Information security and access design details the design decisions covering authentication and access controls for vCenter Server in VMware Cloud Foundation.
You can log in to a vCenter Server instance based on the configuration of vCenter Single Sign-On. vCenter Single Sign-On allows vSphere components to communicate with each other through a secure token mechanism.
vCenter Single Sign-On uses the following services.
- Authentication of users through the vCenter Server built-in identity provider or external identity provider federation.
- Authentication of solution users through certificates.
- Security Token Service (STS).
- SSL for secure traffic.
vCenter Server includes a built-in identity provider. By default, the vCenter Server built-in identity provider uses an embedded vsphere.local domain and supports local accounts. You can configure the vCenter Server built-in identity provider to use Microsoft Active Directory as its identity source using LDAP(S) or use OpenLDAP. These configurations allow you to log in to vCenter Server using Active Directory user accounts assigned to vCenter Server roles.
You can also configure vCenter Server to use an external identity provider. Using federated authentication, you replace vCenter Server as the identity provider with an external identity provider.
The configuration of an external identity provider is not in scope of this solution.
Active Directory Integration for vCenter Server
This solution provides design and implementation guidance on configuring the vCenter Server built-in identity provider to use Microsoft Active Directory over LDAP.
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IAM-VCS-SEC-001 | Configure the vCenter Server instances to use Active Directory over LDAP with SSL (LDAPS) as the identity source. | | |
| IAM-VCS-SEC-002 | Use an Active Directory user account with minimum read-only access to the Base DN for users and groups to serve as the service account for the Active Directory bind. | Provides the following access control features: | You must manage the password life cycle of this Active Directory user account. |
vCenter Server provides precise control over authorization by using permissions and roles. Each object in the vCenter Server object hierarchy has associated permissions. When you assign permissions to an object in the vCenter Server object hierarchy, you specify the privileges and access for each user or group on that object.
You can assign privileges only to authenticated users or groups of authenticated users. Users are authenticated through vCenter Single Sign-On. Users and groups must be defined in the identity source that vCenter Single Sign-On uses. Define users and groups using the tools in your identity source, for example, Active Directory.
To specify the privileges for users or groups, you use roles, which are sets of privileges. Roles allow you to assign permissions on an object based on a typical set of tasks that users perform. Default roles, such as Administrator, are predefined in vCenter Server and cannot be changed. Other roles, such as Resource Pool Administrator, are predefined sample roles. vCenter Server offers predefined roles, which combine frequently used privilege sets. You can create custom roles either from scratch or by cloning and modifying sample roles.
vSphere supports several access control models for determining whether a user is allowed to perform a task. A user's role on an object or the user's global permission determines whether that user is allowed to perform other tasks in vSphere.
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IAM-VCS-SEC-003 | Assign the default Administrator role in vCenter Server to an Active Directory security group. | By assigning the Administrator role to an Active Directory security group, you can simplify and manage user access with administrative rights in vCenter Server based on your organization's personas. | |
| IAM-VCS-SEC-004 | Assign vCenter Server global permissions for the Active Directory security groups assigned the Administrator role. | By assigning the global permissions to an Active Directory security group with the Administrator role, you can manage user access with administrative rights across all management and workload domain vCenter Server instances that participate in enhanced linked mode and use the same identity provider. | None. |
| IAM-VCS-SEC-005 | Assign the default Read-Only role in vCenter Server to an Active Directory security group. | By assigning the Read-Only role to an Active Directory security group, you can simplify and manage user access with read-only rights in vCenter Server based on your organization's personas. | |
| IAM-VCS-SEC-006 | Assign vCenter Server global permissions for the Active Directory security groups assigned the Read-Only role. | By assigning global permissions to an Active Directory security group with the Read-Only role, you can manage user access with read-only privileges across all management and workload domain vCenter Server instances that participate in enhanced linked mode and use the same identity provider. | None. |
| IAM-VCS-SEC-007 | Add an Active Directory security group as a member of the vCenter Single Sign-On Administrators group. | By adding an Active Directory security group as a member of the Administrators group, you can manage user access with administrative rights to the vCenter Single Sign-On built-in identity provider based on your organization's personas. | |
Password Policies for vCenter Server
For a vCenter Server instance, you can enforce password policies for access to the virtual appliance by using the DCUI, SSH, or the vCenter Server Management Interface. The password policies apply only to local user accounts.
Password Expiration Policy for vCenter Server
You manage the password expiration policies on a per-instance basis. You can modify the configuration settings on each vCenter Server instance to refine the settings and adhere to the policies and regulatory standards of your organization. The default configurations are shown in the following tables.
| Setting | Default | Description |
|---|---|---|
| Maximum (days) | 90 | Maximum number of days between password changes |
| Minimum (days) | 0 | Minimum number of days between password changes |
| Warning | 7 | Number of days of warning before a password expires |

| Setting | Default | Description |
|---|---|---|
| Password Expires | Yes | The virtual appliance root password is set to expire |
| Password validity | 90 | Maximum number of days before password expiration |
| Email for expiration warning | - | Email for password expiration warnings |
| Warning (days) | 7 | Number of days of warning before a password expires |
Password Complexity Policy for vCenter Server for Local Users
You manage the local user password complexity policy by using the /etc/pam.d/system-password file on a per-instance basis. You can modify the configuration settings on each vCenter Server instance to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.
| Setting | Default | Description |
|---|---|---|
| | -1 | Maximum number of digits that generate a credit |
| | -1 | Maximum number of uppercase characters that generate a credit |
| | -1 | Maximum number of lowercase characters that generate a credit |
| | -1 | Maximum number of other characters that generate a credit |
| | 6 | Minimum password length (number of characters) |
| | 4 | Minimum number of characters that must be different from the old password |
| | 5 | Maximum number of passwords that the system remembers |
Account Lockout Policy for vCenter Server for Local Users
You manage the local user account lockout policy by using the /etc/pam.d/system-auth file on a per-instance basis. You can modify the configuration settings on each vCenter Server instance to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.
| Setting | Default | Description |
|---|---|---|
| | 3 | Maximum number of authentication failures before the account is locked |
| | 900 | Amount of time in seconds that the account remains locked |
| | 300 | Amount of time in seconds that the root account remains locked |
Password Expiration Policy for vCenter Single Sign-On
You manage the vCenter Single Sign-On password expiration policy per built-in identity provider domain. The password expiration policy applies only to user accounts in the vCenter Single Sign-On built-in identity provider domain (for example, vsphere.local). The policy does not apply to local system accounts or the domain’s default Administrator account (for example, [email protected]). You can modify the configuration settings for the vCenter Single Sign-On identity provider domain to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.
| Setting | Default | Description |
|---|---|---|
| Maximum lifetime | 90 | Maximum number of days before expiration |
Password Complexity Policy for vCenter Single Sign-On
You manage the vCenter Single Sign-On password complexity policy per built-in identity provider domain. The password complexity policy applies only to user accounts in the vCenter Single Sign-On built-in identity provider domain (for example, vsphere.local). The policy does not apply to local system accounts or the built-in identity provider’s default Administrator account (for example, [email protected]). You can modify the configuration to refine the settings and adhere to the policies and regulatory standards of your organization.
The vCenter Single Sign-On password complexity policy determines the password format requirements for the vCenter Single Sign-On built-in identity provider. The default configuration is shown in the following table.
| Setting | Default | Description |
|---|---|---|
| Restrict reuse | 5 | Number of previous passwords that cannot be reused |
| Maximum length | 20 | Maximum password length (number of characters) |
| Minimum length | 8 | Minimum password length (number of characters) |
| Special characters | 1 | Minimum number of special characters |
| Alphabetic characters | 2 | Minimum number of alphabetic characters |
| Uppercase characters | 1 | Minimum number of uppercase characters |
| Lowercase characters | 1 | Minimum number of lowercase characters |
| Numeric characters | 1 | Minimum number of numeric characters |
| Identical adjacent characters | 1 | Maximum number of identical adjacent characters |
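To see how the default rules above combine, the following added example (not VMware code) validates a candidate password against the table defaults; which characters count as "special" is an assumption (ASCII punctuation), and the reuse check compares plaintext only for illustration.

```python
import string

# Default vCenter Single Sign-On complexity policy, values from the table above.
SSO_POLICY = {
    "restrict_reuse": 5,         # previous passwords that cannot be reused
    "max_length": 20,
    "min_length": 8,
    "special": 1,                # minimum special characters
    "alphabetic": 2,             # minimum alphabetic characters
    "uppercase": 1,
    "lowercase": 1,
    "numeric": 1,
    "identical_adjacent": 1,     # maximum identical adjacent characters
}


def max_identical_run(pw):
    """Length of the longest run of identical adjacent characters in pw."""
    longest, run, prev = 0, 0, None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest


def check_password(pw, history=(), policy=SSO_POLICY):
    """Return the names of the rules pw violates (empty list = acceptable).
    `history` lists previous passwords, oldest first; a real identity
    provider compares hashes rather than plaintext (assumption for illustration)."""
    violations = []
    if len(pw) < policy["min_length"]:
        violations.append("min_length")
    if len(pw) > policy["max_length"]:
        violations.append("max_length")
    # ASCII punctuation as the "special" set is an assumption, not the product's definition.
    if sum(c in string.punctuation for c in pw) < policy["special"]:
        violations.append("special")
    if sum(c.isalpha() for c in pw) < policy["alphabetic"]:
        violations.append("alphabetic")
    if sum(c.isupper() for c in pw) < policy["uppercase"]:
        violations.append("uppercase")
    if sum(c.islower() for c in pw) < policy["lowercase"]:
        violations.append("lowercase")
    if sum(c.isdigit() for c in pw) < policy["numeric"]:
        violations.append("numeric")
    if max_identical_run(pw) > policy["identical_adjacent"]:
        violations.append("identical_adjacent")
    if pw in list(history)[-policy["restrict_reuse"]:]:
        violations.append("restrict_reuse")
    return violations
```

With the defaults, "p@$$word1" fails on the uppercase and identical-adjacent rules even though it satisfies every minimum count, which is the interaction the table alone does not make obvious.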
Account Lockout Policy for vCenter Single Sign-On
You manage the vCenter Single Sign-On account lockout policy per built-in identity provider domain. You can modify the configuration to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.
| Setting | Default | Description |
|---|---|---|
| Maximum number of failed login attempts | 5 | Maximum number of authentication failures before the account is locked |
| Time interval between failures | 180 | Amount of time in seconds within which failed login attempts must occur to trigger a lockout |
| Unlock time | 900 | Amount of time in seconds that the account remains locked. If you set it to 0, the administrator must unlock the account explicitly. |
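The three settings interact (a sliding failure window, an automatic unlock, and the special meaning of 0); the following added model (not VMware code) steps through that behaviour with the table defaults. The sliding-window and auto-unlock semantics are an assumption about how the documented rules combine, and timestamps are plain seconds.

```python
# Default vCenter Single Sign-On lockout policy, values from the table above.
SSO_LOCKOUT = {
    "max_failures": 5,         # failed attempts before the account is locked
    "failure_interval": 180,   # seconds within which the failures must occur
    "unlock_time": 900,        # seconds locked; 0 means an administrator unlocks
}


class LockoutTracker:
    """Tracks failed logins per account and applies the lockout policy above."""

    def __init__(self, policy=SSO_LOCKOUT):
        self.policy = policy
        self.failures = {}    # account -> timestamps of recent failures
        self.locked_at = {}   # account -> timestamp when it was locked

    def is_locked(self, account, now):
        """True while the account is locked at time `now`; the lock expires
        automatically once unlock_time has passed (unless unlock_time is 0)."""
        if account not in self.locked_at:
            return False
        unlock = self.policy["unlock_time"]
        if unlock == 0:
            return True           # explicit administrator unlock required
        if now - self.locked_at[account] >= unlock:
            self.unlock(account)
            return False
        return True

    def unlock(self, account):
        """Administrator unlock: clears the lock and the failure history."""
        self.locked_at.pop(account, None)
        self.failures.pop(account, None)

    def record_failure(self, account, now):
        """Record a failed attempt at `now`; return True if the account is (or
        becomes) locked. Failures older than failure_interval are discarded."""
        if self.is_locked(account, now):
            return True
        window = self.policy["failure_interval"]
        recent = [t for t in self.failures.get(account, []) if now - t < window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.policy["max_failures"]:
            self.locked_at[account] = now
            return True
        return False
```

Five failures spread 100 seconds apart never lock the account because no five of them fall inside the 180-second interval, while five within 40 seconds lock it for 900 seconds; with unlock time 0 the lock persists until unlock() is called.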
For more information, see the vCenter Password Requirements and Lockout Behavior documentation for VMware vSphere.
Design Decisions on Password Policies for vCenter Server
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IAM-VCS-SEC-008 | Configure the global password expiration policy for each vCenter Server instance. | You configure the global password expiration policy for each vCenter Server instance to align with the requirements of your organization, which might be based on industry compliance standards. | You must manage the password expiration policy on each vCenter Server instance by using the vCenter Server Management Interface. |
| IAM-VCS-SEC-009 | Configure the local user password expiration policy for each vCenter Server instance. | | You must manage the local user password expiration settings on each vCenter Server instance by using both the vCenter Server Management Interface and the virtual appliance console. |
| IAM-VCS-SEC-010 | Configure the local user password complexity policy for each vCenter Server instance. | | |
| IAM-VCS-SEC-011 | Configure the local user account lockout policy for each vCenter Server instance. | | You must manage the local user account lockout settings on each vCenter Server instance by using the virtual appliance console. |
| IAM-VCS-SEC-012 | Configure the password expiration policy for the vCenter Single Sign-On built-in identity provider. | | You must manage the password expiration policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client. |
| IAM-VCS-SEC-013 | Configure the password complexity policy for the vCenter Single Sign-On built-in identity provider. | | |
| IAM-VCS-SEC-014 | Configure the account lockout policy for the vCenter Single Sign-On built-in identity provider. | | You must manage the account lockout policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client. |
vCenter Server Password Management
In VMware Cloud Foundation, SDDC Manager manages the life cycle of critical accounts in the system. Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture of the system. SDDC Manager provides the ability to rotate, update, and remediate component passwords. Unlike password rotation, which generates a randomized password, password updates allow you to provide the desired password for the selected account. You can rotate passwords manually or set up an automated rotation schedule. By default, the scheduled rotation for vCenter Server managed accounts is 90 days.
When an error occurs, for example, after a password expires, you must reset the password. After you reset the password, you must remediate the password. Password remediation synchronizes the password of the component account stored in SDDC Manager with the updated password. To resolve any errors that might occur during password rotation or updates, you must use password remediation.
- For USER and SYSTEM account types, you must provide the password set in the component. SDDC Manager updates the stored password with the new password.
- For the SERVICE account type, you must provide the password set in the component. SDDC Manager updates the service account password with the new password. After password remediation, the password is rotated to a new password.
SERVICE type accounts have a defined set of privileges and are created for communication between system components. SERVICE account passwords are randomly generated by SDDC Manager with a 20-character length and cannot be set manually. You can update the password of a SERVICE account type by rotating the password.
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IAM-VCS-SEC-015 | For each vCenter Server instance, change the vCenter Server virtual appliance root account password on a recurring or event-initiated schedule by using SDDC Manager. | | You must manage the password update or an automated password rotation schedule (default) for the root account by using SDDC Manager. |
| IAM-VCS-SEC-016 | Change the vCenter Single Sign-On domain administrator SYSTEM account (for example, [email protected]) password in the vCenter Single Sign-On built-in identity provider on a recurring or event-initiated schedule by using SDDC Manager. | | You must manage the password update or an automated password rotation schedule for the SYSTEM account by using SDDC Manager. |
| IAM-VCS-SEC-017 | Rotate the passwords for SDDC Manager SERVICE account types in the vCenter Single Sign-On built-in identity provider on a recurring or event-initiated schedule by using SDDC Manager. | | You must manage the password rotation or an automated password rotation schedule for the SERVICE account by using SDDC Manager. |