Solved

Windows 2012 Template / Hardening for Vmware Guest

Posted on 2014-11-07
4
1,263 Views
Last Modified: 2014-11-09
Hello,

Is any body has any document for creating Windows 2012 template / best practice for Vmware guest OS?
0
Comment
Question by:Haresh Nikumbh
  • 2
4 Comments
 
LVL 63

Accepted Solution

by:
btan earned 333 total points
ID: 40429993
in fact, it should be hardening of Win2012 guest as it is or even stripping it into server core state and also hardening of VMware ESXi/ESX/vSphere collectively. there are already established guide for each independent based on even standards/practices from NIST and CIS  
Another good start which I do advocate is check the principal recommendations such as

>Server Hardening - Windows Server 2012, you should check out microsoft security compliance mgr for the gpo template http://technet.microsoft.com/en-us/security/jj720323.aspx

>VMware Security Hardening Guides, also can catch this blog on some sample script to automate https://www.vmware.com/support/support-resources/hardening-guides.html

As a whole, probably the below tips can form a summary checklist for collective check (include Guest OS)
http://windowsitpro.com/windows/15-tips-vmware-security
Tip 1: Isolate the Host Network
Tip 2: Use the Host Machine Only for Your Virtual Infrastructure
Tip 3: Secure Remote Access Consoles
Tip 4: Limit Local Logons on Host
Tip 5: Encrypt Virtual Drives
Tip 6: Encrypt VM Backups
Tip 7: Set a User Context
Tip 8: Use Hardened Guest OS Templates
Tip 9: Turn off Host and Guest Interaction
Tip 10: Take Sensitive VMs Offline
Tip 11: Use Startup Passwords
Tip 12: Disable Scripting in the Guest OSs
Tip 13: Remove or Disconnect Devices
Tip 14: Always Log Off a VM Session
Tip 15: Update Written Security Polices to Include VMs
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 167 total points
ID: 40430161
For general template creation stuff, I use most of this (not the def profile copy as sysprep does that for you if you do it right)
http://notesfrommwhite.net/2014/07/20/how-to-build-a-windows-2012-r2-vmware-template/
0
 
LVL 63

Assisted Solution

by:btan
btan earned 333 total points
ID: 40430753
Good to take note besides the hardening on the independent OS and ESX is from VMWare hardening guide pdf
By capturing a hardened base operating system image (with no applications installed) in a template, you can ensure that all your virtual machines are created with a known baseline level of security. You can then use this template to create other, application-specific, templates or use the application template to deployvirtual machines

Provide templates for virtual machine creation that contain hardened, patched and properly configured OS deployments. If possible, predeploy applications in templates as well, although care should be taken that the application doesn’t depend upon virtual machine–specific information to be deployed. In vSphere, you can convert a template to a virtual machine and back again quickly, which makes updating templates quite easy. VMware Update Manager also provides the ability to automatically patch the operating system and certain applications in a template, thereby ensuring that they remain up to date.
Another consideration that you may be interested is whether to do it at the template-level or configuration-level. This is depends how you plan to use the application in your organization.  
E.g. Users create configurations from templates so the template approach work;
E.g. Users check out fully-built "gold masters" from library most of (if not all) the time so using templates is less prefer
Also for cloning, it is prefer for configuration cloning (and the Library and sharing), and not at the template level.
0
 
LVL 22

Author Closing Comment

by:Haresh Nikumbh
ID: 40432034
Thanks
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Giving access to ESXi shell console is always an issue for IT departments to other Teams, or Projects. We need to find a way so that teams can use ESXTOP for their POCs, or tests without giving them the access to ESXi host shell console with a root …
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question