Securing vCenter Server

Consider the following when planning security for vCenter Server:

  • Remove full administrative rights to vCenter Server from the local Windows administrator account and grant them to a special-purpose local vCenter Server administrator account.

You can give full vSphere administrative rights only to the specific administrators who genuinely need them, and you can restrict those rights to a particular group or set of members.

  • You can define rules for logging in directly to the vCenter Server system. Users with defined tasks log in to the system with audited events.
  • You must install vCenter Server using a service account rather than the local Windows system account. Using a service account enables Windows authentication for SQL Server with enhanced security. The service account must be an administrator on the local machine with all service rights.
  • Give a vCenter Server database user minimal access. The database user needs only the rights specific to database access, plus a few privileges required for installation and upgrades, which can be removed after the product is installed or upgraded.
  • Connect vCenter and the ESXi hosts to a directory service. Create users and groups in the directory service to simplify user and group management, and to present a consistent user and group view to any interface managing the environment.
  • Apply the principle of least privilege to users who have access to vCenter Server:
    • Enhances security by reducing the attack surface
    • Simplifies vCenter Server administration
  • Do not add Windows special identity groups (such as Everyone) to vCenter Server roles. Create specific Windows groups for specific vSphere management tasks and assign the appropriate user permissions.
    • Membership is automatically calculated by Windows and is not static
    • Not using these groups reduces unplanned access issues
  • Confirm that generic groups, such as the Windows Administrators group, do not have permissions in vCenter. Create a specific Windows group for vCenter Server system administration. This reduces the risk that Windows administrators who are not trained in vSphere gain privileged access to the vCenter Server system.
  • Configure additional administrators in vCenter Single Sign-On (SSO) users and groups, as appropriate, to allow multiple administrators access to the system in case an account is locked out.
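The two permission checks above (no special identity or generic Windows groups in vCenter roles, and a small named set of full administrators) can be audited with VMware PowerCLI. The script below is an added example, not part of the original text; it assumes PowerCLI is installed, that the running account can read vCenter permissions, and that vcenter.example.com is a placeholder for your vCenter Server. The principal name pattern is an assumption to adjust for your domain naming.

```powershell
# Added audit example (not from the original text). Assumes VMware PowerCLI is
# installed and the account running it can read permissions on vCenter.
# vcenter.example.com is a placeholder hostname.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.com' | Out-Null

# Principals that should not hold vCenter permissions: Windows special identity
# groups and generic local/domain groups. Pattern is an assumption; extend it
# with whatever generic groups exist in your environment.
$genericPrincipals = '^(.*\\)?(Everyone|Authenticated Users|Administrators|Users|Domain Users)$'

$findings = Get-VIPermission | Where-Object {
    $_.IsGroup -and $_.Principal -match $genericPrincipals
} | Select-Object Principal, Role, @{N = 'Entity'; E = { $_.Entity.Name }}, Propagate

if ($findings) {
    Write-Warning 'Generic or special identity groups hold vCenter permissions:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No generic Windows groups hold vCenter permissions.'
}

# Least-privilege check: which distinct principals hold the built-in
# Administrator role (role name "Admin") at the root folder? The list should be
# the small, purpose-built administrator group(s), not a broad set of accounts.
$rootFolder = Get-Folder -NoRecursion
$rootAdmins = Get-VIPermission -Entity $rootFolder |
    Where-Object { $_.Role -eq 'Admin' } |
    Select-Object -ExpandProperty Principal -Unique
Write-Host ("Principals with Administrator at root: {0}" -f ($rootAdmins -join ', '))

Disconnect-VIServer -Confirm:$false
```

Run it from a management workstation on a schedule and diff the output against the approved administrator group list so that unexpected grants surface as a change.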