VCP 5 – Objective 1.4 –Secure vCenter Server and ESXi

Identify common vCenter Server privileges and roles

Default roles in vCenter and/or ESXi include

No Access (ESXi/vCenter)

  • Cannot view or change object
  • Tabs in vSphere client appear, but contain no content
  • Mainly used to revoke permissions that may otherwise be inherited.

Read Only (ESXi/vCenter)

  • View state and details about object
  • Can view all tabs in vSphere client with exception of the console tab
  • Cannot perform any actions through menus or toolbars

Administrator (ESXi/vCenter)

  • All privileges for all objects.
  • Can add, remove, and set access rights and privileges for all vCenter Server users and all objects within the virtual infrastructure.

Virtual Machine Power User (vCenter)

  • A set of privileges to allow users to interact with and make changes to hardware of the virtual machines
  • Also allowed to manage snapshots.
  • All privileges for schedule tasks.
  • Selected privileges for global items, datastore and vim privileges groups.
  • No privileges for folder, datacenter, network, host, resource, alarms, sessions, performance and permissions privileges groups.
  • Normally granted on a folder that contains VMs or on individual VMs

Virtual Machine User (vCenter)

  • Allows the user to interact with the VMs’ console, insert media, and perform power operations.
  • No privileges to make changes to hardware.
  • All privileges to schedule tasks.
  • Selected privileges on global items
  • No privileges for the folder, datacenter, datastore, network, host, resource, alarms, sessions, performance, and permissions privileges groups.
  • Usually granted on a folder that contains virtual machines or on individual virtual machines.

Resource Pool Administrator (vCenter)

  • Allows user to create child resource pools and modify configuration of the children, but cannot modify configuration for the pool or cluster where the permission was granted.
  • User can grant permissions to child resource pools and assign VMs to the parent or the child.
  • All privileges for folder, virtual machine, alarms, and scheduled task privileges groups.
  • Selected privileges for resource and permissions privileges groups.
  • No privileges for datacenter, network, host, sessions, or performance privileges groups.
  • Additional privileges must be granted on virtual machines and datastores to allow provisioning of new virtual machines.
  • Usually granted on a cluster or on a resource pool

Datastore Consumer (vCenter)

  • Allows a user to consume space on the datastore that the role was granted.
  • Things like creating a virtual disk or creating a snapshot require the user to have additional virtual machine privileges.
  • Usually granted on a datastore or folder of datastores.

Network Consumer (vCenter)

  • Allows user to assign VMs or hosts to networks (only if the appropriate privileges are granted on the VMs/hosts).
  • Usually granted on a network or folder of networks.

Describe how permissions are applied and inherited in vCenter Server

You have the ability to choose whether or not the permission will propagate down the object hierarchy.

The hierarchal inheritance of permissions is explained here (

Permissions assigned to a child object will always override those that are inherited from their parent object.

If you assign permissions on two objects in the same level, then the child objects will inherit (if set) a combination of both those permissions.

Permissions assigned directly to users will always take precedence over those permissions assigned to the groups.

Configure and administer the ESXi firewall

Firewall is used to separate management interface and the network.  By default the firewall is configured to block incoming and outgoing traffic except for the default services.  In addition to those services ICMP and communication DHCP and DNS are enabled as well.

You can add your supported services by adding the rule set config files to the firewall directory (/etc/vmware/firewall/).  The default rules set configuration is in service.xml

Configuration files (for additional supported rule sets) should be installed using a VIB package.  When you include a rule set configuration in a VIB file and use the installation path of /etc/vmware/, the system will detect the rule and refresh the firewall automatically.  If you need to manually refresh the firewall use the command esxcli –server=hostname network firewall refresh

You can also specify which IPs are allowed to connect to each service on the host.  This can be done through the vSphere client or the command line.  (Setup under Security Profile)  IP addresses can be entered in the following formats,, 2001::1/64, or fd3e:29a6:0a81:e478::/64.

Enable/Configure/Disable services in the ESXi firewall

All done in the same spot (configuration -> Security Profile).

Following are options for Startup policies..

  • Start Automatically if any ports are open, and stop when all ports are closed
  • Start and stop with host
  • Start and stop manually.

Enable Lockdown Mode

Can be enabled either through the DCUI or the vSphere Client.

Lockdown mode basically restricts all users except for the vpxuser (vCenter user) of their authentication permissions.  Meaning no operations can be performed unless routed through the vCenter Server.  vMA commands and powercli scripts will not work.  Management tools or external software may not be able to retrieve information from the host as expected.  Note that root will still have authentication rights directly on the DCUI, as well as SSH will work if using an authorized key file.

Configure network security policies

Network security policies are as follows

Promiscuous Mode

  • Reject by default
  • If set to accept the VM attached will see all traffic (even that which isn’t sent to it).
  • Helpful when wanting to use network monitoring or capturing tools such as wireshark to troubleshoot issues.

Forged Transmits

  • Accept by default
  • Effects traffic that a virtual machine transmits
  • Basically means ESXi will not compare the source and effective MACs.

MAC Address Changes

  • Accept by default
  • Effects traffic that a virtual machine receives.
  • ESXi will accept requests to change the effective MAC address to something other than the initial MAC address.
  • Use case would be a clustering situation.

View/Sort/Export user and group lists

Done from the Local Users and Groups tab -> Users & Groups.

Can sort by clicking on the column header.

Export by right clicking anywhere in the table.

Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects

Select inventory object and go to permissions tab.

Right Click -> Add Permission.

Select role and add the user.

Create/Clone/Edit vCenter Server Roles

All done through Roles from the Home screen.

Add an ESXi Host to a directory service

Can be done in one of two ways.


  • Configuration -> Properties
  • In Directory Services enter the domain in either or format.
  • Click Join
  • Enter Username/Password.

Using CAM Service

  • Configuration -> Authentication Services
  • Properties
  • Directory Services Configuration enter domain in or format.
  • Select Use vSphere Authentication Policy
  • Enter the IP of the auth proxy server
  • Click Join Domain.

Apply permissions to ESXi Hosts using Host Profiles

Done in the Host Profile Editor under the Security Configuration -> Permission Rules

Determine the appropriate set of privileges for common tasks in vCenter Server

Too many common permissions to list.


Leave a Reply

Your email address will not be published. Required fields are marked *