may not show up in the associated widgets in the SOC content pack since it has not been updated yet for vSphere 6.7. However, you will see the number of activities increase as you make changes.

 

 

SOC Management Pack - VMRC/MKS Events

 

We should now be able to see the VMRC/MKS Events by performing the following tasks:

  1. Click on VMRC/MKS Events in the left navigation pane under Security Operations.
  2. We now see that there are a few events from opening the console of a virtual machine.

NOTE: The information and events in the screenshot will most likely look different from what is currently in the lab environment. We should see the two events.

NOTE:  Some of these changes may not show up in the associated widgets in the SOC content pack since it has not been updated yet for vSphere 6.7. However, you will see the number of activities increase as you make changes.

 

 

Close vRealize Log Insight Tab

 

  1. Click on the "X" on the vRealize Log Insight tab to close it out since we no longer need it open.

 

 

Security Operations Center (SOC) Content Pack - Complete

That completes this lesson on the vRealize Log Insight Security Operations Center (SOC) Content Pack. We walked through the process of installing a content pack into vRealize Log Insight and then looked at the pre-configured dashboards that this content pack provides related to security events. We then made configuration changes to a virtual machine and host in order to see some of these triggered security events in the dashboards.

 

Conclusion


Congratulations on completing Module 2!

Leveraging vRealize Log Insight to audit users and see who did what is a valuable solution for security administrators analyzing security incidents in the Software Defined Data Center. In this module we took some time to look at the logging features in vSphere 6.7 as well as the Linux Content Pack. We were able to build out a helpful query to understand who exactly rebooted a machine.

Proceed to the next module (Module 3: VM Encryption and Encrypted vMotion), or feel free to skip to any other module below which interests you most.


 

vSphere & vCenter Server Enhanced Log Resources:

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources from within the lab environment. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided. Also keep in mind that some of these links could be deprecated in the future and no longer available due to new version releases.

 

 

OPTIONAL: How to End the Lab

 

NOTE: Understand that when you click the END button in the lab, it will close out the lab and delete the associated virtual machines. This means when the lab is re-launched, it will create a new lab instance with new virtual machines, not the ones used previously. Any and all previous settings will be lost and they will be back to the default settings from when the lab is first deployed.

You can now continue on to the next module by clicking forward, or use the Table of Contents to skip to another desired Module.

If you'd like to end your lab, click on the END button.

Note: If you end your lab, you will need to re-register for the lab in order to take any other modules.

 

Module 3 - VM Encryption and Encrypted vMotion (60 minutes)

Introduction


This module (Module 3 - VM Encryption and Encrypted vMotion) shows us the vSphere 6.7 security feature of encrypting virtual machines. Encryption in vSphere 6.7 is implemented via Storage Policies. Applying an encryption storage policy to an existing powered-off virtual machine will encrypt its disks. This has become a highly requested feature for businesses that need this level of security to meet today's security requirements.

The key differentiators between this solution and others are that encryption is done below the virtual machine, is virtual machine agnostic and policy based, and, most of all, is easy to incorporate into your management workflows. The PowerCLI examples that follow will drive that home.

In this module, we have already deployed the (2) HyTrust KMS servers required to take advantage of encrypting Virtual Machines.

In this module, we will perform the following actions:

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.


 

Key Features

Below are the key features of vSphere virtual machine encryption:

 

 

Encrypting a Virtual Machine

 

Encryption is managed via Storage Policies; this is an overview of the steps involved:

  1. Register a virtual machine on a host and configure the (new or existing) virtual machine with an Encryption Enabled storage policy and a Key Management Interoperability Protocol (KMIP) server.
  2. vCenter gets a key from the KMIP server; that key is used to encrypt the virtual machine files and the virtual machine disks.
  3. vCenter Server loads the key into the ESXi hosts. All hosts that don’t have the key will get the key to support Distributed Resource Scheduler (DRS) / High Availability (HA).
  4. Once the key is loaded into the KeyCache on the ESXi host, encryption and decryption of the disk happen at the IO Filter level (introduced in 6.0 U1).

 

 

Encrypted vMotion

 

In this lesson, we will show you the steps for doing an encrypted vMotion of a virtual machine. You can encrypt the vMotion of any virtual machine, encrypted or not. Encrypted virtual machines will always use encrypted vMotion. The point to make is that if we are running a mixed cluster and we have a requirement for encrypted vMotion, then setting Encrypted vMotion to "Required" will not let you vMotion to a host that doesn't support it, such as a vSphere 6.0 host.

With the rise in popularity of Hybrid Cloud Computing, where VM sensitive data leaves the traditional IT environment and traverses over the public networks, IT administrators and architects need a simple and secure way to protect critical virtual machine data that traverses across clouds and over long distances. The Encrypted vMotion feature available in VMware vSphere 6.7 addresses this challenge by introducing a software approach that provides end-to-end encryption for vMotion network traffic. The feature encrypts all the vMotion data inside the vmkernel by using the most widely used AES-GCM encryption standards, and thereby provides data confidentiality, integrity, and authenticity even if vMotion traffic traverses untrusted network links.

A new white paper, “VMware vSphere 6.5 Encrypted vMotion Architecture, Performance and Best Practices”, is now available. In that paper, we describe the vSphere 6.7 Encrypted vMotion architecture and provide a comprehensive look at the performance of live migrating virtual machines running typical Tier 1 applications using vSphere 6.7 Encrypted vMotion. Tests measure characteristics such as total migration time and application performance during live migration. In addition, we examine vSphere 6.7 Encrypted vMotion performance over a high-latency network, such as that in a long distance network. Finally, we describe several best practices to follow when using vSphere 6.7 Encrypted vMotion.

 

 

Encryption With PowerCLI

VMware announced that our virtual machine encryption engineering team has released a PowerCLI module for virtual machine Encryption! In case you weren’t aware, there’s a Github repository of VMware PowerShell modules. Check them out!

Included in there is the new PowerCLI module for virtual machine encryption. It’s chock full of lots of great cmdlets and new VI Properties that make your day to day management of vSphere 6.7 VM Encryption easier to automate. The goal here is to help you operationalize security as easily as possible. If you can’t make security easy to incorporate into your day to day operations then people will find a way to not do it.

Encrypting a virtual machine should not mean having to manage an encryption solution IN the virtual machine. It should be as simple as “Get-VM” and piping that to “Enable-VMEncryption”, right? Well, with VM Encryption it IS! We will take a look at some of the PowerCLI commands to use for encrypting virtual machines in this lab.

Performing encryption tasks is a more advanced topic, which we will cover in more detail in Module 7: PowerCLI for VM Encryption.

 

 

vSphere 6.7 Encryption Gotchas!

Limitations:

Consider the following caveats when you plan your virtual machine encryption strategy.

Virtual Machine Locked State:

Virtual Machine Encryption Caveats: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-AE7BECB0-1BBC-4123-AAA9-A07EB8D458DF.html

 

 

Some KMIP 1.1 Compatible Key Managers

 

 

 

Configure HyTrust KMS Server in vCenter Server


In this lesson, we will add (2) HyTrust KMS servers, which allow us to encrypt virtual machines as well as use encrypted vMotion. Without a trust established between the vCenter server and a KMS server, we would not be able to take advantage of the new vSphere 6.7 encryption capabilities.


 

Launch Google Chrome

 

If Google Chrome is not already open, perform the following step, otherwise skip this step:

  1. Click the Google Chrome icon on the Quick Launch bar.

 

 

RegionA

 

If you are opening a new Google Chrome browser window, perform the steps below; otherwise, you can skip them:

  1. Click on the RegionA folder in the Bookmark Toolbar.
  2. Then click on RegionA vSphere Client (HTML).

 

 

Log into RegionA vCenter Server

 

If already logged into the RegionA vCenter server, you can skip the below steps. If you aren't, complete the following steps:

  1. Type administrator@corp.local in the User name: text field.
  2. Type VMware1! into the Password: text field.
  3. Click on the Login button.

 

 

Menu Drop-down

 

  1. Click on the Menu drop-down icon at the top of the screen.
  2. Then select Global Inventory Lists from the Menu drop-down menu.

 

 

Select vCenter Server

 

  1. Click on vCenter Servers from the Global Inventory List.

 

 

vcsa-01a.corp.local

 

  1. Click on the vcsa-01a.corp.local vCenter Server.

 

 

Add HyTrust Key Manager (KMS) Server

 

In order to use any type of encryption in vSphere, we must first have a Key Management Server (KMS) up and running. Then we have to add at least (1) KMS server to vCenter server and configure the trust relationship between the KMS and vCenter servers. So the first thing we need to do is add a KMS server to vCenter; perform the following tasks to accomplish this:

  1. Click on the Configure tab in the content pane.
  2. Click on Key Management Servers under the More category.
  3. Click ADD in the content pane to add a KMS server.

 

 

vcsa-01a.corp.local - Add KMS

 

  1. Type HOL-KMS-01a in the New cluster name text field.
  2. Type kms-01a in the Server name text field.
  3. Type kms-01a.corp.local in the Server address text field.
  4. Then type 5696 in the Server port text field.
  5. Now click the ADD button.

 

 

kms-01a.corp.local - Trust

 

  1. Click on the TRUST button in the Make vCenter Trust KMS pop-up window.

 

 

Make KMS Trust vCenter

 

We see that the HyTrust KMS server shows an empty Connection State, so at this point we need to finish setting up the trust between the vCenter server and the HyTrust KMS server.

To create the trust relationship between the HyTrust KMS Server and the vCenter server:

  1. Select the radio button next to the kms-01a KMS server name.
  2. Click on the MAKE KMS TRUST VCENTER link.

 

 

KMS Certificate and Private Key

 

  1. Select the radio button next to KMS certificate and private key.
  2. Click on the NEXT button.

 

 

Import KMS Certificate and Private Key

 

  1. Click on the Upload file button at the top half of the pop-up window.

 

 

Select Certificate

 

We have already downloaded this certificate PEM file from the HyTrust KMS server web interface.

  1. Browse to the following path "C:\LabFiles\HOL-1911\KMIPvcsa01a\"
  2. Select the KMIPvcsa01a.pem file.
  3. Click on the Open button.

NOTE:  Be sure that you selected the KMIPvcsa01a.pem file from the KMIPvcsa01a folder and not from the KMIPvcsa01b folder!

 

 

Upload Certificate

 

  1. Click on the Upload file button.

 

 

Select Certificate

 

We have already downloaded this certificate PEM file from the HyTrust KMS server web interface.

  1. Browse to the following path "C:\LabFiles\HOL-1911\KMIPvcsa01a\"
  2. Select the KMIPvcsa01a.pem file.
  3. Click on the Open button.

NOTE:  Be sure that you selected the KMIPvcsa01a.pem file from the KMIPvcsa01a folder and not from the KMIPvcsa01b folder!

 

 

Establish Trust

 

  1. Click on the ESTABLISH TRUST button.

 

 

Confirm Trust and Connection Status

 

To validate a trust relationship has been established between the HyTrust KMS Server and the vCenter server:

  1. Verify that the HyTrust KMS server shows Connected under the Connection State column and Valid under the vCenter Certificate Status column.

 

 

Select vcsa-01b.corp.local

 

Now we will add the kms-01b.corp.local HyTrust KMS server to the vcsa-01b.corp.local vCenter server.

  1. In the left Navigation pane, click on the vcsa-01b.corp.local vCenter server.

 

 

Add HyTrust Key Manager (KMS) Server

 

We will now repeat the same process to add this second HyTrust KMS server, as we did earlier in this lesson.

  1. Click on the Configure tab in the content pane.
  2. Click on Key Management Servers under the More category.
  3. Click ADD in the content pane to add a KMS server.

 

 

vcsa-01b.corp.local - Add KMS

 

  1. Type HOL-KMS-01b in the New cluster name text field.
  2. Type kms-01b in the Server name text field.
  3. Type kms-01b.corp.local in the Server address text field.
  4. Then type 5696 in the Server port text field.
  5. Now click the ADD button.

 

 

kms-01b.corp.local - Trust

 

  1. Click on the TRUST button in the Make vCenter Trust KMS pop-up window.

 

 

Make KMS Trust vCenter

 

We see that the HyTrust KMS server shows an empty Connection State, so at this point we need to finish setting up the trust between the vCenter server and the HyTrust KMS server.

To create the trust relationship between the HyTrust KMS Server and the vCenter server:

  1. Select the radio button next to the kms-01b KMS server name.
  2. Click on the MAKE KMS TRUST VCENTER link.

 

 

KMS Certificate and Private Key

 

  1. Select the radio button next to KMS certificate and private key.
  2. Click on the NEXT button.

 

 

Import KMS Certificate and Private Key

 

  1. Click on the Upload file button at the top half of the pop-up window.

 

 

Select Certificate

 

We have already downloaded this certificate PEM file from the HyTrust KMS server web interface.

  1. Browse to the following path "C:\LabFiles\HOL-1911\KMIPvcsa01b\"
  2. Select the KMIPvcsa01b.pem file.
  3. Click on the Open button.

NOTE:  Be sure that you selected the KMIPvcsa01b.pem file from the KMIPvcsa01b folder and not from the KMIPvcsa01a folder!

 

 

Upload Certificate

 

  1. Click on the Upload file button.

 

 

Select Certificate

 

We have already downloaded this certificate PEM file from the HyTrust KMS server web interface.

  1. Browse to the following path "C:\LabFiles\HOL-1911\KMIPvcsa01b\"
  2. Select the KMIPvcsa01b.pem file.
  3. Click on the Open button.

NOTE:  Be sure that you selected the KMIPvcsa01b.pem file from the KMIPvcsa01b folder and not from the KMIPvcsa01a folder!

 

 

Establish Trust

 

  1. Click on the ESTABLISH TRUST button.

 

 

Confirm Trust and Connection Status

 

To validate a trust relationship has been established between the HyTrust KMS Server and the vCenter server:

  1. Verify that the HyTrust KMS server shows Connected under the Connection State column and Valid under the vCenter Certificate Status column.

 

 

Configure HyTrust KMS Server in vCenter Server - Complete

You have completed the first lesson "Configure HyTrust KMS Server in vCenter Server" in this module!

We have completed this lesson of adding (2) HyTrust KMS servers and creating the associated trusts between each of them and its vCenter server. We also see that the first HyTrust KMS server that is added is always automatically selected as the Default KMS server for the cluster.

 

Encrypt VMs Using HyTrust KMS Server


In this lesson, we will encrypt a virtual machine using a HyTrust KMS server that is already installed. We will use the vSphere Web Client (HTML5) to do the encrypting and decrypting of the virtual machine.


 

Menu Drop-down

 

Let's first look at the Policies and Profiles section of vCenter to see the default VM Encryption Policies:

  1. Click on the Menu icon at the top of the page.
  2. Select Policies and Profiles from the Menu drop-down.

 

 

Default VM Encryption Policies

 

  1. Click on VM Storage Policies from the Navigation pane.
  2. We see that there are already (2) VM Encryption Policies, one on each of the vCenter servers by default.

NOTE: Although VMware creates the default VM Encryption Policies for us, you can also create your own policies if you wish.

 

 

Default Encryption Properties

 

  1. Click on the Storage Policy Components in the Navigation pane.
  2. We see both Default encryption properties components listed, one for each vCenter server.
  3. We also see a description in the bottom of the Content pane.

 

 

Menu Drop-down

 

At this point, let's return to the Hosts and Clusters view so we can start the process of encrypting the core-01a virtual machine:

  1. Click on the Menu icon at the top of the page.
  2. Select Hosts and Clusters from the Menu drop-down.

 

 

Select core-01a

 

We are now going to encrypt the core-01a virtual machine. To do this, perform the following steps:

  1. Right-click on the core-01a virtual machine in the left Navigation Pane.
  2. Click on VM Policies from the drop-down menu.
  3. Then click on Edit VM Storage Policies from the VM Policies drop-down menu.

 

 

core-01a - Edit VM Storage Policies

 

Here we see there are a few default policies that VMware has created already, but we will be selecting the VM Encryption Policy specifically by doing the following:

  1. Click on the arrow in the VM storage policy drop-down menu and select VM Encryption Policy.
  2. Then click on the Configure per disk slider to enable it.

NOTE: In this lab exercise, we are encrypting all the components of the virtual machine. But as we can see, we have the option to select to encrypt just the VM Home folder or the Hard disk 1. In order to encrypt just one item, you must click on the slider in the upper right-hand corner of the window to allow you to select an individual item.

 

 

core-01a - Configure Per Disk

 

We see that once we enabled the Configure per disk option, the VM Home folder and Hard disk 1 are no longer grayed out and we can manage policies individually.

  1. Temporarily click on the drop-down for Hard disk 1 and select VM Encryption Policy. We now see how to individually assign policies to both components of the virtual machine. After reviewing the options, return it to the Datastore Default option.

NOTE: In this lab exercise, we are encrypting all the components of the virtual machine. But as we can see, we have the option to select to encrypt just the VM Home folder or the Hard disk 1.

 

 

core-01a - Edit VM Storage Policies

 

  1. Click on the slider to turn off Configure per disk
  2. Click on the arrow in the VM storage policy drop-down menu and select VM Encryption Policy if it isn't already selected.
  3. Then click on the OK button.

 

 

core-01a - Verify VM Storage Policy Compliance

 

While still having core-01a selected in the Navigation pane, perform the following steps:

  1. In the content pane for core-01a, use the scroll bar to get to the bottom of the page until you see the VM Storage Policies widget.
  2. If need be, click on the arrow in the upper right-hand corner of the VM Storage Policies widget to open it up.
  3. We should now see that the VM Encryption Policy has been assigned to the virtual machine and is also compliant which is represented by a green check mark.

 

 

core-01a - Not Compliant (if needed)

 

If for any reason the VM Storage Policy widget has no information in it after a minute or two or says that it is not compliant, perform the following step:

  1. Click on the Check Compliance link to update the compliance information.

NOTE: After clicking on the Check Compliance link, it should update the information in less than a minute and show compliant. If the status doesn't change, try refreshing the web browser window. After that, if it still hasn't updated to reflect correctly, raise your hand for assistance either in the Hands On Lab interface or physically raise your hand to get a proctor's attention.

 

 

Select core-01a

 

We are now going to decrypt the core-01a virtual machine. To do this, perform the following steps:

  1. Right-click on the core-01a virtual machine in the left Navigation Pane.
  2. Click on VM Policies
  3. Select Edit VM Storage Policies

 

 

core-01a - Edit VM Storage Policies

 

  1. Click on the arrow in the VM storage policy drop-down menu and select Datastore Default.
  2. Then click on the OK button.

 

 

core-01a - Verify VM Decrypted

 

  1. Click on the Check Compliance link to update the compliance information.
  2. We should now see that the VM Encryption Policy is no longer listed.

NOTE: After clicking on the Check Compliance link, it should update the information in less than a few minutes and show the VM Storage Policy widget empty. If the status doesn't change, REFRESH the web browser window and recheck the VM Storage Policies widget. If it is still showing an encryption policy, raise your hand for assistance either in the Hands On Lab interface or physically raise your hand to get a proctor's attention.

 

 

Encrypt VM Using HyTrust KMS Server - Complete

In this lesson, we applied the VM Encryption Policy to the core-01a virtual machine using the vSphere Web Client. After we applied the policy, it showed that the virtual machine was compliant with the VM Encryption Policy. Then we went through the same steps to remove the encryption policy from the core-01a virtual machine. Once we completed that task, we could see the VM Storage Policy widget went back to a blank widget. This was the expected behavior and means we successfully removed the encryption on the virtual machine's files.

Using the vSphere Web Client is not the only method of encrypting or decrypting a virtual machine. We can also use PowerCLI commands to perform the same actions on a single virtual machine or on numerous virtual machines at once, in a more efficient manner. If changing the encryption status of a large number of virtual machines at once, the best practice would be to use the PowerCLI commands to do so.

In an upcoming lesson, we will discuss the use of PowerCLI for the various encryption related tasks in more detail. Also, later in this module, we will actually encrypt and decrypt virtual machines using the PowerCLI commands.

 

Set VM to Encrypted vMotion Mode


In this lesson, we will walk through the steps to set up a virtual machine to use Encrypted vMotion Mode. We will show the process of configuring it from within the vSphere Web Client. However, we will NOT actually be performing a vMotion action in the lab environment due to resource limitations. Not to mention, we can't actually "see" that the virtual machine does a vMotion action and is encrypted.


 

core-01a - Edit Settings

 

  1. Right-click on the virtual machine named core-01a.
  2. Select Edit Settings from the drop-down menu.

NOTE: The list of virtual machines may be slightly different in the lab environment from what is in the screen capture.

 

 

core-01a - VM Options

 

In the following lab steps, we will go through the steps of setting up Encrypted vMotion, but we won't actually go through with completing the steps since we can't actually see that a vMotion action is encrypted. Not to mention, this helps reduce the amount of required resources in the labs.

  1. Click on the VM Options tab in the pop-up window.
  2. Click on the arrow next to Encryption to expand it and show the Encrypt VM and Encrypted vMotion settings.
  3. We see that we can select either None or VM Encryption Policy here, which shows us another way to set the encryption on a virtual machine other than in the Policies and Profiles section.

 

 

core-01a - Encrypted vMotion

 

As a side note, if the virtual machine settings are already set to encrypted, then it will automatically use encrypted vMotion. But we see that we have (3) options for Encrypted vMotion.

  1. Since the VM was previously encrypted, the Encrypted vMotion setting is already set to Required but can be changed.
  2. Click on the CANCEL button, since we don't need to actually make the changes as we won't be doing an actual vMotion action.

 

 

core-01a - Migrate

 

In the next few steps, we won't actually complete the vMotion action since we can't actually see that a vMotion action is encrypted. Not to mention, this helps reduce the amount of required resources in the lab environment.

  1. Right-click on the virtual machine named core-01a.
  2. Select Migrate from the drop-down menu.

 

 

core-01a - Select a Migration Type

 

  1. Keep the default setting Change compute resource only radio button, then click on the NEXT button.

 

 

core-01a - Select a compute resource

 

Currently, the core-01a virtual machine should be on esx-02a.corp.local, so we would migrate it to esx-01a.corp.local.

  1. Select the esx-01a.corp.local host to migrate to.
  2. Verify it says Compatibility checks succeeded under Compatibility.
  3. Then click on the Next button.

 

 

core-01a - Select Networks

 

  1. Verify it says Compatibility checks succeeded under Compatibility.
  2. Keep the default network selected and click on the Next button.

 

 

core-01a - Ready to Complete

 

NOTE: We are not actually performing the vMotion action for the following reasons:

To finish the last step:

  1. We would then review the information to ensure all of the selections we made are correct.
  2. Since this is a lab environment, select the CANCEL button so we don't initiate the vMotion task. Normally we would select the Finish button in a true production environment.  

 

 

Set VM to Encrypted vMotion Mode - Complete

That completes this lesson on setting virtual machines to enable encrypted vMotion. We learned that no matter if a virtual machine is already encrypted or not, its vMotion traffic can be encrypted on the source host and then decrypted on the destination host. We also learned that Encrypted vMotion requires no additional settings when the virtual machine is already encrypted. However, when the virtual machine is not encrypted already, we can manually select to encrypt it just to perform a vMotion from one host to another if we wish.
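As an added example that is not part of the lab manual, the same Encrypted vMotion setting can be read and changed from PowerCLI, which lets you audit many virtual machines at once rather than opening Edit Settings on each. It uses the vSphere API's migrateEncryption property (VirtualMachineConfigInfo / VirtualMachineConfigSpec) through PowerCLI's ExtensionData view objects; the vCenter and VM names are the lab's, while the credential prompt and the warnings are this example's own assumptions.

```powershell
# Added example (not from the lab manual): audit and set the Encrypted vMotion mode
# of VMs from PowerCLI instead of the Edit Settings dialog. It uses the vSphere API's
# migrateEncryption property (VirtualMachineConfigInfo / VirtualMachineConfigSpec)
# through the ExtensionData view objects. vCenter and VM names are the lab's; the
# credential prompt is an assumption.
param(
    [string]   $VIServer = 'vcsa-01a.corp.local',
    [string[]] $VMNames  = @('core-01a'),
    [ValidateSet('disabled', 'opportunistic', 'required')]
    [string]   $Mode     = 'required'    # the three values the VM Options tab offers
)

function Get-EncryptedVMotionMode {
    # Reports the current Encrypted vMotion setting for each VM passed in.
    param($VM)
    foreach ($v in $VM) {
        [pscustomobject]@{
            VM               = $v.Name
            EncryptedVMotion = $v.ExtensionData.Config.MigrateEncryption
            # Config.KeyId is populated only for an encrypted VM.
            VMEncrypted      = [bool]$v.ExtensionData.Config.KeyId
        }
    }
}

function Set-EncryptedVMotionMode {
    # Reconfigures each VM to the requested mode, with the guards the lesson describes.
    param($VM, [string]$Mode)
    foreach ($v in $VM) {
        $cfg = $v.ExtensionData.Config
        if ($cfg.MigrateEncryption -eq $Mode) {
            Write-Host "$($v.Name): already set to $Mode"
            continue
        }
        # An encrypted VM always uses encrypted vMotion, so anything but Required is not meaningful for it.
        if ($cfg.KeyId -and $Mode -ne 'required') {
            Write-Warning "$($v.Name): VM is encrypted; leaving Encrypted vMotion at Required"
            continue
        }
        if ($Mode -eq 'required') {
            # Required blocks vMotion to hosts without encrypted vMotion support (such as vSphere 6.0 hosts).
            Write-Warning "$($v.Name): Required will refuse migration to hosts that do not support encrypted vMotion"
        }
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.MigrateEncryption = $Mode
        $v.ExtensionData.ReconfigVM($spec)          # synchronous form of ReconfigVM_Task
        $v.ExtensionData.UpdateViewData('Config.MigrateEncryption')
        Write-Host "$($v.Name): $($cfg.MigrateEncryption) -> $($v.ExtensionData.Config.MigrateEncryption)"
    }
}

# Prompt for credentials rather than passing the password on the command line.
$cred = Get-Credential -Message "Credentials for $VIServer"
Connect-VIServer -Server $VIServer -Credential $cred -ErrorAction Stop | Out-Null

$vms = Get-VM -Name $VMNames
Write-Host 'Before:'
Get-EncryptedVMotionMode -VM $vms | Format-Table -AutoSize
Set-EncryptedVMotionMode -VM $vms -Mode $Mode
Write-Host 'After:'
Get-EncryptedVMotionMode -VM $vms | Format-Table -AutoSize

Disconnect-VIServer -Server $VIServer -Confirm:$false
```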

 

PowerCLI - Connect to vCenter & Encrypted VM List


In this lesson, we will use PowerCLI to connect to the vCenter server. Then we will run a command to get a list of virtual machines on the vCenter server and whether they are encrypted or not. But first we need to add the VMware Encryption modules in order to get access to the PowerCLI encryption commands. The (2) files VMware.VMEncryption.psd1 and VMware.VMEncryption.psm1 are located on the virtual machine you are working from, in the "C:\LabFiles\HOL-1911\" folder.


 

Launch PowerCLI

 

  1. Double-click on the VMware PowerCLI icon on the desktop to launch PowerCLI.

 

 

PowerCLI - Import-Modules

 

If you had previously imported the VMware.VMEncryption modules you can skip the following steps:

  1. Type the following command into the PowerCLI text window and then hit the Enter key:
Import-Module -Name "C:\Labfiles\HOL-1911\VMware.VMEncryption.psd1"
  2. Type the following command into the PowerCLI text window and then hit the Enter key:
Import-Module -Name "C:\Labfiles\HOL-1911\VMware.VMEncryption.psm1"

 

 

PowerCLI - Connect to vCenter Server

 

We need to now connect to the vcsa-01a.corp.local vCenter server in PowerCLI.

  1. Type the following command into the PowerCLI text window and then hit the Enter key:
Connect-VIServer -server vcsa-01a.corp.local -user administrator@corp.local -password VMware1!
  2. If we successfully connected to the vCenter server, we will see the name of it, the Port, and the associated User account that we connected with.

 

 

PowerCLI - List Encryption Status

 

Just as we checked in the vSphere Web Client whether core-01a was encrypted, we can also check using a PowerCLI command.

  1. To check the encryption status of the virtual machines on the vCenter server, type the following command:
Get-VM | Select Name, Encrypted

We see that none of the virtual machines listed (app-01a, kms-01a, core-01a and template-01a) are currently encrypted, reflected by the False value under the Encrypted column.

NOTE: If after running this command it doesn't provide a TRUE or FALSE status, that means we need to run the two Import-Module commands again. Refer to the steps at the beginning of this lesson for the commands.

NOTE: DO NOT close the PowerCLI window, we will need it open for the next few lessons. Also, if you close the PowerCLI window, you will have to rerun the Import-Module PowerCLI command to import the encryption module again.

 

 

PowerCLI - Connect to vCenter & Encrypted VM List - Complete

In this lesson, we connected to a vCenter server by running the command Connect-VIServer -Server vcenterservername -User username -Password password. Before being able to run any useful commands, you have to connect to a vCenter server first. We also ran the Get-VM | Select Name, Encrypted command, which provided a list of all the virtual machines on the vCenter server we connected to and whether or not they were encrypted, as a true or false status. The true status confirms that a virtual machine is already encrypted.

 

PowerCLI - Encrypt/Decrypt Virtual Machine


In this lesson, we will use PowerCLI to encrypt and decrypt virtual machines. Then we will verify that a virtual machine is actually encrypted afterward by running another PowerCLI command.


 

PowerCLI - Encrypt core-01a

 

  1. Type the following command into the PowerCLI text window and then hit the Enter key to encrypt the core-01a virtual machine:
Get-VM -Name "core-01a" | Enable-VMEncryption
  2. We then see it returns the Task-1723 under Type Value, which we can use as a reference in the Tasks section under the Monitor tab of the vSphere Web Client for the virtual machine.

NOTE: The Task Number will be different in the lab environment than what is in the screen capture. Each time you run the encrypt/decrypt PowerCLI command, it will give you a different Task-#### number.

 

 

vSphere Web Client - core-01a

 

  1. Type the following command into the PowerCLI text window and then hit the Enter key to verify that core-01a now shows as encrypted:
Get-VM | Select Name, Encrypted
  2. We see that the core-01a virtual machine has a status of True, which proves it is encrypted now.

NOTE: The name and order of the virtual machines may be different in the lab environment than in this screen shot based on if you had completed the previous modules in this lab or not.

NOTE: If after running this command it doesn't provide a TRUE or FALSE status, that means we need to run the two Import-Module commands again. Refer to the steps at the beginning of this lesson for the commands.

 

 

vSphere Web Client - Maximize Google Chrome

 

Now we will verify that the core-01a virtual machine is indeed encrypted via the vSphere Web Client this time.

  1. Return to the vSphere Web Client by clicking on the minimized Google Chrome icon in the Task bar to maximize it.  

 

 

vSphere Web Client - core-01a

 

  1. Click on the core-01a virtual machine listed under the vcsa-01a.corp.local vCenter server in the Navigation Pane.

 

 

vSphere Web Client - Verify Compliance

 

While still having core-01a selected in the Navigation pane, perform the following steps:

  1. In the content pane for core-01a, use the scroll bar to get to the bottom of the page until you see the VM Storage Policies widget.
  2. Click on the Check Compliance link.
  3. We should now see that the VM Encryption Policy has been assigned to the virtual machine and is also compliant which is represented by a green check mark.

 

 

Minimize Chrome

 

  1. Click on the Minimize icon to minimize Google Chrome.  

 

 

PowerCLI - Maximize (if needed)

 

If the PowerCLI window is not already maximized, perform the following steps. Otherwise, we can skip the below step.

  1. Return to the PowerCLI by clicking on the minimized PowerCLI icon in the Task bar to maximize it.  

 

 

PowerCLI - Decrypt core-01a

 

  1. Type the following command into the PowerCLI text window and then hit the Enter key to disable encryption on the core-01a virtual machine:
Get-VM -Name core-01a | Disable-VMEncryption
  2. We then see it returns the Task-1724, which we can use as a reference in the Tasks section under the Monitor tab of the vSphere Web Client for the virtual machine.

NOTE: The Task Number will be different in the lab environment than what is in the screen capture. Each time you run the encrypt/decrypt PowerCLI command, it will give you a different Task-#### number.

 

 

PowerCLI - core-01a Encryption Status

 

  1. Type the following command into the PowerCLI text window and then hit the Enter key to verify that the core-01a virtual machine now shows as NOT being encrypted:
Get-VM | Select Name, Encrypted
  2. We see that the status of core-01a reflects False again, proving it is not encrypted any longer.

NOTE: The name and order of the virtual machines may be different in the lab environment than in this screen shot based on if you had completed the previous modules in this lab or not.

 

 

Maximize Google Chrome

 

Now we will verify that the core-01a virtual machine has indeed been decrypted, via the vSphere Web Client this time.

  1. Return to the vSphere Web Client by clicking on the minimized Google Chrome icon in the Task bar to maximize it.  

 

 

vSphere Web Client - core-01a

 

  1. Click on the core-01a virtual machine listed under the vcsa-01a.corp.local vCenter server in the Navigation Pane.

 

 

vSphere Web Client - Verify Compliance

 

While still having core-01a selected in the Navigation pane, perform the following steps:

  1. In the content pane for core-01a, use the scroll bar to get to the bottom of the page until you see the VM Storage Policies widget.
  2. Click on the Check Compliance link in the VM Storage Policies widget.
  3. We should now see that the VM Storage Policies widget is empty, since we decrypted the virtual machine.

 

 

PowerCLI - Encrypt/Decrypt Virtual Machines - Complete

In this lesson, we learned how we can encrypt and decrypt virtual machines using PowerCLI. This is especially useful when wanting to encrypt/decrypt numerous virtual machines at once, because it is an easier and more efficient way of performing the task. We also verified each step by using the PowerCLI command Get-VM | Select Name, Encrypted, which lists all the virtual machines and provides True/False depending on whether they are encrypted or not.
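The following script is an added example, not code from the lab manual or from the VMware.VMEncryption module, that turns the Enable-VMEncryption / Disable-VMEncryption steps of this lesson (and the key flow outlined under Encrypting a Virtual Machine) into a repeatable bulk operation: it skips VMs that are missing, not powered off, or already in the requested state, pipes the rest to the right cmdlet, and polls the module's Encrypted property to confirm the change rather than trusting the returned task reference. The vCenter name, module path and VM name are the lab's values; the credential prompt, the power-state guard and the timeout are this example's assumptions.

```powershell
# Added example (not from the lab manual or the VMware.VMEncryption module):
# encrypt or decrypt a list of VMs with the cmdlets the lab uses, then verify.
# Server, module path and VM name are the lab's values; the credential prompt,
# the power-state guard and the polling timeout are this example's assumptions.
param(
    [string]   $VIServer   = 'vcsa-01a.corp.local',
    [string[]] $VMNames    = @('core-01a'),
    [string]   $ModulePath = 'C:\LabFiles\HOL-1911\VMware.VMEncryption.psd1',
    [switch]   $Decrypt,                 # default action is to encrypt
    [int]      $TimeoutSec = 300         # assumed: maximum wait per VM
)

function Set-VMEncryptionState {
    # Encrypts (or decrypts) one VM and reports what happened as an object.
    param([string]$Name, [bool]$Encrypt, [int]$Timeout)

    $vm = Get-VM -Name $Name -ErrorAction SilentlyContinue
    if (-not $vm) {
        return [pscustomobject]@{ VM = $Name; Result = 'skipped'; Detail = 'VM not found' }
    }
    # Encrypted is the VI property the module adds (what Get-VM | Select Name, Encrypted shows).
    if (([bool]$vm.Encrypted) -eq $Encrypt) {
        return [pscustomobject]@{ VM = $Name; Result = 'skipped'; Detail = 'already in requested state' }
    }
    # The module introduction applies the encryption policy to a powered-off VM, so refuse others.
    if ($vm.PowerState -ne 'PoweredOff') {
        return [pscustomobject]@{ VM = $Name; Result = 'skipped'; Detail = "power state is $($vm.PowerState)" }
    }

    # Both cmdlets return a Task-#### reference that can be found under Monitor > Tasks in the client.
    $task = if ($Encrypt) { $vm | Enable-VMEncryption } else { $vm | Disable-VMEncryption }

    # Poll the Encrypted property (re-reading the VM each time) until it matches or the timeout expires.
    $deadline = (Get-Date).AddSeconds($Timeout)
    do {
        Start-Sleep -Seconds 5
        $current = [bool](Get-VM -Name $Name).Encrypted
    } until (($current -eq $Encrypt) -or ((Get-Date) -gt $deadline))

    $result = if ($current -eq $Encrypt) { 'ok' } else { 'timeout' }
    [pscustomobject]@{ VM = $Name; Result = $result; Detail = $task }
}

# The .psd1 manifest loads the matching .psm1, so a single Import-Module is sufficient.
Import-Module -Name $ModulePath -ErrorAction Stop

# Prompt for credentials rather than passing the password on the command line as the lab does.
$cred = Get-Credential -Message "Credentials for $VIServer"
Connect-VIServer -Server $VIServer -Credential $cred -ErrorAction Stop | Out-Null

$report = foreach ($name in $VMNames) {
    Set-VMEncryptionState -Name $name -Encrypt (-not $Decrypt) -Timeout $TimeoutSec
}
$report | Format-Table -AutoSize

# Final check: the same verification the lab runs after each change.
Get-VM | Select-Object Name, Encrypted | Format-Table -AutoSize

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run it with -Decrypt to reverse the operation for the same list of VMs.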

 

PowerCLI - Show What VMs Encrypted and by Which KMS Server

In this lesson, we will run PowerCLI commands to return the status of encrypted virtual machines, clear the screen, get the default KMS server being used, and list the virtual machines with whether each is encrypted and, if so, by which KMS server.

Minimize Chrome

  1. Click on the Minimize icon to minimize Google Chrome.

Clear The Screen

  1. In the PowerCLI window, clear the screen by typing the following command:
clear

PowerCLI - Encrypt core-01a

  1. Type the following command into the PowerCLI text window and then hit the Enter key to encrypt the core-01a virtual machine:
Get-VM -Name core-01a | Enable-VMEncryption
  2. We then see that it returns Task-1723 under Type/Value, which we can use as a reference in the Tasks section under the Monitor tab of the vSphere Web Client for the virtual machine.

NOTE: The Task Number will be different in the lab environment than what is in the screen capture. Each time you run the encrypt/decrypt PowerCLI command, it will give you a different Task-#### number.

PowerCLI - Get-VM -Name core-01a | Get-VMEncryptionInfo

  1. To get some additional encryption-related information on core-01a, type the following command:
Get-VM -Name core-01a | Get-VMEncryptionInfo
  2. We see that core-01a has the VM Encryption Policy assigned to it, is connected to the KMS server, and which KeyId it is using.

NOTE: In this example, we used "Get-VM core-01a | Get-VMEncryptionInfo" to specifically pull info on core-01a. If you wanted to pull information for all the virtual machines on the vCenter server, then you would just use "Get-VM | Get-VMEncryptionInfo" instead.

PowerCLI - Get-VM | Select Name, KMSServer

  1. To see which KMS server the encrypted virtual machines were encrypted by, type the following command:
Get-VM | Select Name, KMSServer
  2. We then see that core-01a is currently encrypted, so HOL-KMS-01a is listed as its KMS cluster server name.

PowerCLI - Get-DefaultKMSCluster

  1. In order to see which KMS Cluster is the default, type the following command:
VMware.VimAutomation.Storage\Get-KmsCluster
  2. As we see, HOL-KMS-01a is the default KMS cluster, as expected.

NOTE: In previous versions of PowerCLI, we would have used the command Get-DefaultKMSCluster to return this information. However, it has been deprecated.

Close PowerCLI

  1. Click on the "X" to close the PowerCLI application since we are finished with it.

PowerCLI - Show What VMs Encrypted and by Which KMS Server - Complete

In this lesson, we used the command Get-VM | Get-VMEncryptionInfo to give us details on each virtual machine and its encryption-related information. We also used Get-VM | Select Name, KMSServer to list all the virtual machines and, for those that were encrypted, which KMS server they were encrypted by. Then we used the VMware.VimAutomation.Storage\Get-KmsCluster command to tell us which KMS cluster was the default used to encrypt the virtual machines.
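As an added example (not from the lab manual or from PowerCLI itself), the script below takes the same Name/Encrypted/KMSServer data that Get-VM | Select Name, Encrypted, KMSServer returns and flags encrypted virtual machines whose key provider is not the current default KMS cluster. That drift matters operationally: a VM keyed by a KMS that has since been retired cannot fetch its key, so it will not power on or migrate. The function assumes the VMware.VMEncryption module imported earlier in this lab (which supplies the Encrypted and KMSServer properties) and, for the live call in the comment, that the objects from VMware.VimAutomation.Storage\Get-KmsCluster expose a UseAsDefaultKeyProvider property (an assumption). The VM data at the bottom is a constructed sample so the function can be tried without a vCenter connection.

```powershell
# Added example, not from the HOL manual: report encrypted VMs whose KMS differs
# from the default key provider, so a stale KMS is noticed before it bites.

function Get-VMKmsDrift {
    [CmdletBinding()]
    param(
        # Objects carrying Name, Encrypted and KMSServer, i.e. what Get-VM returns
        # once VMware.VMEncryption has added its script properties
        [Parameter(Mandatory, ValueFromPipeline)] $VM,
        # Name that VMware.VimAutomation.Storage\Get-KmsCluster reports as the default
        [Parameter(Mandatory)] [string] $DefaultKmsCluster
    )
    process {
        $status = if (-not $VM.Encrypted)                       { 'NotEncrypted' }
                  elseif ($VM.KMSServer -eq $DefaultKmsCluster) { 'OK' }
                  else                                          { 'KMS-DRIFT' }
        [pscustomobject]@{
            Name       = $VM.Name
            Encrypted  = [bool]$VM.Encrypted
            KMSServer  = $VM.KMSServer
            DefaultKms = $DefaultKmsCluster
            Status     = $status
        }
    }
}

# Constructed sample input (not from the lab); in practice pipe Get-VM into the function.
$sample = @(
    [pscustomobject]@{ Name = 'core-01a'; Encrypted = $true;  KMSServer = 'HOL-KMS-01a' },
    [pscustomobject]@{ Name = 'core-02a'; Encrypted = $true;  KMSServer = 'OLD-KMS'     },
    [pscustomobject]@{ Name = 'win10';    Encrypted = $false; KMSServer = $null         }
)
$sample | Get-VMKmsDrift -DefaultKmsCluster 'HOL-KMS-01a' | Format-Table -AutoSize

# Live use after Connect-VIServer (UseAsDefaultKeyProvider is an assumed property name):
# $default = (VMware.VimAutomation.Storage\Get-KmsCluster |
#             Where-Object { $_.UseAsDefaultKeyProvider }).Name
# Get-VM | Get-VMKmsDrift -DefaultKmsCluster $default | Where-Object Status -eq 'KMS-DRIFT'
```

With the sample data, core-02a is reported as KMS-DRIFT, core-01a as OK, and win10 as NotEncrypted; running the live form on a schedule gives an early warning whenever a VM's key provider and the vCenter default disagree.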

 

PowerCLI - Change The Default KMS Server

In this lesson, we WILL NOT be performing the actual PowerCLI commands to change the default KMS server, due to the way the lab environment is set up. If we had more than one KMS server connected to and trusted by a single vCenter server, then we could run the command successfully. So again, we are showing the command just as a reference and it is not to be performed in the lab environment!

PowerCLI - Get-KmsCluster

In order to see which KMS Cluster is the current default cluster, we would type the following command.

Example:  VMware.VimAutomation.Storage\Get-KmsCluster

Set a New KMS Cluster

In order to set a new default KMS Cluster, we would type the following command.

Example:  Set-DefaultKMSCluster -KMSCluster "New_KMS_Cluster_Name"

PowerCLI - Encrypt VM to New KMS Server

Now that we have switched to a new default KMS server, we want to be sure that we can encrypt a virtual machine with it.

Example:  Get-VM -Name "VM-Name" | Enable-VMEncryption

When we type this, it returns a task number showing that the command ran successfully with no errors. So we know that we were able to encrypt the virtual machine using the new default KMS server.

PowerCLI - Get-KmsCluster

In order to see which KMS Cluster is now the default after changing it, we would rerun the following command:

Example:  VMware.VimAutomation.Storage\Get-KmsCluster

PowerCLI - Change The Default KMS Server - Complete

That completes this module, which covered using PowerCLI to perform various encryption-related tasks on virtual machines. First we ran the VMware.VimAutomation.Storage\Get-KmsCluster command to see which KMS cluster/server was the default. Then we ran the command Set-DefaultKMSCluster -KMSCluster "New_KMS_Cluster_Name" to change the default cluster to HyTrust KMS Cluster 2. We then verified that the default cluster had changed and finally, we encrypted a virtual machine to ensure that we could do so using the new default KMS server.
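The reference procedure above (read the default, set the new default, encrypt a VM, read the default again) can be combined into one script with the checks a practitioner would want around it. This is an added example, not part of the lab manual or of the VMware.VMEncryption module: it assumes that module's Set-DefaultKMSCluster and Enable-VMEncryption cmdlets and its Encrypted/KMSServer VM properties, an existing Connect-VIServer session, a UseAsDefaultKeyProvider property on the objects returned by Get-KmsCluster (an assumption), and a powered-off, not-yet-encrypted test VM. Like the commands above, it is for reference and is not meant to be run in this lab environment, where only one KMS cluster is registered.

```powershell
# Added example, not from the HOL manual: switch the default KMS cluster with
# verification at each step instead of trusting that each cmdlet succeeded.

function Switch-DefaultKmsCluster {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $NewClusterName,
        # A powered-off, unencrypted VM used only to prove the new default is usable
        [Parameter(Mandatory)] [string] $TestVMName,
        [int] $TimeoutSeconds = 300
    )

    # 1. The target must already be registered and trusted by this vCenter;
    #    Set-DefaultKMSCluster cannot create that trust for us.
    $clusters = VMware.VimAutomation.Storage\Get-KmsCluster
    $target   = $clusters | Where-Object { $_.Name -eq $NewClusterName }
    if (-not $target) {
        throw "KMS cluster '$NewClusterName' is not registered with this vCenter. Known: $($clusters.Name -join ', ')"
    }

    # 2. Switch (honours -WhatIf / -Confirm).
    if (-not $PSCmdlet.ShouldProcess($NewClusterName, 'Set as default KMS cluster')) { return }
    Set-DefaultKMSCluster -KMSCluster $NewClusterName

    # 3. Re-read the default rather than assuming the call took effect.
    #    UseAsDefaultKeyProvider is the assumed name of the default flag.
    $current = VMware.VimAutomation.Storage\Get-KmsCluster |
               Where-Object { $_.UseAsDefaultKeyProvider }
    if ($current.Name -ne $NewClusterName) {
        throw "Default KMS cluster is still '$($current.Name)', not '$NewClusterName'"
    }

    # 4. Prove the new default is usable by encrypting a test VM.
    $vm = Get-VM -Name $TestVMName
    if ($vm.PowerState -ne 'PoweredOff') { throw "$TestVMName must be powered off to be encrypted" }
    if ($vm.Encrypted)                   { throw "$TestVMName is already encrypted; pick another test VM" }
    $vm | Enable-VMEncryption | Out-Null      # returns a task reference, so poll for completion

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $vm = Get-VM -Name $TestVMName         # refresh; Encrypted/KMSServer are read from vCenter
    } until ($vm.Encrypted -or (Get-Date) -gt $deadline)

    [pscustomobject]@{
        VM         = $vm.Name
        Encrypted  = [bool]$vm.Encrypted
        KMSServer  = $vm.KMSServer
        DefaultKms = $current.Name
        # True only when the VM was keyed by the cluster we just made the default
        Verified   = [bool]($vm.Encrypted -and $vm.KMSServer -eq $NewClusterName)
    }
}

# Dry run first, then without -WhatIf to actually switch and verify:
# Switch-DefaultKmsCluster -NewClusterName 'New_KMS_Cluster_Name' -TestVMName 'VM-Name' -WhatIf
```

The Verified field is the point of the exercise: a task number only tells you the request was accepted, whereas reading KMSServer back from the refreshed VM object tells you which key provider actually issued the key.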

 

Conclusion

Congratulations on completing Module 3!

In this lab we learned how to add a HyTrust KMS server to the vCenter server to create a trust between them. We then used the vSphere Web Client to review the default VM Encryption Storage Policy. We then performed numerous PowerCLI commands to encrypt/decrypt a virtual machine, learned the commands to change to a new KMS server, and much more!

Proceed to the next module (Module 4 - Secure Boot for Hosts and VMs), or feel free to skip to any other module below which interests you most.


 

VM Encryption Resources:

Below are a few additional resources available to help you get more familiar with the new encryption-related vSphere 6.7 feature sets.

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources from within the lab environment. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided. Also keep in mind that some of these links could be deprecated in the future and no longer available due to new version releases.

OPTIONAL: How to End the Lab

 

NOTE: Understand that when you click the END button in the lab, it will close out the lab and delete the associated virtual machines. This means when the lab is re-launched, it will create a new lab instance with new virtual machines, not the ones used previously. Any and all previous settings will be lost and they will be back to the default settings from when the lab is first deployed.

You can now continue to the next module by clicking forward, or use the Table of Contents to skip to another desired Module.

If you'd like to end your lab, click on the END button.

Note: If you end your lab, you will need to re-register for the lab in order to take any other modules.

 

Module 4 - Secure Boot for Hosts and VMs (30 minutes)

Introduction

In this module (Module 4 - Secure Boot for Hosts and VMs), we will walk through the steps to configure Secure Boot for hosts and virtual machines (VMs). Secure Boot for ESXi hosts was first introduced in vSphere 6.5. We will also configure the newly added vSphere 6.7 security feature that allows us to add a Virtual TPM (vTPM) to a vSphere host. The vTPM does not require, and is not mapped to, a hardware Trusted Platform Module (TPM). It is added simply as a new device, just like adding a new network card. Standard Microsoft drivers are used. Again, there are no changes to the OS and no special software is needed.

We will perform the following steps:


Secure Boot and UEFI Overview

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.

UEFI, or Unified Extensible Firmware Interface, is a replacement for the traditional BIOS firmware that has its roots in the original IBM PC. I would highly recommend reading the Wikipedia overview on UEFI to get a better understanding of all the capabilities it can present. We will focus on how UEFI and Secure Boot relate to ESXi.

In UEFI parlance, Secure Boot is a “protocol” of the UEFI firmware. This capability was designed to ensure that boot loaders are not compromised, by validating their digital signature against a digital certificate in the firmware. A typical compromise on your desktop or laptop would be malware installing a rootkit that modifies the boot loader. The modified boot loader no longer matches its digital signature, so the UEFI firmware check fails and the firmware does not allow booting to continue. UEFI can store whitelisted/valid digital certificates in a signature database (DB). There is also a blacklist of forbidden certificates (DBX), a Key Exchange Keys (KEK) database and a platform key (PK). These form the basis of a root of trust that begins with the firmware installed on your host.

These digital certificates are used by the UEFI firmware to validate the boot loader. Boot loaders are typically cryptographically signed and their digital signature chains to the certificate in the firmware. The default digital certificate in just about every implementation of UEFI firmware is an X.509 Microsoft UEFI Public CA cert. Most UEFI implementations also allow for the installation of additional digital certificates. A typical use for this would be if you were developing a custom boot loader that’s signed against your own certificate. You could install that certificate in the UEFI firmware and UEFI would validate your boot loader against it.

Default certificates are part of the firmware installation from your server vendor, not VMware. When you update your UEFI firmware on your server, the digital certificate(s) are included.

 

 

How ESXi builds Upon UEFI and Secure Boot

With ESXi 6.7, we take this capability of the firmware storing digital certificates and validating the boot loader and we build upon that. ESXi is comprised of a number of components. There is the boot loader, the VM Kernel, Secure Boot Verifier and VIBs, or “vSphere Installation Bundles”. Each of these components is cryptographically signed. Let’s step through each of these.

Boot Loader

As mentioned above, the UEFI firmware itself verifies the boot loader’s digital signature to validate boot loader integrity. Normally, with many operating systems, that’s the limit of what happens, because the threat of rootkits is now mitigated. But not so with ESXi. We go beyond that and ensure that all content shipped is cryptographically signed.

The ESXi boot loader is signed with the Microsoft UEFI Public CA cert. This ensures that standard UEFI Secure Boot firmware can validate the VMware boot loader. The boot loader code also contains a VMware public key. This VMware key is used to validate the VM Kernel and a small subset of the system that includes the Secure Boot Verifier, which is used to validate the VIBs.

VM Kernel

The VM Kernel itself is also cryptographically signed by VMware. The boot loader validates the kernel’s signature using the VMware public key it carries. The first thing the VM Kernel runs is the Secure Boot Verifier.

Secure Boot Verifier

The Secure Boot Verifier validates every cryptographically signed VIB against the VMware public key. The VMware public key is part of the Secure Boot Verifier codebase. (You can see in the graphic that the VMware Public Key is in two places: the ESXi Boot Loader and the Secure Boot Verifier.)

VIB

A vSphere Installation Bundle (VIB) is a “package”. It comprises a file archive (TAR g-zipped file), an XML descriptor file and a digital signature file. (Read more here: https://blogs.vmware.com/vsphere/2011/09/whats-in-a-vib.html)

When ESXi boots, it creates a file system in memory that maps to the contents of the vSphere Installation Bundles (VIBs). If a file never leaves the cryptographically signed “package”, then you don’t have to sign every file, just the package.

PREREQUISITES:

If you have upgraded your host to 6.7 and haven’t tried enabling Secure Boot, then you can run a validation script located on the ESXi host. The script is called:

/usr/lib/vmware/secureboot/bin/secureBoot.py -c

The output includes either "Secure Boot can be enabled" or "Secure boot CANNOT be enabled". If Secure Boot cannot be enabled, then see “Possible upgrade issues” above. You may have a situation that requires a clean installation. ESXi will continue to run just fine. However, you won’t be able to take advantage of Secure Boot for ESXi.

 

PSOD’s, unsigned VIBs and File Integrity Monitoring (FIM)

PSOD – Purple Screen of Death

If you already have an unsigned vSphere Installation Bundle (VIB) on your ESXi host and you enable Secure Boot in the firmware, then ESXi will boot into a purple screen and tell you which vSphere Installation Bundle (VIB) is unsigned. The error should look similar to this:

To get out of this situation do the following:

You can only get into this situation if you have pre-existing unsigned code installed.
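As an added example (not from the lab manual), here is a PowerShell pre-flight that applies the two checks described above before Secure Boot is switched on for a host: the verdict printed by /usr/lib/vmware/secureboot/bin/secureBoot.py -c, and the acceptance level of every installed VIB as printed by esxcli software vib list. Both command outputs below are constructed samples in the shape of the real output; in practice you would capture the script output over SSH and the VIB list either over SSH or through PowerCLI's Get-EsxCli -V2. The acceptance-level screen is only a heuristic (a VIB installed with --no-sig-check still reports whatever level its descriptor claims); the secureBoot.py verdict is the authoritative check, and the function requires both to agree.

```powershell
# Added example, not from the HOL manual: decide whether a host is safe to reboot
# with Secure Boot enabled, from the two outputs the text describes.

function Test-SecureBootVerdict {
    # Parses the output of /usr/lib/vmware/secureboot/bin/secureBoot.py -c
    param([Parameter(Mandatory)] [string[]] $ScriptOutput)
    $text = $ScriptOutput -join "`n"
    # -match is case-insensitive; test the negative phrase first
    if ($text -match 'cannot be enabled') { return $false }
    if ($text -match 'can be enabled')    { return $true }
    throw "Unrecognised secureBoot.py output: $text"
}

function Get-VibAcceptance {
    # Parses the table printed by "esxcli software vib list": Name, Version, Vendor,
    # Acceptance Level, Install Date. None of the values contain spaces, so each
    # data row splits cleanly on whitespace.
    param([Parameter(Mandatory)] [string[]] $VibListOutput)
    # Acceptance levels whose VIBs carry a signature the Secure Boot Verifier accepts;
    # CommunitySupported VIBs are unsigned and fail verification at boot.
    $signedLevels = 'VMwareCertified', 'VMwareAccepted', 'PartnerSupported'
    $VibListOutput |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^(Name\s|-)' } |   # drop header, separator, blanks
        ForEach-Object {
            $col = $_.Trim() -split '\s+'
            if ($col.Count -lt 5) { throw "Unexpected vib list row: $_" }
            [pscustomobject]@{
                Name            = $col[0]
                Version         = $col[1]
                Vendor          = $col[2]
                AcceptanceLevel = $col[3]
                InstallDate     = $col[4]
                SecureBootRisk  = ($col[3] -notin $signedLevels)
            }
        }
}

function Test-HostSecureBootReady {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [Parameter(Mandatory)] [string[]] $SecureBootScriptOutput,
        [Parameter(Mandatory)] [string[]] $VibListOutput
    )
    $verdict = Test-SecureBootVerdict -ScriptOutput $SecureBootScriptOutput
    $risky   = @(Get-VibAcceptance -VibListOutput $VibListOutput | Where-Object SecureBootRisk)
    [pscustomobject]@{
        Host            = $HostName
        ScriptSaysReady = $verdict
        RiskyVibs       = ($risky.Name -join ', ')
        # Enable Secure Boot only when both signals agree; otherwise remove the flagged
        # VIBs first (esxcli software vib remove -n <name>) and run the check again.
        SafeToEnable    = ($verdict -and $risky.Count -eq 0)
    }
}

# Constructed sample outputs (not captured from a lab host), shaped like the real commands.
$vibList = @(
    'Name       Version            Vendor   Acceptance Level    Install Date',
    '---------  -----------------  -------  ------------------  ------------',
    'esx-base   6.7.0-0.0.0000000  VMW      VMwareCertified     2018-01-01',
    'net-tulip  1.1.15-1           EXAMPLE  CommunitySupported  2018-01-02'
)
$sbCheck = @('Secure boot CANNOT be enabled')

Test-HostSecureBootReady -HostName 'esx-03b.corp.local' `
    -SecureBootScriptOutput $sbCheck -VibListOutput $vibList | Format-List
```

With the sample data the result is SafeToEnable = False with net-tulip listed under RiskyVibs, which is exactly the host state that produces the purple screen described above if Secure Boot is enabled anyway.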

 

Power On Host With Secure Boot Enabled

In this lesson, we will power on a host like normal with the UEFI Secure Boot enabled.

Open Google Chrome

Do the below step if you are opening a new Google Chrome browser window; otherwise, you can skip this step:

  1. Click the Google Chrome icon on the Quick Launch bar.

NOTE: If Google Chrome is already open, continue onto the next step.

 

 

RegionA vCenter

Do the below step if you do not already have the RegionA vCenter server web client open:

  1. Click on the RegionA folder in the Bookmark Toolbar.
  2. Then click on RegionA vSphere Client (HTML).

 

 

 

Log Into RegionA vCenter Server

 

If you are still logged into the RegionA vCenter server, you can skip this step. Otherwise, complete the below steps:

  1. Type administrator@corp.local in the username field.
  2. Type VMware1! in the password field.
  3. Then click the Login button.

 

 

Hosts Menu

 

  1. Click on the Menu icon at the top of the content pane.
  2. Then select Hosts and Clusters from the Menu drop-down.

 

 

esx-03b Nested ESXi Server

We are now going to look at the nested ESXi host esx-03b. Note that we do not have Secure Boot enabled at this time.

  1. Click on the esx-03b virtual machine in the Navigation pane.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

esx-03b - Open Console

 

While esx-03b is still selected in the Navigation Pane, go to the Content pane and perform the following step:

  1. Select the Launch Web Console link in the Content Pane.

 

 

esx-03b - Console Window

After clicking on the Launch Web Console link in the previous step, it should have opened the console in another tab and taken you to it automatically.

  1. We see that the host previously started properly WITHOUT getting the infamous Pink Screen Of Death (PSOD). This is what the screen should normally look like when the host is started with Secure Boot off AND an unsigned VIB installed.

 

 

Minimize Google Chrome

 

  1. Click on the Minimize icon in the upper right-hand corner of the Google Chrome window.

 

Install Unsigned VIB

In this lesson, we will copy an unsigned vSphere Installation Bundle (VIB) ZIP file to a directory on the ESXi virtual host (esx-03b) to prepare to install it. Then we will connect to the virtual ESXi host to run the command that installs the unsigned vSphere Installation Bundle (VIB). Once the unsigned VIB is installed and we reboot the ESXi host with Secure Boot enabled, we should see the Purple Screen of Death (PSOD).

Programs Menu

We now need to copy the unsigned vSphere Installation Bundle (VIB) file to the esx-03b virtual machine. We will use the WinSCP application to do this.

  1. Click on the Windows button in the lower left-hand corner of the virtual machine.
  2. Then click on the All Programs item from the menu.

 

 

Open WinSCP

 

  1. Click on the WinSCP application from the All Applications drop-down menu.

 

 

Connect to esx-03b

 

  1. Click on New Site in the menu on the left side of the application.
  2. Type esx-03b.corp.local into the Host name text field.
  3. Type root into the User name text field.
  4. Type VMware1! into the Password text field.
  5. Then click on the Login button to connect to esx-03b.corp.local.

 

 

WinSCP - Security (if needed)

 

If this is the first time connecting to esx-03b.corp.local via WinSCP, you will get this security pop-up and will need to perform the following step. If you have already accepted earlier in the lab, you won't need to perform this step again.

  1. Click on the Yes button to allow the connection to the nested host.

 

 

WinSCP - Root of Drive

 

  1. Click on the folder icon with the Backslash on it to take you to the root of the C:\ drive on the Control virtual machine on the left side of the window.

 

 

WinSCP - LabFiles Folder

 

  1. Double-click on the LabFiles folder to open it.

 

 

WinSCP - HOL-1911 Folder

 

  1. Double-click on the HOL-1911 folder to open it.

 

 

net-tulip-1.1.15-1-offline_bundle.zip

 

  1. Click on the net-tulip-1.1.15-1-offline_bundle.zip file.

 

 

esx-03b - /tmp Folder

 

 

 

Copy net-tulip-1.1.15-1-offline_bundle.zip to Host

 

  1. Drag and Drop the net-tulip-1.1.15-1-offline_bundle.zip file from the left side (Control VM) to the /tmp folder of the esx-03b host on the right side of the window.

 

 

Close WinSCP

 

  1. Click on the "X" in the upper right-hand corner of the WinSCP window to close the application.

 

 

Confirm Close of WinSCP

 

  1. Click on the OK button to confirm closing the WinSCP application.

 

 

Open Putty

 

We now will use Putty to connect to the virtual host and run the commands to install the unsigned vSphere Installation Bundle (VIB).

  1. Click on the Putty icon in the Task Bar.

 

 

esx-03b - Connect via Putty

 

  1. Use the scroll bar to scroll down until you see esx-03b.corp.local in the list.
  2. Click on esx-03b.corp.local.
  3. Click on the Load button.
  4. Then click on the Open button.

 

 

Putty Security Alert (if needed)

 

If this is the first time connecting to esx-03b using Putty, you will need to perform the following step. Otherwise, you can skip this step and move to the next step:

  1. Click on the Yes button in the Putty Security Alert pop-up window to connect to the host.

 

 

esx-03b - Login via Putty

  1. Type the following password and hit the Enter key.
VMware1!
  2. Then type the following and hit the Enter key to clear the screen to make it easier to read.
clear

 

 

esx-03b - Install VIB

We will now try to install the unsigned VIB onto esx-03b.

  1. Type the following command into Putty (you can copy the text from the lab manual and drop it into the Putty window; just be sure not to copy any additional characters before or after the command text):
esxcli software vib install -d /tmp/net-tulip-1.1.15-1-offline_bundle.zip --force --no-sig-check
  2. We see the message "The Update Completed successfully, but the system needs to be rebooted for the changes to be effective". This is what we want to see, confirming that it installed correctly with no issues.
  3. Now type the following command to exit Putty.
exit

 

 

esx-03b - Maximize Chrome

We now return to the vSphere Web Client to shut down esx-03b before enabling Secure Boot in the next lesson.

  1. Click on the minimized Google Chrome window in the Task Bar to maximize it again.

 

 

esx-03b - Close Tab

 

  1. Click on the "X" on the Google Chrome tab to close it.

 

 

esx-03b - Shut Down Guest OS

  1. Right-click on esx-03b.
  2. Then click on Power from the drop-down menu.
  3. Then click on Shut Down Guest OS.

 

 

Install Unsigned VIB - Complete

We have completed this lesson by installing an unsigned vSphere Installation Bundle (VIB) on the esx-03b host. This method of installing a vSphere Installation Bundle (VIB) can also be used to install vSphere patches and updates, if so desired. We then powered the host off in order to prepare for the next lesson.

 

Enable Secure Boot and Power On Host

Before powering on the host, we will need to enable Secure Boot in the settings of the host. If working with a normal physical host, we would enable Secure Boot in the BIOS settings of the host. The precise setting and its location in the BIOS of a physical server are usually slightly different from one server vendor to another.


 

esx-03b - Edit Settings

NOTE:  Be sure that the virtual machine is completely powered off before performing these steps.

  1. Right-click on esx-03b.
  2. Then click on Edit Settings from the drop-down menu.

 

 

esx-03b - VM Options

 

  1. Click on the VM Options tab.
  2. Select the check-box to the right of the Secure Boot setting.
  3. Then click on the OK button.

 

 

esx-03b - Power On

 

  1. Right-Click on esx-03b.
  2. Select Power from the drop-down menu.
  3. Then click on Power On.

 

 

esx-03b - Launch Web Console

 

Before continuing to the next step, give the esx-03b a minute to completely boot up.

  1. Click on the link Launch Web Console while having esx-03b selected in the Navigation pane to open a console session in a browser tab.

 

 

esx-03b - Pink Screen of Death (PSOD)

  1. After it finishes booting, we will see the Pink Screen of Death (PSOD) appear, showing the status "UEFI Secure Boot: Failed. Failed to verify signatures of the following vib(s): [ProFTPD]. All tardisks validated".

NOTE: This is what was expected, because we previously installed an unsigned vSphere Installation Bundle (VIB) on the host. With Secure Boot enabled, the host checks whether any unsigned vSphere Installation Bundles (VIBs) are installed and prevents the host from fully booting if there are. Only signed vSphere Installation Bundle (VIB) files are allowed, and only then is the host allowed to boot.

 

 

esx-03b - Close Tab

 

  1. Click on the "X" on the Google Chrome tab to close it.

 

 

esx-03b - Shut Down Guest OS

 

At this time, we want to power off the host since we no longer need it anymore.

  1. Right-click on the esx-03b virtual machine.
  2. Select Power from the drop-down menu.
  3. Click on Shut Down Guest OS (if available) or Power OFF from the Power drop-down menu.

 

 

esx-03b - Power Off Host - Confirm

 

We then get a pop-up asking if we are sure that we want to power off the virtual machine.

  1. Click on the Yes button to power off the virtual machine.

 

 

Enable Secure Boot and Power On Host - Complete

In this lesson, we went into the esx-03b virtual machine's VM Options settings and enabled Secure Boot for it. We then powered on the virtual machine and saw that we received the Pink Screen of Death (PSOD), which was what we expected to see. That is because we had previously installed an unsigned vSphere Installation Bundle (VIB) on the host, which is not allowed when Secure Boot is enabled. Lastly, we powered off the esx-03b virtual machine in order to get ready for the next lesson.

 

Disable Secure Boot

In this lesson, we will disable Secure Boot on the esx-03b.corp.local virtual host so that it can boot normally again with the unsigned VIB still installed.

esx-03b - Edit Settings

  1. Right-click on esx-03b.
  2. Then click on Edit Settings from the drop-down menu.

 

 

esx-03b - Disable Secure Boot

 

  1. Click on the VM Options tab.
  2. De-select the check-box to the right of the Secure Boot setting to disable it.
  3. Then click on the OK button.

 

 

Disable Secure Boot - Complete

We have completed the lesson on disabling the Secure Boot for the esx-03b.corp.local virtual machine.

 

Remove Unsigned VIB


In this lesson, we will remove the unsigned vSphere Installation Bundle (VIB) that we had previously installed on esx-03b.


 

esx-03b - Power On

 

  1. Right-Click on esx-03b.
  2. Select Power from the drop-down menu.
  3. Then click on Power On.

 

 

Minimize Google Chrome

 

Before you perform the below step to minimize the Google Chrome window, make sure that esx-03b.corp.local has booted up fully.

  1. In the upper right-hand corner of the browser window, click on the Minimize icon to minimize Google Chrome.

 

 

Launch Putty

 

If you still have the previous instance of Putty open and connected to esx-03b.corp.local, you can skip this step. We now need to launch Putty and connect to esx-03b in order to remove the unsigned vSphere Installation Bundle (VIB).

  1. Click on the Putty icon in the Task Bar.

 

 

esx-03b - Connect via Putty

If you still have the previous instance of Putty open and connected to esx-03b.corp.local, you can skip this step:

  1. Click on esx-03b.corp.local in the Saved Sessions list (if need be, scroll down to see it in the list).
  2. Click on the Load button.
  3. Then click on the Open button to connect to esx-03b.

 

 

esx-03b - Login

  1. Type the following password into the Putty window after the Password: prompt and hit the Enter key.
VMware1!
  2. Once we are logged in, type the following command and hit the Enter key to clear the screen.
clear

 

 

esx-03b - Remove VIB

  1. Type the following command and hit the Enter key to remove the previously installed unsigned vSphere Installation Bundle (VIB):
esxcli software vib remove -n net-tulip

NOTE: We didn't have to type the full name (net-tulip-1.1.15-1-offline_bundle.zip) of the unsigned vSphere Installation Bundle (VIB) that we installed previously, since it is the only VIB installed with that naming scheme.

  2. We see the message "The Update Completed successfully, but the system needs to be rebooted for the changes to be effective". This is what we want to see, confirming that it was removed successfully.

 

 

Exit Putty

 

  1. Type the following command and hit the Enter key to exit the Putty session.
exit

 

 

esx-03b - Maximize Chrome

 

We need to return to the vSphere Web Client.

  1. Click on the minimized Google Chrome window in the Task Bar to maximize it again.

 

 

esx-03b - Shut Down Guest OS

 

At this time, we want to power off the host to prepare for our next lesson.

  1. Right-click on the esx-03b virtual machine.
  2. Select Power from the drop-down menu.
  3. Click on Shut Down Guest OS from the Power drop-down menu.

 

 

esx-03b - Power Off Host - Confirm

 

We then get a pop-up asking if we are sure that we want to power off the virtual machine.

  1. Click on the Yes button to power off the virtual machine.

 

 

Remove Unsigned VIB - Complete

In this lesson, we used the "esxcli software vib remove -n net-tulip" command to remove the unsigned vSphere Installation Bundle (VIB) that we had previously installed. At this point, we can power the host on and off even with Secure Boot enabled, and it will boot normally without the Purple Screen of Death (PSOD). Then we powered down the host to conserve lab resources.

 

Configure ESXi Host for vTPM 2.0


In this lesson, we will use PowerCLI to add a vTPM to our esx-03b nested host. Since this is a double nested host, we can't use the vSphere Web Client to add the vTPM to esx-03b. So instead, we will show how the vTPM can be added using the command-line.

NOTE: If you add a TPM 2.0 chip to an ESXi host that vCenter Server already manages, you must first disconnect the host, then reconnect it. See vCenter Server and Host Management documentation for information about disconnecting and reconnecting hosts.


 

esx-03b - Edit Settings

  1. Right-click on the esx-03b host.
  2. Then click on Edit Settings from the drop-down menu.

 

 

esx-03b - Boot Options

 

  1. Click on the VM Options tab at the top of the Edit Settings pop-up window.
  2. Click on the down-arrow next to the Boot Options.
  3. Click inside the checkbox to enable Secure Boot for the host.
  4. Then click on the OK button.

 

 

esx-03b - Power On

 

We are now going to power on the nested ESXi host esx-03b.

  1. While still having the esx-03b virtual machine selected, click on ACTIONS.
  2. Select Power from the Menu drop-down menu.
  3. Then click on Power On.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

Minimize Google Chrome

 

  1. Click on the Minimize icon in Google Chrome.

 

 

PowerCLI - Launch

 

  1. Double-click on the VMware PowerCLI icon on the desktop to launch PowerCLI.

 

 

PowerCLI - Import-Modules (if needed)

NOTE:  If you had previously imported the VMware.VMEncryption PowerShell modules in lab Module 3 "VM Encryption and Encrypted vMotion" and have not ended the lab since then, you can skip the following steps:

  1. Type the following command into the PowerCLI text window and then hit the Enter key:
Import-Module -Name "C:\Labfiles\HOL-1911\VMware.VMEncryption.psd1"
  2. Type the following command into the PowerCLI text window and then hit the Enter key:
Import-Module -Name "C:\Labfiles\HOL-1911\VMware.VMEncryption.psm1"

 

 

PowerCLI - Connect to vcsa-01b.corp.local

  1. Type the following command in the PowerCLI window to connect to the vcsa-01b.corp.local vCenter server.
Connect-VIServer -Server vcsa-01b.corp.local -User administrator@corp.local -Password VMware1!
  2. We see that we successfully connected to the vcsa-01b.corp.local vCenter server.

 

 

PowerCLI - Add vTPM to esx-03b

Since this is a double nested host, we can't use the vSphere Web Client to add the vTPM to esx-03b. So instead, we will show how the vTPM can be added using the command-line. This encrypts the VM Home and adds the Virtual TPM to the host.

We will use a variable with an arbitrary name ($vm1) to run the two commands that add the vTPM to esx-03b. The variable $vm1 holds the esx-03b virtual machine object returned by the Get-VM -Name cmdlet. We then pass that variable, which again represents the esx-03b virtual machine, to the Add-Vtpm cmdlet.

  1. Type the following command into the PowerCLI window:
$vm1 = Get-VM -Name esx-03b
  2. Type the following command into the PowerCLI window. (Pay attention to the case of the letters in the command.)
Add-Vtpm $vm1
  3. We see that it returns a Task number, which means the command ran successfully.

NOTE: The task number is different each time you run a PowerCLI command. It is meant to be a reference number to look up in the various logs. So the Task Number in the screen shot WILL be a different number than what you get in the lab environment.

  4. Type the following command to exit out of PowerCLI.
exit

Maximize Google Chrome

 

  1. Click on the Google Chrome tab in the Task Bar to maximize it.

 

 

esx-03b - Verify vTPM

Now, if we were working in a real production environment, we would go to the vSphere Web Client to look at the status of the attestation. Again, this is a nested host in a lab environment, so we can't see it listed as usual. Let's take a look at where you would go to look at this in a production environment.

  1. Click on the RegionB01 datacenter in the Navigation pane.
  2. Click on the Monitor tab in the Content pane.
  3. Then click on Security at the bottom under Tasks and Events.
  4. We currently only see our (2) hosts and not esx-03b, since it is a double nested host. In a production environment, the esx-03b host would be listed here and you would see the TPM version column filled in for it.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

Configure ESXi Host for vTPM 2.0 - COMPLETE

We have completed this lesson on adding a vTPM 2.0 to an ESXi host!

Again, since we are working with virtualized ESXi hosts to show this, we were limited in what we can do and see in regards to adding a vTPM to an ESXi host.

 

Secure Boot for Virtual Machines


In this lesson, we will walk through the steps to verify if a virtual machine is enabled for Secure Boot or not using a PowerShell command.


 

win10 - Shut Down Guest OS

 

  1. Right-click on the win10 virtual machine.
  2. Select Power from the drop-down menu.
  3. Then click on Shut Down Guest OS from the Power drop-down menu.

 

 

win10 - Confirm Shut Down

 

  1. Then click on Edit Settings from the drop-down menu.

 

 

win10 - Edit Settings

 

  1. Right-click on the win10 virtual machine.
  2. Then click on Edit Settings from the drop-down menu.

 

 

win10 - Enable Secure Boot

 

  1. Click on the VM Options tab in the Edit Settings pop-up window.
  2. Click on the down-arrow next to Boot Options to expand it.
  3. Click on the Enabled check box for Secure Boot to enable Secure Boot.  
  4. Then click on the OK button.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

win10 - Power On

 

  1. Right-click on the win10 virtual machine.
  2. Select Power from the drop-down menu.
  3. Then click on Power On from the Power drop-down menu.

 

 

win10 - Launch Web Console

 

  1. Click on the win10 virtual machine.
  2. Then click on the Launch Web Console link to open the console in another tab.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

win10 - Console Window

 

  1. Click anywhere on the desktop of the virtual machine to get to the Login screen.

 

 

win10 - Login

 

  1. Type in VMware1! for the Password text field.
  2. Then click on the arrow icon to log into the virtual machine.

 

 

win10 - Launch PowerShell (Admin)

 

Once fully logged into the virtual machine, we now want to launch the PowerShell command-line tool by:

  1. Right-click on the Windows Start icon in the Task Bar.
  2. Click on Windows PowerShell (Admin) in the Start menu.

 

 

win10 - Confirm VM Secure Boot

 

  1. Type the following command and hit the Enter key to change directories to C:\Windows\system32\:
cd C:\Windows\system32\
  2. Type the following command into the PowerShell window and then hit the Enter key.
Confirm-SecureBootUEFI
  3. We get a return of True from running the command, which is expected since we enabled Secure Boot.

 

 

Exit PowerShell

 

  1. Type the following command into the PowerShell window and then hit the Enter key.
exit

 

 

Close Google Chrome Tab

 

  1. Click on the "X" of the win10 Google Chrome tab to close it.

 

 

Secure boot for Virtual Machines - Complete

In this lesson, we logged into a Windows 10 virtual desktop and then launched PowerShell with administrative permissions. We then typed the command Confirm-SecureBootUEFI to return a status of False since we had not yet configured Secure Boot for the virtual machine. In the next lesson, we will enable Secure Boot for the virtual machine.

 

Conclusion


Congratulations on completing Module 4!

In this module, we covered the vSphere 6.7 feature Secure Boot for Hosts and Virtual Machines. This feature ensures that administrators can only install and boot into ESXi images that are authorized by the company, ensuring the hosts are secure at all times. Feel free to continue on to module 6, or you can skip ahead to another module.

Proceed to the next module (Module 5 - No-Cryptography Administrator Roles and Permissions), or feel free to skip to any other module below which interests you most.


 

Secure Boot for Hosts & VMs Resources:

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.

 

 

OPTIONAL: How to End the Lab

 

NOTE: Understand that when you click the END button in the lab, it will close out the lab and delete the associated virtual machines. This means when the lab is re-launched, it will create a new lab instance with new virtual machines, not the ones used previously. Any and all previous settings will be lost and they will be back to the default settings from when the lab is first deployed.

You can now continue to the next module by clicking forward, or use the Table of Contents to skip to another desired Module.

If you'd like to end your lab, click on the END button.

Note: If you end your lab, you will need to re-register for the lab in order to take any other modules.

 

Module 5 - No-Cryptography Administrator Roles and Permissions (15 minutes)

Introduction


IMPORTANT NOTE: If you have started this module and have continued directly after completing Module 3 (VM Encryption and Encrypted vMotion), you can skip the first two lessons and go directly to the third lesson (Log In Using No-Cryptography User Account). If you have NOT performed Module 3 prior to starting this module (Module 5), we will need to do some extra steps to get the lab ready. First, we will add a single HyTrust KMS server to the vCenter Server, which allows us to encrypt virtual machines. Then we will need to encrypt a virtual machine before starting the Log In Using No-Cryptography User Account lesson.

In this module, (Module 5 - No-Cryptography Administrator Roles and Permissions), we will discuss the new No-Cryptography Role that has been added in vSphere 6.7. When wanting to use the new security features of virtual machine encryption and encrypted vMotion, we get into needing Key Management Servers (KMS). However, we don't want every single administrator that has administrative access to a vCenter server to be able to encrypt and decrypt objects.

Users with the No cryptography administrator role for an object have the same privileges as users with the Administrator role, except for Cryptographic operations privileges. This role allows administrators to designate other administrators that cannot encrypt or decrypt virtual machines or access encrypted data, but that can perform all other administrative tasks.

Only vCenter Server has the credentials for logging in to the KMS. Your ESXi hosts do not have those credentials. vCenter Server obtains keys from the KMS and pushes them to the ESXi hosts. vCenter Server does not store the KMS keys, but keeps a list of key IDs. vCenter Server checks the privileges of users who perform cryptographic operations. You can use the vSphere Web Client to assign cryptographic operation privileges or to assign the No cryptography administrator custom role to groups of users.

Encryption tasks are possible only in environments that include vCenter Server. In addition, the ESXi host must have encryption mode enabled for most encryption tasks. The user who performs the task must have the appropriate privileges. A set of Cryptographic Operations privileges allows fine-grained control. If virtual machine encryption tasks require a change to the host encryption mode, additional privileges are required.

Cryptography Privileges and Roles:

By default, the user with the vCenter Server Administrator role has all privileges, including all Cryptographic Operations privileges. You can assign the No cryptography administrator role to all vCenter Server administrators who do not need Cryptographic Operations privileges. The No cryptography administrator lacks the following privileges for cryptographic operations:

To further limit what users can do, you can clone the No cryptography administrator role and create a custom role with only some of the Cryptographic Operations privileges. For example, you can create a role that allows users to encrypt but not to decrypt virtual machines, or that does grant privileges for management operations. See the vSphere Security manual for details.
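The role model described above is easiest to audit from PowerCLI. The following added example (not code from the lab manual or from VMware) lists every vCenter role that carries Cryptographic Operations privileges, which all have IDs beginning with Cryptographer., together with the accounts holding each role; it assumes an open PowerCLI session (Connect-VIServer already run) and that Get-VIRole returns roles under their API names, which may differ from the labels shown in the web client.

```powershell
# Added example: audit which roles grant cryptographic operations and who holds them.
# Assumes Connect-VIServer has already been run against the lab vCenter.
Import-Module VMware.VimAutomation.Core

function Get-RoleCryptoPrivileges {
    param([Parameter(Mandatory)] $Role)
    # Every Cryptographic Operations privilege ID starts with "Cryptographer."
    @($Role.PrivilegeList) -match '^Cryptographer\.'
}

function Get-CryptoPrivilegeReport {
    # Fetch all permissions once; each one records a role name and a principal.
    $permissions = Get-VIPermission

    foreach ($role in Get-VIRole) {
        $cryptoIds  = @(Get-RoleCryptoPrivileges -Role $role)
        $principals = $permissions |
            Where-Object { $_.Role -eq $role.Name } |
            ForEach-Object { $_.Principal } |
            Sort-Object -Unique

        [PSCustomObject]@{
            Role             = $role.Name
            TotalPrivileges  = @($role.PrivilegeList).Count
            CryptoPrivileges = $cryptoIds.Count
            # Decrypt is the privilege that exposes encrypted data; flag it explicitly.
            CanDecrypt       = [bool]($cryptoIds -contains 'Cryptographer.Decrypt')
            Principals       = ($principals -join ', ')
        }
    }
}

# Roles that grant any cryptographic operation, most capable first. A custom role
# cloned from No cryptography administrator should show CryptoPrivileges = 0.
Get-CryptoPrivilegeReport |
    Where-Object { $_.CryptoPrivileges -gt 0 } |
    Sort-Object -Property CryptoPrivileges -Descending |
    Format-Table -AutoSize
```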

In this module, we will perform the following tasks:


 

Lab Assumptions

We have already created an Active Directory user account (nocrypto@corp.local) and assigned that account to the No cryptography role. We will use the pre-defined account to log into the vCenter Server.

 

Encrypt VMs Using HyTrust KMS Server


In this lesson, we will encrypt a virtual machine using a HyTrust KMS server that is already installed. We will use the vSphere Web Client (HTML5) to do the encrypting and decrypting of the virtual machine.


 

Menu Drop-down

 

Let's first look at the Policies and Profiles section of vCenter to look at the default VM Encryption Policies:

  1. Click on the Menu icon at the top of the page.
  2. Select Policies and Profiles from the Menu drop-down.

 

 

Default VM Encryption Policies

 

  1. Click on VM Storage Policies from the Navigation pane.
  2. We see that there are already (2) VM Encryption Policies, one for each vCenter server by default.

NOTE: Although VMware creates the default VM Encryption Policies for us, you can also create your own policies if you wish.

 

 

Default Encryption Properties

 

  1. Click on the Storage Policy Components in the Navigation pane.
  2. We see both Default encryption properties components listed, one for each vCenter server.
  3. We also see a description in the bottom of the Content pane.

 

 

Menu Drop-down

 

At this point, let's return to the Hosts and Clusters view so we can start the process of encrypting the core-01a virtual machine:

  1. Click on the Menu icon at the top of the page.
  2. Select Hosts and Clusters from the Menu drop-down.

 

 

Select core-01a

 

We are now going to encrypt the core-01a virtual machine. To do this, perform the following steps:

  1. Right-click on the core-01a virtual machine in the left Navigation Pane.
  2. Click on VM Policies from the drop-down menu.
  3. Then click on Edit VM Storage Policies from the VM Policies drop-down menu.

 

 

core-01a - Edit VM Storage Policies

 

Here we see there are a few default policies that VMware has created already, but we will be selecting the VM Encryption Policy specifically by doing the following:

  1. Click on the arrow in the VM storage policy drop-down menu and select VM Encryption Policy.
  2. Then click on the Configure per disk slider to enable it.

NOTE: In this lab exercise, we are encrypting all the components of the virtual machine. But as we can see, we have the option to select to encrypt just the VM Home folder or the Hard disk 1. In order to encrypt just one item, you must click on the slider in the upper right-hand corner of the window to allow you to select an individual item.

 

 

core-01a - Configure Per Disk

 

We see that once we enabled the Configure per disk option, the VM Home folder and Hard disk 1 are no longer grayed out and we can manage policies individually.

  1. Temporarily click on the drop-down for Hard disk 1 and select VM Encryption Policy. Here we see how we can individually assign policies to both components of the virtual machine. After reviewing the options, return it to the Datastore Default option.

NOTE: In this lab exercise, we are encrypting all the components of the virtual machine. But as we can see, we have the option to select to encrypt just the VM Home folder or the Hard disk 1.

 

 

core-01a - Edit VM Storage Policies

 

  1. Click on the arrow in the VM storage policy drop-down menu and select VM Encryption Policy if it isn't already selected.
  2. Then click on the OK button.

 

 

core-01a - Verify VM Storage Policy Compliance

 

While still having core-01a selected in the Navigation pane, perform the following steps:

  1. In the content pane for core-01a, use the scroll bar to get to the bottom of the page until you see the VM Storage Policies widget.
  2. If need be, we may have to click on the arrow to open up the VM Storage Policies widget.
  3. We should now see that the VM Encryption Policy has been assigned to the virtual machine and is also compliant which is represented by a green check mark.

 

 

core-01a - Not Compliant (if needed)

 

If for any reason the VM Storage Policy widget has no information in it after a minute or two or says that it is not compliant:

  1. Click on the Check Compliance link to update the compliance information.

NOTE: After clicking on the Check Compliance link, it should update the information in less than a minute and show compliant. If the status doesn't change, try refreshing the web browser window. After that, if it still hasn't updated to reflect correctly, raise your hand for assistance either in the Hands On Lab interface or physically raise your hand to get a proctor's attention.

 

 

Encrypt VM Using HyTrust KMS Server - Complete

In this lesson, we applied the VM Encryption Policy to the core-01a virtual machine using the vSphere Web Client. After we applied the policy, it showed that the virtual machine was compliant with the VM Encryption Policy. Then we went through the same steps to remove the encryption policy from the core-01a virtual machine. Once we completed that task, we could see the VM Storage Policy widget went back to a blank widget. This was the expected behavior and means we successfully removed the encryption on the virtual machine's files.

Using the vSphere Web Client is not the only method of encrypting or decrypting a virtual machine. We can also use PowerCLI commands to do the same actions on a single virtual machine or on many virtual machines at once, in a more efficient manner. If changing the encryption status of a large number of virtual machines at once, the best practice would be to use the PowerCLI commands to do so.

In an upcoming lesson, we will discuss the use of PowerCLI for the various encryption related tasks in more detail. Also, later in this module, we will actually encrypt and decrypt virtual machines using the PowerCLI commands.
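As an added example (not code from the lab manual or from VMware), the following PowerCLI function applies the VM Encryption Policy to one or more powered-off virtual machines, covering the VM home folder and every hard disk rather than the VM home only, and then re-checks compliance the way the Check Compliance link does. It assumes an open PowerCLI session and uses the PowerCLI Storage module's SPBM cmdlets; core-01a and the policy name come from the lab.

```powershell
# Added example: encrypt VMs by storage policy from PowerCLI and verify compliance.
# Assumes Connect-VIServer has already been run against the lab vCenter.
Import-Module VMware.VimAutomation.Core
Import-Module VMware.VimAutomation.Storage

function Set-VMEncryptionPolicy {
    param(
        [Parameter(Mandatory)] [string[]] $VMName,
        [string] $PolicyName = 'VM Encryption Policy'
    )
    $policy = Get-SpbmStoragePolicy -Name $PolicyName

    foreach ($name in $VMName) {
        $vm = Get-VM -Name $name

        # Encryption can only be applied to a powered-off VM; skip instead of failing mid-task.
        if ($vm.PowerState -ne 'PoweredOff') {
            Write-Warning "$name is $($vm.PowerState); power it off before encrypting."
            continue
        }

        # VM home folder: the web client's "VM Home" row.
        $vm | Get-SpbmEntityConfiguration |
            Set-SpbmEntityConfiguration -StoragePolicy $policy | Out-Null

        # Every virtual disk: the web client's "Hard disk N" rows.
        $vm | Get-HardDisk | Get-SpbmEntityConfiguration |
            Set-SpbmEntityConfiguration -StoragePolicy $policy | Out-Null

        # Re-evaluate compliance now rather than waiting for the periodic check.
        Get-SpbmEntityConfiguration -VM $vm -CheckComplianceNow |
            Select-Object @{ n = 'VM'; e = { $name } }, Entity, StoragePolicy, ComplianceStatus
    }
}

# Encrypt core-01a and show the resulting compliance status.
Set-VMEncryptionPolicy -VMName 'core-01a' | Format-Table -AutoSize
```

Removing encryption is the same call with the datastore's default policy, and it is subject to the same Cryptographic Operations privilege checks as the web client, so a No cryptography administrator session fails at the Set-SpbmEntityConfiguration step.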

 

Log In Using No-Cryptography User Account


In this lesson, we will log in as the nocrypto@corp.local Active Directory user account which has the No-Cryptography Role assigned to the account already.


 

Navigating vCenter

 

In order to show the No-Cryptography role, we need to first navigate to the Roles selection in vCenter.

 

 

Global Permissions

 

  1. Under Access Control, click on Global Permissions.
  2. We see that the CORP.LOCAL\nocrypto Active Directory account is assigned the role No cryptography administrator already.

 

 

Logout of vCenter Server

 

At this point, we want to log out of the vCenter Server since we are currently logged in as the administrator:

  1. Click on Administrator@CORP.LOCAL drop-down arrow.
  2. Select Logout to log out of the vCenter Server.

 

 

Log in as nocrypto User

 

In order to prove that a user assigned the No cryptography administrator role can't look at encrypted virtual machine files, etc., we must log in with the pre-defined nocrypto Active Directory user account.

  1. Type nocrypto@corp.local in the User name: text field.
  2. Type VMware1! in the Password: text field.
  3. Click on the Login button.

 

 

Log In Using No-Cryptography User Account - Complete

In this lesson, we verified that the Active Directory user account nocrypto was assigned to the No-Cryptography Role in the vCenter server. Then we logged in with the nocrypto@corp.local user account. In the next lesson, we will verify that this account is unable to browse the datastore of an encrypted virtual machine or download one of its files.

 

Attempt to Download Encrypted Virtual Machine File


While logged in as the nocrypto@corp.local Active Directory user account, we will try to download a file of an encrypted virtual machine.

IMPORTANT NOTE: If prior to starting this module (Module 5 - No-Cryptography Administrator Roles and Permissions) you performed all the steps in Module 3 & 4, you can skip to the "Verify Virtual Machine Encryption is Enabled" section of this manual. Otherwise, start from the beginning and work your way through all the steps.


 

Minimize Recent Tasks Pane

 

If the Recent Objects and Recent Tasks panes are maximized, proceed with the following step, otherwise you can skip it:

  1. Click on the Recent Tasks double downward arrows icon to minimize the pane at the bottom of the vSphere Web Client.

 

 

Host And Clusters

 

If you are already in the Hosts and Clusters view, you can skip the below steps. Otherwise, perform the below steps to get to the Hosts and Clusters view:

  1. Click on the Menu button at the top of the page.
  2. Then click on Hosts and Clusters.

 

 

core-02a - Verify Host

 

  1. Expand the list of objects under vcsa-01a.corp.local if need be until you see the list of virtual machines.
  2. Click on the core-01a virtual machine in the Navigation pane.
  3. Then verify which ESXi host core-01a resides on. In this case it is esx-02a.corp.local.

NOTE: The list of virtual machines may be different in the lab environment than what is in the screen capture depending on if you completed the previous modules prior to doing this module.

 

 

Storage Tab

 

One test to ensure that this nocrypto Active Directory user is correctly restricted is to have the user try to download an encrypted virtual machine's file. If configured correctly, they should not be able to download the virtual machine's files.

To confirm the role is configured properly for this user:

  1. Click on the Storage icon in the Navigation pane.
  2. Click the arrow next to vcsa-01a.corp.local to expand it until you see the RegionA01-ISCSI01-COMP01 datastore.
  3. Click on the RegionA01-ISCSI01-COMP01 datastore.
  4. Then click on the Files tab in the Content pane.

 

 

 

core-01a VMX File

 

  1. Click on the folder for the core-01a virtual machine.
  2. Select the core-01a.vmx file.
  3. Then click on the Download button.  

NOTE: We may need to expand the "Name" column so we can see the file extension types to find the .vmx file.

 

 

Login Pop-Up Window

 

Since we are logged into vCenter with the nocrypto@corp.local account, we see that we are unable to download the VMX file because the virtual machine and all its files are encrypted. We know this because of the pop-up box asking for login credentials. If we were logged in as a user that has administrative access to vCenter and is NOT assigned the No Cryptography Role, they would be able to download the VMX file.

  1. Click on the Cancel button.

 

 

Close Google Chrome Tab

 

  1. Click on the "X" of the Google Chrome tab to close it.

 

 

Attempt to Download Encrypted Virtual Machine File - Complete

In this lesson, we logged into the vCenter server with the Active Directory user account nocrypto@corp.local. This account was already assigned to the No-Cryptography Administrators Role in the vCenter Servers. Being assigned to the No-Cryptography Administrators Role means that the user is not authorized to download an encrypted virtual machine's files. It also means that a No-Cryptography Administrator is unable to encrypt or decrypt a virtual machine.

 

Attempt to Open a Console of an Encrypted VM


In this lesson, we are going to attempt to open the remote console of a virtual machine that is encrypted. If it is configured correctly, we should not be able to open and see the console of a virtual machine that is encrypted.


 

core-01a - Power On

 

  1. Click on the Hosts and Clusters icon in the Navigation pane.
  2. Right-click on the core-01a virtual machine.
  3. Click on Power in the drop-down menu.
  4. Then click on Power On in the Power drop-down menu.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

core-01a - Launch Web Console

 

  1. Click on the core-01a virtual machine in the Navigation pane.
  2. Click on the Launch Web Console link in the Content pane.

NOTE: The list of virtual machines may be different in the lab environment than what is in the screen capture depending on if you completed the previous modules prior to doing this module.

 

 

core-01a Summary Tab

 

  1. We see that we are unable to connect to the console of the core-01a virtual machine because we are logged in with the nocrypto@corp.local account.
  2. Then click on the "X" to close the Google Chrome tab.

 

 

Attempt to Open a Console of an Encrypted VM - Completed

We have completed this lesson, in which we proved that a user assigned to the No-Cryptography Administrator role is not able to open the console of a virtual machine that is encrypted.

 

Attempt to Decrypt a VM


While logged in as the nocrypto@corp.local Active Directory user account, we will try to decrypt an encrypted virtual machine.


 

core-01a - Power Off

 

We need to power off the core-01a virtual machine in order to try and decrypt the virtual machine.

  1. Right-click on the core-01a virtual machine.
  2. Click on Power from the drop-down menu.
  3. Then click on Shut Down Guest OS from the Power drop-down menu.

 

 

core-01a - Confirm Power Off (if needed)

 

  1. If you get the confirmation pop-up, click on the YES button. Otherwise, you can skip this step.

 

 

core-01a - Edit VM Storage Policies

 

  1. Right-click on the core-01a virtual machine.
  2. Click on VM Policies from the drop-down menu.
  3. Click on Edit VM Storage Policies from the VM Policies menu.

 

 

Datastore Default Policy

 

  1. Select Datastore Default from the VM Storage Policy drop-down menu.
  2. Then click on the OK button.

 

 

core-01a - Tasks

 

In order to see that we were denied from decrypting the core-01a virtual machine as the nocrypto@corp.local user, we need to look in the Monitor tab.

  1. Click on the core-01a virtual machine in the Navigation pane
  2. Click on the Monitor tab.
  3. Then click on Tasks under Tasks and Events section in the Content pane.

 

 

core-01a - Permission

 

  1. We see that we received an error stating Permissions to perform this operation was denied to decrypt the core-01a virtual machine while logged in with the nocrypto@corp.local account. This was the expected behavior.

 

 

Log Off nocrypto User

 

We are now finished with the nocrypto@corp.local user account in the web client.

  1. Click on the nocrypto@CORP.LOCAL user account in the upper right-hand corner of the web client.
  2. Then click on Logout.

 

 

Log In With Administrator@corp.local

 

If already logged into the RegionA vCenter server, you can skip the below steps. If you aren't, complete the below steps:

  1. Type administrator@corp.local in the User name: text field.
  2. Type VMware1! into the Password: text field.
  3. Click on the Login button.

 

 

Attempt to Decrypt a VM - Complete

In this lesson, we logged into the vCenter server with the Active Directory user account nocrypto@corp.local. This account was already assigned to the No-Cryptography Administrators Role in the vCenter Servers. Being assigned the No-Cryptography Administrators Role means that the user is not authorized to encrypt or decrypt virtual machines.

 

Conclusion


Congratulations on completing Module 5! 

In this module, we discussed that users with the No cryptography administrator role for an object have the same privileges as users with the Administrator role, except for Cryptographic operations privileges. This role allows administrators to designate other administrators that cannot encrypt or decrypt virtual machines or access encrypted data, but that can perform all other administrative tasks.

In this lesson, we performed several tasks such as:

In this lab (HOL-1911-04-SDC - vSphere 6.7 Security Concepts and Implementation), we covered the following modules:  

Feel free to go back to any other module below that you would like to do again.


 

No-Cryptography Role Resources:

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.

Below are some links to additional resources that we think you will find useful regarding the No-Cryptography Administrator Role.

 

 

OPTIONAL: How to End the Lab

 

NOTE: Understand that when you click the END button in the lab, it will close out the lab and delete the associated virtual machines. This means when the lab is re-launched, it will create a new lab instance with new virtual machines, not the ones used previously. Any and all previous settings will be lost and they will be back to the default settings from when the lab is first deployed.

You can now continue to the next module by clicking forward, or use the Table of Contents to skip to another desired Module.

If you'd like to end your lab, click on the END button.

Note: If you end your lab, you will need to re-register for the lab in order to take any other modules.

 

Module 6 - vTPM 2.0 and VBS for VMs (30 minutes)

Introduction


This module (Module 6: vTPM 2.0 and VBS for VMs) shows us the newly added vSphere 6.7 security feature that allows us to add a virtual TPM (vTPM) to a vSphere host. It does not require, and is not mapped to, a hardware Trusted Platform Module (TPM). This is accomplished by simply adding the vTPM as a new device, just like adding a new network card. Standard Microsoft drivers are used. Again, no changes to the OS and no special software are needed. We will also show you how to enable Virtualization-Based Security (VBS) on a Windows 10 virtual machine.

In this module, we will:

 

vTPM 2.0 for ESXi Hosts:

ESXi can use Trusted Platform Modules (TPM) chips, which are secure cryptoprocessors that enhance host security by providing a trust assurance rooted in hardware as opposed to software.

TPM is an industry-wide standard for secure cryptoprocessors. TPM chips are found in most of today's computers, from laptops, to desktops, to servers. vSphere 6.7 supports TPM version 2.0.

A TPM 2.0 chip attests to an ESXi host's identity. Host attestation is the process of authenticating and attesting to the state of the host's software at a given point in time. UEFI secure boot, which ensures that only signed software is loaded at boot time, is a requirement for successful attestation. The TPM 2.0 chip records and securely stores measurements of the software modules booted in the system, which vCenter Server remotely verifies.

The high-level steps of the remote attestation process are:

  1. Establish the trustworthiness of the remote TPM and create an Attestation Key (AK) on it. When an ESXi host is added to, rebooted from, or reconnected to vCenter Server, vCenter Server requests an AK from the host. Part of the AK creation process also involves the verification of the TPM hardware itself, to ensure that a known (and trusted) vendor has produced it.
  2. Retrieve the Attestation Report from the host. vCenter Server requests that the host sends an Attestation Report, which contains a quote of Platform Configuration Registers (PCRs), signed by the TPM, and other signed host binary metadata. By checking that the information corresponds to a configuration it deems trusted, vCenter Server identifies the platform on a previously untrusted host.
  3. Verify the host's authenticity. vCenter Server verifies the authenticity of the signed quote, infers the software versions, and determines the trustworthiness of said software versions. If vCenter Server determines the signed quote is invalid, remote attestation fails and the host is not trusted.

To use a TPM 2.0 chip, your vCenter Server environment must meet these requirements:

Ensure that the TPM is configured in the ESXi host's BIOS to use the SHA-256 hashing algorithm and the TIS/FIFO (First-In, First-Out) interface and not CRB (Command Response Buffer). For information about setting these required BIOS options, refer to the vendor documentation.

 

vTPM 2.0 for Virtual Machines:

Virtual Trusted Platform Module Overview

vTPMs perform cryptographic coprocessor capabilities in software. When added to a virtual machine, a vTPM enables the guest operating system to create and store keys that are private. These keys are not exposed to the guest operating system itself. Therefore, the virtual machine attack surface is reduced. Usually, compromising the guest operating system compromises its secrets, but enabling a vTPM greatly reduces this risk. These keys can be used only by the guest operating system for encryption or signing. With an attached vTPM, a third party can remotely attest to (validate) the identity of the firmware and the guest operating system.

You can add a vTPM to either a new virtual machine or an existing virtual machine. A vTPM depends on virtual machine encryption to secure vital TPM data. When you configure a vTPM, VM encryption automatically encrypts the virtual machine files but not the disks. You can choose to add encryption explicitly for the virtual machine and its disks.

You can also back up a virtual machine enabled with a vTPM. The backup must include all virtual machine data, including the *.nvram file. If your backup does not include the *.nvram file, you cannot restore a virtual machine with a vTPM. Also, because the VM home files of a vTPM-enabled virtual machine are encrypted, ensure that the encryption keys are available at the time of a restore.

A vTPM does not require a physical Trusted Platform Module (TPM) 2.0 chip to be present on the ESXi host. However, if you want to perform host attestation, an external entity, such as a TPM 2.0 physical chip, is required. See Securing ESXi Hosts with Trusted Platform Module.

Note:

By default, no storage policy is associated with a virtual machine that has been enabled with a vTPM. Only the virtual machine files (VM Home) are encrypted. If you prefer, you can choose to add encryption explicitly for the virtual machine and its disks, but the virtual machine files would have already been encrypted.

 

Virtualization-Based Security (VBS) for Virtual Machines:

Microsoft VBS, a feature of Windows 10 and Windows Server 2016 operating systems, uses hardware and software virtualization to enhance system security by creating an isolated, hypervisor-restricted, specialized subsystem. Starting with vSphere 6.7, you can enable Microsoft virtualization-based security (VBS) on supported Windows guest operating systems.

Below are the VBS-related tasks for virtual machines:

  1. You can enable Microsoft virtualization-based security (VBS) on existing virtual machines for supported Windows guest operating systems.
  2. Enable Virtualization-based Security on the Guest Operating System: you can enable Microsoft virtualization-based security (VBS) within supported Windows guest operating systems.
  3. Disable Virtualization-based Security: if you no longer use virtualization-based security (VBS) with a virtual machine, you can disable VBS. When you disable VBS for the virtual machine, the Windows VBS options remain unchanged but might induce performance issues. Before disabling VBS on the virtual machine, disable VBS options within Windows.
  4. Identify VBS-Enabled Virtual Machines.
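The guest-side check that the Secure Boot lesson performs with Confirm-SecureBootUEFI extends naturally to VBS. The following added example (not code from the lab manual, VMware or Microsoft) runs inside the Windows 10 guest from an elevated PowerShell window and reports the Secure Boot state together with the VBS state that Windows exposes through the Win32_DeviceGuard WMI class, which is what to confirm before disabling VBS options within Windows and then on the virtual machine.

```powershell
# Added example: report Secure Boot and VBS state from inside the Windows guest.
# Run from Windows PowerShell (Admin); it only reads firmware and WMI state.

function Get-GuestSecurityState {
    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; report that as not enabled.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $statusNames = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    $vbsStatus   = $statusNames[[int]$dg.VirtualizationBasedSecurityStatus]
    if (-not $vbsStatus) { $vbsStatus = "Unknown($($dg.VirtualizationBasedSecurityStatus))" }

    # SecurityServicesRunning lists the services actually running on top of VBS
    # (0 = none, 1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity).
    $services = @($dg.SecurityServicesRunning) |
        Where-Object { [int]$_ -ne 0 } |
        ForEach-Object {
            switch ([int]$_) { 1 { 'CredentialGuard' } 2 { 'HVCI' } default { "Unknown($_)" } }
        }

    [PSCustomObject]@{
        SecureBootEnabled = [bool]$secureBoot
        VbsStatus         = $vbsStatus
        ServicesRunning   = if ($services) { $services -join ', ' } else { 'none' }
        # VBS on a vSphere VM is configured alongside Secure Boot; a guest reporting VBS
        # with Secure Boot off is worth correcting before the next power cycle.
        Consistent        = -not (($vbsStatus -ne 'NotEnabled') -and -not $secureBoot)
    }
}

Get-GuestSecurityState | Format-List
```

A freshly enabled Secure Boot VM that has not yet had VBS turned on reports SecureBootEnabled True, VbsStatus NotEnabled and ServicesRunning none.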

Configure Windows 10 for VBS


In this lesson, we will show how to enable Virtualization-Based Security (VBS) on a Windows 10 virtual machine.


 

Launch Google Chrome

 

If Google Chrome is not already open, perform the following step, otherwise you can skip this step if already open:

  1. Click the Google Chrome icon on the Quick Launch bar.

 

 

RegionA

 

Do the below step if you are opening a new Google Chrome browser window, otherwise you can skip this step:

  1. Click on the RegionA folder in the Bookmark Toolbar.
  2. Then click on RegionA vSphere Client (HTML).

 

 

Log into RegionA vCenter Server

 

If already logged into the RegionA vCenter server, you can skip the below steps. If you aren't, complete the below steps:

  1. Type administrator@corp.local in the User name: text field.
  2. Type VMware1! into the Password: text field.
  3. Click on the Login button.

 

 

Hosts and Clusters

 

  1. Click on the Hosts and Clusters icon in the Navigation pane.
  2. If need be, click on the arrow next to vcsa-01a.corp.local vCenter server and expand everything until you see the list of virtual machines.  

 

 

win10 - Power Off

 

  1. Right-click on the win10 virtual machine in the Navigation pane.
  2. Click on Power from the drop-down menu.
  3. Then click on Power Off from the Power drop-down menu.

 

 

win10 - Confirm Power Off

 

  1. Click on the YES button in the pop-up window to confirm power off.

 

 

win10 - Edit Settings

 

  1. Right-click on the win10 virtual machine in the Navigation pane.
  2. Then click on Edit Settings.

 

 

win10 - Enable Secure Boot

 

We are now going to verify that Secure Boot is enabled for the win10 virtual machine. If it isn't, make sure you select the check box to enable Secure Boot.

  1. Click on VM Options in the Edit Settings pop-up window.
  2. Click on the Enabled check box to enable Secure Boot.
  3. Then click on the OK button.

 

 

win10 - Power On

 

  1. Right-click on the win10 virtual machine in the Navigation pane.
  2. Click on Power from the drop-down menu.
  3. Then click on Power On from the Power drop-down menu.

 

 

win10 - VMs

 

  1. Click on the VMs and Templates icon in the Navigation pane.
  2. Click on the vcsa-01b.corp.local vCenter server in the Navigation pane.
  3. Then click on the VMs tab in the Content pane.

 

 

win10 - Show/Hide Columns

 

  1. Click on the down-arrow in the column heading.
  2. Click on Show/Hide Columns.
  3. Then scroll all the way to the bottom of the list using the scroll bar.
  4. Check the box to enable the TPM and VBS columns.
  5. Click anywhere in the blank area to get rid of the drop-down menu so you can see the TPM column now.

 

 

win10 - VBS Column

 

  1. We now see that the VBS column for the win10 virtual machine reflects Not Present.
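The TPM and VBS columns above, together with the Secure Boot setting from the Edit Settings step, can also be audited from PowerCLI. This is an added example, not part of the lab manual; it assumes PowerCLI is installed and a session to the lab vCenter is already open with Connect-VIServer, and that the property names used (VbsEnabled, VvtdEnabled, EfiSecureBootEnabled, VirtualTPM) are those of the vSphere 6.7 API.

```powershell
# Added example (not from the lab manual): PowerCLI audit of the VBS
# prerequisites the lab sets through the vSphere Client.
# Assumes: Connect-VIServer vcsa-01a.corp.local -User administrator@corp.local
function Get-VbsReadiness {
    param([string]$Name = '*')
    foreach ($vm in Get-VM -Name $Name) {
        $cfg = $vm.ExtensionData.Config
        # Hardware version string looks like 'vmx-14'; VBS needs 14 or later.
        $hw         = [int]($cfg.Version -replace '^vmx-', '')
        $secureBoot = [bool]$cfg.BootOptions.EfiSecureBootEnabled   # Secure Boot checkbox
        $iommu      = [bool]$cfg.Flags.VvtdEnabled                  # "Enable IOMMU" flag
        $vbs        = [bool]$cfg.Flags.VbsEnabled                   # what the VBS column shows
        # A vTPM appears as a VirtualTPM device in the hardware list (TPM column).
        $vtpm = [bool]($cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] })
        [pscustomobject]@{
            Name       = $vm.Name
            HwVersion  = $hw
            Firmware   = $cfg.Firmware        # 'efi' or 'bios'; VBS requires EFI
            SecureBoot = $secureBoot
            IOMMU      = $iommu
            VBS        = $vbs
            vTPM       = $vtpm
            # All VBS prerequisites the lab walks through, collapsed into one flag.
            VbsReady   = ($hw -ge 14 -and $cfg.Firmware -eq 'efi' -and $secureBoot -and $iommu)
        }
    }
}

# Same view as the TPM/VBS columns, plus the gaps that would block enabling VBS.
Get-VbsReadiness -Name 'win10' | Format-List
```

A VM that shows VBS = True but VbsReady = False is worth investigating, since the guest will not be able to start VBS without EFI, Secure Boot and IOMMU.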

 

 

win10 - Launch Web Console

 

  1. Click on the Hosts and Clusters icon in the Navigation pane.
  2. Click on the win10 virtual machine in the Navigation pane.
  3. Click on the Summary tab.
  4. Then click on the Launch Web Console link to open a console window for the virtual machine.

 

 

win10 - Desktop

 

  1. Click anywhere on the desktop to bring up the Login screen.

 

 

win10 - Login

 

  1. Type in VMware1! for the Password text field.
  2. Then click on the arrow icon to log into the virtual machine.

 

 

win10 - Launch PowerShell (Admin)

 

  1. Click on the Windows icon in the lower left-hand corner of the desktop.
  2. Then click on Windows PowerShell (Admin) in the menu.

 

 

PowerShell - Set-ExecutionPolicy

 

We need to first set the execution policy to allow us to run the DG_Readiness_Tool_v3.5.ps1 script.

  1. Type the following command in PowerShell to set the execution policy.
Set-ExecutionPolicy Unrestricted
  2. When prompted to confirm the change, type A to select Yes to All.
A

 

 

PowerShell - Change Directory & Run Script

 

  1. Type the following command in PowerShell to change the directory location.
cd C:\DG_Readiness_Tool_v3.5\
  2. Type the following command in PowerShell to run the DG Readiness Tool script.
./DG_Readiness_Tool_v3.5.ps1 -Capable -DG -CG -HVCI

 

 

PowerShell - Script Output

 

  1. We see from the output of the DG Readiness Tool script that Secure Boot is enabled for the win10 virtual machine. This is a requirement for enabling VBS.

 

 

Configure Windows 10 for VBS - Complete

In this lesson, we verified that the win10 virtual machine's settings have EFI firmware, Secure Boot, and Virtualization-Based Security (VBS) enabled.

 

Enable Device Guard & Credential Guard


 

In this lesson, we will use the Microsoft DG Readiness Tool to check the status of, enable, and disable Device Guard and Credential Guard on a Windows 10 machine. Below is some of the content from the ReadMe.txt file contained in the tool folder.

###########################################################################

Readiness Tool Version 3.4 Release.

Tool to check if your device is capable to run Device Guard and Credential Guard.

###########################################################################

OS and Hardware requirements for enabling Device Guard and Credential Guard

1. OS SKUs: Device Guard and Credential Guard are available only on these OS SKUs - Enterprise, Professional, Home, Education, Server and Enterprise IoT

2. OS Version: The minimum OS version to run the tool is Windows 10, Version 1607, or Windows Server 2016

3. Hardware: Recent hardware that supports virtualization extension with SLAT

###########################################################################

If Execution-Policy is not already set to allow running script, then you should manually set it as below and then use the readiness script:

Set-ExecutionPolicy Unrestricted

Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable] -[DG/CG/HVCI] -[AutoReboot] -Path

Log file with details is found here: C:\DGLogs

To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used

Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path <full path to the SIPolicy.p7b>

To enable only HVCI

Usage: DG_Readiness.ps1 -Enable -HVCI

To enable only CG

Usage: DG_Readiness.ps1 -Enable -CG

To Verify if DG/CG is e

Usage: DG_Readiness.ps1 -Ready

To Disable DG/CG.

Usage: DG_Readiness.ps1 -Disable

To Verify if DG/CG is disabled

Usage: DG_Readiness.ps1 -Ready

To Verify if this device is DG/CG Capable

Usage: DG_Readiness.ps1 -Capable

To Verify if this device is HVCI Capable

Usage: DG_Readiness.ps1 -Capable -HVCI

To auto reboot with each option

Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot

###########################################################################

When the Readiness Tool is run with '-capable', the following RegKey values are set:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities

CG_Capable

DG_Capable

HVCI_Capable

Value 0 = not possible to enable DG/CG/HVCI on this device

Value 1 = this device is capable of running DG/CG/HVCI, but some firmware/hardware/software needed for additional security qualifications are absent.

Value 2 = fully compatible for DG/CG/HVCI

###########################################################################

Helpful Resources:

PC OEM requirements for Device Guard and Credential Guard: https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx

Deploying Credential Guard: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard#hardware-and-software-requirements

Deploying Device Guard: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard

 


 

PowerShell - Clear The Screen

 

  1. Type the following command in the PowerShell to clear the screen.
clear

 

 

PowerShell - Enable Device Guard

 

  1. Type the following command in PowerShell to enable Device Guard.
./DG_Readiness_Tool_v3.5.ps1 -Enable -DG
  2. We see that we successfully enabled Device Guard (DG) on the win10 virtual machine.

 

 

PowerShell - Enable Credential Guard

 

  1. Type the following command in PowerShell to enable Credential Guard.
./DG_Readiness_Tool_v3.5.ps1 -Enable -CG

  2. We see that we verified that Credential Guard (CG) is enabled on the win10 virtual machine.

 

 

PowerShell - Verify Device Guard

 

  1. Type the following command in PowerShell to verify the status of Device Guard and Credential Guard.
./DG_Readiness_Tool_v3.5.ps1 -Ready

  2. Although we have enabled Device Guard (DG), it still reflects as not running. This is because we would have to reboot the win10 virtual machine and re-run the command for it to reflect that it is running. Because this is a lab environment, reconfiguring the win10 virtual machine during the reboot takes too long, so we will NOT actually reboot the win10 virtual machine to verify.

 

 

PowerShell - Close

 

  1. Click on the "X" of the PowerShell window to close it.

 

 

Close win10 Tab

 

  1. Click on the "X" of the win10 Google Chrome tab to close it.

 

 

win10 - Verify

 

Because this is a lab environment with limited resources on the virtual machines, we didn't reboot the win10 virtual machine. Normally we would reboot the Windows 10 machine and then re-run the PowerShell commands again to verify the status of Device Guard (DG) and Credential Guard (CG) being enabled.

  1. We see that the output reflects that Device Guard and Credential Guard are ENABLED and RUNNING. This is what we would have seen if we ran it against the win10 virtual machine in the lab environment.
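The post-reboot check the lab skips can be done without the readiness tool by reading the Capabilities registry values the tool writes with -Capable (described in the ReadMe above) and asking Windows itself what is configured and running. This is an added example, not part of the lab manual or the DG Readiness Tool; it assumes the Win32_DeviceGuard WMI class in root\Microsoft\Windows\DeviceGuard and its value encodings (VirtualizationBasedSecurityStatus 0/1/2; SecurityServices 1 = Credential Guard, 2 = HVCI), and is run from an elevated PowerShell inside the win10 guest.

```powershell
# Added example (not from the lab manual or the DG Readiness Tool).
function Get-DgStatus {
    # Values written by DG_Readiness_Tool -Capable, with the meanings from its ReadMe.
    $capPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities'
    $meaning = @{ 0 = 'not possible'; 1 = 'capable, some qualifications absent'; 2 = 'fully compatible' }
    $caps = @{}
    if (Test-Path $capPath) {
        $key = Get-ItemProperty -Path $capPath
        foreach ($n in 'DG_Capable', 'CG_Capable', 'HVCI_Capable') {
            $v = $key.$n
            $caps[$n] = if ($null -eq $v) { 'not set (run -Capable first)' }
                        else { "$v = $($meaning[[int]$v])" }
        }
    }

    # Assumed WMI class: Win32_DeviceGuard reports configured vs. actually running
    # services. "Configured but not running" is exactly the pre-reboot state seen above.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbsState = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }

    [pscustomobject]@{
        Capabilities    = $caps
        VBS             = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        CG_Configured   = [bool]($dg.SecurityServicesConfigured -contains 1)
        CG_Running      = [bool]($dg.SecurityServicesRunning    -contains 1)
        HVCI_Configured = [bool]($dg.SecurityServicesConfigured -contains 2)
        HVCI_Running    = [bool]($dg.SecurityServicesRunning    -contains 2)
    }
}

Get-DgStatus | Format-List
```

After the reboot the lab omits, CG_Running and HVCI_Running should both be True; if they stay False while the Configured fields are True, the guest prerequisites (EFI, Secure Boot, IOMMU, hardware version) are the first thing to check.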

 

 

Enable Device Guard & Credential Guard - Complete

In this lesson, we enabled and verified Device Guard (DG) and Credential Guard (CG) on the win10 virtual machine.

 

Conclusion


Congratulations on completing Module 6 which is the last module of the "HOL-1911-04-SDC - vSphere 6.7 Security Concepts and Implementation" lab!

In this module, we learned about the newly added vSphere 6.7 security feature that allows us to add a virtual TPM (vTPM) to a vSphere host. It does not require, and is not mapped to, a hardware Trusted Platform Module (TPM). This is accomplished by simply adding the vTPM as a new device, just like adding a new network card. Standard Microsoft drivers are used; again, no changes to the OS and no special software are needed. We also showed how to enable Virtualization-Based Security (VBS) on a Windows 10 virtual machine.

In this lesson, we performed several tasks such as:

 

Feel free to go back and skip to any other module below that you may be interested in doing again.


 

Resources (vTPM/Credential Guard/Device Guard):

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.

Below are some links to additional resources that we think you will find useful regarding vTPM, Credential Guard, and Device Guard.

 

 

 

OPTIONAL: How to End the Lab

 

NOTE: Understand that when you click the END button in the lab, it will close out the lab and delete the associated virtual machines. This means when the lab is re-launched, it will create a new lab instance with new virtual machines, not the ones used previously. Any and all previous settings will be lost and they will be back to the default settings from when the lab is first deployed.

You can now continue to the next module by clicking forward, or use the Table of Contents to skip to another desired Module.

If you'd like to end your lab, click on the END button.

Note: If you end your lab, you will need to re-register for the lab in order to take any other modules.

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1911-04-SDC

Version: 20181211-122544