Skip to content

Posts from the ‘Security’ Category


ESX 4.1: Local users cannot login

If you regularly SSH into your ESX hosts, this may be old news to you. But if you’re like me and mostly manage your ESX hosts via vSphere Client, you might have a surprise waiting for you when you upgrade to ESX & ESXi 4.1. With the advent of ESX Active Directory integration, VMware kindly decided to impose some new changes and requirements for local user accounts. What does this mean to you?

For me, it meant that when I tried to SSH into my ESX host, I ran into “Access is denied.” And with only one non-root user account on the system, this meant no remote access (on the host itself). Root is restricted to interactive access, so that wasn’t any help. Thankfully the Dell Remote Access Card (DRAC) put me on the console, so to speak, and let me poke around as root.

The solution, though, came from a Google search, a somewhat unhelpful VMware KB article (1024235), and a little connecting of the dots. AD integration places a new dependency on the local “Administrators” role. If local user accounts aren’t in that role, they can’t get in.

Oddly enough, vSphere Client has to be targeted directly at the ESX host (not vCenter) to edit the role and local users. Looking while connected through vCenter won’t get you anywhere. So, here we go: Read moreRead more


Windows Firewall applies least privilege policy

If multiple network connections exist on a server, Windows Firewall will apply the least privilege / most secure firewall policy to all connections. Thus, if a server has two network connections, one with domain access and one with private (no domain) access, Windows will see the second NIC as residing in a “Private” or “Public” network, not “Domain”. The impact of this is that Windows will then take the Group Policy firewall settings applying to “Private” or “Public” and apply them to the “Domain” connection as well. The only way to decrease/disable the firewall restriction is to configure the policy for the “Public” or “Private” network as well.