[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Vcenter login process

Posted on 2012-04-12
8
Medium Priority
?
709 Views
Last Modified: 2012-04-12
When you access/login to Vcenter, do you enter login credentials? Or is it just based on your AD account.

Our management are concerned about unauthorised access to vcenter, and I guess theres always a potential someone could guess the password for an account that has permission in vcenter, but what would they "need" on their machine to access the system, i.e. if they dont have client software, they cant access the system? Or are there ways to access vcenter even without the software on your PC, i.e. if you guess an admina ccount that has access to vcenter, without the neccesary software, could you still access vcenter?
0
Comment
Question by:pma111
8 Comments
 

Accepted Solution

by:
2G33K4U earned 668 total points
ID: 37836485
If you have it pulling from AD to get accounts and they are lucky enough to guess the administrative credential info then...them accessing your VMserver is least of your concerns they can wipe everything out.  I use a separate logon for getting complete access to my VMServers that is not tied to AD. You make the accounts and dictate what the passwords are.   You have to log into it to get access to anything. Some one can't just walk into the actual server box and hop in. and if it makes them worry that much consider setting in CMOS to require a password from screen saver as well 2 layers of protection.

So to sum it all no matter what you do or choose they will still have to log and then the permission you have setup will dictate what they will/can do.

You decide what groups have access to what just because a domain admin logs in to it doesn't mean he/she can change anything unless they have been added to Local User Groups in VM

Image of VMware Local Users and Groups
The VM Settings are the deciding factor.  Hope this helps.
0
 
LVL 124

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 668 total points
ID: 37836818
The login credentials for vCenter Server depend on how vCenter Server has been integrated and setup.

Local Accounts on the Windows Server could be used or Active Directory accounts if integrated into Windows Active Directory.
0
 
LVL 3

Author Comment

by:pma111
ID: 37836889
Back to the threat scenario though. Would it be seen as a compensating control that (specific to gaining unauthorised access to vcenter) if someones compromised an admin account and want to get at vcenter, if they dont have whatever client neccesary to access vcenter, then wheres the risk, how (if at all) could they get access to vcenter. I guess I am after "paths" which could be used to get on vcenter to get my head around the risk.
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 

Expert Comment

by:2G33K4U
ID: 37836911
Technically if they know the vmserver's IP address soon as they hit it. it will offer that person the chance to download the client. That is built in. The scenario you speak of is unavoidable any place anywhere with any server if a admin password is compromised they will get in Period. Shy of finger print keys.

try it yourself go to a machine without the VM client software and browse to your vmservers IP.

Soon as you think a admin password has been compromised even a slight possibility change passwords. better safe than sorry.
0
 
LVL 5

Assisted Solution

by:ianmellor
ianmellor earned 664 total points
ID: 37836931
Hi,

Your domain administrator account might not be a vCenter administrator, it all depends on how you have setup your infrastructure. You can always download a Thinapp version of the vSphere client and connect with it, if you are able to guess a username and password. Also remember that vCenter is a windows machine and you have to do security hardening on it as well.
If you are that worried about security then you have to look at two factor authentication or separate networks.

Hope this helps,
0
 

Expert Comment

by:2G33K4U
ID: 37836935
Also they could SSH into it with proper credentials. Anyway you can get in they can get into it if they have the credentials.
0
 
LVL 5

Expert Comment

by:ianmellor
ID: 37836940
Hi,

SSH should be disabled by default. You should not be using it for day to day administration.


Cheers,
0
 

Expert Comment

by:2G33K4U
ID: 37837470
Glad to have been of assistance and thank you for the points.
Have a great Day!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines why you need to choose a backup solution that protects your entire environment – including your VMware ESXi and Microsoft Hyper-V virtualization hosts – not just your virtual machines.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Teach the user how to configure vSphere clusters to support the VMware FT feature Open vSphere Web Client: Verify vSphere HA is enabled: Verify netowrking for vMotion and FT Logging is in place or create it: Turn On FT for a virtual machine: Verify …
This Micro Tutorial walks you through using a remote console to access a server and install ESXi 5.1. This example is showing remote access and installation using a Dell server. The hypervisor is the very first component of your virtual infrastructu…
Suggested Courses

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question