Wednesday, August 29, 2012

vSphere 5.1 - The ROOT access is no longer COMMON

Just wanted to give you a taste of a new and enhanced ESXi 5.1 feature which improves the way administrators access the ESXi shell. The traditional way of getting the highest privileges on an ESXi shell was to use the "root" account. Even if you were an LDAP user or a locally added user on the ESXi host, you had to switch to the root account with the shell command "su", which grants root-level access for running commands on the ESXi shell.

But with the latest version, vSphere 5.1, the administrative privileges can be removed from the default root account and individually assigned to local users, which will provide them full access to the ESXi shell.

This is a cool enhancement: it not only makes the platform more secure, it also improves the auditing of ESXi shell activity, as the logging will now display the name of the user who is accessing the shell and performing administrative tasks. In previous versions it was literally impossible to track who had logged in with root access, as the logs would just show that the tasks were performed by the "root" user.

Let's see what kind of use cases this will help:

a) Organizations would not have to worry about resetting the root password under their password management policy, as root can now be disabled; hence they will have one less account to manage.

b) Sharing a password (the root user password) among admin team members is no longer required, ensuring no unauthorized access, an end to blame games, and a sense of accountability among the VMware administrators of an organization.

c) Monitoring and auditing become easier, as the log will reflect the username of whoever performed an activity instead of "root".
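To illustrate the auditing benefit in (c), here is an added example (not from the original post or from VMware) that groups shell commands by user and flags the ones run under a shared account. The sample lines are constructed, and the "shell[pid]: [user]: command" layout is an assumption about the shell log format that you should adapt to your hosts.

```python
import re
from collections import defaultdict

# Constructed sample lines; the "shell[pid]: [user]: command" layout is an
# assumption about the ESXi shell log format, so adapt LINE_RE to your hosts.
SAMPLE_LOG = """\
2012-08-29T09:12:03Z shell[4312]: [alice]: esxcli network nic list
2012-08-29T09:13:40Z shell[4312]: [alice]: vim-cmd vmsvc/getallvms
2012-08-29T10:02:11Z shell[4390]: [root]: esxcli system maintenanceMode set -e true
2012-08-29T10:05:57Z shell[4401]: [bob]: tail /var/log/vmkernel.log
2012-08-29T10:06:30Z shell[4401]: Interactive shell session started
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

SHARED_ACCOUNTS = {"root"}  # accounts that cannot be tied to one person


def audit_shell_log(text):
    """Group shell commands by user; return (per_user, unattributable, skipped)."""
    per_user = defaultdict(list)
    unattributable = []
    skipped = 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # no user tag on this line, nothing to attribute
            continue
        entry = (m["ts"], m["cmd"])
        per_user[m["user"]].append(entry)
        if m["user"] in SHARED_ACCOUNTS:
            unattributable.append(entry)
    return dict(per_user), unattributable, skipped


if __name__ == "__main__":
    users, shared, skipped = audit_shell_log(SAMPLE_LOG)
    for user, entries in sorted(users.items()):
        print(f"{user}: {len(entries)} command(s)")
    for ts, cmd in shared:
        print(f"REVIEW {ts}: shared-account command: {cmd}")
    print(f"{skipped} line(s) without a user tag skipped")
```

Once root is disabled and each admin has a named account, the "REVIEW" list should stay empty, and any entry in it is worth investigating.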

Another smart add-on to this feature is the ability to automatically terminate sessions which are left idle due to human error. For example: an admin with full shell access logs into an SSH session from his storage admin's system while troubleshooting an issue, and forgets to log out before taking that important call from his boss. Now the storage admin has full access to the shell, which could possibly be an issue.

To avoid such situations, a new advanced variable, UserVars.ESXiShellInteractiveTimeOut, is available to set a timeout value for any ESXi shell access. As soon as the timeout limit is reached, the session is terminated, making the shell inaccessible to the unauthorized user.

Do remember to use this excellent feature in your environments to make them more secure, reliable and manageable.






