Adapting Business Processes for Virtual Infrastructure (and vice-versa)
04-29-2009 / 16:08
http://technet.microsoft.com/en-us/library/cc784390.aspx
I ran into this issue when using SysPrep and Virtual Center templates. The username for the Service Account was longer than 20 characters and no matter how hard I tried vCenter would not add the newly created machine to the domain. When I tried with just the first 20 characters of the user name account it worked like a charm!
The maximum length of a domain name is 15 characters, and the maximum length of a user name is 20 characters. Adding a character for the backslash (“\”), the field should allow a total of 36 characters.
Active Directory Object Names
http://technet.microsoft.com/en-us/library/cc776019.aspx
NET USER command
http://support.microsoft.com/kb/251394
http://www.ecst.csuchico.edu/~sim/546/notes/w2003NOTE4.htm
04-28-2009 / 10:37
This is a short list of Tools and Documents concerning security in a Virtual Infrastructure.
Tools – page 1
Documents – page 2
Tools
Configuresoft
- Configuresoft’s Center for Policy and Compliance (CP&C) has led the industry in forming opinion and bringing together published security and compliance information to build a rich library of compliance toolkits that are available for download by Configuresoft customers from www.configuresoft.com. These CP&C Compliance Toolkits include:
- VMware Infrastructure 3 Security Hardening Guidelines and VMware Virtual Center Best Practices
- FISMA Compliance Toolkit for Virtual Computing
- GLBA Compliance Toolkit for Virtual Computing
- HIPAA Compliance Toolkit for Virtual Computing
- Sarbanes-Oxley (404) Compliance Toolkit for Virtual Computing
- DISA STIG Compliance Toolkit for Virtual Computing
- http://vmblog.com/archive/2008/04/08/configuresoft-expands-security-and-compliance-coverage-to-include-cis-vmware-esx-3-x-server-benchmark.aspx
HyTrust
HyTrust Appliance – http://www.hytrust.com/product/overview
- The HyTrust™ Appliance offers IT managers and administrators of virtual infrastructure a centralized, single point of control and visibility for:
- configuration management
- compliance auditing
- access management
- best practices
- process workflow
- security controls
TripWire
http://www.tripwire.com/solutions/virtualization/
- ConfigCheck rapidly assesses the security of ESX 3.0 and 3.5 hypervisors compared to the Virtual Infrastructure 3 Security Hardening Guidelines.
- ConfigCheck assesses nearly 100 configurations of the ESX server, and most VI professionals who run the test find significant vulnerabilities. ConfigCheck’s remediation report provides detailed, step-by-step guidance to bring your virtual environment into a state that is secure. ConfigCheck helps you:
- Ensure recommended ESX configurations
- Discover possible vulnerabilities
- Deploy virtualization safely and securely
- Increase security posture of the entire enterprise
- Reduce configuration drift
- http://www.vwire.com/free-tools/configcheck/
VMinformer
- VMinformer is a security tool designed to check the security posture of your VMware environment. The tool comes with pre-defined policies that can be customized to suit your specific requirements and are based on industry best practices such as ‘VMware’s Security best practice hardening guide’ and the ‘DISA ESX STIG’ hardening guide. The policies also contain rules that have been based on extensive research and industry experience.
- Features:
- Connects to your ESX hosts or Virtual Center (v3.0, 3.5 and VC 2.5)
- Pre-defined policies based on industry best practices (VMware security hardening guide)
- Policies can be customized for your environment
- Provides full visibility and monitoring of your ESX hosts and Virtual machines
- Dashboard – Provides a graphical overview of VM’s and Security Posture
- Reporting
- Remediation guidance
04-19-2009 / 19:12
InfoSec Survival Guide: Cracking Cisco Passwords with John
http://infosecsurvivalguide.blogspot.com/2008/11/cracking-cisco-passwords-with-john.html
http://www.openwall.com/john/pro/macosx/
http://www.macshadows.com/forums/index.php?showtopic=8506
John the Ripper 1.7.3.1
http://mac.softpedia.com/get/Security/John-the-Ripper.shtml
John the Ripper 1.7.2 for G4 PowerPC, G5 PowerPC and Intel Macs (Universal Binary) (released 11/30/07)
http://www.macunix.net/JTR/john-1.7.2-macosx-universal.zip
Download the pre-patched (for OS X salted SHA1 hashes too) pre-compiled version of John the Ripper here:
http://www.macunix.net/JTR/
Unzip the archive.
Open Terminal.
Drag the file “john” from the folder “run” from within the unzipped “john-1.7.2-macosx-universal” folder to the Terminal window and let go.
Type a space.
Drag the text file containing your hash ( student:078D486A55E9922772C7F6F46113038E4800D6EDF4D31720 ) to the Terminal window and let go.
Click back in the Terminal window and press the return key.
QUOTE
Loaded 1 password hash (Salt SHA1 [salt-sha1])
barlow (student)
04-16-2009 / 14:21
procedure to find port by ip arp mac
Assumptions:
You have an IP address and want to find out what switch port it is on.
There is a core switch with edge switches and Cisco CDP is running.
Example: IP address is 10.1.1.69
- find the MAC address of this IP
open ssh console to core switch and run “sh arp”
coreswitch#sh arp | inc 10.1.1.69
Internet 10.1.1.69 0 0007.1234.cd43 ARPA Vlan5
- find port from MAC address
coreswitch#sh mac-address-table dynamic | inc 0007.1234.cd43
* 5 0007.1234.cd43 dynamic Yes 5 Gi7/12
- find edge switch for port
coreswitch#sh cdp nei gi7/12
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
edgeswitch.company.net
Gig 7/12 176 S I WS-C3560G-Gig 0/49
- open ssh console to edge switch, run “sh arp” and repeat the process
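The three lookups above chained into one trace, as an added example that is not part of the original post. The sample outputs are constructed from the ones shown in the procedure, and the function names are hypothetical.

```python
import re

# Constructed sample outputs modelled on the three commands in the procedure.
ARP_OUT = """\
Internet  110.1.1.69   12   0007.aaaa.0001  ARPA   Vlan9
Internet  10.1.1.69     0   0007.1234.cd43  ARPA   Vlan5
"""
MAC_OUT = "*    5  0007.1234.cd43   dynamic  Yes   5   Gi7/12\n"
CDP_OUT = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
edgeswitch.company.net
                 Gig 7/12          176          S I      WS-C3560G-Gig 0/49
"""

def mac_for_ip(arp_output, ip):
    """Exact match on the address field; '| inc 10.1.1.69' is a regex and
    would also return the 110.1.1.69 line."""
    for line in arp_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "Internet" and f[1] == ip:
            return f[3].lower()
    return None

def port_for_mac(mac_output, mac):
    """Last column of the mac-address-table line that carries this MAC."""
    for line in mac_output.splitlines():
        f = line.split()
        if mac.lower() in [x.lower() for x in f]:
            return f[-1]
    return None

def cdp_neighbor(cdp_output):
    """(device_id, remote_port) for a single-port 'sh cdp nei', else None.
    A long Device ID wraps onto its own line and the truncated Platform
    column can run into Port ID, so tokens are taken from both ends."""
    lines = cdp_output.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("Device ID")), None)
    body = " ".join(lines[start + 1:]).split() if start is not None else []
    if len(body) < 4:
        return None  # no CDP neighbor reported on this port
    kind = re.search(r"[A-Za-z]+$", body[-2])
    return body[0], f"{kind.group(0) if kind else ''} {body[-1]}".strip()

def trace(ip, arp_output, mac_output, cdp_output):
    mac = mac_for_ip(arp_output, ip)
    port = port_for_mac(mac_output, mac) if mac else None
    nbr = cdp_neighbor(cdp_output) if port else None
    return {"mac": mac, "port": port, "neighbor": nbr}
```

When `neighbor` comes back as `None`, the port has no CDP neighbor and the walk stops at that switch.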
03-25-2009 / 10:50
When logging into a PanoLogic virtual desktop console for the first time…
The default display resolution was 1024×768 standard 4:3 XGA
The HP w1707 LCD monitor has a native resolution of 1680×1050@60Hz 16:10 WSXGA+
Using the pano logic control panel I was only able to set the max resolution to 1440×900@69Hz 16:10 WSXGA
http://www.panologic.com/
List of Supported Resolutions: http://help.panologic.com/2.6/wwhelp/wwhimpl/js/html/wwhelp.htm#href=Introduction/Supported_Monitor_Resolutions.html
03-19-2009 / 11:15
Follow these steps if you need to reset the root password on an ESX classic.
Note: Ignore the “quote marks” in the instructions below.
1 – turn on system (if it’s on then reboot it with Ctrl-Alt-Del from console)
2 – when grub appears press the “tab” key
3 – highlight VMware ESX line using the “arrow” keys
4 – press the “e” key
5 – scroll to kernel line using the “arrow” keys
6 – press the “e” key (again, I know!)
7 – press the “end” key to move cursor to end of the kernel line
8 – type the word “single” (using the keys)
9 – press the “b” key to boot the ESX host into single user mode
10 – eventually a “sh-3.2#” root prompt will appear
11 – use the command “passwd” to reset the password
12 – use the command “reboot” to reboot the ESX machine
13 – login to the console or the vic using the new password!
That’s it! I hope this procedure works for you. Your feedback is appreciated.
Moral of this story is:
1 – always protect the physical environment where your ESX host is located.
2 – always secure the Lights Out/Remote Access/IP-KVM/console access to your host.
3 – consider using a GRUB password on your ESX host so as to prevent password resets.
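A check for point 3, as an added example that is not part of the original post: it audits a GRUB legacy configuration for a global password, which is what stops the boot-entry edit used in the reset procedure. The sample configs are constructed, the kernel path and hash are placeholders, and the function name is hypothetical.

```python
import re

# Constructed GRUB legacy configs; kernel path and hash are placeholders.
UNPROTECTED = """\
default=0
timeout=5
title VMware ESX
    root (hd0,0)
    kernel /vmlinuz-PLACEHOLDER ro root=LABEL=/
"""
PROTECTED = UNPROTECTED.replace(
    "timeout=5\n", "timeout=5\npassword --md5 $1$PLACEHOLDER$PLACEHOLDERHASH\n")
CLEARTEXT = UNPROTECTED.replace("timeout=5\n", "timeout=5\npassword PLACEHOLDER\n")

def audit_grub_conf(text):
    """Return findings for a GRUB legacy grub.conf (empty list = no findings).

    Only a 'password' command in the global section, before the first
    'title', blocks interactive editing of boot entries at the menu."""
    findings, in_global, has_pw = [], True, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)[ \t=]*(.*)", line)
        if not m:
            continue
        word, rest = m.group(1).lower(), m.group(2).split()
        if word == "title":
            in_global = False
        elif word == "password" and in_global:
            has_pw = True
            if "--md5" not in rest:
                findings.append("global password is stored in clear text; use --md5")
    if not has_pw:
        findings.append("no global password: boot entries can be edited at the menu")
    return findings
```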
03-09-2009 / 08:50
Here’s an example hosts.allow:
#begin
sshd:management.host.com:allow
sshd:ALL:deny
xinetd:management-host-ip-or-fqdn-hostname:allow
xinetd:ALL:deny
httpd:management-host-ip-or-fqdn-hostname:allow
httpd:ALL:deny
#eof
But even this may be too simple.
Reference:
http://www.dell.com/downloads/global/…/tnc/dell_vmware_certified_deploy.pdf
http://communities.vmware.com/thread/182964?tstart=0
What this will do is allow all hosts to ssh into the system while only allowing VI client connections from the virtualcenter server. This means you pretty much have to go through virtualcenter to manage the system.
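How rules in the `daemon:client:option` form of the hosts.allow example are evaluated, as an added example that is not part of the original post. It is a simplified model (exact names and `ALL` only, no wildcards, netmasks or DNS), the sample is constructed with one deliberately misspelled daemon name, and the function names are hypothetical.

```python
# Constructed sample in the page's daemon:client:option form; "xinetx" is a
# deliberate misspelling to show what a typo in the daemon name does.
SAMPLE = """\
#begin
sshd:management.host.com:allow
sshd:ALL:deny
xinetd:management.host.com:allow
xinetx:ALL:deny
#eof
"""

def parse_rules(text):
    """Return [(daemons, clients, action)] in file order, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        # A rule in hosts.allow grants access unless it carries the deny option.
        action = "deny" if "deny" in [p.lower() for p in parts[2:]] else "allow"
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients, action))
    return rules

def decide(rules, daemon, client):
    """First matching rule wins. None means no rule matched: hosts.deny is
    consulted next, and access is granted if nothing matches there either."""
    for daemons, clients, action in rules:
        if (daemon in daemons or "ALL" in daemons) and \
           (client in clients or "ALL" in clients):
            return action
    return None

def unknown_daemons(rules, expected):
    """Daemon names used in rules but absent from the expected set (likely typos)."""
    used = {d for daemons, _, _ in rules for d in daemons if d != "ALL"}
    return sorted(used - set(expected))
```

In the sample, a connection to `xinetd` from any host other than the management host matches no rule, so the misspelled deny line silently leaves it open unless hosts.deny catches it.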