5.6
VMware vCenter Configuration Manager Security Guide
Software Provisioning Credentials
Normally, VCM does not store customer credentials on a managed machine. During software
provisioning though, the Network Authority credentials are temporarily stored and used to authorize
package installation, uninstallation, user access control (UAC), access to network repositories, restart, or
resume activities. The credentials are protected from disclosure to unprivileged users but are accessible to
a determined local machine administrator who uses custom software.
Because an untrustworthy local administrator can gain access to the Network Authority credentials during
a software provisioning operation, you can mitigate the risk by using the following techniques:
- Do not initiate software provisioning installation or uninstallation operations on an untrustworthy
  machine.
- Assign the minimal necessary permissions and login rights to the Network Authority account used for
  software provisioning.
- Create an individual Network Authority account with a set of local administrator credentials for
  operations on an untrustworthy managed machine.
VMware, Inc.