HyTrust Appliance 2.0 is available. Building on the successes of 2009, which included our initial product launch and numerous awards, we’re happy to see the streak continue into 2010 by delivering a major new release that will empower enterprises to capitalize on the wave of datacenter virtualization and accelerate efforts to virtualize tier-one applications. The features available in HyTrust Appliance 2.0 deliver true enterprise-class policy management and access control capabilities to virtual infrastructure. New features include the following:

* Root Password Vault: Locks down privileged host accounts and provides passwords for temporary use to enable time-limited privileged account access. Root accounts on hypervisors are extremely powerful and, as a consequence, can create a significant liability if not kept out of the wrong hands. With the aid of Root Password Vault, all root account access is attributable to an individual and every action is logged, providing far greater visibility and accountability.
* Federated Deployment: Secure distributed system architecture allows for automated replication of policies and templates across multiple HyTrust Appliances as well as geographic boundaries. For larger enterprises with multiple datacenters and collocation facilities, Federated Deployment of HyTrust Appliances ensures consistency of controls across the entire infrastructure.
* Virtual Infrastructure Search: Enables quick and easy accessibility to all virtual infrastructure objects, policies, and logs within HyTrust Appliance.
* Remote API: Interface to remotely access and automate the administration of the HyTrust Appliance. Provides the greater scalability demanded by large, enterprise-wide deployments of virtualization.
* Object Policy Labels: Creates a policy categorization structure, similar to “Web 2.0 tagging” for virtual infrastructure objects, which enables better organization and tighter, more consistent controls. Object Policy Labels enable access, network segment, and zoning policies, which allows administrators to dictate which virtual machines are allowed to connect to which network segments or hosts via RuleSets and Constraints.
* Router-Mode: a deployment option where all VMware management traffic is forced to flow through the HyTrust Appliance. HyTrust Appliance acts as a router for the “protected” management subnet and ESX/ESXi hosts and vCenter Server use HyTrust Appliance as their default gateway. This adds yet another flexible deployment option to the other existing options, ensuring the HyTrust Appliance will easily adapt to any enterprise architecture.

Along with the new capabilities delivered in 2.0, we’d like to introduce you to the new editions of HyTrust Appliance:

* Community Edition is a free version of the product that supports up to three hosts.
* Standard Edition supports an unlimited number of hosts and offers more flexible deployment options.
* Enterprise Edition supports an unlimited number of hosts, offers more flexible deployment options, supports federation of multiple HyTrust Appliances, enables privileged account management via Root Password Vault, allows two-factor authentication, and offers a remote API for additional management flexibility.

You can download the Community Edition of HyTrust Appliance at http://www.hytrust.com/community.

VMware makes periodic updates to the ESXi Installable version you can download. This page was created to help track and locate those.

Use these numbers to determine when a system was patched last and to make sure the VMware Infrastructure Client is the right one.

Best Practice:

ESXi: Run the VMware Infrastructure Update tool from a windows management station with the VMware Infrastructure Client every month.

ESX: Use vCenter Update Manager to scan and remediate ESX hosts when new security patches are available.

How to Check the Version Numbers:

1. Download the VMware Infrastructure Client from the Web User Interface.
   For example: https://ESX-HOST-IP-ADDRESS/client/VMware-viclient.exe
2. Start the VMware Infrastructure Client
3. Click the Help Menu
4. Select “About”
5. Note the Version and Build for both the Client and Server.
6. Compare to list below to ensure they are at same release.
7. If you update the Server you should connect to the Web User Interface and download the latest VMware Infrastructure Client.

Latest Install ISO is VMware ESXi 3.5 Installable Update 4 Build Number: 153875
Released: (2009.03.20)

ESXe350-200907401-O-SG – PATCH Build 176894 (2009.05.28) – VIC 147633 – Tools 176894 <– Latest Patch

ESXe350-200906401-O-BG – PATCH Build 169697 (2009.05.28) – VIC 147633 – Tools 169697

ESXe350-200905401-O-BG – PATCH Build 163429 (2009.05.28) – VIC 147633 – Tools 158874
ESXe350-200904401-O-SG – PATCH Build 158874 (2009.04.29) – VIC 147633 – Tools 158874
ESXe350-200904201-O-SG – PATCH Build 158869 (2009.04.10) – VIC 147633 -
ESXe350-200903201-O-UG – UPDATE Build 153875 (2009.03.30) – VIC 147633 <– Update 4
ESXe350-200903411-O-BG – PATCH Build 153840 (2009.03.20) – VIC 119801
ESXe350-200901401-O-SG – PATCH Build 143129 (2009.01.30) – VIC 143129
ESXe350-200811401-O-SG – PATCH Build 130755 (2009.12.02) – VIC 119801
ESXe350-200810401-O-UG – UPDATE Build 123629 (2008.11.17) – VIC 119801 Update 3

The typical way to apply patches to ESXi hosts is through the VMware Update Manager. For details, see the VMware Update Manager Administration Guide.

ESXi hosts can also be updated by downloading the most recent “O” (offline) patch bundle from http://support.vmware.com/selfsupport/download/ and installing the bundle using VMware Infrastructure Update or by using the vihostupdate command through the Remote Command Line Interface (RCLI). For details, see the ESX Server 3i Configuration Guide and the ESX Server 3i Embedded Setup Guide (Chapter 10, Maintaining ESX Server 3i and the VI Client) or the ESX Server 3i Installable Setup Guide (Chapter 11, Maintaining ESX Server 3i and the VI Client).

Note: ESXi hosts do not reboot automatically when you patch with the offline bundle.

Reference:

http://support.vmware.com/selfsupport/s3portal.portal?_nfpb=true&_windowLabel=SearchPatch&SearchPatch_actionOverride=%2Fportlets%2Fpatchupdate%2FfindPatchByProductVersion&_pageLabel=s3portal_pages_downloadPatch_page&version=3.5&product=ESXi%20(Embedded%20and%20Installable)

There are some good free AntiVirus tools you can use to scan and protect your Microsoft Windows based computers.

• Panda Free On-Line Scan
  • http://www.pandasecurity.com/activescan/index/?track=1&Lang=en-US&IdPais=63
• Symantec Security Check Free On-Line Scan
  • http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&close_parent=true
• AVG Anti-Virus Free Edition 8.5.339 - Protect your computer from viruses and malicious programs. Read review
  • Added on 05/18/2009 - http://download.cnet.com/3001-20_4-10320142.html
• PC Tools Free AV Software for your desktop
  • http://www.pctools.com/free-antivirus/download/
• Avast / Avira Home Personal Free AntiVirus
  • http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html

Are there others you use? Let me know your feedback on these.

Roles and RBAC on NetApp filers – http://www.netapp.com/us/library/technical-reports/tr-3358.htm or http://media.netapp.com/documents/tr-3358.pdf

http://technet.microsoft.com/en-us/library/cc784390.aspx

I ran into this issue when using SysPrep and Virtual Center tempaltes. The username for the Service Account was longer that 20 character and no matter how hard I tried vCenter would not add the newly created machine to the domain. When I tried with just the first 20 characters of the user name account it worked like a charm!

The maximum length of a domain name is 15 characters, and the maximum length of a user name is 20 characters. Adding a character for the backslash (“\”), the field should allow a total of 36 characters.
Active Directory Object Names

http://technet.microsoft.com/en-us/library/cc776019.aspx

NET USER command

http://support.microsoft.com/kb/251394

http://www.ecst.csuchico.edu/~sim/546/notes/w2003NOTE4.htm

• FISMA Compliance Toolkit for Virtual Computing
• GLBA Compliance Toolkit for Virtual Computing
• HIPAA Compliance Toolkit for Virtual Computing
• Sarbanes-Oxley (404) Compliance Toolkit for Virtual Computing
• DISA STIG Compliance Toolkit for Virtual Computing
• http://vmblog.com/archive/2008/04/08/configuresoft-expands-security-and-compliance-coverage-to-include-cis-vmware-esx-3-x-server-benchmark.aspx

InfoSec Survival Guide: Cracking Cisco Passwords with John

http://infosecsurvivalguide.blogspot.com/2008/11/cracking-cisco-passwords-with-john.html

http://www.openwall.com/john/pro/macosx/

http://www.macshadows.com/forums/index.php?showtopic=8506

John the Ripper 1.7.3.1

http://mac.softpedia.com/get/Security/John-the-Ripper.shtml

John the Ripper 1.7.2 for G4 PowerPC, G5 PowerPC and Intel Macs (Universal Binary) (released 11/30/07)

http://www.macunix.net/JTR/john-1.7.2-macosx-universal.zip

Download the pre-patched (for OS X salted SHA1 hashes too) pre-compiled version of John the Ripper here:

http://www.macunix.net/JTR/

Unzip the archive.

Open Terminal.

Drag the file “john” from the folder “run” from within the unzipped “john-1.7.2-macosx-universal” folder to the Terminal window and let go.

Type a space.

Drag the text file containing your hash ( student:078D486A55E9922772C7F6F46113038E4800D6EDF4D31720 ) to the Terminal window and let go.

Click back in the Terminal window and press the return key.
QUOTE
Loaded 1 password hash (Salt SHA1 [salt-sha1])
barlow (student)

procedure to find port by ip arp mac

Assumptions:
You have an IP address and want to find out what switch port it is on.
There is a core switch with edge switches and Cisco CDP is running.
Example: IP address is 10.1.1.69
- find the MAC address of this IP
open ssh console to core switch and run “sh arp”
coreswitch#sh arp | inc 10.1.1.69
Internet 10.1.7.69 0 0007.1234.cd43 ARPA Vlan5
- find port from MAC address
coreswitch#sh mac-address-table dynamic | inc 0007.1234.cd43
* 5 0007.1234.cd43 dynamic Yes 5 Gi7/12
- find edge switch for port
coreswitch#sh cdp nei gi7/12
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
edgeswitch.company.net
Gig 7/12 176 S I WS-C3560G-Gig 0/49
- open ssh console to edge switch and run “sh arp” repeat process

When logging into a PanoLogic virtual desktop console for the first time…

The default display resolution was 1024×768 standard 4:3 XGA

The HP w1707 LCD monitor has a native resolution of 1680×1050@60Hz 16:10 WSXGA+

Using the pano logic control panel I was only able to set the max resolution to 1440×900@69Hz 16:10 WSXGA

http://www.panologic.com/

List of Supported Reslutions: http://help.panologic.com/2.6/wwhelp/wwhimpl/js/html/wwhelp.htm#href=Introduction/Supported_Monitor_Resolutions.html

Follow these steps if you need to reset the root password on an ESX classic.

Note: Ignore the “quote marks” in the instructions below.

1 – turn on system (if it’s on then reboot it with Ctrl-Alt-Del from console)
2 – when grub appears press the “tab” key
3 – highlight VMware ESX line using the “arrow” keys
4 – press the “e” key
5 – scroll to kernel line using the “arrow” keys
6 – press the “e” key (again, I know!)
7 – press the “end” key to move cursor to end of the kernel line
8 – type the word “single” (using the keys)
9 – press the “b” key to boot the ESX host into single user mode
10 – eventually a “sh-3.2#” root prompt will appear
11 – use the command “passwd” to reset the password
12 – use the command “reboot” to reboot the ESX machine
13 – login to the console or the vic using the new password!

That’s it! I hope this procedure works for you. Your feedback is appreciated.

Morale of this story is:
1 – always protect the physical environment where you ESX host is located.
2 – always secure the Lights Out/Remote Access/IP-KVM/console access to your host.
3 – consider using a GRUB password on your ESX host so as to prevent password resets.