
vSphere Security Hardening Guide Pitfalls

As you are probably fully aware, VMware have published the final release of their vSphere Security Hardening guide here. Now, having been actively involved in a project which involves the use of virtualisation in a PCI DSS controlled environment, I have had the pleasure of reading this guide back to front, and I must say VMware have produced a good document. I really like the format and the layout, and I think it works well for a security hardening guide.

The problem I do have is with some of the content: I get the feeling the document has been rushed through somewhat, with little testing for some of the recommendations. So here is a heads up for anyone intending to use this document; hopefully I can stop you from falling into some of the pitfalls I did.

Note: When implementing some of these recommendations I did as much testing as possible and made sure I understood the full impact before making any changes to a production environment. Like any good virtualisation admin I would recommend as a bare minimum you do the same.

Disabling the Managed Object Browser

This recommendation involves editing the Proxy.xml file in the /etc/vmware/hostd directory. VMware state that to disable the Managed Object Browser one should remove or comment out all lines relating to the mob element. Using vi to remove these lines proved unsuccessful for me, resulting in the ESX host being unable to communicate with the vCenter Server. Only on restoring the Proxy.xml file from backup was vCenter Server connectivity restored.

It seems the only way to successfully disable MOB is to use XML comment tags and comment the lines out rather than deleting them. An example of the changes to the Proxy.xml file can be seen below:

Pre:

Post:

Happy XML editing :)
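The comment-out approach described above can be scripted so that the edit is checked for well-formedness before the file is put back on the host. This is an added example, not part of the original post or of VMware's guide; the sample XML is constructed, its element layout is an assumption, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not copied from a host: the element names are an
# assumed layout for the endpoint list in /etc/vmware/hostd/Proxy.xml.
SAMPLE = """<ConfigRoot>
  <EndpointList>
    <e id="0">
      <accessMode>httpsWithRedirect</accessMode>
      <serverNamespace>/</serverNamespace>
    </e>
    <e id="1">
      <accessMode>httpsWithRedirect</accessMode>
      <pipeName>/var/run/vmware/proxy-mob</pipeName>
      <serverNamespace>/mob</serverNamespace>
    </e>
    <e id="2">
      <accessMode>httpsWithRedirect</accessMode>
      <serverNamespace>/sdk</serverNamespace>
    </e>
  </EndpointList>
</ConfigRoot>
"""

ENTRY = re.compile(r'[ \t]*<e id="\d+">.*?</e>', re.S)

def active_namespaces(text):
    """Namespaces the XML parser still sees; commented-out entries are skipped."""
    return [n.text for n in ET.fromstring(text).iter("serverNamespace")]

def comment_out(text, namespace="/mob"):
    """Wrap the entry for `namespace` in an XML comment instead of deleting it."""
    if namespace not in active_namespaces(text):
        return text  # already disabled or absent: leave the file untouched
    tag = "<serverNamespace>%s</serverNamespace>" % namespace

    def wrap(match):
        block = match.group(0)
        if tag not in block:
            return block
        if "--" in block:  # "--" may not appear inside an XML comment
            raise ValueError("entry contains '--'; cannot comment it out safely")
        return "<!--\n%s\n-->" % block

    result = ENTRY.sub(wrap, text)
    ET.fromstring(result)  # raises ParseError if the edit broke well-formedness
    return result

if __name__ == "__main__":
    print(comment_out(SAMPLE))
```

Run it against a copy of the file and keep the original as a backup, since restoring from backup is the recovery path if the host loses contact with vCenter Server.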