B-) Depending on the type of Microsoft Active Directory trusts used in an environment, some features, such as Active Directory user querying and user authentication, may be limited from the vSphere Client and vSphere Web Client. For more info: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2064250
Question 92:
Which three options are available for replacing vCenter Server Security Certificates? (Choose three.)
A. Replace with Certificates signed by the VMware Certificate Authority.
B. Make VMware Certificate Authority an Intermediate Certificate Authority.
C. Do not use VMware Certificate Authority, provision your own Certificates.
D. Use SSL Thumbprint mode.
E. Replace all VMware Certificate Authority issued Certificates with self-signed Certificates.
Correct Answer: ABD
ESXi Certificate Replacement
For ESXi hosts, you can change certificate provisioning behavior from the vSphere Web Client.
VMware Certificate Authority mode (default)
When you renew certificates from the vSphere Web Client, VMCA issues the certificates for the hosts. If you changed the VMCA root certificate to include a certificate chain, the host certificates include the full chain.
Custom Certificate Authority mode
Allows you to manually update and use certificates that are not signed or issued by VMCA.
Thumbprint mode
Can be used to retain 5.5 certificates during refresh. Use this mode only temporarily in debugging
Which two statements are correct regarding vSphere certificates? (Choose two.)
A. ESXi host upgrades do not preserve the SSL certificate and reissue one from the VMware Certificate Authority (VMCA).
B. ESXi host upgrades preserve the existing SSL certificate.
C. ESXi hosts have assigned SSL certificates from the VMware Certificate Authority (VMCA) during install.
D. ESXi hosts have self-signed SSL certificates by default.
Correct Answer: BC
B-) ESXi hosts that are upgraded from vSphere 5.x to vSphere 6.0 will continue using their Certificate Authority signed certificates if they were replaced in the previous versions. However, ESXi 5.x hosts that were running self-signed certificates and then upgraded to vSphere 6.0 will have their certificates regenerated using VMware-signed certificates. For more info: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2113926
C-) In vSphere 6.0, VMware tried to address SSL certificates in a different manner. It introduced a new component called the "Platform Services Controller." The Platform Services Controller includes a fully functional certificate authority, called the VMware Certificate Authority (VMCA), that automatically manages the certificates used in vCenter and the ESXi hosts.
There are two steps to complete. First, you need to retrieve the root certificate from vCenter and convert it into something usable. Once you've done that, you need to deploy it as a Trusted Root Certificate. The easiest way to do this with multiple computers is to use Group Policy. Here are the steps to retrieve the certificate:
1. Open your Web browser.
2. Navigate to https://
3. In the lower right-hand corner, click the Download Trusted Root CA link.
For more: https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-C91AFFAD-A830-4BBE-BF7C-F779A3AD03F1.html?resultof=%2522%2573%2573%256c%2522%2520
Question 94:
An administrator has been instructed to secure existing virtual machines in vCenter Server. Which two actions should the administrator take to secure these virtual machines? (Choose two.)
A. Disable native remote management services
B. Restrict Remote Console access
C. Use Independent Non-Persistent virtual disks
D. Prevent use of Independent Non-Persistent virtual disks
An administrator has recently audited the environment and found numerous virtual machines with sensitive data written to the configuration files.
To prevent this in the future, which advanced parameter should be applied to the virtual machines?
A. isolation.tools.setinfo.disable = true
B. isolation.tools.setinfo.enable = true
C. isolation.tools.setinfo.disable = false
D. isolation.tools.setinfo.enable = false
Correct Answer: A
Limit SETINFO Messages
Now if you read through the hardening guide, you'll come across a section that covers informational messages, otherwise known as SETINFO messages. Now my understanding is that currently there is no limitation on the amount of data that can be sent from VMware Tools to the host, so you can imagine it wouldn't be hard to write some code to continuously send huge amounts of data. So let's look at how to limit this to something more acceptable as per the hardening guide.
tools.setInfo.sizeLimit = "1048576"
Now you can actually totally disable this using the following:
isolation.tools.setInfo.disable = "true"
But this stops the Virtual Center client from displaying any information about the Virtual Machine, e.g. IP address, DNS information. So for a production environment I would recommend setting a limit rather than totally disabling.
An administrator would like to use a passphrase for their ESXi 6.x hosts which has these characteristics:
1. Minimum of 21 characters
2. Minimum of 2 words
Which advanced options must be set to allow this passphrase configuration to be used?
A. retry=3 min=disabled, disabled, 7, 21, 7 passphrase=2
B. retry=3 min=disabled, disabled, 21, 7, 7 passphrase=2
C. retry=3 min=disabled, disabled, 2, 21, 7
D. retry=3 min=disabled, disabled, 21, 21, 2
Correct Answer: B
B-) ESXi Passwords and Account Lockout
For ESXi hosts, you have to use a password with predefined requirements. You can change the required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option. ESXi uses the Linux PAM module pam_passwdqc for password management and control. See the manpages for pam_passwdqc for detailed information.
ESXi Passwords: ESXi enforces password requirements for direct access from the Direct Console User Interface, the ESXi Shell, SSH, or the vSphere Client. When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash.
Link: https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-DC96FFDB-F5F2-43EC-8C73-05ACDAE6BE43.html
Question 98:
Which password meets ESXi 6.x host password requirements?
A. 8kMVnn2x!
B. zNgtnJBA2
C. Nvgt34kn44
D. !b74wr
Correct Answer: A
ESXi Passwords
By default, ESXi enforces requirements for user passwords.
Your user password must meet the following length requirements.
1. Passwords containing characters from one or two character classes must be at least eight characters long.
2. Passwords containing characters from three character classes must be at least seven characters long.
3. Passwords containing characters from all four character classes must be at least six characters long.
When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash.
The password cannot contain the words root, admin, or administrator in any form.
Which two groups of settings should be reviewed when attempting to increase the security of virtual machines (VMs)? (Choose two.)
A. Disable hardware devices
B. Disable unexposed features
C. Disable VMtools devices
D. Disable VM Template features
Correct Answer: AB
Securing Virtual Machines
The guest operating system that runs in the virtual machine is subject to the same security risks as a physical system. Secure virtual machines as you would secure physical machines.
Subtopics:
General Virtual Machine Protection
Configuring Logging Levels for the Guest Operating System
Limiting Exposure of Sensitive Data Copied to the Clipboard
Disable Unexposed Features
Limiting Guest Operating System Writes to Host Memory
Removing Unnecessary Hardware Devices
Prevent a Virtual Machine User or Process from Disconnecting Devices
Prevent a Virtual Machine User or Process from Disconnecting Devices in the vSphere Web Client
Reference: https://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-CF45F448-2036-4BE3-8829-4A9335072349.html
Question 100:
To reduce the attack vectors for a virtual machine, which two settings should an administrator set to false? (Choose two.)
A. ideX:Y.present
B. serial.present
C. ideX:Y.enabled
D. serial.enabled
Correct Answer: AB
Removing Unnecessary Hardware Devices
Any enabled or connected device represents a potential attack channel. Users and processes without privileges on a virtual machine can connect or disconnect hardware devices, such as network adapters and CD-ROM drives. Attackers can use this capability to breach virtual machine security. Removing unnecessary hardware devices can help prevent attacks. Use the following guidelines to increase virtual machine security.