Information security and access covers the design decisions on authentication and access control for ESXi hosts in VMware Cloud Foundation.

By default, you can log in to an ESXi host only by using the root account. Direct access to an ESXi host is available and is most commonly used for troubleshooting. You can access an ESXi host by using one of the following methods.

Direct Console User Interface (DCUI)
  Description: A text-based interface on the ESXi host console. Provides basic administrative controls and troubleshooting options, including turning the ESXi Shell and SSH on or off.

ESXi Shell
  Description: A local Linux-style shell, opened by pressing Alt+F1 on the ESXi host console. The ESXi Shell is disabled by default and must be enabled from the DCUI or the vSphere Client before it can be used.

Secure Shell (SSH)
  Description: Remote command-line access to the ESXi Shell over SSH. SSH is disabled by default and should be enabled only for the duration of a troubleshooting task.

Host Client
  Description: An HTML5-based client for managing ESXi hosts individually. Use the Host Client for emergency management when vCenter Server is temporarily unavailable.

vSphere Client
  Description: An HTML5-based client included with vCenter Server. The vSphere Client is the primary interface for connecting to and managing vCenter Server instances.

Active Directory Integration for ESXi Hosts

Generally, it is not required to join ESXi hosts in a VMware Cloud Foundation system to Active Directory. SDDC Manager manages the commissioning, configuration, and life cycle of the ESXi hosts. If direct access to an ESXi host is required, the Cloud Administrator can retrieve the root or SERVICE account credentials from SDDC Manager to troubleshoot the host. However, in some circumstances you must add Active Directory as the identity provider by joining each ESXi host to an Active Directory domain.

VMware Cloud Foundation supports NFS version 4.1 as supplemental storage. With NFS version 4.1, ESXi supports the RPCSEC_GSS Kerberos authentication service, which lets the built-in NFS 4.1 client of ESXi prove its identity to an NFS server before mounting a share. Kerberos uses cryptography so that this authentication works across an insecure network connection. To use Kerberos authentication, each ESXi host that mounts an NFS 4.1 datastore must join the required Active Directory domain, and the NFS Kerberos credentials must be set on each host. Because Kerberos tickets are time-bound, the ESXi hosts, the NFS server, and the domain controllers must synchronize to a common time source. ESXi supports only the AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96 Kerberos encryption types for NFS; DES is not supported.

The ESXi implementation of Kerberos for NFS 4.1 provides two security models, krb5 and krb5i, that offer different levels of protection.

  • Kerberos for authentication only (krb5) verifies the identity of the client and the server.

  • Kerberos for authentication and data integrity (krb5i) adds integrity checksums to the NFS traffic so that tampering in transit is detected.

Neither model encrypts the NFS payload, so the confidentiality of the data on the wire depends on the storage network design, for example an isolated storage VLAN. Use krb5i unless the NFS server cannot support it.

When you use Kerberos authentication, the following considerations apply:

  • You must add Active Directory as the authentication system by joining each ESXi host to an Active Directory domain.

  • You must specify the Active Directory credentials to provide access to NFS version 4.1 Kerberos datastores. A single set of credentials is used to access all Kerberos datastores mounted on an ESXi host.

  • You must use the same Active Directory credentials for all ESXi hosts that access the shared datastore.

  • You cannot use two security mechanisms, AUTH_SYS and Kerberos, for the same NFS version 4.1 datastore shared by multiple hosts.

When an ESXi host is joined to an Active Directory domain to support NFS version 4.1 with Kerberos authentication, you must also define which Active Directory security group receives administrative access to the host. By default, members of a domain group named ESX Admins (advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup) are granted the Administrator role on every joined host. Change this setting to a dedicated, non-default security group so that only designated group members have administrative access, and so that creating or renaming a group called ESX Admins in the domain cannot grant host administrator rights (the authentication bypass tracked as CVE-2024-37085 abused this default).

Table 1. Design Considerations on the Integration of ESXi Hosts with Active Directory

Design Consideration: If NFS version 4.1 with Kerberos authentication is used for supplemental storage, add Active Directory as the authentication service by joining each ESXi host to the Active Directory domain.
Justification: Ensures greater visibility for auditing by enforcing that users log in with user accounts in the Active Directory domain.
Implications:
  • Adding ESXi hosts to the domain adds administrative overhead, which can be automated.
  • You must manage the placement of the computer object for each ESXi host in the Active Directory domain.
  • You must maintain the access, life cycle, and availability for the associated Active Directory objects outside of the SDDC stack.

Design Consideration: If NFS version 4.1 with Kerberos authentication is used for supplemental storage, change the default esxAdminsGroup configuration (advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup) on each ESXi host to a custom Active Directory security group in the Active Directory domain.
Justification:
  • Changing the Active Directory security group removes the dependency on the default ESX Admins group name, which any domain group with that name would otherwise satisfy.
  • Using a designated security group name allows you to use the same group across management and workload domains, if required.
Implications:
  • The Active Directory security group must be created before the assignment is changed.
  • You must maintain the life cycle and availability of the Active Directory security group outside of the SDDC stack.
  • You must change the advanced settings on each ESXi host.

Design Consideration: If NFS version 4.1 with Kerberos authentication is used for supplemental storage, use an Active Directory user account with the minimum privileges to join an ESXi host to the Active Directory domain.
Justification: ESXi hosts are joined to the Active Directory domain by using an account that holds only the directory permissions the join requires: either membership in the Account Operators group or, preferably because it grants far less, a delegation of the Join a computer to the domain task on the target organizational unit.
Implications:
  • You must maintain the life cycle and availability of the service account in your directory services.
  • If the computer objects in Active Directory are not created in advance, you must ensure that the user account has permissions to create computer objects in the default or the target organizational unit.

Password Policies for ESXi Hosts

For an ESXi host, you can enforce password policies for local accounts that log in through the DCUI, the ESXi Shell, SSH, or the Host Client. You configure these policies by using the advanced system settings of each ESXi host. The policies apply only to local user accounts; Active Directory users are governed by the password policy of the domain.

Password Expiration Policy for ESXi Hosts

You manage the password expiration policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can modify the configuration settings on each ESXi host to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 2. Default Password Expiration Policy for ESXi Hosts

Security.PasswordMaxDays
  Default: 99999 (never)
  Description: Maximum number of days before a local account password expires. The default value effectively disables expiration.

Password Complexity Policy for ESXi Hosts

You manage the password complexity policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 3. Default Password Complexity Policy for ESXi Hosts

Security.PasswordQualityControl
  Default: retry=3 min=disabled,disabled,disabled,7,7
  Description: pam_passwdqc options. retry is the number of attempts a user gets to enter an acceptable new password. min lists, in order, the minimum length for passwords made of one character class, two classes, a passphrase, three classes, and four classes; disabled forbids that category. The four classes are lowercase letters, uppercase letters, digits, and other characters. An uppercase letter at the start of the password and a digit at its end do not count toward the class total. The default therefore accepts only passwords of seven or more characters drawn from at least three classes.

Security.PasswordHistory
  Default: 0
  Description: Number of previous passwords the system remembers and refuses to accept again. 0 disables the check.

For more detailed information, see the ESXi Passwords and Account Lockout documentation for VMware vSphere.
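Because the min= fields of Security.PasswordQualityControl are easy to misread, the following added example (not VMware code) evaluates candidate passwords against a policy string using the pam_passwdqc rules described above. It parses retry= and the five min= slots, counts character classes while ignoring a leading uppercase letter and a trailing digit, and reports why a candidate is rejected. Treating three or more space-separated words as a passphrase for the N2 slot is an assumption made here for illustration.

```python
"""Evaluate candidate passwords against an ESXi Security.PasswordQualityControl value.

Added example for this page, not VMware code. It models the documented
pam_passwdqc semantics that ESXi applies to local accounts:

  retry=N             number of attempts allowed to enter an acceptable password
  min=N0,N1,N2,N3,N4  minimum length for one class (N0), two classes (N1),
                      a passphrase (N2), three classes (N3), four classes (N4);
                      "disabled" rejects that category outright

Classes are lowercase, uppercase, digits and other characters. A leading
uppercase letter and a trailing digit do not count toward the class tally.
Treating three or more words as a passphrase (slot N2) is an assumption here.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_QUALITY_CONTROL = "retry=3 min=disabled,disabled,disabled,7,7"


@dataclass(frozen=True)
class QualityPolicy:
    retry: int
    minimums: Tuple[Optional[int], ...]  # N0..N4; None means "disabled"


def parse_quality_control(value: str) -> QualityPolicy:
    """Parse the space-separated key=value tokens of the advanced setting."""
    retry, minimums = 3, None
    for token in value.split():
        key, _, val = token.partition("=")
        if key == "retry":
            retry = int(val)
        elif key == "min":
            fields = val.split(",")
            if len(fields) != 5:
                raise ValueError("min= must carry exactly five fields")
            minimums = tuple(None if f == "disabled" else int(f) for f in fields)
    if minimums is None:
        raise ValueError("PasswordQualityControl has no min= field")
    return QualityPolicy(retry, minimums)


def character_classes(password: str) -> int:
    """Count classes, ignoring a leading uppercase letter and a trailing digit."""
    body = password
    if body[:1].isupper():
        body = body[1:]
    if body[-1:].isdigit():
        body = body[:-1]
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, body))


def check_password(policy: QualityPolicy, password: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password under the policy."""
    if len(password.split()) >= 3:            # passphrase slot N2 (assumption)
        slot, label = 2, "passphrase"
    else:
        classes = character_classes(password)
        slot = {1: 0, 2: 1, 3: 3, 4: 4}.get(classes, 0)
        label = f"{classes} character class(es)"
    minimum = policy.minimums[slot]           # length is measured on the full password
    if minimum is None:
        return False, f"{label}: this category is disabled by policy"
    if len(password) < minimum:
        return False, f"{label}: {len(password)} chars, policy requires {minimum}"
    return True, f"{label}: meets minimum length {minimum}"


if __name__ == "__main__":
    policy = parse_quality_control(DEFAULT_QUALITY_CONTROL)
    for candidate in ("Passw0rd", "Passw0rd!", "aB3#", "correct horse battery"):
        ok, why = check_password(policy, candidate)
        print(f"{'accept' if ok else 'reject':6} {candidate!r:24} {why}")
```

Note how "Passw0rd" is rejected under the default policy: once the leading uppercase letter is discounted it contains only two classes, and the two-class slot is disabled. Raising the last two min= values (for example to 15) is the usual way to satisfy a stricter organizational standard while keeping the one- and two-class slots disabled.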

Account Lockout Policy for ESXi Hosts

ESXi account lockout is supported for SSH and for the vSphere Web Services SDK (API). If a user repeatedly attempts to log in with incorrect local account credentials over SSH or the API, the account is locked after the configured number of consecutive failures. The DCUI and the ESXi Shell do not support account lockout, so an administrator who is locked out remotely can still reach the host at its console.

You manage the account lockout policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 4. Default Account Lockout Policy for ESXi Hosts

Security.AccountLockFailures
  Default: 5
  Description: Maximum number of consecutive authentication failures before the account is locked. 0 disables account locking.

Security.AccountUnlockTime
  Default: 900
  Description: Time in seconds that the account remains locked before it is unlocked automatically.

For more detailed information, see the ESXi Passwords and Account Lockout documentation for VMware vSphere.
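To make the interplay of Security.AccountLockFailures and Security.AccountUnlockTime concrete, the following added example (not VMware code) replays a sequence of login attempts through a lockout state machine and reports the decision for each one. The log lines are constructed for the example and only loosely resemble sshd/PAM entries; they were not captured from a host, and the account name svc-vcf-esx01 is illustrative. In line with the page, DCUI events are not counted toward lockout.

```python
"""Simulate ESXi local-account lockout over SSH and API authentication events.

Added example for this page, not VMware code. It applies the two settings from
Table 4, Security.AccountLockFailures (default 5) and Security.AccountUnlockTime
(default 900 seconds), to a sequence of login attempts so the moment an account
locks, and the moment it opens again, is visible. The log lines below are
constructed and only loosely resemble sshd/PAM entries; they were not captured
from a host, and the account name svc-vcf-esx01 is illustrative. Following the
page, DCUI events are excluded from the count.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

ACCOUNT_LOCK_FAILURES = 5   # Security.AccountLockFailures default
ACCOUNT_UNLOCK_TIME = 900   # Security.AccountUnlockTime default, in seconds

SAMPLE_AUTH_LOG = """\
2024-03-04T09:00:00Z sshd[2101]: Failed password for root from 192.0.2.10
2024-03-04T09:00:04Z sshd[2101]: Failed password for root from 192.0.2.10
2024-03-04T09:00:09Z sshd[2101]: Failed password for root from 192.0.2.10
2024-03-04T09:00:13Z sshd[2101]: Failed password for root from 192.0.2.10
2024-03-04T09:00:18Z sshd[2101]: Failed password for root from 192.0.2.10
2024-03-04T09:02:00Z sshd[2133]: Accepted password for root from 10.0.0.5
2024-03-04T09:03:00Z dcui: Accepted password for root from console
2024-03-04T09:10:00Z sshd[2150]: Failed password for svc-vcf-esx01 from 10.0.0.7
2024-03-04T09:10:05Z sshd[2150]: Accepted password for svc-vcf-esx01 from 10.0.0.7
2024-03-04T09:16:00Z sshd[2190]: Accepted password for root from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>sshd|hostd|dcui)(?:\[\d+\])?: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None


def simulate(log_text: str, lock_failures: int = ACCOUNT_LOCK_FAILURES,
             unlock_time: int = ACCOUNT_UNLOCK_TIME) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, decision) for every parsed authentication event."""
    states: Dict[str, AccountState] = {}
    decisions: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        user = m["user"]
        if m["svc"] == "dcui":
            decisions.append((m["ts"], user, "not subject to lockout (DCUI)"))
            continue
        st = states.setdefault(user, AccountState())
        # A lock expires once AccountUnlockTime has elapsed; the counter restarts.
        if st.locked_until is not None and ts >= st.locked_until:
            st.locked_until, st.failures = None, 0
        if st.locked_until is not None:
            # Even a correct password is refused while the lock is in force.
            decisions.append((m["ts"], user, f"denied, locked until {st.locked_until:%H:%M:%SZ}"))
            continue
        if m["result"] == "Accepted":
            st.failures = 0
            decisions.append((m["ts"], user, "allowed"))
            continue
        st.failures += 1
        if st.failures >= lock_failures:
            st.locked_until = ts + timedelta(seconds=unlock_time)
            decisions.append((m["ts"], user, f"failure {st.failures}, account locked for {unlock_time}s"))
        else:
            decisions.append((m["ts"], user, f"failure {st.failures} of {lock_failures}"))
    return decisions


def lockouts(decisions: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Extract (timestamp, user) for each decision that locked an account."""
    return [(ts, user) for ts, user, text in decisions if "account locked" in text]


if __name__ == "__main__":
    timeline = simulate(SAMPLE_AUTH_LOG)
    for ts, user, decision in timeline:
        print(f"{ts} {user:16} {decision}")
    print("lockouts:", lockouts(timeline))
```

The replay shows the operational trade-off behind IAM-ESXI-SEC-003: five bad guesses from an untrusted address lock root out of SSH for 15 minutes, and the legitimate login at 09:02 is refused even though the password is correct. Because the DCUI is exempt, console access remains the recovery path, and the same pattern in a host's authentication log is worth alerting on as a possible brute-force or denial-of-service attempt.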

Design Decisions on Password Policies for ESXi Hosts

Table 5. Design Decisions on Password Policies for ESXi Hosts

Decision ID: IAM-ESXI-SEC-001
Design Decision: Configure the password expiration policy for each ESXi host.
Design Justification:
  • You configure the password expiration for ESXi hosts to align with the requirements of your organization, which might be based on industry compliance standards.
  • The password expiration policy applies to the following default accounts on a commissioned ESXi host:
    • root account
    • SERVICE account
  • The policy applies only to local ESXi host users.
Design Implication: You must manage the local user password expiration policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.

Decision ID: IAM-ESXI-SEC-002
Design Decision: Configure the password complexity policy for each ESXi host.
Design Justification:
  • You configure the password complexity policy for ESXi hosts to align with the requirements of your organization, which might be based on industry compliance standards.
  • The password complexity policy applies only to local ESXi host users.
Design Implication: You must manage the local user password complexity policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.

Decision ID: IAM-ESXI-SEC-003
Design Decision: Configure the account lockout policy for each ESXi host.
Design Justification:
  • You configure the account lockout policy for ESXi hosts to align with the requirements of your organization, which might be based on industry compliance standards.
  • The policy applies only to local ESXi host users.
Design Implication: You must manage the local user account lockout policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.
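Because decisions IAM-ESXI-SEC-001 to IAM-ESXI-SEC-003, and the esxAdminsGroup consideration in Table 1, all come down to advanced settings that must be verified host by host, the following added example (not VMware or VMware Cloud Foundation code) audits a host's settings against a baseline. The input is text in the shape printed by "esxcli system settings advanced list", with indented Key: value lines and one blank-line-separated block per option; the sample here is constructed with the ESXi defaults, not captured from a host. The thresholds in DESIGN_BASELINE are assumed organizational values chosen for the example, not VMware recommendations.

```python
"""Audit ESXi advanced settings against this page's identity and access decisions.

Added example for this page, not VMware or VMware Cloud Foundation code. It checks
the esxAdminsGroup consideration from Table 1 and decisions IAM-ESXI-SEC-001 to
IAM-ESXI-SEC-003 from Table 5 against settings parsed from text shaped like the
output of "esxcli system settings advanced list". The sample is constructed with
ESXi default values, and DESIGN_BASELINE holds assumed organizational thresholds.
"""
import re
from typing import Dict, List, Union

DESIGN_BASELINE = {
    "max_password_days": 90,       # IAM-ESXI-SEC-001: local passwords must expire
    "min_password_length": 15,     # IAM-ESXI-SEC-002: floor for every enabled min= slot
    "min_password_history": 5,     # IAM-ESXI-SEC-002: remembered passwords
    "max_lock_failures": 5,        # IAM-ESXI-SEC-003: 0 would disable lockout entirely
    "min_unlock_seconds": 900,     # IAM-ESXI-SEC-003
    "default_admins_group": "ESX Admins",  # Table 1: default that must be replaced
}

# Constructed sample in esxcli list layout; values are the ESXi defaults.
SAMPLE_ESXCLI_OUTPUT = """\
   Path: /Security/PasswordMaxDays
   Type: integer
   Int Value: 99999

   Path: /Security/PasswordQualityControl
   Type: string
   String Value: retry=3 min=disabled,disabled,disabled,7,7

   Path: /Security/PasswordHistory
   Type: integer
   Int Value: 0

   Path: /Security/AccountLockFailures
   Type: integer
   Int Value: 5

   Path: /Security/AccountUnlockTime
   Type: integer
   Int Value: 900

   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   Type: string
   String Value: ESX Admins
"""


def parse_esxcli_advanced(text: str) -> Dict[str, Union[int, str]]:
    """Map each option path to its effective value (int or str, by Type)."""
    settings: Dict[str, Union[int, str]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, val = line.strip().partition(":")
            if sep:
                fields[key.strip()] = val.strip()
        path = fields.get("Path")
        if not path:
            continue
        if fields.get("Type") == "integer":
            settings[path] = int(fields.get("Int Value", "0"))
        else:
            settings[path] = fields.get("String Value", "")
    return settings


def enabled_minimums(quality_control: str) -> List[int]:
    """Return the numeric (non-disabled) min= slots of a PasswordQualityControl string."""
    match = re.search(r"min=(\S+)", quality_control)
    if not match:
        return []
    return [int(f) for f in match.group(1).split(",") if f != "disabled"]


def audit(settings: Dict[str, Union[int, str]], baseline=DESIGN_BASELINE) -> List[str]:
    """Return one finding per setting that misses the baseline; empty if compliant."""
    findings: List[str] = []
    days = int(settings.get("/Security/PasswordMaxDays", 99999))
    if days > baseline["max_password_days"]:
        findings.append(f"IAM-ESXI-SEC-001: PasswordMaxDays={days} exceeds {baseline['max_password_days']}")
    mins = enabled_minimums(str(settings.get("/Security/PasswordQualityControl", "")))
    weak = [m for m in mins if m < baseline["min_password_length"]]
    if not mins or weak:
        findings.append(f"IAM-ESXI-SEC-002: PasswordQualityControl permits lengths {weak} below {baseline['min_password_length']}")
    history = int(settings.get("/Security/PasswordHistory", 0))
    if history < baseline["min_password_history"]:
        findings.append(f"IAM-ESXI-SEC-002: PasswordHistory={history} below {baseline['min_password_history']}")
    failures = int(settings.get("/Security/AccountLockFailures", 0))
    if failures == 0 or failures > baseline["max_lock_failures"]:
        findings.append(f"IAM-ESXI-SEC-003: AccountLockFailures={failures} (0 disables lockout; max {baseline['max_lock_failures']})")
    unlock = int(settings.get("/Security/AccountUnlockTime", 0))
    if unlock < baseline["min_unlock_seconds"]:
        findings.append(f"IAM-ESXI-SEC-003: AccountUnlockTime={unlock}s below {baseline['min_unlock_seconds']}s")
    group = str(settings.get("/Config/HostAgent/plugins/hostsvc/esxAdminsGroup", ""))
    if group == baseline["default_admins_group"]:
        findings.append("Table 1: esxAdminsGroup is still the default 'ESX Admins'; set a dedicated AD security group")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_esxcli_advanced(SAMPLE_ESXCLI_OUTPUT)):
        print(finding)
```

Run against the defaults, the audit reports four findings (expiration disabled, seven-character minimums, no password history, default admins group) and none for lockout, which matches the page's observation that only the lockout defaults are already reasonable. Capture the esxcli output from each host and feed it to the parser to check every host of a domain the same way.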

ESXi Host Password Management

SDDC Manager provides life cycle management for the local accounts used by each ESXi host. Changing the passwords periodically, or when certain events occur, such as an administrator leaving your organization, improves the security posture and health of the system. SDDC Manager can rotate, update, and remediate most of these component passwords. A rotation generates a randomized password, an update lets you provide the password yourself, and a remediation resynchronizes SDDC Manager with a password that was changed directly on the component.

For more information, see the Password Management documentation for VMware Cloud Foundation.

You can activate or deactivate normal lockdown mode on an ESXi host to increase the security of the host. In normal lockdown mode, the host can be managed only through vCenter Server; the DCUI remains available, and accounts on the Exception Users list keep their direct access (for example, over SSH) so that the host can still be reached when vCenter Server is unavailable. You activate or deactivate normal lockdown mode through the vSphere Client. SDDC Manager creates service accounts that can be used to access the ESXi hosts over SSH and adds them to the Exception Users list during the bring-up process or host commissioning workflow. You can rotate the passwords for the service accounts by using the password management functionality in SDDC Manager.

For more information, see the Host Management documentation for VMware Cloud Foundation.

Table 6. Design Decisions on Password Management for ESXi Hosts

Decision ID: IAM-ESXI-SEC-004
Design Decision: Change the root user password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager.
Design Justification:
  • The password for the root user of an ESXi host does not expire under the default password expiration policy.
  • SDDC Manager manages each ESXi host in the system. The ESXi root user password must be known to and managed by SDDC Manager.
Design Implication:
  • You must manage the password update or password rotation for the root account by using SDDC Manager.
  • An automated password rotation schedule cannot be activated for ESXi hosts in SDDC Manager.

Decision ID: IAM-ESXI-SEC-005
Design Decision: Rotate the SERVICE account password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager.
Design Justification:
  • SDDC Manager creates a SERVICE account on each ESXi host to provide access to the host over SSH as an exception user in normal lockdown mode.
  • The password for the SERVICE account of an ESXi host does not expire under the default password expiration policy.
  • SDDC Manager manages each ESXi host in the system. The SERVICE account password must be known to and managed by SDDC Manager.
Design Implication:
  • You must manage the password rotation for the SERVICE account by using SDDC Manager.
  • An automated password rotation schedule cannot be activated for ESXi hosts in SDDC Manager.