Saturday, 26 November 2016

VCAP-DCV :: Changing password options/strength and MOB

1.) Check the Security options on the ESXi host:

[root@kb-e01:~] vim-cmd hostsvc/advopt/view Security
(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Security.AccountLockFailures",
      value = 10
   },
   (vim.option.OptionValue) {
      key = "Security.AccountUnlockTime",
      value = 120
   },
   (vim.option.OptionValue) {
      key = "Security.PasswordQualityControl",
      value = "retry=3 min=disabled,disabled,disabled,7,7"
   }
]

2.) Weaken the password quality control, e.g. to allow a password such as VMware1!:

[root@kb-e01:~] vim-cmd hostsvc/advopt/update "Security.PasswordQualityControl" string "retry=3 min=8,8,8,7,6"

[root@kb-e01:~] vim-cmd hostsvc/advopt/view "Security.PasswordQualityControl"
(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Security.PasswordQualityControl",
      value = "retry=3 min=8,8,8,7,6"
   }
]

3.) Disable the Managed Object Browser (MOB) to reduce the attack surface (on vSphere 6.x the MOB is disabled by default):

[root@kb-e01:~] vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.solo
(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.enableMob",
      value = false
   },
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.webServer.enableWebscriptLauncher",
      value = true
   }
]

4.) Enable the MOB to weaken the system:

[root@kb-e01:~] vim-cmd hostsvc/advopt/update Config.HostAgent.plugins.solo.enableMob bool 1
[root@kb-e01:~] vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.solo
(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.enableMob",
      value = true
   },
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.webServer.enableWebscriptLauncher",
      value = true
   }
]
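
An added example, not part of the original post: a POSIX shell check that reads `vim-cmd hostsvc/advopt/view` output and reports where a host is weaker than the step 1 value of Security.PasswordQualityControl or has the MOB enabled. The function names, the choice of baseline, the shortened sample and the availability of awk are assumptions; min= is read as the pam_passwdqc fields N0..N4.

```shell
#!/bin/sh
# Added example, not from the original post. Baseline is the value from step 1.
BASELINE_MIN="disabled,disabled,disabled,7,7"

# Reads `vim-cmd hostsvc/advopt/view` output on stdin, prints one line per
# finding, and returns 1 if anything is weaker than the baseline.
audit_advopt() {
    awk -v base="$BASELINE_MIN" '
    function fail(msg) { print "FAIL " key ": " msg; bad = 1 }
    /key = /   { key = $0; sub(/^[^"]*"/, "", key); sub(/".*$/, "", key) }
    /value = / {
        val = $0; sub(/^.*value = /, "", val); sub(/[ \t]*$/, "", val)
        sub(/^"/, "", val); sub(/",?$/, "", val)
        if (key ~ /\.enableMob$/ && val == "true") fail("MOB is enabled")
        if (key == "Security.PasswordQualityControl") {
            # pam_passwdqc: min=N0,N1,N2,N3,N4 is a minimum length per kind
            split("1-class,2-class,passphrase,3-class,4-class", kind, ",")
            len = val; sub(/^.*min=/, "", len); sub(/ .*$/, "", len)
            split(base, want, ",")
            if (split(len, got, ",") != 5) { fail("cannot parse min="); next }
            for (i = 1; i <= 5; i++) {
                if (got[i] == "disabled") continue   # strictest setting
                if (want[i] == "disabled" || got[i] + 0 < want[i] + 0)
                    fail(kind[i] " min " got[i] ", baseline " want[i])
            }
        }
    }
    END { exit bad + 0 }'
}

# Constructed sample: the output shown after steps 2 and 4, shortened.
sample_weakened() {
    cat <<'EOF'
(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Security.PasswordQualityControl",
      value = "retry=3 min=8,8,8,7,6"
   },
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.enableMob",
      value = true
   }
]
EOF
}

sample_weakened | audit_advopt || echo "host is weaker than baseline"
```

On a host, pipe the real output in, for example `vim-cmd hostsvc/advopt/view Security | audit_advopt`.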







