Information security and access design details the design decisions covering authentication and access controls for vCenter Server in VMware Cloud Foundation.

You can log in to a vCenter Server instance based on the configuration of vCenter Single Sign-On. vCenter Single Sign-On allows vSphere components to communicate with each other through a secure token mechanism.

vCenter Single Sign-On uses the following services.

  • Authentication of users through the vCenter Server built-in identity provider or external identity provider federation.

  • Authentication of solution users through certificates.

  • Security Token Service (STS).

  • SSL for secure traffic.

vCenter Server includes a built-in identity provider. By default, the vCenter Server built-in identity provider uses an embedded vsphere.local domain and supports local accounts. You can configure the vCenter Server built-in identity provider to use Microsoft Active Directory as its identity source using LDAP(S) or use OpenLDAP. These configurations allow you to log in to vCenter Server using Active Directory user accounts assigned to vCenter Server roles.

You can also configure vCenter Server to use an external identity provider. Using federated authentication, you replace vCenter Server as the identity provider with an external identity provider.

The configuration of an external identity provider is not in scope of this solution.

Active Directory Integration for vCenter Server

This solution provides design and implementation guidance on configuring the vCenter Server built-in identity provider to use Microsoft Active Directory over LDAP.

Table 1. Design Decisions on the Identity Provider for vCenter Server

Decision ID: IAM-VCS-SEC-001

Design Decision: Configure the vCenter Server instances to use Active Directory over LDAP with SSL (LDAPS) as the identity source.

Design Justification:

  • Provides the ability for vCenter Server to connect to an Active Directory using LDAP.

  • Ensures that LDAP traffic between a vCenter Server instance and the Active Directory is encrypted.

    Microsoft recommends a hardened configuration for LDAP channel binding and LDAP signing on Active Directory domain controllers. For more information, see Microsoft Security Advisory ADV190023.

Design Implication:

  • In a multi-domain forest, where the vCenter Server instance connects to a child domain, Active Directory security groups must have global scope. Therefore, members added to the Active Directory global security group and user accounts for solution integration must reside within the same Active Directory domain.

  • If multiple VMware Cloud Foundation instances are deployed to separate Active Directory domains (for example, child domains in a multi-domain forest), the instances cannot be in enhanced linked mode.

  • A certificate is required to establish trust for the Active Directory LDAPS endpoints. You must obtain a CA-signed certificate that can be used for server authentication.

  • You must remove and reconfigure the integration between the identity provider and vCenter Server when replacing the certificates used by Active Directory over LDAP with SSL.

Decision ID: IAM-VCS-SEC-002

Design Decision: Use an Active Directory user account with minimum read-only access to the Base DN for users and groups to serve as the service account for the Active Directory bind.

Design Justification: Provides the following access control features:

  • Each vCenter Server instance connects to the Active Directory domain with the minimum permissions to bind and query the directory.

  • Improves the visibility in tracking request-response interactions between the vCenter Server instances and Active Directory.

Design Implication: You must manage the password life cycle of this Active Directory user account.

vCenter Server provides precise control over authorization by using permissions and roles. Each object in the vCenter Server object hierarchy has associated permissions. When you assign permissions to an object in the vCenter Server object hierarchy, you specify the privileges and access for each user or group on that object.

You can assign privileges only to authenticated users or groups of authenticated users. Users are authenticated through vCenter Single Sign-On. Users and groups must be defined in the identity source that vCenter Single Sign-On uses. Define users and groups using the tools in your identity source, for example, Active Directory.

To specify the privileges for users or groups, you use roles, which are sets of privileges. Roles allow you to assign permissions on an object based on a typical set of tasks that users perform. Default roles, such as Administrator, are predefined in vCenter Server and cannot be changed. Other roles, such as Resource Pool Administrator, are predefined sample roles. vCenter Server offers predefined roles, which combine frequently used privilege sets. You can create custom roles either from scratch or by cloning and modifying sample roles.

vSphere supports several models for determining whether a user is allowed to perform a task. A user's role on an object, or the user's global permission, determines whether that user is allowed to perform tasks in vSphere.

For more information, see the vSphere Permissions and User Management Tasks documentation for VMware vSphere.
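The inheritance rules behind the permission model described above are easier to reason about with a small executable model. The following is an added example, not VMware code or the vCenter Server implementation: it encodes the rules from the vSphere permissions documentation as this editor understands them (a permission propagates to child objects only when marked as propagating, a permission set closer to the object overrides one inherited from an ancestor for the same principal, global permissions sit above the vCenter Server inventory root, and the privileges of all principals a user belongs to are combined). All object names, group names and role contents are constructed for the example.

```python
"""Simplified model of effective vCenter Server privileges on an inventory object.
Added example: the inheritance rules below are an assumption about the documented
vSphere behaviour, not the product's own resolver."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    principal: str        # user or Active Directory group name (constructed)
    role: str
    propagate: bool = True


# Constructed roles; "*" stands for every privilege (the Administrator role).
ROLES = {
    "Administrator": {"*"},
    "Read-Only": {"System.View", "System.Read"},
    "VM Power User": {"System.View", "System.Read",
                      "VirtualMachine.Interact.PowerOn",
                      "VirtualMachine.Interact.PowerOff"},
}

# Constructed inventory: child -> parent. GLOBAL_ROOT models the object that
# global permissions are assigned to, above the vCenter Server root.
GLOBAL_ROOT = "global-root"
PARENT = {
    "vcenter-root": GLOBAL_ROOT,
    "datacenter-01": "vcenter-root",
    "cluster-01": "datacenter-01",
    "vm-web-01": "cluster-01",
    "vm-db-01": "cluster-01",
}

# Constructed permission assignments, following decisions IAM-VCS-SEC-003 to -006:
# Active Directory groups get the Administrator / Read-Only roles as global permissions.
PERMISSIONS = {
    GLOBAL_ROOT: [Permission("grp-vcenter-admins", "Administrator"),
                  Permission("grp-vcenter-readonly", "Read-Only")],
    "cluster-01": [Permission("grp-app-operators", "VM Power User")],
    # A non-propagating, more specific permission on one VM overrides the cluster one.
    "vm-db-01": [Permission("grp-app-operators", "Read-Only", propagate=False)],
}


def path_to_root(obj):
    """Return [obj, parent, ..., GLOBAL_ROOT]."""
    chain = [obj]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def effective_privileges(user, groups, obj):
    """Union, over the user and each group, of the closest applicable permission."""
    privileges = set()
    for principal in {user, *groups}:
        for depth, node in enumerate(path_to_root(obj)):
            match = next((p for p in PERMISSIONS.get(node, [])
                          if p.principal == principal and (depth == 0 or p.propagate)), None)
            if match is not None:
                privileges |= ROLES[match.role]
                break  # nearest permission for this principal wins; stop walking up
    return privileges


def has_privilege(user, groups, obj, privilege):
    privs = effective_privileges(user, groups, obj)
    return "*" in privs or privilege in privs


if __name__ == "__main__":
    for who, grps, obj in [("alice", ["grp-vcenter-admins"], "vm-web-01"),
                           ("bob", ["grp-app-operators"], "vm-db-01"),
                           ("bob", ["grp-app-operators"], "datacenter-01")]:
        print(who, obj, sorted(effective_privileges(who, grps, obj)))
```

Running the module shows that `bob`, who only has a cluster-level role, can power on `vm-web-01` but not `vm-db-01`, where the more specific Read-Only permission overrides the inherited one, and has no visibility at the datacenter level at all.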

Table 2. Design Decisions on Identity and Access Management for vCenter Server

Decision ID: IAM-VCS-SEC-003

Design Decision: Assign the default Administrator role in vCenter Server to an Active Directory security group.

Design Justification: By assigning the Administrator role to an Active Directory security group, you can simplify and manage user access with administrative rights in vCenter Server based on your organization's personas.

Design Implication:

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

Decision ID: IAM-VCS-SEC-004

Design Decision: Assign vCenter Server global permissions for the Active Directory security groups assigned the Administrator role.

Design Justification: By assigning the global permissions to an Active Directory security group with the Administrator role, you can manage user access with administrative rights across all management and workload domain vCenter Server instances that participate in enhanced linked mode and use the same identity provider.

Design Implication: None.

Decision ID: IAM-VCS-SEC-005

Design Decision: Assign the default Read-Only role in vCenter Server to an Active Directory security group.

Design Justification: By assigning the Read-Only role to an Active Directory security group, you can simplify and manage user access with read-only rights in vCenter Server based on your organization's personas.

Design Implication:

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

Decision ID: IAM-VCS-SEC-006

Design Decision: Assign vCenter Server global permissions for the Active Directory security groups assigned the Read-Only role.

Design Justification: By assigning global permissions to an Active Directory security group with the Read-Only role, you can manage user access with read-only privileges across all management and workload domain vCenter Server instances that participate in enhanced linked mode and use the same identity provider.

Design Implication: None.

Decision ID: IAM-VCS-SEC-007

Design Decision: Add an Active Directory security group as a member of the vCenter Single Sign-On Administrators group.

Design Justification: By adding an Active Directory security group as a member of the Administrators group, you can manage user access with administrative rights to the vCenter Single Sign-On built-in identity provider based on your organization's personas.

Design Implication:

  • An Active Directory security group must be created before it is added to the group.

  • You must maintain the life cycle and availability of the security group in Active Directory.

Password Policies for vCenter Server

For a vCenter Server instance, you can enforce password policies for access to the virtual appliance by using the DCUI, SSH, or the vCenter Server Management Interface. The password policies apply only to local user accounts.

Password Expiration Policy for vCenter Server

You manage the password expiration policies on a per-instance basis. You can modify the configuration settings on each vCenter Server instance to refine the settings and adhere to the policies and regulatory standards of your organization. The default configurations are shown in the following table.

Table 3. Default Global Password Expiration Policy for vCenter Server

Setting         Default  Description
Maximum (days)  90       Maximum number of days between password changes
Minimum (days)  0        Minimum number of days between password changes
Warning         7        Number of days of warning before a password expires

Table 4. Default Local User Password Expiration Policy for vCenter Server

Setting                      Default  Description
Password Expires             Yes      The virtual appliance root password is set to expire
Password validity            90       Maximum number of days before password expiration
Email for expiration warning -        Email address for password expiration warnings
Warning (days)               7        Number of days of warning before a password expires

Password Complexity Policy for vCenter Server for Local Users

You manage the local user password complexity policy by using the /etc/pam.d/system-password file on a per-instance basis. You can modify the configuration settings on each vCenter Server instance to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 5. Default Local User Password Complexity Policy for vCenter Server

Setting   Default  Description
dcredit   -1       Maximum number of digits that generate a credit
ucredit   -1       Maximum number of uppercase characters that generate a credit
lcredit   -1       Maximum number of lowercase characters that generate a credit
ocredit   -1       Maximum number of other characters that generate a credit
minlen    6        Minimum password length (number of characters)
difok     4        Minimum number of characters that must be different from the old password
remember  5        Maximum number of passwords that the system remembers

Account Lockout Policy for vCenter Server for Local Users

You manage the local user account lockout policy by using the /etc/pam.d/system-auth file on a per-instance basis. You can modify the configuration settings on each vCenter Server instance to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 6. Default Account Lockout Policy for vCenter Server

Setting           Default  Description
deny              3        Maximum number of authentication failures before the account is locked
unlock_time       900      Amount of time in seconds that the account remains locked
root_unlock_time  300      Amount of time in seconds that the root account remains locked
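Because both the local-user complexity policy (/etc/pam.d/system-password) and the local-user lockout policy (/etc/pam.d/system-auth) are plain PAM option lists that you maintain per instance, a practitioner typically wants a quick way to confirm what each appliance actually enforces against the defaults in Tables 5 and 6. The following is an added example, not VMware code: it parses `option=value` pairs from PAM configuration text and reports every documented setting that differs from its default. The two file contents are constructed samples that follow the pam_cracklib, pam_pwhistory and pam_tally2 option syntax; the module names and line layout on a real appliance may differ, and the script makes no assumption beyond the `key=value` form. One point worth knowing when reading the credit values: pam_cracklib treats a negative credit such as `dcredit=-1` as a minimum count of that character class that a new password must contain.

```python
"""Audit vCenter Server appliance local-user PAM settings against the documented
defaults in Tables 5 and 6.  Added example, not VMware code."""
import re

# Table 5 defaults (/etc/pam.d/system-password)
COMPLEXITY_DEFAULTS = {
    "dcredit": -1, "ucredit": -1, "lcredit": -1, "ocredit": -1,
    "minlen": 6, "difok": 4, "remember": 5,
}
# Table 6 defaults (/etc/pam.d/system-auth)
LOCKOUT_DEFAULTS = {"deny": 3, "unlock_time": 900, "root_unlock_time": 300}

# Constructed sample: a system-password file where minlen was raised to 15.
# Negative credits in pam_cracklib mean "require at least N of this class".
SAMPLE_SYSTEM_PASSWORD = """\
# Begin /etc/pam.d/system-password (constructed sample)
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=4 retry=3 enforce_for_root
password required pam_pwhistory.so remember=5 use_authtok
password required pam_unix.so sha512 shadow use_authtok
"""

# Constructed sample: a system-auth file where deny was raised to 5.
SAMPLE_SYSTEM_AUTH = """\
# Begin /etc/pam.d/system-auth (constructed sample)
auth required pam_tally2.so deny=5 onerr=fail unlock_time=900 root_unlock_time=300
auth required pam_unix.so
"""

OPTION_RE = re.compile(r"\b([a-z_]+)=(-?\d+)\b")


def parse_pam_options(text):
    """Return {option: int} for every key=integer option on non-comment lines.
    Later lines override earlier ones, matching top-to-bottom PAM stack order."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for key, value in OPTION_RE.findall(line):
            found[key] = int(value)
    return found


def audit(text, defaults):
    """Compare parsed options with the documented defaults.
    Returns {option: (configured, default)} for each deviation; a configured
    value of None means the option is absent and the module's own default applies."""
    found = parse_pam_options(text)
    return {key: (found.get(key), default)
            for key, default in defaults.items()
            if found.get(key) != default}


def audit_appliance(system_password_text, system_auth_text):
    """Audit both policy files of one appliance; keys are the file names."""
    return {
        "system-password": audit(system_password_text, COMPLEXITY_DEFAULTS),
        "system-auth": audit(system_auth_text, LOCKOUT_DEFAULTS),
    }


if __name__ == "__main__":
    report = audit_appliance(SAMPLE_SYSTEM_PASSWORD, SAMPLE_SYSTEM_AUTH)
    for name, deviations in report.items():
        for key, (configured, default) in deviations.items():
            print(f"{name}: {key}={configured} (documented default {default})")
```

On an appliance you would feed the script the contents of the two real files instead of the samples; an empty report for a file means every documented setting is at its default, which is the state to record before changing anything to meet your organization's standard.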

Password Expiration Policy for vCenter Single Sign-On

You manage the vCenter Single Sign-On password expiration policy per built-in identity provider domain. The password expiration policy applies only to user accounts in the vCenter Single Sign-On built-in identity provider domain (for example, vsphere.local). The policy does not apply to local system accounts or the domain’s default Administrator account (for example, [email protected]). You can modify the configuration settings for the vCenter Single Sign-On identity provider domain to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 7. Default Password Expiration Policy for vCenter Single Sign-On

Setting           Default  Description
Maximum lifetime  90       Maximum number of days before expiration

Password Complexity Policy for vCenter Single Sign-On

You manage the vCenter Single Sign-On password complexity policy per built-in identity provider domain. The password complexity policy applies only to user accounts in the vCenter Single Sign-On built-in identity provider domain (for example, vsphere.local). The policy does not apply to local system accounts or the built-in identity provider’s default Administrator account (for example, [email protected]). You can modify the configuration to refine the settings and adhere to the policies and regulatory standards of your organization.

The vCenter Single Sign-On password complexity policy determines the password format requirements for the vCenter Single Sign-On built-in identity provider. The default configuration is shown in the following table.

Table 8. Default Password Complexity Policy for vCenter Single Sign-On

Setting                       Default  Description
Restrict reuse                5        Number of previous passwords that cannot be reused
Maximum length                20       Maximum password length (number of characters)
Minimum length                8        Minimum password length (number of characters)
Special characters            1        Minimum number of special characters
Alphabetic characters         2        Minimum number of alphabetic characters
Uppercase characters          1        Minimum number of uppercase characters
Lowercase characters          1        Minimum number of lowercase characters
Numeric characters            1        Minimum number of numeric characters
Identical adjacent characters 1        Maximum number of identical adjacent characters
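The Table 8 rules are simple counters, so they can be checked before a password is ever submitted to the identity provider, for example when an organization standard is being drafted. The following is an added example, not VMware code and not the built-in identity provider's validator: it evaluates a candidate password against a policy object whose defaults are the Table 8 values, treating every non-alphanumeric character (including whitespace) as a special character, which is an assumption about how the product counts that class. The `sddc_rotation_compatible` check reflects the constraint stated later in this page's design decisions that SDDC Manager cannot rotate a managed account when the minimum length exceeds 20.

```python
"""Check candidate passwords against the vCenter Single Sign-On complexity
policy of Table 8.  Added example; rule evaluation follows the table's wording."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SsoComplexityPolicy:
    restrict_reuse: int = 5          # previous passwords that cannot be reused
    max_length: int = 20
    min_length: int = 8
    min_special: int = 1
    min_alpha: int = 2
    min_upper: int = 1
    min_lower: int = 1
    min_numeric: int = 1
    max_identical_adjacent: int = 1  # longest allowed run of one repeated character


DEFAULT_POLICY = SsoComplexityPolicy()


def longest_identical_run(s):
    """Length of the longest run of identical adjacent characters (0 for empty)."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def check_password(candidate, policy=DEFAULT_POLICY, history=()):
    """Return the names of violated rules; an empty list means the candidate complies.
    `history` is the ordered list of previous passwords, oldest first (constructed input)."""
    violations = []
    counts = {
        "special": sum(not c.isalnum() for c in candidate),  # assumption: anything non-alphanumeric
        "alpha": sum(c.isalpha() for c in candidate),
        "upper": sum(c.isupper() for c in candidate),
        "lower": sum(c.islower() for c in candidate),
        "numeric": sum(c.isdigit() for c in candidate),
    }
    if len(candidate) < policy.min_length:
        violations.append("min_length")
    if len(candidate) > policy.max_length:
        violations.append("max_length")
    for name, minimum in (("special", policy.min_special), ("alpha", policy.min_alpha),
                          ("upper", policy.min_upper), ("lower", policy.min_lower),
                          ("numeric", policy.min_numeric)):
        if counts[name] < minimum:
            violations.append(f"min_{name}")
    if longest_identical_run(candidate) > policy.max_identical_adjacent:
        violations.append("identical_adjacent")
    recent = tuple(history)[-policy.restrict_reuse:] if policy.restrict_reuse > 0 else ()
    if candidate in recent:
        violations.append("reuse")
    return violations


def sddc_rotation_compatible(policy):
    """SDDC Manager generates 20-character passwords for managed accounts, so a
    minimum length above 20 makes rotation impossible (see IAM-VCS-SEC-013)."""
    return policy.min_length <= 20


if __name__ == "__main__":
    for pw in ("Pa5s-w0rdX", "Passw0rd!", "password"):
        print(pw, check_password(pw) or "compliant")
    print("rotation compatible:", sddc_rotation_compatible(SsoComplexityPolicy(min_length=21)))
```

The `Passw0rd!` case is the one that surprises people: it satisfies every class minimum yet fails on the default limit of one identical adjacent character because of the doubled `s`.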

Account Lockout Policy for vCenter Single Sign-On

You manage the vCenter Single Sign-On account lockout policy per built-in identity provider domain. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 9. Default Account Lockout Policy for vCenter Single Sign-On

Setting                                  Default  Description
Maximum number of failed login attempts  5        Maximum number of authentication failures before the account is locked
Time interval between failures           180      Amount of time in seconds within which failed login attempts must occur to trigger a lockout
Unlock time                              900      Amount of time in seconds that the account remains locked. If you set it to 0, the administrator must unlock the account explicitly.
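The interaction of the three Table 9 settings is easiest to see by replaying an authentication sequence through them, which is also the logic a detection engineer needs when deciding whether a burst of failures in the vCenter Single Sign-On logs should already have produced a lockout. The following is an added example, not VMware code: it models the policy as a sliding window in which a lockout triggers once `max_failures` failures fall within `interval` seconds of the most recent one, treats attempts made during a lockout as rejected without extending the lock, and models `unlock_time` of 0 as locked until an administrator unlocks. That window reading and the rejected-attempt handling are assumptions about the product's behaviour. The log lines and account names are constructed.

```python
"""Replay authentication events through the Table 9 lockout policy.
Added example; the sliding-window interpretation is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime

LOCKED_UNTIL_ADMIN = float("inf")   # unlock_time = 0: only an administrator can unlock
EPOCH = datetime(1970, 1, 1)


@dataclass
class LockoutPolicy:
    max_failures: int = 5   # Maximum number of failed login attempts
    interval: int = 180     # Time interval between failures (seconds)
    unlock_time: int = 900  # Unlock time (seconds); 0 = until administrator unlocks


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of failures in the window
    locked_until: float = 0.0                     # epoch seconds; 0 = not locked


class LockoutTracker:
    def __init__(self, policy=None):
        self.policy = policy or LockoutPolicy()
        self.accounts = {}

    def is_locked(self, user, now):
        state = self.accounts.get(user)
        return state is not None and now < state.locked_until

    def admin_unlock(self, user):
        state = self.accounts.setdefault(user, AccountState())
        state.locked_until = 0.0
        state.failures.clear()

    def record(self, user, ts, success):
        """Apply one event; returns 'ok', 'fail', 'locked' or 'rejected'."""
        state = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, ts):
            return "rejected"            # assumption: no effect on the lock timer
        if success:
            state.failures.clear()
            return "ok"
        # Keep only failures within `interval` seconds of this one, then count.
        state.failures = [t for t in state.failures if ts - t <= self.policy.interval] + [ts]
        if len(state.failures) >= self.policy.max_failures:
            state.failures.clear()
            state.locked_until = (ts + self.policy.unlock_time
                                  if self.policy.unlock_time > 0 else LOCKED_UNTIL_ADMIN)
            return "locked"
        return "fail"


# Constructed log: "<ISO timestamp> <account> <OK|FAIL>", not real product log format.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ops-user@vsphere.local FAIL
2024-05-01T10:00:20 ops-user@vsphere.local FAIL
2024-05-01T10:00:40 ops-user@vsphere.local FAIL
2024-05-01T10:01:00 ops-user@vsphere.local FAIL
2024-05-01T10:01:30 ops-user@vsphere.local FAIL
2024-05-01T10:02:00 ops-user@vsphere.local OK
2024-05-01T10:16:31 ops-user@vsphere.local OK
2024-05-01T10:00:00 slow-user@vsphere.local FAIL
2024-05-01T10:05:00 slow-user@vsphere.local FAIL
2024-05-01T10:10:00 slow-user@vsphere.local FAIL
2024-05-01T10:15:00 slow-user@vsphere.local FAIL
2024-05-01T10:20:00 slow-user@vsphere.local FAIL
"""


def parse_log(text):
    """Return (epoch_seconds, user, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, result = line.split()
        ts = (datetime.fromisoformat(stamp) - EPOCH).total_seconds()
        events.append((ts, user, result == "OK"))
    return sorted(events)


def replay(text, policy=None):
    """Return {user: [outcome per event]} for the given log text."""
    tracker = LockoutTracker(policy)
    outcomes = {}
    for ts, user, ok in parse_log(text):
        outcomes.setdefault(user, []).append(tracker.record(user, ts, ok))
    return outcomes


if __name__ == "__main__":
    for user, result in replay(SAMPLE_LOG).items():
        print(user, result)
```

In the replay, `ops-user` locks on the fifth failure within 90 seconds, its correct login 30 seconds later is rejected, and the next correct login one second after the 900-second unlock time succeeds; `slow-user` fails five times but never locks because the failures are 300 seconds apart, outside the 180-second interval. That second pattern is exactly the kind of low-and-slow guessing the lockout policy alone will not stop, which is why the failure count itself deserves monitoring.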

For more information, see the vCenter Password Requirements and Lockout Behavior documentation for VMware vSphere.

Design Decisions on Password Policies for vCenter Server

Table 10. Design Decisions on Password Policies for vCenter Server

Decision ID: IAM-VCS-SEC-008

Design Decision: Configure the global password expiration policy for each vCenter Server instance.

Design Justification: You configure the global password expiration policy for each vCenter Server instance to align with the requirements of your organization, which might be based on industry compliance standards.

Design Implication: You must manage the password expiration policy on each vCenter Server instance by using the vCenter Server Management Interface.

Decision ID: IAM-VCS-SEC-009

Design Decision: Configure the local user password expiration policy for each vCenter Server instance.

Design Justification:

  • You configure the local user password expiration policy for each vCenter Server instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user password expiration policy is applicable to the root account for the vCenter Server virtual appliance.

Design Implication: You must manage the local user password expiration settings on each vCenter Server instance by using both the vCenter Server Management Interface and the virtual appliance console.

Decision ID: IAM-VCS-SEC-010

Design Decision: Configure the local user password complexity policy for each vCenter Server instance.

Design Justification:

  • You configure the local user password complexity policy for each vCenter Server instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user password complexity policy is applicable only to the local vCenter Server virtual appliance users.

Design Implication:

  • You must manage the local user password complexity settings on each vCenter Server instance by using the virtual appliance console.

  • If the password complexity policy sets the minimum password length to a value greater than 20, password rotation in SDDC Manager cannot be performed for a managed account. Passwords must be updated or remediated.

Decision ID: IAM-VCS-SEC-011

Design Decision: Configure the local user account lockout policy for each vCenter Server instance.

Design Justification:

  • You configure the local user account lockout policy for each vCenter Server instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user account lockout policy is applicable only to the local vCenter Server virtual appliance users.

Design Implication: You must manage the local user account lockout settings on each vCenter Server instance by using the virtual appliance console.

Decision ID: IAM-VCS-SEC-012

Design Decision: Configure the password expiration policy for the vCenter Single Sign-On built-in identity provider.

Design Justification:

  • You configure the password expiration policy for the vCenter Single Sign-On built-in identity provider to align with the requirements of your organization, which might be based on industry compliance standards.

  • The password expiration policy is applicable to the built-in identity provider users only and does not impact your organization's directory services or the root account for the vCenter Server virtual appliance.

  • The password for the Administrator account of the vCenter Single Sign-On built-in identity provider does not expire based on the default vCenter Single Sign-On password expiration policy configuration.

Design Implication: You must manage the password expiration policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client.

Decision ID: IAM-VCS-SEC-013

Design Decision: Configure the password complexity policy for the vCenter Single Sign-On built-in identity provider.

Design Justification:

  • You configure the password complexity policy for the vCenter Single Sign-On built-in identity provider to align with the requirements of your organization, which might be based on industry compliance standards.

  • The password complexity policy is applicable to the built-in identity provider users only and does not impact your organization's directory services or the root account for the vCenter Server virtual appliance.

Design Implication:

  • You must manage the password complexity policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client.

  • If the password complexity policy sets the minimum password length to a value greater than 20, password rotation in SDDC Manager cannot be performed for a managed account. Passwords must be updated or remediated.

Decision ID: IAM-VCS-SEC-014

Design Decision: Configure the account lockout policy for the vCenter Single Sign-On built-in identity provider.

Design Justification:

  • You configure the account lockout policy for the vCenter Single Sign-On domain to align with the requirements of your organization, which might be based on industry compliance standards.

  • The account lockout policy is applicable to the built-in identity provider users only and does not impact your organization's directory services or the root account for the vCenter Server virtual appliance.

  • The Administrator account of the vCenter Single Sign-On built-in identity provider is not locked out based on the vCenter Single Sign-On account lockout policy configuration.

Design Implication: You must manage the account lockout policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client.

vCenter Server Password Management

In VMware Cloud Foundation, SDDC Manager manages the life cycle of critical accounts in the system. Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture of the system. SDDC Manager provides the ability to rotate, update, and remediate component passwords. Unlike password rotation, which generates a randomized password, password updates allow you to provide the desired password for the selected account. You can rotate passwords manually or set up an automated rotation schedule. By default, the scheduled rotation for vCenter Server managed accounts is 90 days.

When an error occurs, for example, after a password expires, you must reset the password. After you reset the password, you must remediate the password. Password remediation synchronizes the password of the component account stored in SDDC Manager with the updated password. To resolve any errors that might occur during password rotation or updates, you must use password remediation.

  • For USER and SYSTEM account types, you must provide the password set in the component. SDDC Manager updates the stored password with the new password.

  • For the SERVICE account type, you must provide the password set in the component. SDDC Manager updates the service account password with the new password. After password remediation, the password is rotated to a new password.

SERVICE type accounts have a defined set of privileges and are created for communication between system components. SERVICE account passwords are randomly generated by SDDC Manager with a 20 character length and cannot be manually set. You can update the password of a SERVICE account type by rotating the password.

For more information, see the Password Management documentation for VMware Cloud Foundation.

Table 11. Design Decisions on Password Management for vCenter Server

Decision ID: IAM-VCS-SEC-015

Design Decision: For each vCenter Server instance, change the vCenter Server virtual appliance root account password on a recurring or event-initiated schedule by using SDDC Manager.

Design Justification:

  • The password for the vCenter Server root user account expires based on the default password expiration settings. By default, SDDC Manager is configured to automate a password rotation for the root account every 90 days.

  • SDDC Manager manages each vCenter Server instance in the system. The vCenter Server virtual appliance root account password must be known and managed by SDDC Manager.

Design Implication: You must manage the password update or an automated password rotation schedule (default) for the root account by using SDDC Manager.

Decision ID: IAM-VCS-SEC-016

Design Decision: Change the vCenter Single Sign-On domain administrator SYSTEM account (for example, [email protected]) password in the vCenter Single Sign-On built-in identity provider on a recurring or event-initiated schedule by using SDDC Manager.

Design Justification:

  • The password for the vCenter Single Sign-On domain administrator SYSTEM account does not expire based on the default vCenter Single Sign-On password expiration settings.

  • SDDC Manager manages each vCenter Server instance in the system. The vCenter Single Sign-On domain administrator SYSTEM account password must be known and managed by SDDC Manager.

Design Implication: You must manage the password update or an automated password rotation schedule for the SYSTEM account by using SDDC Manager.

Decision ID: IAM-VCS-SEC-017

Design Decision: Rotate the passwords for SDDC Manager SERVICE account types in the vCenter Single Sign-On built-in identity provider on a recurring or event-initiated schedule by using SDDC Manager.

Design Justification:

  • The password for each vCenter Single Sign-On SERVICE account expires based on the vCenter Single Sign-On password expiration settings. By default, SDDC Manager is configured to automate a password rotation for the account every 90 days.

  • A vCenter Server instance is registered as a compute manager with its NSX Local Manager cluster during workload domain creation. This SERVICE account password must be known and managed by SDDC Manager. The passwords for the SERVICE accounts are randomly generated by SDDC Manager and cannot be manually set.

Design Implication: You must manage the password rotation or an automated password rotation schedule for the SERVICE account by using SDDC Manager.