Securing VMware Virtual Infrastructure with Centrify's Identity and Access Management Suite
WHITE PAPER
CENTRIFY CORP.
MARCH 2009
Securing and auditing administrative access to the Virtual Infrastructure leveraging Active Directory
ABSTRACT
The VMware ESX Server system has become a popular solution for running
multiple virtual operating systems on a single physical server platform. To set
up and manage virtual systems on an ESX host machine, an administrator
needs to log in to one of the VMware administrative interfaces, which include
both traditional command-line and interactive GUI tools. Administrators require
superuser privileges for command-line access, while VMware provides a way to
define role-based privileges for administrators using the GUI tools. Many
organizations use both methods, which means they lack a single, centralized
view of all administrative access to their VMware environment and the activity
of administrators on those systems. In cases where VMware is used to host
business-critical systems, this could represent an increased security risk and
the likelihood of failed regulatory compliance audits. Productivity goes down
and support costs go up when there is no consolidated way to control system
access and privileges.
This white paper provides an overview of the features and benefits of using the
Centrify Suite to centralize and automate the management of ESX Server
systems in order to strengthen security and streamline IT operations and
management. It provides an overview of VMware administration and then
addresses Centrify’s approach to securing administrative access to these
systems, controlling the privileges of administrators, and auditing their activity.
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association with any real
company, organization, product, domain name, e-mail address, logo, person, place or event is intended or
should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording,
or otherwise), or for any purpose, without the express written permission of Centrify Corporation.
Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.
© 2005-2009 Centrify Corporation. All rights reserved.
Centrify and DirectControl are registered trademarks and DirectAudit and DirectAuthorize are trademarks of
Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows,
Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
WP-003-2009-03-12
Contents
1 Introduction ................................................................................................ 1
1.1 Account Management Challenges in VMware ................................................ 1
1.2 Administrative Access to VMware Virtual Infrastructure Servers ..................... 3
1.3 Centralizing Identity and Access Management with Centrify Suite................... 4
2 Controlling Administrator Access to the Virtual Infrastructure.................... 5
2.1 Centralized Account Administration via Active Directory ................................ 6
2.2 Centralized Access Control Management within Active Directory ..................... 8
2.3 Installing and Setting Up DirectControl on ESX Server ................................ 10
2.4 Comparing Centrify for Active Directory Integration with VMware Native Active Directory Integration ........ 11
2.5 Addressing the Authentication Challenges with Centrify DirectControl ........... 13
3 Managing Privileges with DirectAuthorize’s Role-Based Authorization Rights ........ 16
3.1 Centrally Managing Sudo Using Group Policy ............................................. 16
3.2 Centralized Management of User Privileges with DirectAuthorize .................. 19
3.3 Benefits of Centralized Role-Based Authorization through DirectAuthorize ..... 20
4 Auditing Interactive Administrative Access Using DirectAudit................... 22
4.1 Integrating DirectAudit into the Virtual Infrastructure ................................. 23
5 Hardening the VMware Infrastructure with Centrify Suite......................... 23
5.1 Security Hardening of the Service Console and VIMA .................................. 24
6 Benefits of the Centrify Suite for Virtualized Environments....................... 26
7 Summary ................................................................................................... 26
8 How to Contact Centrify ............................................................................ 27
1 Introduction
Computer operating system virtualization has become a popular way for customers to
address their needs for server workload management. Virtualization allows a customer to
use a single host computer to run multiple operating systems, each in its own protected
virtual machine environment.
There are two major approaches to running operating system virtualization software. The
first allows a user with an existing operating system platform (such as Windows, Linux
or Mac) to install the virtualization software as a standard application that runs side by
side with other applications on that system. For example, a Windows desktop user could
run a virtualization product with a Linux virtual machine enabled and thereby give the
user the ability to access both Windows and Linux applications from a single Windows-
based computer. The second approach is to dedicate a single physical computer to host
only virtual machines and no other applications. This approach could be used, for
example, by an Internet Service Provider to allow a single large computer to run isolated
web sites for multiple customers.
VMware is one of the leading providers of virtualization software. They offer solutions
for both desktops and servers, and support a wide range of operating systems used as
hosts and as virtual machines. One of their popular products is VMware ESX Server,
which runs on Intel x86-based systems. ESX Server leverages the second approach
referred to above. It has a Linux kernel as the host operating system and is tuned to run
only other independently managed virtualized operating systems. This Linux kernel
provides for service console access to the ESX host for machine-level software and
hardware maintenance.
1.1 Account Management Challenges in VMware
To set up and manage each of the virtual systems on an ESX host machine, an
administrator needs to log in to one of the VMware administrative interfaces. Since the
ESX Server runs on a version of Linux, the standard method for logging in to the host
system via the Service Console is very similar to logging in to a Linux system: There is a
root user, and additional users and groups can be configured and stored on the local host
system using the same /etc/passwd and /etc/group method that standard Linux uses.
Administrators with the appropriate set of privileges, called “roles” in VMware
Infrastructure, can create or delete virtual machines, control various functions associated
with each machine, dynamically provision and manage the computing capacity available
to each machine, as well as monitor each machine’s performance. Additionally, to
perform system-level operations, an administrator needs root-level privileges within the
Linux kernel operating environment in order to carry out several operational commands
via the Service Console. VMware provides other administrative interfaces, including the
Virtual Infrastructure Client, the Web Management User Interface, and the VMware
Infrastructure Management Assistant; all these interfaces require the user to log in with a
credential that is recognized by the ESX host and authorized to perform the actions being
requested.
Although ESX by default uses a local store of users and passwords for authentication, it
is also possible to use other methods to validate user logins since its authentication
framework is PAM (Pluggable Authentication Modules). PAM can be configured to
support other authentication mechanisms and use a central directory service for
authentication and user information storage.
Centralized directory services offer numerous benefits to the administrator, including:
• User accounts can be stored in a single, secure database available to many different systems, as opposed to being stored and managed on each system.
• Managing permissions and policies can be centralized, resulting in better security for each system.
• Password management can be centralized and consistent user names applied.
• Provisioning and de-provisioning user accounts can be done very quickly from a single administrative system.
Since most enterprise organizations use Active Directory, have existing processes, and
have trained staff for the administration of accounts and security policies, Centrify has
developed an identity and access management solution, the Centrify Suite, to integrate
non-Windows systems into Active Directory. Centrify Suite provides an agent which
enables ESX systems to leverage Active Directory for centralized directory services,
authentication, role-based privilege management, and policy controls.
Given the benefits of virtualized computing as well as the distributed and ubiquitous
nature of Active Directory as a centralized directory service, the question emerges: can
these technologies be combined to secure and simplify the administration for a virtual
machine environment with central control for user access? The simple answer is yes.
This paper focuses on the easiest method of accomplishing this task – using the Centrify
Suite.
1.2 Administrative Access to VMware Virtual Infrastructure Servers
There are many different ways for administrators to log in and manage the VMware
Virtual Infrastructure, which increases the value of a solution that centralizes identity
management and access controls for administrators.
Figure 1. VMware management interfaces
The interfaces provided by VMware include the following:
• SSH to the Service Console. The most basic form of administrative access is via the command line on the ESX server directly, which can be accessed via SSH.
• VMware Infrastructure Management Assistant. An ESXi system does not provide a service console for normal access except when directed by a VMware Support Engineer. For this reason, VMware provides a specially configured virtual machine, called the VMware Infrastructure Management Assistant (VIMA), which hosts remote management functions. This host allows administrators or developers who have logged into the system to run commands and scripts to remotely perform many of the administrative tasks that would normally have been done directly on the service console of individual ESX hosts. VIMA is capable of managing multiple ESX or ESXi hosts.
• VMware vCenter Server. vCenter Server can centrally manage hundreds of ESX hosts with thousands of virtual machine guests. This server can be accessed either by VMware’s Virtual Infrastructure Client or Virtual Infrastructure Web Access interface.
• VMware Virtual Infrastructure Client. The Virtual Infrastructure Client provides administrators with a native Windows graphical administrative interface for managing multiple ESX or ESXi hosts either directly or via the VMware vCenter Server (previously known as VMware Virtual Center).
• VMware Virtual Infrastructure Web Access. From any client system, administrators can use this web interface to access either the vCenter Server or a given ESX host directly.
All of these interfaces require the administrator to log in. The Virtual Infrastructure
Client and web interfaces grant the user rights to perform tasks based on the user’s role as
defined in either vCenter or locally on the ESX host; however, administrative access to
the command line requires that the user be granted root permissions to carry out typical
administrative tasks. To simplify the management of administrators’ access and their
associated rights, Centrify leverages Active Directory to control access and permissions
with the Centrify Suite.
1.3 Centralizing Identity and Access Management with Centrify Suite
The Centrify Suite is an integrated family of Active Directory-based auditing, access
control and identity management solutions that provide the security controls required to
ensure that only authorized admins can access and manage your Virtual Infrastructure,
satisfying auditors working on regulatory compliance initiatives. DirectControl secures UNIX,
Linux and Mac platforms using the same authentication and Group Policy services
deployed on Windows environments. DirectAuthorize centrally manages and enforces
role-based entitlements for fine-grained control of user access and privileges on UNIX
and Linux systems. DirectAudit audits user activity in near real-time, providing a
centralized and correlated view of all activity on UNIX/Linux systems based on users or
machines. These products are all built on a common architecture to help you centrally
secure your Virtual Infrastructure.
The Centrify Suite provides many of the controls for both access and privilege
management that are typically required by auditors. The solution enables you to:
• Centrally manage access controls to ensure that the appropriate administrators have access only to the Virtual Infrastructure Servers needed to fulfill their job role. Centrify supports further segregation between administrative staff based on access controls managed within Active Directory.
• Centrally control privileges of administrators when they access the service console. You can grant privileges where needed and lock down the root account, preventing login with this privileged account.
• Provide administrators with single sign-on for access to the service console through an Active Directory-integrated terminal.
• Enforce centrally defined security policies on ESX hosts, such as sudo permissions and SSH settings.
• Audit administrative activity on the ESX hosts to ensure that security policies are being properly enforced.
• Oversee administrative access and activity on all audited systems, enabling faster root cause analysis.
Once the ESX and VIMA servers are integrated into Active Directory, administrators can
use their existing Active Directory user ID and password to log in to any of the
management interfaces for the Virtual Infrastructure. This provides the security officer
and IT manager with the peace of mind that all access and privileges can be controlled
from a single place, Active Directory, enabling an account to be disabled centrally for all
systems if an administrator were to leave the organization.
Figure 2. Active Directory-integrated login with the Centrify Suite.
2 Controlling Administrator Access to the Virtual Infrastructure
Centrify DirectControl supports the most complex environments and at the same time
can be deployed quickly without requiring costly or intrusive changes to existing
systems. It was designed to support multiple administrative and security boundaries
once a system has been integrated into Active Directory, which delegated
administration requires. By using DirectControl, administrators no longer need to
manage accounts on each individual system, but instead can use Active Directory
for identity, access and policy management.
For administration, DirectControl provides a Microsoft Management Console (MMC)
application that allows administrators to manage UNIX-specific data for user, group and
computer objects in Active Directory as well as to perform tasks such as centralized
reporting and license management. These DirectControl attributes are also integrated into
the Active Directory Users and Computers (ADUC) MMC through property page
extensions. There is also a web-based console that provides cross-platform access to
essential administrative operations.
DirectControl integrates into the Linux OS of the ESX host through a daemon service
that controls login authentication and directory lookup services, vectoring those calls
back to the Active Directory system; thus effectively turning the host system into an
Active Directory client. Additionally, command-line utilities are included to join the
UNIX system to the Active Directory domain and perform various administrative and
diagnostic tasks such as managing users and groups. The Centrify Suite is also supported
on most of the popular UNIX, Linux and Mac platforms in use today in addition to
VMware’s ESX Server, which can be valuable in managing other Virtual Machine
guests.
Controlling administrator access involves both a) controlling which administrators can
manage the account management system (in this case, Active Directory) and b)
controlling which users or administrators are authorized to log in to specific ESX hosts.
The first issue to deal with is how to effectively manage administration in a centralized
directory while controlling which administrators – Active Directory admins or various
groups of UNIX admins – can perform these account management functions. The second
issue deals with actually enabling specific Active Directory users to log in to a given host
or set of host systems. Let’s first take a look at the centralized account administration
system that Active Directory provides and how it can be used to manage administrative
access to ESX hosts.
2.1 Centralized Account Administration via Active Directory
DirectControl enables ESX servers to join an Active Directory domain, thus becoming
a managed computer object within the directory. These computer objects can be pre-
created before the host is joined to the domain depending on the desired computer
management process within the organization. By default, once a computer has joined
Active Directory, any user with a valid Active Directory account can potentially log in to
that host, which is not what is desired for access controls to ESX or UNIX hosts. For this
reason, Centrify developed its unique Zone technology, which enables logically grouping
hosts along geographic, departmental or functional boundaries. The hosts within a Zone
share common UNIX/Linux identity attributes such as UNIX userid or group
memberships.
Figure 3. Delegated administration through Centrify Zones
Additionally, since users must be granted permissions to log in to hosts within a Zone,
account administrators must be granted permissions to manage UNIX user profiles within
these Zones in order to control which Active Directory user has permissions to log in to
an ESX host within a given Zone. Zones are created within Active Directory as a
container or organizational unit (OU) in order to support native Active Directory ACL-
based enforcement for administrative delegation. The result is an environment where
UNIX account administrators for a given Zone can be defined independently for each
Zone, thus segregating administrative duties on a Zone-by-Zone basis. Another benefit is
that the UNIX account administrator does not need to be granted Active Directory
administrator privileges since he only needs to manage these UNIX user profiles for an
Active Directory user and not the user object itself. This protects the segregation of duties
typically required in an Active Directory environment. This also means that a UNIX
profile admin for a given Zone can grant user access permissions to his Zone only and
will not require permissions that would enable him to define new user accounts within
Active Directory, a privilege that is typically highly protected. As shown in Figure 3
above, the VMware administrator has permissions to manage the access controls to the
ESX systems within the HR and VM Server Zones, but does not have rights to create or
manage Active Directory users.
Figure 4. Zone-based user access controls
Zones can be a powerful way to separate both the account administrative duties between
various departments as well as between administrators serving different roles. As shown
in Figure 4 above, you see that a Zone can be defined for a department such as HR to
manage all their own servers, including both ESX servers as well as any Linux guest
VMs. However, the administrator for the VM Server Zone can only manage access to the
ESX hosts while different administrators have the appropriate rights to manage access to
the Dev and Finance Zones. Since a Zone is simply a logical collection of systems based
on either administrative or access control boundaries, it provides a very flexible
mechanism to control user access or, in the case of ESX servers, admin access to the
virtualized environment.
2.2 Centralized Access Control Management within Active Directory
Using DirectControl and Active Directory, account administrators can identify users
(ESX admins) who need to have access to the virtual machine management consoles on
ESX servers and then easily enable access for those users with their Active Directory-
managed credentials.
The whole process of setting up a new user and establishing their credentials and access
rights for the ESX server is a very straightforward process with DirectControl. Active
Directory users who need access to the ESX server are simply added as members of a
Centrify Zone of ESX servers, each with his or her own profile of settings for login shell,
primary group and home directory. This is done from one of the DirectControl
management tools such as the MMC-based DirectControl Administrator Console. Once
users have been added to the ESX Server Zone, they simply log in to the ESX server
using their Active Directory username and password. If this is the first time that a user
has logged in, DirectControl automatically provisions their default shell and home
directory. Individual accounts no longer need to be created and managed on each ESX
server. Not only are ESX Service Console logins enabled with DirectControl, the Active
Directory identity is leveraged across other VMware management interface options,
including the Virtual Infrastructure Client (VI Client) and Virtual Infrastructure Web
Access (VI Web Access).
By centralizing user and computer access rights into Active Directory, administrators
now have much tighter control over who uses their ESX Server systems. With Centrify
DirectControl, numerous options exist for securing access, including:
• Restricted user entry based on membership in an ESX Server Zone. The Zone thus defines the security boundary that controls access to systems contained in it.
• Ability to centrally manage group memberships based on users’ roles.
• Ability to leverage Active Directory account controls for password strength and aging, computer access hours, and disabling as well as terminating accounts.
• Ability to leverage Group Policy to further control system and application configuration such as SSHD and sudoers.
• Ability to map root user accounts on ESX servers to an Active Directory user account leveraging an Active Directory-managed password, instead of managing root access on each individual server, as shown in Figure 5 below.
Figure 5. Mapping ESX root account on two hosts within a Zone to an Active Directory account
DirectControl provides the infrastructure on the ESX server to control which user can log
in to specific systems or Zones of systems. The rights a user has upon login can also be
centrally controlled through Centrify DirectAuthorize, which is described further in the
next section. But first let’s see how easy it is to install and set up DirectControl on ESX
servers.
2.3 Installing and Setting Up DirectControl on ESX Server
Complete instructions on installing and configuring DirectControl can be found in the
documentation that comes with DirectControl, but essentially the installation and
configuration process consists of three high-level tasks.
First, the DirectControl Administrator Console needs to be installed on a Windows
system that is joined to the domain you wish to use. This can be Windows XP, Vista, or
Windows Server 2000, 2003 or 2008. Active Directory administrator permission is
required in order to install DirectControl. Once the Administrator Console is installed on
Windows, you need to set up a Centrify Zone that can be used while joining the ESX
server to the domain. Zones are collections of systems, users and groups that share
similar access profiles, functions, or common attributes. The ESX server can join the
default Zone that gets set up when you install DirectControl, or you can set up a new
Zone.
Next, install the DirectControl Agent on the ESX server you wish to use and join it to the
Active Directory domain and the appropriate Zone using the adjoin command.
Once the ESX server has been joined to the Active Directory domain, use any one of the
DirectControl management tools to grant access to the ESX server for the appropriate
Active Directory users. The ESX root user ID can be mapped to an Active Directory user
account if you choose. Keep in mind that it is necessary to enable only the users who
actually need access to the ESX Service Console for the purpose of administering the
ESX server. DirectControl has the ability to allow access for users in the defined Zone as
opposed to granting access to all Active Directory users (which of course would not be
desirable).
That’s it. The whole installation process takes a matter of minutes. Once this has been
completed, the ESX server can be used in exactly the same way as before for all
functions, but now user and authentication credentials are stored in Active Directory
instead of local system files. It is important to note that authentication through Active
Directory and DirectControl is supported for all VMware Infrastructure administrative
modes, including:
• Local Service Console logins
• Remote Console sessions, such as via the SSH protocol
• Remote command line on a VIMA system
• VI Client
• VI Web Access
DirectControl becomes even more useful as the number of ESX servers increases, since
account control for all these platforms can be done from a single DirectControl console
tied into Active Directory. Centralizing account administration enables rapid deployment
and de-commissioning of users and administrators from your virtual infrastructure.
2.4 Comparing Centrify for Active Directory Integration with VMware Native Active Directory Integration
VMware published a technical note titled Enabling Active Directory Authentication with
ESX Server (http://www.vmware.com/pdf/esx3_esxcfg_auth_tn.pdf). This paper
discusses using the esxcfg-auth tool to set up Kerberos authentication through Active
Directory. The command syntax of this tool is as follows:
esxcfg-auth --enablead --addomain=<domain> --addc=<domain-controller>
This tool configures PAM and modifies the ESX server configuration to do login
authentication from the specified Active Directory domain controller. After executing the
preceding command, you then create a local account for each user who requires access to
the ESX server, making sure that the user ID is exactly the same as his Active Directory
user name.
This process would then need to be repeated for every ESX server in your environment.
While these steps do enable authentication from an Active Directory system for an ESX
Server, they do not leverage Active Directory for authorization, centralized directory
services or policy management. Specifically, the methods outlined in this paper have the
following serious shortcomings (most of which are discussed in the paper itself):
This is not a truly integrated solution as it does not offer a single source for defining,
managing and authenticating user accounts. While the esxcfg-auth tool allows
you to use Active Directory to authenticate users, you cannot use Active Directory to
define and manage user accounts for ESX. User accounts are still created and
maintained on each ESX server.
The process to enable Active Directory authentication for every user who requires
access to the ESX server is clumsy. For each individual user, you must also create a
corresponding user account on the ESX host server. Authorized users can log in
under two scenarios: (a) if they have a valid Active Directory password associated
with the user name they provided and if they have a local account in /etc/passwd
that also matches this user name, or (b) if they have a local user name and password
on the system. This means that the administrator must manually synchronize the user
account information between authorized Active Directory users and each ESX
server, and carefully map intended user access to actual possibilities for user access.
© CENTRIFY CORPORATION 2005-2009. ALL RIGHTS RESERVED. 11CENTRIFY WHITE PAPER SECURING VMWARE VIRTUAL INFRASTRUCTURE WITH CENTRIFY'S IDENTITY AND ACCESS MANAGEMENT SUITE
• If the network goes down or the Active Directory system is unavailable, users who use Active Directory for authentication will not be able to log in to the ESX server. Credentials are not cached, and there is no provision for the underlying Kerberos authentication session to fail over to a backup system.
• Given the issues with the previous point, the paper recommends not using Active Directory authentication for the root account. This means that there are few controls over who has access to the superuser account on each ESX server and also means that the root user password needs to be set manually for every ESX server.
• There is also more network traffic with each Kerberos transaction since this method does not support any type of caching.
• The machine name for the Active Directory / Kerberos server is hard-coded in the system files for each ESX server. If the name of the closest domain controller changes, the administrator needs to manually update this information in each system file on each ESX server.
• The ESX server is not joined to the domain, so Active Directory has no knowledge of the system or any control over the ESX server. This means that if the administrator wanted to temporarily restrict access to an ESX server or a whole set of ESX servers, he or she would have no way to accomplish this from Active Directory.
• The paper does not provide guidance on how to set up FTP or SSH for accessing the ESX server. Typically, having access to these services is essential for system administrators. Also, there is no guidance on setting up this new authentication method for all management session types (Remote Console, VMware Management Interface, etc.).
• The paper acknowledges that this method for authentication will fail if the user is a member of more than 15 Active Directory groups, which in a large enterprise is quite common.
• There is no guidance on how to track access to the ESX server using this implementation.
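The manual synchronization burden described above can at least be checked mechanically on each host. The following shell script is an added example, not code from this paper, from VMware or from Centrify. It compares a constructed service-console /etc/passwd with a constructed list of the Active Directory user names approved for the host and reports two kinds of drift: local accounts that are not on the approved list (stale or unsanctioned accounts) and approved administrators who cannot log in under scenario (a) because no matching local account exists. The account names, UIDs and the vpxuser service-account exception are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the paper): detect drift between the local accounts
# that esxcfg-auth-style integration requires on each ESX host and the list of
# Active Directory administrators who are supposed to have access.
# All inputs below are constructed for the example.

# Constructed /etc/passwd content from an ESX service console (hypothetical).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
vpxuser:x:500:100:VMware VirtualCenter administration account:/home/vpxuser:/bin/bash
jsmith:x:501:501::/home/jsmith:/bin/bash
oldadmin:x:502:502::/home/oldadmin:/bin/bash
mlee:x:503:503::/home/mlee:/bin/bash'

# Constructed list of Active Directory user names approved for this host.
APPROVED_ADMINS='jsmith
mlee
pkumar'

# Local service accounts that are expected to exist without an AD counterpart.
SERVICE_ACCOUNTS='vpxuser'

# Print the names of interactive local accounts (UID >= 500, shell is not
# nologin) that are neither approved AD administrators nor known service
# accounts. Arguments: passwd content, approved names, service account names.
local_accounts_not_approved() {
    printf '%s\n' "$1" | awk -F: -v approved="$2" -v service="$3" '
        BEGIN {
            n = split(approved, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1
            m = split(service, s, "\n");  for (i = 1; i <= m; i++) ok[s[i]] = 1
        }
        $3 >= 500 && $7 !~ /nologin$/ && !($1 in ok) { print $1 }'
}

# Print approved AD names that have no /etc/passwd entry on this host; with
# the esxcfg-auth approach these users cannot log in even with a valid
# Active Directory password. Arguments: passwd content, approved names.
approved_without_local_account() {
    printf '%s\n' "$1" | awk -F: -v approved="$2" '
        BEGIN { n = split(approved, a, "\n") }
        { have[$1] = 1 }
        END { for (i = 1; i <= n; i++) if (!(a[i] in have)) print a[i] }'
}

# Usage: report both kinds of drift for the sample host.
echo "Local accounts not on the approved list:"
local_accounts_not_approved "$SAMPLE_PASSWD" "$APPROVED_ADMINS" "$SERVICE_ACCOUNTS"
echo "Approved administrators with no local account:"
approved_without_local_account "$SAMPLE_PASSWD" "$APPROVED_ADMINS"
```

On a real host the first function would read /etc/passwd directly and the approved list would be exported from Active Directory; the point is that every ESX server needs this reconciliation run separately, which is the cost the paper is describing.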
Given all of these challenges, the proposed solution in the VMware paper will be
untenable for many organizations. VMware offers another product, VirtualCenter, which
provides centralized administration and management for ESX servers connected on a
network. It acts as a control node for configuring, provisioning and managing a
virtualized IT environment consisting of ESX servers. For a VI Client that is connected to
a VirtualCenter server, authentication and authorization are performed via an Active
Directory service. Authorized VirtualCenter users are selected from the Windows domain
list referenced in VirtualCenter or are local Windows users on the VirtualCenter host.
Similarly, VirtualCenter groups are derived from Active Directory in the connected
Windows domain. Both Active Directory-based users and groups are then granted
permissions (“roles”) within VirtualCenter. However, on the back end, VirtualCenter still
uses the standard Linux authentication mechanism. Whenever an ESX server host is
added to it, VirtualCenter creates a Linux user account (vpxuser) that has root
privileges. This account is used only to authenticate the connection between the host and
VirtualCenter.
Although VirtualCenter resolves the issue of separate password management and account
management in the esxcfg-auth tool, it has a number of shortcomings in its integration
with Active Directory:
• VirtualCenter serves as a central point to manage multiple virtual machines and resources that are distributed over many ESX server hosts. Therefore, it is not cost-effective for small deployments.
• This is still not a seamlessly integrated solution. You cannot use VirtualCenter to manually create and remove ESX users or groups, or to view and modify their properties such as passwords. You will have to use the Microsoft tools for user account and password management.
• There are still occasions when you need to access an ESX server host via other mechanisms; for example, when VirtualCenter is unavailable or has lost its connection to the domain controller. In addition, there are still a few administrative tasks that must be performed directly on the ESX host and not through VirtualCenter.
Can Centrify DirectControl provide a better integration with Active Directory? Yes it
can, as described in the next section.
2.5 Addressing the Authentication Challenges with Centrify DirectControl
Centrify DirectControl is engineered not only to be easy to use but also to be a
completely integrated authentication, authorization, directory and policy solution. As a
result, the issues highlighted in the previous section are fully resolved with DirectControl.
Specifically:
• Unlike the esxcfg-auth tool, DirectControl provides unified account and password management. There is no need to create a local user and map it to the Active Directory account for every user that you want to grant access to the ESX Server host.
• The DirectControl integration with Active Directory is seamless from a user interface perspective. You cannot create or manage Active Directory users and groups via VirtualCenter, but Centrify extends the native ADUC MMC with UNIX properties for user, group and computer objects, which enables you to use the same tool to manage not only ESX users and groups but also the Active Directory account information associated with them. In addition, Centrify provides the DirectControl Administrator Console so you can view and modify all the attributes of Active Directory’s user, group and computer objects, including the DirectControl ones.
• With the Centrify solution, authorization is handled from one central place using the DirectControl Administrator Console. The administrator has the ability to create an explicit access list of users for each ESX server. Through the use of Centrify Zones, ESX administrators can be members of their own Zone of ESX servers, further simplifying the access control for those systems. In addition, users can be further restricted based on policies such as authorized access times. Authorized users can also be placed in Active Directory groups that are visible from ESX as though they were local groups. This allows a high level of fine-grained access control for each ESX server. If changes need to be made, they can be done from a single point of administration, the DirectControl Administrator Console.
• DirectControl fully supports the caching of login credentials. If a user has logged in to the ESX server at least once, then he or she can continue to log in to that system even if the network is down. Or, the administrator can configure users or groups for pre-validation so that they can access offline machines using their Active Directory credentials without having logged in previously. Also, when a user logs in for the first time, DirectControl automatically creates a home directory environment for the user if one does not already exist. DirectControl can also automatically find the closest available Active Directory domain controller, so that if one domain controller is taken offline, another can be automatically used without the need to reconfigure the ESX server.
• Since login credentials are cached, network traffic is reduced. This is an important consideration where multiple virtual machines are sharing the same network interface with the host ESX server.
• Login credentials can also be pre-cached for those administrators who must always be able to log in with their account regardless of the state of the network connectivity, such as at a remote location with a down WAN link where the ESX system requires administrative access for maintenance.
• DirectControl includes a feature for root user mapping. This means the root account for every machine can be mapped to an Active Directory user, and password control is maintained in a central place. With support for offline caching, the root user can still log in to the ESX server even if the Active Directory system is unavailable.
• As mentioned in a previous point, DirectControl manages the interactions with the Active Directory domain controller and automatically finds the closest controller for each request.
• With DirectControl, the ESX server is joined to the Active Directory domain. As with other systems in the domain, the administrator has full control over access to the ESX server, including temporarily disabling logins – for example, during a maintenance period.
• DirectControl automatically configures access to popular services such as FTP, Telnet and SSH to use secured authentication via Kerberos to Active Directory. For example, Centrify provides a compiled version of the latest OpenSSH distribution that is linked with the DirectControl Kerberos libraries to automatically support PAM and Kerberos for single sign-on access.
• DirectControl ensures that a single authentication method is used across all supported VMware management session types, including the local Service Console, VMware Management Interface (VI Client and VI Web Access) as well as Remote Console sessions such as via the SSH protocol.
• DirectControl does not impose any limits on group membership.
• DirectControl’s integration with Active Directory has proven to work in complex environments – for example, in a topology with multiple forests that requires one- or two-way trusts.
In addition, Centrify DirectControl has other advantages beyond providing identity
management:
• DirectControl fully supports Microsoft Group Policy and includes an extensive set of policies out-of-the-box for security and configuration management. You can use DirectControl’s built-in Group Policy engine to distribute computer and user policies to a set of ESX servers. Such policies can copy configuration files to target systems, manage various configuration parameters such as login settings, password prompts, password caching and Kerberos settings, as well as define sudo permissions. For added flexibility, you can even create your own custom policies specifically tailored for your virtualized IT infrastructure. Through the deployment of policies to your ESX servers, you ensure consistent machine configuration and further control the ESX session behavior. As a result you streamline your IT operations and reduce administrative costs.
• In addition, since ESX administration can be performed through a remote connection via the SSH protocol, you can also use the Centrify SSH Group Policies to configure who can connect to the host using SSH, such as only users of a specific group or to prevent root login via SSH.
• DirectControl is supported on most of the UNIX and Linux platforms available today, plus Mac OS X, so customers can have a consistent Active Directory integration solution across their non-Microsoft platforms.
• This integration can also be extended to the Linux and UNIX virtual machines running inside ESX server. Each virtual machine, or groups of machines, can be managed within a dedicated Zone. This is particularly useful when ESX server is used for outsourcing environments where identity groups from different organizations need to be managed individually and isolated from each other.
• The DirectControl identity management solution extends beyond validating login sessions. DirectControl can also support applications that take advantage of LDAP, Kerberos, GSSAPI or SPNEGO APIs for directory services and authentication. This means customers could design custom applications for ESX (such as a customer bill-back system for virtual machine usage) based on validated identities stored in Active Directory.
3 Managing Privileges with DirectAuthorize’s Role-Based Authorization Rights
VMware provides an authorization environment that relies on roles which are defined
within VMware vCenter Server. These roles are also defined within the ESX server to
manage users who access the server using the Virtual Infrastructure Client. The role that
a user or administrator is assigned determines what operations that user is allowed to
execute.
However, when administrators access the Service Console – either directly on the ESX
server or via the Virtual Infrastructure Management Assistant (VIMA) – their rights can
be assigned only by the underlying operating system. Managing rights is important in this
case because several ESX command-line utilities require privilege within the Linux
environment in order to operate properly. Many times administrators will either a) use the
root account to log in to the service console of the ESX server or to the VIMA, or b) use
their own account to log in and then switch to the root user with the su command in order
to execute these commands. Unfortunately, both methods of running commands with
privilege require the administrators to know the root account password, which is one of
the first things that security best practices would prohibit.
The challenge is to grant administrators the right to execute the privileged commands
required to perform their duties, but to do so without knowledge of the root account’s
password. The following sections discuss two ways to centrally manage privileges: by
leveraging a) Group Policy to centrally manage the Linux sudo command or b) Centrify’s
centralized privilege management solution called DirectAuthorize.
3.1 Centrally Managing Sudo Using Group Policy
The first method of centrally managing privileges involves using the Linux operating
system’s sudo command. After logging in with their own account, administrators can run
privileged commands by using the command sudo in front of the privileged command.
Sudo looks up the current user’s Linux identity or local group in the sudoers
configuration file to see if the user has been granted rights to execute the command and,
if so, executes the command as if root had requested its execution. This command is
supported in most UNIX and Linux operating systems as well as ESX systems, making it
a common way to address the need to lock down privileged accounts such as root.
Figure 6. Example of a local sudo policy configuration file
One of the primary challenges to deploying sudo broadly throughout an enterprise is
managing and maintaining a consistent configuration file across a large population of
systems, such as ESX servers, VIMA systems and UNIX/Linux guest VMs. The example
in Figure 6 shows a typical ESX server’s default sudoers configuration file, which simply
grants the root account the ability to run any command as root. To deploy sudo to manage
privileges, IT security managers need to add, for each administrator or group of
administrators, an entry that grants them specific rights.
In the following example, the group esxadmin has been granted the rights to execute
three commands – esxtop, vdf and esxcfg-info – as the root account without being
challenged for their own password. With DirectControl, we can use Windows Group
Policy tools to centrally and securely distribute this sudoers file to ESX servers.
%esxadmin ALL=(ALL) NOPASSWD: /usr/bin/esxtop, /usr/sbin/vdf, /usr/sbin/esxcfg-info
Figure 7. Example ESX admin rights grant in the /etc/sudoers file
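Because a Group Policy push delivers the same sudoers file to every ESX server at once, it is worth gating the file on a quick check that no entry is much broader than the esxadmin grant in Figure 7. The following script is an added example, not code from this paper, from VMware or from Centrify, and it is a heuristic rather than a full sudoers parser (visudo -c remains the authoritative syntax check). It walks a constructed sudoers file and flags command grants that are ALL, that are not absolute paths, or that carry a shell wildcard; the group names and commands other than the esxadmin line are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the paper): heuristic lint for /etc/sudoers grants
# before a file like the one in Figure 7 is distributed by Group Policy.
# The sudoers content is constructed for the example; only the %esxadmin
# line mirrors the paper's own entry.

SAMPLE_SUDOERS='# Constructed sudoers for an ESX host (not a real file)
Defaults    requiretty
root    ALL=(ALL) ALL
%esxadmin ALL=(ALL) NOPASSWD: /usr/bin/esxtop, /usr/sbin/vdf, /usr/sbin/esxcfg-info
%helpdesk ALL=(ALL) NOPASSWD: ALL
%backup ALL=(root) /usr/bin/vmkfstools *
%ops ALL=(ALL) esxcfg-firewall'

# Print one "user_spec<TAB>reason" line for each command grant that is ALL,
# is not an absolute path, or contains a shell wildcard. The root entry is
# skipped: the default file grants root ALL, which adds no privilege.
lint_sudoers() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }      # comments and blank lines
        /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            who = $1
            if (who == "root") next
            spec = substr($0, index($0, "=") + 1)   # everything after Host=
            gsub(/\([^)]*\)/, "", spec)            # drop the (runas) part
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                # strip tags such as NOPASSWD: or SETENV: in front of a command
                while (c ~ /^[A-Z]+:/) sub(/^[A-Z]+:[ \t]*/, "", c)
                if (c == "ALL")        print who "\tgrants ALL commands"
                else if (c !~ /^\//)   print who "\tcommand is not an absolute path: " c
                else if (c ~ /[*?]/)   print who "\twildcard in command arguments: " c
            }
        }'
}

# Number of findings; a non-zero count can block distribution in a CI-style gate.
lint_findings_count() {
    lint_sudoers "$1" | wc -l | tr -d ' '
}

# Usage: list the findings for the sample file.
lint_sudoers "$SAMPLE_SUDOERS"
echo "findings: $(lint_findings_count "$SAMPLE_SUDOERS")"
```

Run against the sample, the esxadmin line produces no finding while the helpdesk, backup and ops lines each produce one; the same script can be pointed at the file staged for the Group Policy push before it leaves the editor's machine.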
There are several advantages to leveraging Group Policy to centrally enforce policies on
UNIX and Linux systems, including ESX servers. First, we can use Active Directory
group management to control UNIX/Linux group membership; in this example,
individual Active Directory accounts can be added to or removed from the esxadmin group from
Active Directory without having to redistribute the sudoers file. The Group Policy Object
Editor, which is a familiar interface for Windows admins, can be used to control the
contents of the sudoers config file and to define distribution settings. A single, consistent
sudoers file can be pushed to every DirectControl-managed ESX server over an
authenticated and encrypted connection. Or, different policies can be defined for different
groups or Zones of ESX systems based on your needs.
Group Policy for UNIX/Linux can also be used to manage many common configuration
files in UNIX, including the sudoers file, crontab file, SSHD settings, IP tables, firewall
settings and screen lock settings. Group Policies are also available to set DirectControl
configuration options on the managed systems.
The following figure shows the interface in Group Policy Object Editor to enable setting
the sudo file for the ESX servers.
Figure 8. The sudo rights property page within the Group Policy Object Editor
While using Group Policy to manage sudo rights will work much better than any manual
method, it can still be difficult to define a policy file that grants narrowly restricted rights
to meet stringent security needs. Additionally, distributing static policy files is inadequate
as a security model due to the very dynamic nature of day-to-day IT challenges, which
may require privileges on a specific system to be disabled on short notice or to be
extended for a short amount of time in order to address an issue. To meet these
challenges and to simplify the adoption of a higher security model, Centrify set out to
deliver a product that would make it easier to define and enforce a more stringent security
policy: Centrify DirectAuthorize.
3.2 Centralized Management of User Privileges with DirectAuthorize
Centrify DirectAuthorize provides an alternative method of controlling user privileges by
leveraging Active Directory to centrally manage and enforce role-based entitlements.
DirectAuthorize provides fine-grained control over user access and privileges on UNIX
and Linux systems, including ESX. By controlling the methods through which users access systems
and what they can do once logged in, DirectAuthorize enables organizations to lock down
sensitive systems and eliminate uncontrolled use of root accounts and passwords.
DirectAuthorize simplifies privilege management by enabling administrators to define
privileged commands and then grant the right to use those commands to specific roles.
Using a Windows MMC console, administrators define each command along with the
available options. This eliminates the need for administrators to have detailed knowledge
of sudoers file syntax. The data is stored centrally in Active Directory and retrieved upon
login when needed by the dzdo policy enforcer, DirectAuthorize’s equivalent for sudo.
Figure 9. Privileged command definition in DirectAuthorize
This model for defining privileged commands has its advantages beyond the simplicity of
the policy definition. DirectAuthorize always reads the policy at user login from Active
Directory, ensuring that the most accurate policy is properly enforced. Obviously there
will be situations where the user may need to log in while disconnected from the network
or while offline, and in these situations the policy is retrieved from a local cache.
DirectAuthorize also simplifies the user’s experience by making it easier to execute an
explicit list of commands with the appropriate privileges for each. In many environments,
administrators log in to a system, switch to the root or other superuser account, and then
execute various commands as that privileged user. With DirectAuthorize, once they log
in using their own account, they can simply precede commands with dzdo, and those
commands are executed with the correct privileges.
To further control exactly which commands a user can run, DirectAuthorize provides a
Restricted Environment. A Restricted Environment restricts a user in a role to a specific
“whitelist” of commands. Users only need to learn the exact commands they need to
execute.
A Restricted Environment can be defined for ESX administrators or help desk personnel
so that they can easily log in to perform specific sets of tasks, such as vdf or esxtop, as
if they were root. They can simply log in using their own account and run these
commands without having to know the root password. The benefit is that IT can now
grant the appropriate permissions to enable lower-level administrators to perform their
duties without exposing the password of privileged accounts.
Figure 10. Restricted Environment definition in DirectAuthorize
3.3 Benefits of Centralized Role-Based Authorization through DirectAuthorize
DirectAuthorize is a core component of the Centrify Suite, which provides a single,
unified architecture for access control, authentication, authorization and auditing. In
working with customers to understand their IT security and compliance challenges, we
focused on delivering the following benefits:
Centralized, role-based management designed for compliance
• Consolidates UNIX and Linux entitlement management in Microsoft Active Directory, streamlining administration and closing security gaps caused through lax deprovisioning and change management practices
• Links entitlements to Active Directory accounts and groups, enhancing accountability and compliance reporting through a global view of users’ entitlements across the enterprise
• Role-based entitlement model meets regulatory requirements for defining “least access” controls and administrative privileges delegated according to job duty, protecting enterprises against both accidental and malicious changes
• Restricted Environment feature permits users to execute only specific “whitelisted” commands, resulting in unambiguous compliance reporting compared to other systems that require security managers to pile on “deny” specifications
• Built-in reports for users and computers give auditors a complete view of authorizations
Simplified privilege management that goes beyond sudo and other existing products
• Graphical user interface makes creating roles and rights far easier compared to scripting complex sudo policy files or learning other solutions’ proprietary scripting languages that cannot match the rich group-based modeling available in Active Directory
• Centrally and securely apply and report on policies from Active Directory, as opposed to trying to manage config files on individual systems
• Unique ability to control users’ access to secured systems via PAM-enabled applications and interfaces (SSH, FTP, etc.)
• Unique Restricted Environment feature provides the option to restrict users to a “whitelist” of specific commands, compared to older, cumbersome and error-prone solutions that permit all actions except those that are put on a “deny” list
• Simplifies users’ workflow, enabling them to execute commands with privilege without having to change accounts, remember additional passwords, or learn new commands
Single, cost-effective architecture for cross-platform authentication, access control and authorization
• Comprehensive privilege management provided as part of an integrated authentication, access control and authorization solution that is priced below what you would expect to pay for a single, older point product that addresses just one of these areas
• Part of a comprehensive suite designed from the ground up to seamlessly integrate a wide array of UNIX and Linux systems with existing Active Directory infrastructure, tools and processes
Rapid, non-intrusive deployment and management
• Leverages existing Active Directory domain controller infrastructure; no additional servers or network infrastructure needed
• No Active Directory schema changes required
• Does not require proprietary changes to UNIX kernel; no reboot required after installation
Streamlines IT management by leveraging existing Active Directory tools and processes
• Management data is stored in Active Directory, a modern LDAP database that has a rich ecosystem of available administration, provisioning and reporting tools
Highly available and fault-tolerant
• Leveraging Active Directory domain controller infrastructure ensures high availability and fault-tolerant network connection
• Local caching ensures entitlements are enforced even in cases when the computer is disconnected
4 Auditing Interactive Administrative Access Using DirectAudit
ESX servers are typically one of the most crucial components in a virtualized
infrastructure, and hence should be protected from security intrusion in the IT
environment. Thus, all administrative access and activities on an ESX server should be
logged and tracked. Centrify DirectAudit complements DirectControl by providing
detailed and non-intrusive recording of UNIX and Linux user sessions, which gives
auditors and security officers ad-hoc search and reporting capabilities. By using
DirectAudit, the auditor now has an audit trail of which users accessed what systems,
what commands they executed, and what changes they made to key files and data. To
limit the amount of output, he can further restrict the session auditing to a specific user or
a specific shell.
When deployed in an ESX environment, DirectAudit strengthens your regulatory
compliance reporting and helps you spot suspicious activity and detect deviances from
standard usage patterns. You can also perform in-depth troubleshooting by replaying the
recorded sessions to detect activities that may have contributed to system failures.