o Set up a separate VLAN or virtual switch for vMotion and network attached storage.
o The iSCSI initiator relies on being able to get MAC address changes from certain types of storage. If you are using ESX iSCSI and have iSCSI
storage, set the MAC Address Changes option to Accept.
o A legitimate need for more than one adapter to have the same MAC address is when you are using Microsoft Network Load Balancing in unicast
mode. When NLB is used in the standard multicast mode, adapters do not share MAC addresses.
o ESX uses the Pluggable Authentication Modules (PAM) structure for authentication. The PAM configuration is in /etc/pam.d/vmware-authd. By
default ESX uses /etc/passwd authentication, but you can configure ESX to use another distributed authentication mechanism.
o CIM transactions also use ticket-based authentication in connecting with the vmware-hostd process.
o Management functions with username/password > vmware-hostd > Service Console
o VM console with ticket > vmkauthd > vm in VMkernel
o vicfg commands do not perform an access check.
o The vpxuser is used for vCenter Server permissions.
o The root user and vpxuser are the only users not assigned the No Access role by default.
o ESX supports SSL v3 and TLS v1.
o All network traffic is encrypted as long as:
o You did not change the Web proxy service to allow unencrypted traffic for the port.
o The service console firewall is configured for medium or high security.
o The default location for your certificate is /etc/vmware/ssl/ on the ESX host. The certificate consists of two files: the certificate itself (rui.crt)
and the private-key file (rui.key).
o The ESX host generates certificates the first time the system is started.
o Each time you restart the vmware-hostd process, the mgmt-vmware script searches for existing certificate files (rui.crt and rui.key). If it cannot
find them, it generates new certificate files.
o SSL timeout settings are set in /etc/vmware/hostd/config.xml.
o Do not set up certificates using passphrases.
o For certificates in a location other than the default location, set the location in /etc/vmware/hostd/proxy.xml.
o If you are performing activities that require root privileges, log in to the service console as a recognized user and acquire root privileges
through the sudo command, which provides enhanced security compared to the su command.
o The service console firewall is configured to block all incoming and outgoing traffic, except for ports 22, 123, 427, 443, 902, 5989, 5988, pings
(ICMP) and DHCP and DNS client communication (UDP only).
o Medium security - All incoming traffic is blocked, except on the default ports and any ports you specifically open. Outgoing traffic is not
blocked.
o Low security - There are no blocks on either incoming or outgoing traffic. This setting is equivalent to removing the firewall.
o Password aging restrictions are enabled for user logins by default.
o Maximum days - By default, passwords are set to never expire.
o Minimum days - The default is 0, meaning that the users can change their passwords any time.
o Warning time - The default is seven days.
o To change these defaults for a host, use esxcfg-auth; to change them for an individual user, use the chage command.
o By default, ESX uses the pam_cracklib.so plug-in. There are no restrictions on the root password, but the defaults for non-root users are:
o minimum password length is nine
o the password length algorithm allows shorter passwords if the user enters a mix of character classes: M - CC = E, where M is the minimum
length, CC is the number of character classes used (upper, lower, digits and other) and E is the effective minimum length.
o retries is set to three
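A worked version of the M - CC = E rule from the pam_cracklib bullets above, added here as an example and not part of the original study notes: with the default minimum of nine, each character class present in the password lowers the required length by one. The function names and the one-credit-per-class reading of the formula are my assumptions.

```python
import string

# The four character classes the page names: upper, lower, digits and other.
# "other" is anything that is not in the first three, so it needs no explicit set.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digits": set(string.digits),
}


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digits, other) appear in the password."""
    present = {name for name, chars in CLASSES.items() if any(c in chars for c in password)}
    known = CLASSES["upper"] | CLASSES["lower"] | CLASSES["digits"]
    if any(c not in known for c in password):
        present.add("other")
    return len(present)


def effective_minimum(password: str, minimum: int = 9) -> int:
    """E = M - CC: the length this password must reach, given the classes it mixes (assumed one credit per class)."""
    return minimum - character_classes(password)


def meets_length_policy(password: str, minimum: int = 9) -> bool:
    """True when the password is at least as long as its effective minimum length."""
    return len(password) >= effective_minimum(password, minimum)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("abcdefgh", "abcdefg", "Passw0rd", "Abc123!"):
        print(candidate, character_classes(candidate), effective_minimum(candidate), meets_length_policy(candidate))
```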
o The pam_passwdqc.so provides a greater number of options for fine-tuning password strength and performs password strength tests for all
users, including the root user.
o setuid allows an application to temporarily change the permissions of the user running the application.
o setgid changes the permissions of the group running the application.
o Default setuid applications: crontab, pam_timestamp_check, passwd, ping, pwdb_chkpwd, ssh-keysign, su, sudo, unix_chkpwd, vmkload_app,
vmware-authd, vmware-vmx. Default setgid Applications: wall, lockfile.
o Virtual Machine Recommendations:
o Install Antivirus Software
o Disable Copy and Paste Operations Between the Guest Operating System and Remote Console
o Removing Unnecessary Hardware Devices
o Limiting Guest Operating System Writes to Host Memory
o Configuring Logging Levels for the Guest Operating System
o Host profiles eliminate per-host manual configuration and maintain configuration consistency and correctness across the datacenter.
o Only supported for VMware vSphere 4.0 hosts.
o Host Profiles are only available when the appropriate licensing is in place.
o You can export a profile to a file that is in the VMware profile format (.vpf).
