
How ESET Protect can protect against ransomware on an ESXi host server


ormkun


  • Administrators

While I'm not an expert, the VMware ESXi server is a bare-metal hypervisor that, unlike hosted hypervisors, is installed directly on the hardware. ESET can run on guest virtual machines with supported operating systems installed.

https://www.vmware.com/products/cloud-infrastructure/esxi-and-esx

https://www.vmware.com/topics/bare-metal-hypervisor


  • ESET Staff

Since the underlying OSes for ESXi and vSphere do not support the install of endpoint security, you need to ensure both ESXi and vSphere are properly configured to be as secure as possible. You will see me mention 2FA/MFA for ESXi and vSphere, but I do not believe there is a simple supported solution provided by VMware for 2FA/MFA configuration on ESXi/vSphere.

Best ways to protect ESXi or vSphere from ransomware would be to:

  • Ensure SSH is disabled on both ESXi and vSphere
  • Ensure your ESXi and vSphere logon portals do not allow logon from any public IPs
  • Ensure root user accounts have highly complex and long passwords
    • I would recommend setting up 2FA on this root user, but I am not seeing any info on whether this is possible.
  • Review and Restrict which users can log into ESXi and vSphere with admin rights
  • Lastly, and most importantly, ask VMware how to configure 2FA/MFA on ESXi and vSphere (for web portal and SSH) for all users (including the root user). I do not see any simple or clear information from VMware on how to configure 2FA/MFA on both ESXi and vSphere, and for SSH.
    • If an adversary can log into ESXi or vSphere with admin rights, they can enable SSH and use this to deploy ransomware payloads to the underlying OS of the hypervisor.
    • Also, if an adversary can log into the web portal for ESXi or vSphere, they can open any VM and interact with its screen, so it will be important to ensure no one is logging into any OS as an Admin, and that no admins are staying logged into server operating systems, as doing so could allow an adversary to instantly gain access to a domain admin account.
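As an added example that is not part of this thread and is not ESET or VMware tooling, the POSIX shell script below audits captured esxcli output against the first, second and fourth points in the list above: whether the SSH firewall ruleset is enabled, which source IPs may reach the management services, and which principals hold the Admin role beyond the built-in accounts. The three sample outputs are constructed and assume the standard esxcli table layout; on a real host you would capture them from the named commands instead.

```shell
#!/bin/sh
# Offline audit of three esxcli outputs against the hardening points above.
# The three strings are CONSTRUCTED sample output (not from a real host), in
# the layout printed by:
#   esxcli network firewall ruleset list
#   esxcli network firewall ruleset allowedip list
#   esxcli system permission list
SAMPLE_RULESETS='Name            Enabled
--------------  -------
sshServer       true
webAccess       true
vSphereClient   true'
SAMPLE_ALLOWEDIP='Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       All
webAccess       All
vSphereClient   All'
SAMPLE_PERMS='Principal  Is Group  Role   Role Description
---------  --------  -----  ----------------
root       false     Admin  Full access rights
dcui       false     Admin  Full access rights
vpxuser    false     Admin  Full access rights
backupsvc  false     Admin  Full access rights'

# ruleset_enabled RULESET_LIST NAME -> prints "true" or "false"
ruleset_enabled() {
  printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print tolower($2) }'
}
# allowed_ips ALLOWEDIP_LIST NAME -> prints "All" or the permitted CIDR list
allowed_ips() {
  printf '%s\n' "$1" | awk -v n="$2" '$1 == n { $1 = ""; sub(/^ +/, ""); print }'
}
# admin_principals PERMISSION_LIST -> principals holding Admin besides the built-ins
admin_principals() {
  printf '%s\n' "$1" | awk 'NR > 2 && $3 == "Admin" &&
    $1 != "root" && $1 != "dcui" && $1 != "vpxuser" { print $1 }'
}
# audit_esxi RULESETS ALLOWEDIP PERMS -> one FINDING line each; returns 1 if any
audit_esxi() {
  rc=0
  if [ "$(ruleset_enabled "$1" sshServer)" = "true" ]; then
    echo "FINDING: sshServer ruleset enabled; SSH should stay off when not in use"; rc=1
  fi
  for rs in sshServer webAccess vSphereClient; do  # SSH, host client, vSphere API
    if [ "$(allowed_ips "$2" "$rs")" = "All" ]; then
      echo "FINDING: $rs reachable from any IP; restrict to the management subnet"; rc=1
    fi
  done
  for p in $(admin_principals "$3"); do
    echo "FINDING: extra Admin principal '$p'; review and reduce admin rights"; rc=1
  done
  return $rc
}
audit_esxi "$SAMPLE_RULESETS" "$SAMPLE_ALLOWEDIP" "$SAMPLE_PERMS" || echo "Hardening gaps found"
```

Against the constructed sample the script reports five findings; a hardened host (ruleset off, allowed IPs limited to the management subnet, no extra Admin principals) produces none and exits 0.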