• This topic has 8 replies, 3 voices, and was last updated January 27, 2017 by Gene T.

Administrator Privileges Not Required

  • I’m a new Zerto user and when I’m told a product requires “Administrator” privileges to vCenter I have a problem with that.  This is a big gaping security hole that needs to be plugged.  I did my own product testing and discovered there are only a couple of additional settings from what is listed in the Security / Hardening guidelines for a vSphere 6.0 implementation.  Those are:

    Global – Disable Methods

    Global – Enable Methods

    Zerto – <All entries>


    I created a new role assigned the permissions and was able to install, protect, failover and failback.  If I find any other permissions as I continue my testing I will be sure to post them here.


    If anyone else has limited Zerto access to their vSphere environment I would appreciate hearing your experiences.


    Thank you.

    Hi Dan!

    Thanks very much for sharing your experiences and feedback. I’ll compare your notes to ours internally and see if I can provide any further clarification (and documentation updates).

    Thanks again! Keep the feedback coming!


    Harry

    Follow me: www.twitter.com/HarrySiii

    I have downloaded and finished my testing on Version 5 of the VMware product.  One additional permission was required:


    Host / Configuration / Query patch

    With that in place, installation, test failovers, and failovers have been successful.  I’m not sure why Zerto doesn’t understand why granting full-on Administrator permissions is a security risk, especially when this level of access is not required.


    Thanks and if anyone has found additional permissions I may have missed, please let me know.

    Thanks for posting this.  Has the latest hardening guide been updated with the input above?

    IT Professional with focus on VMware Virtualization and BCDR solutions.

    The “Security and Hardening with Zerto Virtual Replication Version 5.0 Update 1” guide also shows this, which I don’t see in my vCenter Roles/Privileges where the documentation says they are:

    Authorization > Modify Permission

    Authorization > Modify Role

    Authorization > Reassign role permissions

    ^^^ The above is actually under Permissions > Modify Permission | Modify Role | Re-Assign Role Permissions


    IT Professional with focus on VMware Virtualization and BCDR solutions.

    So, with all of the above, there’s still something blocking deployment of VRAs.  Given all the sections in the hardening guide to customize for the role, I ended up just enabling each of those top level privileges and I got everything to work, so will work my way backwards to see if I can find what exactly is missing from the hardening guide.  Standby.

    IT Professional with focus on VMware Virtualization and BCDR solutions.

    I found something under Host > Configuration that isn’t in the guide, where without it, I’m not able to install or delete VRAs.

    Host > Configuration > Query Patch

    The only way I can see this being required is if Zerto is checking patch levels for the ESXi hosts, which makes sense.  I’m still testing, and will now look into other operations like creating/deleting VRAs and failover/move.  I’ll publish a doc and put the URL here.  Note, I’m on vSphere 6.0 U2

    IT Professional with focus on VMware Virtualization and BCDR solutions.

    Thanks for all your feedback!

    I’m checking out the hardening guide and looking to verify everything against your versions.

    Dan B, what version of vSphere are you on? Can you also clarify what you mean by “Zerto – <All entries>?”

    Gene T, is it safe to assume you are on vSphere 6.0 u2 for vCenter and the ESXi hosts?

    Thanks!

    ~harry

    Follow me: www.twitter.com/HarrySiii

    @Harry, my version is 6.0U2a.

    I just finished testing everything I could think of, and this file has the new role I created, along with updates.  There wasn’t much that was missed in the hardening guide – 1 mis-label, and 1 missing privilege, and the entire Zerto set of privileges (which Dan mentioned, above).

    I also tested with the Zerto –> All Permissions on and off, and validated that it is required to perform functions within Zerto.

    Under Global, I didn’t need to add the “Enable Methods” or “Disable Methods” for full functionality (didn’t see any difference with the settings on or off).

    My vCenter version is: 6.0 build 4541947 (Update 2a) – https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2143838


    IT Professional with focus on VMware Virtualization and BCDR solutions.
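Added example, not from this thread or from Zerto: a PowerCLI check that compares a custom vCenter role against the privilege set the posts above settle on and flags any principal still holding the built-in Administrator role. It assumes an open Connect-VIServer session, a placeholder role name, and that Zerto's registered privileges carry IDs beginning with "Zerto."; the other IDs are the standard vSphere 6.0 identifiers for the labels discussed (Global > Disable/Enable Methods, Host > Configuration > Query patch, Permissions > Modify Permission/Modify Role/Re-Assign Role Permissions).

```powershell
# Audit a least-privilege Zerto role against the privileges collected in the thread.
# Extend $Expected with the remaining entries of the Zerto hardening guide; only the
# thread's additions and corrections are listed here.

$RoleName = 'Zerto-LeastPrivilege'   # placeholder: the custom role you created

$Expected = @(
    'Host.Config.Patch',                      # Host > Configuration > Query patch (VRA install/delete)
    'Authorization.ModifyPermissions',        # Permissions > Modify Permission
    'Authorization.ModifyRoles',              # Permissions > Modify Role
    'Authorization.ReassignRolePermissions'   # Permissions > Re-Assign Role Permissions
)

# Dan needed these; Gene saw no difference either way, so treat them as optional.
$Optional = @('Global.DisableMethods', 'Global.EnableMethods')

# "Zerto - <All entries>": every privilege Zerto registers with vCenter.
# Assumption: their IDs share the prefix "Zerto." (check Get-VIPrivilege output).
$ZertoPrivs = Get-VIPrivilege | Where-Object { $_.Id -like 'Zerto.*' } | ForEach-Object { $_.Id }
if (-not $ZertoPrivs) { Write-Warning 'No Zerto.* privileges found; is the Zerto plug-in registered?' }
$Expected += $ZertoPrivs

$Role   = Get-VIRole -Name $RoleName -ErrorAction Stop
$Actual = @($Role.PrivilegeList)

$Missing = $Expected | Where-Object { $_ -notin $Actual }
$Extra   = $Actual   | Where-Object { ($_ -notin $Expected) -and ($_ -notin $Optional) }

Write-Host "Role '$RoleName': $($Actual.Count) privileges"
if ($Missing) { Write-Warning "Missing: $($Missing -join ', ')" } else { Write-Host 'All expected privileges present.' }
if ($Extra)   { Write-Host  "Not in the expected set (review before keeping): $($Extra -join ', ')" }

# The actual security point of the thread: nothing Zerto-related should hold 'Admin'.
$AdminGrants = Get-VIPermission | Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, Entity, Propagate
Write-Host 'Principals holding the built-in Administrator role:'
$AdminGrants | Format-Table -AutoSize
```

Run it again after each protect/failover/failback test; a privilege that appears in the Missing list while operations still succeed is one the guide can drop.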