ESXi 5.0 STIG (increased security)

I did the security hardening on an ESXi 5 host (test area), and I can't know what part is to complete the shell ESXi service stop to keep downtime.  Lockdown mode is not enabled, the SSH service is running when I look at the graphical interface, and when I press F2 and connect via the DCUI it shows that the "ESXi Shell is activated".  Under this same box, it shows "SSH is enabled", and under the firewall, the SSH server is enabled and running.

I hope that someone knows exactly what it is. Of course, I changed some sshd_config files and such, but I'm not sure if that affects it.  It isn't causing a problem since it is just a test host, but I have gone through all these pages and I just can't understand what prevents this.

I need to make a correction.  When I log in to the DCUI, under "Troubleshooting Mode Options", if I activate the ESXi Shell there, it goes back to disabled in a second or two.

Did you change the options of ESXiShellInteractiveTimeOut or ESXiShellTimeOut? These settings can reset a manually activated shell. Check the values with these commands:

# esxcfg-advcfg -g /UserVars/ESXiShellInteractiveTimeOut

# esxcfg-advcfg -g /UserVars/ESXiShellTimeOut

See also:

http://blogs.VMware.com/vSphere/2012/09/vSphere-5-1-new-esxishellinteractivetimeout.html
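
The two settings named in the answer can be read and interpreted with a short script. This is an added example, not part of the original thread; it assumes a successful query prints "Value of <OptionName> is <N>" with N in seconds, and it uses constructed sample lines when esxcfg-advcfg is not present.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the two ESXi Shell timeout
# settings queried with esxcfg-advcfg -g.
# Assumption: a successful query prints "Value of <OptionName> is <N>".

# Print the integer from one line of esxcfg-advcfg -g output.
# Returns 1 when no line is in the assumed format (for example an error
# message because the option does not exist on this ESXi release).
advcfg_value() {
    _v=$(printf '%s\n' "$1" |
        sed -n 's/^Value of [A-Za-z0-9_]* is \([0-9][0-9]*\)$/\1/p')
    [ -n "$_v" ] || return 1
    printf '%s\n' "$_v"
}

# Explain one setting. $1 = option name, $2 = raw output of the query.
explain_timeout() {
    _secs=$(advcfg_value "$2") || {
        printf '%s: no value returned (option missing or query failed)\n' "$1"
        return 0
    }
    if [ "$_secs" -eq 0 ]; then
        printf '%s: 0, timeout disabled\n' "$1"
        return 0
    fi
    case $1 in
        ESXiShellTimeOut)
            # Availability timeout: the services themselves are switched off.
            printf '%s: ESXi Shell and SSH are stopped %s s after being enabled\n' "$1" "$_secs" ;;
        ESXiShellInteractiveTimeOut)
            # Idle timeout: only inactive interactive sessions are ended.
            printf '%s: idle shell sessions are logged out after %s s\n' "$1" "$_secs" ;;
        *)
            printf '%s: %s\n' "$1" "$_secs" ;;
    esac
}

# Query the host when the tool exists; otherwise return constructed samples.
query() {
    if command -v esxcfg-advcfg >/dev/null 2>&1; then
        esxcfg-advcfg -g "/UserVars/$1" 2>&1
    else
        case $1 in
            ESXiShellTimeOut)
                echo 'Value of ESXiShellTimeOut is 900' ;;            # constructed sample
            *)
                echo 'Unable to get option (constructed sample error)' ;;  # constructed sample
        esac
    fi
}

for opt in ESXiShellTimeOut ESXiShellInteractiveTimeOut; do
    explain_timeout "$opt" "$(query "$opt")"
done
```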

Tags: VMware

Similar Questions

  • Password for increased security

    To increase the security in passwords on personal computers come with an idea, but I don't know if it is possible to do. I would call it the «return back» password Type a password for the user, but before hitting enter the user would go back through the whole password and type the password that will be sent to the front. Backspaced password would be also sent forward on the site, but in a separate window or door security system. Is this possible?

    If it is possible, it will depend on some made deals with character recognition.  Back (Ctrl + H or 0x08) is, in fact, an ASCII character valid but how it is treated depends on several factors, such as the operating system and the program accepting characters.

  • Format Excel increase security

    I work with a 1997-2003 xls format in Excel 2007.  It is protected by Word and whenever I save, a pop-up appears asking if I "wants to enhance the security of this document by converting to the Office Open XML Format?". I don't want to increase.  How can I stop the pop-up from appearing?

    FYI - I don't want to increase b/c I tried it on a test file and it disabled all my macros and lost a few links.
    Thank you

    Try the NG Office-

    http://www.Microsoft.com/Office/Community/en-us/FlyoutOverview.mspx#2

    TaurArian [MVP] 2005-2010 - Update Services

  • The traffic between a host ESXi and vCenter Server is secure?

    Dear team,

    Please let me know whether traffic between an ESXi host and vCenter Server (and vice versa) is secure?

    The VC and ESXi version is 5.1U1a

    concerning

    Mr. VMware

    Default SSL certificates are installed automatically. However, you can configure the third-party SSL certificates to make the environment more secure.

    Please see:

    VSphere Documentation Centre

    http://pubs.VMware.com/vSphere-51/topic/com.VMware.ICbase/PDF/vSphere-ESXi-vCenter-Server-51-Security-Guide.PDF

  • ESXi Server and the DMZ security

    Hello world

    I currently have around 5 physical web servers sitting in a demilitarized zone. My plan is to convert all these web servers to virtual machines and host them on an ESXi server.

    I would like to host the ESXi Server actually in the demilitarized zone, all the VMs on the ESXi box would be public facing anyway. Does anyone know of a good reason not to do from a security point of view.

    I guess my main concern would be the area of ESXi being threaten. Of course, I would limit the traffic through the firewall rules.

    I would like to know your opinion on this and if someone has done this before?

    Thank you very much

    Chris

    Take a look on:

    http://www.VMware.com/files/PDF/dmz_virtualization_vmware_infra_wp.PDF

  • ESXi 4.0 must increase on VMFS blocksize for 1.5 TB VM - answered

    I installed ESXi 4.0 with the default settings, and I want to install 2 VMs on this server with 2 TB of hard drive space. A virtual machine will be FreeBSD with 1.5 TB of hard drive space, but when I try to configure the VM it says that I can not any expansion then 256GB. I've been Googling this problem and it seems to be due to the size of 1 MB of the VMFS partition. I used some methods I found online to increase the size of block, but because as a esxconsole.vmdk (?) is on this partition and is loaded into memory, I can't get a full access to the partition.

    Does anyone know someone else why specify a block size of 8 M?

    Any help is greatly appreciated

    Why not just use rdms if you use such a big vmdk file?

  • Impaired download Flash player from January 22, 2016 access increases security concerns

    What madness by Adobe to hinder access to updates of its reader FREE Flash/Animate without pay which Adobe clients would much less spectators of their content.


    The Adobe Flash Player Distribution | Adobe web page must be put off-limits for Flash player users who need to download on January 22, 2016.  It is software FREE including content authors need Flash/Animate their viewers to have ready to join.  I'm sorry that Adobe seems to do the excellent a lot harder to get Flash Player.  In addition, simple easy access to downloads of Flash player is vital to the security of the computer systems of users by creating immediate access to new updates less vulnerable.  I don't understand why Adobe considers it necessary to impose this restriction.  Those whose concern is the security of the system will be more likely that never remove Flash player capacity of these systems in their custody.

    The link "distribution3" never intended for use by the public. It was hidden behind the application license FPD, but despite a warning in the license e-mail link is confidential, people continue to publish. The binaries are intended for enterprise IT administrators and OEMS who have the expertise to use them properly. Adobe are simply update the application page so that customers who have not obtained a distribution license cannot access the binaries, and licensees must sign so their identity can be verified. The general public must always use the installer negotiated https://get.adobe.com/flashplayer/ and doesn't change anything about it. The only people whose access will be "less" are those who download without permission.

    You always needed a license to distribute binaries of the Flash Player. Capture images of the 'distribution3' page without completing the application process is a violation of the terms of use Adobe. Is not matter a hoot if the program is free or not. You must respect the terms of the license provider.

  • install ESX/ESXi on faster disks increases performance of the guest OS?

    for example, if you have installed ESX/ESXi on a faster local SSD or HARD disk, would be the overall performance of the ESXi and hosted OS be improved?

    Or ESX works completely in memory even after the start, so it does not improve a lot?

    If you have an iSCSI storage, I suggest you install ESX (i) on the local disk and attach (s) your storage iSCSI LUN as a VMFS data warehouses.

    André

  • I want to make a combination of iTouch to increase security?

    I want my iPhone in camera if it receives a bad combination of ID of contact entries. Can I do this on my iOS to Gooseberry?

    The reason for the question.

    My seven year old nephew has opened my iPhone 6 s while I was asleep with contact ID.

    Define "locked up".   Your phone is already locked, if it is requiring a tactile entry ID.   There is no way that your nephew could unblock unless he knows your password if was already locked.   If your iPhone was actually asleep, he had to be locked if you have been using Touch ID.  Best to put also a long, rather than a simple access code.

    All iPhones require entry of the passcode if more than 3 footprints Touch ID incorrect or illegible sequential entered.

  • Objective 7.1 - guarantee the issue of ESX/ESXi hosts

    Hey all,

    I am currently working on my study guide for the DCA review and have fallen somewhat with the ESX/ESXi Secure objective 7.1 hosts and more specifically the section for "Customize SSH Settings for increased security". The only documentation I could find about it is in the "ESX Configuration Guide" on page 202 and the VMware KB 1017910. The ESX config guide details how to REDUCE the requirements of security on default (allowing root access, change the version of the SSH protocol, etc.), and the article explains how to set a timeout for Tech Support Mode (both local and remote). I guess these aren't the types of answers they seek, as the section is to increase the level of security.

    Any clarification or possible advice that anyone could offer would be greatly appreciated.

    TIA,

    -Jason

    *My apologies if this question type should not be displayed, if not please delete*.

    Hello

    Although I know the stuff covered there is it. Sean sound passed without problem, and a number of friends who have passed the exam, they all used the same resources covered in that and passed fine. But maybe other people who wrote it can contribute and who may be able to add something?

  • My router is actually secure?

    I'm wondering if what follows what I've done is the best possible, if there is any means possible to improve security:

    I have a WRT320N

    • SSID: just let it spread. Delete this show will not improve the overall security. SSID will be shown even if you Devil shows periodic.
    • Change the default name of the router to something that leaves not hear it's location or name brand/type
    • change the default password (the one to access the router from your browser)
    • Disable remote management: don't want any person who uses a Wi-Fi connection to try to hack my router
    • Disable Upnp, the automatic configuration of the router has possible security leaks.
    • use WPA2 Personal (just choose the highest encryption) and using the combination of numbers and long, uppercase letter, tiny you can think of.
    • MAC filtering can be set on, but hackers can clone the MAC address, the extra security is questionable.
    • Isolation of the AP: prevent users from Wi-Fi on my router to access to each other, isolate all users connection Wi-Fi to each other.
    • turn on the SPI Firewall: blocks incoming network packets from the internet. And have not started by me: internet to port 80, my firefox tries to open a Web page, these type of incoming packets will be accepted by the router without the internet to my computer.
    • Use webfilter and prevent any network with proxy, java, activex package to switch my router: at this moment I'm block the proxy. I'm filtering the Web casts.
    • Block all ports except 20,21,25,53,80,110,443. (port range is 0 to 65523) Block protocols UDP and TCP for all IP 192.168.0 to 192.168.0.254 addresses so only the mentioned ports are allowed to use.

    Thanks for helping out.

    • Re SSID broadcast.

      1. Correct. Even with the SSID broadcast disabled the router will still broadcast a recurring tag that means a wireless scanner will resume immediately the existence of a wireless network.

      2. the SSID is transferred in plain text in the connection with the router. A network sniffer will learn the SSID for the moment that a (legitimate) device connects to your network.

      3. by sending packets of thugs to the AP, it is easily possible to dissociate a connected wireless forcing a new association. This way you can learn the SSID immediately.

      1-3 means a SSID of the AP wireless with SSID broadcast disabled is unknown as long as no wireless device is connected to the router, because there is no way to force a link to a legitimate device demand. Some people believe so disabled SSID broadcasting is an important way for increased security, particularly when the wireless is not used very often. Of course, if you don't need the wireless for most of the time you need to turn off completely.

      However, to disable the SSID broadcast technically breaks the standard 802.11 standard and is known to cause problems of connectivity and stability with some wireless cards. Therefore, I usually recommend is not to disable the SSID broadcast.

    • Re "the router by default name". If you mean the SSID, of course, change is important. Especially to prevent your wireless devices to connect to the router of your neighbor who is using the default SSID.

      It is not necessary to change the name of "router" on the master installation. It is only necessary to connect internet and only if required by your ISP.

    Change the SSID or "router name" will not change the MAC address on the wireless. The first half of this MAC address will reveal the manufacturer (Linksys or Cisco)

  • Relative to the remote management. Disabling remote management is good. Of course, make sure that it really works. Some routers have a bug in the firmware that opened the web interface for the internet, regardless of this setting.
  • Re UPnP. Fix. It must be turned off at any time.
  • Re personal WPA2 with AES encryption only and a strong password is the best wireless security, you can have it right now. Password can be up to 63 characters.
  • Re wireless mac filtering: MAC addresses are always transferred unencrypted (with WPA2) and are easily cloned. So, a simple network sniffer is able to collect the MAC addresses of legitimate devices that you can use to connect.
  • Re of isolation AP can be used if no wireless - wireless connection is necessary. Of course, if an attacker has hacked your wireless network, it can try to hack your router here. The protection of the web interface of the side LAN is quite low.
  • SPI Firewall re. Must be enabled. This prevents the internet router.

  • What you write in this topic is "protection" because of the NAT, or because you are using private IP addresses. NAT, technically, does not block unsolicited inbound traffic. It simply drops unsolicited inbound traffic because it doesn't know what to do with it, that is, it doesn't know where to deliver unless you configure port forwarding automatic or similar. By design, NAT is not a security mechanism as its design is intended to allow the connections, not to block them. Some implementations of (older) NAT tried to deliver inbound unsolicited by some heuristics. Some (older) NAT implementations have features to support FTP (to do FTP works fine through a NAT router) which led to any open port on the router.
  • Re webfilter: depends. Will cause problems with HTTPS web sites as HTTPS requires end-to-end security.
  • Re blocks all ports except 20,21,25,53,80,110,443. Well depends on once again. In your list, for example, you block the port 995 (POP3S) and accept only 110 (POP3). Depending on your e-mail client and the pop server, this can lead to a connection that is not encrypted between the client and the server because port 995 is not accessible. Similar with the port 25 (SMTP). Some web servers running on port 8080 or other ports that will not or only partially work (because some content is on a webserver with the different port number).

    Technically speaking, your block probably list more will affect you and your ability to use the more secure protocol which may be currently on your block list. In addition, as most of the people have ports 80 and 443 open for outgoing traffic most malware uses to talk to the outside. So your good list that the idea seems good probably won't help you.

    So I would say in most home networks such a blocking list based on a list of a few exempt ports will really not help your security and for the most part will cause problems for you and nothing else. Such a list will work in a business setting where you can refine the traffic authority very well. But to use domestic and general habits that it won't really work for navigation.

    In addition, I think that you can not set up such a list on a Linksys router. You can only block the ports, but not all ports except a few.

  • Another extremely important point missing from your list: always change the router password (admin) in a password strong. But I guess you already did this, too.
  • Overall, I would say that all you have reason...

  • Interference of security with all the sites box

    How do we stop a security zone that is open to everything we do at any site. It gets pretty aggravating. You can't get much done to remove or say yes or no in the box. Indeed, it appears more than once, about whether we want the site to be secure. It just started a couple of weeks. I don't know if it was added to an update from Microsoft. My address is * address email is removed from the privacy *. I hope to hear from someone.

    This message should be that when you visit sites starting https and then only if they are poorly written. If you get it for each Web site, it may indicate that you have installed the software to increase security, or you have a malware infection.

    To disable the message, go to tools > Internet Options > Security > Internet Zone > custom level

    Scroll down to the entry "Display mixed content" and modify command prompt to enable or disable. Disable is the safer choice.

  • Standard vs admin accounts: which is preferable for reasons of security online?

    My online safety practices seem to be strong. I use Microsoft Security Essentials for many years and I do practice wise online security. I know that MSE has its detractors, but it's worked for me. last night, I run ESET Online Scanner, and my computer is clean. I also regularly run Windows Defender Offline just in case.

    By reviewing best practices of security online yesterday, I came across a few suggestions do not use an Admin account on a regular basis, which sometimes I do all the time.

    How a Standard account increases security online?

    A standard account increases online security.  There have been recent reports where trust familiar sites (such as the New York Times) have been compromised and any visitor to the Web site will suffer an infection.  If you were logged under an administrator account when the infection occurs, the virus will have all of the capabilities you have (because it runs under your credentials).  If you do not use an admin account, the virus or malware would have less capacity and could not cause damage throughout the system (because never a standard account can affect the whole system).

    UAC, first introduced in Vista, to limit this risk.  Even when you are running under an administrator account, most of your programs still work in a restricted security context.  It is therefore 'raising' by clicking on confirm box user account control when perform you certain actions of admin-level, even if you are already an administrator.

    If you use Internet Explorer in Protected Mode, this means that it protects you by using this restricted security context.  But you can always improve your security just by using a standard account and only by using the account administrator if necessary.

  • Cisco Small Business Equipment VLAN security issue

    Hi, I have a RV220W router and a switch SG200-18. I'm trying to set up my network to be as secure as possible...

    The RV220W has the following VLAN configuration:

    Port 1: Manage, DMZ, Business, Test, Diag, home and anywhere (untagged)

    Port 2-4: not used (untagged) and disabled

    All ports were excluded from the default VLAN

    SG200-18 has the following VLAN configuration:

    Port 1 (trunk): manage, DMZ, Business, Test, Diag, home and anywhere (untagged)

    Port 2-17 (access): not used (untagged) and disabled

    Port 18 (access): manage (untagged) * used to configure and manage the switching and routing of a pc

    All ports were excluded from the default VLAN

    I installed this according to the instructions in the Cisco security best practices: http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf

    My questions regarding my network of quenching of Double-Encapsulated 802.1q / nested VLAN attack. The white paper suggests to disable the native/untagged VLAN on all trunk ports... Unfortunately the RV220W seems to require an untagged VLAN on each port (won't allow me to only have the tagged VLAN)... Can someone suggest a more secure configuration given what I work with?

    Thank you!

    P.S. the switch allows me to configure a port mode 'General' where I can configure the frame Type to "Admit tag only" to allow only tagged traffic... I don't know if this would increase security?

    In what concerns the vlan tag/UNTAG Yes. You must take into account the limitation of the router.

    -Tom
    Please mark replied messages useful

  • New host ESXi 5.1 in DMZ - cannot connect through vCenter Client or web, but can via SSH, if I have activated

    We have a simple DMZ where I set up a host running ESXi 5.1. I have another windows server in the DMZ subnet and I can load the new ESXi her host's web site. From my PC in our LAN I can not pull the top web interface 5.1 ESXi or connect via vSphere Client. If I enable SSH on the new host, can I use Putty to connect to the new host ESXi from my PC in LAN. I watched the event logs in our firewall and nothing seems to be blocked. I guess that the problem is related to a value or a firewall setting in ESXi 5.1 but I don't know. Any help would be appreciated.

    Thank you

    -Kevin

    Just a thought. Why don't run you the ESXi host in your internal network management and only virtual machines in the DMZ? Would make the ESXi host management even more secure, and you wouldn't have to open Firewall ports.

    André
