NSX Manager is a restricted system and has features designed to ensure the integrity of the system and to keep the system secure.

Details of the NSX Manager security features:
  • NSX Manager supports session time-out and user logoff. NSX Manager does not support session lock. Initiating a session lock can be a function of the workstation operating system being used to access NSX Manager.
  • In NSX-T Data Center 3.1, NSX Manager has two local accounts: admin and audit. The local accounts cannot be deactivated. No additional local accounts can be created.
  • Starting in NSX-T Data Center 3.1.1, there are two additional guest user accounts. In the Enterprise environment, guestuser1 and guestuser2 user accounts are available. In the NSX Cloud environment, cloud_admin and cloud_audit user accounts are available. For 3.1.1 and later, the local accounts for audit and guest users are inactive by default, but can be activated or deactivated. The admin account still cannot be deactivated. No additional local accounts can be created.
  • NSX Manager enforces approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
  • NSX Manager initiates session auditing upon startup.
  • NSX Manager uses its internal system clock to generate time stamps for audit records.
  • The NSX Manager user interface includes a user account, which has access rights to all resources, but does not have rights to the operating system to install software and hardware. NSX-T Data Center upgrade files are the only files allowed for installation. You cannot edit the rights of or delete this user.
  • All passwords in the system (databases, configuration files, log files, and so on.) are encrypted using a strong one-way hashing algorithm with a salt. During authentication, the password entered by the user is always obfuscated.
  • FIPS compliance
    • NSX Manager uses FIPS 140-2 approved algorithms for authentication to a cryptographic module.
    • NSX Manager generates unique session identifiers using a FIPS 140-2 approved random number generator.
    • NSX Manager uses a FIPS 140-2 approved cryptographic algorithm to protect the confidentiality of remote maintenance and diagnostic sessions.
    • NSX Manager authenticates SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
  • NSX Manager recognizes only system-generated session identifiers and invalidates session identifiers upon administrator logout or other session termination.
  • An audit log is generated for events such as logon, logoff, and access to resources. Each audit log contains the timestamp, source, result, and a description of the event. For more information, see Log Messages and Error Codes.