Objective 8.1 Topics:
- Add/Edit/Remove Users on an ESXi Host
- Configure vCenter Roles and Permissions
- Configure and Manage Active Directory Integration
- Analyze Logs for Security-Related Messages
- Enable and Configure an ESXi Pass-Phrase
- Disable the Managed Object Browser (MOB) to reduce attack surface
Add/Edit/Remove Users on an ESXi Host
First, there are several built-in accounts that we need to be aware of:
root user – each ESXi host has a single root user with an admin role. This account can be used for local administration and used to connect to vCenter.
vpxuser – vCenter Server uses this account when interacting with the hosts.
dcui user – this account is used to configure hosts for lockdown mode directly from the DCUI interface.
Second, there are several roles we can assign:
Read Only – Allows a user to view objects but not modify them.
Administrator – Grants all privileges on the host.
No Access – Denies the user any access to the object, including viewing it.
Configure vCenter Roles and Permissions According to a Deployment Plan
What is a role?
A role is a predefined set of privileges. Privileges define rights to perform and read properties.
When you assign permissions, you pair a user or group with a role and associate that pairing with an inventory object. This can be for 1 object or multiple objects within vCenter.
There are 2 types of pre-defined roles:
System roles – System roles are permanent; the privileges of these roles cannot be modified.
Sample roles – VMware provides sample roles for certain frequently performed tasks. These can be cloned, modified, or removed.
Create a Custom Role
We can create a custom role tailored to the desired privileges and control within our environment.
Roles that are part of the same vCenter SSO domain propagate to all vCenter Servers in that domain. However, permissions (a role assigned to a specific user or group on an object) are not shared across vCenter Servers.
Clone a Role
Edit a Role
Configure and Manage Active Directory Integration
Please refer to the same topic from the VCP6 Objective 1.3
Analyze Logs for Security-Related Messages
What logs and where do they reside?
We can also retrieve them through the vSphere Web Client.
Enable and Configure an ESXi Pass-Phrase
An additional security setting we can take advantage of is the ability to set a pass-phrase instead of a password. Note that pass-phrases are disabled by default. We can change this by editing the value of the Security.PasswordQualityControl option under Advanced System Settings.
The default setting is: retry=3 min=disabled,disabled,disabled,7,7 (the third value in the min= list is the pass-phrase minimum length, and "disabled" there is what turns pass-phrases off). To enable a pass-phrase we change it accordingly.
We want the pass-phrase to be a minimum of 16 characters and a minimum of 3 words:
Example: retry=3 min=disabled,disabled,16,7,7 passphrase=3
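To audit this setting across hosts it helps to parse the option string rather than eyeball it. The following checker is an added example (not from VMware or the original notes); it applies the pam_passwdqc layout of the min= list (N0 one character class, N1 two classes, N2 pass-phrase, N3 three classes, N4 four classes) and assumes pam_passwdqc's documented default of passphrase=3 when the option is omitted. Feed it the value read from Security.PasswordQualityControl:

```python
# Checker for the ESXi Security.PasswordQualityControl value (pam_passwdqc syntax).
# Constructed example, not VMware code.
DISABLED = "disabled"
# Names for the five "min=" positions N0..N4, in pam_passwdqc order
MIN_FIELDS = ("one_class", "two_classes", "passphrase", "three_classes", "four_classes")


def parse_pqc(value: str) -> dict:
    """Parse 'retry=3 min=disabled,disabled,16,7,7 passphrase=3' into a dict."""
    opts = {}
    for token in value.split():
        if "=" not in token:
            raise ValueError(f"malformed option: {token!r}")
        key, _, raw = token.partition("=")
        opts[key] = raw
    if "min" not in opts:
        raise ValueError("missing min= option")
    parts = opts["min"].split(",")
    if len(parts) != 5:
        raise ValueError("min= must have exactly five comma-separated values")
    mins = {name: (None if p == DISABLED else int(p)) for name, p in zip(MIN_FIELDS, parts)}
    return {
        "retry": int(opts.get("retry", 3)),
        "min": mins,
        # pam_passwdqc documents passphrase=3 as the default when omitted (assumption)
        "passphrase_words": int(opts.get("passphrase", 3)),
    }


def passphrase_enabled(value: str) -> bool:
    """Pass-phrases work only if N2 is not 'disabled' and the word count is > 0."""
    cfg = parse_pqc(value)
    return cfg["min"]["passphrase"] is not None and cfg["passphrase_words"] > 0


def audit_pqc(value: str, min_len: int = 16, min_words: int = 3) -> list:
    """Return findings against the policy from the notes; an empty list means compliant."""
    cfg = parse_pqc(value)
    findings = []
    pp_len = cfg["min"]["passphrase"]
    if pp_len is None:
        findings.append("passphrases are disabled (third min= value is 'disabled')")
    elif pp_len < min_len:
        findings.append(f"passphrase minimum length {pp_len} is below {min_len}")
    if cfg["passphrase_words"] < min_words:
        findings.append(f"passphrase word count {cfg['passphrase_words']} is below {min_words}")
    return findings


if __name__ == "__main__":
    for v in ("retry=3 min=disabled,disabled,disabled,7,7",
              "retry=3 min=disabled,disabled,16,7,7 passphrase=3"):
        print(v, "->", audit_pqc(v) or "OK")
```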
Explanation from VMware documentation
Disable the Managed Object Browser (MOB) to Reduce Attack Surface
The Managed Object Browser is a graphical interface that allows us to browse the objects on a server and invoke methods. The MOB is disabled by default to reduce the attack surface, since it exposes those methods to anyone who can reach the host's web interface. However, we can enable and disable the MOB manually.