Section 1 – Plan, Install and Upgrade VMware ESX/ESXi
- Objective 1.3 – Secure VMware ESX/ESXi
QUESTION 61
ESX Service Console patches should be applied (Choose Two):
A. in accordance with VMware Security Advisories
B. when advised by VMware authorized technical support personnel
C. when notified on the VMware Security Blog
D. in accordance with VMware and Red Hat Security Advisories
Answer: AB
Explanation:
After you register your ESX Server license, you will get email notifications of new patches. If you haven't been notified about patches, you can check the ESX Patch update site to get the latest patch information.
Patches will be either for security reasons, critical bug fix issues, or general system bugs.
Of course, security and critical bug fix patches should be applied as soon as possible.
Many of the ESX Server patches are actually for the service console (based on Red Hat Enterprise Linux). However, don't try to apply Red Hat patches to the service console, as you will find out that they don't work.
QUESTION 62
ESX Service Console patches should be applied (Choose Two):
A. as VMware makes patches available
B. as instructed by VMware authorized technical support personnel
C. as Red Hat makes patches available
D. when an issue is identified
Answer: AB
Explanation:
After you register your ESX Server license, you will get email notifications of new patches. If you haven't been notified about patches, you can check the ESX Patch update site to get the latest patch information.
Patches will be either for security reasons, critical bug fix issues, or general system bugs.
Of course, security and critical bug fix patches should be applied as soon as possible.
Many of the ESX Server patches are actually for the service console (based on Red Hat Enterprise Linux). However, don't try to apply Red Hat patches to the service console, as you will find out that they don't work.
QUESTION 63
Securing an ESX service console is important because:
A. VMs depend on the patch level of the service console
B. Service Console actions can affect all VMs on an ESX host
C. Service Console permissions are applied to users when logging in to a host via vCenter
D. VMs run in the service console
Answer: B
Explanation:
With VMware ESX being loaded on top of the server hardware, there are a few points of immediate concern:
1. the VMkernel and its virtualization layer
2. the VMware ESX Service Console (based on Red Hat Enterprise Linux)
These two pieces are two very distinct parts of VMware ESX. VMware has periodically released patches for both of these components, although you probably just thought of them as "ESX patches".
Concerning #1, the VMkernel and its virtualization layer is extremely secure. Guest machines have hardware isolation in place, and it seems impossible that a guest VM could somehow compromise the security of the host virtualization layer.
As for #2, with the Service Console being based on Linux, it will be affected by most of the Red Hat Linux vulnerabilities. Because the Service Console is a Linux OS with a direct link to the VMkernel, I will focus on securing the Service Console.
QUESTION 64
By default ESX4 is installed with which security settings?
A. Low, and you must configure higher parameters
B. No security
C. Medium with minimum ports opened
D. High with all outbound ports closed
Answer: D
Explanation:
Mastering VMware vSphere 4, page 565
The default mode of operation is High security.
QUESTION 65
ESX Service Console patches should be applied (Choose Two):
A. when advised by VMware authorized technical support personnel
B. when notified on the VMware Security Blog
C. in accordance with VMware Security Advisories
D. in accordance with VMware and Red Hat Security Advisories
Answer: AC
Explanation:
Security Advisories are the official notification of security-related vulnerabilities and issues impacting VMware products. Security Advisories outline complete information on how to protect impacted systems. Each advisory contains a detailed description of the security vulnerability, the affected systems, the threat severity, and risk mitigation techniques for fixing the vulnerability and securing the system.
QUESTION 66
What are the three default roles provided on an ESX Host?
A. Network Consumer, Datastore Consumer and Resource Pool Administrator
B. Virtual Machine User, Virtual Machine User and Administrator
C. Read Only, Operator Access and Administrator
D. No Access, Read Only and Administrator
Answer: D
Explanation:
Mastering VMware vSphere 4, page 387
An ESX/ESXi host has three default roles: No Access, Read-Only, and Administrator.
QUESTION 67
The default warning for password expiration on ESX is how many days?
A. 5
B. 15
C. 30
D. 7
Answer: D
Explanation:
Warning time: the default is seven days. Warnings are only displayed when logging in directly to the service console or when using SSH.
QUESTION 68
ESX uses which Linux based firewall tool?
A. IPCop
B. IPTables
C. monowall
D. FireStarter
Answer: B
Explanation:
Mastering VMware vSphere 4, page 564
VMware ESX ships with a firewall that controls traffic into and out of the Service Console. This firewall is based on the Linux iptables firewall.
QUESTION 69
When cloning a role, which of the following applies (Choose Two)?
A. The cloned role contains all of the same privileges as the original role
B. The cloned role can be edited during the cloning process to adjust the privileges in the role
C. The cloned role is not applied to the same users or groups as the original role
D. The cloned role is applied to the same users and groups as the original role
Answer: AC
Explanation:
vSphere Basic System Administration: vCenter Server 4.0, ESX 4.0, ESXi 4.0, page 216
Clone a Role
You can make a copy of an existing role, rename it, and later edit it. When you make a copy, the new role is not applied to the same users, groups, or objects as the original.
QUESTION 70
Which of the following is a benefit of ESXi over ESX?
A. Dynamic Resource Allocation
B. Increased Security and Reliability
C. Memory Overcommitment
D. Improved Fault Isolation
Answer: B
Explanation:
The smaller code base of ESXi represents a smaller "attack surface" and less code to patch, improving reliability and security. The functionality of the service console is replaced by remote command line interfaces and adherence to system management standards.