VMware vCenter Configuration Manager

VMware vCenter Configuration Manager–Auditing and Changing Local Accounts

September 27, 2012

One of the many useful features of VMware vCM is that you can audit local accounts for security risks and then through various actions remediate those risks. In this example I have discovered on my Windows machines that I have a single admin account that does not have the “Password Required” attribute set and want to disable the account. To get to this point I have collected “Accounts” data against my Windows machines.

Next I navigate to Security > Local Accounts and am greeted with the below graph. (Hint, you can skip the graph and go straight to the data grid if you hold down CTRL when you click on the “Local Accounts” button.) It is on this screen that I see that one of my admin accounts does not have a password enabled. Let’s click on it to get some more details.

Next I see all the information on the account. Also if you hover over that first icon on the left you will notice that it says the account is currently enabled. Not for long… Click on “Edit Properties”.

Your account is already pre-selected for change…

Select the Account Attribute…

… and say that you want it to be disabled…

Next run the action or schedule it for later.

Once that job completes we need to recollect from that machine to get the current status of the account information. To do that start a new collection and go grab the “Accounts” information.

Perfect, if you notice on the top graph 1 account now shows as disabled. Let’s drill into the admin account that does not require a password. Hopefully it will show up as disabled.

Looking at the first icon we see that it is indeed disabled. But let’s go one step further, lets use vCM to rename the account and change the password.

Next we go through the “Change Password” and “Rename Account” wizards and supply new values that we want. After the changes are complete and we recollect we can see that the password age is now 0 days, the account name has been changed and the account is disabled.

This little tutorial demonstrates a couple tasks that are really important and easily implemented.

1. Auditing Accounts (also includes password age, failed password attempts, date of last login)

2. Automatically changing passwords for Local Accounts (Yes, you can change multiple passwords at the same time.)

3. Renaming Local Accounts

Be pretty cool if you could do that all automatically right? Well, stay tuned for a later post on using vCM Compliance Rules to automate your compliance and remediation.

My Personal Quick Start Guide to Installing VMware vCM Prereqs

September 25, 2012

The complete and supported install guide for installing VMware vCenter Configuration Manager is located here but sometimes you just want a quick and simple install guide that covers most scenarios in a simple Single Tier install. At least I do for lab testing so here’s my quick version of the install guide. Be aware that it has been slimmed down by me for use in a test environment. If you are installing in a production environment please ignore this and follow the real guide located on the VMware website and hyperlinked above. Also this guide is not a complete step by step tutorial but more of a general roadmap pointing out highlights along the route. It is assumed that you have experience with IIS and SQL at a minimum. A lot of the settings can be left at the defaults and I won’t specify that, I’ll just stop at the important things to change.
1. Install Windows Server 2008 R2 SP2 Standard Edition
2. Join machine to your domain and make yourself a local admin.
3. Disable IE Enhanced Security for Administrators and disable the UAC for convenience.
4. Reboot and login as your domain account.
5. Request a machine certificate. I did this via AD and Certificates Snap-In in mmc.exe.
6. Install IIS with:
Common HTTP Features:

1. Static Content
2. Dynamic Content
3. Directory Browsing
4. HTTP Errors
5. HTTP Redirection

Application Development:

1. ASP.NET

2. .Net Extensibility

3. ASP

4. ISAPI Extensions

5. ISAPI Filters

6. Server Side Includes

Health and Diagnostics:

1. HTTP Logging

2. Logging Tools

3. Request Monitor

4. Tracing

Security:

Just install them all.

Performance:

1. Static Content Compression

2. Dynamic Content Compression

Management Tools:

1. IIS Management Console

2. IIS Management Scripts and Tools

7. Configure IIS by going to IIS Manager and under the default website clicking on the “Advanced Settings” button on the right toolbar. From there you can change the “Connection Time-out” to 3600 seconds.

8. Next disable “Anonymous Authentication” and enable “Basic Authentication” under the Authentication settings on the Default Web Site. Also under “Bindings” add a HTTPS binding using your certificate.

9. Install SQLXML 4.0 SP1 x64.

10. Install Microsoft SQL Server 2008 R2 x64. It will probably tell you when you start the installer that .Net needs enabled or the Windows Installer needs updated. Click yes and it will do this automatically behind the scenes.
Configure a new instance with the below options installed.

1. Database Engine Services
2. Full-Text Search – optional
3. Reporting Services
4. Client Tools Connectivity
5. Management Tools – Basic
6. Management Tools – Complete

Use the default instance and continue on. Next set the SQL Accounts to all use the “NT AuthoritySystem” and set the SQL Server Agent to Automatic.

Next change the Authentication Mode to “Mixed Mode”, set a password and make sure to click on the “Add Current User” so that you are added as a SQL Administrator.

At this point complete the SQL install, patch it and you are ready to install vCM. Launch the installer and proceed through Foundation Checker. It should succeed:

At his point the hard part is over and the rest of the installer is stuff that is very specific to your environment. Once you complete the installer you are now ready to go. Have fun!

Lottabytes

Category: VMware vCenter Configuration Manager

VMware vCenter Configuration Manager–Auditing and Changing Local Accounts

My Personal Quick Start Guide to Installing VMware vCM Prereqs