VMware Cloud Community
Tibmeister
Expert

To join or not to join

So my security guy wants ESXi AD joined because he wants to have login activity attached to a user name instead of just root.  My first thought was "why do you think we should be logging into ESXi that much anyway?", but I digress.

I remember a few years back, probably 7 or so, that the Likewise client in ESXi had a nasty habit of locally storing password hashes of users that logged in via AD.  Possibly so that if the DC was down, cached creds could be used.  Nasty thought, but basically that put me in the camp of absolutely not AD join, ever, never.  Rotate the root password every couple of hours via something like SecretServer or a custom PowerShell script, or even better, enable lockdown mode where possible, put the logs on a shared datastore and use LogInsight, and stop logging into your damned ESXi box.

So, the question I pose is: does Likewise still have that "feature" of caching credentials, or if the AD DC is down then no auth?  Also, wouldn't it be nice to have RADIUS or SAML auth in ESXi?  Sorry, bright shiny moment there.  I also remember that when you join AD using the web client, those creds are stored in the ESXi config file; is this true?  If so, should we instead use the Authentication Proxy?

If only host profiles could be layered like AD GPOs...  Sorry, something bright and shiny just flew across my line of sight.  Anyway, what are folks' opinions on this subject?


Accepted Solutions
pdirmann01
Enthusiast

Personally, I always join to AD for the exact reason - most InfoSec teams aim for a central point for authentication, which I don't dispute. Root is an "in case of emergency, break glass" account. Joining AD in conjunction with using these options:

Config.HostAgent.plugins.hostsvc.esxAdminsGroup

Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd

Config.HostAgent.plugins.hostsvc.esxAdminsGroupUpdateInterval

...allows you to SSH and log in to ESXi hosts directly with Active Directory credentials, which should be limited to a "per need" basis if vCenter is available. That said, your lockdown approach is good, but the key phrase you used was "where possible". Using the AD Authentication Proxy is always a plus. If I remember correctly, it's actually in the Security Best Practices documentation to do so. A few extra steps, but nothing too major. The root password rotation is always welcomed as well.

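An added example (not from the thread or from VMware) of how a security team can audit the three settings named above across every host, using the standard PowerCLI Get-AdvancedSetting / Set-AdvancedSetting cmdlets. It assumes an existing Connect-VIServer session; 'ESXi-Admins-Prod' is a placeholder for your own dedicated AD group, and the script only changes anything when run with -Remediate.

```powershell
# Added example, not from the thread: audit (and optionally correct) the
# Config.HostAgent.plugins.hostsvc.esxAdmins* settings on all hosts in a vCenter.
# Assumes an open PowerCLI session (Connect-VIServer). 'ESXi-Admins-Prod' is a
# placeholder group name, not a real one.
param(
    [string]$ExpectedGroup = 'ESXi-Admins-Prod',  # placeholder: your dedicated AD group
    [switch]$Remediate                             # report only unless specified
)

$prefix  = 'Config.HostAgent.plugins.hostsvc.'
$default = 'ESX Admins'   # factory default; any AD group with this name grants host admin
$names   = @('esxAdminsGroup', 'esxAdminsGroupAutoAdd', 'esxAdminsGroupUpdateInterval')

foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # Fetch all three settings in one call. The Value type differs between
    # PowerCLI versions (bool vs. string), so everything is compared as a string.
    $s = @{}
    Get-AdvancedSetting -Entity $vmhost -Name ($names | ForEach-Object { "$prefix$_" }) |
        ForEach-Object { $s[$_.Name.Substring($prefix.Length)] = [string]$_.Value }

    $group    = $s['esxAdminsGroup']
    $autoAdd  = $s['esxAdminsGroupAutoAdd']
    $interval = $s['esxAdminsGroupUpdateInterval']

    $findings = @()
    if ($group -eq $default) {
        $findings += "esxAdminsGroup still at default '$default'"
    } elseif ($group -ne $ExpectedGroup) {
        $findings += "esxAdminsGroup is '$group', expected '$ExpectedGroup'"
    }
    if ($autoAdd -in @('True', '1')) {
        # Not necessarily wrong, but whoever controls this AD group's membership
        # controls Administrator on the host; the group needs tight change control.
        $findings += "AutoAdd on: members of '$group' get Administrator (refresh every $interval min)"
    }

    [pscustomobject]@{
        Host     = $vmhost.Name
        Group    = $group
        AutoAdd  = $autoAdd
        Interval = $interval
        Findings = ($findings -join '; ')
    }

    if ($Remediate -and $group -ne $ExpectedGroup) {
        Get-AdvancedSetting -Entity $vmhost -Name "${prefix}esxAdminsGroup" |
            Set-AdvancedSetting -Value $ExpectedGroup -Confirm:$false | Out-Null
    }
}
```

Run it without -Remediate first and pipe the output to Format-Table or Export-Csv to get the per-host evidence the InfoSec team is asking for.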
3 Replies
Tibmeister
Expert

I still am hesitant in regards to what, if any, creds are stored on the ESXi host itself.  Plus really, I always advocate the host being a commodity item that can be thrown away or rebuilt at whim, so login should be little if none.  The root password is managed in software that rotates it every day and can be set for checkout, so we have the audit trail of who does what.

Tibmeister
Expert

I did end up going with the Auth Proxy, as much of a pain as that is.  It seems to work and keep the InfoSec folks happy.
