M_B_-_NS
Contributor
Contributor

vSphere 4.1 and AD integration : how to easily hand out the keys to your VMware architecture ?

Jump to solution

Hello,

I just read about the new "feature" which involves an host constantly checking for a specific AD group and assigning it automatically the Administrators permission :

-


http://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/vim.host.AuthenticationManag...

By default, the ESX host assigns the Administrator role to the "ESX Admins" group.

If the group does not exist when the host joins the domain, the host will

not assign the role. In this case, you must create the "ESX Admins"

group in the Active Directory. The host will periodically check the domain controller

for the group and will assign the role when the group exists.

-


I really hope I'm wrong, but according to me this means it is very easy for unauthorized personnel to get full admin rights on the hosts.

All ones needs is AD rights to create a group (and VMware admins unaware of this "feature"). They would just create the "ESX Admins" group, set them as a member of it and voila. Just need to wait for the ESX 4.1 hosts to detect it and grant them the full permissions.

Needless to say, a lot of IT (and even non-IT staff) can create groups in big AD environment, most of them not being domains admins nor VMware Admins (hotline operators comes to mind).

2 questions then :

1- am I missing something ?

2- if not, can we expect a fix to this security flaw ?

Regards

0 Kudos
42 Replies
admin
Immortal
Immortal

The ESX Admins group would be created on Active Directory. If you are not

using AD then just create your own group (without spaces Smiley Wink on ESXi.

From: Communities emailer <communities-emailer@vmware.com>

Reply-To: Communities emailer <communities-emailer@vmware.com>

Date: Fri, 21 Jan 2011 10:02:39 -0800

To: rrandell <rrandell@vmware.com>

Subject: New message: "vSphere 4.1 and AD

integration : how to easily hand out the keys to your VMware architecture

?"[pwwv77-6rmz-103nh]

VMware Communities <http://communities.vmware.com/index.jspa>

vSphere 4.1 and AD integration : how to easily hand out the keys to your

VMware architecture ?

reply from Vmotioner <http://communities.vmware.com/people/Vmotioner> in

Security and Compliance - View the full discussion

<http://communities.vmware.com/message/1684349#1684349>

Hi, I just tried creating a local group callled ESX Admins on the host under

Local Users & Groups and It won't lest me create a group with spaces in

it.....Am I doing this at the right location? Cheers,Luc

Reply to this message by replying to this email -or- go to the message on

VMware Communities <http://communities.vmware.com/message/1684349#1684349>

Start a new discussion in Security and Compliance at VMware Communities

<http://communities.vmware.com/choose-container!input.jspa?contentType=1&conta

inerType=14&container=2004>

0 Kudos
Vmotioner
Contributor
Contributor

I am using AD but just wanted to prevent the usage of that group. I tried creating a local group that matched the AD group ESX Admins with the "no access" right but the host doesn't allow spaces in the group name. (this would have been an easy fix) I won't have a choice but to create the group in AD and then restrict it at the host level.

0 Kudos
hicksj
Virtuoso
Virtuoso

Is the concern that you'll then have a bogus group in AD that may cause confusion?  After its created and the hosts are set to deny it, I believe it can be deleted from AD...  The hosts just look for the group name, not a GUID.

However, if you delete it, and another host comes along...  you'll need to go through the same process above.  That seems less than ideal, but may satisfy enterprise security standards if its existance causes an exception.

0 Kudos