Have you thought carefully about Active Directory and your virtual infrastructure? If not, get started. According to polls I’ve conducted on VMware Communities, 80 percent of the people using VMware Virtual Infrastructure trust the security model VMware has used. Yet more than 70 percent are integrating VMware ESX into Active Directory; and only a few are augmenting their security with access controls. However, anyone with a legitimate AD account has the potential to log in to the VMware ESX service console and gain access to restricted data. Some of this data valuable in itself; much of the rest is critical to the system and could be further used by hackers to craft attacks on other data stores. Even with group policies and other measures in place, there is a lot of room for individual access rights to go unmodified and leave unintentional access permissions in place.Incorrectly protected configuration and script files could reveal such things as the system password, server configurations, configuration change histories and the names of VM, network and other resources. In addition, it is possible to see how virtual machines are configured, and the logs associated with the running of VMs. Thankfully the raw Virtual Machine Disk Format (VMDK) is not available to a generic user, but information about the VM is. That in itself creates an issue. Interestingly enough Network File System (NFS)-based datastores are not accessible at all by a regular user from the VMware ESX host. The host will give information about how the VM is configured, about the networks to which it’s connected, and how the disks are setup as well. Lastly it is possible for the firewall, Virtual Infrastructure Client authorizations, and other information about the VMware ESX Server to be discovered. This is useful information for a hacker. I have listed only a few but there is quite a bit of information leakage that could be used to possibly subvert the host.While the AD authentication is secure when using Secure LDAP or Winbind, it is still possible for non-administrators to gain access to systems and gain vital information about the host, VMs, and the entire virtual environment. To combat this, servers and networks need to be hardened further. More importantly, VM installations need more authentication controls. There are at least three methods that can be used to limit access to the VMware ESX host built in to the management appliance. They are: tcpwrappers (tool to limit access via IP to various daemons), pam_access (tool to limit logins to the system by user, group, and IP in addition to limiting logins to only certain times), and the packet filtering firewall (limit access via IP). It is important to apply at least two of the three listed to get full coverage, just in case one fails. Use these additional tools to further limit access to the Service Console, setting up AD integration or any other form of Single Sign On is an important tool to combat the spread of passwords. It’s not enough, however. If your security policies dictate who can log in to various physical servers, you need to do the same for VMware ESX. Then you will no longer suffer from possible information leakage and faulty authentication security.Virtualization expert Edward L. Haletky is the author of “VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers,” Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions. Related content brandpost Zero-trust: Why You Shouldn’t Ignore Your Print Environment By Canon Business Solutions Jun 07, 2023 5 mins Zero Trust news Salesforce CEO Benioff shakes up executive team with new hires Six months after the company lost its co-CEO and announced it was laying off 10% of its global workforce, Salesforce’s top team is undergoing a major personnel change. By Charlotte Trueman Jun 07, 2023 3 mins Technology Industry Enterprise Applications opinion Cisco debuts bold portfolio of network, security, and observability solutions and previews generative AI capabilities for Webex and Security Cloud Cisco’s innovative technologies help connect the dots of its network- and cloud-based ecosystem. By Pete Bartolik Jun 07, 2023 4 mins Cloud Security brandpost Help wanted: IT tools and talent for building a multicloud estate Like all trade workers, IT leaders need the right tools and skills to succeed in a multicloud world characterized by application and data sprawl. By Chad Dunn, Vice President, Product Management, Dell APEX Jun 07, 2023 6 mins Multi Cloud Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe