vCenter Configuration Manager Security Environment Requirements
3.0 Secure Domain Infrastructure
VCM security environment requirements are divided into categories for the domain and infrastructure, hosting
environment, personnel, host preparation, safeguarding installation kits, login roles, IIS preparation, SQL Server
preparation, web browser preparation, Agent installation and maintenance, Software Provisioning, and proper
decommissioning.
This section describes the domain and infrastructure. Here and in subsequent sections, each requirement is
numbered, stated, and followed by elaborative text.
3.1 Domain controller is trusted
VCM relies on a domain controller (DC) to authenticate VCM users, to discover machines, to enumerate domain group
members, to run VCM services under Network Authority accounts, and to authenticate administrators who control the
hosts onto which VCM and its databases are installed. The VCM installer and VCM administrator cite the domain
controller in VCM when the system is installed, DC discoveries are conducted, or when new Network Authorities or
VCM users are added. An untrustworthy domain controller should never be configured into VCM and VCM hosts
should never be joined to an untrustworthy domain.
3.2 Network infrastructure is secure
Besides domain controllers, VCM relies on other network infrastructure services such as DNS, WINS, email, time
servers, and DHCP. The DNS and WINS translate domain names into IP addresses. Email is used for various
notifications and alerts. Time servers synchronize time, allowing Kerberos authentication and certificate validation to
work. DHCP, even when not used by VCM servers, assigns IP addresses consistently. These services must be
properly configured, secure, and available in order for VCM to operate correctly and reliably.
3.3 Network infrastructure services are available
All network infrastructure services must not only be correct and secure, but also available and responsive. An active
denial of service or attack on network infrastructure will impact VCM performance.
3.4 'Trusted' certificates, certificate authorities, and certificate servers are trusted
VCM establishes the validity of HTTPS/SSL certificates used by IIS, and of TLS certificates used during
Collector-to-Agent communication by checking the signatures along the certificate chain that extends from the
certificate in question up to a certificate installed in one of the trusted certificate stores.
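The following PowerShell sketch is an added example, not code from VCM or from this white paper. It uses the Windows chain engine to build the chain for each certificate in the local machine's personal store and reports which anchor the chain ends at, so an administrator can see exactly which trusted-store entry a given certificate depends on. It assumes the certificates of interest are in `Cert:\LocalMachine\My` and that the trust anchors are in `Cert:\LocalMachine\Root`; the function name `Get-CertChainReport` is hypothetical.

```powershell
# Added example: report the trust anchor that each certificate's chain ends at.
# Assumption: certificates under review are in Cert:\LocalMachine\My.
function Get-CertChainReport {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # This example looks only at signatures and the trust anchor, so revocation
    # lookups are disabled; set this to Online to include CRL/OCSP checks.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    try {
        # Build() returns $true only if every signature verifies and the chain
        # ends at a certificate in a trusted root store.
        $valid    = $chain.Build($Certificate)
        $elements = @($chain.ChainElements)
        if ($elements.Count -eq 0) { return }

        # The last element is the top of the chain that Windows could construct.
        $anchor = $elements[-1].Certificate
        [pscustomobject]@{
            Subject           = $Certificate.Subject
            Thumbprint        = $Certificate.Thumbprint
            NotAfter          = $Certificate.NotAfter
            ChainValid        = $valid
            ChainLength       = $elements.Count
            Anchor            = $anchor.Subject
            AnchorThumbprint  = $anchor.Thumbprint
            AnchorSelfIssued  = ($anchor.Subject -eq $anchor.Issuer)
            AnchorInRootStore = Test-Path "Cert:\LocalMachine\Root\$($anchor.Thumbprint)"
            # Empty when the chain is valid; otherwise values such as
            # UntrustedRoot, PartialChain or NotTimeValid.
            Problems          = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        $chain.Reset()
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-CertChainReport -Certificate $_ } |
    Format-List
```

A `NotTimeValid` entry under `Problems` on a certificate whose `NotAfter` date is still in the future points at clock skew, which ties back to the time server dependency in requirement 3.2.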
VCM trusts that:
TECHNICAL WHITE PAPER / 9