Solved

Windows 2012 Template / Hardening for Vmware Guest

Posted on 2014-11-07
Last Modified: 2014-11-09
Hello,

Does anybody have any documents for creating a Windows 2012 template / best practices for a VMware guest OS?
Question by:Haresh Nikumbh
4 Comments
 
LVL 63

Accepted Solution

by:
btan earned 333 total points
ID: 40429993
In fact, it should be hardening of the Win2012 guest as it is, or even stripping it into a Server Core state, and also hardening of VMware ESXi/ESX/vSphere collectively. There are already established guides for each independently, based even on standards/practices from NIST and CIS.  
Another good start, which I do advocate, is to check the principal recommendations such as:

>Server Hardening - Windows Server 2012: you should check out Microsoft Security Compliance Manager for the GPO template http://technet.microsoft.com/en-us/security/jj720323.aspx

>VMware Security Hardening Guides: you can also catch this blog on some sample scripts to automate https://www.vmware.com/support/support-resources/hardening-guides.html

As a whole, the tips below can probably form a summary checklist for a collective check (including the guest OS):
http://windowsitpro.com/windows/15-tips-vmware-security
Tip 1: Isolate the Host Network
Tip 2: Use the Host Machine Only for Your Virtual Infrastructure
Tip 3: Secure Remote Access Consoles
Tip 4: Limit Local Logons on Host
Tip 5: Encrypt Virtual Drives
Tip 6: Encrypt VM Backups
Tip 7: Set a User Context
Tip 8: Use Hardened Guest OS Templates
Tip 9: Turn off Host and Guest Interaction
Tip 10: Take Sensitive VMs Offline
Tip 11: Use Startup Passwords
Tip 12: Disable Scripting in the Guest OSs
Tip 13: Remove or Disconnect Devices
Tip 14: Always Log Off a VM Session
Tip 15: Update Written Security Policies to Include VMs
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 167 total points
ID: 40430161
For general template creation stuff, I use most of this (not the def profile copy as sysprep does that for you if you do it right)
http://notesfrommwhite.net/2014/07/20/how-to-build-a-windows-2012-r2-vmware-template/
 
LVL 63

Assisted Solution

by:btan
btan earned 333 total points
ID: 40430753
Besides the hardening of the independent OS and ESX, it is good to take note of this from the VMware hardening guide PDF:
By capturing a hardened base operating system image (with no applications installed) in a template, you can ensure that all your virtual machines are created with a known baseline level of security. You can then use this template to create other, application-specific, templates or use the application template to deploy virtual machines.

Provide templates for virtual machine creation that contain hardened, patched and properly configured OS deployments. If possible, predeploy applications in templates as well, although care should be taken that the application doesn’t depend upon virtual machine–specific information to be deployed. In vSphere, you can convert a template to a virtual machine and back again quickly, which makes updating templates quite easy. VMware Update Manager also provides the ability to automatically patch the operating system and certain applications in a template, thereby ensuring that they remain up to date.
Another consideration that you may be interested in is whether to do it at the template level or the configuration level. This depends on how you plan to use the application in your organization.  
E.g. Users create configurations from templates, so the template approach works;
E.g. Users check out fully-built "gold masters" from the library most of (if not all) the time, so using templates is less preferred.
Also, for cloning, it is preferred to do configuration cloning (and the Library and sharing), and not at the template level.
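An added example, not part of any post in this thread: a Python check that audits a template's .vmx file against Tip 9 (host and guest interaction) and Tip 13 (unneeded devices) from the checklist above, before the template is captured as a baseline. The setting names come from VMware's published hardening guidance rather than from this page, keys are compared case-insensitively as a simplification, and the sample file is constructed.

```python
import re

# Guest/host interaction settings (Tip 9) with the hardened value.
# Assumption: names as in VMware's published vSphere hardening guides, not
# from this thread; confirm against the guide for your release.
REQUIRED = {
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
    "isolation.tools.dnd.disable": "true",
    "isolation.tools.setguioptions.enable": "false",
    "isolation.tools.diskshrink.disable": "true",
    "isolation.tools.diskwiper.disable": "true",
}
# Virtual devices a server template rarely needs (Tip 13).
DEVICE_RE = re.compile(r"^(floppy\d+|serial\d+|parallel\d+|usb)\.present$")
LINE_RE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {lowercased key: value} for key = "value" lines; later wins."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2).strip() for m in matches if m}


def audit_vmx(text):
    """Return a sorted list of (key, problem) findings for one .vmx file."""
    settings = parse_vmx(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "not set, product default applies"))
        elif actual.lower() != wanted:
            findings.append((key, f"is {actual!r}, expected {wanted!r}"))
    for key, value in settings.items():
        if DEVICE_RE.match(key) and value.lower() == "true":
            findings.append((key, "device present, remove from template"))
    return sorted(findings)


# Constructed sample, not taken from a real VM.
SAMPLE_VMX = '''
displayName = "w2012-template"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
isolation.tools.diskShrink.disable = "TRUE"
floppy0.present = "TRUE"
serial0.present = "FALSE"
'''
```

Calling `audit_vmx(SAMPLE_VMX)` returns five findings: the floppy drive, the paste setting with the wrong value, and three interaction settings that are not set at all.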
 
LVL 22

Author Closing Comment

by:Haresh Nikumbh
ID: 40432034
Thanks