Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite


March 2009

Securing and auditing administrative access to the Virtual Infrastructure leveraging Active Directory

Abstract

The VMware ESX Server system has become a popular solution for running multiple virtual operating systems on a single physical server platform. To set up and manage virtual systems on an ESX host machine, an administrator needs to log in to one of the VMware administrative interfaces, which include both traditional command-line and interactive GUI tools. Administrators require superuser privileges for command-line access, while VMware provides a way to define role-based privileges for administrators using the GUI tools. Many organizations use both methods, which means they lack a single, centralized view of all administrative access to their VMware environment and the activity of administrators on those systems. In cases where VMware is used to host business-critical systems, this could represent an increased security risk and the likelihood of failed regulatory compliance audits. Productivity goes down and support costs go up when there is no consolidated way to control system access and privileges.


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005-2009 Centrify Corporation. All rights reserved.

Centrify and DirectControl are registered trademarks and DirectAudit and DirectAuthorize are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

1 Introduction ... 1

1.1 Account Management Challenges in VMware... 1

1.2 Administrative Access to VMware Virtual Infrastructure Servers ... 3

1.3 Centralizing Identity and Access Management with Centrify Suite... 4

2 Controlling Administrator Access to the Virtual Infrastructure... 5

2.1 Centralized Account Administration via Active Directory ... 6

2.2 Centralized Access Control Management within Active Directory... 8

2.3 Installing and Setting Up DirectControl on ESX Server ... 10

2.4 Comparing Centrify for Active Directory Integration with VMware Native Active Directory Integration ... 11

2.5 Addressing the Authentication Challenges with Centrify DirectControl ... 13

3 Managing Privileges with DirectAuthorize’s Role-Based Authorization Rights... 16

3.1 Centrally Managing Sudo Using Group Policy ... 16

3.2 Centralized Management of User Privileges with DirectAuthorize ... 19

3.3 Benefits of Centralized Role-Based Authorization through DirectAuthorize ... 20

4 Auditing Interactive Administrative Access Using DirectAudit... 22

4.1 Integrating DirectAudit into the Virtual Infrastructure ... 23

5 Hardening the VMware Infrastructure with Centrify Suite... 23

5.1 Security Hardening of the Service Console and VIMA ... 24

6 Benefits of the Centrify Suite for Virtualized Environments... 26

7 Summary ... 26


1 Introduction

Computer operating system virtualization has become a popular way for customers to address their needs for server workload management. Virtualization allows a customer to use a single host computer to run multiple operating systems, each in its own protected virtual machine environment.

There are two major approaches to running operating system virtualization software. The first allows a user with an existing operating system platform (such as Windows, Linux or Mac) to install the virtualization software as a standard application that runs side by side with other applications on that system. For example, a Windows desktop user could run a virtualization product with a Linux virtual machine enabled and thereby give the user the ability to access both Windows and Linux applications from a single Windows-based computer. The second approach is to dedicate a single physical computer to host only virtual machines and no other applications. This approach could be used, for example, by an Internet Service Provider to allow a single large computer to run isolated web sites for multiple customers.

VMware is one of the leading providers of virtualization software. They offer solutions for both desktops and servers, and support a wide range of operating systems used as hosts and as virtual machines. One of their popular products is VMware ESX Server, which runs on Intel x86-based systems. ESX Server leverages the second approach referred to above. It has a Linux kernel as the host operating system and is tuned to run only other independently managed virtualized operating systems. This Linux kernel provides for service console access to the ESX host for machine-level software and hardware maintenance.

1.1 Account Management Challenges in VMware

To set up and manage each of the virtual systems on an ESX host machine, an administrator needs to log in to one of the VMware administrative interfaces. Since the ESX Server runs on a version of Linux, the standard method for logging in to the host system via the Service Console is very similar to logging in to a Linux system: There is a root user, and additional users and groups can be configured and stored on the local host system using the same /etc/passwd and /etc/group method that standard Linux uses. Administrators with the appropriate set of privileges, called “roles” in VMware


credential that is recognized by the ESX host and authorized to perform the actions being requested.

Although ESX by default uses a local store of users and passwords for authentication, it is also possible to use other methods to validate user logins since its authentication framework is PAM (Pluggable Authentication Modules). PAM can be configured to support other authentication mechanisms and use a central directory service for authentication and user information storage.

Centralized directory services offer numerous benefits to the administrator, including:

• User accounts can be stored in a single, secure database available to many different systems as opposed to being stored and managed on each system.

• Managing permissions and policies can be centralized, resulting in better security for each system.

• Password management can be centralized and consistent user names applied.

• Provisioning and de-provisioning user accounts can be done very quickly from a single administrative system.

Since most enterprise organizations use Active Directory, have existing processes, and have trained staff for the administration of accounts and security policies, Centrify has developed an identity and access management solution, the Centrify Suite, to integrate non-Windows systems into Active Directory. Centrify Suite provides an agent which enables ESX systems to leverage Active Directory for centralized directory services, authentication, role-based privilege management, and policy controls.


1.2 Administrative Access to VMware Virtual Infrastructure Servers

There are many different ways for administrators to log in and manage the VMware Virtual Infrastructure, which increases the value of a solution that centralizes identity management and access controls for administrators.

Figure 1. VMware management interfaces

The interfaces provided by VMware include the following:

• SSH to the Service Console. The most basic form of administrative access is via command line on the ESX server directly, which can be accessed via SSH.

• VMware Infrastructure Management Assistant. An ESXi system does not provide a service console for normal access except when directed by a VMware Support Engineer. For this reason, VMware provides a specially configured virtual machine, called the VMware Infrastructure Management Assistant (VIMA), which hosts remote management functions. This host allows administrators or developers who have logged into the system to run commands and scripts to remotely perform many of the administrative tasks that would have normally been done directly on the service console of individual ESX hosts. VIMA is capable of managing multiple ESX or ESXi hosts.

• VMware vCenter Server. vCenter Server can centrally manage hundreds of ESX hosts with thousands of virtual machine guests. This server can be accessed either by VMware’s Virtual Infrastructure Client or Virtual Infrastructure Web Access interface.


multiple ESX or ESXi hosts either directly or via the VMware vCenter Server (previously known as VMware Virtual Center).

• VMware Virtual Infrastructure Web Access. From any client system, administrators can use this web interface to access either the vCenter Server or a given ESX host directly.

All of these interfaces require the administrator to log in. The Virtual Infrastructure Client and web interfaces grant the user rights to perform tasks based on the user’s role as defined in either vCenter or locally on the ESX host; however, administrative access to the command line requires that the user be granted root permissions to carry out typical administrative tasks. To simplify the management of administrators’ access and their associated rights, Centrify leverages Active Directory to control access and permissions with the Centrify Suite.

1.3 Centralizing Identity and Access Management with Centrify Suite

The Centrify Suite is an integrated family of Active Directory-based auditing, access control and identity management solutions that provides the security required to ensure that only authorized admins can access and manage your Virtual Infrastructure, satisfying auditors working on regulatory compliance initiatives. DirectControl secures UNIX, Linux and Mac platforms using the same authentication and Group Policy services deployed on Windows environments. DirectAuthorize centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems. DirectAudit audits user activity in near real-time, providing a centralized and correlated view of all activity on UNIX/Linux systems based on users or machines. These products are all built on a common architecture to help you centrally secure your Virtual Infrastructure.

The Centrify Suite provides many of the controls for both access and privilege management that are typically required by auditors. The solution enables you to:

• Centrally manage access controls to ensure that the appropriate administrators have access only to the Virtual Infrastructure Servers needed to fulfill their job role. Centrify supports further segregation between administrative staff based on access controls managed within Active Directory.

• Centrally control privileges of administrators when they access the service console. You can grant privileges where needed and lock down the root account, preventing login with this privileged account.

• Provide administrators with single sign-on for access to the service console through an Active Directory-integrated terminal.


• Audit administrative activity on the ESX hosts to ensure that security policies are being properly enforced.

• Oversee administrative access and activity on all audited systems, enabling faster root cause analysis.

Once the ESX and VIMA servers are integrated into Active Directory, administrators can use their existing Active Directory user ID and password to log in to any of the management interfaces for the Virtual Infrastructure. This provides the security officer and IT manager with the peace of mind that all access and privileges can be controlled from a single place, Active Directory, enabling an account to be disabled centrally for all systems if an administrator were to leave the organization.

Figure 2. Active Directory-integrated login with the Centrify Suite.

2 Controlling Administrator Access to the Virtual Infrastructure

Centrify DirectControl supports the most complex of environments and at the same time can be deployed quickly without requiring costly or intrusive changes to existing systems. It was designed to uniquely support multiple administrative and security boundaries once a system has been integrated into Active Directory as required in order to support delegated administration. By using DirectControl, administrators no longer need to manage accounts on each individual system, but instead can use Active Directory for identity, access and policy management.


the Active Directory Users and Computers (ADUC) MMC through property page extensions. There is also a web-based console that provides cross-platform access to essential administrative operations.

DirectControl integrates into the Linux OS of the ESX host through a daemon service that controls login authentication and directory lookup services, vectoring those calls back to the Active Directory system; thus effectively turning the host system into an Active Directory client. Additionally, command-line utilities are included to join the UNIX system to the Active Directory domain and perform various administrative and diagnostic tasks such as managing users and groups. The Centrify Suite is also supported on most of the popular UNIX, Linux and Mac platforms in use today in addition to VMware’s ESX Server, which can be valuable in managing other Virtual Machine guests.

Controlling administrator access involves both a) controlling which administrators can manage the account management system (in this case, Active Directory) and b) controlling which users or administrators are authorized to log in to specific ESX hosts. The first issue to deal with is how to effectively manage administration in a centralized directory while controlling which administrators – Active Directory admins or various groups of UNIX admins – can perform these account management functions. The second issue deals with actually enabling specific Active Directory users to log in to a given host or set of host systems. Let’s first take a look at the centralized account administration system that Active Directory provides and how it can be used to manage administrative access to ESX hosts.

2.1 Centralized Account Administration via Active Directory

DirectControl enables ESX servers to join to an Active Directory domain, thus becoming a managed computer object within the directory. These computer objects can be pre-created before the host is joined to the domain depending on the desired computer management process within the organization. By default, once a computer has joined Active Directory, any user with a valid Active Directory account can potentially log in to that host, which is not what is desired for access controls to ESX or UNIX hosts. For this reason, Centrify developed its unique Zone technology, which enables logically grouping hosts along geographic, departmental or functional boundaries. The hosts within a Zone share common UNIX/Linux identity attributes such as UNIX userid or group


Figure 3. Delegated administration through Centrify Zones


Figure 4. Zone-based user access controls

Zones can be a powerful way to separate both the account administrative duties between various departments as well as between administrators serving different roles. As shown in Figure 4 above, you see that a Zone can be defined for a department such as HR to manage all their own servers, including both ESX servers as well as any Linux guest VMs. However, the administrator for the VM Server Zone can only manage access to the ESX hosts while different administrators have the appropriate rights to manage access to the Dev and Finance Zones. Since a Zone is simply a logical collection of systems based on either administrative or access control boundaries, it provides a very flexible mechanism to control user access or, in the case of ESX servers, admin access to the virtualized environment.

2.2 Centralized Access Control Management within Active Directory

Using DirectControl and Active Directory, account administrators can identify users (ESX admins) who need to have access to the virtual machine management consoles on ESX servers and then easily enable access for those users with their Active Directory-managed credentials.


management tools such as the MMC-based DirectControl Administrator Console. Once users have been added to the ESX Server Zone, they simply log in to the ESX server using their Active Directory username and password. If this is the first time that a user has logged in, DirectControl automatically provisions their default shell and home directory. Individual accounts no longer need to be created and managed on each ESX server. Not only are ESX Service Console logins enabled with DirectControl, the Active Directory identity is leveraged across other VMware management interface options, including the Virtual Infrastructure Client (VI Client) and Virtual Infrastructure Web Access (VI Web Access).

By centralizing user and computer access rights into Active Directory, administrators now have much tighter control over who uses their ESX Server systems. With Centrify DirectControl, numerous options exist for securing access, including:

• Restricted user entry based on membership in an ESX Server Zone. The Zone thus defines the security boundary that controls access to systems contained in it.

• Ability to centrally manage group memberships based on users’ roles.

• Ability to leverage Active Directory account controls for password strength and aging, computer access hours and disabling as well as terminating accounts.

• Ability to leverage Group Policy to further control system and application configuration such as SSHD and sudoers.

• Ability to map root user accounts on ESX servers to an Active Directory user account leveraging an Active Directory-managed password, instead of managing root access on each individual server as shown in Figure 5 below.


DirectControl provides the infrastructure on the ESX server to control which user can log in to specific systems or Zones of systems. The rights a user has upon login can also be centrally controlled through Centrify DirectAuthorize, which is described further in the next section. But first let’s see how easy it is to install and set up DirectControl on ESX servers.

2.3 Installing and Setting Up DirectControl on ESX Server

Complete instructions on installing and configuring DirectControl can be found in the documentation that comes with DirectControl, but essentially the installation and configuration process consists of three high-level tasks.

First, the DirectControl Administrator Console needs to be installed on a Windows system that is joined to the domain you wish to use. This can be Windows XP, Vista, or Windows Server 2000, 2003 or 2008. Active Directory administrator permission is required in order to install DirectControl. Once the Administrator Console is installed on Windows, you need to set up a Centrify Zone that can be used while joining the ESX server to the domain. Zones are collections of systems, users and groups that share similar access profiles, functions, or common attributes. The ESX server can join the default Zone that gets set up when you install DirectControl, or you can set up a new Zone.

Next, install the DirectControl Agent on the ESX server you wish to use and join it to the Active Directory domain and the appropriate Zone using the adjoin command.

Once the ESX server has been joined to the Active Directory domain, use any one of the DirectControl management tools to grant access to the ESX server for the appropriate Active Directory users. The ESX root user ID can be mapped to an Active Directory user account if you choose. Keep in mind that it is necessary to enable only the users who actually need access to the ESX Service Console for the purpose of administering the ESX server. DirectControl has the ability to allow access for users in the defined Zone as opposed to granting access to all Active Directory users (which of course would not be desirable).
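The three tasks above, as an added shell script that is not part of the Centrify paper or product. It assumes the Zone was already created in the Windows Administrator Console and the agent package is already installed; `adjoin` and `adinfo` are the agent commands the paper names, and the `-z` (zone) and `-u` (join account) options are assumed from adjoin's documented syntax. The hostname check is included because the host becomes an Active Directory computer object, whose NetBIOS name is limited to 15 characters of letters, digits and hyphens:

```shell
#!/bin/sh
# Added example wrapping the join procedure described above; not Centrify's own tooling.
# Assumptions (labelled): Zone already exists, agent already installed,
# `adjoin -z <zone> -u <AD account> <domain>` and `adinfo` are the agent's CLI entry points.

# Validate the NetBIOS form of the host name before touching the directory, so a
# rejected join does not leave a half-created computer object behind.
precheck_hostname() {
    name=$1
    case "$name" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;   # empty, or contains a character AD rejects
    esac
    [ "${#name}" -le 15 ] || return 1      # NetBIOS computer names are at most 15 chars
    case "$name" in
        -*|*-) return 1 ;;                 # must not begin or end with a hyphen
    esac
    return 0
}

# Join this host to the domain and the given Zone, then report the join status.
join_esx_host() {
    domain=$1 zone=$2 aduser=$3
    host=$(hostname -s)
    if ! precheck_hostname "$host"; then
        echo "refusing to join: '$host' is not a valid AD computer name" >&2
        return 1
    fi
    # The account in $aduser is prompted for its password by adjoin itself.
    adjoin -z "$zone" -u "$aduser" "$domain" || return 1
    # adinfo with no arguments prints the joined domain, zone and agent mode;
    # use it as the post-join verification step.
    adinfo
}

# Usage: sh join-esx.sh corp.example.com "ESX Servers" esxjoin
# (domain, zone name and join account are constructed placeholders)
if [ "$#" -eq 3 ]; then
    join_esx_host "$1" "$2" "$3"
fi
```

Run it on the ESX service console as root; grant access to the Zone's users from the Administrator Console afterwards, as the third step describes.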

That’s it. The whole installation process takes a matter of minutes. Once this has been completed, the ESX server can be used in exactly the same way as before for all functions, but now user and authentication credentials are stored in Active Directory instead of local system files. It is important to note that authentication through Active Directory and DirectControl is supported for all VMware Infrastructure administrative modes, including:

• Local Service Console logins

• VI Client

• VI Web Access

DirectControl becomes even more useful as the number of ESX servers increases, since account control for all these platforms can be done from a single DirectControl console tied into Active Directory. Centralizing account administration enables rapid deployment and de-commissioning of users and administrators from your virtual infrastructure.

2.4 Comparing Centrify for Active Directory Integration with VMware Native Active Directory Integration

VMware published a technical note titled Enabling Active Directory Authentication with ESX Server (http://www.vmware.com/pdf/esx3_esxcfg_auth_tn.pdf). This paper discusses using the esxcfg-auth tool to set up Kerberos authentication through Active Directory. The command syntax of this tool is as follows:

esxcfg-auth --enabled --addomain=<domain name> --addc=<domain controller name>

This tool configures PAM and modifies the ESX server configuration to do login authentication from the specified Active Directory domain controller. After executing the preceding command, you then create a local account for each user who requires access to the ESX server, making sure that the user ID is exactly the same as his Active Directory user name.

This process would then need to be repeated for every ESX server in your environment. While these steps do enable authentication from an Active Directory system for an ESX Server, it does not leverage Active Directory for authorization, centralized directory services or policy management. Specifically, the methods outlined in this paper have the following serious shortcomings (most of which are discussed in the paper):

• This is not a truly integrated solution as it does not offer a single source for defining, managing and authenticating user accounts. While the esxcfg-auth tool allows you to use Active Directory to authenticate users, you cannot use Active Directory to define and manage user accounts for ESX. User accounts are still created and maintained on each ESX server.

• The process to enable Active Directory authentication for every user who requires access to the ESX server is clumsy. For each individual user, you must also create a corresponding user account on the ESX host server. Authorized users can log in under two scenarios: (a) if they have a valid Active Directory password associated with the user name they provided and if they have a local account in /etc/passwd


• If the network goes down or the Active Directory system is unavailable, users who use Active Directory for authentication will not be able to log in to the ESX server. Credentials are not cached, and there is no provision for the underlying Kerberos authentication session to fail over to a backup system.

• Given the issues with the previous point, the paper recommends not using Active Directory authentication for the root account. This means that there are few controls over who has access to the superuser account on each ESX server and also means that the root user password needs to be set manually for every ESX server.

• There is also more network traffic with each Kerberos transaction since this method does not support any type of caching.

• The machine name for the Active Directory / Kerberos server is hard-coded in the system files for each ESX server. If the name of the closest domain controller changes, the administrator needs to manually update this information in each system file on each ESX server.

• The ESX server is not joined to the domain, so Active Directory has no knowledge of the system or any control over the ESX server. This means that if the administrator wanted to temporarily restrict access to an ESX server or a whole set of ESX servers, he or she would have no way to accomplish this from Active Directory.

• The paper does not provide guidance on how to set up FTP or SSH for accessing the ESX server. Typically, having access to these services is essential for system administrators. Also, there is no guidance on setting up this new authentication method for all management session types (Remote Console, VMware Management Interface, etc.).

• The paper acknowledges that this method for authentication will fail if the user is a member of more than 15 Active Directory groups, which in a large enterprise is quite common.

• There is no guidance on how to track access to the ESX server using this implementation.
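The per-host burden described in these points (every authorized Active Directory user also needs a same-named local account on every ESX server, and nothing in the directory can revoke that access) can at least be audited. The script below is an added example, not from the VMware note or the Centrify paper: it compares a host's passwd file against an exported list of the AD users who are currently authorized and reports local "mirror" accounts that no longer correspond to an authorized user. Both input files are constructed sample data; the UID cutoff of 500 and the file names are assumptions.

```shell
#!/bin/sh
# Added example: reconcile per-host local accounts (esxcfg-auth model) against the
# currently authorized Active Directory user list. Sample inputs are constructed.

# Constructed: passwd from one ESX host. UID >= 500 are the hand-created mirror
# accounts; lower UIDs are system accounts (including VirtualCenter's vpxuser).
cat > passwd.sample <<'EOF'
root:x:0:0:root:/root:/bin/bash
vpxuser:x:499:499:VMware VirtualCenter administration account:/:/sbin/nologin
jsmith:x:500:500:Jane Smith:/home/jsmith:/bin/bash
bjones:x:501:501:Bob Jones:/home/bjones:/bin/bash
mlee:x:502:502:Mei Lee:/home/mlee:/bin/bash
EOF

# Constructed: AD user names currently authorized for ESX access, one per line
# (for example, exported from the AD group tied to ESX administration). bjones
# has been removed from that group but still has a local account on the host.
cat > authorized.sample <<'EOF'
jsmith
mlee
EOF

# Print local accounts with uid >= min_uid whose name is not in the authorized list.
# Usage: orphaned_accounts <passwd file> <authorized list> [min uid, default 500]
orphaned_accounts() {
    passwd_file=$1 auth_file=$2 min_uid=${3:-500}
    awk -F: -v min="$min_uid" -v authf="$auth_file" '
        BEGIN { while ((getline u < authf) > 0) { sub(/\r$/, "", u); ok[u] = 1 } }
        $3 >= min && !($1 in ok) { print $1 }
    ' "$passwd_file"
}

# Return 1 when any orphan exists so the check can gate a configuration run;
# findings go to stderr.
check_host() {
    orphans=$(orphaned_accounts "$1" "$2")
    if [ -n "$orphans" ]; then
        echo "local accounts without a currently authorized AD user:" >&2
        echo "$orphans" >&2
        return 1
    fi
    return 0
}

if check_host passwd.sample authorized.sample; then
    echo "passwd.sample is consistent with authorized.sample"
fi
```

With DirectControl the same question is answered in one place, because access is decided by Zone membership in Active Directory rather than by a local account on each host; with esxcfg-auth this script has to run on every ESX server after every de-provisioning.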

Given all of these challenges, the proposed solution in the VMware paper will be untenable for many organizations. VMware offers another product, VirtualCenter, which provides centralized administration and management for ESX servers connected on a network. It acts as a control node for configuring, provisioning and managing a


permissions (“roles”) within VirtualCenter. However, on the back end, VirtualCenter still uses the standard Linux authentication mechanism. Whenever an ESX server host is added to it, VirtualCenter creates a Linux user account (vpxuser) that has root privileges. This account is used only to authenticate the connection between the host and VirtualCenter.

Although VirtualCenter resolves the issue of separate password management and account management in the esxcfg-auth tool, it has a number of shortcomings in its integration with Active Directory:

• VirtualCenter serves as a central point to manage multiple virtual machines and resources that are distributed over many ESX server hosts. Therefore, it is not cost-effective for small deployments.

• This is still not a seamlessly integrated solution. You cannot use VirtualCenter to manually create and remove ESX users or groups, or to view and modify their properties such as passwords. You will have to use the Microsoft tools for user account and password management.

• There are still occasions when you need to access an ESX server host via other mechanisms; for example, when VirtualCenter is unavailable or has lost its connection to the domain controller. In addition, there are still a few administrative tasks that must be performed directly on the ESX host and not through VirtualCenter.

Can Centrify DirectControl provide a better integration with Active Directory? Yes it can, as described in the next section.

2.5 Addressing the Authentication Challenges with Centrify DirectControl

Centrify DirectControl is engineered not only to be easy to use but also to be a completely integrated authentication, authorization, directory and policy solution. As a result, the issues highlighted in the previous section are fully resolved with DirectControl. Specifically:

• Unlike the esxcfg-auth tool, DirectControl provides unified account and password management. There is no need to create a local user and map it to the Active Directory account for every user that you want to grant access to the ESX Server host.


Administrator Console so you can view and modify all the attributes of Active Directory’s user, group and computer objects, including the DirectControl ones.

• With the Centrify solution, authorization is handled from one central place using the DirectControl Administrator Console. The administrator has the ability to create an explicit access list of users for each ESX server. Through the use of Centrify Zones, ESX administrators can be members of their own Zone of ESX servers, further simplifying the access control for those systems. In addition, users can be further restricted based on policies such as authorized access times. Authorized users can also be placed in Active Directory groups that are visible from ESX as though they were local groups. This allows a high level of fine-grained access control for each ESX server. If changes need to be made, they can be done from a single point of administration, the DirectControl Administrator Console.

• DirectControl fully supports the caching of login credentials. If a user has logged in to the ESX server at least once, then he or she can continue to log in to that system even if the network is down. Or, the administrator can configure users or groups for pre-validation so that they can access offline machines using their Active Directory credentials without having logged in previously. Also, when a user logs in for the first time, DirectControl automatically creates a home directory environment for the user if one does not already exist. DirectControl can also automatically find the closest available Active Directory domain controller, so that if one domain controller is taken offline, another can be automatically used without the need to reconfigure the ESX server.

• Since login credentials are cached, network traffic is reduced. This is an important consideration where multiple virtual machines are sharing the same network interface with the host ESX server.

• Login credentials can also be pre-cached for those administrators who must always be able to log in with their account regardless of the state of the network connectivity, such as at a remote location with a down WAN link where the ESX system requires administrative access for maintenance.

• DirectControl includes a feature for root user mapping. This means the root account for every machine can be mapped to an Active Directory user, and password control is maintained in a central place. With support for offline caching, the root user can still log in to ESX server even if the Active Directory system is unavailable.

• As mentioned in a previous point, DirectControl manages the interactions with the Active Directory domain controller and automatically finds the closest controller for each controller request.

• With DirectControl, the ESX server is joined to the Active Directory domain. As with other systems in the domain, the administrator has full control over access to the ESX server, including temporarily disabling logins – for example, during a


• DirectControl automatically configures access to popular services such as FTP, Telnet and SSH to use secured authentication via Kerberos to Active Directory. For example, Centrify provides a compiled version of the latest OpenSSH distribution that is linked with the DirectControl Kerberos libraries to automatically support PAM and Kerberos for single sign-on access.

• DirectControl ensures that a single authentication method is used across all supported VMware management session types, including the local Service Console, VMware Management Interface (VI Client and VI Web Access) as well as Remote Console sessions such as via the SSH protocol.

• DirectControl does not impose any limits on group membership.

• DirectControl’s integration with Active Directory has proven to work in complex environments – for example, in a topology with multiple forests that requires one- or two-way trusts.

In addition, Centrify DirectControl has other advantages beyond providing identity management:

• DirectControl fully supports Microsoft Group Policy and includes an extensive set of policies out-of-the-box for security and configuration management. You can use DirectControl’s built-in Group Policy engine to distribute computer and user policies to a set of ESX servers. Such policies can copy configuration files to target systems, manage various configuration parameters such as login settings, password prompts, password caching and Kerberos settings, as well as define sudo permissions. For added flexibility, you can even create your own custom policies specifically tailored for your virtualized IT infrastructure. Through the deployment of policies to your ESX servers, you ensure consistent machine configuration and further control the ESX session behavior. As a result you streamline your IT operations and reduce administrative costs.

• In addition, since ESX administration can be performed through a remote connection via the SSH protocol, you can also use the Centrify SSH Group Policies to configure who can connect to the host using SSH, such as restricting SSH access to members of a specific group or preventing root login via SSH.

• DirectControl is supported on most of the UNIX and Linux platforms available today, plus Mac OS X, so customers can have a consistent Active Directory integration solution across their non-Microsoft platforms.

• This integration can also be extended to the Linux and UNIX virtual machines running inside ESX server. Each virtual machine, or groups of machines, can be managed within a dedicated Zone. This is particularly useful when ESX server is used for outsourcing environments where identity groups from different


• The DirectControl identity management solution extends beyond validating login sessions. DirectControl can also support applications that take advantage of LDAP, Kerberos, GSSAPI or SPNEGO APIs for directory services and authentication. This means customers could design custom applications for ESX (such as a customer bill-back system for virtual machine usage) based on validated identities stored in Active Directory.

3 Managing Privileges with DirectAuthorize’s Role-Based Authorization Rights

VMware provides an authorization environment that relies on roles which are defined within VMware vCenter Server. These roles are also defined within the ESX server to manage users who access the server using the Virtual Infrastructure Client. The role that a user or administrator is assigned determines what operations that user is allowed to execute.

However, when administrators access the Service Console – either directly on the ESX server or via the Virtual Infrastructure Management Assistant (VIMA) – their rights can be assigned only by the underlying operating system. Managing rights is important in this case because several ESX command-line utilities require privilege within the Linux environment in order to operate properly. Many times administrators will either a) use the root account to log in to the service console of the ESX server or to the VIMA, or b) use their own account to log in and then switch to the root user with the su command in order to execute these commands. Unfortunately, both methods of running commands with privilege require the administrators to know the root account password, which is one of the first things that security best practices would prohibit.

The challenge is to grant administrators the right to execute the privileged commands required to perform their duties, but to do so without knowledge of the root account’s password. The following sections discuss two ways to centrally manage privileges: by leveraging a) Group Policy to centrally manage the Linux sudo command or b) Centrify’s centralized privilege management solution called DirectAuthorize.

3.1 Centrally Managing Sudo Using Group Policy

The first method of centrally managing privileges involves using the Linux operating system’s sudo command. After logging in with their own account, administrators can run privileged commands by using the command sudo in front of the privileged command. Sudo looks up the current user’s Linux identity or local group in the sudoers


Figure 6. Example of a local sudo policy configuration file

One of the primary challenges to deploying sudo broadly throughout an enterprise is managing and maintaining a consistent configuration file across a large population of systems, such as ESX servers, VIMA systems and UNIX/Linux guest VMs. The example in Figure 6 shows a typical ESX server’s default sudoers configuration file, which simply grants the root account the ability to run any command as root. To deploy sudo to manage privileges, IT security managers need to add, for each administrator or group of administrators, an entry that grants them specific rights.

In the following example, the group esxadmin has been granted the rights to execute three commands – esxtop, vdf and esxcfg-info – as the root account without being challenged for their own password. With DirectControl, we can use Windows Group Policy tools to centrally and securely distribute this sudoers file to ESX servers.

%esxadmin ALL=(ALL) NOPASSWD: /usr/bin/esxtop, /usr/sbin/vdf, /usr/sbin/esxcfg-info

Figure 7. Example ESX admin rights grant in the /etc/sudoers file
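Before a sudoers file like the one in Figure 7 is pushed to every ESX server, it is worth reading back exactly what it grants. The following Python script is an added example, not Centrify's or VMware's code: it parses user specifications of the two forms shown in this section (the default root entry and a %group grant with a command list) and reports unrestricted or password-free grants. The sudoers text inside it is a constructed sample built from the default root entry described above and the esxadmin line in Figure 7.

```python
"""Audit the scope of privilege a sudoers file grants.

Added example, not Centrify's or VMware's own code. It parses the two
user-specification forms that appear in this paper (the default
'root ALL=(ALL) ALL' and a %group grant with a command list) and reports
which principals may run which commands as which user, and whether the
NOPASSWD tag waives the password prompt.
"""
import re
from dataclasses import dataclass

# Keywords that begin lines which are not user specifications.
NON_USER_SPEC = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# user_or_%group  hosts = (runas) [TAG: ...] command[, command...]
USER_SPEC = re.compile(
    r"^(?P<who>%?\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


@dataclass
class Grant:
    who: str          # user name, or %group for a group
    hosts: str        # host list the entry applies to (ALL in this paper)
    runas: str        # target user(s); sudo defaults to root when omitted
    nopasswd: bool    # True if the NOPASSWD tag was present
    commands: list    # command paths, or ["ALL"] for an unrestricted grant


def parse_sudoers(text: str) -> list:
    """Extract user-specification lines from sudoers text."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith(NON_USER_SPEC):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        commands = [c.strip() for c in m.group("cmds").split(",")]
        grants.append(Grant(
            who=m.group("who"),
            hosts=m.group("hosts"),
            runas=m.group("runas") or "root",
            nopasswd="NOPASSWD:" in (m.group("tags") or ""),
            commands=commands,
        ))
    return grants


def audit(grants: list) -> list:
    """Return human-readable findings about broad or password-free grants."""
    findings = []
    for g in grants:
        if "ALL" in g.commands:
            findings.append(f"{g.who}: unrestricted, may run any command as {g.runas}")
        if g.nopasswd:
            findings.append(f"{g.who}: NOPASSWD for {', '.join(g.commands)} as {g.runas}")
    return findings


# Constructed sample: the default root entry plus the Figure 7 grant.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL) ALL
%esxadmin   ALL=(ALL) NOPASSWD: /usr/bin/esxtop, /usr/sbin/vdf, /usr/sbin/esxcfg-info
"""

if __name__ == "__main__":
    for finding in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(finding)
```

On the host, visudo -c still validates the syntax; this check reads the policy's scope instead. A NOPASSWD tag on a short, absolute-path command list such as the esxadmin line is a deliberate trade-off, whereas the same tag next to ALL is the kind of finding that should stop a file before Group Policy distributes it.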

There are several advantages to leveraging Group Policy to centrally enforce policies on UNIX and Linux systems, including ESX servers. First, we can use Active Directory group management to control UNIX/Linux group membership; in this example, individual Active Directory accounts can be added to or removed from the esxadmin group in Active Directory without having to redistribute the sudoers file. The Group Policy Object Editor, which is a familiar interface for Windows admins, can be used to control the contents of the sudoers config file and to define distribution settings. A single, consistent sudoers file can be pushed to every DirectControl-managed ESX server over an


Group Policy for UNIX/Linux can also be used to manage many common configuration files in UNIX, including the sudoers file, crontab file, SSHD settings, IP tables, firewall settings and screen lock settings. Group Policies are also available to set DirectControl configuration options on the managed systems.

The following figure shows the interface in the Group Policy Object Editor used to set the sudoers file for the ESX servers.

Figure 8. The sudo rights property page within the Group Policy Object Editor


3.2 Centralized Management of User Privileges with DirectAuthorize

Centrify DirectAuthorize provides an alternative method of controlling user privileges by leveraging Active Directory to centrally manage and enforce role-based entitlements. DirectAuthorize provides fine-grained control over user access and privileges on UNIX and Linux systems, including ESX. By controlling how users access systems and what they can do once logged in, DirectAuthorize enables organizations to lock down sensitive systems and eliminate uncontrolled use of root accounts and passwords. DirectAuthorize simplifies privilege management by enabling administrators to define privileged commands and then grant the right to use those commands to specific roles. Using a Windows MMC console, administrators define each command along with the available options. This eliminates the need for administrators to have detailed knowledge of sudoers file syntax. The data is stored centrally in Active Directory and retrieved upon login when needed by the dzdo policy enforcer, DirectAuthorize’s equivalent of sudo.

Figure 9. Privileged command definition in DirectAuthorize


administrators log in to a system, switch to the root or other superuser account, and then execute various commands as that privileged user. With DirectAuthorize, once they log in using their own account, they can simply precede commands with dzdo, and those commands are executed with the correct privileges.

To further control exactly which commands a user can run, DirectAuthorize provides a Restricted Environment. A Restricted Environment restricts a user in a role to a specific “whitelist” of commands. Users only need to learn the exact commands they need to execute.

A Restricted Environment can be defined for ESX administrators or help desk personnel so that they can easily log in to perform specific sets of tasks, such as running vdf or esxtop, as if they were root. They can simply log in using their own account and run these commands without having to know the root password. The benefit is that IT can now grant the appropriate permissions to enable lower-level administrators to perform their duties without exposing the password of privileged accounts.

Figure 10. Restricted Environment definition in DirectAuthorize
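The decision logic behind a Restricted Environment is a default-deny whitelist: a user may run a command only if one of that user's roles lists it, and everything else is refused. The Python model below is an added example, not DirectAuthorize's code, data model or file format. It also makes each grant optionally time bounded (date range, weekdays, hours), since the paper notes in Section 5.1 that DirectAuthorize grants can be limited to specific dates and times. The role names, user names, argument patterns and schedules are constructed for the example; the command paths are the ESX utilities named in this section.

```python
"""Role-based command whitelist with time-bounded grants.

Added example; not DirectAuthorize's own code or format. A user's roles
each carry a whitelist of commands; anything not listed is denied by
default, and a grant may be limited to a date range, weekdays and hours.
"""
import re
import shlex
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional


@dataclass(frozen=True)
class Grant:
    command: str                          # absolute path of the permitted program
    args: str = ".*"                      # regex the argument string must fully match
    run_as: str = "root"                  # account the command runs as
    start: Optional[date] = None          # first valid day (None = unbounded)
    end: Optional[date] = None            # last valid day (None = unbounded)
    weekdays: Optional[frozenset] = None  # 0=Monday .. 6=Sunday (None = any day)
    hours: Optional[tuple] = None         # (from, to) as time objects, from <= t < to

    def active_at(self, when: datetime) -> bool:
        """True if the grant's time bounds (if any) include 'when'."""
        if self.start is not None and when.date() < self.start:
            return False
        if self.end is not None and when.date() > self.end:
            return False
        if self.weekdays is not None and when.weekday() not in self.weekdays:
            return False
        if self.hours is not None and not (self.hours[0] <= when.time() < self.hours[1]):
            return False
        return True


BUSINESS_HOURS = (time(8, 0), time(18, 0))
WEEKDAYS = frozenset(range(0, 5))

# Constructed roles: help desk may only inspect a host during business hours,
# and only esxtop in batch mode or with no options; ESX administrators may
# also query host configuration at any time.
ROLES = {
    "helpdesk": (
        Grant("/usr/bin/esxtop", args=r"(-b)?", weekdays=WEEKDAYS, hours=BUSINESS_HOURS),
        Grant("/usr/sbin/vdf", weekdays=WEEKDAYS, hours=BUSINESS_HOURS),
    ),
    "esxadmin": (
        Grant("/usr/bin/esxtop"),
        Grant("/usr/sbin/vdf"),
        Grant("/usr/sbin/esxcfg-info"),
    ),
}
USER_ROLES = {"alice": ("esxadmin",), "bob": ("helpdesk",)}   # constructed users

# Constructed timestamps: 10 March 2009 is a Tuesday, 14 March 2009 a Saturday.
SAMPLE_TIMES = {
    "tuesday_morning": datetime(2009, 3, 10, 10, 0),
    "tuesday_night": datetime(2009, 3, 10, 22, 0),
    "saturday_morning": datetime(2009, 3, 14, 10, 0),
}


def authorize(user: str, command_line: str, when: datetime) -> tuple:
    """Decide whether 'user' may run 'command_line' at 'when'.

    Returns (allowed, reason). The default is deny: a command is allowed
    only when some role of the user lists it with matching arguments and
    that grant is active; a listed but out-of-window grant is reported as such.
    """
    parts = shlex.split(command_line)
    if not parts:
        return False, "denied: empty command"
    program, args = parts[0], " ".join(parts[1:])
    inactive = []
    for role in USER_ROLES.get(user, ()):
        for g in ROLES.get(role, ()):
            if g.command != program or not re.fullmatch(g.args, args):
                continue
            if g.active_at(when):
                return True, f"allowed by role '{role}' (run as {g.run_as})"
            inactive.append(role)
    if inactive:
        return False, f"denied: grant in role '{inactive[0]}' is outside its time window"
    return False, "denied: command is not on any role whitelist for this user"


if __name__ == "__main__":
    for user, cmd, key in (("bob", "/usr/bin/esxtop -b", "tuesday_morning"),
                           ("bob", "/usr/bin/esxtop", "tuesday_night"),
                           ("bob", "/usr/sbin/esxcfg-info", "tuesday_morning"),
                           ("alice", "/usr/sbin/esxcfg-info", "saturday_morning")):
        print(user, cmd, key, authorize(user, cmd, SAMPLE_TIMES[key]))
```

The program path is compared exactly and the arguments must fully match the grant's pattern, so a role cannot be widened by passing extra options to a whitelisted command. Because there is no deny list, a newly installed utility is unavailable to every role until someone explicitly adds it, which is the property the paper contrasts with deny-list products.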

3.3 Benefits of Centralized Role-Based Authorization through DirectAuthorize


Centralized, role-based management designed for compliance

• Consolidates UNIX and Linux entitlement management in Microsoft Active Directory, streamlining administration and closing security gaps caused through lax deprovisioning and change management practices

• Links entitlements to Active Directory accounts and groups, enhancing accountability and compliance reporting through a global view of users’ entitlements across the enterprise

• Role-based entitlement model meets regulatory requirements for defining “least access” controls and administrative privileges delegated according to job duty, protecting enterprises against both accidental and malicious changes

• Restricted Environment feature permits users to execute only specific “whitelisted” commands, resulting in unambiguous compliance reporting compared to other systems that require security managers to pile on “deny” specifications

• Built-in reports for users and computers give auditors a complete view of authorizations

Simplified privilege management that goes beyond sudo and other existing products

• Graphical user interface makes creating roles and rights far easier compared to scripting complex sudo policy files or learning other solutions’ proprietary scripting languages that cannot match the rich group-based modeling available in Active Directory

• Centrally and securely apply and report on policies from Active Directory, as opposed to trying to manage config files on individual systems

• Unique ability to control users’ access to secured systems via PAM-enabled applications and interfaces (SSH, FTP, etc.)

• Unique Restricted Environment feature provides the option to restrict users to a “whitelist” of specific commands, compared to older, cumbersome and error-prone solutions that permit all actions except those that are put on a “deny” list

• Simplifies users’ workflow, enabling them to execute commands with privilege without having to change accounts, remember additional passwords, or learn new commands

Single, cost-effective architecture for cross-platform authentication, access control and authorization

• Comprehensive privilege management provided as part of an integrated


• Part of a comprehensive suite designed from the ground up to seamlessly integrate a wide array of UNIX and Linux systems with existing Active Directory infrastructure, tools and processes

Rapid, non-intrusive deployment and management

• Leverages existing Active Directory domain controller infrastructure; no additional servers or network infrastructure needed

• No Active Directory schema changes required

• Does not require proprietary changes to the UNIX kernel; no reboot required after installation

• Streamlines IT management by leveraging existing Active Directory tools and processes

• Management data is stored in Active Directory, a modern LDAP database that has a rich ecosystem of available administration, provisioning and reporting tools

Highly available and fault-tolerant

• Leveraging Active Directory domain controller infrastructure ensures high availability and fault-tolerant network connection

• Local caching ensures entitlements are enforced even in cases when the computer is disconnected

4 Auditing Interactive Administrative Access Using DirectAudit

ESX servers are typically one of the most crucial components in a virtualized infrastructure, and hence should be protected from security intrusion in the IT environment. Thus, all administrative access and activities on an ESX server should be logged and tracked. Centrify DirectAudit complements DirectControl by providing detailed and non-intrusive recording of UNIX and Linux user sessions, which gives auditors and security officers ad-hoc search and reporting capabilities. By using DirectAudit, the auditor now has an audit trail of which users accessed what systems, what commands they executed, and what changes they made to key files and data. To limit the amount of output, the auditor can further restrict session auditing to a specific user or a specific shell.


4.1 Integrating DirectAudit into the Virtual Infrastructure

Centrify DirectAudit is a next-generation, enterprise-scale solution that is designed to provide a highly scalable, secure and reliable audit infrastructure. It is made up of four primary components to provide detailed activity logging with centralized and correlated event reporting across all audited systems. The primary components are:

• DirectAudit Agent – to be installed on a system to be audited, such as the ESX Service Console or a guest Linux virtual machine.

• DirectAudit Collector Service – which runs on a Windows system on the network to receive audit logs and store the events in the Repository.

• DirectAudit Repository – which is based on Microsoft SQL Server and stores all audit information.

• DirectAudit Console – provides the auditor an interface to browse, search and replay any of the captured audit sessions.

Given the superuser privileges that are typically associated with administrator access to the VMware Service Console, VMware Infrastructure Management Assistant or VMware Studio, the DirectAudit agent should be installed on all of these VMware systems to ensure that the auditor has visibility into administrative access to all VMware management interfaces. The combination of DirectAudit on these Service Consoles and the audit logging that VMware provides within vCenter should provide the auditor complete visibility for all administrative operations across the Virtual Infrastructure.

5 Hardening the VMware Infrastructure with Centrify Suite

VMware provides guidance on how to harden your Virtual Infrastructure leveraging security best practices. These recommendations are designed to reduce risk and to increase security for all VMware components: the Virtual Machines, Service Console, ESX Server and Virtual Center. For further reading, the VMware Best Practices document on Security Hardening can be found at http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf.

As you’ve already seen, Centrify provides solutions to secure an ESX server and its Service Console by centralizing identity and access management within Active Directory as well as auditing user activity. Centrify also provides additional controls via Group Policy to centrally manage a wide range of security settings for the operating system and many of the services that run on the hosts. Group Policy is a powerful security


periodically refreshed to ensure compliance with the policy. This automated policy enforcement greatly simplifies the provisioning of a new VMware server or Guest Virtual Machine, ensuring that the system has been properly configured for the desired security level.

5.1 Security Hardening of the Service Console and VIMA

While there are many recommendations throughout the Security Hardening document, we will highlight those settings that the Centrify Suite can centrally control to secure the VMware Service Console and Infrastructure Management Assistant.

• Use VI Client and vCenter to administer the hosts instead of the Service Console. DirectControl and DirectAuthorize provide controls to ensure that only the appropriate administrators are granted the right to log in to the Service Console. The administrator must be enabled through DirectControl for access to the Zone that the ESX host or VIMA system has joined. DirectAuthorize is also used to grant the appropriate rights to login interfaces, such as SSH, and to grant the rights to execute privileged commands. If these requirements are not met, the administrator will not be allowed to use the Service Console; however, the VI Client and vCenter system will continue to allow administration if administrative rights are granted within vCenter.

• Use a directory service for authentication. DirectControl establishes Active Directory as the authoritative directory service for all user accounts, granting login permissions for Active Directory users to the Service Console or VIMA system.

• Strictly control root privileges. The first challenge is to control the root account password to ensure that only a few upper-level administrators know the password. DirectControl can be configured to ensure that the root account password is centrally controlled by linking the local root account to a special account in Active Directory; this account’s password will be required to su or log in to the root account. Additionally, DirectAuthorize defines roles and rights to grant administrators the specific privileges that are required to perform their duties, thus eliminating the need for administrators to know or access the root account directly.

• Limit access to su. DirectAuthorize controls all PAM calls to authenticate users, such as any user trying to su to any other account. Users who need to use the su command must be granted permissions to execute su. Additionally, Group Policy can be used to either update or push an appropriately configured /etc/pam.d/su file to control who can use this command.


DirectAuthorize over sudo are that privilege grants are linked to a single, centrally administered Active Directory user account, and dynamic policy distribution ensures current policies are applied to a Zone of computers or a single computer.

Additionally, privilege grants can also be time bounded to specific start and end dates or to specific days and times during the week.

• Maintain proper logging. DirectControl can use Group Policy to push consistent configuration files, such as syslog.conf, to each system. DirectControl already provides many Group Policies to configure its own logging as well as the logging for DirectAuthorize. The VMware best practices call out a few specific requirements to ensure proper logging, which are described below.

  • Ensure accurate time-keeping. DirectControl is configured by default to establish time synchronization with the Active Directory domain controllers to ensure that Kerberos operates properly. This requirement ensures that all log files can be correlated based on an accurate representation of time.

  • Control growth of log files. DirectControl has a Group Policy to control log file growth for its own logs. Additionally, Group Policy can push a centrally defined syslog configuration file to the system which defines this setting.

  • Use remote syslog logging. Group Policy can be used to push the syslog.conf file where this setting would be defined.

  • Display different log-level messages on different screens. Group Policy can be used to push the syslog.conf file where this setting would be defined.

  • Use local and remote sudo logging. Group Policy can be used to add the entries to the sudoers file to properly set up sudo logging. Additionally, DirectAuthorize has its own set of logs, which can also be directed to remote syslog servers through an appropriately configured syslog.conf file.

  • Secure SNMP configuration. Group Policy can be used to push an
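Two of the files this section and Section 2 say Group Policy can push, sshd_config (restrict SSH to a group, no root login) and syslog.conf (remote logging, different priorities on different screens), are easy to verify after distribution. The Python checker below is an added example, not Centrify's Group Policy engine nor any file or template of the Centrify Suite. It parses both files in their classic formats and reports which of those hardening settings are missing. The two sshd_config and two syslog.conf texts inside it are constructed samples, one weak and one hardened; loghost.example.com is a placeholder host name.

```python
"""Check SSH and syslog settings that this paper says Group Policy can push.

Added example; not part of the Centrify Suite. It reports whether root
login over SSH is disabled, whether SSH access is limited to the expected
groups, whether messages are forwarded to a remote syslog host, and whether
different priorities are sent to different screens (consoles).
"""
import re


def parse_sshd_config(text: str) -> dict:
    """Map lowercased sshd keywords to their first value.

    sshd honours the first occurrence of a keyword, so a later duplicate
    cannot override it; Match blocks are not modelled here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def parse_syslog_conf(text: str) -> list:
    """Return (selector, action) pairs; a leading '-' on a file action is dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\S+)\s+(\S+)$", line)
        if m:
            rules.append((m.group(1), m.group(2).lstrip("-")))
    return rules


def check_hardening(sshd_text: str, syslog_text: str, expected_groups) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ssh = parse_sshd_config(sshd_text)
    # An absent PermitRootLogin is treated as not hardened rather than
    # relying on whatever the installed daemon's default happens to be.
    if ssh.get("permitrootlogin", "").lower() != "no":
        findings.append("sshd: PermitRootLogin is not 'no'; root may log in directly over SSH")
    groups = set(ssh.get("allowgroups", "").split())
    if not groups:
        findings.append("sshd: no AllowGroups directive; any valid account may connect")
    elif groups - set(expected_groups):
        findings.append("sshd: AllowGroups lists unexpected groups: "
                        + ", ".join(sorted(groups - set(expected_groups))))
    rules = parse_syslog_conf(syslog_text)
    if not any(action.startswith("@") for _, action in rules):
        findings.append("syslog: no remote destination (@host); logs exist only on this host")
    screens = {action for _, action in rules if action.startswith("/dev/")}
    if len(screens) < 2:
        findings.append("syslog: fewer than two tty/console destinations; "
                        "priorities are not split across screens")
    return findings


# Constructed samples.
WEAK_SSHD = """\
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD = """\
Protocol 2
PermitRootLogin no
AllowGroups esxadmin
GSSAPIAuthentication yes
"""
WEAK_SYSLOG = """\
# everything stays on the local disk
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
"""
HARDENED_SYSLOG = """\
# local files, two screens, and a remote collector (placeholder host name)
*.info;mail.none;authpriv.none   -/var/log/messages
authpriv.*                       /var/log/secure
*.emerg                          /dev/console
*.warning                        /dev/tty8
*.*                              @loghost.example.com
"""

if __name__ == "__main__":
    for label, s, l in (("weak", WEAK_SSHD, WEAK_SYSLOG),
                        ("hardened", HARDENED_SSHD, HARDENED_SYSLOG)):
        print(label, check_hardening(s, l, ["esxadmin"]) or ["all checks passed"])
```

The remote-destination check only proves that forwarding is configured; classic syslog over UDP is neither authenticated nor encrypted, so the collector host and the network path between them still need to be trusted or protected separately. Running a check like this after each policy refresh is what turns "Group Policy can push syslog.conf" into evidence an auditor can use.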


6 Benefits of the Centrify Suite for Virtualized Environments

The Centrify Suite features outlined in this document translate directly into tangible benefits for administrators. Some of these benefits for administrators and IT managers include:

• True centralized control for authentication, authorization and administration of ESX Server users and systems.

• Cost savings through easy-to-use installation, configuration and management, and provisioning / de-provisioning of ESX user accounts.

• Automated installation and setup, which means fewer mistakes, less downtime, reduced risk and faster time-to-market.

• Better security through centralized control of ESX Server assets and multi-level controls for user access and permissions.

• Enforcement of consistent security and configuration policies across banks of ESX servers through the DirectControl Group Policy engine.

• Ability to leverage existing Active Directory investments in infrastructure, tools, processes and skills.

• Centralized services and high availability of systems through off-line, cached login support.

• Less time spent setting and resetting user passwords on ESX servers. Users simply use their Active Directory username and password.

• Logging of system access and recording of user activities by DirectAudit, which reduces security exposure as companies strive to meet the requirements of new regulations and policies designed to protect systems, data, corporate information and customer information.

7 Summary


8 How to Contact Centrify

North America (and all locations outside EMEA)

Centrify Corporation
785 N. Mary Avenue, Suite 200
Sunnyvale, CA 94085
United States
Sales: +1 (408) 542-7500

Europe, Middle East, Africa (EMEA)

Centrify EMEA
Asmec Centre, Merlin House, Brunel Road
Theale, Berkshire, RG7 4AB
United Kingdom
Sales: +44 1189 026580
