Between budget cuts and New Year’s resolutions, improving your security posture is probably near the top of your to-do list. Much has been made of security concerns in a virtual environment, but it is always good to revisit your configurations and make sure they are still on par with recommended best practices. I began re-reviewing VI security best practices after reading a post by Bob Plankers at The Lone SysAdmin (Bob has been on my reading list for years – he has a great style and always brings fresh insights) on why you would want a second super-user account on your ESX servers.
We certainly all have our own opinions and operations procedures when it comes to configuring and hardening our environments, but I decided to take a look at what the experts had to say on this particular subject and other basic build and hardening recommendations. Here is what I found:
VI3.5 Security Hardening Whitepaper
Defense Information Systems Agency (DISA) ESX Server Security Technical Implementation Guide
As a side note, DISA publishes many STIGs at https://iase.disa.mil/stigs/. Your tax dollars paid for these, so you might as well check them out.
NSA VMware ESX Server 3 Configuration Guide
There are also numerous tips and scripts for locking down your virtual infrastructure in the VMware Community Forums (Start here: https://communities.vmware.com/message/941372).
So back to the question of second super-user accounts: it seems that the best practice is to create a second user account with sufficient access to the console, grant that user sudo privileges, and then disable the default root account.
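A read-only audit of that layout, added here as an example (it is not from the original post or the guides listed above). It assumes "disabled" means root's password field in the shadow file is locked and that the second account has a direct rule in sudoers; the function names and the `vadmin` account are hypothetical.

```shell
# Added example: audit the "second super-user, root disabled" layout.
# Assumption: a locked root has a shadow password field starting with ! or *.

# sudo_admins PASSWD SUDOERS: print non-root accounts with a login shell
# and a direct "<user> ALL=(...) ... ALL" rule in the sudoers file.
sudo_admins() {
    awk -F: '$1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$1" |
    while read -r user; do
        if awk -v u="$user" '$1 == u && $2 ~ /^ALL=/ && $NF == "ALL" { hit = 1 }
                             END { exit !hit }' "$2"; then
            echo "$user"
        fi
    done
}

# root_locked SHADOW: succeed only if root exists and its password is locked.
root_locked() {
    awk -F: '$1 == "root" { found = 1; if ($2 ~ /^[!*]/) ok = 1 }
             END { exit !(found && ok) }' "$1"
}

# audit_superuser PASSWD SHADOW SUDOERS: return 0 only if both checks pass.
# A locked root with no sudo-capable account is a lockout, so it fails too.
audit_superuser() {
    rc=0
    admins=$(sudo_admins "$1" "$3")
    if [ -n "$admins" ]; then
        echo "OK: sudo-capable non-root account(s): $(echo $admins)"
    else
        echo "FAIL: no non-root account with full sudo rights"; rc=1
    fi
    if root_locked "$2"; then
        echo "OK: root password is locked"
    else
        echo "FAIL: root can still authenticate with a password"; rc=1
    fi
    return $rc
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:2:2:daemon:/sbin:/sbin/nologin' \
    'vadmin:x:500:500::/home/vadmin:/bin/bash' > "$tmp/passwd"
printf '%s\n' 'root:!!:14245:0:99999:7:::' \
    'vadmin:$1$constructed:14245:0:99999:7:::' > "$tmp/shadow"
printf '%s\n' 'root ALL=(ALL) ALL' 'vadmin ALL=(ALL) ALL' > "$tmp/sudoers"
audit_superuser "$tmp/passwd" "$tmp/shadow" "$tmp/sudoers"
```

On a live host the three arguments would be `/etc/passwd`, `/etc/shadow` and `/etc/sudoers`, read as root; group-based rules such as `%wheel` are not evaluated by this check.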