Security Measures of Virtual Machines In ESXi Server

1. Overview

SOP for building VMs in ESXi.

2. Scope

This policy defines how to build highly secured virtual machines (VMs) on ESXi servers.

3. Process to be followed

After the new VM has been hosted in the ESXi inventory and the guest OS installation is complete, follow the process below to secure the VM against intruder attacks.

Protecting the VM via Kaspersky Antivirus

  • First, protect the VMs from virus attacks: install Kaspersky Endpoint Security on each Windows-based VM.
  • Check that the policies are pushed successfully from the server to the client VMs.
  • Check that antivirus scans run daily on all the VMs, as per the policy created by the Sage IT antivirus administrator.
  • Check that the antivirus database is updated daily on all the VMs via the Kaspersky net agent.
  • Make sure infected files are deleted directly and the system is free from any virus issues. You can monitor the system health report / status on the Kaspersky administration server.

Providing VM access only to Trusted Source:

  • If you are looking to share the VM globally, create a separate user account with limited access for the RDP connection.
  • In the pfSense firewall, create a NAT rule to make the VM accessible globally, and configure it so that only trusted network IP addresses can access the VMs.
  • The local VMs are accessed globally using NAT mode.
  • Each VM's local IP address is NATed to a single public IP address with a different NAT port. Users accessing the VMs from an outside network must therefore communicate with the pfSense firewall; make sure the NAT rules are working correctly and the VMs are accessible from outside the network.
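
One way to check the two NAT requirements above (trusted sources only, a different public port per VM) against a firewall configuration backup. This is an added example, not part of the original SOP; the XML layout is assumed to match the `<nat>` section of a pfSense `config.xml` export, and the sample rules, addresses and `TRUSTED` allowlist are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, laid out like the <nat> section of a pfSense config.xml
# backup (assumed layout; compare with your own export before relying on it).
SAMPLE_CONFIG = """<pfsense><nat>
  <rule><descr>VM1 RDP</descr><source><address>203.0.113.10</address></source>
    <destination><network>wanip</network><port>50001</port></destination>
    <target>192.168.10.11</target><local-port>3389</local-port></rule>
  <rule><descr>VM2 RDP</descr><source><any/></source>
    <destination><network>wanip</network><port>50002</port></destination>
    <target>192.168.10.12</target><local-port>3389</local-port></rule>
  <rule><descr>VM3 RDP</descr><source><address>198.51.100.0/24</address></source>
    <destination><network>wanip</network><port>50001</port></destination>
    <target>192.168.10.13</target><local-port>3389</local-port></rule>
</nat></pfsense>"""

# Hypothetical allowlist of trusted source networks.
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]


def audit_nat(xml_text, trusted=TRUSTED):
    """Return (rule description, problem) pairs for port forwards that break the SOP."""
    rules = ET.fromstring(xml_text).findall("./nat/rule")
    ports = Counter(r.findtext("destination/port", "") for r in rules)
    findings = []
    for r in rules:
        name = r.findtext("descr", "(no description)")
        src = r.findtext("source/address")
        if src is None:  # <any/> or another non-address source type
            findings.append((name, "source is not restricted to an address or network"))
        else:
            try:
                net = ipaddress.ip_network(src, strict=False)
            except ValueError:  # firewall alias or hostname: cannot be judged here
                findings.append((name, f"source {src!r} needs manual review"))
            else:
                if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
                    findings.append((name, f"source {src} is outside the trusted networks"))
        port = r.findtext("destination/port", "")
        if ports[port] > 1:  # each VM must have its own public NAT port
            findings.append((name, f"public port {port} is used by more than one rule"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_nat(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
```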

Protecting the Volumes by BitLocker

  • Enable Windows BitLocker encryption on the volumes of all Windows-based VMs.
  • BitLocker is a full disk encryption feature included with Windows. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining (CBC) with a 128-bit or 256-bit key.
  • You must enable BitLocker on each volume so that the files inside the volumes are encrypted and are free from any sort of ransomware encryption attacks.

Protecting the VM using Windows Defender

  • Enable the Windows Defender antivirus application on all Windows-based VMs.
  • Check that Windows Defender is always active and that its databases are updated automatically through the Windows Update settings.

Updating the security Patches frequently

  • Check for recently released security patches for the Windows-based VMs.
  • You must download the patches and test them carefully on various prospective instances separately. Once the results are reported as successful, apply the patches to all Windows VMs manually, with the approval of the Sage IT IMS team.

Blocking File sharing access

  • Make sure file sharing access is disabled on the Windows VMs. You can enable it temporarily, with Sage IT IMS team approval, only if it is required for an urgent / mandatory purpose.
  • The file-sharing ports (SMB over UDP 137 and 138, and SMB over TCP 445) have also been added to port monitoring in the Kaspersky firewall settings to prevent ransomware attacks via the network and file sharing (when enabled). Make sure the settings are working correctly on the Kaspersky server.

Other Security Protection things

  • Create the RDP sessions with a local user account that has limited privileges.
  • Make sure these limited-account RDP users cannot install software or change any system-related settings.
  • Raise User Account Control (UAC) to a high level of authentication.
  • Check that if the Kaspersky firewall goes down or the security policy is manually disabled, the Windows firewall is enabled automatically.

End User Agreement:

I hereby accept and will follow the above terms and process while building and configuring new VMs / instances on the ESXi server.
