VMware very strongly suggests TPM for all servers in tightened vSphere security guide

VMware has published new and tighter security configuration guidance for its flagship vSphere private cloud suite.

Virtzilla went a couple of years without a major update, then published one just after vSphere 7.0 Update 1 appeared in October 2020.

Bob Plankers, a VMware technical marketing architect, announced the updated guidance today and said the 2020 edition “took the opportunity to be more prescriptive about best practices in all parts of a vSphere implementation.”

“Today’s update takes that a bit further,” he wrote without saying why VMware decided on the extra guidance.

The most eye-catching part for The Register is the very strong suggestion that it’s time to only run servers that run Trusted Platform Module (TPM).

“TPM 2.0 is an inexpensive way to get some very advanced security out of VMware vSphere and ESXi, and we feel strongly that you should not be acquiring new hardware without these.”

TPM is still an option in some servers or is not enabled by default. vAdmins take note!

Another change is controls to isolate management, vMotion, and vSAN. Plankers wrote that doing has been “commonly held as a sort of ‘tribal knowledge’.”

“We finally wrote it down,” he said, adding that VMware thinks it should apply to hardware, too, because: “Out-of-band management controllers like Xclarity, iLO, and iDRAC are wonderful, but they can sometimes be configured in ways that present opportunities to attackers, and we’d like you to think about that as part of your system designs.”

The PCIe bus exercised VMware’s security bods, who have re-instated guidance about how and when to allow passthrough to the bus lest bad actors try to exploit a VM’s access to directly access hardware.

The new guide adds a list of deprecated controls, among them one that restricted display output to VGA only.

“Many modern guest OSes do not like that,” Plankers wrote. “It’s a source of friction and confusion and the cause of a lot of calls to support (ours and others).”

TPM 2.0 is an inexpensive way to get some very advanced security out of vSphere

“Beyond that, though, modern guest OSes sometimes don’t display anything at all when they can’t get the video mode they like, and that means important diagnostic information may go unobserved. Security is a trade-off, and the meagre benefits we might get from this control are completely outweighed by the problems the control causes. You can certainly use the control if you want, but we don’t recommend it for general use anymore.”

The complete guide can be found here. The Register suggests it matters because while VMware has extended the supported lifespan of vSphere 6.7, support for version 6.5 expires in November 2021 and the virtual software biz is politely-but-insistently pushing users towards upgrading to its latest offering. With a double dose of recent security guidance to consider, upgrades will likely require a little more attention than previous projects.

VMware also today announced that Accenture has created a new business group dedicated to its wares.

“The Accenture VMware Business Group represents a new multi-year, multi-million-dollar investment from the two companies,” said a canned statement. Some 2,000 Accenture staff will work in the Group, and some will do the consultancy’s usual trick of creating the “assets and accelerators” that services organisations always suggest as a faster way of getting projects moving. ®