vSphere Web Client extensions run at the same privilege level as the user who is logged in. A malicious extension can masquerade as a useful plug-in and perform harmful operations such as stealing credentials or changing the system configuration. To increase security, use a vSphere Web Client installation that includes only authorized extensions from trusted sources.
Before you begin
You must have privileges to access the vCenter Single Sign-On service. These privileges differ from vCenter Server privileges.
About this task
A vCenter installation includes the vSphere Web Client extensibility framework, which provides the ability to extend the vSphere Web Client with menu selections or toolbar icons that provide access to vCenter add-on components or external, Web-based functionality. This flexibility results in a risk of introducing unintended capabilities. For example, if an administrator installs a plug-in in an instance of the vSphere Web Client, the plug-in can then execute arbitrary commands with the privilege level of that administrator.
To protect against potential compromise of your vSphere Web Client, periodically examine all installed plug-ins and make sure that each one comes from a trusted source.
- Log in to the vSphere Web Client as email@example.com or a user with vCenter Single Sign-On privileges.
- From the Home page, select Administration, and then select Client Plug-Ins under Solutions.
- Examine the list of client plug-ins.
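
The periodic review described above can be made repeatable by recording the plug-in list and comparing it against an approved baseline. The following is an added example, not part of the original documentation or VMware code; the `Plugin` field names, the `audit` function, and all sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Plugin:
    key: str      # unique plug-in identifier (assumed field name)
    vendor: str   # publisher recorded for the plug-in (assumed)
    version: str
    url: str      # where the client loads the plug-in package from (assumed)

def audit(installed, approved):
    """Return sorted (key, finding) pairs for every deviation from the baseline."""
    findings = []
    for p in installed:
        base = approved.get(p.key)
        if base is None:
            # Plug-in nobody authorized: the main case the review looks for.
            findings.append((p.key, "not in approved baseline"))
            continue
        # An approved key with a different vendor, version or source is drift.
        for field in ("vendor", "version", "url"):
            got, want = getattr(p, field), getattr(base, field)
            if got != want:
                findings.append((p.key, f"{field} changed: {want!r} -> {got!r}"))
    present = {p.key for p in installed}
    for key in approved.keys() - present:
        findings.append((key, "approved but not installed"))
    return sorted(findings)

# Constructed sample data: the approved baseline and a recorded plug-in list.
APPROVED = {p.key: p for p in [
    Plugin("com.example.backup", "Example Corp", "2.1.0",
           "https://backup.example.internal/ui.zip"),
    Plugin("com.example.monitor", "Example Corp", "1.4.2",
           "https://monitor.example.internal/ui.zip"),
]}
INSTALLED = [
    Plugin("com.example.backup", "Example Corp", "2.1.0",
           "https://backup.example.internal/ui.zip"),
    Plugin("com.example.monitor", "Example Corp", "1.4.2",
           "http://198.51.100.7/ui.zip"),
    Plugin("org.sample.helper", "Unknown", "0.9",
           "https://helper.example.net/ui.zip"),
]

if __name__ == "__main__":
    for key, finding in audit(INSTALLED, APPROVED):
        print(f"{key}: {finding}")
```

An empty result means the recorded list matches the baseline; any finding is a plug-in to investigate before it is used with an administrator session.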