Part of the VMware TAM service are Best Practice Reviews, enabled in many cases by the VMware Health Analyser tool. This post is a list of the top five configuration and best practice issues I typically encounter, and how you can resolve them within your estates.
Use persistent and remote syslog logging to improve manageability
“Remote logging both persistently on each host and to a central host (syslog server) can greatly improve administration and management. By making files available when needed and gathering files on a central server, you can easily monitor all hosts and perform event correlation, aggregate analysis, and make root cause analysis easier for troubleshooting. Also, gathering the log files on a remote system allows you to retain more historical information for postmortem analysis of compromised systems.”
A guide to configuring syslog is below;
Use NTP, Windows Time Service, or another timekeeping utility for all ESXi Hosts and virtual machines
“Time synchronization is important for many reasons, including easier correlation of information for troubleshooting and preventing erratic behavior of time-sensitive applications.”
A guide to configuring NTP is below;
https://kb.vmware.com/s/article/1006427 <> Timekeeping best practice for Linux guests
https://kb.vmware.com/s/article/1318 <> Timekeeping best practice for Windows guests
Avoid unnecessary changes to advanced parameter settings
“Advanced parameters can cause unexpected behavior on ESXi hosts, if not configured correctly. It is best to avoid using them unless absolutely necessary. If they are used, it is best to perform a check to determine whether advanced parameters are consistently configured across ESXi hosts in a cluster.”
This finding isn’t flagging the fact that advanced features are being used – it is flagging that there are inconsistencies between hosts, that might result in unexpected behaviour.
To effectively manage this configuration, without going a little insane, we have Host Profiles. There a great resource that can be customisable to meet your specific requirements and will help avoid inconsistencies between host deployments!
Change port group security default settings for Forged Transmits, Promiscuous Mode, and MAC Address Changes to Reject unless required
“VMware recommends that port group security default settings for Forged Transmits, Promiscuous Mode, and MAC Address Changes be set to Reject for improved security. When the MAC address changes option is set to Reject, ESXi does not honor requests to change the effective MAC address to a different address than the initial MAC address. This setting protects the host against MAC impersonation. To protect against MAC impersonation, you can set the Forged transmits option to Reject. If you do, the host compares the source MAC address being transmitted by the guest operating system with the effective MAC address for its virtual machine adapter to see if they match. When the addresses do not match, the ESXi host drops the packet. Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire. By default, the virtual machine adapter cannot operate in promiscuous mode.”
MAC Address Changes
Use vCenter Server roles, groups, and permissions to provide appropriate access and authorization to the virtual infrastructure. Avoid using Windows built-in groups such as the Administrators group
“By default, the administrator access is defined as a part of the Platform Services Controller installation. The configured user or group who has full administrative control of vCenter Server (and the virtual infrastructure). This can allow other system administrators who are not virtual infrastructure administrators access to the infrastructure, if a dedicated group or user is not created.”
With the virtual estates support more and more tier one applications, it is vitally important that you are able to track actions performed against VC to particular users or services, as this helps you troubleshoot if anything goes wrong. Not using the administrative account for everything is also good security hygiene and even has it’s own principle, the principle of least privilege.
User and management task guide
Hopefully this is useful