Objective 8.1 Topics:
- Add/Edit/Remove Users on an ESXi Host
- Configure vCenter Roles and Permissions
- Configure and Manage Active Directory Integration
- Analyze Logs for Security-Related Messages
- Enable and Configure an ESXi Pass-Phrase
- Disable the Managed Object Browser (MOB) to reduce attack surface
Add/Edit/Remove Users on an ESXi Host
First, there are several built-in accounts that we need to be aware of:
root user – each ESXi host has a single root user with the Administrator role. This account can be used for local administration and to connect the host to vCenter.
vpxuser – vCenter Server uses this account when interacting with the hosts.
dcui user – this account is used to configure hosts for lockdown mode directly from the DCUI (Direct Console User Interface).
Second, there are several roles we can assign:
Read Only – Allows a user to view objects but not modify them.
Administrator – Allows all privileges on the object.
No Access – The user cannot view or modify the object.
Users:
Permissions:
Configure vCenter Roles and Permissions According to a Deployment Plan
What is a role?
A role is a predefined set of privileges. Privileges define the rights to perform actions and read properties.
When you assign permissions, you pair a user or group with a role and associate that pairing with an inventory object. This can be for one object or multiple objects within vCenter.
There are two types of pre-defined roles:
System roles – System roles are permanent. The privileges of these roles cannot be modified.
Sample roles – VMware provides sample roles for certain frequently performed tasks. These can be cloned, modified or removed.
Create a Custom Role
We can create a custom role tailored to the desired privileges and control within our environment.
Note –
Roles that are part of the same vCenter SSO domain propagate to all vCenter Servers in the domain. However, permissions (roles assigned to specific users on specific objects) are not shared across vCenter Servers.
Clone a Role
Edit a Role
Configure and Manage Active Directory Integration
Please refer to the same topic from the VCP6 Objective 1.3
Analyze Logs for Security-Related Messages
What logs and where do they reside?
We can also retrieve them through the vSphere Web Client.
Enable/Configure an ESXi Pass-Phrase
An additional security setting we can take advantage of is the ability to set a pass-phrase instead of a password. Note that pass-phrases are disabled by default. We can change this by editing the value of the Security.PasswordQualityControl option under Advanced System Settings.
The default setting is: retry=3 min=disabled,disabled,disabled,7,7. To enable a pass-phrase we change the third min value (the minimum pass-phrase length) and add a passphrase= word count.
We want the pass-phrase to have a minimum of 16 characters and a minimum of 3 words:
Example: retry=3 min=disabled,disabled,16,7,7 passphrase=3
Explanation from VMware documentation
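The following is an added example, not from the original post or from VMware, that parses Security.PasswordQualityControl strings in the pam_passwdqc syntax used above and checks candidate passwords against them. It is a simplified model (assumption: passwdqc's dictionary, similarity and leading-capital/trailing-digit refinements are left out), useful for seeing why the default policy rejects a pass-phrase and the modified one accepts it.

```python
"""Model ESXi Security.PasswordQualityControl (pam_passwdqc syntax)."""

DEFAULT_POLICY = "retry=3 min=disabled,disabled,disabled,7,7"
PASSPHRASE_POLICY = "retry=3 min=disabled,disabled,16,7,7 passphrase=3"


def parse_policy(policy: str) -> dict:
    """Split a policy string into retry, the five min= values and passphrase.

    min=N0,N1,N2,N3,N4: N0/N1/N3/N4 are minimum lengths for passwords made of
    1/2/3/4 character classes, N2 is the minimum length of a passphrase, and
    'disabled' (stored here as None) forbids that category. passphrase=N is the
    minimum number of words in a passphrase; 0 or absent disables passphrases.
    """
    fields = dict(item.split("=", 1) for item in policy.split())
    mins = [None if v == "disabled" else int(v) for v in fields["min"].split(",")]
    if len(mins) != 5:
        raise ValueError("min= must carry exactly five values")
    return {"retry": int(fields.get("retry", 3)), "min": mins,
            "passphrase": int(fields.get("passphrase", 0))}


def char_classes(candidate: str) -> int:
    """Count the character classes used: lower, upper, digit, other."""
    return (any(c.islower() for c in candidate) + any(c.isupper() for c in candidate)
            + any(c.isdigit() for c in candidate) + any(not c.isalnum() for c in candidate))


def is_acceptable(candidate: str, policy: str) -> bool:
    """True if the candidate satisfies the length/class rules of the policy.

    Simplified model (assumption): passwdqc's dictionary, similarity and
    'leading capital / trailing digit do not count' refinements are omitted.
    """
    p = parse_policy(policy)
    mins = p["min"]
    # Passphrase rule: enough whitespace-separated words and at least N2 chars.
    if (p["passphrase"] and len(candidate.split()) >= p["passphrase"]
            and mins[2] is not None and len(candidate) >= mins[2]):
        return True
    # Otherwise the candidate is judged by its character-class count.
    index = {1: 0, 2: 1, 3: 3, 4: 4}.get(char_classes(candidate))
    if index is None or mins[index] is None:
        return False
    return len(candidate) >= mins[index]


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Vmw@re123", "vmware123"):
        print(f"{pw!r}: default={is_acceptable(pw, DEFAULT_POLICY)} "
              f"passphrase={is_acceptable(pw, PASSPHRASE_POLICY)}")
```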
Disable the Managed Object Browser (MOB) to Reduce Attack Surface
The Managed Object Browser is a graphical interface that allows us to browse the objects on a server and invoke methods. The MOB is disabled by default to reduce the attack surface. However, we can enable and disable the MOB manually.