Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Windows 2012 Template / Hardening for Vmware Guest

Posted on 2014-11-07
4
Medium Priority
?
1,550 Views
Last Modified: 2014-11-09
Hello,

Is any body has any document for creating Windows 2012 template / best practice for Vmware guest OS?
0
Comment
Question by:Haresh Nikumbh
  • 2
4 Comments
 
LVL 65

Accepted Solution

by:
btan earned 1332 total points
ID: 40429993
in fact, it should be hardening of Win2012 guest as it is or even stripping it into server core state and also hardening of VMware ESXi/ESX/vSphere collectively. there are already established guide for each independent based on even standards/practices from NIST and CIS  
Another good start which I do advocate is check the principal recommendations such as

>Server Hardening - Windows Server 2012, you should check out microsoft security compliance mgr for the gpo template http://technet.microsoft.com/en-us/security/jj720323.aspx

>VMware Security Hardening Guides, also can catch this blog on some sample script to automate https://www.vmware.com/support/support-resources/hardening-guides.html

As a whole, probably the below tips can form a summary checklist for collective check (include Guest OS)
http://windowsitpro.com/windows/15-tips-vmware-security
Tip 1: Isolate the Host Network
Tip 2: Use the Host Machine Only for Your Virtual Infrastructure
Tip 3: Secure Remote Access Consoles
Tip 4: Limit Local Logons on Host
Tip 5: Encrypt Virtual Drives
Tip 6: Encrypt VM Backups
Tip 7: Set a User Context
Tip 8: Use Hardened Guest OS Templates
Tip 9: Turn off Host and Guest Interaction
Tip 10: Take Sensitive VMs Offline
Tip 11: Use Startup Passwords
Tip 12: Disable Scripting in the Guest OSs
Tip 13: Remove or Disconnect Devices
Tip 14: Always Log Off a VM Session
Tip 15: Update Written Security Polices to Include VMs
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 668 total points
ID: 40430161
For general template creation stuff, I use most of this (not the def profile copy as sysprep does that for you if you do it right)
http://notesfrommwhite.net/2014/07/20/how-to-build-a-windows-2012-r2-vmware-template/
0
 
LVL 65

Assisted Solution

by:btan
btan earned 1332 total points
ID: 40430753
Good to take note besides the hardening on the independent OS and ESX is from VMWare hardening guide pdf
By capturing a hardened base operating system image (with no applications installed) in a template, you can ensure that all your virtual machines are created with a known baseline level of security. You can then use this template to create other, application-specific, templates or use the application template to deployvirtual machines

Provide templates for virtual machine creation that contain hardened, patched and properly configured OS deployments. If possible, predeploy applications in templates as well, although care should be taken that the application doesn’t depend upon virtual machine–specific information to be deployed. In vSphere, you can convert a template to a virtual machine and back again quickly, which makes updating templates quite easy. VMware Update Manager also provides the ability to automatically patch the operating system and certain applications in a template, thereby ensuring that they remain up to date.
Another consideration that you may be interested is whether to do it at the template-level or configuration-level. This is depends how you plan to use the application in your organization.  
E.g. Users create configurations from templates so the template approach work;
E.g. Users check out fully-built "gold masters" from library most of (if not all) the time so using templates is less prefer
Also for cloning, it is prefer for configuration cloning (and the Library and sharing), and not at the template level.
0
 
LVL 22

Author Closing Comment

by:Haresh Nikumbh
ID: 40432034
Thanks
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A look into Log Analysis and Effective Critical Alerting.
Measuring Server's processing rate with a simple powershell command. The differences in processing rate also was recorded in different use-cases, when a server in free and busy states.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question