VCAP-DCV Deploy Objective 8.1

Home / Permissions / VCAP-DCV Deploy Objective 8.1

We are now in the eighth and last section of the blueprint ,In this section we are going to cover “Manage authentication and end-user security”

Here are the objective from the blueprint :

  • Add/Edit Remove users on an ESXi host
  • Configure vCenter Roles and Permissions according to a deployment plan
  • Configure and manage Active Directory integration
  • Enable and configure an ESXI Pass Phrase
  • Disable the Managed Object Browser (MOB) to reduce attack surface
  • Analyze logs for security-related messages

Lab Setup:

Using VMware workstation:

  • Microsoft Servers 2012R2 for Services (DNS , DHCP, etc…)
  • Installed esx0
  • Installed VCSA

 Documents used:

  • vCenter Server and Host Management Guide v6.0
  • vSphere Security Guide v6.0
  • VMware vSphere vSphere 6.0 Hardening Guide


Add/Edit Remove users on an ESXi host:

For this task we will need to connect to the vSphere fat client (for the first time :-))

  • Click on the users tab
  • Right click in that window and click on add
  • Provide the username and password information
  • To edit or remove just right click and select the option.


Configure vCenter Roles and Permissions according to a deployment:

Please see my previous post

VCP6-DCV blueprint section 1: Configure and Administer vSphere 6.x Security – Objective 1.1 – Part 1


Configure and manage Active Directory integration:

To configure active directory, from the home screen click on System configuration >> choose the vCenter server>> manage>> active directory >>Join . add the domain information including username and password and after the task is complete restart vCenter



Once reboot is complete, navigate to Administration >> configuration>>identity sources and  click on the + sign to add new identity source, Choose Active directory(integrated windows Authentication) and click OK.(verify that your domain name is shown in the domain name field)



Enable and configure an ESXI Pass Phrase:

Pass phrases are disabled by default. To enable it set the Security.PasswordQualityControl advanced option for your ESXi host from the vSphere Web Client.

For example, you can change the option to the following: retry=3 min=disabled,disabled,16,7,7 This example allows pass phrases of at least 16 characters and at least 3 words, separated by spaces.

Another example from vSphere5 security doc.

retry=3 min=12,9,8,7,6 With this setting in effect, the password requirements are:

retry=3: A user is allowed 3 attempts to enter a sufficient password

N0=12: Passwords containing characters from one character class must be at least 12 characters long.

N1=9: Passwords containing characters from two character classes must be at least nine characters long.

N2=8: Passphrases must contain words that are each at least eight characters long.

N3=7: Passwords containing characters from three character classes must be at least seven characters long.

N4=6: Passwords containing characters from all four character classes must be at least six characters long.


Disable the Managed Object Browser (MOB) to reduce attack surface:

Starting with vSphere 6.0 the Managed Object Browser is disabled by default to avoid malicious configuration changes or actions. You can enable and disable the Managed Object Browser manually. To enable or disable the Managed Object Browser.

 vCenter >> Hosts and clusters >>highlight the host >> manage >> setting >> Advanced System Settings >> Config.HostAgent.plugins.solo.enableMob >> edit 

Analyze logs for security-related messages:

Log files to look at for security related messages:

  • /var/log/vmkernel.log
  • /var/log/vmkwarning.log
  • /var/log/vmksummary.log
  • /var/log/hostd.log
  • /var/log/vpxa.log
  • /var/log/auth.log
  • /var/log/syslog.log

Thanks for reading



Leave a Reply

Your email address will not be published. Required fields are marked *