vSphere 6.0 Lockdown Mode Exception Users

In vSphere 6.0 we now have a new concept called Exception Users. The intent of Exception Users is that they are not general admin users. I would consider them more of a “Service Account” type of access.

As a matter of fact, just the other day I got an email from someone internal at VMware that brought up a great use case for Exception Users. They were talking to a customer that wanted to access ESXi via a PowerCLI cmdlet (Get-VMHostAccount) to list out the local accounts on an ESXi server as part of their normal security reporting.

But they also wanted to enable Lockdown Mode and were finding it difficult to comply with both things. In vSphere 6.0 this is now much easier to address. Let’s get started.

Steps I took

Exception users can be local accounts on the ESXi server or Active Directory accounts if your ESXi server is joined to a domain and you want to centralize account management.

In the following example I'm going to show Active Directory accounts being used as Exception Users, but first I'm going to take a quick segue and show you how to create local users using some of the new functionality of ESXCLI. I'll also provide an example of how to create a local user account using PowerCLI.

Local Account Creation

I’m going to create the local account using the new ESXCLI commands for managing ESXi accounts. You’ll note a new feature where in order to connect to the ESXi server you need to provide the SSL certificate Thumbprint of the ESXi server. A blog about ESXCLI security features will come at a later date.

Creating local account using ESXCLI

Running commands without the thumbprint will look like this:

esxcli --server 192.168.8.30 --username root --password VMware1! system account list
Connect to 192.168.8.30 failed. Server SHA-1 thumbprint: 4C:72:DD:E2:66:8B:98:FA:D8:AE:CE:57:03:21:88:EE:4A:D7:5F:9F (not trusted).

Now let's run the command with the thumbprint and get the results. (This is on Windows; on Unix/Linux use export VI_THUMBPRINT=... instead of set.)

set VI_THUMBPRINT=4C:72:DD:E2:66:8B:98:FA:D8:AE:CE:57:03:21:88:EE:4A:D7:5F:9F

esxcli --server 192.168.8.30 --username root --password VMware1! system account list

User ID         Description
--------------  -------------------------------------------
root            Administrator
dcui            DCUI User
vpxuser         VMware VirtualCenter administration account
testuser        testuser
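Taking the thumbprint from the very error message that says the server is not trusted is trust-on-first-use. vCenter already verified and stored each host's certificate thumbprint when the host was added, so it can serve as an out-of-band reference before you set VI_THUMBPRINT. The following PowerCLI snippet is an added example and not code from the original post; vcenter.lab.local and the Get-EsxiSslThumbprint function name are assumptions, and the expected value is the thumbprint printed in the esxcli error above.

```powershell
# Added example (not from the original post). vcenter.lab.local is a placeholder.
Connect-VIServer vcenter.lab.local | Out-Null

function Get-EsxiSslThumbprint {
    # Returns the SHA-1 thumbprint vCenter recorded for the host's certificate
    # (HostListSummary.config.sslThumbprint, in the AA:BB:... form esxcli expects)
    param([Parameter(Mandatory)][string]$HostName)
    $view = Get-VMHost -Name $HostName | Get-View -Property Summary
    return $view.Summary.Config.SslThumbprint
}

# Value copied from the esxcli "(not trusted)" message shown above
$reported = '4C:72:DD:E2:66:8B:98:FA:D8:AE:CE:57:03:21:88:EE:4A:D7:5F:9F'
$recorded = Get-EsxiSslThumbprint -HostName 'esxi-a.lab.local'

# Refuse to proceed if the host on the wire is not the host vCenter knows
if ($recorded -ne $reported) {
    throw "Thumbprint mismatch for esxi-a.lab.local: vCenter has $recorded, esxcli reported $reported"
}

# Print the line to paste into the shell esxcli will be run from
"set VI_THUMBPRINT=$recorded"      # Windows cmd
"export VI_THUMBPRINT=$recorded"   # Unix/Linux
```

If the two values differ, the right move is to find out why (re-issued host certificate, or a different machine answering on that address) rather than trusting the value from the error.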

Now I'll add an account. This is just an example, as later in the Exception Users section I'll be using an Active Directory account. (Passing passwords on the command line leaves them in shell history and process listings; if you omit --password for the connection, esxcli prompts for it instead.)

esxcli --server esxi-a.lab.local -u root -p VMware1! system account add --id serviceaccount --description "Test Service Account" --password="uZ>{czY69EcX" --password-confirmation="uZ>{czY69EcX"

esxcli --server 192.168.8.30 --username root --password VMware1! system account list
User ID         Description
--------------  -------------------------------------------
root            Administrator
dcui            DCUI User
vpxuser         VMware VirtualCenter administration account
testuser        testuser
serviceaccount  Test Service Account

[Screenshot: the esxcli account commands above as typed at the Windows command prompt]

Note that esxcli long options take two dashes (--server, --username, --password, --id). Some HTML renderers collapse two dashes into one, so check any pasted command against the screenshot above.

Creating local account using PowerCLI

#Because I was already logged in as administrator@lab.local and the ESXi server was
#joined to the domain I did not need to provide credentials
Connect-VIServer esxi-a.lab.local
#-Id is the account name; -UserAccount is a switch marking it as a user (not a group) account
New-VMHostAccount -Id testuser2 -Password 'lkjs41!!' -Description "Test account" -UserAccount

Active Directory account

I created a new user in Active Directory. In my example it's called CIMuser@lab.local. This should be considered a "Service Account" that the script used to poll the ESXi servers will run under. It should not be used for interactive logins.


Roles and Permissions

To follow the least privilege model I created a role called "Modify Permission Role" holding only the "Permissions > Modify permission" privilege (Authorization.ModifyPermissions in the vSphere API). This is done not on vCenter but on the ESXi host directly.

Why not in vCenter? Because when an ESXi server is in Lockdown Mode, it cannot be managed directly. The Exception User bypasses this restriction. Lockdown Mode has no effect on managing a host via vCenter provided the user has the right permissions at the vCenter level.

Why an Active Directory account? Because, while I can create a local user, AD gives me the ability to manage one account centrally. Like many security situations, it’s your preference how you want to do this. For some, this type of account HAS to be a local user. I’m not here to judge!


Modify Permissions?

Why not “Read Only”? Because the task of listing the local users according to the vSphere API requires this permission. Now, I’m sure many will say “OMG, granting a service account a “modify” role??”. Not to worry. When the host is in Lockdown Mode, the user cannot add any permissions.

[Screenshot: the "operation breaks lockdown" error returned when the account tries to add a permission while the host is in Lockdown Mode]

When out of Lockdown Mode the account is only able to modify permissions of accounts that hold its role or less. It can never elevate permissions nor can it lower permissions of an account with greater privileges. It can elevate a user from “No access” to its current role and no further. Bottom line, I can’t make someone an admin unless I’m an admin too. Here’s the error I’ll get if I try:

[Screenshot: the "set entity permission" error returned when the account tries to grant a role above its own]

Now that the permissions are clarified, I assigned the CIMuser@lab.local user the Modify Permissions Role in ESXi.


Enabling Lockdown Mode

Now from the Web Client we’ll enable Normal Lockdown Mode.


And add CIMUSER@lab.local to the Exception Users List


And verify the user is on the list

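The Roles and Permissions and Enabling Lockdown Mode steps above were done in the Web Client. As an added example (not the post's own code), here is the same sequence driven from PowerCLI and the vSphere API so it can be repeated across hosts: the role with the single Modify permission privilege is created and assigned on the host directly while it is still out of lockdown, then the exception list is updated and Normal Lockdown Mode is enabled through vCenter, and the result is read back. The server names, the LAB\CIMuser principal form for the host-level permission, and the use of Get-Credential are assumptions.

```powershell
# Added example, not from the original post. Host/vCenter names and the
# principal forms (LAB\CIMuser, CIMuser@lab.local) are lab placeholders.

# --- Part 1: least-privilege role and permission, created on the host itself ---
# Lockdown Mode is not on yet, so a direct connection as root is still allowed.
$esxi = Connect-VIServer esxi-a.lab.local -Credential (Get-Credential -UserName root -Message 'ESXi root password')

# The role carries only "Permissions > Modify permission" (Authorization.ModifyPermissions)
$priv = Get-VIPrivilege -Id 'Authorization.ModifyPermissions' -Server $esxi
$role = New-VIRole -Name 'Modify Permission Role' -Privilege $priv -Server $esxi

# Assign it to the AD service account at the host level (DOMAIN\user form assumed)
$hostEntity = Get-VMHost -Server $esxi
New-VIPermission -Entity $hostEntity -Principal 'LAB\CIMuser' -Role $role -Server $esxi | Out-Null

Disconnect-VIServer -Server $esxi -Confirm:$false

# --- Part 2: exception list and Normal Lockdown Mode, through vCenter ---
# vCenter keeps full management of the host regardless of Lockdown Mode.
$vc = Connect-VIServer vcenter.lab.local

$hostView = Get-VMHost -Name esxi-a.lab.local -Server $vc | Get-View
$ham = Get-View $hostView.ConfigManager.HostAccessManager -Server $vc

# UpdateLockdownExceptions replaces the whole list, so merge with what is already there
$current = @($ham.QueryLockdownExceptions())
$wanted  = @(($current + 'CIMuser@lab.local') | Select-Object -Unique)
$ham.UpdateLockdownExceptions([string[]]$wanted)

# Normal (not Strict): DCUI.Access users such as root can still use the DCUI
$ham.ChangeLockdownMode('lockdownNormal')

# Verify: lockdownMode is part of HostConfigInfo in the 6.0 API
$hostView.UpdateViewData('Config.LockdownMode')
"Lockdown mode on $($hostView.Name): $($hostView.Config.LockdownMode)"
"Exception users: $($ham.QueryLockdownExceptions() -join ', ')"
```

Doing Part 1 first matters: once the host is in Lockdown Mode, a direct connection as root is refused unless root is on the exception list, which the post advises against.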

Verify Permissions

To show that CIMUSER@lab.local can see nothing beyond read-only host information, I logged in to the Web Client as that user and tried to look at Virtual Machines and Templates. Because it has no permissions assigned at the vCenter level, it is unable to view anything. Because of this it is unable to change any settings (like Lockdown Mode) on the ESXi host.


Because CIMUSER@lab.local isn’t in the DCUI.Access list, they have no ability to log into ESXi’s Direct Console User Interface (DCUI) and exit Lockdown Mode. See in the image below that only the local “root” account has that capability. This is used purely as an example. You may not want to run with that in your environment. It’s always best practice to use named accounts that can be tied to an individual. VMware recommends using the Active Directory integration built-in to ESXi.


Note that while “root” can access the DCUI console of the ESXi server it cannot SSH into the ESXi server because the host is in Lockdown mode and it is not on the Exception User list.


Only users on the Exception List can log into the ESXi server. And only Exception Users that are administrators can log in via SSH! Here you’ll see that accessing the host via PowerCLI will provide the list of local users on the ESXi host.


Note: When you run “Get-VMHostAccount” you only get the list of LOCAL users. You won’t get a list of AD users that have roles and permissions on the host. For that you can use the Get-VIPermission cmdlet.

To get the list of Exception Users via PowerCLI, run the following code snippet either against the ESXi host directly or against vCenter.

#Run this at the vCenter level or against an individual host
$esxihosts = Get-VMHost
foreach ($esxihost in $esxihosts)
{
    #Get the host's managed object and its HostAccessManager (the lockdown/exception API, vSphere 6.0+)
    $myhost = $esxihost | Get-View
    $lockdown = Get-View $myhost.ConfigManager.HostAccessManager
    Write-Host "--------------------------------"
    #Get a list of the Exception Users
    Write-Host "List of Exception Users on " $esxihost
    $lockdown.QueryLockdownExceptions()
    Write-Host "--------------------------------"
}

You should get something like this:


Note that I had added root to this list during the production of this blog. That’s not something you should do normally.

See my blog article on Granting Shell Access for more information on why a user needs the full Administrator role to enable SSH access. There’s no specific permission nor can you clone the role. It has to be the Administrators role. If you have a use case where you need SSH access to an ESXi server to run a task that you can’t get via the vSphere API, I’d really like to hear about it!

Video

Here’s a video of one of our awesome engineers, Kalyan, describing how the new Lockdown Modes and Exceptions users work. It’s a quick 2:48 overview of what you’ve just learned. Enjoy and great job Kalyan!

https://www.youtube.com/watch?v=vC5VyUGB2Zk&feature=youtu.be

Recap

  1. Went over the two types of Lockdown Mode, Normal and Strict
  2. Showed how to create Local Users using ESXCLI and PowerCLI
  3. Showed how to enable Lockdown Mode via the published interfaces
  4. Provided a code snippet to get the list of Exception Users via PowerCLI
  5. Created a Service Account user, CIMUSER, in AD
  6. Assigned the account the "Modify Permission Role" directly on the ESXi host
  7. Enabled Normal Lockdown Mode
  8. Added CIMUSER to the Exception List
  9. Verified that CIMUSER can connect and can only see Read-Only information about hosts
  10. Showed that CIMUSER can access the information needed via the vSphere API leveraging PowerCLI
  11. Showed that CIMUSER cannot SSH into the ESXi host