Information security and access details the design decisions covering authentication and access controls for ESXi in VMware Cloud Foundation.
By default, you can log in to an ESXi host using only the root account. Direct access to an ESXi host is available and most commonly used for troubleshooting purposes. You can access an ESXi host using one of the following methods.
| Access Method | Description |
|---|---|
| Direct Console User Interface (DCUI) | A text-based interface on the ESXi host console. Provides basic administrative controls and troubleshooting options. |
| ESXi Shell | A local Linux-style shell accessed by using Alt+F1 on the ESXi host console. |
| Secure Shell (SSH) | Remote command-line access to the ESXi Shell using SSH. |
| Host Client | An HTML5-based client for managing ESXi hosts individually. You use the Host Client for emergency management when vCenter Server is temporarily unavailable. |
| vSphere Client | An HTML5-based client included with vCenter Server. The vSphere Client is the primary interface for connecting to and managing vCenter Server instances. |
Active Directory Integration for ESXi Hosts
Generally, it is not required to join ESXi hosts in a VMware Cloud Foundation system to Active Directory. SDDC Manager manages the commissioning, configuration, and life cycle of the ESXi hosts. In the event that direct access to an ESXi host is required, the Cloud Administrator can obtain the root or SERVICE account credentials to troubleshoot any issues with the ESXi host. However, there are circumstances when you must add Active Directory as the identity provider by joining each ESXi host to an Active Directory domain.
VMware Cloud Foundation supports the use of NFS version 4.1 as supplemental storage. With NFS version 4.1, ESXi supports the RPCSEC_GSS Kerberos authentication service. It allows the built-in NFS 4.1 client of ESXi to prove its identity to an NFS server before mounting an NFS share. Kerberos security uses cryptography to work across an insecure network connection. To use Kerberos authentication, each ESXi host that mounts an NFS 4.1 datastore must join the required Active Directory domain, and the NFS Kerberos credentials must be set on each host.
The ESXi implementation of Kerberos for NFS 4.1 provides two security models, krb5 and krb5i, that offer different levels of security.
- Kerberos for authentication only (krb5) supports identity verification.
- Kerberos for authentication and data integrity (krb5i), in addition to identity verification, provides data integrity services.
When you use Kerberos authentication, the following considerations apply:
- You must add Active Directory as the authentication system by joining each ESXi host to an Active Directory domain.
- You must specify the Active Directory credentials to provide access to NFS version 4.1 Kerberos datastores. A single set of credentials is used to access all Kerberos datastores mounted on an ESXi host.
- You must use the same Active Directory credentials for all ESXi hosts that access the shared datastore.
- You cannot use two security mechanisms, AUTH_SYS and Kerberos, for the same NFS version 4.1 datastore shared by multiple hosts.
When an ESXi host is added to an Active Directory domain to support NFS version 4.1 with Kerberos authentication, you must configure administrative access by defining a non-default Active Directory security group for privileged access to the ESXi host. This ensures that only members of the designated Active Directory security group have administrative access to the ESXi host.
| Design Consideration | Justification | Implications |
|---|---|---|
| If NFS version 4.1 with Kerberos authentication is used for supplemental storage, add Active Directory as the authentication service by joining each ESXi host to the Active Directory domain. | Ensures greater visibility for auditing by enforcing that users log in with user accounts in the Active Directory domain. | |
| If NFS version 4.1 with Kerberos authentication is used for supplemental storage, change the default esxAdminsGroup configuration on each ESXi host to use a custom Active Directory security group in the Active Directory domain. | | |
| If NFS version 4.1 with Kerberos authentication is used for supplemental storage, use an Active Directory user account with the minimum privileges to join an ESXi host to the Active Directory domain. | ESXi hosts are joined to the Active Directory domain using an account with the minimum set of required directory permissions. | |
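The following PowerCLI script is an added example, not code from the VMware design guide: it applies the three design considerations above to every host in a cluster (domain join with a least-privilege join account, a custom esxAdminsGroup, and a Kerberos-secured NFS 4.1 mount). The cluster, domain, group, NFS server and export names are placeholders.

```powershell
# Added example (not from the VMware design guide): applies the Active Directory design
# considerations above to every ESXi host of a cluster with PowerCLI.
# Cluster, domain, group, NFS server and export names below are placeholders.
$Cluster       = 'sfo-m01-cl01'            # placeholder cluster name
$Domain        = 'rainpole.io'             # placeholder AD domain
$AdminGroup    = 'ug-esxi-admins'          # custom AD group replacing the default "ESX Admins"
$NfsServer     = 'nfs-a.rainpole.io'       # placeholder NFS 4.1 server
$NfsExport     = '/exports/vcf-supplemental'
$DatastoreName = 'sfo-m01-ds-nfs01'

# Consideration 3: an AD account whose only right is joining computers to the domain.
$JoinCred = Get-Credential -Message 'AD account with computer-join rights only'

foreach ($vmhost in Get-Cluster -Name $Cluster | Get-VMHost) {
    # Consideration 1: join the host to the domain so logins use AD accounts (auditable).
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    if ($auth.DomainMembershipStatus -ne 'Ok' -or $auth.Domain -ne $Domain) {
        $auth | Set-VMHostAuthentication -JoinDomain -Domain $Domain -Credential $JoinCred -Confirm:$false
    }

    # Consideration 2: only members of the designated custom AD group get host-admin access.
    Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' |
        Set-AdvancedSetting -Value $AdminGroup -Confirm:$false | Out-Null

    # Mount the supplemental NFS 4.1 datastore with Kerberos. The NFS Kerberos credentials
    # (the same AD user on every host) must already be set under Authentication Services.
    if (-not (Get-Datastore -VMHost $vmhost -Name $DatastoreName -ErrorAction SilentlyContinue)) {
        New-Datastore -VMHost $vmhost -Nfs -FileSystemVersion '4.1' -Kerberos `
            -NfsHost $NfsServer -Path $NfsExport -Name $DatastoreName | Out-Null
    }
}
```

`-Kerberos` selects Kerberos security for the mount; to choose krb5i (authentication plus data integrity) explicitly, mount from the host with `esxcli storage nfs41 add -a SEC_KRB5I` instead.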
Password Policies for ESXi Hosts
For an ESXi host, you can enforce password policies for access to the DCUI, the ESXi Shell, SSH, or the Host Client. You can configure these password policies by using the advanced system settings for each ESXi host. The password policies apply only to local user accounts.
Password Expiration Policy for ESXi Hosts
You manage the password expiration policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can modify the configuration settings on each ESXi host to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.
| Setting | Default | Description |
|---|---|---|
| | 99999 (never) | Maximum number of days before password expiration |
Password Complexity Policy for ESXi Hosts
You manage the password complexity policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.
| Setting | Default | Description |
|---|---|---|
| | retry=3 min=disabled,disabled,disabled,7,7 | |
| | 0 | Maximum number of passwords that the system remembers |
For more detailed information, see the ESXi Passwords and Account Lockout documentation for VMware vSphere.
Account Lockout Policy for ESXi Hosts
ESXi account lockout is supported for SSH and API access. If a user exceeds the permitted number of failed login attempts with local account credentials over SSH or the API, the account is locked. The DCUI and the ESXi Shell do not support account lockout.
You manage the account lockout policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.
| Setting | Default | Description |
|---|---|---|
| | 5 | Maximum number of authentication failures before the account is locked |
| | 900 | Amount of time in seconds that the account remains locked |
For more detailed information, see the ESXi Passwords and Account Lockout documentation for VMware vSphere.
Design Decisions on Password Policies for ESXi Hosts
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IAM-ESXI-SEC-001 | Configure the password expiration policy for each ESXi host. | | You must manage the local user password expiration policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client. |
| IAM-ESXI-SEC-002 | Configure the password complexity policy for each ESXi host. | | You must manage the local user password complexity policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client. |
| IAM-ESXI-SEC-003 | Configure the account lockout policy for each ESXi host. | | You must manage the local user account lockout policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client. |
ESXi Host Password Management
SDDC Manager provides the ability to perform life cycle management for the local accounts used by each ESXi host. Changing the passwords periodically, or when certain events occur such as an administrator leaving your organization, increases the security posture and health of the system. SDDC Manager provides the ability to rotate, update, and remediate most of these component passwords. Unlike password rotation, which generates a randomized password, an update allows you to provide the desired password for the selected account.
For more information, see the Password Management documentation for VMware Cloud Foundation.
You can activate or deactivate normal lockdown mode on an ESXi host to increase the security of the host. To activate or deactivate normal lockdown mode, you must perform the operation through the vSphere Client. SDDC Manager creates service accounts that can be used to access the ESXi hosts over SSH. The service accounts are added to the Exception Users list during the bring-up process or the host commissioning workflow. You can rotate the passwords for the service accounts by using the password management functionality in SDDC Manager.
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IAM-ESXI-SEC-004 | Change the root user password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager. | | |
| IAM-ESXI-SEC-005 | Rotate the SERVICE account password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager. | | |
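The PowerCLI audit below is an added example, not VMware's own code: it checks every host against the local-account controls that decisions IAM-ESXI-SEC-001 to -003 require (the password expiration, complexity, history and lockout tables above), reports the host's lockdown mode, and lists the Exception Users that SDDC Manager populates with its SSH service accounts. The `Security.*` names are the ESXi advanced settings behind those tables; the target values are placeholders for your own policy, not values from the design guide.

```powershell
# Added example (not VMware's code): PowerCLI audit of the local-account controls required
# by decisions IAM-ESXI-SEC-001 to -003, plus lockdown mode and its Exception Users list.
# Setting names are ESXi advanced settings; target values are placeholders for your policy.
$Targets = [ordered]@{
    'Security.PasswordMaxDays'        = 90     # SEC-001: expiration (page default 99999 = never)
    'Security.PasswordQualityControl' = 'similar=deny retry=3 min=disabled,disabled,disabled,disabled,15'
    'Security.PasswordHistory'        = 5      # SEC-002: complexity and history (page default 0)
    'Security.AccountLockFailures'    = 5      # SEC-003: lockout, SSH and API only (page default 5)
    'Security.AccountUnlockTime'      = 900    # SEC-003: seconds the account stays locked (page default 900)
}

function Get-EsxiAccessAudit {
    param([Parameter(Mandatory)] $VMHost,
          [System.Collections.IDictionary] $Expected = $Targets)

    # One row per policy setting; values are compared as strings.
    $settings = Get-AdvancedSetting -Entity $VMHost -Name 'Security.*'
    foreach ($name in $Expected.Keys) {
        $actual = ($settings | Where-Object { $_.Name -eq $name }).Value
        [pscustomobject]@{
            Host = $VMHost.Name; Check = $name; Expected = "$($Expected[$name])"
            Actual = "$actual"; Compliant = ("$actual" -eq "$($Expected[$name])")
        }
    }

    # Lockdown mode and the Exception Users list (SDDC Manager adds its SSH service
    # accounts here during bring-up or host commissioning).
    $view   = Get-View -Id $VMHost.Id -Property Name,Config.LockdownMode,ConfigManager.HostAccessManager
    $access = Get-View -Id $view.ConfigManager.HostAccessManager
    [pscustomobject]@{
        Host = $VMHost.Name; Check = 'LockdownMode'; Expected = 'lockdownNormal'
        Actual = "$($view.Config.LockdownMode)"; Compliant = ("$($view.Config.LockdownMode)" -eq 'lockdownNormal')
    }
    [pscustomobject]@{
        Host = $VMHost.Name; Check = 'ExceptionUsers'; Expected = 'known service accounts only'
        Actual = (@($access.QueryLockdownExceptions()) -join ', '); Compliant = $null  # manual review
    }
}

function Set-EsxiPasswordPolicy {
    # Remediates the advanced settings only; lockdown mode is changed in the vSphere Client.
    param([Parameter(Mandatory)] $VMHost,
          [System.Collections.IDictionary] $Expected = $Targets)
    foreach ($name in $Expected.Keys) {
        Get-AdvancedSetting -Entity $VMHost -Name $name |
            Set-AdvancedSetting -Value $Expected[$name] -Confirm:$false | Out-Null
    }
}

$report = Get-VMHost | ForEach-Object { Get-EsxiAccessAudit -VMHost $_ }
$report | Where-Object { $_.Compliant -eq $false } | Format-Table -AutoSize
```

Run `Set-EsxiPasswordPolicy -VMHost $h` only for hosts the report flags, then re-run the audit; the ExceptionUsers row is left for manual review because the list should contain nothing beyond the SDDC Manager service accounts.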