We often hear that you need to guard the keys to the kingdom, but depending on what you do, the kingdom can be very different. If you are a Windows administrator, then protecting the file system is of utmost importance; if you are a DBA, then your world is the database. I could go on and on, but I think you get the point.
However, the common denominator across these different environments is getting access, which means having a proper user ID and password to log in to the environment. So in this case the kingdom I am referring to is Active Directory. Not every technology points back to AD, but many do, including Virtual Center. If I am able to get a valid account in the correct group, then I can cause a great deal of havoc not only in the physical world but in the virtual one as well.
Edward Haletky wrote an excellent story about adding additional access security to protect your ESX server, including TCP wrappers, pam_access, and the packet-filtering firewall. He also wrote that in the polls he conducted on VMware Communities, 70% of the users authenticate using Active Directory. Edward goes on to say he is quite skeptical of the AD authentication model, which is why he suggests using the three additional access security controls. While I think this is an excellent technical article, I believe this is not the biggest concern when it comes to authentication via AD.
The largest issue with AD authentication is a lack of monitoring of the environment, as well as poor processes when people leave their current role or even the company. When I ask my customers how they would know if a new user was inserted into a new group, the majority say they would not unless they did a periodic audit. That is a bit scary considering that these groups can control access to literally the entire server infrastructure.
In addition to the lack of a monitoring policy for this critical environment, there is usually a lack of a process for revoking privileges when a user moves into a new role within an organization or, worse, when they leave. It is the absence of a well-defined process that allows someone to keep their existing authority and add new privileges over time. At a previous employer, I moved from a database role into more of an account management role (my beginning down the dark path of sales); however, I maintained all my previous access rights. I don’t have extensive surveys to support this but I would say that this is probably more the norm than the exception. To a degree, this makes sense for a short time after a person transitions into a new role because they may provide some overlay assistance. After this grace period is over, the old access rights should be revoked if they are no longer needed.
So while I do recommend following Edward’s advice in setting up additional access layers for your ESX server, I would also recommend creating a process to review access rights on a regular basis, as well as monitoring your critical Active Directory groups for membership changes.
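One way to monitor critical groups for membership changes, as an added example that is not part of the original post: filter a domain controller's Security log, exported as XML, for the group-membership event IDs and report who changed which watched group. The watched group names, the `<Events>` wrapper element and the sample events (reduced to the fields used) are assumptions constructed for illustration; the event IDs are those used by current Windows Server versions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Security event IDs for membership changes to security-enabled groups.
MEMBERSHIP_EVENTS = {
    4728: "added", 4729: "removed",   # global groups
    4732: "added", 4733: "removed",   # local groups
    4756: "added", 4757: "removed",   # universal groups
}
# Assumption: groups that gate infrastructure access in this environment.
WATCHED_GROUPS = {"domain admins", "vc-admins"}


def membership_changes(events_xml, watched=WATCHED_GROUPS):
    """Return one record per membership change made to a watched group."""
    alerts = []
    for ev in ET.fromstring(events_xml).findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in MEMBERSHIP_EVENTS:
            continue  # not a group membership event
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() not in watched:
            continue  # change to a group we do not monitor
        alerts.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "action": MEMBERSHIP_EVENTS[event_id],
            "group": data["TargetUserName"],
            "member": data.get("MemberName", ""),
            "changed_by": data.get("SubjectUserName", ""),
        })
    return alerts


def _event(event_id, when, actor, member, group):
    """Build one constructed event in the Security log's XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="SubjectUserName">{actor}</Data>'
            f'<Data Name="MemberName">{member}</Data>'
            f'<Data Name="TargetUserName">{group}</Data></EventData></Event>')


# Constructed sample data, not taken from a real log.
SAMPLE = "<Events>" + "".join([
    _event(4728, "2024-01-08T09:14:02Z", "jsmith", "CN=Temp Contractor,DC=example,DC=com", "VC-Admins"),
    _event(4728, "2024-01-08T09:20:41Z", "jsmith", "CN=New Hire,DC=example,DC=com", "Helpdesk"),
    _event(4624, "2024-01-08T09:21:10Z", "jsmith", "", "VC-Admins"),
    _event(4729, "2024-01-09T17:02:33Z", "adm-lee", "CN=Former DBA,DC=example,DC=com", "Domain Admins"),
]) + "</Events>"
```

Calling `membership_changes(SAMPLE)` returns the addition to VC-Admins and the removal from Domain Admins; the Helpdesk change and the non-membership event are ignored.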