amendala


Why can all Domain Users seemingly launch the VMM 2012 R2 console and modify my VMs?

Greetings -

Folks, I've run into something that is very concerning to me in my new VMM 2012 R2 environment.  I've found that seemingly any domain user in my domain can launch the VMM 2012 R2 console (if installed on their machine of course), and they can not only connect to the VMM server but also modify properties of my VMs, start/stop them, etc.  They can't connect to the console session but at any rate, this is highly concerning from an RBAC perspective.

The only built-in RBAC group in VMM that I can see is "Administrators".  The membership of this group contains all the defaults (i.e. the VMM server computer account, service account, default action account, Domain Admins, etc.)  It does *not* however contain any groups that would include Domain Users or any broad global/universal groups.

So why anyone can launch the console and play with my VMs, I have no idea.  Where else should I be looking for access rights?  Aside from my server administrators, I don't want anyone to be able to launch the console and connect, let alone make any setting changes or even see any VMs for that matter.

Ideas?  What am I missing about VMM 2012 R2 versus the old VMM 2008 R2 world where this was seemingly simpler or at least more secure/functional?

Thanks in advance.

Edit - Additional Information:

My VMM environment is extremely simple at this point as it is in the early stages of configuration.  Only a few hosts, about 20 VMs, a single private cloud, single domain, nothing extravagant.  It is VMM 2012 R2 (Update Rollup 4) running on a fully patched Server 2012 R2 box.
Hyper-V, Virtualization, Windows Server 2012

David Johnson, CD

In SCVMM, what group of users are administrators (as far as SCVMM is concerned)?
VB ITS

In VMM, click on Settings in the bottom left corner > expand Security > click User Roles > under User Roles in the right pane > click the Administrator user role > verify the members in this role in the bottom pane and remove members if necessary. If you have other custom roles then check the members for these roles also.
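
Added example, not part of the original thread or of any participant's post: a PowerShell version of the role-membership check described above that also resolves nested and primary-group membership, so it reports every VMM user role an ordinary account reaches and through which role member. It assumes the VMM console's `virtualmachinemanager` module and the RSAT `ActiveDirectory` module are installed, a single domain, and that role members are named `DOMAIN\name`; `vmm01.example.local` and `jdoe` are placeholders, and `Get-EffectiveVmmRole` is a hypothetical helper name.

```powershell
Import-Module virtualmachinemanager, ActiveDirectory

# Escape a DN for use as a value inside an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
}

function Get-EffectiveVmmRole {
    param(
        [Parameter(Mandatory)] [string] $VMMServer,      # placeholder server name
        [Parameter(Mandatory)] [string] $SamAccountName  # account under test
    )
    $netbios = (Get-ADDomain).NetBIOSName
    $user    = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup

    # 1.2.840.113556.1.4.1941 is the LDAP "in chain" rule: it returns direct
    # and nested groups. The primary group (normally Domain Users) is not held
    # in the 'member' attribute, so it is added and expanded separately.
    $groups = foreach ($dn in $user.DistinguishedName, $user.PrimaryGroup) {
        $value = ConvertTo-LdapFilterValue $dn
        Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$value)"
    }
    $groups = @($groups) + (Get-ADGroup -Identity $user.PrimaryGroup)

    # Every domain principal the account can be matched as.
    # Assumption: VMM lists role members as DOMAIN\name.
    $names = @($user.SamAccountName) + @($groups | ForEach-Object SamAccountName)
    $principals = $names | Sort-Object -Unique | ForEach-Object { "$netbios\$_" }

    # Compare against the members of every VMM user role, custom roles included.
    foreach ($role in Get-SCUserRole -VMMServer $VMMServer) {
        foreach ($member in $role.Members) {
            if ($principals -contains $member.Name) {
                [pscustomobject]@{
                    Account    = $SamAccountName
                    Role       = $role.Name
                    GrantedVia = $member.Name
                }
            }
        }
    }
}

# Run as a VMM administrator against a non-admin test account.
Get-EffectiveVmmRole -VMMServer 'vmm01.example.local' -SamAccountName 'jdoe'
```

No output means no role member resolves to the account through domain groups; role members that are well-known or machine-local principals (for example `NT AUTHORITY\Authenticated Users` or `BUILTIN\Users`) are not expanded here and have to be reviewed by hand.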
amendala

ASKER

Good morning -

I actually answer the questions in both comments above in my original post but I'll answer again here.

There are *NO* additional individual members or groups in my Administrator role in SCVMM above and beyond the defaults.  The only members are as follows (with specific naming redacted for security):

DOMAIN\Domain Admins
NT AUTHORITY\SYSTEM
DOMAIN\SCVMMSERVICES
DOMAIN\SCVMMACTION
DOMAIN\VMMSERVER$

And no, Domain Admins does not contain Domain Users, it contains only a small list of individual user accounts and no other groups.

This is what is so confusing to me.  VMM seems to be granting all Domain Users privileges when none above and beyond the action and service accounts, and domain admins, are explicitly configured.

Thank you.
ASKER CERTIFIED SOLUTION
amendala

VB ITS

Sorry amendala, completely missed that bit in your original post. If what you said above is true then that is deeply concerning. I'm going to try and install SCVMM 2012 R2 on my machine and run it under my user account (as I use a separate account for admin tasks) and see if what you say is true.
amendala

ASKER

By all means, I'd love to hear your results, let me know... I'll keep the question open.  If it restricts you, then I'm going to open a case with Premier Support to see if Microsoft has any good answers as to the behavior I'm seeing.

Thanks!
VB ITS

Sorry amendala, haven't had time to install SCVMM 2012 R2 on my machine as of yet. I'll let you know how I go once I get a chance regardless.
amendala

ASKER

I have found no alternatives either here or anywhere else, including Microsoft, regarding this behavior.  The solution I devised is apparently the manner in which to configure SCVMM if you want the console locked down - at least in 2012 R2.