From VMware vCenter Server Version 5 Security Technical Implementation Guide
Part of ESXi5-419
Associated with: CCI-000366
By default, the vCenter Server "Administrator" role allows users to interact with files and programs inside a virtual machine's guest operating system. Least privilege requires that this privilege not be granted to any users who are not authorized, to reduce the risk of loss of guest confidentiality, availability, or integrity. To prevent such loss, a non-guest access role must be created without these privileges. This role is for users who need administrator privileges, excluding those that allow file and program interaction within the guests.
Check that a role is used to manage the vCenter Server without the Guest Access Control (for example, "Administrator No Guest Access"), and that this role is assigned to administrators who should not have Guest file and program interaction privileges.

Log into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. Go to "Home >> Administration >> Roles" and verify that a role exists for administrators with Guest access removed. Right-click on the role name and select "Edit". Verify that under "All Privileges >> Virtual Machines" the "Guest Operations" checkbox is unchecked. Verify that users requiring Administrator privileges without Guest access privileges are assigned to that role and not to the default Administrator role. Ask the SA for a list of users that require administrator privileges without Guest access privileges and verify their role assignments.

If users requiring administrator privileges without Guest access privileges are assigned to the default Administrator role, this is a finding.
Create a role to manage vCenter without the Guest Access Control (for example, "Administrator No Guest Access"), and assign this role to administrators who should not have Guest file and program interaction privileges.

Log into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. Go to "Home >> Administration >> Roles" and verify that a role exists for administrators with Guest access removed. Right-click on the role name and select "Edit". Verify that under "All Privileges >> Virtual Machines" the "Guest Operations" checkbox is unchecked. Create account(s) requiring administrator privileges without Guest access privileges.
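
The role-assignment check above can also be evaluated offline against exported role and permission data. The script below is an added example, not part of the STIG: the export layout, role contents, principals and entity names are constructed assumptions, and it goes slightly beyond the check text by flagging any role that carries Guest Operations privileges, not only the default Administrator role.

```python
"""Offline evaluation of the check over exported vCenter roles and permissions."""

# Privilege IDs behind the "Guest Operations" checkbox share this vSphere prefix.
GUEST_OPS = "VirtualMachine.GuestOperations"

# Constructed sample export; names, principals and layout are assumptions.
ROLES = {
    "Administrator": [
        "System.View", "VirtualMachine.Interact.PowerOn",
        "VirtualMachine.GuestOperations.Query",
        "VirtualMachine.GuestOperations.Modify",
        "VirtualMachine.GuestOperations.Execute",
    ],
    "Administrator No Guest Access": ["System.View", "VirtualMachine.Interact.PowerOn"],
}
PERMISSIONS = [
    {"principal": "LAB\\alice", "role": "Administrator No Guest Access", "entity": "Datacenters"},
    {"principal": "lab\\Bob", "role": "Administrator", "entity": "Datacenters"},
    {"principal": "LAB\\carol", "role": "Administrator", "entity": "Datacenters"},
    {"principal": "LAB\\alice", "role": "Legacy Ops", "entity": "Cluster-A"},
]
NO_GUEST_USERS = ["LAB\\alice", "LAB\\bob"]  # constructed stand-in for the SA's list


def guest_privileges(privileges):
    """Return the Guest Operations privileges present in a role's privilege list."""
    return sorted(p for p in privileges if p == GUEST_OPS or p.startswith(GUEST_OPS + "."))


def audit(roles, permissions, no_guest_users):
    """Return (principal, role, entity, reason) findings for restricted administrators."""
    restricted = {u.lower() for u in no_guest_users}  # match principals case-insensitively
    findings = []
    for perm in permissions:
        if perm["principal"].lower() not in restricted:
            continue  # user is allowed guest access; out of scope for this check
        if perm["role"] not in roles:
            reason = "role missing from export, cannot verify"
        else:
            leaked = guest_privileges(roles[perm["role"]])
            if not leaked:
                continue  # role has Guest Operations removed: compliant assignment
            reason = "role grants " + ", ".join(leaked)
        findings.append((perm["principal"], perm["role"], perm["entity"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(ROLES, PERMISSIONS, NO_GUEST_USERS):
        print(finding)
```

Permissions granted through group membership are not resolved here, so expand groups to their member accounts before building the permission list.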