vCenter Configuration Manager Security Environment Requirements (VMware VCM 5.3)
5.5 Beware of cross-site scripting attacks

Cross-site scripting (XSS) lets a compromised web site attack a web application: when a user who is still logged in to the
web application browses, even briefly, to the compromised site, that site returns hidden script and styles that inject
commands into the web application and invoke actions in the user's login session without the user's knowledge.
VCM users can minimize the risk of XSS attacks by taking precautions: placing the VCM web server in a trusted
zone, disallowing linking into trusted zones, setting IE to transmit credentials, avoiding direct VCM login in favor of
Windows logins, and so on. Even with these safeguards in place, a residual risk of XSS attack remains that warrants
additional precaution. One effective step is to avoid using the general Internet while logged in to VCM, or to use VCM
only from a browser or virtual machine that is not used for general Internet browsing. Other steps include:

- Enabling the IIS 'Require client certificates' setting
- Never placing untrusted hosts in the trusted zone
- Evaluating the entering/exiting trusted zone warnings shown by IE
- Examining any non-Windows login prompts
- Never entering VCM from external links
- Not using VCM while browsing the Internet in other windows
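As an added check for two of the precautions listed above, the IIS client-certificate requirement and the IE Trusted sites configuration, the following read-only PowerShell audit is offered here; it is not part of the VMware white paper. It assumes placeholder values that you must replace: 'Default Web Site' as the name of the IIS site hosting VCM and 'vcm.example.com' as the VCM host name. The server-side function needs the WebAdministration module on the IIS host; the client-side functions read the current user's IE zone settings from the registry.

```powershell
# Added audit script; it is not part of the VMware white paper.
# Read-only checks for two of the precautions above:
#   1. server side: does the IIS site hosting VCM require client certificates?
#   2. client side: is the VCM host in the IE Trusted sites zone (zone 2), and is
#      that zone configured to transmit the user's Windows credentials?
# Placeholders (assumptions, replace with your values): 'Default Web Site' as the
# IIS site name and 'vcm.example.com' as the VCM host name.
# Test-VcmIisClientCert needs the WebAdministration module on the IIS server.

function Test-VcmIisClientCert {
    param([string]$VcmSiteName = 'Default Web Site')
    Import-Module WebAdministration -ErrorAction Stop
    # sslFlags is a flags attribute, e.g. "Ssl, SslNegotiateCert, SslRequireCert"
    $flags = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$VcmSiteName" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    $flagText = "$flags"
    [pscustomobject]@{
        Site               = $VcmSiteName
        SslFlags           = $flagText
        RequiresClientCert = [bool]($flagText -match 'SslRequireCert')
    }
}

function Get-IeZoneForHost {
    param([string]$TargetHost, [string]$Scheme = 'https')
    # Per-user zone assignments live under ZoneMap\Domains. IE stores
    # "vcm.example.com" as Domains\example.com\vcm and a wildcard entry
    # "*.example.com" as Domains\example.com; each holds a DWORD per scheme.
    # Assignments pushed by Group Policy live under the same path in HKLM.
    $labels = $TargetHost.Split('.')
    $candidates = @()
    if ($labels.Count -gt 2) {
        $parent = ($labels | Select-Object -Last 2) -join '.'
        $sub    = ($labels | Select-Object -First ($labels.Count - 2)) -join '.'
        $candidates += "Domains\$parent\$sub"
        $candidates += "Domains\$parent"
    }
    $candidates += "Domains\$TargetHost"
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($rel in $candidates) {
            $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$rel"
            if (Test-Path $key) {
                $zone = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Scheme
                if ($null -ne $zone) { return [int]$zone }
            }
        }
    }
    return $null   # no explicit mapping: IE applies its Internet/Intranet detection rules
}

function Test-VcmIeZone {
    param([string]$VcmHost = 'vcm.example.com')
    $zone = Get-IeZoneForHost -TargetHost $VcmHost
    # Zones\2\1A00 is the Trusted sites "Logon" setting:
    #   0x00000 automatic logon with current user name and password
    #   0x10000 prompt for user name and password
    #   0x20000 automatic logon only in Intranet zone
    #   0x30000 anonymous logon
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
    $logon = (Get-ItemProperty -Path $zoneKey -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    $logonText = if ($null -eq $logon) { 'not set' } else { '0x{0:X5}' -f [int]$logon }
    [pscustomobject]@{
        Host              = $VcmHost
        Zone              = $zone
        InTrustedZone     = ($zone -eq 2)
        TrustedZoneLogon  = $logonText
        TransmitsWinCreds = ($zone -eq 2 -and $logon -eq 0)
    }
}

# Usage (on the VCM web server):   Test-VcmIisClientCert -VcmSiteName 'Default Web Site'
# Usage (on a user's workstation): Test-VcmIeZone -VcmHost 'vcm.example.com'
```

A result of `RequiresClientCert = False` on the server, or `InTrustedZone = False` on a workstation, means the corresponding precaution from the list is not in effect for that site or user; the script reports and does not change anything, so remediation stays a deliberate administrative step.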

5.6 Exported data is outside the control of VCM

VCM supports several ways to export collected data, including:

- Email notifications and alerts
- Exported or printed grids
- Exported SRS summary views and reports
- Service desk work requests
- Uploaded and exported files
- Screen snapshots

VCM users must be aware that data exported through any of these means is outside the scope of VCM's control.
vCenter Configuration Manager Security Environment Requirements
TECHNICAL WHITE PAPER / 14
