BrownBag #12 – VCAP Follow-Up Fail

Sorry about this, folks. I’ve had some random “Life Happens” issues that kept this from being posted on time. Here are the show notes and the video:

ProfessionalVMware BrownBag 12 – VCAP Security from ProfessionalVMware on Vimeo.

We covered quite a few items this time around. Most important, however, were the lessons learned about lab setup:

  • Your lab should use 4.0 (for now)
  • You want at least one ESX host and one ESXi host
  • Password policy is a pain!
  • Un-mute first, then end the call :-\

Despite the lab fail, we did manage to cover a few areas, the first being ESXi Lockdown mode. The following description is borrowed from Duncan Epping at Yellow-Bricks:

Enabling lockdown mode disables all direct root access to ESXi machines. Any subsequent local changes to the host must be made in a vSphere Client session or vSphere CLI command to vCenter Server using a fully editable Active Directory account. You can also use a local user account defined by the host. By default, no local user accounts exist on the ESXi system. Such accounts can only be created prior to enabling lockdown mode in a vSphere Client session directly on the ESXi system. The changes to the host are limited to the privileges granted to that user locally on that host.
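The ordering constraint in that description (create any local account you will need before lockdown mode goes on, then make every change through vCenter) is easy to get wrong in a lab. The PowerCLI script below is an added example, not code from the BrownBag or from Duncan’s post: it creates a local host account over a direct connection to the host, enables lockdown mode through vCenter using the vSphere API’s HostSystem.EnterLockdownMode method, and then proves that direct root login is refused. The vCenter name vcenter01.lab.local, the host esxi01.lab.local and the local account labadmin are placeholders.

```powershell
# Added example: stage a local account, enable ESXi Lockdown Mode via vCenter,
# then verify that direct root access is gone. Names below are assumed placeholders.
$vCenter   = 'vcenter01.lab.local'
$HostName  = 'esxi01.lab.local'
$LocalUser = 'labadmin'

$rootCred  = Get-Credential -UserName root -Message "root password for $HostName"
$localCred = Get-Credential -UserName $LocalUser -Message "password for new local account $LocalUser"

# 1. Create the local account BEFORE lockdown. Get-/New-VMHostAccount only work on a
#    direct host connection, which is exactly what lockdown mode will cut off for root.
$hostSession = Connect-VIServer -Server $HostName -Credential $rootCred
if (-not (Get-VMHostAccount -Server $hostSession -User -Id $LocalUser -ErrorAction SilentlyContinue)) {
    New-VMHostAccount -Server $hostSession -Id $LocalUser `
        -Password $localCred.GetNetworkCredential().Password `
        -UserAccount -GrantShellAccess:$false | Out-Null
}
# The account is only useful if it holds a role on the host's own inventory root;
# Admin is used here for the lab, a narrower role is the right choice in production.
$hostRoot = Get-Folder -Server $hostSession -NoRecursion
New-VIPermission -Server $hostSession -Entity $hostRoot -Principal $LocalUser -Role Admin -Propagate:$true | Out-Null
Disconnect-VIServer -Server $hostSession -Confirm:$false

# 2. Enable lockdown mode through vCenter. In the API the flag is HostConfigInfo.adminDisabled.
$vc       = Connect-VIServer -Server $vCenter
$hostView = (Get-VMHost -Server $vc -Name $HostName).ExtensionData   # HostSystem managed object
if (-not $hostView.Config.AdminDisabled) {
    $hostView.EnterLockdownMode()
    $hostView.UpdateViewData('Config.AdminDisabled')
}
"{0}: lockdown mode enabled = {1}" -f $HostName, $hostView.Config.AdminDisabled

# 3. Verify: a direct root login must now fail.
try {
    Connect-VIServer -Server $HostName -Credential $rootCred -ErrorAction Stop | Out-Null
    Write-Warning "root could still connect directly to $HostName; lockdown mode is not effective"
} catch {
    "Direct root login to $HostName refused, as expected: $($_.Exception.Message)"
}
Disconnect-VIServer -Server $vc -Confirm:$false
```

If a host in lockdown mode later drops out of vCenter and has no usable local account, the only way back in is the DCUI at the console, where lockdown mode can be switched off again; that is why step 1 runs before step 2.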

Some additional info on lockdown mode can be found at “It’s All Virtual”. Next we covered SSL, adjusting timeouts, and ESX/ESXi certificates.