Securing vSphere Datastores/Vmdks from Remote access

Hi there Experts,

I have recently joined vmware’s platform but my main concern now is the security of the VMs from a Remote Users Group.

From permissions perspective I have blocked the browse datastore, Low level file operations and I have also confirmed that take snapshot option and export to ovf file are disabled for the group of remote users.

Q1) Do I miss any other permission that I should block?

Q2) If a remote user uses his credentials to access the datastores via 3rd party software such
as WinSCP, will be able to eventually browse and copy the datastores??

Q3) Is there any auditing/logging while performing operations to the datastores/vmdks?
(such as for example download operations or export operations)

Q4) Assuming that someone has eventually downloaded the vmdks and
since a windows admin password does not actually protect the access to the files,
is there any native/built-in encryption to the vmdk files?

Thanks,
mamelasAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Robin CMSenior Security and Infrastructure EngineerCommented:
1) The principle of "least privilege" dictates that you only grant what these people need. Not just block stuff that you think they don't need.

2) SCP uses SSH, so you need to have permission to log on via SSH and that user needs to have access to the datastores. You also need to have SSH enabled on the host(s), which is not recommended for extended periods.

3) ESXi logs various thing to several files. You'll need to check different logs depending on what type of activity you're looking for. vCenter has its own logs. ESXi logs: https://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-832A2618-6B11-4A28-9672-93296DA931D0.html
vCenter logs can be exported via "Administration" - "Export System Logs" and ensureing the box "Include information from vCenter Server and vSphere Client" is ticked.

4) No, use bitlocker or something within the guest OS.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mamelasAuthor Commented:
Thank you so much for your accurate and in detail answers!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VMware

From novice to tech pro — start learning today.