Virtualization Internal Security Assessment

Why perform a Virtualization Internal Security Assessment?

• We have recently deployed our virtualized environment.
• We are looking for a technical review of virtualization controls.
• Our company is dependent on the security of our virtualized data center.
• We want to know how we compare to similar companies.
• We want to know which high risk issues to focus on.
• We want a second set of eyes on our virtualized systems.

The scope of our Virtualization Internal Security Assessment is informed by a variety of sources:

• Redspin Personnel's Experience — (covered in other sections) and Redspin's proprietary list of infrastructure vulnerabilities and control deficiencies collected during our work on hundreds on information security assessments over the last ten years.
• Best Practices — Redspin uses our own independent research, professional exchanges, industry and other recognized standards including ISO 27001 and NIST federal guidelines to keep our scope in line with the latest IT security, availability, and operational analysis appropriate for an organization's size and business operations complexity and technology presence.
• DISA — ESX Server, Security Technical Implementation Guide (STIG), DISA (Defense Information Systems Agency), April 2008.
• VMWare — vSphere 4.0 Hardening Guide, VMWare, January 2010.
• NIST — Risk Management Guide for Information Technology Systems (Special Publication 800-30), NIST (National Institute of Standards and Technology), October 2001.

• Are roles and responsibilities defined to enforce separation of duties?
• Do a limited number of unique users have access to the server console?
• Is access to the management console adequately documented and restricted to the necessary users?
• Is access to ISO images restricted and documented?
• Is there documentation that identifies who is responsible for each VM?
• Is copying or sharing VM files over networks and removable media restricted?

• How is access to protected information in a virtualized environment monitored?
• Is Network Time Protocol (NTP) enabled and using authentication?
• Are permissions sufficient on critical log files?
• Is centralized logging enabled and archived for a minimum of one year?
• When a virtual machine moves from one physical server to another is the action logged?

• How are unauthorized (end user, department, vendor) VM's prevented?
• Is a process is in place to prevent unpatched and misconfigured systems from being replicated?
• Are all critical VM system components patched on a regular basis?
• Is a procedure in place for the backup and recovery of all management servers and virtual machines?
• Are master templates created for each operating system in the virtualization environment?
• Is a process in place to update Anti-Virus software and signatures, and software patches of all powered-off VMs?

• Does the network architecture adequately segment ESX management functions?
• Does the management server have two physical Network Interface Cards (NICs) (one for VMs the other for service console)?
• Is the management console installed on a dedicated server?
• Is up-to-date documentation of the virtualization infrastructure, including all management servers, virtual machines, IP addresses, MAC addresses, virtual switches, operating systems, and virtual applications in place?
• Are test and development virtual machines separated from production virtual machines?

• Are resource management capabilities in use?
• Are any unnecessary software installed or unnecessary data stored on the management servers?
• Is a firewall used to restrict remote management access to the management servers?
• Has the default administrative password on the management servers been changed? If so, does the password meet best practices?
• Are screen savers and hibernation enabled on VMs?