Active Directory virtualization - security for AD VMDK

Hello

I'm the project manager for an Active Directory server virtualization project. Currently the servers are all physical, and my approach is to build virtual machines running 64-bit Windows 2003 R2 with sufficient storage and disk space. The actual creation of the VMs is not a problem. What is a problem for our security people and AD ops team is protecting the VMDK and associated files.

The current VSI (Virtual Server Infrastructure) has each virtual machine using one LUN for the OS disk (C: drive) and another LUN for the page file/temp files. Data files are also placed on a separate LUN. Now the question arises: since all virtual machines for a single blade (HP BL685 ESX host) are placed on the same LUN, there will be a mixture of files from different server types (apps, SQL, AD, etc.) in the datastore. This means that the C: drives of all the virtual machines on this blade are running under the same security policy.

If we lock the datastore down to the AD people and other approved people, then the people supporting normal ops (in another country) do not get access to the files. Only the AD team has rights over AD and the domain controllers, so I am trying to reproduce this security model.

So my idea is to have AD-only datastores: one for the C: drive (SysVol, etc.) and the other for page files. Then I can lock these down and leave the others at their current level of security.

Does this sound logical? Feasible? Preferable?

What do others think about it? Or is it overkill?

Thank you very much

Mark-Allen

My guess is that if only the AD team would ever start/stop/etc. a virtual machine, then maybe that's possible.

You can create a custom role in your vCenter permissions and delegate it to some users, who will then not have access to certain virtual machines!
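Because vCenter permissions propagate down the inventory, splitting the AD VMs onto their own datastores and giving the AD team a custom role there is not enough on its own: ops staff holding a propagating role higher up still inherit it on the new datastores unless an explicit No Access permission overrides it. The following is an added example (not code from this thread) that resolves effective privileges under vSphere's documented rules; the inventory names, the groups CORP\Ops-Team and CORP\AD-Team, and the roles are constructed, while the privilege IDs are vSphere's own.

```python
"""Effective vSphere privileges on the datastores discussed in the thread above.

Added example, not code from the thread. It applies vSphere's documented rules:
permissions propagate down the inventory unless propagate is off; a permission
set directly on a child object overrides anything inherited for that user or
group; a user-specific permission beats group permissions on the same object.
Inventory, groups and roles are constructed; privilege IDs are real vSphere ones."""

# child object -> parent object (constructed inventory)
PARENT = {"Datacenter": None, "DS-General": "Datacenter",
          "DS-AD-OS": "Datacenter", "DS-AD-Page": "Datacenter"}

# role name -> privileges ("NoAccess" mirrors vCenter's built-in No Access role)
ROLES = {
    "AD-Admin": {"Datastore.Browse", "Datastore.FileManagement",
                 "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff"},
    "DatastoreOps": {"Datastore.Browse", "Datastore.FileManagement"},
    "NoAccess": set(),
}

# (entity, principal, is_group, role, propagate)
# The split proposed above: ops keep their role at datacenter level, the AD team
# gets a custom role only on the two dedicated AD datastores.
SPLIT_ONLY = [
    ("Datacenter", "CORP\\Ops-Team", True, "DatastoreOps", True),
    ("DS-AD-OS", "CORP\\AD-Team", True, "AD-Admin", False),
    ("DS-AD-Page", "CORP\\AD-Team", True, "AD-Admin", False),
]
# Same layout plus an explicit No Access for ops on the AD datastores; that is
# what stops the propagating datacenter-level permission from reaching them.
LOCKED_DOWN = SPLIT_ONLY + [
    ("DS-AD-OS", "CORP\\Ops-Team", True, "NoAccess", False),
    ("DS-AD-Page", "CORP\\Ops-Team", True, "NoAccess", False),
]


def effective_privileges(user, groups, entity, permissions):
    """Privileges `user` (a member of `groups`) holds on `entity`."""
    node, inherited = entity, False
    while node is not None:
        hits = [p for p in permissions
                if p[0] == node
                and (p[1] == user or (p[2] and p[1] in groups))
                and (p[4] or not inherited)]      # ancestors count only if propagating
        if hits:                                   # nearest object with a match decides
            user_specific = [p for p in hits if not p[2]]
            chosen = user_specific or hits         # a user entry overrides group entries
            return set().union(*(ROLES[p[3]] for p in chosen))
        node, inherited = PARENT[node], True
    return set()


def who_can_modify_dc_disks(permissions, datastore="DS-AD-OS"):
    """Constructed accounts; returns those able to manage files on the DC datastore."""
    accounts = {"CORP\\ops1": {"CORP\\Ops-Team"}, "CORP\\ad1": {"CORP\\AD-Team"}}
    return sorted(u for u, g in accounts.items() if "Datastore.FileManagement"
                  in effective_privileges(u, g, datastore, permissions))


if __name__ == "__main__":
    print("split only :", who_can_modify_dc_disks(SPLIT_ONLY))   # ops still inherit access
    print("locked down:", who_can_modify_dc_disks(LOCKED_DOWN))
```

Running it shows the ops account still reaching the DC datastore under SPLIT_ONLY and only the AD account under LOCKED_DOWN.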

Tags: VMware

Similar Questions

  • An error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "HAMI.LOCAL".

    The error was: "An existing connection was forcibly closed by the remote host."
    (error code 0x00002746 WSAECONNRESET)

    The query was for the SRV record for _ldap._tcp.dc._msdcs.HAMI.LOCAL

    Hello

    Your Windows 7 question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro audience on TechNet. Please post your question in the TechNet Windows 7 forums.

    Here is the link:
    http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

    Hope this helps

  • WebLogic problem with Active Directory Authentication provider: <DN for user...: null>

    I have a Java application (SSO via SAML2) using WebLogic as an identity provider. Everything works fine using users created directly in WebLogic. However, I need to add support for Active Directory. So, according to the docs:

    - I set up an Active Directory authentication provider

    - changed its order in the list of authentication providers so that it is first

    - set the control flag to SUFFICIENT and configured the provider-specific settings; here's the relevant part of the config.xml file:

    <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
            <sec:name>MyOwnADAuthenticator</sec:name>
            <sec:control-flag>SUFFICIENT</sec:control-flag>
            <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
            <wls:host>10.20.150.4</wls:host>
            <wls:port>5000</wls:port>
            <wls:ssl-enabled>false</wls:ssl-enabled>
            <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
            <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
            <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
            <wls:cache-enabled>false</wls:cache-enabled>
            <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
    </sec:authentication-provider>

    I configured an AD LDS (Active Directory Lightweight Directory Services) instance on a Windows Server 2008 R2. I created the users and an admin user "tadmin" which has been added as a member of Administrators. I've also made sure to set the msDS-UserAccountDisabled property.

    After restarting WebLogic, I see that the users and groups in AD LDS are properly retrieved in WebLogic. But when I try to log in to my application using username tadmin and password <>... it doesn't work.

    Here's what I see in the log file:

    <BEA-000000> <LDAP Atn Login username: tadmin>
    <BEA-000000> <authenticate user:tadmin>
    <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
    <BEA-000000> <DN for user tadmin: null>
    <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
    <BEA-000000> <DN for user tadmin: null>
    <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
      at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
      at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)

    So I tried to see why I get <DN for user tadmin: null>. In Apache Directory Studio I reproduced the LDAP search request used by WebLogic, and of course I get no results. But if I change the filter to just "(&(cn=tadmin)(objectclass=user))" (NOTICE: no userAccountControl), it works; here is the result from Apache Directory Studio:

    #!SEARCH REQUEST (145) OK
    #!CONNECTION ldap://10.20.150.4:5000
    #!DATE 2014-01-23T14:52:09.324
    # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
    # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
    # baseObject   : CN=wl,DC=at,DC=com
    # scope        : wholeSubtree (2)
    # derefAliases : derefAlways (3)
    # sizeLimit    : 1000
    # timeLimit    : 0
    # typesOnly    : False
    # filter       : (&(cn=tadmin)(objectclass=user))
    # attributes   : objectClass
    
    
    #!SEARCH RESULT DONE (145) OK
    #!CONNECTION ldap://10.20.150.4:5000
    #!DATE 2014-01-23T14:52:09.356
    # numEntries : 1

    (the "[email protected]" is defined as the userPrincipalName on the tadmin user in AD LDS)

    As you can see, "# numEntries : 1" (and I can see the entry "CN=tadmin,CN=wl,DC=at,DC=com" as a result in the Apache Directory Studio interface); if I add the userAccountControl filter I get 0.

    I read that AD LDS does not use userAccountControl but "uses several individual attributes to store the information contained in the userAccountControl attribute flags"; among these attributes is msDS-UserAccountDisabled, which, as I said, I already have set to FALSE.

    So my question is, how do I get this working? Why do I get "<DN for user tadmin: null>"? Is it the userAccountControl? If so, should I configure my AD LDS differently? Or how can I get rid of the userAccountControl filter in WebLogic?

    I can't seem to find it in the configuration files or in the interface: I only have "User Name Filter: (&(cn=%u)(objectclass=user))", there is no userAccountControl.

    Another difference I noticed is that, even though in WebLogic I set the SSL enabled flag to false, in the log I see ldaps and ldap (I'm not trying to set up something production-ready and I don't want SSL for the moment).

    Here are some other things I tried that don't change anything:

    - other attributes ('-FS') were not set, so I tried initializing them to a value

    - I tried other users defined in AD LDS, not tadmin

    - in WebLogic, I added the users imported from AD LDS to Roles and Policies > Realm Roles > Global Roles > Roles > Admin

    - I removed all occurrences of userAccountControl I found in XML files in WebLogic (schema.ms.xml, schema.msad2003.xml)

    Any thoughts?

    Thank you.

    In case some other poor soul runs into this issue: I got this working by configuring a generic LDAP authenticator.

    See also:

    Re: could not connect to the WLS console with a directory user
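The "DN for user tadmin: null" result follows from LDAP filter semantics rather than from a missing entry: an AD LDS user has no userAccountControl attribute, so the bitwise test is Undefined, NOT of Undefined stays Undefined, and the enclosing AND never becomes TRUE. The following is an added example (not code from the thread): a small three-valued evaluator per RFC 4511, run over the filter from the log above and over constructed AD and AD LDS entries; the msDS-UserAccountDisabled filter at the end is an assumption about what a generic LDAP authenticator could be configured with, not a WebLogic default.

```python
"""Why the WebLogic filter from the log finds no one in AD LDS.

Added example, not code from the thread: a three-valued evaluator for the filter
grammar involved, per RFC 4511 section 4.5.1.7. A test against an attribute the
entry lacks is Undefined, NOT(Undefined) stays Undefined, and an AND containing an
Undefined term never becomes TRUE, so the server returns nothing. Entries below
are constructed; the AD LDS entry has no userAccountControl at all."""

TRUE, FALSE, UNDEF = "TRUE", "FALSE", "UNDEFINED"
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # AD's bitwise-AND rule OID


def parse(s, i=0):
    """Parse the filter starting at s[i]; returns (tree, index after it)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":
        op, i, subs = {"&": "and", "|": "or", "!": "not"}[s[i]], i + 1, []
        while s[i] == "(":
            sub, i = parse(s, i)
            subs.append(sub)
        return (op, *subs), i + 1                      # skip the closing ")"
    j = s.index(")", i)
    lhs, value = s[i:j].split("=", 1)
    if lhs.endswith(":"):                              # attr:rule:=value
        attr, rule = lhs[:-1].split(":", 1)
        return ("ext", attr, rule, value), j + 1
    return ("eq", lhs, value), j + 1


def evaluate(f, entry):
    """Three-valued evaluation; entry maps lowercase attribute -> list of strings."""
    op = f[0]
    if op in ("and", "or"):
        rs = [evaluate(sub, entry) for sub in f[1:]]
        short, other = (FALSE, TRUE) if op == "and" else (TRUE, FALSE)
        return short if short in rs else (UNDEF if UNDEF in rs else other)
    if op == "not":
        r = evaluate(f[1], entry)
        return UNDEF if r == UNDEF else (FALSE if r == TRUE else TRUE)
    vals = entry.get(f[1].lower())
    if vals is None:                                   # absent attribute -> Undefined
        return UNDEF
    if op == "eq":
        return TRUE if any(v.lower() == f[2].lower() for v in vals) else FALSE
    if op == "ext" and f[2] == LDAP_MATCHING_RULE_BIT_AND:
        mask = int(f[3])
        return TRUE if any(int(v) & mask == mask for v in vals) else FALSE
    return UNDEF                                       # unknown matching rule


def matches(filter_str, entry):
    return evaluate(parse(filter_str)[0], entry) == TRUE


# Filter copied from the WebLogic log in the thread; entries are constructed samples.
WEBLOGIC_FILTER = ("(&(&(cn=tadmin)(objectclass=user))"
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
AD_ENABLED = {"cn": ["tadmin"], "objectclass": ["top", "user"], "useraccountcontrol": ["512"]}
AD_DISABLED = {"cn": ["tadmin"], "objectclass": ["top", "user"], "useraccountcontrol": ["514"]}
ADLDS_USER = {"cn": ["tadmin"], "objectclass": ["top", "user"],
              "msds-useraccountdisabled": ["FALSE"]}
# What a generic LDAP authenticator could be given instead (assumption, not a WebLogic default).
ADLDS_FILTER = "(&(cn=tadmin)(objectclass=user)(!(msDS-UserAccountDisabled=TRUE)))"
```

Evaluating WEBLOGIC_FILTER against ADLDS_USER yields UNDEFINED, which is exactly the "0 entries" Apache Directory Studio showed, while ADLDS_FILTER still excludes disabled accounts.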

  • Is it possible to set up Oracle Fail Safe kind of (active-passive) SAN replication for Oracle?

    Dear Experts,

    Is it possible to configure (active-passive) SAN replication Fail Safe for Oracle?

    To get an RTO < 60 seconds

    • If the primary host fails, the remote site should have the option to start the Oracle database.
    • Sites are geographically remote.

    SAN storage replication, can it be used in my scenario?

    • I have no option to implement Oracle Data Guard as it's very expensive.

    Has someone achieved something similar with SAN storage replication?

    • I have Oracle SE.
    • It is obvious that an all-flash backup can be quick.

    What should the strategy be to have the DR site up within a few seconds, if the primary site fails for any reason?

    • Daily incremental backup with RMAN, and an archive log backup runs every 1 minute
    • To have the DR site up and running within 60 seconds, it still takes too much time to restore the database on the remote site and have the archive logs applied
    • What could the solution be with SAN replication? RTO is 60 seconds

    Thanks and regards

    SAN storage replication, can it be used in my scenario?

    I have no option to implement Oracle Data Guard as it's very expensive.

    --> If you want to use Data Guard, it is free of charge; an additional license is not required for normal Data Guard

    --> an additional license is only for ADG

    Has someone achieved something similar with SAN storage replication?

    I have Oracle SE.

    It is obvious that an all-flash backup can be quick.

    --> Here, I understand that Oracle EE is going to be expensive

    --> Again, you can use manual standby

    --> For what you are looking for with SAN replication, you will need to check with the storage vendor

    --> If your intention is to check with Oracle storage, then this may be the right discussion forum

    What should the strategy be to have the DR site up within a few seconds, if the primary site fails for any reason?

    Daily incremental backup with RMAN, and an archive log backup runs every 1 minute

    To have the DR site up and running within 60 seconds, it still takes too much time to restore the database on the remote site and have the archive logs applied

    What could the solution be with SAN replication? RTO is 60 seconds

    --> If your intention is to check with Oracle storage, then this may be the right discussion forum

    Check this:

    https://community.Oracle.com/community/Server_%26_storage_systems/storage

  • Cisco Secure ACS 5.1 Active Directory groups and RSA Authentication Manager 7.1 for profiles

    Hello

    I'm deploying an ACS connected to an RSA Authentication Manager (which is connected to an Active Directory domain).

    I created several groups in the Active Directory server, and I'm trying to give users different access rights based on their groups.

    I tried to define an access policy "NetOp/NetAdm" and two authorization rules:

    Rule-1 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETOP 'Auth for net operators' 0

    Rule 2 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETADM 'Auth net admin' 0

    Default: deny

    In the identity, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

    But I still get access denied: RSA authentication is successful, but the Active Directory group membership does not work, even with the Unix attributes or primary group defined for the user.

    My question is, is this a valid configuration scenario? Is there another way to define several profiles according to the user's group in an external source?

    The monitoring steps:

    Steps
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - NetOp/NetAdm
    Evaluating Identity Policy
    15004 Matched rule
    15013 Selected Identity Store - RSA server
    24500 Authenticating user against RSA SecurID server.
    24501 Session established with RSA SecurID server.
    24506 Check operation code successful
    24505 User authentication succeeded.
    24553 User record has been cached
    24502 Session with RSA SecurID server closed
    22037 Authentication Passed
    22023 Proceed to attribute retrieval
    24628 User cache is not enabled in the RADIUS token identity store configuration.
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    15006 Matched Default Rule
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - DenyAccess
    15039 Selected Authorization Profile is DenyAccess
    11003 Returned RADIUS Access-Reject

    Thank you

    Christophe

    I think what you need to do is create an identity sequence with RSA selected in the Authentication and Attribute Retrieval Search list and AD in the Additional Attribute Retrieval Search list. Then select this sequence as the result of the identity policy for the service.

  • Active Directory replication for ReadyNAS

    After creating a security group in Active Directory, how long should I wait before I can see this group in the ReadyNAS interface? I created a group via AD, but when I search for it through the ReadyNAS interface it does not appear after 10 minutes so far.

    Hi prcist,

    Please confirm whether the problem has been resolved. Please continue to ask questions and share ideas and suggestions in the community.

    Kind regards

    BrianL
    NETGEAR community

  • Security realm with Active Directory / user name

    Hello

    I use WebLogic 12c. I created the provider for Active Directory in myrealm by going to the console > Security Realms > Providers > New and filling in the provider-specific settings, and I have an ADF application using ADF security on that realm deployed to the same WebLogic server. It works fine with the username and does not work with the user ID, for example with users as described below:

    User ID | Username   | Password
    aa123   | Test User  | XXXX
    bb123   | Test User2 | XXXX

    It works fine when I put the username Test User or Test User2, but does not work with aa123 or bb123. How do I get the provider to take the user ID instead of the username?

    For the Active Directory user name attribute, can you please try sAMAccountName instead of CN?

    If it doesn't work, can you paste the user's information? You can use the ldifde command to export the user from Active Directory.

    I hope this helps.

    -Faisal

    http://www.WebLogic-wonders.com

  • Advanced Security with Active directory

    Hello guys,

    Should I license ASO if I use external authentication and the clients connect with MS Active Directory credentials? Thank you!

    Gytis

    Guys,

    Here you go: "Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database."

    http://docs.Oracle.com/database/121/DBLIC/options.htm#DBLIC143

    Looks like ASO is no longer necessary.

    PS. Though the documentation is for Oracle 12c, local support confirmed that this also applies to earlier versions.

    Gytis

  • Active Directory for authentication - database for authorization

    Hello

    I searched a lot but could not find a working way to do this. I have WebLogic Server 10.3.4. My problem is: I currently have a Read-Only SQL Authenticator which validates the username and password and also holds the group membership of those users. So when users log in to our Flex application, they are authenticated and authorized through this security provider. Now I want to *move the username/password validation part to Active Directory* while group membership, other roles etc. stay in the Read-Only SQL Authenticator. To do this, I added a second security provider to my realm, the Active Directory Authenticator, but right now, because users are authenticated via Active Directory, the roles, group memberships etc. do not come through for the user, resulting in not being able to call the EJB.

    So my question is: how can I simply authenticate users against Active Directory and get the other parts (roles, groups) from the database (I no longer store the password in the database, it would be meaningless)? Do I have to write a custom provider to do this? If so, can you show me a working way to merge the two security providers?

    Thank you.

    Yes, you will need to create a security provider for this.

    -Faisal
    http://www.WebLogic-wonders.com

  • Principal name for Active Directory "domain users".

    Hello

    I successfully integrated WebLogic & Active Directory Kerberos (single sign-on). I tested a web application and successfully logged in with authentication.
    The system automatically recognizes my Active Directory user name. It worked.

    For authorization in my weblogic.xml I used:

    <security-role-assignment>
        <role-name>Admin</role-name>
        <principal-name>Kursat</principal-name>
        <principal-name>Fenerbahçe</principal-name>
    </security-role-assignment>

    Now I am trying to allow all domain members to authenticate to my application. For my application, I only need the usernames from the directory.

    To do this, I removed "Kursat" and "Fenerbahçe" from my weblogic.xml:
        <principal-name>Kursat</principal-name>
        <principal-name>Fenerbahçe</principal-name>

    and added
        <principal-name>Domain Users</principal-name>
    rather than writing out all the users in the domain.

    However, I could not authenticate. I got "Error 403 - Forbidden".

    Why is that? Can someone help me?

    Test by creating a domain users group and using it as your principal name in your weblogic.xml.

    -Faisal
    http://www.WebLogic-wonders.com

  • Setting up Active Directory LDAP for Publisher

    I hope it is easy.
    I have BIP 10.3.4.1 and Answers/Dashboards. Answers/Dashboards currently use Active Directory for authentication. I would like to do the same thing with BIP.
    How can I do?
    Since I now have two products, do I have to go to one place?

    Article links would be fine. There is nothing in the Publisher manual on LDAP or Security (really). The websites I found show an XML file with a series of parameters, but they seem to refer to an earlier version of Publisher.

    Should be easy points.

    Did you check this: http://download.oracle.com/docs/cd/E12844_01/doc/bip.1013/e12188.pdf?

    Your version is 10.1.3.4.1?

    Thank you!

  • Active Directory - join the domain for multiple devices

    Hi all

    I need your expertise to advise me on how to join multiple devices to the domain.

    Currently my organization has more than 10,000 computers, made up of Windows XP, 7, 8 and 10.

    We will deploy new Active Directory server in the data center.

    Currently, we plan to go to every computer/device to perform a domain join. This method will take a lot of time to complete for 10,000 devices.

    Is there another method to do this?

    Is there a method so that all devices will join the domain automatically when connected to the corporate network?

    Thank you.

    Hello

    Please post your question in the TechNet Server Forums, as your question is beyond the scope of these forums.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    Cheers.

  • What are the requirements for setting up an Active Directory server?

    I need to install a domain server for the employees in my business; what do I need?

    My understanding is that I need a server, i.e. hardware, and Windows Server software.

    Do I need any other license to connect all the existing computers to this Active Directory server?

    This community is for consumers, not IT professionals. I would ask you to post your question in the official IT community at http://technet.microsoft.com.

  • Hi, question on staff associated with multiple user accounts in Active Directory for different purposes

    Hi, a question related to staff with several user accounts in Active Directory for different purposes: when an employee leaves, what is the easiest way to track and disable all the user IDs created for them? Is there some way to link them so that if I disable the main account, the other accounts will be disabled too?

    Active Directory and server questions are better asked on TechNet. http://social.technet.Microsoft.com

  • EventID: 1206, Event Source: Active Directory Web Services - ADWS failed to determine whether the computer is a global catalog server. What will be the solution for this?

    Hi K jtm,

    Your Windows question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro audience on TechNet. Please post your question in the TechNet forum. You can follow this link to post your question:
    http://social.technet.Microsoft.com/forums/en/category/WindowsServer/
