00:04
Hello, I'm Dean Pompilio. Welcome to Cybrary and the Virtualization Installation, Configuration and Management class. We're on Module 9 now, and we're going to talk about
00:14
access and authentication control for your ESXi host.
00:19
So first we'll look a little bit at some of the considerations for enabling the firewall that's built into ESXi.
00:27
And then we'll also talk about what lockdown mode means.
00:31
Lastly, we'll talk a little bit about Active Directory integration.
00:36
Active Directory integration was actually performed in an earlier lab,
00:41
but now we've got a couple extra things to discuss as that relates to how you access your host.
00:48
We have to think about the security profile.
00:51
So if you select your host in the inventory, go to your Configuration tab and select Security Profile from the Software section. Remember, we have Hardware up top, Software on the lower portion of the screen.
01:03
Each of the services that
01:07
will start and stop with the host can be individually controlled from this dialog box.
01:12
So what we need to do is,
01:15
for each individual service, you need to select its startup policy.
01:19
For the most part, the startup policy can be left at the default setting.
01:23
These are already configured for typical operation of the ESXi host, and you probably don't need to monitor or modify any of these settings. But if you do want to change them, this is where you would do it.
01:37
So for each of the services, once selected,
01:42
in a pop-up within the dialog, you have three choices. You can either start automatically,
01:48
which means that if the firewall opens the ports, the service can start and everything will work as expected. That's probably the default setting for most of the services that you'll see there.
01:59
However, we can also instruct ESXi to start and stop the service with the host.
02:06
So that way you guarantee that when you bring the host up, it should start, and when you shut the host down, it then disables that service.
02:13
And your last option is to start the service manually. This might make sense if you're doing some testing, or possibly you've got services that you only need some of the time.
02:23
You can then control those manually so you don't have to deal with them starting and stopping automatically, and therefore
02:30
reducing the amount of available resources on your host.
02:36
ESXi does come with a firewall.
02:39
It's included. There's no extra license required for this.
02:44
It is a service-oriented firewall, which means that it
02:49
opens the connections as they're needed, in kind of an on-demand fashion, compared to always being open or always being closed.
02:58
However, the firewall is stateless,
03:00
which means that it's just doing a basic packet filtering type function that uses source IP address, destination IP address, protocol and port numbers. That's all it requires. So it's not a very sophisticated firewall, but it is better than nothing.
03:15
And because it's service-oriented
03:19
and works when the connections are required, you do get a little extra security because of the way that
03:24
this particular firewall is designed.
03:28
So when you look at the firewall rules, you have to actually select the Firewall Properties from the same dialog we're in here: your Configuration tab, Security Profile.
03:39
When you select the Firewall Properties, you'll get your list of rules,
03:44
and for each individual rule, you can then
03:47
click the rule and select the Firewall button. And you get a choice, too: you get a pop-up saying, do you want to allow the connections from any IP address?
04:00
For some types of connections that your ESXi host uses, this might be appropriate,
04:04
but the other option is to only allow connections from the following IPs, and you've got a little window there where you can type IP addresses in.
04:14
You can type individual IP addresses. You can type a network,
04:19
even using CIDR notation if you wish.
04:25
Some further control over your inbound rules, your outbound rules, what can connect to what.
04:30
And as you get further into the security settings of hardening the ESXi host for a typical environment, you want to get away from allowing any IP address to connect or allow connections, and try to create rules that are more specifically tailored for your particular environment.
04:50
We also have lockdown mode for your ESXi host.
04:55
This is something that's a great feature.
04:58
Once you've got your host configured the way you want
05:00
and you have your authentication services set up, everything is working correctly, then you can think about using lockdown mode.
05:10
is that only the vpxuser has authentication permissions right off the top.
05:15
Basically, no one else can log into the host.
05:21
In fact, only root can log into the host directly, and that's only through the DCUI, which we saw in earlier labs
05:30
as the configuration and management screen for the host.
05:33
And you get to that from the console.
05:35
Or, if you're using a virtualized host, you can get to it through the console of the VM that you're actually running the host on, which is the case for some of the hosts that you'll see in the lab.
05:48
Because the host is in lockdown mode,
05:51
that means that we cannot do anything on the host directly. Everything that you do with the host must be done through vCenter,
05:59
and, you know, from looking at other labs that were performed, if you try to connect to the host with the vSphere Client, you do get a message saying this host is managed by vCenter at this IP address.
06:12
That's just a warning. When we enable lockdown mode, now that warning becomes enforced, and you literally cannot do anything unless it goes through vCenter, with the exception of root logging in through the DCUI.
06:26
So in order to do this, you can select the host,
06:29
go to the Configuration tab, select Security Profile under the Software section and select Lockdown Mode. It's a simple on or off setting.
06:36
You can also enable lockdown mode from the DCUI,
06:41
so if you want to do it from the console where root is allowed to log in, you also have the option to enable the mode from that area as well.
06:49
One of the earlier labs we did
06:53
showed how integration with Active Directory was possible.
06:57
This is done through the Configuration tab once again, in the Software section.
07:02
You've got an Authentication Services link, which you can click
07:06
in order to add your host to a domain.
07:10
So one of the things to think about
07:13
is once you've done that, any local users such as root or vpxuser, or any other local users that were created for that host,
07:21
those can still be accessed directly from the host,
07:25
meaning that Active Directory authentication is not required.
07:30
However, once the host is added to the domain, you can then
07:33
use Active Directory user accounts in order to access the host and then do things like create roles in order to
07:43
provide certain permissions and certain capabilities for individual users or groups of users.
07:51
We looked a little bit at what the security profile means and how you can control that from within the Configuration tab of your,
08:01
looking at the firewall, seeing what kind of rules it supports, whether or not you start and stop with the host or start and stop manually. You get those kinds of options.
08:11
We learned a little bit about what lockdown mode means and why that's good for security reasons.
08:16
And lastly, a little bit of a reminder on how the Active Directory configuration works.
08:22
Okay, that concludes lesson one. Stay tuned for lesson two. Thank you.