I just read about the new "feature" which involves a host constantly checking for a specific AD group and automatically assigning it the Administrators permission:
By default, the ESX host assigns the Administrator role to the "ESX Admins" group. If the group does not exist when the host joins the domain, the host will not assign the role. In this case, you must create the "ESX Admins" group in the Active Directory. The host will periodically check the domain controller for the group and will assign the role when the group exists.
I really hope I'm wrong, but as I understand it this means it is very easy for unauthorized personnel to get full admin rights on the hosts.
All one needs is AD rights to create a group (and VMware admins unaware of this "feature"). They would just create the "ESX Admins" group, add themselves as a member of it and voilà. They just need to wait for the ESX 4.1 hosts to detect it and grant them full permissions.
Needless to say, a lot of IT (and even non-IT) staff can create groups in big AD environments, most of them being neither domain admins nor VMware admins (hotline operators come to mind).
Two questions, then:
1. Am I missing something?
2. If not, can we expect a fix for this security flaw?
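Since the host grants the role purely on the group's name appearing in AD, the defensive counterpart of the concern above is to watch the domain controllers' Security log for anyone creating a group with that name or adding members to it. The following Python is an added example for this thread, not code from VMware or from any poster; it uses the real Windows Security event IDs for group creation (4727/4731/4754) and member addition (4728/4732/4756), and runs over constructed sample events shaped like exported log fields (the account and domain names are made up).

```python
import re
from dataclasses import dataclass

# Windows Security log event IDs for AD group lifecycle (real IDs):
# group created / member added, keyed by event ID, value is the group scope.
GROUP_CREATED = {4727: "global", 4731: "local", 4754: "universal"}
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}

# The group name the ESX 4.1 host looks for (from the thread).
WATCHED_GROUP = "ESX Admins"


def normalize(name: str) -> str:
    """AD group names are case-insensitive; whitespace is also collapsed so
    look-alike names such as 'esx  admins' are surfaced for review too
    (a deliberate broadening for detection; the host itself matches the name)."""
    return re.sub(r"\s+", " ", name).strip().casefold()


@dataclass
class Alert:
    event_id: int
    actor: str       # SubjectUserName: who made the change
    group: str       # TargetUserName: the group name as written in the event
    detail: str


def detect(events, watched: str = WATCHED_GROUP):
    """Return one Alert per event that creates the watched group or adds a member to it.
    Events with other IDs (e.g. user creation) are ignored even if the name matches."""
    wanted = normalize(watched)
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if normalize(ev.get("TargetUserName", "")) != wanted:
            continue
        if eid in GROUP_CREATED:
            alerts.append(Alert(eid, ev["SubjectUserName"], ev["TargetUserName"],
                                f"{GROUP_CREATED[eid]} group created in domain {ev['TargetDomainName']}"))
        elif eid in MEMBER_ADDED:
            alerts.append(Alert(eid, ev["SubjectUserName"], ev["TargetUserName"],
                                f"member {ev['MemberName']} added to {MEMBER_ADDED[eid]} group"))
    return alerts


# Constructed sample events, shaped like the named fields of exported
# Security log entries (made-up values, not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "helpdesk01", "TargetUserName": "ESX Admins",
     "TargetDomainName": "CORP"},
    {"EventID": 4728, "SubjectUserName": "helpdesk01", "TargetUserName": "ESX Admins",
     "TargetDomainName": "CORP", "MemberName": "CN=helpdesk01,OU=Users,DC=corp,DC=example"},
    {"EventID": 4727, "SubjectUserName": "adadmin", "TargetUserName": "Print Operators Tier2",
     "TargetDomainName": "CORP"},
    {"EventID": 4756, "SubjectUserName": "svc-hr", "TargetUserName": "esx  ADMINS",
     "TargetDomainName": "CORP", "MemberName": "CN=svc-hr,OU=Service,DC=corp,DC=example"},
    # 4720 is user-account creation, not a group event: must be ignored.
    {"EventID": 4720, "SubjectUserName": "adadmin", "TargetUserName": "ESX Admins",
     "TargetDomainName": "CORP"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.event_id}] {a.actor}: {a.detail} (group '{a.group}')")
```

Feeding real exported events into `detect()` only requires the four named fields used above; alerting on the actor (SubjectUserName) is what lets the VMware team distinguish a planned creation of the group from one made by someone who merely has group-creation rights.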
The ESX Admins group would be created in Active Directory. If you are not using AD then just create your own group (without spaces) on ESXi.
Fri, 21 Jan 2011 10:02:39 -0800, reply from Vmotioner <http://communities.vmware.com/people/Vmotioner> in Security and Compliance, VMware Communities <http://communities.vmware.com/index.jspa>, thread "vSphere 4.1 and AD integration : how to easily hand out the keys to your VMware architecture ?":
Hi, I just tried creating a local group called ESX Admins on the host under Local Users & Groups and it won't let me create a group with spaces in it. Am I doing this at the right location? Cheers, Luc
I am using AD but just wanted to prevent the usage of that group. I tried creating a local group that matched the AD group ESX Admins with the "no access" right, but the host doesn't allow spaces in the group name (this would have been an easy fix). I won't have a choice but to create the group in AD and then restrict it at the host level.
Is the concern that you'll then have a bogus group in AD that may cause confusion? After it's created and the hosts are set to deny it, I believe it can be deleted from AD... The hosts just look for the group name, not a GUID.
However, if you delete it and another host comes along, you'll need to go through the same process above. That seems less than ideal, but may satisfy enterprise security standards if its existence causes an exception.