Solved

Windows 2012 Template / Hardening for Vmware Guest

Posted on 2014-11-07
4
1,361 Views
Last Modified: 2014-11-09
Hello,

Is any body has any document for creating Windows 2012 template / best practice for Vmware guest OS?
0
Comment
Question by:Haresh Nikumbh
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 64

Accepted Solution

by:
btan earned 333 total points
ID: 40429993
in fact, it should be hardening of Win2012 guest as it is or even stripping it into server core state and also hardening of VMware ESXi/ESX/vSphere collectively. there are already established guide for each independent based on even standards/practices from NIST and CIS  
Another good start which I do advocate is check the principal recommendations such as

>Server Hardening - Windows Server 2012, you should check out microsoft security compliance mgr for the gpo template http://technet.microsoft.com/en-us/security/jj720323.aspx

>VMware Security Hardening Guides, also can catch this blog on some sample script to automate https://www.vmware.com/support/support-resources/hardening-guides.html

As a whole, probably the below tips can form a summary checklist for collective check (include Guest OS)
http://windowsitpro.com/windows/15-tips-vmware-security
Tip 1: Isolate the Host Network
Tip 2: Use the Host Machine Only for Your Virtual Infrastructure
Tip 3: Secure Remote Access Consoles
Tip 4: Limit Local Logons on Host
Tip 5: Encrypt Virtual Drives
Tip 6: Encrypt VM Backups
Tip 7: Set a User Context
Tip 8: Use Hardened Guest OS Templates
Tip 9: Turn off Host and Guest Interaction
Tip 10: Take Sensitive VMs Offline
Tip 11: Use Startup Passwords
Tip 12: Disable Scripting in the Guest OSs
Tip 13: Remove or Disconnect Devices
Tip 14: Always Log Off a VM Session
Tip 15: Update Written Security Polices to Include VMs
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 167 total points
ID: 40430161
For general template creation stuff, I use most of this (not the def profile copy as sysprep does that for you if you do it right)
http://notesfrommwhite.net/2014/07/20/how-to-build-a-windows-2012-r2-vmware-template/
0
 
LVL 64

Assisted Solution

by:btan
btan earned 333 total points
ID: 40430753
Good to take note besides the hardening on the independent OS and ESX is from VMWare hardening guide pdf
By capturing a hardened base operating system image (with no applications installed) in a template, you can ensure that all your virtual machines are created with a known baseline level of security. You can then use this template to create other, application-specific, templates or use the application template to deployvirtual machines

Provide templates for virtual machine creation that contain hardened, patched and properly configured OS deployments. If possible, predeploy applications in templates as well, although care should be taken that the application doesn’t depend upon virtual machine–specific information to be deployed. In vSphere, you can convert a template to a virtual machine and back again quickly, which makes updating templates quite easy. VMware Update Manager also provides the ability to automatically patch the operating system and certain applications in a template, thereby ensuring that they remain up to date.
Another consideration that you may be interested is whether to do it at the template-level or configuration-level. This is depends how you plan to use the application in your organization.  
E.g. Users create configurations from templates so the template approach work;
E.g. Users check out fully-built "gold masters" from library most of (if not all) the time so using templates is less prefer
Also for cloning, it is prefer for configuration cloning (and the Library and sharing), and not at the template level.
0
 
LVL 22

Author Closing Comment

by:Haresh Nikumbh
ID: 40432034
Thanks
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will show you how to create an ISO CD-ROM/DVD-ROM image (*.iso), and MD5 checksum signature, for use with VMware vSphere Hypervisor 6.5 (ESXi 6.5). It's a good idea to compare checksums, because many installations fail because of a corr…
This article outlines why you need to choose a backup solution that protects your entire environment – including your VMware ESXi and Microsoft Hyper-V virtualization hosts – not just your virtual machines.
Advanced tutorial on how to run the esxtop command to capture a batch file in csv format in order to export the file and use it for performance analysis. He demonstrates how to download the file using a vSphere web client (or vSphere client) and exp…
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question