VMware Cloud Community
tomtom1
Enthusiast

Security Related - Stop PowerShell Script from execution

Hello, I am looking for software which can stop PowerShell scripts that can be executed against a VMware environment.

As of now, if a person has read-only rights, they can access the vSphere environment and run scripts. We want to stop this and allow ONLY specific people to run scripts.

Any suggestions ?

Thanks

Tom

10 Replies
virtualg_uk
Leadership

Users with read-only access will be able to run PowerCLI scripts but only in read-only mode, so they will not be able to make any changes via the scripts.

If you were able to permit the user(s) read-only access but no script access (which I don't think you can do), then the user could still run the actions in the script but just manually.

If you don't want users running scripts in read-only mode then you will need to remove their read-only VC access.

I hope this clarifies things.


Graham | User Moderator | https://virtualg.uk

tomtom1
Enthusiast

I think there should be some way, maybe a third-party software, that can stop users from running scripts against the environment, even though they have admin access to the environment.

jrmunday
Commander

Perhaps you could change your execution policy to Restricted so that no scripts can be run;

Using the Set-ExecutionPolicy Cmdlet

Changing the Windows PowerShell Script Execution Policy

The Set-ExecutionPolicy cmdlet enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Windows PowerShell has four different execution policies:

  • Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.
  • AllSigned - Only scripts signed by a trusted publisher can be run.
  • RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.
  • Unrestricted - No restrictions; all Windows PowerShell scripts can be run.

Cheers,

Jon

vExpert 2014 - 2022 | VCP6-DCV | http://www.jonmunday.net | @JonMunday77

virtualg_uk
Leadership

If you have control of all the users' workstations, i.e. Windows domain joined, then yes, you could roll out a GPO to prevent users from running scripts entirely.

You would also need to lock this down on servers too.


Graham | User Moderator | https://virtualg.uk
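The two replies above suggest the Restricted execution policy and rolling it out by GPO. As an added example (not code from any poster in this thread), the PowerShell function below audits the machine it runs on: it reports the effective execution policy, which scope supplies it, and whether that scope is one of the Group Policy scopes or a scope the logged-on user can change. The function name `Get-ExecutionPolicyAudit` and the `AcceptablePolicies` parameter are hypothetical names chosen for this sketch.

```powershell
# Added example: audit how the PowerShell execution policy is set on this machine.
# Get-ExecutionPolicyAudit and -AcceptablePolicies are hypothetical names.
function Get-ExecutionPolicyAudit {
    [CmdletBinding()]
    param(
        # Policies counted as "scripts restricted" (assumption: adjust to your standard)
        [string[]]$AcceptablePolicies = @('Restricted', 'AllSigned')
    )

    # Execution policy is only enforced on Windows; PowerShell on macOS/Linux
    # always reports Unrestricted and the value cannot be changed.
    $onWindows = ($PSVersionTable.PSEdition -ne 'Core') -or $IsWindows

    # Scopes in precedence order; the first one that is not Undefined wins.
    $precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    $gpoScopes  = 'MachinePolicy', 'UserPolicy'

    $byScope = @{}
    foreach ($entry in Get-ExecutionPolicy -List) {
        $byScope[$entry.Scope.ToString()] = $entry.ExecutionPolicy.ToString()
    }

    $winning = $null
    if ($onWindows) {
        $winning = $precedence |
            Where-Object { $byScope[$_] -and $byScope[$_] -ne 'Undefined' } |
            Select-Object -First 1
    }
    $effective = (Get-ExecutionPolicy).ToString()

    [pscustomobject]@{
        ComputerName      = [Environment]::MachineName
        PolicySupported   = $onWindows
        EffectivePolicy   = $effective
        WinningScope      = if ($winning) { $winning } else { 'None (platform default)' }
        # True only when a Group Policy scope supplies the value
        EnforcedByGpo     = $winning -in $gpoScopes
        # False when the policy is unsupported here or is looser than the accepted set
        ScriptsRestricted = $onWindows -and ($effective -in $AcceptablePolicies)
        # Without GPO, the Process and CurrentUser scopes can be set by the user
        UserOverridable   = -not ($winning -in $gpoScopes)
    }
}

Get-ExecutionPolicyAudit | Format-List
```

A result with `EnforcedByGpo` false means the setting is a local default rather than a managed control. The audit describes only the client it runs on and says nothing about what vCenter Server will accept from other machines.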
tomtom1
Enthusiast

Thanks all for the replies, but this still won't help.

1. There are a lot of people in my environment that have rights and I cannot control them.

2. There can be a case wherein users download a script from the internet and run it without proper knowledge, which can have an adverse impact.

3. Users can connect via a Mac which is not part of the domain and run those scripts.

I think there should be some third-party software that can sit in front of vCenter Server and can stop this. I am sure I am not the first person to think about this.

Thanks

Mattallford
Hot Shot

Access to vCenter Server is based around Role Based Access Control. Something you don't have control of is what method the user can use to connect to vCenter and work within their defined role. They could connect using APIs, PowerShell, web client, C# client, SDKs etc.

I'm not sure why allowing these users to connect to vCenter and run a script (with their read-only permissions) is such a bad thing. They aren't retrieving any more information than they have access to via the web client or C# clients, and they don't have privileges to make any changes. Maybe if you could elaborate on what the issue is with allowing these users to connect and run scripts, then we can assist further.

Cheers, Matt.

VCP6-DCV | VCAP6-DCV Deploy @mattallford If you found my answers useful, please help me by marking them as Helpful or Correct!

tomtom1
Enthusiast

Read-only was just one of the examples.

Let's say a vSphere admin has malicious intentions and runs some kind of PowerShell cmd that has the potential to destroy the entire environment in a few mins...

How can we stop that from happening? I know he can do the same with the web client too. But in a large environment, that will take some time and effort, but with PowerShell it can be fairly easy.

So from security perspective, I think there should be some way to stop this from happening.

Mattallford
Hot Shot

I think your issue is turning into more of a 'people' problem rather than a technical problem.

Do you have Active Directory? Do you have users that have high privs within AD and can delete a lot of information?

Do you have file server(s) that people can access with read / write privs that can delete a lot of information?

Same with backups, etc.

I do wish you the best on your search for a tool or configuration that can help with your situation.

Cheers, Matt.

VCP6-DCV | VCAP6-DCV Deploy @mattallford If you found my answers useful, please help me by marking them as Helpful or Correct!

virtualg_uk
Leadership

The problem really here is trust and where do you stop?

If you want to stop admins running scripts, what about if they decide to manually delete all datastores on the SAN, or log in directly to ESXi, or use another API to automate what they want to do?

An admin could also create a new account and run everything under that account with full admin rights, so just stopping automatic scripts for an admin really doesn't help here.

There is nothing that I know of that stops just PowerShell running, and even if there was, you have all the other examples above to deal with.

The solution is to not give admin access to those who are not trusted / trained.

I know this doesn't give you the answer you are looking for, but it does sound like more a trust issue than something that vSphere software can help with.


Graham | User Moderator | https://virtualg.uk

tomtom1
Enthusiast

I was finally able to find a software that can do what I wanted: to give admin access to vSphere but stop them from running scripts against the environment.

I am also able to allow selective users/admins to run scripts from only selected workstations.

The name of the software is CloudControl from HyTrust.

I will reach out to them and start with a POC.

Thanks for all your help !!!
