Dell VBlock 240 1.2 Converged Infrastructure Security Configuration Guide PDF


Dell AMP Security Configuration Guide

September 2021 Rev. 3

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

2020 - 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Contents

Revision history  4
Chapter 1: Introduction  5
Chapter 2: Security overview  6
    Legal disclaimers  6
    Report security vulnerabilities  6
    Security deployment models  7
    Product and subsystem security  7
Chapter 3: AMP hardening guidelines  8
    Compute layer  8
        iDRAC hardening  8
        Cisco IMC security hardening  11
    Virtualization layer  13
        VMware vSphere VM hardening (VMware vSphere 7.0)  13
        VMware vSphere VM hardening (VMware vSphere 6.x)  17
    Storage layer  22
        Dell Unity and Dell Unity XT hardening controls  22
        VMware vSAN hardening  23
Chapter 4: Administrative user accounts  25
    AMP ports and protocols  27
    iDRAC ports and protocols  29

Revision history

Date            Document revision   Description of changes
September 2021  3                   Added support for Microsoft Windows 2019.
November 2020   2                   Added VMware vSphere 7.0 security controls.
July 2020       1                   Initial version

Introduction

This document provides guidance to mitigate security vulnerabilities and risks on the AMP Central and AMP-VX.

Security controls are provided for the AMP components. For security controls for VxBlock Systems, see the Dell VxBlock System Security Configuration Guide.

Not every function and security control is supported for all software or platform versions. Contact your Dell Technologies Sales Engineer if a product does not function properly or does not function as described in this document.

Audience

The target audience for this guide includes partners and customers who plan, implement, administer, or audit security controls in AMP environments.

The document assumes that the audience is familiar with:

- Dell storage, Cisco compute and networking, and VMware virtualization technologies
- AMP and VxBlock System concepts and terminology
- AMP and VxBlock System troubleshooting skills

Resources and support

Technical support, documentation, release notes, or software updates for Dell products can be found at Dell Support. A valid support agreement must be in place to open a service request. Contact your Dell Technologies Sales Engineer to obtain a support agreement or answer questions about your account.

Security overview

Product documentation, release notes, and security advisories and recommendations are provided as part of the Secure Development Cycle (SDL).

Security controls are provided for physical infrastructure, network, compute, storage, virtualization, and management layers of the VxBlock System. A security control map indicates the connections of a product or subsystem and security controls. Perform the following to assess overall security:

- Review security documentation from manufacturers of VxBlock System components that may be part of the deployment and integration of Dell Technologies products.
- Review the appropriate architecture overview or product guide for more information about system components.
- Use compensating security controls to reduce risk levels when known vulnerabilities exist in a product or one or more of its components.
- Assess what controls should be configured as part of the risk management and compliance process.
- Review available product documentation and engage with the sales account team and support personnel for specific security concerns.
- Use a risk-based approach to harden AMP Central and AMP-VX with VxBlock System components to ensure an appropriate balance between security and manageability.

Guidance is leveraged from Dell Technologies, VMware, and Cisco for security controls. The security controls provide a baseline that can be built on to meet the specific security needs of your organization.

Legal disclaimers

The information in this publication is provided "as is." Dell makes no representations or warranties regarding the information in this publication, and disclaims implied warranties of merchantability or fitness for a particular purpose.

Certain commercial entities, equipment, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by Dell, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding by laws or rules of governmental agencies.

Report security vulnerabilities

If you discover a security and compliance-related issue or vulnerability, report the issue to Dell.

See the Dell Vulnerability Response Policy.

The following security and compliance-related issues are addressed:

- Multitenant concerns
- Interface management:
    - Separation of duties
    - Identification
    - Authorization
    - Auditing
    - Access control
- Common security technologies
- Compliance frameworks and outcomes
- Advanced cloud solutions

Security deployment models

This security configuration guide and the Dell VxBlock System Security Configuration Guide provide security best practices to enhance the security posture of the AMP Central or AMP-VX environment.

Be familiar with the default AMP deployment model with the VxBlock System and other deployment scenarios that are defined in the architecture overview or product guide. These deployment options impact the security posture for the AMP and the management security zone where many security controls impact deployment into your data center environment.

Network security services to protect the management security zone are not part of the standard AMP deployment model. Consider deploying firewalls at the edge of the AMP management network to control access to management components.

References are provided to network management interfaces, ports, and protocols required for management and administrative operations. This can be used to create a baseline firewall rule set to provide required network access control for the management zone.

Product and subsystem security

Dell uses the security development life-cycle (SDL) process for product life-cycle programs. Dell makes every effort to detect and mitigate known vulnerabilities for each product release.

Certain product components or subcomponents may contain residual risks that could not be mitigated at the time of final release. Dell practices a responsible disclosure process for known vulnerabilities in its products.

SDL process

Dell provides product documentation, release notes, and security advisories and recommendations. Review security documentation from component manufacturers for scenarios that may be part of the deployment and integration of Dell products into production environments.

Dell may use compensating security controls to reduce risk levels when known vulnerabilities exist in a product or one or more of its components.

As part of the risk management and compliance process, assess which available controls should be configured. Review available product documentation and engage with the sales account team and support personnel for specific security concerns.

Strong passwords

Create strong passwords that you can remember but cannot be guessed. Do not write passwords down, or store them online.

Strong passwords use the following criteria:

- Contain both upper and lower case characters.
- Contain numerals and punctuation and letters.
- Are at least five alphanumeric characters long.
- Are not a word in any language, and are not slang, dialect, or jargon.
- Are not based on any type of personal information.

Weak passwords have the following attributes:

- Contain fewer than eight characters
- Appear in a dictionary (English or foreign)
- Use any other term that is guessed or found in common usage, such as:
    - The name of a family member, pet, or friend
    - A computing term or name, such as a command, site, company, model, or application
    - A birthday, address, or telephone number
    - A predictable letter pattern or number pattern, such as aaabbb or 123321
    - Any of the above, preceded or appended by a digit

Cisco NX-OS enables strong password checking when you create a password. If strong password checking is enabled after passwords are set, passwords are not retroactively validated.
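The strong- and weak-password attributes listed above, turned into a checker that can be run against a proposed password before it is set on iDRAC, Cisco IMC, or NX-OS. This is an added example, not Dell tooling; the small COMMON_TERMS word list is a constructed stand-in for a full dictionary, and the pattern tests (repeated runs, mirrored digits) are one reasonable reading of "predictable letter pattern or number pattern".

```python
import re
import string

# Constructed stand-in for a dictionary plus common computing terms; a real check
# would load full word lists. Example code, not part of the Dell guide.
COMMON_TERMS = {"password", "welcome", "summer", "admin", "root", "dell",
                "idrac", "vmware", "vsphere", "esxi", "cisco", "fluffy"}


def _has_pattern(value):
    """Predictable patterns named in the guide: runs such as aaabbb, mirrors such as 123321."""
    if re.search(r"(.)\1{2,}", value):      # three or more identical characters in a row
        return True
    return len(value) >= 4 and value == value[::-1]   # 123321 reads the same backwards


def _contains_term(value, terms, min_len=4):
    """Return the first term that appears inside value, ignoring very short terms."""
    for term in terms:
        if len(term) >= min_len and term in value:
            return term
    return None


def weak_reasons(password, personal_info=()):
    """List the guide's weak-password attributes that apply; an empty list means none."""
    reasons = []
    if len(password) < 8:
        reasons.append("fewer than eight characters")
    lowered = password.lower()
    # The guide treats a weak term that is merely preceded or appended by a digit as
    # still weak, so test both the raw value and the value with edge digits removed.
    for cand in {lowered, lowered.strip(string.digits)}:
        term = _contains_term(cand, COMMON_TERMS)
        if term:
            reasons.append("dictionary or common term: " + term)
        info = _contains_term(cand, [p.lower() for p in personal_info], min_len=3)
        if info:
            reasons.append("personal information: " + info)
        if _has_pattern(cand):
            reasons.append("predictable letter or number pattern")
    return sorted(set(reasons))


def is_strong(password, personal_info=()):
    """Strong-password criteria from the guide on top of the weak-password checks."""
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    alnum = sum(c.isalnum() for c in password)
    return all(classes) and alnum >= 5 and not weak_reasons(password, personal_info)


if __name__ == "__main__":
    for pw in ("Tq7#kLp9!vZ", "Summer2021!", "fluffy1", "123321"):
        print(pw, "strong" if is_strong(pw) else weak_reasons(pw))
```

The personal_info argument carries site-specific values (names, dates) that a dictionary cannot know; pass the ones relevant to the account being created.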


AMP hardening guidelines

This chapter provides specific configuration guidance on how to mitigate security risks for AMP Central and AMP-VX components.

Back up configurations and data prior to applying any security configuration change and test changes in a non-production environment.

Compute layer

AMP Central uses 4 to 16 Cisco UCS C220 M5 servers, which include Cisco Integrated Management Controller (IMC) firmware and a server operating system for OOB management. AMP-VX provides 4 to 8 Dell PowerEdge R640 generation 14 rack servers with iDRAC to host virtual workloads for OOB management.

iDRAC hardening

Control descriptions, risk, vulnerabilities, and remediation procedures are provided for iDRAC for AMP-VX only.

Modify iDRAC passwords

Description

Change passwords for all default accounts configured during the initial system build.

Risk and vulnerability

If default passwords are not changed, attackers may use these accounts to compromise the production system.

Remediation

1. Log in to the iDRAC interface as root.
2. From the top menu bar, select iDRAC Settings > Users.
3. Select the root username and click Edit.
4. Enter a new root password and click Save.

Disable Telnet for iDRAC

Description

Telnet provides clear text data to virtual terminals.

Risk and vulnerability

If Telnet is not disabled, attackers may gain unauthorized access and compromise the system.

Remediation

1. Log in to the iDRAC interface as root.
2. Under iDRAC Settings, select Services > Telnet.
3. Select Disabled and click Apply.

Disable SSH for iDRAC

Description

SSH provides a secure, encrypted channel for communication with remote terminals.

Risk and vulnerability

If unnecessary services are used, attackers may gain unauthorized access and compromise the system.

Remediation

1. Log in to the iDRAC interface as root.
2. Select iDRAC Settings > Services > SSH.
3. Select Disabled and click Apply.

Disable IPMI for iDRAC

Description

Disable the IPMI protocol.

Risk and vulnerability

If IPMI is not disabled, attackers may enumerate IPMI privileged accounts and bypass authentication to perform low-level operations against the servers.

Remediation

1. Log in to the iDRAC interface as root.
2. From the top menu bar of the iDRAC interface, select iDRAC Settings > Connectivity > Network.
3. Select IPMI Settings.
4. Under Enable IPMI over LAN, select Disabled and click Apply.

Use secure communications

Description

Use secure communication such as HTTPS (TCP port 443) for remote access to Dell servers.

Risk and vulnerability

If secure communication is not used for remote sessions, attackers may access sensitive information and data transmissions.

Remediation

1. Log in to the iDRAC interface as root.
2. From the top menu bar, select iDRAC Settings > Services.
3. Select Web Server.
4. Next to Enabled, select Enabled.
5. Next to TLS Protocol, select TLS 1.2 Only.
6. Click Apply.

Configure SNMP v3

Description

SNMPv3 introduces encryption, integrity checks, and an improved user authentication model over previous versions of SNMP.

Risk and vulnerability

If SNMPv3 is not used, security is not as robust and does not include encryption or integrity checks.

Remediation

1. Log in to the iDRAC interface as root.
2. From the top menu bar, select iDRAC Settings > Services.
3. Select SNMP Agent.
4. From SNMP Protocol, select SNMP v3 and click Apply.

Disable VNC for iDRAC

Description

Disable VNC.

Risk and vulnerability

If VNC is not disabled for remote access to iDRAC for administrative tasks, attackers have a greater attack surface.

Remediation

1. Log in to the iDRAC interface as root.
2. From the top menu bar of the iDRAC interface, select Configuration > Virtual Console.
3. Under VNC Server, next to Enable VNC Server, select Disabled and click Apply.

Disable the USB XML import

Description

Disable the XML configuration file import directly from the USB port. The USB port allows iDRAC management access from a laptop or tablet that is connected to the USB port.

Risk and vulnerability

If the XML configuration file import is not disabled, arbitrary configuration files may be uploaded to the server.

Remediation

1. See the Dell AMP-VX Product Guide to evacuate VMs and place the VMware vSphere ESXi server in maintenance mode. Perform this action before the reboot, since this host is part of a VMware vSAN cluster.
2. Log in to the iDRAC interface as root.
3. From the top menu bar of the iDRAC interface, under Dashboard, use the drop-down menu next to Graceful Shutdown, and select Restart system (warm boot).
4. Click Launch Virtual Console to access the server virtual console as the system restarts.
5. During system startup, press F2 to enter BIOS.
6. Go to System Setup and select iDRAC Settings.
7. From iDRAC Settings, select Settings.
8. Select Management USB Settings.
9. From iDRAC Managed: USB XML Configuration, select Disabled from the drop-down menu.
10. Click Apply.

Configure syslog

Description

Centralizing logs increases administration and security investigation capabilities. By configuring hosts to use a central logging server, aggregate analysis and searches are possible and provide visibility into events impacting multiple hosts.

Risk and vulnerability

If logs are not centrally managed, operational or security-related alerts and events may be missed.

Remediation

1. Log in to the iDRAC interface as root.
2. From the top menu bar of the iDRAC interface, select Configuration > System Settings.
3. Select Remote Syslog Settings.
4. Next to Remote Syslog, select Enabled.
5. Enter up to three syslog server IP addresses specific to your site.
6. Click Apply.

Configure NTP

Description

NTP is used to synchronize time updates from a centralized source to systems on a network. Setting all system components to the same time source ensures system stability and accuracy of log timestamps.

Risk and vulnerability

If a consistent time source is not used, event detection and audits are difficult and inaccurate.

Remediation

1. Log in to the iDRAC interface as root.
2. From the top menu bar, select iDRAC Settings > Settings.
3. Under Time Zone and NTP Settings, next to Enable Network Time Protocol (NTP), select Enabled.
4. Enter up to three NTP server IP addresses specific to your site.
5. Click Apply.

Disable BIOS USB

Description

Disable unused, integrated USB ports.

Risk and vulnerability

If unused USB ports are not disabled, attackers may use the ports to introduce malware to the server.

Remediation

1. Log in to the iDRAC interface as root.
2. From the top menu bar, select Configuration > BIOS Settings.
3. Select Integrated Devices.
4. Next to Internal USB Port, select Off.
5. Click Apply.

Disable RACADM remote

Description

RACADM provides CLI scripting capability to control and configure the servers. Remote RACADM allows RACADM tools to run on a workstation to remotely run commands against the iDRAC interface on the server.

Risk and vulnerability

If the remote RACADM interface is not disabled, attackers may remotely issue commands against the server.

Remediation

1. Log in to the iDRAC interface as root.
2. From the top menu bar, select iDRAC Settings > Services.
3. Select Remote RACADM.
4. Select Disabled.
5. Click Apply.

Disable iDRAC SOL

Description

You can access iDRAC through serial-over-LAN (SOL) for remote access to the server using SSH. iDRAC can connect to server serial ports (com1 or com2, depending on the BIOS setting) to run commands.

Risk and vulnerability

If iDRAC SOL is not disabled, attackers may remotely issue commands against the server.

Remediation

1. From the iDRAC interface, select iDRAC Settings > Connectivity.
2. Select Serial Over LAN.
3. Next to Enable Serial Over LAN, select Disabled.
4. Click Apply.
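The iDRAC controls above are GUI steps; for auditing them across 4 to 8 AMP-VX hosts it helps to compare the iDRAC attribute set against an expected baseline. The example below is added here and is not Dell tooling: it takes the "Attributes" object that an iDRAC returns over Redfish for its manager Attributes resource (fetching it with an HTTPS client is left out so the example runs offline on a constructed sample). The attribute names used in BASELINE are assumed from the iDRAC attribute registry and must be confirmed against the registry of your firmware version before use.

```python
import json

# Expected values for the controls in the iDRAC hardening section. Attribute names are
# assumed (iDRAC attribute registry as exposed over Redfish); verify them for your firmware.
BASELINE = {
    "Telnet.1.Enable":            ("Disabled",     "Disable Telnet for iDRAC"),
    "SSH.1.Enable":               ("Disabled",     "Disable SSH for iDRAC"),
    "IPMILan.1.Enable":           ("Disabled",     "Disable IPMI for iDRAC"),
    "WebServer.1.Enable":         ("Enabled",      "Use secure communications"),
    "WebServer.1.TLSProtocol":    ("TLS 1.2 Only", "Use secure communications"),
    "SNMP.1.SNMPProtocol":        ("SNMPv3",       "Configure SNMP v3"),
    "VNCServer.1.Enable":         ("Disabled",     "Disable VNC for iDRAC"),
    "SysLog.1.SysLogEnable":      ("Enabled",      "Configure syslog"),
    "NTPConfigGroup.1.NTPEnable": ("Enabled",      "Configure NTP"),
    "Racadm.1.Enable":            ("Disabled",     "Disable RACADM remote"),
    "IPMISOL.1.Enable":           ("Disabled",     "Disable iDRAC SOL"),
}

# Constructed sample response body: a host where SSH and IPMI over LAN were left
# enabled and the web server still accepts TLS 1.1.
SAMPLE_RESPONSE = json.dumps({
    "Attributes": {
        "Telnet.1.Enable": "Disabled",
        "SSH.1.Enable": "Enabled",
        "IPMILan.1.Enable": "Enabled",
        "WebServer.1.Enable": "Enabled",
        "WebServer.1.TLSProtocol": "TLS 1.1 and Higher",
        "SNMP.1.SNMPProtocol": "SNMPv3",
        "VNCServer.1.Enable": "Disabled",
        "SysLog.1.SysLogEnable": "Enabled",
        "NTPConfigGroup.1.NTPEnable": "Enabled",
        "Racadm.1.Enable": "Disabled",
        "IPMISOL.1.Enable": "Disabled",
    }
})


def audit(attributes):
    """Compare an attribute dict to BASELINE.

    Returns a list of (attribute, control, actual, expected) findings. An attribute the
    controller does not report is a finding as well, because the control cannot be
    confirmed from the data.
    """
    findings = []
    for attr, (expected, control) in BASELINE.items():
        actual = attributes.get(attr)
        if actual is None:
            findings.append((attr, control, "<not reported>", expected))
        elif actual != expected:
            findings.append((attr, control, actual, expected))
    return findings


def audit_response(body):
    """Audit the JSON body of a Redfish Attributes resource."""
    return audit(json.loads(body).get("Attributes", {}))


if __name__ == "__main__":
    for attr, control, actual, expected in audit_response(SAMPLE_RESPONSE):
        print("%-28s %-30s found %r, expected %r" % (attr, control, actual, expected))
```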

Cisco IMC security hardening

Control descriptions, risks, vulnerabilities, and remediation are provided for the Cisco IMC CLI.

Modify the Cisco IMC password

Description

Default accounts and passwords are set up during the initial system build.

Risk and vulnerability

If default passwords are not changed, attackers may gain unauthorized access to the system.

Remediation

1. From the Cisco IMC CLI, SSH as root.
2. Enter:

   Server# show user
   Server# scope user <user-id>

3. To set the password, enter:

   Server/user# set password

Disable Cisco IMC HTTP or redirect HTTP to HTTPS

Description

HTTPS uses an SSL certificate which creates a secure, encrypted connection between the server and the browser.

Risk and vulnerability

If the HTTP service is not disabled or redirected to HTTPS, sensitive information may be stolen when transferred between the server and the browser.

Remediation

1. From the Cisco IMC CLI, SSH as root.
2. Enter:

   Server# scope http

3. To disable HTTP, enter:

   Server/http# set enabled no

4. To enable HTTP and redirect to HTTPS, enter:

   Server/http# set enabled yes
   Server/http# set http-redirect yes

5. To commit changes, enter:

   Server/http# commit

Configure NTP for Cisco IMC

Description

NTP synchronizes time updates from a centralized source to systems on a network. Setting all system components to the same time source ensures system stability and accuracy of log timestamps.

Risk and vulnerability

If a centralized, consistent time source is not used, event detection and audits may be inaccurate.

Remediation

1. From the Cisco IMC CLI, SSH as root.
2. Enter:

   Server# scope CIMC
   Server/CIMC# scope network
   Server/CIMC/network# scope ntp

3. To enable the NTP service and set one or more servers, enter:

   Server/CIMC/network/ntp# set enabled yes
   Server/CIMC/network/ntp# set server-1 <ntp-server-address>
   Server/CIMC/network/ntp# set server-2 <ntp-server-address>

4. To commit changes, enter:

   Server/CIMC/network/ntp# commit

Configure Cisco IMC remote logging

Description

Secure centralized logging allows aggregate analysis and the ability to monitor for coordinated attacks on multiple hosts. Remote logging also helps prevent log tampering and provides a long-term audit record.

Risk and vulnerability

If remote logging is not enabled, log review or event order may be compromised, and important system events may be missed.

Remediation

1. From the Cisco IMC CLI, SSH as root.
2. Enter:

   Server# scope CIMC
   Server/CIMC# scope log
   Server/CIMC/log# scope server
   Server/CIMC/log/server# show server

3. If IPv4 is used, enter:

   Server/CIMC/log/server# set server-ipv4 <syslog-server-ipv4-address>

4. If IPv6 is used, enter:

   Server/CIMC/log/server# set server-ipv6 <syslog-server-ipv6-address>

Enable the security configuration for FIPS 140-2 compliance in Cisco IMC (optional)

Description

The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2) is a U.S. government computer security standard that is used to approve cryptographic modules. The module provides FIPS 140 validated cryptographic algorithms and KDF functionality for services such as IPsec (IKE), SRTP, SSH, TLS, and SNMP.

Risk and vulnerability

FIPS 140-2 is a requirement for many customers, such as financial customers and Federal entities. If FIPS is not enabled, the system does not meet the standard for cryptographic modules.

Remediation

1. From the Cisco IMC CLI, SSH as root.
2. Enter:

   Server# scope CIMC
   Server/CIMC# scope security-configuration

3. To enable FIPS mode and commit the change, enter:

   Server/CIMC/security-configuration# set fips enabled
   Server/CIMC/security-configuration# commit

   To turn it off again, use set fips disabled followed by commit.

Virtualization layer

Data at Rest Encryption (D@RE) and Data in Transit Encryption are provided for data security in the VMware vSphere virtualization environment. Virtualization hardening often uses VMware Tools, which may not be the best choice for security-sensitive environments.

D@RE

Data encryption prevents access to data by an unauthorized entity. VMware vSphere provides VM-level encryption capability using a KMIP key management server (KMS). Once enabled, VMware vCenter Server requests key encryption keys (KEKs) from the KMS. VMware vSphere ESXi hosts generate data encryption keys (DEKs) and use KEKs to encrypt those keys. DEKs are used to encrypt and decrypt the VM VMDK files.

VMware vSphere offers VMware vSAN encryption at the datastore level.

Data in Transit Encryption

VMware vSphere vMotion encryption protects VM data when it traverses across data centers or over long distances. VMware vSphere ESXi hosts that participate in VMware vSphere vMotion use a VMware vCenter AES key to encrypt and decrypt VMware vSphere vMotion traffic. A key is generated for each VMware vSphere vMotion session and discarded at the end of the session.

VMware vSphere VM hardening (VMware vSphere 7.0)

Control descriptions, risks, vulnerabilities, and remediation are provided for VMware ESXi VMs; the procedures are performed on-site.

Limit informational messages from the VM to the VMX file

Description

Informational messages from the VM to the VMX file may fill the datastore to capacity.

Risk and vulnerability

If informational messages are not limited and datastore capacity is exceeded, excessive messages may cause a DoS.

Remediation

1. From the VMware vSphere Client inventory, browse to the VM.
2. Right-click the VM and click Edit Settings.
3. Click VM Options.
4. Click Advanced and click Edit Configuration.
5. Add or edit the tools.setInfo.sizeLimit parameter.

   NOTE: The default setting for tools.setInfo.sizeLimit is 1 MB even if the parameter is not displayed.

6. Click OK.

Prevent virtual disk shrinking

Description

Nonadministrative users in a guest operating system may shrink virtual disks and reclaim unused space on the disk.

Risk and vulnerability

If the virtual disk is repeatedly shrunk, the disk may become unavailable and cause a DoS.

Remediation

1. From the VMware vSphere Client inventory, browse to the VM.
2. Right-click the VM and click Edit Settings.
3. Click VM Options.
4. Click Advanced and click Edit Configuration.
5. Add or edit the isolation.tools.diskWiper.disable parameter.
6. Click OK.

Minimize use of the VM console

Description

Users with access to the VM console have access to VM power management and removable device connectivity controls.

Risk and vulnerability

If VM console access is not managed, attackers may launch a malicious attack on a VM.

Remediation

Limit connections to the VM console. Use native remote management services (terminal services and SSH) to interact with VMs. Grant access to the VM console only when necessary.

In a highly secure environment, limit the VM console connection to one:

1. In the VMware vSphere Client, power off the VM.
2. Right-click the VM and select Edit Settings.
3. Select the VM Options tab.
4. Expand VMware Remote Console Options and enter the maximum number of sessions.

Prevent VMs from excessive consumption of resources

Description

All VMs on a VMware vSphere ESXi host equally share resources, by default. Leave shares set to the default in each resource pool to ensure that each VM receives the same resource priority. With this setting, a single VM cannot use more resources than other VMs in the resource pool.

Risk and vulnerability

If one VM consumes excessive host resources, functions may be limited for other VMs and cause a DoS.

Remediation

- Provision each VM with enough resources (CPU and memory) to function properly.
- Use shares to guarantee resources to critical VMs.
- Limit connections to the VM console.
- Group VMs with similar requirements into resource pools.

Disable unnecessary VM functions

Description

Evaluate whether a particular service or function is necessary for a VM. VMs do not require as many services or functions as physical servers.

Risk and vulnerability

If unnecessary services are running on a VM, attackers may launch a malicious attack on a VM.

Remediation

Perform the following:

- Disable unused services in the operating system.
- Disconnect unused CD/DVD drives, floppy drives, and USB adapters.
- Disable unused functionality, such as unused display features or VMware Shared Folders.
- Turn off screen savers.
- Do not run the X Window system on top of Linux, BSD, or Solaris guest operating systems.

Remove unnecessary hardware devices

Description

Users and processes with privileges on a VM can manage hardware devices and breach VM security. Remove unnecessary hardware devices to help prevent attacks.

Risk and vulnerability

If an attacker is able to connect to a disconnected hardware device, they may access sensitive information. If an attacker disconnects a NIC to isolate the VM from its network, they may cause a DoS.

Remediation

Do not connect unauthorized devices to the VM. Ensure that only required devices are connected to a VM. VMs rarely use serial or parallel ports. CDs or DVDs are connected only temporarily during software installation.

1. From the VMware vSphere Client inventory, browse to the VM.
2. Right-click the VM and click Edit Settings.
3. Disable hardware devices that are not required.
4. Include checks for the following devices:
   - Floppy drives
   - Serial ports
   - Parallel ports
   - USB controllers
   - CD-ROMs

Disable unused display features

Description

Disable privileges to connect to NICs and CD-ROMs. User modification of devices is disabled by default.

Risk and vulnerability

Attackers may use an unused display feature as a vector to insert malicious code into your environment.

Remediation

1. From the VMware vSphere Client inventory, browse to the VM.
2. Right-click the VM and click Edit Settings.
3. Select VM Options.
4. Click Advanced and click Edit Configuration. Use the following table to set options:

   Option          Description
   svga.vgaonly    If you set this parameter to TRUE, advanced graphics functions no longer work. Only character-cell console mode is available. If you use this setting, mks.enable3d has no effect.
                   Note: Apply this setting only to VMs that do not need a virtualized video card.
   mks.enable3d    Set this parameter to FALSE on VMs that do not require 3D functionality.

Disable unexposed features

Description

VMware VMs can work both in a VMware vSphere environment and on hosted platforms such as VMware Workstation and VMware Fusion. Some VM parameters are not required when you run a VM in a VMware vSphere environment.

Risk and vulnerability

Disable these parameters to reduce the potential for vulnerabilities.

Remediation

1. Turn off the VM.
2. From the VMware vSphere Client inventory, browse to the VM.
3. Right-click the VM and click Edit Settings.
4. Select VM Options.
5. Select Advanced and click Edit Configuration.
6. Set the following parameters to TRUE by adding them or editing them:
   - isolation.tools.unity.push.update.disable
   - isolation.tools.ghi.launchmenu.change
   - isolation.tools.memSchedFakeSampleStats.disable
   - isolation.tools.getCreds.disable
   - isolation.tools.ghi.autologon.disable
   - isolation.bios.bbs.disable

Disable VMware Shared Folders from sharing host files to VMs

Description

In high-security environments, disable Shared Folders from sharing host files to certain components to minimize the risk.

Risk and vulnerability

An attacker may use HGFS to transfer files and compromise the guest operating system.

Remediation

1. From the VMware vSphere Client inventory, browse to the VM.
2. Right-click the VM and click Edit Settings.
3. Select VM Options.
4. Select Advanced and click Edit Configuration.
5. Verify that the isolation.tools.hgfsServerSet.disable parameter is set to TRUE (prevents the VMX process from receiving notification from each service, daemon, or upgrade process).
6. (Optional) Verify that the isolation.tools.hgfs.disable parameter is set to TRUE (disables the unused VMware Shared Folders feature for sharing host files to the VM).

NOTE: Modifying the parameters affects the Shared Folders feature, but does not affect the HGFS server running as part of Tools in the guest VMs. These parameters do not affect the autoupgrade and VIX commands that use the Tools file transfers.

Prevent a VM user or process from disconnecting devices

Description

Prevent VM users and processes running in the guest operating system from making any changes to the devices.

Risk and vulnerability

If VM users are able to connect or disconnect devices (NIC and CD-ROM drives) and can modify device settings, the system may be compromised.

Remediation

1. From the VMware vSphere Client inventory, browse to the VM.
2. Right-click the VM and click Edit Settings.
3. Select VM Options.
4. Click Advanced and click Edit Configuration.
5. Verify that isolation.device.connectable.disable and isolation.device.edit.disable are set to TRUE.

NOTE: These settings do not affect a VMware vSphere administrator's ability to connect or disconnect the devices that are attached to the VM.

Prevent guest operating system processes from sending configuration messages to the host

Description Prevent guest operating system processes from sending messages to the host that may modify configuration settings.

Risk and vulnerability

Guest operating system processes that are able to write name-value pairs to the configuration file may cause a DoS.

Remediation
1. Turn off the VM.
2. From the VMware vSphere Client inventory, browse to the VM.
3. Right-click the VM and click Edit Settings.
4. Select VM Options.
5. Select Advanced and click Edit Configuration.
6. Verify that the isolation.tools.setinfo.disable parameter is set to TRUE.

VMware vSphere VM hardening (VMware vSphere 6.x)

Control descriptions, risks, vulnerabilities, and remediation are provided for VMware ESXi VMs.

Disable nonpersistent disk mode for VMs

Description Nonpersistent disk mode allows attackers to remove traces of their presence on a machine with a shutdown or reboot.

Risk and vulnerability

Without evidence of activity or a persistent record of activity on a VM, administrators may not know whether they have been hacked.

Remediation Set production VMs to persistent disk mode. Log VM activity on a separate server, such as a syslog or equivalent event collector.
1. From the PowerCLI, to set the disks of all VMs to persistent mode, enter:

Get-VM | Get-HardDisk | Set-HardDisk -Persistence "Persistent"

2. To verify settings (lists any disk that is not in persistent mode), enter:

Get-VM | Get-HardDisk | where {$_.Persistence -ne "Persistent"} | Select Parent,Name,Filename,DiskType,Persistence

From the vCLI, enter:

grep -i "^scsi[0-9]*:[0-9]*.mode" [VMX]

1. Log in to the VMware vSphere Client (HTML5) as an SSO local administrator.
2. From the navigation Menu, select Shortcuts > VMs and Templates, then power off VMs.
3. For each VM, select Edit Settings > VM Options.
4. On the VM Options tab, expand Advanced.
5. Click Edit Configuration.
6. Click Add Configuration Params.
7. Enter the name and value and click OK.
8. Click OK to close the settings screen.

Disable unused services on VMs (on-site)

Description Some VM parameters that apply to other virtualization platforms are not required on VMware vSphere.

Risk and vulnerability

Unused services give attackers a larger attack surface.

Remediation
1. From the PowerCLI, power off VMs.
2. Create the following text file (C:\isolation_para.txt), one parameter per line:

isolation.tools.ghi.autologon.disable
isolation.bios.bbs.disable
isolation.tools.getCreds.disable
isolation.tools.ghi.launchmenu.change
isolation.tools.memSchedFakeSampleStats.disable
isolation.tools.ghi.protocolhandler.info.disable
isolation.ghi.host.shellAction.disable
isolation.tools.dispTopoRequest.disable
isolation.tools.trashFolderState.disable
isolation.tools.ghi.trayicon.disable
isolation.tools.unity.disable
isolation.tools.unityInterlockOperation.disable
isolation.tools.unity.push.update.disable
isolation.tools.unity.taskbar.disable
isolation.tools.unityActive.disable
isolation.tools.unity.windowContents.disable
isolation.tools.vmxDnDVersionGet.disable
isolation.tools.guestDnDVersionSet.disable
isolation.tools.autoinstall.disable
isolation.tools.hgfsServerSet.disable
isolation.monitor.control.disable
isolation.tools.diskWiper.disable

3. To add each parameter to every VM, enter:

(Get-Content C:\isolation_para.txt) | foreach {Get-VM | New-AdvancedSetting -Name $_ -Value $true -Confirm:$false}

4. To verify the settings, enter:

(Get-Content C:\isolation_para.txt) | foreach {Get-VM | Get-AdvancedSetting -Name $_ | Select Entity, Name, Value}

Disable VM shared folders from sharing files to the VM (on-site only)

Description VMware Tools uses the host-guest file system (HGFS) to transfer files between the guest operating system and the host operating system.

Risk and vulnerability

If the host-guest file system is not disabled, attackers may be able to transfer files into the guest operating system.

Remediation
1. From the VMware ESXi host or VMware vCenter Server, to add the setting with PowerCLI, enter:

Get-VM | New-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable -Value true

2. If the setting already exists, to disable HGFS by updating it, enter:

Get-VM | Get-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable | Set-AdvancedSetting -Value true

1. Log in to the VMware vSphere Client (HTML5) as an SSO local administrator.
2. From the navigation Menu, select Shortcuts > VMs and Templates.
3. For each VM, click Edit Settings.
4. Select VM Options > Advanced > Edit Configuration.
5. Verify that the isolation.tools.hgfsServerSet.disable parameter is set to TRUE. TRUE prevents the VMX process from receiving notification of host-guest file system server capability from each VMware Tools service, daemon, or upgrader process.
6. (Optional) Verify that the isolation.tools.hgfs.disable parameter is set to TRUE.

Power off VMs to configure the advanced settings through the VMware vSphere HTML5 Client. Configure these settings with PowerCLI while the VM is turned on.

Disable VM console copy and paste (on-site only)

Description Explicitly disable copy/paste operations.

Risk and vulnerability

Copy and paste operations are disabled by default. If you explicitly disable this feature, audit controls can check that this setting is correct.

Remediation
1. From the PowerCLI, to list the VMs on which copy is not disabled, enter:

Get-VM | Get-AdvancedSetting -Name "isolation.tools.copy.disable" | where {$_.Value -eq "false"} | Select Entity, Name, Value

2. To disable paste for all VMs, enter:

Get-VM | New-AdvancedSetting -Name "isolation.tools.paste.disable" -Value $true

3. To list the VMs on which paste is not disabled, enter:

Get-VM | Get-AdvancedSetting -Name "isolation.tools.paste.disable" | where {$_.Value -eq "false"} | Select Entity, Name, Value

4. To disable copy for all VMs, enter:

Get-VM | New-AdvancedSetting -Name "isolation.tools.copy.disable" -Value $true

From the vCLI, enter:

esxcli software acceptance get
esxcli software vib list
esxcli software acceptance set --level

1. Log in to the VMware vSphere Client (HTML5) as an SSO local administrator.
2. From the navigation Menu, select Shortcuts > VMs and Templates.
3. For each VM, right-click and select Edit Settings.
4. On the VM Options tab, expand Advanced.
5. Click Edit Configuration.
6. Click Add Configuration Params and add isolation.tools.copy.disable with a value of True.
7. Click OK.
8. Click OK to close the settings screen.

Disable VM virtual disk shrinking wiper and shrink (on-site only)

Description Shrinking a virtual disk reclaims unused space on the host and reduces the disk file size by the amount of space reclaimed in the wipe process. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Users and processes without root or administrator privileges in VMs can shrink a virtual disk. A nonroot user cannot wipe the parts of the virtual disk that require root-level permissions.

Risk and vulnerability

If virtual disk shrinking is not disabled, attackers may access sensitive information.

Remediation
1. From the PowerCLI, turn off VMs before restricting shrinking.
2. To restrict shrinking of virtual disks, enter:

Get-VM -Name <vm_name> | New-AdvancedSetting -Name isolation.tools.diskWiper.disable -Value $true
Get-VM -Name <vm_name> | New-AdvancedSetting -Name isolation.tools.diskShrink.disable -Value $true

3. To verify settings, enter:

Get-VM -Name <vm_name> | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | where {$_.Value -eq "false"} | Select Entity, Name, Value
Get-VM -Name <vm_name> | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | where {$_.Value -eq "false"} | Select Entity, Name, Value

1. Log in to the VMware vSphere Client (HTML5) as an SSO local administrator.
2. From the navigation Menu, select Shortcuts > VMs and Templates.
3. For each VM, right-click the VM and select Edit Settings.
4. Select VM Options.
5. Click Advanced > Edit Configuration.
6. Click Add Configuration Params.
7. Add or edit the following parameters:

isolation.tools.diskWiper.disable: True
isolation.tools.diskShrink.disable: True

8. Click OK.
9. Click OK to close the settings screen.

Remove VM virtual drives

Description The autoinstall tool may initiate a reboot after installation.

Risk and vulnerability

If autoinstall is not disabled, some tools may initiate an automatic reboot that disrupts the environment.

Remediation
1. From the PowerCLI, power off VMs.
2. To delete all virtual drives that are attached to VMs, enter:

Get-VM -Name <vm_name> | Get-FloppyDrive | Remove-FloppyDrive
Get-VM -Name <vm_name> | Get-CDDrive | Remove-CDDrive

3. To verify settings, enter:

Get-VM -Name <vm_name> | Get-AdvancedSetting -Name isolation.tools.autoinstall.disable | Select Entity, Name, Value
Get-VM -Name <vm_name> | Get-CDDrive | Select -Property *

From the VMware vCenter HTML5 Client, ensure that floppyX.present is NOT present or is set to FALSE, unless floppy drives are required.

Prevent VM user modification of devices (on-site only)

Description Disable privileges to connect to NIC and CD-ROM drives. User modification of devices is disabled by default.

Risk and vulnerability

If devices can be modified, attackers may connect a disconnected CD-ROM drive and access sensitive information on media left in the drive. An attacker may also disconnect a NIC to isolate the VM from its network.

Remediation
1. From the PowerCLI, power off VMs.
2. To disable edit access to the VM devices, enter:

Get-VM -Name <vm_name> | New-AdvancedSetting -Name isolation.device.edit.disable -Value true
Get-VM -Name <vm_name> | New-AdvancedSetting -Name isolation.device.connectable.disable -Value true

3. To verify settings, enter:

Get-VM -Name <vm_name> | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select Entity, Name, Value

4. To add the setting to all VMs, enter:

Get-VM -Name <vm_name> | New-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable -Value true

5. To verify settings, enter:

Get-VM -Name <vm_name> | Get-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable | Select Entity, Name, Value

1. Log in to the VMware vSphere Client (HTML5) as an SSO local administrator.
2. From the navigation Menu, select Shortcuts > VMs and Templates.
3. Power off each VM.
4. Browse to the VM.
5. Right-click the VM and select Edit Settings.
6. Select VM Options.
7. Select Advanced > Edit Configuration.
8. Click Add Configuration Params.
9. Verify that the following values are in the Name and Value columns:

isolation.device.connectable.disable: True
isolation.device.edit.disable: True

10. Click OK twice.

Configure the VM informational message limit

Description The configuration file containing name-value pairs is limited to 1 MB. You can increase this value if large amounts of custom information are stored in the configuration file.

Risk and vulnerability

If the size of the informational message .vmx file is not controlled, the system may deny service if the datastore is filled. Ensure the VMware VMX configuration file is configured to 1 MB.

Remediation 1. For the PowerCLI, power off VMs. 2. To add the setting to all VMs, enter:

Get-VM -Name <vm_name> | New-AdvancedSetting -Name tools.setInfo.sizeLimit -Value 1048576

3. To verify settings, enter:

Get-VM -Name <vm_name> | Get-AdvancedSetting -Name tools.setInfo.sizeLimit | Select Entity, Name, Value

Disable VM host performance information (on-site only)

Description Disable host performance information unless a particular VM requires this information for performance monitoring.

Risk and vulnerability

If host performance information about a physical host is not disabled, an attacker may use this information to perform attacks on the host.

Remediation 1. For the PowerCLI, power off VMs. 2. To add the setting to all VMs, enter:

Get-VM -Name <vm_name> | New-AdvancedSetting -Name tools.guestlib.enableHostInfo -Value $false

3. To verify settings, enter:

Get-VM -Name <vm_name> | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select Entity, Name, Value

1. Log in to the VMware vSphere Client (HTML5) as an SSO local administrator.
2. From the navigation Menu, select Shortcuts > VMs and Templates.
3. Power off each VM.
4. Select each VM, and click Edit Settings > VM Options.
5. On the VM Options tab, expand Advanced.
6. Click Edit Configuration.
7. Click Add Configuration Params.
8. Add tools.guestlib.enableHostInfo with a value of False and click OK.
9. Click OK to close the settings screen.

Configure NTP service for VMs

Description NTP synchronizes time updates from a centralized source to systems on a network. Setting all system components to the same time source ensures system stability and accuracy of log timestamps.

Risk and vulnerability

If a centralized, consistent time source is not used, event detection and audits may be inaccurate.

Remediation
1. From PowerCLI, power off VMs.
2. To disable VMware Tools time synchronization with the VM host, enter:

$view = Get-VM -Name <vm_name> | Get-View
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Tools = New-Object VMware.Vim.ToolsConfigInfo
$spec.Tools.SyncTimeWithHost = $false
$view.ReconfigVM($spec)

3. To verify the setting, enter:

(Get-VM -Name <vm_name> | Get-View).Config.Tools.SyncTimeWithHost

Configure a console session for VMs

Description By default, more than one user can simultaneously create remote console sessions.

Risk and vulnerability

If a VM administrator is using a VMware remote console, a nonadministrator in the VM may connect to the console and observe their actions.

Remediation 1. From PowerCLI, power off VMs. 2. To add the setting to all VMs, enter:

Get-VM -Name <vm_name> | New-AdvancedSetting -Name RemoteDisplay.maxConnections -Value 1

3. To verify settings, enter:

Get-VM -Name <vm_name> | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select Entity, Name, Value
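The VM-level settings in this section can also be audited offline from each VM's .vmx file, in the spirit of the vCLI grep for scsiN:M.mode above. The following script is an added example, not part of this guide, VMware, or PowerCLI; its VMX parser, the baseline list (assumed to be the parameters this section sets) and the sample configuration are constructed here.

```python
"""Offline audit of a .vmx file against the VM hardening settings in this guide.
Added example, not Dell's, VMware's or PowerCLI's own code; the parser, the
baseline table and the sample .vmx text below are constructed here."""
import re
from typing import Dict, List, NamedTuple

# isolation.* parameters the guide sets to TRUE.  The guide's stance is to set
# each one explicitly so audit controls can check it, so a missing key is
# reported rather than treated as compliant.
ISOLATION_KEYS = """
isolation.tools.copy.disable isolation.tools.paste.disable
isolation.tools.setinfo.disable isolation.tools.hgfsServerSet.disable
isolation.tools.hgfs.disable isolation.tools.diskShrink.disable
isolation.tools.diskWiper.disable isolation.tools.autoinstall.disable
isolation.device.connectable.disable isolation.device.edit.disable
isolation.tools.unity.disable isolation.tools.ghi.autologon.disable
isolation.bios.bbs.disable isolation.tools.getCreds.disable
""".split()
SETINFO_LIMIT = 1048576  # 1 MB, the value the guide configures
_LINE = re.compile(r'^\s*([^=\s#]+)\s*=\s*"(.*)"\s*$')


class Finding(NamedTuple):
    key: str
    expected: str
    actual: str  # "<missing>" when the key is not in the file


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse 'key = "value"' lines.  VMX keys are case-insensitive, so they
    are lower-cased; blank, comment and malformed lines are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit_vmx(text: str) -> List[Finding]:
    """Return one Finding per deviation from the guide's VM settings."""
    cfg = parse_vmx(text)

    def get(key: str) -> str:
        return cfg.get(key.lower(), "<missing>")

    def is_true(value: str) -> bool:
        return value.strip().lower() == "true"

    out: List[Finding] = []
    for key in ISOLATION_KEYS:  # must be present and TRUE
        if not is_true(get(key)):
            out.append(Finding(key, "TRUE", get(key)))
    for key, value in cfg.items():
        # Disk mode: anything but persistent lets a reboot erase evidence.
        # An absent scsiN:M.mode key means the VMware default, persistent.
        if re.fullmatch(r"scsi\d+:\d+\.mode", key) and value.lower() != "persistent":
            out.append(Finding(key, "persistent", value))
        # Floppy drives: floppyN.present must be absent or FALSE.
        if re.fullmatch(r"floppy\d+\.present", key) and is_true(value):
            out.append(Finding(key, "FALSE or absent", value))
    # Informational message limit: explicit and no larger than 1 MB.
    size = get("tools.setInfo.sizeLimit")
    if not size.isdigit() or int(size) > SETINFO_LIMIT:
        out.append(Finding("tools.setInfo.sizeLimit", str(SETINFO_LIMIT), size))
    # Host performance information must not be exposed to the guest.
    host_info = get("tools.guestlib.enableHostInfo")
    if host_info.lower() != "false":
        out.append(Finding("tools.guestlib.enableHostInfo", "FALSE", host_info))
    # Remote console: one session at a time.
    max_conn = get("RemoteDisplay.maxConnections")
    if max_conn != "1":
        out.append(Finding("RemoteDisplay.maxConnections", "1", max_conn))
    return out


# Constructed sample .vmx of a partly hardened VM (not from a real system).
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "amp-jump01"
scsi0:1.mode = "independent-nonpersistent"
floppy0.present = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
tools.setInfo.sizeLimit = "2097152"
tools.guestlib.enableHostInfo = "TRUE"
RemoteDisplay.maxConnections = "1"
"""

if __name__ == "__main__":
    for f in audit_vmx(SAMPLE_VMX):
        print(f"{f.key}: expected {f.expected}, found {f.actual}")
```

Run it against a .vmx copied from the datastore to get a list of settings that still need the remediation steps above; a clean run returns no findings.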

Storage layer

Storage for AMP Central is provided by Dell Unity XT or VMware vSAN software-defined storage. Storage for AMP-VX is provided by VMware vSAN software-defined storage.

Dell Unity and Dell Unity XT hardening controls

Control descriptions, risks, vulnerabilities, and remediation are provided for Dell Unity and Dell Unity XT hybrid arrays.

Modify Dell Unity or Dell Unity XT passwords

Description Default passwords are set up during the initial system build. See your site policy for guidance on password strength. Passwords must be of sufficient length and meet complexity requirements to mitigate guessing or cracking of credentials.

Risk and vulnerability

If default passwords are not changed and complex passwords are not configured, attackers may more easily gain unauthorized access to the system.

Remediation Log in to Unisphere to change the password.


Configure NTP

Description NTP synchronizes time updates for Dell Unity or Dell Unity XT storage from a centralized source to systems on a network. Set system components to the same time source to ensure system stability and accuracy of log timestamps.

Risk and vulnerability

If a centralized, consistent time source is not used, event detection and audits may be inaccurate.

Remediation From the Unisphere CLI client, enter:

uemcli -d <management IP> -u <username> -p <password> /net/ntp/server create -server <NTP server>

Configure remote logging

Description Secure centralized logging for Dell Unity or Dell Unity XT storage enables aggregate analysis to prevent attacks on multiple hosts. Remote logging prevents log tampering and provides a long-term audit record.

Risk and vulnerability

If remote logging is not enabled, log review or event order may be compromised, and important system events may be missed.

Remediation From the Unisphere CLI client, enter:

uemcli -d <management IP> -u <username> -p <password> /sys/rlog set -enabled yes -host <syslog host> -facility Syslog

See the Dell Unity Family Dell Unity All Flash, Unity Hybrid, UnityVSA Security Configuration Guide for more information.

VMware vSAN hardening

Control descriptions, risks, vulnerabilities, and remediation are provided for VMware vSAN configurations.

Verify that health check is enabled for VMware vSAN

Description VMware vSAN health check is used for additional alerting and performance stress testing before production usage. Health check verifies that the underlying hardware is compliant with the VMware vSAN Hardware Compatibility Guide.

Risk and vulnerability

If VMware vSAN health check is not enabled, there is a risk of potential data loss or impact to system availability.

Remediation
1. From the VMware vSphere Web Client, select Hosts and Clusters and select a cluster.
2. Select Manage > Settings.
3. Select Virtual SAN > Health.
4. Verify that Health Service Status is set to Enabled.

Disable Internet access for VMware vSAN health check and hardware compatibility list downloads

Description Security checks may prevent the hardware compatibility list (HCL) from downloading for VMware vSAN health checks.

Risk and vulnerability

If security requirements prevent the HCL from downloading, disable Internet access for the VMware vSAN cluster.

Remediation
1. From the VMware vSphere Web Client, select Hosts and Clusters and select a vSAN-enabled cluster.
2. Select Manage > Settings.
3. Select General > Internet connectivity > Edit.
4. If the HCL Internet download is required, verify that Enable Internet access for this cluster is enabled and a proxy host is configured.

Verify that VMware vSAN naming conventions conform with VMware best practices

Description Verify that VMware vSAN datastore naming conventions conform with VMware best practices. The default datastore name for VMware is vsanDatastore. The VMware default vsanDatastore is used for the first VMware vSAN datastore as part of AMP logical build.

Risk and vulnerability

If more than one VMware vSAN cluster exists in the VMware vCenter, two datastores with the same name may lead to confusion and misplaced workloads. See the VMware vSphere ESXi 6.0 Security Technical Implementation Guide, DISA STIG ID ESXI-06-000076, for information about the network in which the AMP is to be deployed.

Remediation
1. From the VMware vSphere Web Client, select Hosts and Clusters and select a cluster.
2. Select Related Objects > Datastores.
3. Review the datastores for vsan as the type.
4. Verify that VMware vSAN datastore names are unique if multiple VMware vSAN clusters are used.

Verify the VMware default policy

Description The default datastore name for VMware is vsanDatastore. The VMware default vsanDatastore is used for the first VMware vSAN datastore as part of AMP logical build.

Risk and vulnerability

If VMware vSAN configuration settings are not accurate, attackers may gain access to sensitive data.

Remediation
1. Connect to each VMware vSphere ESXi host in the VMware vSAN cluster and enter:

esxcli vsan policy get default

2. Verify that this policy provides the correct fault tolerance level for the system.

Verify the VMware vSAN network configuration

Description Verify that the VMware vSAN network configuration settings are accurate.

Risk and vulnerability

If VMware vSAN network configuration settings are not accurate, attackers may gain access to sensitive data.

Remediation 1. From the VMware vSphere Web Client, select Configuration > Networking and review the VLANs associated with IP-based storage VMkernels.

2. Verify that they are properly dedicated and logically separated from other functions.

Verify the VMware vSAN encryption configuration

Description Verify that the VMware vSAN encryption configuration settings follow VMware best practices.

Risk and vulnerability

If VMware vSAN design and configuration of VMware vSAN encryption is not accurate, there may be a loss or compromise of sensitive data. VMware vSAN encryption is not configured on AMP Central as part of default base logical build.

Remediation To configure VMware vSAN encryption for security or compliance requirements, see the VMware best practices in https://docs.vmware.com/.


Administrative user accounts

Accounts for components and roles for each layer are described.

The following table provides standard usernames and passwords for initial builds:

Component | Username
Cisco UCS C220 M5 (AMP Central) | admin
Dell iDRAC (AMP-VX) | root
VMware vSphere ESXi hosts | root
VM operating system administrative passwords | administrator
VM operating system root password | root
Dell templates (Windows) | administrator
V01EM01 or M01EM01 | administrator
Secure Remote Services | root, administrator
VMware Log Insight nodes | root, administrator
VMware vCSA (PSC and VC) | root
VMware vCSA SSO administrator | administrator@vsphere.local

Compute layer

The default administrator account is root/calvin. After logging in to iDRAC using the root account, an administrator can create additional users and assign the following roles.

The following table provides default accounts and roles:

Role | Privileges
Administrator | Login, Configure, Configure Users, Logs, System Control, Access Virtual Console, Access Virtual Media, System Operations, Debug
Operator | Login, Configure, System Control, Access Virtual Console, Access Virtual Media, System Operations, Debug
Read Only | Log in only. User cannot make any changes.


Virtualization layer

An administrator can create users and assign the following system-defined roles to the users. An administrator can also create customized roles to suit needs.

For the administrator account, the best practice is to create a user at the root level and assign the Administrator role to that user. After creating a named user with Administrator privileges, remove the root user from any permissions or change its role to No Access.

The following table provides VMware vSphere default accounts and roles:

Role | Privileges
Administrator | View and perform all actions on the object. Includes all privileges inherent in the Read Only role. You can assign privileges to individual users and groups on objects. If acting in the Administrator role in VMware vCenter Server, you can assign privileges to users and groups in the default VMware Single Sign-On (SSO) identity source. Windows AD and OpenLDAP 2.4 are supported. By default, administrator@vsphere.local has the Administrator role on both VMware SSO and VMware vCenter Server after installation. That user can then associate other users with the Administrator role on VMware vCenter Server.
No Cryptography Administrator | Same privileges as users with the Administrator role, except for Cryptographic operations privileges. This role allows administrators to designate other administrators that cannot encrypt or decrypt VMs or access encrypted data, but that can perform all other administrative tasks.
Read Only | View the state of the object and details about the object. Users with this role can view VM, host, and resource pool attributes, but cannot view the remote console for a host. No actions through the menus and toolbars are allowed.
No Access | Cannot view or change the object in any way. New users and groups are assigned this role by default. You can change the role on an object-by-object basis.

The administrator of the VMware SSO domain, administrator@vsphere.local by default, root and vpxuser are assigned the Administrator role by default. Other users are assigned the No Access role by default.

Storage layer

The following table shows roles with available tasks for Dell Unity and Dell Unity XT:

Task | Admin | Security Admin | Storage Admin | Operator | VM Admin
View storage configuration and status | X X X X
View Unisphere user accounts | X X X
Add, delete, modify, lock, or unlock Unisphere user accounts | X X
View current software or license status | X X X X
Perform software or license upgrade | X
Perform initial configuration | X
Modify NAS server configuration | X
Modify system settings | X
Change management interface language | X X X X
View log and alert information | X X X X
View encryption status | X X X X
Perform encryption keystore, audit log, checksum backup | X X X
Modify FIPS 140-2 mode | X X
Modify STIG mode | X X
Establish VASA connections between VMware vCenter and the storage system | X X

AMP ports and protocols

Ports and protocols for VxBlock System management using element managers inside and outside the AMP are provided.

Element managers in the AMP

The following table provides element managers for VxBlock System management inside the AMP:

Application | Description | Port(s) | RBAC types | Authentication method
Remote desktop to VMs running VxBlock System element managers | vCenter Server, Database Server, VUM Server, Array and Fabric Manager Server, Jump Server | TCP 3389 (inbound) | Administrators, Power Users | Active Directory (preferred), Local (optional)
TACACS+ (optional) | Authentication of SSH client to TACACS+ server | TCP 49 | |
RADIUS (optional) | Authentication of SSH client to RADIUS server | TCP 1645, 1646, 1812, 1813 | |
LDAP (optional) | Authentication for Unisphere and SMC/SYMCLI | TCP 389 | |
LDAPS (optional) | Authentication of SMC/SYMCLI to LDAP SSL server | TCP 636 | |
NTP | Network Time Services for Cisco UCS, Cisco Nexus, Cisco MDS | UDP 123 (inbound), UDP 123 (outbound) | |
SMTP | Email alerting for Cisco UCS, Cisco Nexus, Cisco MDS | TCP 25 | |
SNMP | SNMP polling of Cisco UCS, Cisco Nexus, Cisco MDS | UDP 161 | |
SNMP | SNMP traps from Cisco UCS, Cisco Nexus, Cisco MDS | UDP 162 | |
Syslog | Remote logging to Cisco UCS, Cisco Nexus, Cisco MDS | TCP, UDP 514 | |


Element managers outside the AMP

The following table lists firewall ports that must be open to the customer network and the authentication methods used by element managers hosted in the customer network:

Application | Description | Port(s) | RBAC types | Authentication method
Cisco UCS Manager Client | GUI access to Cisco UCS Manager | TCP 443 (inbound) | Admin | TACACS+ (optional), RADIUS (optional), Local (optional)
Cisco Nexus Fabric Manager Client | GUI access to the Cisco Nexus 3000/9000 Series Switches | TCP 443 (inbound) | Admin | TACACS+ (optional), RADIUS (optional), Local (optional)
Cisco MDS Fabric Manager Client | GUI access to Cisco MDS switches | TCP 443 (inbound) | Admin | TACACS+ (optional), RADIUS (optional), Local (optional)
SMC/SYMCLI | CLI and console for Dell VMAX management | TCP 2707 (inbound) | Admin | LDAP/AD (optional), LDAPS (optional), Local (optional)
SSH to Cisco devices | Cisco UCS Manager, Cisco Nexus 3000/9000 Series Switches, Cisco Nexus 1000V, Cisco MDS switches | TCP 22 (inbound), TCP 22 (outbound) | Admin | TACACS+ (optional), RADIUS (optional), Local (optional)
TACACS+ (optional) | Authentication of SSH client to TACACS+ server | TCP 49 | |
RADIUS (optional) | Authentication of SSH client to RADIUS server | TCP 1645, 1646, 1812, 1813 | |
LDAP (optional) | Authentication for Dell Unisphere and SMC/SYMCLI | TCP 389 | |
LDAPS (optional) | Authentication of SMC/SYMCLI to LDAP SSL server | TCP 636 | |
NTP | Network Time Services for Cisco UCS, Cisco Nexus, Cisco MDS | UDP 123 (inbound), UDP 123 (outbound) | |
SMTP | Email alerting for Cisco UCS, Cisco Nexus, Cisco MDS | TCP 25 | |
SNMP | SNMP polling of Cisco UCS, Cisco Nexus, Cisco MDS | UDP 161 | |
SNMP | SNMP traps from Cisco UCS, Cisco Nexus, Cisco MDS | UDP 162 | |
Syslog | Remote logging to Cisco UCS, Cisco Nexus, Cisco MDS | TCP, UDP 514 | |

iDRAC ports and protocols

Inbound and outbound ports and protocols for iDRAC with AMP-VX are provided.

The following table provides ports used for inbound communication:

Port | Protocol | Function
22 | TCP | SSH
23 | TCP | Telnet
80 | TCP | HTTP
443 | TCP | HTTPS
623 | UDP | RMCP/RMCP+
161 | UDP | SNMP
5900 | TCP | Virtual Console keyboard and mouse redirection, Virtual Media, Virtual Folders, Remote File Share
5901 | TCP | VNC (when VNC is enabled, port 5901 opens)

The following table provides ports used for outbound communication:
