This post is also available in: Italian
Reading Time: 5 minutesObjective 1.4 –Secure vCenter Server and ESXi
Most of the references are from the vSphere Security Guide, but also the old (from VI 3.x) Managing VMware VirtualCenter Roles and Permissions is still a good reference.
See also: Objective 1.4 – Secure vCenter Server and ESXi e Objective 1.4 –Secure vCenter Server and ESXi.
Identify common vCenter Server privileges and roles (similar as vSphere 4.x)
See: vSphere Security Guide (page 59). Some are available both in ESXi and vCenter Server:
- No Access: Cannot view or change the assigned object. vSphere Client tabs associated with an object appear without content. Can be used to revoke permissions that would otherwise be propagated to an object from a parent object.
- Read Only: View the state and details about the object. View all the tab panels in the vSphere Client except the Console tab. Cannot perform any actions through the menus and toolbars.
- Administrator: All privileges for all objects. Add, remove, and set access rights and privileges for all the vCenter Server users and all the virtual objects in the vSphere environment. NOTE Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role.
Describe how permissions are applied and inherited in vCenter Server (same as vSphere 4.x)
See: vSphere Security Guide (page 48 and also page 51 for some examples).
When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects.
Note that in previous releases of vCenter Server, datastores and networks inherited access permissions from the datacenter. In vCenter Server 5.0, they have their own set of privileges that control access to them. This might require you to manually assign privileges, depending on the access level you require. For more info see the vSphere Upgrade Guide (page 61).
Configure and administer the ESXi firewall (new in vSphere 5.x)
See: What’s new in vSphere 5: ESXi firewall.
Enable/Configure/Disable services in the ESXi firewall (new in vSphere 5.x)
See: What’s new in vSphere 5: ESXi firewall.
Enable Lockdown Mode (same as vSphere 4.1)
See: The New Lockdown Mode in ESXi 4.1 and the vSphere Security Guide (page 81).
Note that lockdown mode does not apply to root users who log in using authorized keys. When you use an authorized key file for root user authentication, root users are not prevented from accessing a host with SSH when the host is in lockdown mode. Also the root user is still authorized to log in to the direct console user interface when lockdown mode is enabled.
Configure network security policies (same as vSphere 4.x)
See: VMware Virtual Networking Concepts and the vSphere Security Guide (page 25).
The virtual switch (but also a port group) has the ability to enforce L2 security policies to prevent virtual machines from impersonating other nodes on the network. There are three components to this feature:
- Promiscuous mode is disabled by default for all virtual machines. This prevents them from seeing unicast traffic to other nodes on the network.
- MAC address change lockdown prevents virtual machines from changing their own unicast addresses. This also prevents them from seeing unicast traffic to other nodes on the network, blocking a potential security vulnerability that is similar to but narrower than promiscuous mode.
- Forged transmit blocking, when you enable it, prevents virtual machines from sending traffic that appears to come from nodes on the network other than themselves
For VLAN security see vSphere Security Guide (page 20).
View/Sort/Export user and group lists (same as vSphere 4.x)
See: vSphere Security Guide (page 45). Note that there are local users/groups (both ESXi and vCenter Server local users) and centralized users/groups (from a directory service).
Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects (same as vSphere 4.x)
See: vSphere Security Guide (page 53) and http://www.vmwarehub.com/Permissions.html.
Create/Clone/Edit vCenter Server Roles (same as vSphere 4.x)
See: vSphere Security Guide (page 61). When you remove a role that is assigned to a user or group, you can remove assignments or replace them with an assignment to another role.
Add an ESXi Host to a directory service (similar as vSphere 4.1)
There are two different way to use an Active Directory solution in ESXi 5:
- Add a Host to a Directory Service Domain (same as ESXi 4.1): see vSphere Security Guide (page 63).
- Use the new vSphere Authentication Proxy service (CAM service): see vSphere Security Guide (page 65).
Apply permissions to ESXi Hosts using Host Profiles (same as vSphere 4.x)
See Use Host Profiles to Apply Permissions to Hosts (for host added in the AD) and the vSphere Security Guide (at page 67 to use with the vSphere Authentication Proxy).
Determine the appropriate set of privileges for common tasks in vCenter Server (similar as vSphere 4.x)
See the vSphere Security Guide and also, for other guide, the privileges requirements are always specificated.
Andrea Mauro
Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-24. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-23. Nutanix NTC 2014-20. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.
