M_B_-_NS
Contributor

vSphere 4.1 and AD integration : how to easily hand out the keys to your VMware architecture ?


Hello,

I just read about the new "feature" which involves a host constantly checking for a specific AD group and automatically assigning it the Administrators permission:

http://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/vim.host.AuthenticationManag...

> By default, the ESX host assigns the Administrator role to the "ESX Admins" group. If the group does not exist when the host joins the domain, the host will not assign the role. In this case, you must create the "ESX Admins" group in the Active Directory. The host will periodically check the domain controller for the group and will assign the role when the group exists.


I really hope I'm wrong, but according to me this means it is very easy for unauthorized personnel to get full admin rights on the hosts.

All one needs is AD rights to create a group (and VMware admins unaware of this "feature"). They would just create the "ESX Admins" group, set themselves as a member of it and voila. They just need to wait for the ESX 4.1 hosts to detect it and grant them the full permissions.

Needless to say, a lot of IT (and even non-IT staff) can create groups in a big AD environment, most of them being neither domain admins nor VMware admins (hotline operators come to mind).

2 questions then :

1- am I missing something ?

2- if not, can we expect a fix to this security flaw ?

Regards

1 Solution

Accepted Solutions
dburgess
VMware Employee

Ok - so say a warning in the dialogue and maybe an alarm if we don't see the Admin group after a certain period?

dB

42 Replies
dburgess
VMware Employee

The default behaviour is not to use this method - so the VI Admin team has to be involved in enabling this functionality. Not sure for the GA but this was covered in the RC release in chapter 13 of the admin guide.

Cheers,

dB

M_B_-_NS
Contributor

Hello, when you say "The default behaviour is not to use this method", are you talking about AD integration or the automatic assignment being disabled by default ?

According to page 176 of the ESX configuration guide, automatic assignment is enabled by default. Quote:

"Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role."

I understand that an ESX admin has to be involved in order to activate this. But I am more than sure that some people won't know about the ESX Admins group and expose their company to risks.

Some SMBs (most) can't afford a full-time or adequately trained VMware admin. It can be a Windows admin, or even a helpdesk operator.

I'm talking about companies in the 100-1500 people range, which is a market VMware is growing into.

Now disabling this feature is not the only option : it can be that an explicit warning dialog box is displayed when AD integration is set up. But one line in the documentation isn't enough IMHO.

Thanks for your help.

dburgess
VMware Employee

The AD integration

dB

schepp
Leadership

> Needless to say, a lot of IT (and even non-IT staff) can create groups in big AD environment, most of them not being domains admins nor VMware Admins (hotline operators comes to mind).

An AD where normal users can edit the Group and User Settings? A horror scenario. I don't think it's needless to say. Can't imagine a single company where the Administrators would share these rights :)

Regards

dburgess
VMware Employee

I'm not an AD expert but when you have the group created couldn’t you just revoke the rights for everyone except those in the trusted group?

M_B_-_NS
Contributor

> An AD where normal users can edit the Group and User Settings? A horror scenario. I don't think it's needless to say. Can't imagine a single company where the Administrators would share these rights :)
>
> Regards

Well, I could reply: an AD where all AD operators are domain admins? A horror scenario :)

Hotline operators often do basic AD operations: create accounts, reset passwords, and ... create groups (usually on very specific OUs). It doesn't mean they are AD administrators (forget VMware Administrators). Remember: where the group "ESX Admin" is created doesn't matter here. Only the name must match.

They are very often outsourced staff, which increases the risks involved because they are not directly employed by the company.

Of course, if the VMware admin is aware of this behavior, they will ask the AD admins to create the group beforehand and to lock it properly against unauthorized modification (not difficult).

My main point is that, with the information currently available on this feature, a lot of VMware admins won't be aware of this when they integrate their hosts in AD.

M_B_-_NS
Contributor

> I'm not an AD expert but when you have the group created couldn't you just revoke the rights for everyone except those in the trusted group?

I'm not sure what you mean, but just to be clear, there is no issue if the VMware admin is aware of this behavior : taking steps to ensure the group is not "exploited" is easy with AD standard features.

The issue is more the fact that it is default AND not pushed in front for everyone to know.

A lot of people will want to integrate their hosts in AD because it is well advertised by VMware, but it is far more difficult to learn about this default behavior.

dburgess
VMware Employee

Not really sure what you mean here...

We have put it in the documentation under a fairly appropriate section (I think) - it is not going to do anything without the VI Admin actually enabling it. Just trying to understand how we could make this better for you? Should we update the docs about the retry for the group name existence for example?

Surely the other point about what privileges you assign to that group is up to individual organisations?

dB

M_B_-_NS
Contributor

Thanks for the follow-up, it is appreciated.

What I fear is that a lot of IT staff do not read documentation, and even if they do, they will not read it thoroughly.

So if ESX 4.1 hosts are installed and AD integration is set up by someone unaware of this feature, an attacker could easily exploit that to gain unauthorized full access and damage (or steal valuable information from) the environment.

How to make it better? Certainly emphasizing it in the documentation is good; ideally the VI Client should warn the user when AD integration is set up, and advise him that the "ESX Admins" AD group should be secured beforehand.

dburgess
VMware Employee

Ok - so say a warning in the dialogue and maybe an alarm if we don't see the Admin group after a certain period?

dB

M_B_-_NS
Contributor

That would be perfect indeed, the alarm is a good idea. Thanks !

maishsk
Expert

I think the proper approach in this case would be to apply the appropriate security measures in Active Directory.

The same way that you protect your Domain Administrators Group - either by limiting the security settings on the group or by using Restricted Groups.

There will always be critical groups that need to be monitored - ESX Admins just becomes another one of these groups.

Maish

VMware Communities User Moderator

Virtualization Architect & Systems Administrator

- @maishsk

Maish Saidel-Keesing • @maishsk • http://technodrone.blogspot.com • VMTN Moderator • vExpert • Co-author of VMware vSphere Design
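
As an added illustration of the monitoring suggested in this thread (not part of any post, and not VMware or Microsoft code): a small Python check over Windows Security log records that flags creation of, renaming to, or member additions in a group named "ESX Admins". The event records are constructed samples assumed to be already parsed into dictionaries, and the approved-account lists are hypothetical.

```python
# Added example: flag Windows Security events that create, rename into, or
# add members to a group named "ESX Admins". Sample events are constructed.
GROUP = "esx admins"  # hosts match on the name only, wherever the group lives

CREATED = {4727, 4731, 4754}       # security-enabled global/local/universal group created
MEMBER_ADDED = {4728, 4732, 4756}  # member added to global/local/universal group
RENAMED = 4781                     # name of an account (user or group) changed


def audit(events, approved_admins, approved_members):
    """Return (severity, message) findings for the watched group name."""
    findings = []
    for e in events:
        eid, actor = e["EventID"], e["SubjectUserName"].lower()
        unapproved = actor not in approved_admins
        if eid in CREATED and e["TargetUserName"].strip().lower() == GROUP:
            findings.append(("HIGH" if unapproved else "INFO",
                             f"group created by {actor}"))
        elif eid == RENAMED and e["NewTargetUserName"].strip().lower() == GROUP:
            findings.append(("HIGH" if unapproved else "INFO",
                             f"{e['OldTargetUserName']} renamed to watched name by {actor}"))
        elif eid in MEMBER_ADDED and e["TargetUserName"].strip().lower() == GROUP:
            member = e["MemberName"]
            ok = not unapproved and member.lower() in approved_members
            findings.append(("INFO" if ok else "HIGH",
                             f"{member} added by {actor}"))
    return findings


# Constructed sample records, shaped like parsed Security log EventData.
SAMPLE = [
    {"EventID": 4727, "SubjectUserName": "helpdesk07", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "helpdesk07", "TargetUserName": "ESX Admins",
     "MemberName": "CN=helpdesk07,OU=Staff,DC=example,DC=test"},
    {"EventID": 4781, "SubjectUserName": "helpdesk07",
     "OldTargetUserName": "Printer Ops", "NewTargetUserName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "adadmin1", "TargetUserName": "ESX Admins",
     "MemberName": "CN=viadmin,OU=Admins,DC=example,DC=test"},
    {"EventID": 4728, "SubjectUserName": "adadmin1", "TargetUserName": "Finance",
     "MemberName": "CN=bob,OU=Staff,DC=example,DC=test"},
]

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE, {"adadmin1"},
                          {"cn=viadmin,ou=admins,dc=example,dc=test"}):
        print(sev, msg)
```

The rename case is included because the hosts match on the group name alone, so an existing group renamed to "ESX Admins" matters as much as a newly created one.
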
mclark
Expert

I must agree with the OP. Setting something like this up without giving the VI admin a choice is bad security practice. Assuming that no one other than the VI admin can change AD is a bad assumption. There should be an option when setting up AD integration that allows a VI admin to turn off the checking for or using of the "ESX Admins" group. If the checkbox is checked (which could be the default), then ESX will check for the group. If the checkbox is unchecked, then the "ESX Admins" group would not be used. Or, another option would be for the user to be able to specify what AD group they want to use rather than "ESX Admins" (if any). I use my own set of AD groups to assign permissions for vCenter. The fact that some other AD administrator in my organization can go in and set up this group and get permissions to my box without my knowledge will prevent me from integrating ESXi with AD. Furthermore, they also use ESXi. So, if they set up this group for their VI, it would be used by my VI, which I would not want.

dburgess
VMware Employee

That is not the case - an AD admin cannot set the group up and get control of your estate without the VI Admin being part of the process. This is why the check box preference you state is indeed the case - The VI Admin and the AD team will have to co-operate to enable this. Hope that puts your mind at rest.

mclark
Expert

I went into vCenter, then configuration for my ESXi host, and chose Authentication Services. I then went to Properties and selected Active Directory. I see no place where I can specify whether ESX Admins is used or not. If the OP found the section in the documentation that says that ESX Admins is automatically used, I see no place in vCenter where I, as VI admin, can tell it not to use that, or to explicitly turn it on or off. Can you tell me where in vCenter to control whether or not the ESX Admins AD group is used or not?

Thanks.

M_B_-_NS
Contributor

> I must agree with the OP. Setting something like this up without giving the VI admin a choice is bad security practice. Assuming that no one other than the VI admin can change AD is a bad assumption. There should be an option when setting up AD integration that allows a VI admin to turn off the checking for or using of the "ESX Admins" group. If the checkbox is checked (which could be the default), then ESX will check for the group. If the checkbox is unchecked, then the "ESX Admins" group would not be used. Or, another option would be for the user to be able to specify what AD group they want to use rather than "ESX Admins" (if any). I use my own set of AD groups to assign permissions for vCenter. The fact that some other AD administrator in my organization can go in and set up this group and get permissions to my box without my knowledge will prevent me from integrating ESXi with AD. Furthermore, they also use ESXi. So, if they set up this group for their VI, it would be used by my VI, which I would not want.

That's a good point, but I think you can resolve this by creating and locking the "ESX Admins" group empty, somewhere in the AD where only full domain admins can modify it.

This way, even if permissions are assigned to the group, there won't be any user to take advantage of it.

But surely, being able to disable this easily and at will like you propose could avoid these (at the moment) necessary steps.

@maishsk : my main point is that the VI Admins won't necessarily know about this group, as things are now (entirely background process, and only one line in documentation). I very much agree that once VI & AD admins are aware of it, solutions exist to secure it.

dburgess
VMware Employee

You can't change the group name (sorry, didn't realise that was the question), but you are in control of whether it gets used or not, so hopefully a simple (one-off) process to check its existence before enabling, get it created to your liking and then set the policy in VC?

mclark
Expert

It just seems counterintuitive to open up "holes" like this. Why not give the VI admin full control and full visibility as to what is happening, and not just set something like this up as default? Plus, you could make it infinitely more flexible if you allow the VI admin to tell you what group they want to act as an "ESX Admins" group (if they want it at all) rather than just hard-coding it. For places with multiple VIs but one domain, this just makes sense.

mclark
Expert

I'm sorry, I don't see where I am in control of whether it gets used or not. Can you tell me where, in vCenter, to specify that ESX Admins is NOT used? I don't want to use it. I also don't want to (can't) create the group and lock it down. I just want a checkbox to shut it off in vCenter, or for the ability to tell vCenter "use this AD group for your ESX Admin group". If I can't shut it off or specify a group name, I can't integrate with AD.
