VMware ESXi 6.0 Advance Security

Among the numerous enhancements in vSphere 6.0, the security and password settings for the ESXi host now make more sense. A few of the changes are permission management, account lockout, flexible lockdown mode and password complexity.

ESXi Local account

An ESXi local account can be created in three ways: with ESXCLI, with PowerShell (PowerCLI), or by logging in to the ESXi host via the vSphere Client.

ESXCLI

Log in to the host over SSH (for example with PuTTY) and run the command below:

esxcli system account list

It lists the current users on the ESXi host.


Run the command below to create a new user:

esxcli system account add --id testuser --description "Test Service Account" --password="Server2003" --password-confirmation="Server2003"


We got an error because the password is weak. After changing the password, the command succeeded.


Powershell

Connect-VIServer 10.0.0.11   # connect to the ESXi host
New-VMHostAccount -Id TestUser1 -Password GenX@2003 -Description "Test account" -UserAccount   # create user "TestUser1" with password "GenX@2003"


After the script runs, we can see that the account TestUser1 has been created.


vSphere Client

Log in to the ESXi host from the vSphere Client and, in the Users tab, create the new user.


Account Security

  • Account Lock Failures: this setting configures the maximum number of failed login attempts before the account is locked out. The default value is 10.


  • Account unlock time: the duration for which an account stays locked after the failed password attempts.
  • Password complexity: ESXi uses the Linux PAM module pam_passwdqc for password management and control. In vSphere 6.0 a user password must meet the following requirements:
    Passwords must contain characters from at least three character classes.
    Passwords containing characters from three character classes must be at least seven characters long.
    Passwords containing characters from all four character classes must be at least seven characters long.

Lockdown Mode

Lockdown mode is improved with two new modes: Normal and Strict.

In Normal mode, ESXi is only accessible through the local console (DCUI) or through vCenter. Only the users in the Exception Users list, or those named in the DCUI.Access advanced option for the host, can access the ESXi host directly.

In Strict mode the DCUI service is no longer available. If vCenter fails and SSH and the exception users are not defined, the host has to be reinstalled.


Note: Since the SSH service is independent of lockdown mode, it is recommended for security to disable SSH while the host is in lockdown mode.
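The account-security settings and the lockdown/SSH note above can be audited in one pass with PowerCLI. The script below is an added example, not code from the original post; it assumes PowerCLI is loaded, that the advanced settings Security.AccountLockFailures, Security.AccountUnlockTime and Security.PasswordQualityControl exist on the host, and that the baseline values in the param block are your own policy (placeholders here).

```powershell
# Added example: audit ESXi 6.0 account security and lockdown/SSH state (not from the post).
# Assumed baseline values; the host address 10.0.0.11 is the one used in the post.
param(
    [string]$Server          = '10.0.0.11',
    [int]   $MaxLockFailures = 5,     # post's default is 10; stricter value assumed as a baseline
    [int]   $MinUnlockTime   = 900    # seconds an account stays locked (assumed baseline)
)

Connect-VIServer -Server $Server | Out-Null

foreach ($vmhost in Get-VMHost) {
    $findings = @()

    # Account lockout: failed-attempt threshold and lock duration
    $lockFailures = [int](Get-AdvancedSetting -Entity $vmhost -Name 'Security.AccountLockFailures').Value
    $unlockTime   = [int](Get-AdvancedSetting -Entity $vmhost -Name 'Security.AccountUnlockTime').Value
    if ($lockFailures -eq 0 -or $lockFailures -gt $MaxLockFailures) {
        $findings += "AccountLockFailures=$lockFailures (expected 1..$MaxLockFailures)"
    }
    if ($unlockTime -lt $MinUnlockTime) {
        $findings += "AccountUnlockTime=$unlockTime (expected >= $MinUnlockTime)"
    }

    # Password complexity: pam_passwdqc policy string, e.g. "retry=3 min=disabled,disabled,disabled,7,7"
    # Fields 4 and 5 of min= are the minimum lengths for 3- and 4-class passwords (post says 7).
    $pwq = (Get-AdvancedSetting -Entity $vmhost -Name 'Security.PasswordQualityControl').Value
    if ($pwq -match 'min=(\S+)') {
        $minLen = $Matches[1] -split ','
        if ($minLen.Count -lt 5 -or
            $minLen[3] -eq 'disabled' -or [int]$minLen[3] -lt 7 -or
            $minLen[4] -eq 'disabled' -or [int]$minLen[4] -lt 7) {
            $findings += "PasswordQualityControl weaker than 7-char minimum: $pwq"
        }
    } else {
        $findings += "PasswordQualityControl has no min= clause: $pwq"
    }

    # Lockdown mode and SSH: SSH is independent of lockdown, so flag it running on a locked-down host
    $lockdown = $vmhost.ExtensionData.Config.LockdownMode   # lockdownDisabled / lockdownNormal / lockdownStrict
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
    if ($lockdown -eq 'lockdownDisabled') { $findings += 'Lockdown mode disabled' }
    if ($ssh -and $ssh.Running)           { $findings += "SSH service running (lockdown=$lockdown)" }

    [pscustomobject]@{ Host = $vmhost.Name; Findings = ($findings -join '; ') }
}
```

Run it against vCenter instead of a single host to audit every ESXi host in the inventory in the same loop.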
