Solved

Why can all Domain Users seemingly launch the VMM 2012 R2 console and modify my VMs?

Posted on 2014-12-14
Last Modified: 2014-12-26
Greetings -

Folks, I've run into something that is very concerning to me in my new VMM 2012 R2 environment.  I've found that seemingly any domain user in my domain can launch the VMM 2012 R2 console (if installed on their machine of course), and they can not only connect to the VMM server but also modify properties of my VMs, start/stop them, etc.  They can't connect to the console session but at any rate, this is highly concerning from an RBAC perspective.

The only built-in RBAC group in VMM that I can see is "Administrators".  The membership of this group contains all the defaults (i.e. the VMM server computer account, service account, default action account, Domain Admins, etc.)  It does *not* however contain any groups that would include Domain Users or any broad global/universal groups.

So why anyone can launch the console and play with my VMs, I have no idea.  Where else should I be looking for access rights?  Aside from my server administrators, I don't want anyone to be able to launch the console and connect, let alone make any setting changes or even see any VMs for that matter.

Ideas?  What am I missing about VMM 2012 R2 versus the old VMM 2008 R2 world where this was seemingly simpler or at least more secure/functional?

Thanks in advance.

Edit - Additional Information:

My VMM environment is extremely simple at this point as it is in the early stages of configuration.  Only a few hosts, about 20 VMs, a single private cloud, single domain, nothing extravagant.  It is VMM 2012 R2 (Update Rollup 4) running on a fully patched Server 2012 R2 box.
Question by:amendala
8 Comments

Expert Comment

by:David Johnson, CD, MVP
ID: 40499478
In SCVMM what group of users are administrators (as far as SCVMM is concerned)

Expert Comment

by:VB ITS
ID: 40500320
In VMM, click on Settings in the bottom left corner > expand Security > click User Roles > under User Roles in the right pane > click the Administrator user role > verify the members in this role in the bottom pane and remove members if necessary. If you have other custom roles then check the members for these roles also.

Author Comment

by:amendala
ID: 40500953
Good morning -

I actually answered the questions in both comments above in my original post, but I'll answer again here.

There are *NO* additional individual members or groups in my Administrator role in SCVMM above and beyond the defaults.  The only members are as follows (with specific naming redacted for security):

DOMAIN\Domain Admins
NT AUTHORITY\SYSTEM
DOMAIN\SCVMMSERVICES
DOMAIN\SCVMMACTION
DOMAIN\VMMSERVER$

And no, Domain Admins does not contain Domain Users, it contains only a small list of individual user accounts and no other groups.

This is what is so confusing to me.  VMM seems to be granting all Domain Users privileges when none above and beyond the action and service accounts, and domain admins, are explicitly configured.

Thank you.

Accepted Solution

by:amendala
ID: 40501407
I decided to create a role with "Read-Only" permissions that has access to no clouds or host groups and I added "Domain Users" as a member.

I've found that this restricts any users who are not explicitly part of a higher-permission RBAC group from making any changes or viewing anything.

This partially satisfies my goal but is so backwards that I feel as if something is wrong.

Firstly - it completely obliterates the concept of Least Possible Privilege by assuming everyone has all access until restricted.

Second - it violates the long-standing tenet in the Windows world that "Deny" permissions supersede "Allow" permissions.

Functionally, this solution does work.  If as a Domain Admin I open the console, because I'm part of a higher RBAC group, even though Domain Users (of which every Domain Admin is obviously a member) is in a read-only group, I am granted the permissions of the higher RBAC group.

The only thing this doesn't satisfy is why users are allowed to even connect to the VMM server AT ALL without being granted permissions.  As far as I'm concerned, unless explicitly granted permissions to an RBAC group in VMM, the console shouldn't even accept your connection or get past the splash screen.

Perhaps more on this later if I learn more but at this point, I think I've found my own solution.
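The role-membership check VB ITS describes and the read-only catch-all role from the accepted solution, written as a PowerShell script against the VMM cmdlets. This is an added example, not code from the thread; it assumes the VMM console's PowerShell module is installed, and `DOMAIN` and `VMMSERVER.domain.example` are placeholders for your own domain and VMM server.

```powershell
# Added example (not from the thread). Step 1 audits every VMM user role and
# its members; step 2 applies the workaround from the accepted solution: a
# Read-Only Administrator role with no clouds or host groups in scope, with
# Domain Users as its member, so users not in a higher role see nothing.
Import-Module virtualmachinemanager

# Placeholder server name; replace with the real VMM management server.
$vmmServer = Get-SCVMMServer -ComputerName "VMMSERVER.domain.example"

# 1. Audit: print each role's profile and members so that a broad group
#    (Domain Users, Authenticated Users) in a privileged role stands out.
foreach ($role in Get-SCUserRole -VMMServer $vmmServer) {
    Write-Host ("Role: {0}  Profile: {1}" -f $role.Name, $role.UserRoleProfile)
    foreach ($member in $role.Members) {
        Write-Host "    $member"
    }
}

# 2. Catch-all role: ReadOnlyAdmin profile, created only if it does not exist.
$roleName = "Domain Users - Read Only (no scope)"
$readOnly = Get-SCUserRole -VMMServer $vmmServer -Name $roleName
if (-not $readOnly) {
    $readOnly = New-SCUserRole -VMMServer $vmmServer -Name $roleName `
        -UserRoleProfile ReadOnlyAdmin `
        -Description "Catch-all: no clouds or host groups; members see nothing"
}

# Add Domain Users (placeholder domain). Deliberately no -AddScope call:
# an empty scope is what keeps members from viewing or changing any VM.
Set-SCUserRole -UserRole $readOnly -AddMember @("DOMAIN\Domain Users") | Out-Null

# 3. Verify the result: exactly one member, and re-list it for the record.
$check = Get-SCUserRole -VMMServer $vmmServer -Name $roleName
Write-Host ("{0} members: {1}" -f $check.Name, ($check.Members -join ", "))
```

As the poster notes, this hides VMs and blocks changes for anyone outside a higher role, but it does not stop the console from connecting; re-run the audit loop after any role change to confirm no broad group has been added to Administrator or a custom role.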

Expert Comment

by:VB ITS
ID: 40501798
Sorry amendala, completely missed that bit in your original post. If what you said above is true then that is deeply concerning. I'm going to try and install SCVMM 2012 R2 on my machine and run it under my user account (as I use a separate account for admin tasks) and see if what you say is true.

Author Comment

by:amendala
ID: 40501870
By all means, I'd love to hear your results, let me know... I'll keep the question open.  If it restricts you, then I'm going to open a case with Premier Support to see if Microsoft has any good answers as to the behavior I'm seeing.

Thanks!

Expert Comment

by:VB ITS
ID: 40512424
Sorry amendala, haven't had time to install SCVMM 2012 R2 on my machine as of yet. I'll let you know how I go once I get a chance regardless.

Author Closing Comment

by:amendala
ID: 40518238
I have found no alternatives either here or anywhere else, including Microsoft, regarding this behavior.  The solution I devised is apparently the manner in which to configure SCVMM if you want the console locked down - at least in 2012 R2.
