42 Replies Latest reply on Jan 21, 2011 11:04 AM by hicksj

vSphere 4.1 and AD integration: how to easily hand out the keys to your VMware architecture?

M.B - NS Novice

Hello,

I just read about the new "feature" which involves a host constantly checking for a specific AD group and automatically assigning it the Administrators permission:

-

http://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/vim.host.AuthenticationManager.html

By default, the ESX host assigns the Administrator role to the "ESX Admins" group. If the group does not exist when the host joins the domain, the host will not assign the role. In this case, you must create the "ESX Admins" group in the Active Directory. The host will periodically check the domain controller for the group and will assign the role when the group exists.

-
I really hope I'm wrong, but as I understand it this means it is very easy for unauthorized personnel to get full admin rights on the hosts.

All one needs is AD rights to create a group (and VMware admins unaware of this "feature"). They would just create the "ESX Admins" group, add themselves as a member of it and voilà. They just need to wait for the ESX 4.1 hosts to detect it and grant them the full permissions.
Needless to say, a lot of IT (and even non-IT) staff can create groups in a big AD environment, most of them being neither domain admins nor VMware admins (hotline operators come to mind).
Two questions then:

1- Am I missing something?

2- If not, can we expect a fix to this security flaw?
Regards
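One way to catch the scenario the post describes from the domain-controller side, as an added example that is not part of the original post or of any VMware tooling: scan Windows Security audit events for the creation of, a rename to, or a membership change on a group named "ESX Admins". The event records are constructed for this example; the field names (SubjectUserName, TargetUserName, MemberName, OldTargetUserName, NewTargetUserName) follow the EventData names of the real Security events, and the case-insensitive, whitespace-tolerant name match is an assumption based on AD group names not being case-sensitive.

```python
"""Flag domain-controller Security events that create, rename to, or add
members to a group named "ESX Admins", the group that an ESX 4.1 host
joined to AD grants the Administrator role to once it appears.

Added example, not part of the original post or of any VMware tooling.
The event records below are constructed for this example; field names
follow the EventData names of the real Windows Security events, trimmed
to the fields the check needs.
"""
from __future__ import annotations

# Security event IDs for security-enabled group lifecycle on a domain
# controller, keyed to the group scope each one covers.
GROUP_CREATED = {4727: "global", 4731: "domain local", 4754: "universal"}
MEMBER_ADDED = {4728: "global", 4732: "domain local", 4756: "universal"}
ACCOUNT_RENAMED = 4781  # "The name of an account was changed"

# The group name the ESX host looks for (from the API reference quoted in
# the post). Assumed to be matched case-insensitively and ignoring stray
# whitespace, because AD group names are not case-sensitive.
WATCHED_GROUP = "esx admins"


def _normalize(name: str) -> str:
    """Collapse internal whitespace and fold case before comparing."""
    return " ".join(name.split()).casefold()


def is_watched_name(name: str) -> bool:
    return _normalize(name) == WATCHED_GROUP


def check_event(event: dict) -> dict | None:
    """Return a finding for one event, or None if it is not interesting."""
    event_id = event.get("EventID")
    actor = event.get("SubjectUserName", "?")

    if event_id in GROUP_CREATED and is_watched_name(event.get("TargetUserName", "")):
        return {
            "kind": "group_created",
            "actor": actor,
            "group": event["TargetUserName"],
            "detail": f"{GROUP_CREATED[event_id]} group created (event {event_id})",
        }
    if event_id in MEMBER_ADDED and is_watched_name(event.get("TargetUserName", "")):
        return {
            "kind": "member_added",
            "actor": actor,
            "group": event["TargetUserName"],
            "detail": f"{event.get('MemberName', '?')} added (event {event_id})",
        }
    if event_id == ACCOUNT_RENAMED and is_watched_name(event.get("NewTargetUserName", "")):
        return {
            "kind": "renamed_to_watched_name",
            "actor": actor,
            "group": event["NewTargetUserName"],
            "detail": f"renamed from {event.get('OldTargetUserName', '?')!r} (event {event_id})",
        }
    return None


def scan(events: list[dict]) -> list[dict]:
    """Run check_event over a batch of events and keep only the findings."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample: a helpdesk account creates the group and adds itself,
# then someone renames an unrelated group to the watched name with odd
# casing and spacing. The other records are noise that must not match.
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "helpdesk01", "TargetUserName": "svc-backup"},
    {"EventID": 4727, "SubjectUserName": "helpdesk01", "TargetUserName": "ESX Admins",
     "TargetDomainName": "CORP"},
    {"EventID": 4728, "SubjectUserName": "helpdesk01", "TargetUserName": "ESX Admins",
     "MemberName": "CN=helpdesk01,OU=Helpdesk,DC=corp,DC=example"},
    {"EventID": 4727, "SubjectUserName": "printadmin", "TargetUserName": "Printer Admins"},
    {"EventID": 4781, "SubjectUserName": "helpdesk02", "OldTargetUserName": "Temp Group",
     "NewTargetUserName": "esx  admins"},
    {"EventID": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "HR Staff",
     "MemberName": "CN=newhire,OU=HR,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['kind']}] {finding['actor']} -> {finding['group']}: {finding['detail']}")
```

Run against the constructed sample this reports three findings: the group creation and the self-add by helpdesk01, and the rename by helpdesk02. Detection only tells you after the fact; since the quoted documentation says the host merely waits for a group of that name to exist, the practical counterpart is to create "ESX Admins" yourself, under an OU that ordinary group-creating staff cannot write to, before any host joins the domain, so that the name is already taken.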