Configure a Hypervisor Hardening Policy in CA Access Control Enterprise Management

The hypervisor hardening policy lets you limit user access to the hypervisor, configure remote system logging and time synchronization, and configure the SNMP agent settings.

Note: You must have the System Manager role assigned to manage virtual machine access permissions.

Important! Verify that you have configured the connection to the VMware vCenter Server before you complete this procedure. Also, create a PUPM endpoint for each hypervisor to which you want to apply the hardening policies.

Follow these steps:

  1. Go to WorldView, Security Groups, Security Groups Management.

    The Security Groups Management page appears, displaying the security groups on the VMware vCenter Server and the CA Access Control Server details.

  2. Select a security group.

    CA Access Control Enterprise Management displays the security group details and members.

    Important! Verify that the security group you select has at least one ESX server as a member of the group.

  3. From the Actions menu, select Add Hypervisor Hardening Policy.

    The Manage Security Group Hypervisor Hardening host group name page opens.

  4. Complete the following fields:

    Comment

    Specifies a description of the hardening policy.

    Lockdown

    Specifies that remote access to the hypervisor is blocked.

    Direct Console UI

    Specifies that local administrative control through the Direct Console UI is disabled.

    Tech Support Mode

    Specifies that Tech Support Mode is disabled.

    Tech Support Mode Timeout

    Specifies the interval, in seconds, after which Tech Support Mode is disabled.

    Local Datastore Path

    (ESXi only) Specifies the full pathname of the datastore location where syslog writes its messages.

    Example: [storage1]/var/log/messages

    Remote Syslog Host

    Defines the remote syslog host name.

    Remote Port

    Defines the remote syslog host port number.

    NTP Server

    Specifies the NTP (Network Time Protocol) server name.

    Enabled

    Specifies that the SNMP configuration is enabled.

    SNMP Port

    Defines the SNMP listening port number.

    Read-only Communities

    Specifies the names of the communities that have read-only access.

    Example: snmp-server community public RO

    Trap Targets

    Defines the SNMP trap target host name, port, and community.

    Format: target_hostname@port/community

    Example: SNMP_host@55222/comm

    VMSafe Network API

    Specifies that use of the VMSafe Network API is disabled.

    Hypervisor Administrator

    Defines the name of a hypervisor administrator account. CA Access Control for Virtual Environments uses this account to connect to the hypervisor.

  5. Click Submit.

    CA Access Control Enterprise Management deploys the hardening policies to the group.
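As an added check before the values are entered into the policy (example code, not part of the CA documentation or product), the following Python validates the two formats this page specifies, the Trap Targets form target_hostname@port/community and the [datastore]/path form of Local Datastore Path, together with the port and timeout fields. The policy key names and the sample host names are assumptions.

```python
import re

# Constructed sample values (hypothetical host names) in the formats this page documents.
SAMPLE_POLICY = {
    "tech_support_mode_timeout": "600", "remote_port": "514", "snmp_port": "161",
    "local_datastore_path": "[storage1]/var/log/messages",
    "trap_targets": ["SNMP_host@55222/comm", "collector.example.net@162/comm-ro"],
}
# Trap Targets field: target_hostname@port/community
TRAP_TARGET_RE = re.compile(r"^(?P<host>[A-Za-z0-9._-]+)@(?P<port>\d{1,5})/(?P<community>[^/@\s]+)$")
# Local Datastore Path field: [datastore]/path
DATASTORE_PATH_RE = re.compile(r"^\[(?P<datastore>[^\]]+)\](?P<path>/.*)$")

def _match(regex, value, what):
    m = regex.match(str(value))
    if not m:
        raise ValueError(f"malformed {what}: {value!r}")
    return m

def parse_port(value):
    """Return the port as an int; raise ValueError unless it is in 1-65535."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port

def parse_trap_target(value):
    """Split target_hostname@port/community into (host, port, community)."""
    m = _match(TRAP_TARGET_RE, value, "trap target")
    return m["host"], parse_port(m["port"]), m["community"]

def parse_datastore_path(value):
    """Split [datastore]/path into (datastore, path)."""
    m = _match(DATASTORE_PATH_RE, value, "datastore path")
    return m["datastore"], m["path"]

def validate_policy(policy):
    """Return a list of problems; an empty list means every value is well-formed."""
    checks = [("tech_support_mode_timeout", int, policy.get("tech_support_mode_timeout", "")),
              ("remote_port", parse_port, policy.get("remote_port", "")),
              ("snmp_port", parse_port, policy.get("snmp_port", "")),
              ("local_datastore_path", parse_datastore_path, policy.get("local_datastore_path", ""))]
    checks += [("trap_targets", parse_trap_target, t) for t in policy.get("trap_targets", [])]
    problems = []
    for label, func, value in checks:
        try:
            func(value)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    return problems
```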