VCAP6-DCV Deployment – Objective 8.1 – Manage Authentication and End-User Security 1


Main Study Page

Objectives for 8.1 are broke down as the following

  • Add/Edit Remove users on an ESXi host
  • Configure vCenter Roles and Permissions according to a deployment plan
  • Configure and manage Active Directory integration
  • Analyze logs for security-related messages
  • Enable and configure an ESXI Pass Phrase
  • Disable the Managed Object Browser (MOB) to reduce attack surface

Add/Edit Remove users on an ESXi host

To add a user to a ESXi host I can use the C# client and connect directly to the host.  From here I go to Users – Add.  In the exam the client can still be the quickest way to do certain tasks make sure you make use of the time the best you can.

vcap8-1-1

Add the username and password.

vcap8-1-2

To remove a user, tight click the user account and select Remove

vcap8-1-3


Configure vCenter Roles and Permissions according to a deployment plan

The primary way of authorizing a user or group in vSphere is the vCenter Server permissions.  Permissions can be assigned in the following ways.

  • vCenter Server Permissions – The permission model for vCenter Server systems relies on assigning permissions to objects in the object hierarchy of that vCenter Server. Each permission gives one user or group a set of privileges, that is, a role for a selected object.
  • Global Permissions – Global permissions are applied to a global root object that spans solutions. For example, if both vCenter Server and vCenter Orchestrator are installed, you can give permissions to all objects in both object hierarchies using global permissions.  Global permissions are replicated across the SSO domain.
  • Group Membership in SSO Domain Groups – The user administrator@vsphere.local can perform tasks that are associated with services included with the Platform Services Controller. In addition, members of a vsphere.local group can perform the corresponding task.

When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects.  The following diagram is taken from VMware’s documentation that can be found here.

vcap8-1-12

Permissions can be added to objects, first example I will show is adding vCenter permissions.  I go to Web Client – vCenter – Manage – Permissions – Add Permission.

vcap8-1-13

Select Add under Users ad Groups.  Select an identity source, I will pick the AD the domain and then pick the user within that identity source.

vcap8-1-14

Once the user or group has been assigned I need to add assign a role.

vcap8-1-15

Choose to propagate to children object or not, if your unsure what children it will be applied to select View Children.

vcap8-1-16

Expand the permissions to be sure what permissions will be applied for that role, I have selected Administrator build in role.

vcap8-1-17

Click OK to apply.

To add a Global Permission I go to Web Client – Administration – Access Control – Global Permissions – Add Permission.  The same options appear to add the user but this time I am adding a global permission.

vcap8-1-18

If the built in roles do not provide the correct level of security you require it is possible to configure custom roles, these can be new or clones from existing roles.  Web Client – Administration – Access Control – Roles – Create Role Action.

vcap8-1-19

In this very quick example this role has full access to Alarms, Datastores and Datastore Cluster but has more granular permissions for vDS.  No other permissions are included.


Configure and manage Active Directory integration

It is possible to add a ESXi host to Active Directory to manage users and groups.  When added to Active Directory a domain group called ESXi Admins is assigned full admin access, this group needs to be created up front.  Note – if the host is provisioned with Auto Deploy then AD credentials cannot be stored on the host but you can join it to the domain.  Time is essential when authenticating with AD so make sure NTP is working and make sure DNS servers are correct.

To add a host to AD I go to Web Client – Host – Manage – Settings – Authentication Services – Join Domain. Add the domain name with credentials.

vcap8-1-4

vcap8-1-5

The will add the host to the default computer container.

vcap8-1-6

To add the computer account to a particular OU add the OU after the domain name as below.

>vjenner.com/ESXi Hosts

vcap8-1-7

This will add it to the ESXi Hosts OU I have created.

vcap8-1-8


Analyze logs for security-related messages

To analyse the logs for security related events will come down to the question asked in the exam.  Below is the log files that relate to a ESXi host.

vcap8-1-9


Enable and configure an ESXI Pass Phrase

Pass Phrase is disabled by default and can be enabled via the Web Client, this can be used instead of a password.  I go to Web Client – Host – Manage – Settings – Advanced System Settings.  I need to edit the following.

>Security.PasswordQualityControl = retry=3 min=disabled,disabled,disabled,16,7,7

vcap8-1-10


Disable the Managed Object Browser (MOB) to reduce attack surface

The Managed Object Browser provides a way to explore the VMkernel object model.  The provides a potential attack surface for a ESXi host.  Use the Managed Object Browser only for debugging,  that should be disabled for production systems.  To disable this I can use the Web Client.  I go to Web Client – Host – Manage – Settings – Advanced System Settings.  I need to change the below.

>Config.HostAgent.plugins.solo.enableMOB

Open this and choose to disable or enable

vcap8-1-11

 


Leave a comment

Your email address will not be published. Required fields are marked *

One thought on “VCAP6-DCV Deployment – Objective 8.1 – Manage Authentication and End-User Security

  • vGrips

    Just a note; The HostAgent config on vSphere 6 U2 is “ESX Admins”, either change this to “ESXi Admins” and reboot host or add AD group ESX Admins prior.