Yellow Bricks

by Duncan Epping

security

vpxuser description disappearing?

Duncan Epping · Apr 15, 2010 ·

One of my former colleagues (who wants to remain anonymous) notified me about this. Although many of you might not even be doing this, for the few who are it is useful to know about this caveat.

For security reasons some customers have the requirement to record specific account information for every user. It appears that when you modify the details for “vpxuser” in /etc/passwd (for instance the description in the comment field) and the vpxuser password is refreshed, these account details are overwritten. (The vpxuser password gets refreshed every 30 days.) So anything you put into that entry by hand should be treated as temporary and re-checked after a refresh. According to my former colleague this has been fixed in vCenter 4.0, but the “issue” does exist in vCenter 2.5 Update 6 today.
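A small check for this, added here as an example and not taken from the original post or from VMware: it reads the description (GECOS, the fifth colon-separated field) of an account from a passwd-format file and compares it with the value the admin set, so a cron job on the service console can flag when the 30-day refresh has reset it. The sample passwd lines, the uid 500 and the description strings are constructed for the example and are not copied from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post. Detects when the
# description (GECOS/comment field, 5th column of /etc/passwd) of an
# account no longer matches what an admin set. The passwd lines, uid and
# description strings below are constructed for this example.

# Print the GECOS field of user $2 from passwd-format file $1.
# Exit status 1 if the user does not exist in the file.
gecos_field() {
    awk -F: -v u="$2" '$1 == u { print $5; found = 1 } END { exit !found }' "$1"
}

# Exit 0 when user $2 in file $1 has description $3, 1 when it differs or
# the user is missing. Point it at /etc/passwd from cron on a real host.
check_description() {
    actual=$(gecos_field "$1" "$2") || return 1
    [ "$actual" = "$3" ]
}

# Write a constructed two-line passwd file to $2 with description $1 for
# vpxuser. Keep colons out of $1: a colon would shift the passwd fields.
make_sample() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        "vpxuser:x:500:500:$1:/home/vpxuser:/bin/bash" > "$2"
}

# Stand-alone demo: one file with the custom description, one with the
# field reset to a stock-looking value, as it would be after the refresh.
demo() {
    wanted='vCenter agent account, owner virt-team'
    dir=${TMPDIR:-/tmp}
    make_sample "$wanted" "$dir/passwd.custom.$$"
    make_sample 'VMware VirtualCenter administration account' "$dir/passwd.reset.$$"
    for f in "$dir/passwd.custom.$$" "$dir/passwd.reset.$$"; do
        if check_description "$f" vpxuser "$wanted"; then
            echo "$f: vpxuser description intact"
        else
            echo "$f: vpxuser description changed to '$(gecos_field "$f" vpxuser)'"
        fi
    done
    rm -f "$dir/passwd.custom.$$" "$dir/passwd.reset.$$"
}

demo
```

Run `check_description /etc/passwd vpxuser 'your text'` from cron and alert on a non-zero exit; that tells you when the refresh has wiped the field, so you can re-apply it (or decide the field is not a reliable place for that information on this vCenter version).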

vShield Manager

Duncan Epping · Apr 6, 2010 ·

I was working on a vShield Zones setup a couple of days ago. I have done this a couple of times already, but somehow the following details seem to slip every time and I find myself digging them up in the manual, hence this article. A reminder to myself:

vShield Manager login (page 24): admin/default
Configure the IP address with the following command (page 35): setup

Those are the factory defaults, so change the admin password as part of the initial setup.

ESXi lockdown mode

Duncan Epping · Mar 23, 2010 ·

During the VCDX Defense panels one of the candidates mentioned using lockdown mode for ESXi to add an extra layer of security. There seems to be a common misunderstanding about what lockdown mode actually does. Here’s how our documentation describes it:

Enabling lockdown mode disables all direct root access to ESXi machines. Any subsequent local changes to the host must be made in a vSphere Client session or vSphere CLI command to vCenter Server using a fully editable Active Directory account. You can also use a local user account defined by the host. By default, no local user accounts exist on the ESXi system. Such accounts can only be created prior to enabling lockdown mode in a vSphere Client session directly on the ESXi system. The changes to the host are limited to the privileges granted to that user locally on that host.

I guess the table below explains it a bit better; I ripped it from “it’s all virtual”, so credits where credits are due. Note what it shows: lockdown mode only removes direct root access to the host over the network (vSphere Client or RCLI/PowerCLI pointed at the host). Access through vCenter, root at the physical console, and any other local user are not affected, so it is a narrow control, not a general hardening switch.

Access method                                        Access granted,      Access granted,
                                                     lockdown disabled    lockdown enabled
vCenter                                              Yes                  Yes
Physical console access with root                    Yes                  Yes
Physical console access with any other user          No                   No
vSphere Client directly to ESXi with root            Yes                  No
vSphere Client directly to ESXi with any other user  Yes                  Yes
PowerCLI / RCLI to ESXi with root                    Yes                  No
PowerCLI / RCLI to ESXi with any other user          Yes                  Yes

Disable Tech Support on ESXi?

Duncan Epping · Mar 1, 2010 ·

We had an interesting discussion on one of the internal mailing lists this week. Someone asked what the general opinion was about disabling Tech Support. Of course some said disabling should not be a problem, but many also disagreed. The reason for this is simple: Support.

When Tech Support is disabled it removes the option to log in to the console with “unsupported”. Keep in mind that the console is the only way to get direct command line access to ESXi, as SSH is disabled by default. This also means that to get access to the console you need access to the physical host, or to the IP KVM switch / DRAC / iLO. Hosts are usually located in a secured environment, which in my opinion removes the need for limiting console access.

I can still imagine that people have a different opinion, but if you look at it from a support perspective you might change your mind. Troubleshooting an issue can get really complicated when there is no Tech Support access. I guess in a highly secure environment you could treat ESXi as a stateless appliance and just install a new version when it fails. Personally I would prefer to find the root cause and try to prevent the same problem from occurring again.

Of course you can enable Tech Support again when needed, but a reboot is required. That reboot might make the symptoms of the problem you were facing disappear. My recommendation is to keep Tech Support enabled.

[edit] Of course Alan “the king of PowerShell” Renouf jumped on this topic immediately and created a couple of lines of script that show you the current setting, disable it for all hosts, or enable it for all hosts. Thanks Alan! [/edit]

Cisco and Granite Ventures invest in Hytrust

Duncan Epping · Feb 24, 2010 ·

I just received the following announcement and thought it would be interesting for you as well:

HyTrust, Inc., the leader in policy management and access control for virtual infrastructure, announced today that it has secured $10.5 million in Series B financing. New investors Granite Ventures and Cisco Systems participated in the round of financing, as did existing investors Trident Capital and Epic Ventures. Len Rand, partner at Granite Ventures, will take a seat on the HyTrust Board of Directors. HyTrust will use the capital to drive development, sales and marketing, and fuel the company’s next stage of growth.

“We are excited to welcome Cisco not only as a HyTrust partner but now also as a strategic investor,” added Chiu. “It’s great validation for HyTrust when the worldwide leader in networking places its confidence, via financial backing, in our approach to policy management and access control for virtual infrastructure. We look forward to deepening our relationship with the Server Access & Virtualization business unit at Cisco, tightening our existing integration with Cisco Nexus 1000v and Unified Computing System products, and working closely with Cisco’s Security business unit to address the needs of our joint customers. We feel strongly that policy management is key to enabling the ‘next generation data center’ and we couldn’t be more excited to have gained the backing of the company that coined the phrase.”

source

About the Author

Duncan Epping is a Chief Technologist and Distinguished Engineering Architect at Broadcom. Besides writing on Yellow-Bricks, Duncan is the co-author of the vSAN Deep Dive and the vSphere Clustering Deep Dive book series. Duncan is also the host of the Unexplored Territory Podcast.