vSphere 8 Security Enhancements

Many of our customers have run vulnerability assessments (VA) on vSphere ESXi, and these often flag items such as SHA1 and TLS 1.0. Some of these, such as SHA1 and MD5, were present but not in use, and we could not remove them manually. Others, such as TLS 1.1 and 1.0, were there to support lower versions. With vSphere 8, the security enhancements remove the unwanted security bundles and support only secure transport connections via TLS 1.2. On top of that, daemons now run in their own sandboxes instead of in the hypervisor world, where they needed higher permissions that were unnecessary and left them prone to attack. Also new for security is a timeout for the SSH shell when it is enabled on an ESXi host, so administrators can no longer leave the SSH shell connected indefinitely or, even worse, forget to disconnect and log out of the endpoint from which they are connected to the ESXi shell. Lastly, if your hardware used for ...

VMware vCenter Server 7.0 Deprecate IWA

For those who aren't aware, in the release of vSphere 7.0, support for Integrated Windows Authentication (IWA) will be deprecated. This has been published in this KB. The existing methods of AD over LDAP and OpenLDAP will still work, or you can use the new feature in 7.0, AD Federated Identity (AD FS). Check out this article. To be honest, I would recommend using AD FS if you are in a Windows environment, since this will prevent vSphere from talking directly to AD. In a way this is much safer, as it is session based, using the token method via the OAuth2 and OIDC protocols, rather than having the user name and password exposed. You can refer to the documentation on how to set up AD FS for vCenter Server here, and also check out this TAM LAB video. With the support of AD FS, MFA can be implemented. However, this is still limited due to the amount of support on AD FS.