Hello,
I am doing some research, for security reasons, on the topic of running programs on guest VMs. We plan to do a bigger restructuring of our AD to secure our most important servers like domain controllers etc. I am trying to figure out how vCenter is involved in this security scenario and how to address this, because all important servers are also VMs in our vCenter. Currently we do not have any special treatment for special VMs.
Currently we use some different types of roles for users. For example, we have snapshotmanagers who are allowed to use the whole bunch of snapshot functions. Of course we also have some people who act as admins on our vCenters. Privileges obtained by role membership are currently not limited to a specific number or type/folder of hosts. If you are in the role of snapshotmanagers, you are allowed to create and reset snapshots on domain controllers too. This is basically not ideal, but it is not the security issue which I am trying to investigate.
Currently I wonder how, or if, it is possible to run commands/manipulate files on the guest OS and what credentials are needed. For my example we just act as vCenter admin with all privileges on the vCenter side; we can use all functions from vCenter directly or by using API+PowerShell. Currently I have not found a way to run commands directly in a VM without knowing the VM credentials too. Can you confirm this? I thought vCenter (or the ESXi host) itself is able to do so using VMware Tools from the outside. Is this wrong? How could a domain controller be manipulated from outside without knowing the credentials of the VM? What is your experience? Do you protect some of your servers in a special way?
Thank you,
Hans