VMware Cloud Community
stanj
Enthusiast

Can I disable root access for vCenter Client?

I currently have an ESX Server that users will be logging into by using the vCenter client and connecting directly to the ESX Server.

I tried and was able to log in to the ESX Server as root from the vCenter client.

Is there a way to disable root access via the vCenter client, yet still allow root to log in when connecting to the ESX Server with a terminal and monitor or using a KVM?

thanks

3 Replies
RParker
Immortal

If you have vCenter, eliminate the middle man. Use domain access for vCenter to log in to the ESX servers rather than directly. Otherwise, if they have access to root, they can still log in.

Texiwill
Leadership

Hello,

Standard VMware-style Domain configuration does not alleviate the ability to log in as 'root' when connected using vSphere Client directly to an ESX host. You can set up AD integration with ESX to not allow root access, but then when AD fails or there is a network issue, you cannot log in to the host, which could be a MAJOR issue as you cannot restart the vCenter VM or perhaps your AD VM without access via root. AD integration helps, but there are times when you just need local access.

You could use some other local user, however... but then you have to maintain the other users, which also has its issues. Root has its uses and should be maintained properly.

The solution is to use a password vaulting technology such as the HyTrust Appliance, so that if you do need 'root' access for those emergencies it is granted to you for a short period of time. There are other technologies that do this as well, but they require agents within the SC, which is not something anyone desires. You can also enable pam_access.so, which, if you use AD, you absolutely should. pam_access can be used to deny access based on IP, time of day, etc. For example, you could allow root access only from one specific IP, thereby gaining some level of auditing.

This is the biggest problem with securing ESX/ESXi these days, as you sometimes still need root/low-level access to fix issues.


Best regards,
Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available: 'VMware ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
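As an added illustration of the pam_access approach mentioned in the reply above (not part of the original post or of any VMware-supplied configuration), here is what a Linux-PAM access.conf policy that limits root to the local console plus a single jump host looks like. The IP address is a constructed example, and the PAM service file to edit (for example /etc/pam.d/sshd for SSH) is an assumption; the service that handles vSphere Client logins on the ESX service console has to be identified on the host itself.

```text
# /etc/pam.d/sshd  (assumed service file; add to the account stack so
# pam_access is consulted after the user has authenticated)
account    required     pam_access.so

# /etc/security/access.conf
# Format:  permission : users : origins
# Rules are evaluated top to bottom and the FIRST match wins, so the
# allow lines for root must come before the deny line.

# root from the physical console / KVM (LOCAL matches tty names, which
# contain no '.' and are therefore not network origins)
+ : root : LOCAL

# root from one administrative jump host only (constructed example address);
# every root login over the network now has a single, auditable source
+ : root : 192.0.2.10

# root from anywhere else is refused
- : root : ALL

# No rule matches other accounts, and pam_access grants access when
# nothing matches, so normal (e.g. AD-backed) users are unaffected.
```

The order of the three root lines is the only subtle part: putting `- : root : ALL` first would lock root out of the console as well, which is exactly the failure mode the reply warns about.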
stanj
Enthusiast

I agree.

As administrators, we all need to access ESX at some point.

Except, ESXi is more difficult to manipulate since there is no service console access.

Thanks for the response.
