Hello, I am looking for software which can stop Powershell script that can be executed against VMware environment.
As of now, if a person has Read only rights, they can access vSphere environment and run scripts. We can to stop this and allow ONLY specific people to run scripts
Any suggestions ?
Users with read only access will be able to run PowerCLI scripts but only in read-only mode, so they will not be able to make any changes via the scripts.
If you were able to permit the user(s) read only access but no script access (Which I don't think you can do) Then the user could still run the actions in the script but just manually.
If you don't want users running scripts in read-only mode then you will need to remove their read-only VC access.
I hope this clarifies things
Perhaps you could change your execution policy to Restricted so that no scripts can be run;
Changing the Windows PowerShell Script Execution Policy
The Set-ExecutionPolicy cmdlet enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Windows PowerShell has four different execution policies:
If you have control of all the users workstations, ie Windows domain joined then yes you could roll out a GPO to prevent users from running scripts entirely.
You would also need to lock this down on servers too.
Thanks all for reply but still this won't help.
1. There are lot of people in my environment that have rights and I cannot control them.
2. There can be a case, wherein users can download script from internet and run without proper knowledge, which can have adverse impact
3. Users can connect via Mac which is not part of domain and run those scripts.
I think there should be some third party software that can site in front of vcenter server and can stop this. I am sure, I am not the first person to think about this.
Access to vCenter Server is based around Role Based Access Control. Something you don't have control of is what method the user can use to connect to vCenter and work within their defined role. They could connect using APIs, Powershell, web client, c# client, SDKs etc.
I'm not sure why allowing these users to connect to vCenter and run a script (with their read only permissions) is such as bad thing. They aren't retrieving any more information than they have access to via the web client or c# clients, and they don't have privileges to make any changes. Maybe if you could elaborate on what the issue with allowing these users to connect and run scripts, then we can assist further.
Read-Only was just one if the examples.
Let's say a vsphere admin has malacious intentions and runs some kind of power she'll cmd that has potential to destroy the entire environment in few mins...
How can we stop that to happen? I know he can do the same with web client too. But in large environment, that will take some time and effort but in with power she'll it can be fairly easy.
So from security perspective, I think there should be some way to stop this from happening.
I think your issue is turning into more of a 'people' problem rather than a technical problem.
Do you have Actuve Directory? Do you have users that have high privs within AD and can delete a lot of information?
Do you have file server(s) that people can access with read / write privs That can delete a lot of information?
Same with backups, etc.
I do wish you the best on your search for a tool or configuration that can help with your situation.
The problem really here is trust and where do you stop?
If you want to stop admins running scripts, what about if they decide to manually delete all datastores on the SAN, or login directly to ESXi, or use another API to automate what they want to do.
An admin could also create a new account and run everything under that account with full admin rights so just stopping automatic scripts for an admin really doesn't help here.
There is nothing that I know of that stops just powershell running and even if there was, you have all the other examples above to deal with.
The solution is to not give admin access to those who are not trusted / trained.
I now this doesnt give you the answer you are looking for but it does sounds like more a trust issue than something that vSphere software can help with.
I was finally able to find a software that can do what I wanted, to give admin access to vsphere but stop them from running scripts against the environment.
I am also able to allow selective users/admins run script from only selected workstation.
The name of the software is cloud control from HyTrust.
I will teach our to them and start with a POC.
Thanks for all your help !!!