ESXi 5.1 Security Features
vSphere 5.1 was released on 27th August, 2012. It is only now (after almost 3 months) that I have started going through the What’s New features. It has been a long time since I blogged, either. I’m not sure if I will continue further on vSphere 5.1. Historically I’ve blogged to cover my VCP certification, and that generally happens during a major release, so with the 5.1 release there is as such no need. However, there are other things I’ve learnt over a period of time, and I’m trying to find ways to share them with you all.
Today I learnt some ESXi security features that I think are worth sharing, and worth reminding myself of when the need arises. The ESXi shell had a session timeout in previous releases; in this release there is also an idle session timeout. What does this mean? When a session has been idle for the specified number of minutes, it becomes inactive or exits automatically.
Where to find this setting?
1. Go to the ESXi DCUI, log in and select Troubleshooting Options.
2. Select Modify ESXi Shell and SSH timeouts.
NB: The TSM term is gone. The "Timeout session" wording has changed to "Availability Timeout" (previously "ESXi Shell Timeout").
3. In the section below, specify the Idle timeout value. I think 5 minutes is quite sensible; an availability timeout of 10 minutes also looks sensible.
NB: Both of these values are zero, i.e. disabled, by default.
4. Press OK and you’re done.
The same setting can be configured using the C# client.
NB: Sorry, I cannot show you how to do it in the Web Client, as I don’t have 10GB of RAM to run that thing.
Account Auditing – No Need to Use the Root Account
Now there is another great enhancement to security: there is no need to use the root account. In ESXi 5.1 security is so well addressed that you would never need to use the root account to manage an ESXi host.
One common use of the root account was when Lockdown mode is enabled and you have to log in to the ESXi shell. Now you can do so without needing root privileges: just add yourself to the DCUI user privileges as shown below. This eliminates the need to use the root account. So if there are multiple vSphere administrators, all of those accounts can be added here and their logins can be easily tracked, which makes the logging traceable as well.
I think there are still places where you need the root account, e.g. to read the logs, at least shell.log, at the shell.
Add account to DCUI Access
1. Go to the Advanced Settings.
2. Select DCUI and add the account that you want to be able to access the DCUI. Remember this can be a local account or a domain account on the ESXi server. This account must also be permissioned as an administrator on the ESXi host.
Control the Group Name & Behaviour of the AD Group That Can Be Added as Administrator to the ESXi Host
Now you can control which AD group can be added to ESXi, and also whether this AD group is added to the administrator role by default.
This avoids the default group name “ESX Admins” being known to everyone. You can create your own group in AD and specify it here.
You also have the option to add this group as administrators by default. I would strongly discourage selecting this option, as I can see the possibility of Windows Domain Administrators adding themselves to this group and elevating themselves to root-level privileges. Wherever possible, try to control account management within the virtual infrastructure, though by the same logic Domain Admins can also become vCenter administrators.
In this release account auditing has also been enhanced. In the screen below, logs of who logged in and at what time can be easily traced. You can redirect these logs to centralized syslog servers.
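Checking these settings host by host in the DCUI does not scale, so here is an added PowerCLI audit script (my own example, not part of the original post) that reports which hosts still have the shell timeouts disabled, DCUI access limited to root, or the default "ESX Admins" group with auto-add enabled. It assumes an existing Connect-VIServer session, and it assumes the ESXi 5.1 advanced-setting names (UserVars.ESXiShellInteractiveTimeOut, UserVars.ESXiShellTimeOut, DCUI.Access and Config.HostAgent.plugins.hostsvc.esxAdminsGroup/AutoAdd) behind the DCUI and client screens described above.

```powershell
# Added example, not from the original post: audit the ESXi 5.1 settings discussed
# above across every host in an existing PowerCLI session (Connect-VIServer already run).
# The advanced-setting names are assumed to be the standard 5.1 names.
param(
    [int]$IdleTimeoutSeconds         = 300,   # DCUI "Idle timeout" of 5 minutes
    [int]$AvailabilityTimeoutSeconds = 600    # DCUI "Availability timeout" of 10 minutes
)

function Get-EsxiSecurityPosture {
    param([Parameter(Mandatory = $true)] $VMHost)

    # Read one advanced setting as a string; $null if the host does not expose it.
    function Read-Setting([string]$Name) {
        $s = Get-AdvancedSetting -Entity $VMHost -Name $Name -ErrorAction SilentlyContinue
        if ($s) { "$($s.Value)" } else { $null }
    }

    $idle    = Read-Setting 'UserVars.ESXiShellInteractiveTimeOut'
    $avail   = Read-Setting 'UserVars.ESXiShellTimeOut'
    $dcui    = Read-Setting 'DCUI.Access'
    $group   = Read-Setting 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
    $autoAdd = Read-Setting 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'

    $findings = @()
    # A value of 0 means the timeout is disabled (the 5.1 default); larger than the
    # chosen value means sessions linger longer than intended.
    if ($idle -ne $null -and ([int]$idle -eq 0 -or [int]$idle -gt $IdleTimeoutSeconds)) {
        $findings += "Shell idle timeout is $idle (want $IdleTimeoutSeconds)"
    }
    if ($avail -ne $null -and ([int]$avail -eq 0 -or [int]$avail -gt $AvailabilityTimeoutSeconds)) {
        $findings += "Shell availability timeout is $avail (want $AvailabilityTimeoutSeconds)"
    }
    # DCUI.Access is a comma-separated user list; root alone means admins share one account.
    if ($dcui) {
        $users = @(($dcui -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if (@($users | Where-Object { $_ -ne 'root' }).Count -eq 0) {
            $findings += 'DCUI.Access lists only root; add named administrator accounts'
        }
    }
    if ($group -eq 'ESX Admins') { $findings += 'Default "ESX Admins" AD group name still in use' }
    if ($autoAdd -and $autoAdd.ToLower() -eq 'true') {
        $findings += 'AD admin group is auto-added as host administrator'
    }

    [PSCustomObject]@{
        Host = $VMHost.Name; IdleTimeout = $idle; AvailabilityTimeout = $avail
        DcuiAccess = $dcui; AdminGroup = $group; AutoAddGroup = $autoAdd
        Findings = ($findings -join '; ')
    }
}

# Run the audit against every host in the connected inventory.
Get-VMHost | ForEach-Object { Get-EsxiSecurityPosture -VMHost $_ } | Format-Table -AutoSize
```

Hosts with an empty Findings column match the settings recommended in this post; anything else is drift worth correcting, and the DCUI timeout values are entered in minutes while the advanced settings hold seconds.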