Objective 8.1 of VCAP6-Deploy exam covers following topics:
- Add/Edit/Remove Users on an ESXi Host
- Configure vCenter Roles and Permissions
- Configure and Manage Active Directory Integration
- Analyze Logs for Security-Related Messages
- Enable and Configure an ESXi Pass-Phrase
- Disable the Managed Object Browser (MOB) to reduce attack surface
We will have a look on these topics one by one
Add/Edit/Remove Users on an ESXi Host
The default built-in accounts that are baked with a new Esxi installation are:
- root user: Each Esxi host has a single root user with an admin role. This account can be used for local administration and used to connect to vCenter.
- vpxuser: vCenter Server uses this account when interacting with the hosts. vCenter Server has Administrator privileges on the host that it manages. The vCenter Server administrator can perform most of the same tasks on the host as the root user, however, he cannot directly create, delete, or edit local users and groups for hosts. These tasks can only be performed by a user with Administrator permissions directly on each host.
- dcui user: This account is used to configure basic configuration settings on hosts directly from the DCUI interface.
Roles available with Esxi host
ESXi hosts provide three default roles, and you cannot change the privileges associated with these roles. These roles are:
- Read Only: Allows a user to view objects but not modify any objects.
- Administrator: Administrator role.
- No Access: No access.
You can create custom roles by using the role-editing facilities in the vSphere Client to create privilege sets that match your user needs. If you connect to the vCenter server that manages a host, you have additional roles to choose from in vCenter Server.
Note: The roles which are created directly on a host are not accessible within vCenter Server. You can use these roles only when you connect directly to an Esxi host using vSphere Client.
In vSphere 6.0, you can use esxcli system account command for managing ESXi local user accounts. You can use esxcli system permission command for setting or removing permissions on both Active Directory accounts and on ESXi local accounts.
[root@esxi04:~] esxcli system account
add Create a new local user account.
list List local user accounts.
remove Remove an existing local user account.
set Modify an existing local user account.
[root@esxi04:~] esxcli system permission
list List permissions defined on the host.
set Set permission for a user or group.
unset Remove permission for a user or group.
[root@mgmt-esxi01:~] esxcli system permission list
Principal Is Group Role Role Description
--------- -------- ----- ------------------
dcui false Admin Full access rights
root false Admin Full access rights
vpxuser false Admin Full access rights
This article has some examples for managing users/permissions via esxcli.
To know more about managing Esxi Roles, please refer VMware Documentation
Configure vCenter Roles and Permissions
A role is a predefined set of privileges. Privileges define rights to perform and read properties. There are 2 types of pre-defined roles:
System roles: This is a permanent role and privileges contained in this role can’t be modified. If you select system role, the pencil button to edit this role becomes grey and you can’t modify anything.
Sample roles: These are the sample roles provided by VMware and these roles can be cloned, modified or removed to create a custom role to perform specific day to day tasks.
Users and group are authorized in vSphere via vCenter Server permissions. When permissions is assigned to a user/group, we are basically pairing that user/group with a role and then associate that pairing with an object within vCenter. This can be for 1 object or multiple objects.
Following permissions exists with vCenter server
- vCenter Server Permissions – The permission model for vCenter Server systems relies on assigning permissions to objects in the object hierarchy of that vCenter Server. Each permission gives one user or group a set of privileges, that is, a role for a selected object.
- Global Permissions – Global permissions are applied to a global root object that spans solutions. For example, if both vCenter Server and vCenter Orchestrator are installed, you can give permissions to all objects in both object hierarchies using global permissions. Global permissions are replicated across the SSO domain.
- Group Membership in SSO Domain Groups – The user firstname.lastname@example.org can perform tasks that are associated with services included with the Platform Services Controller. In addition, members of a vsphere.local group can perform the corresponding task.
When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. Permissions defined for a child object always override the permissions that are propagated from parent objects.
To learn more about vCenter Roles and permissions please see VMware Documentation
To add a Global Permission, Login to vSphere Web Client and navigate to Administration > Access Control > Global Permissions > Manage and clcik green + button sign to add a user and map it with permission.
Configure and manage Active Directory integration
We can add Esxi hosts and vCenter Server/PSC to Active directory domain for centralized management of users/groups and also for security/auditing purpose.
To add an Esxi host to domain, login to vSphere Web Client and select Esxi host and navigate to Manage > Settings > Authentication Services > Join Domain.
Provide the credentials via which Esxi will authenticate itself against domain join process.
Adding vCenter Server/PSC to Active Directory Domain
To add a platform services controller to Active Directory, login to vSphere Web Client and navigate to Administration > System Configuration > Nodes. Select PSC/vCenter from list and click on Manage > Active Directory > Join
Mine has been already added to domain so join button is greyed out. If yours in not yet added to domain then you’ll click ‘Join’ and enter valid AD credentials for your domain. Once the configuration completes, the node need to be rebooted.
To add the Esxi host/vCenter to a particular OU add the OU name after domain name in format: Domain Name/OU Name
For more information on this please see VMware Documentation
Analyze Logs for Security-Related Messages
Important log files related to Esxi host can be found in location as shown in below image.
Configure an Esxi Pass-Phrase
On enhance security of an Esxi host, we can choose to use a pass phrase instead of using a password. Use of pass-phrases are disabled by default. To change this we need to modify Security.PasswordQualityControl option from Esxi host advanced settings.
To enable use of passphrase we can modify the default password policy of Esxi host.
Example: To use a pass-phrase of minimum of 12 characters and a minimum of 3 words, we have to modify password policy as shown below:
retry=3 min=disabled,disabled,12,7,7 passphrase=3
In my last post I have explained Esxi password policy in a bit detail. Feel free to go through that post.
Disable the Managed Object Browser (MOB) to Reduce Attack Surface
The Managed Object Browser is a graphical interface that allows us to browser the objects on a server and invoke methods. The Managed Object Browser provides a way to explore the VMkernel object model.
With vSphere 6.0 the MOB is disabled by default to avoid malicious configuration changes or actions. However, you can enable and disable the Managed Object Browser manually.
To enable or disable the MOB login to vSphere Web Client and select an Esxi host and navigate to Manage > Settings > Advanced System Settings and change the value of Config.HostAgent.plugins.solo.enableMOB
Setting this to yes will enable the MOB and setting it to No will disable MOB.
I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂