VMware GSX Server 2.5.2
Authentication and Security Features on a Windows Host
How GSX Server for Windows Authenticates Users
Every time a VMware Remote Console or VMware Management Interface makes a connection to the GSX Server host, the VMware Authorization Service requests a username and password, then authenticates only valid users. When connecting with a remote console, the service first checks to see if the user account is local, then if it is on the domain. This can have implications if the user connecting has the same user name locally and on the domain, but with different permissions, and the user intends to connect with the local account but passes an incorrect password. The user can connect to the virtual machine, but the power on may fail.
When connecting with the VMware Management Interface, the service only authenticates local user accounts.
Issues may also arise if a virtual machine is created by a local user but is modified by a user in the domain.
Once a user is authenticated, the VMware Authorization Service accepts a pathname to a virtual machine configuration file. If the virtual machine associated with the configuration file is not running, the service starts a new, separate process for the virtual machine as the user making the connection. A separate process is started for the remote console. If the virtual machine is already running as another process, the service connects you to that process and starts a new process for the remote console.
Note: If you are connecting to a virtual machine with the local console, the console and the virtual machine are the same process.
The VMware Authorization Service listens on port 902 for VMware Remote Console connections. For the VMware Management Interface, the service listens on ports 8222 and 8333 (for encrypted connections). For the local console, the service listens on the named pipe.
Access to the configuration file is restricted in the following ways:
On a Windows Server 2003 or Windows 2000 host, if a user has:
- All permissions for the configuration file denied, then the user cannot connect to the virtual machine at all. If a permission for a user is both allowed and denied, the denial takes precedence. If permissions are neither allowed nor denied, then the user is considered to have no permissions.
- Read permission for the configuration file, then the user can connect to the virtual machine only if the virtual machine is already running. The user cannot power the virtual machine on or off, nor can the user reset, suspend or resume the virtual machine. The user cannot save changes to the configuration file.
- Read & Execute and Write permissions for the configuration file, then the user can connect to the virtual machine, whether it is running or not. The user can perform all of the virtual machine's power operations, such as powering on and off, resetting, suspending and resuming. The user can modify the configuration file.
On a Windows NT host, if a user has:
- No Access permission for the configuration file, then the user cannot connect to the virtual machine at all.
- Read permission for the configuration file, then the user can connect to the virtual machine only if the virtual machine is already running. The user cannot power the virtual machine on or off, nor can the user reset, suspend or resume the virtual machine. The user cannot save changes to the configuration file.
- Read, Execute and Write permissions for the configuration file, then the user can connect to the virtual machine, whether it is running or not. The user can perform all of the virtual machine's power operations, such as powering on and off, resetting, suspending and resuming. The user can modify the configuration file.
Note: If you intend to configure a virtual machine to use a raw disk, you need to be a member of the Power Users or Administrators group.
Configuring Permissions to Access a Virtual Machine
The system administrator (that is, the administrator responsible for setting up the host running GSX Server, not necessarily the Windows Administrator login) can set the access permissions on the configuration file using the following procedure. In general, you would want your GSX Server users to have Read permission to virtual machine configuration files; you can add any specific users that should have Read & Execute and Write permissions.
- Locate the configuration file on the host system. Right-click the configuration file and select Properties. The Properties dialog box appears.
- Click the Security tab, then do one of the following, depending upon which Windows host operating system you are running.
Windows Server 2003 and Windows 2000 hosts:
- In the Properties dialog box, select each user or group and select the appropriate permission, typically Read. If the permissions are inherited, you may need to uncheck Allow inheritable permissions from parent to propagate to this object.
- To specify a user or group that should not have access to the configuration file, either click Remove or check all permissions in the Deny column to deny all permissions to that user or group.
- To add more users or groups, click Add. The Select Users, Computers and Groups dialog box appears. In the dialog box, select the groups or users that you want to access the virtual machine and click Add. After you finish adding the users or groups, click OK. The users and groups are added with default Read and Write permissions. In the Properties dialog box, change the type of access for the user or group to the configuration file; choose either Read or Read & Execute and Write. Click OK to set the permissions to the configuration file.
Windows NT hosts:
- Click the Permissions button. The File Permissions dialog box appears.
- In the File Permissions dialog box, select each user or group and select the appropriate permission, typically Read.
- For any users or groups that should not have access to the virtual machine at all, select the user or group and click Remove or change the permission to No Access.
- To add more users or groups, click Add. The Add Users and Groups dialog box appears. In the dialog box, select the groups that are allowed to access the virtual machine; to select individual users, click Show Users. As you select each user or group, specify the type of access for the user to the configuration file; choose from No Access, Read, or Special Access (and select Read, Write and Execute). Click OK twice to set the permissions to the configuration file.
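The same permission tiers described above (no access, Read only, Read & Execute plus Write) can be applied and then audited from a script instead of the Properties dialog. The following PowerShell is an added example, not VMware's own code or part of this documentation; PowerShell postdates the GSX Server 2.5.2 release, so it assumes a Windows Server 2003 or Windows 2000 host with PowerShell installed (on a Windows NT host the File Permissions dialog described above applies). The configuration file path and the group and user names are placeholders for this host.

```powershell
# Added example (not VMware's code): apply and audit NTFS permissions on a
# GSX Server virtual machine configuration file, following the three access
# tiers the documentation describes. Run from an administrative session.
$VmxPath  = 'D:\Virtual Machines\web01\web01.vmx'   # assumed path to the configuration file
$Readers  = 'HOST01\GSX Users'                       # assumed group: may connect only while the VM runs
$Operator = 'HOST01\vmoperator'                      # assumed user: full power operations and config edits
$Denied   = 'HOST01\contractor'                      # assumed user: no access at all

function New-VmxRule {
    param([string]$Identity, [string]$Rights, [string]$Type)
    # Rights is a FileSystemRights flag string such as 'Read' or 'ReadAndExecute, Write'
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Type)
}

$acl = Get-Acl -Path $VmxPath

# Stop inheriting from the parent folder and discard the inherited entries, the
# scripted equivalent of unchecking "Allow inheritable permissions from parent
# to propagate to this object", so only the rules set below apply.
$acl.SetAccessRuleProtection($true, $false)

# Drop any remaining explicit rules so the resulting ACL is exactly what follows.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# Keep the host administrators and the system account able to manage the file.
$acl.AddAccessRule((New-VmxRule 'BUILTIN\Administrators' 'FullControl' 'Allow'))
$acl.AddAccessRule((New-VmxRule 'NT AUTHORITY\SYSTEM'     'FullControl' 'Allow'))

# Read only: connect to the VM only if it is already running, no power operations,
# no changes to the configuration file. The default for most GSX Server users.
$acl.AddAccessRule((New-VmxRule $Readers  'Read' 'Allow'))

# Read & Execute plus Write: connect whether or not the VM is running, perform all
# power operations and modify the configuration file. Grant this sparingly.
$acl.AddAccessRule((New-VmxRule $Operator 'ReadAndExecute, Write' 'Allow'))

# Explicit Deny of all permissions: the user cannot connect at all. A Deny entry
# takes precedence over any Allow the user inherits through group membership.
$acl.AddAccessRule((New-VmxRule $Denied   'FullControl' 'Deny'))

Set-Acl -Path $VmxPath -AclObject $acl

# Audit: read the ACL back and map every explicit entry onto the documented tiers,
# which is the check to run after editing permissions in the Properties dialog too.
function Get-VmxAccessTier {
    param([string]$Path)
    $fsr  = [System.Security.AccessControl.FileSystemRights]
    $full = $fsr::ReadAndExecute -bor $fsr::Write
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $tier = if ($ace.AccessControlType -eq 'Deny') {
            'no access (Deny overrides any Allow)'
        } elseif (($ace.FileSystemRights -band $full) -eq $full) {
            'connect any time, power operations, edit config'
        } elseif (($ace.FileSystemRights -band $fsr::Read) -eq $fsr::Read) {
            'connect only while VM is running'
        } else {
            'no usable permission (treated as no access)'
        }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Tier      = $tier
        }
    }
}

Get-VmxAccessTier -Path $VmxPath | Format-Table -AutoSize
```

The audit output lists one line per access control entry; any entry still marked as inherited, or any principal landing in the full tier that is not an intended operator, is the finding to act on. Because Deny entries win, the script places the Deny rule last only for readability; Windows evaluates it first regardless of order.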