By default, a deployed PAM VM can be accessed without a password from the VMware console to make network and other changes. How can this be prevented?
Hello Alex, please go to Configuration, expand Security on the left and select the Access page under it. It contains the option you are looking for. This is documented on the page https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/implementing/configuring-your-server/configure-security-settings/server-access-options-configuration
Thank you Ralf, but this option is binary - either the VM console access is completely disabled or wide open. I was looking for password protection or another security control.
Hi Alex, there is no additional control on the PAM side. You should be able to control access to the VM on the VM server side to minimize the risk of the wrong person making changes to the VM. Someone with access to the console would also be able, e.g., to stop the VM, which I would regard as a more severe concern. Going into the configuration and changing network parameters requires deliberate action and would not be done by accident or mistake. If you would like to see an additional layer of protection for the PAM console anyway, please raise an idea in this community.