PrepAway - Latest Free Exam Questions & Answers

Which of the following would correct the deficiencies?

A security administrator has been assigned to review the security posture of the standard corporate system image for virtual machines. The security administrator conducts a thorough review of the system logs, installation procedures, and network configuration of the VM image. Upon reviewing the access logs and user accounts, the security administrator determines that several accounts will not be used in production. Which of the following would correct the deficiencies?


A. Mandatory access controls

B. Disable remote login

C. Host hardening

D. Disabling services

3 Comments on “Which of the following would correct the deficiencies?”

  1. Sol Forghani says:

    What does OS hardening have to do with “several accounts will not be used in production”?

    This is a question about people or accounts not being used in a production environment. So if you harden the OS and those accounts will still exist to be used in a production environment, how does that help?????

    The best answer is A.




  2. meac says:

    Badly written question:
    B, C and D would affect ALL users in production and not just a few.
    B- Would disable remote login for all users
    C- Host hardening would make no difference at all
    D- Disabling services would disable services for all users. And what services am I to disable? And who in his right mind would run a service using a “user account?”. Services need to be run using “system accounts.”

    This question has to do with “permissions” so the best and only possible answer is indeed A- Mandatory access controls

    If the proper access controls aren’t in place, virtual machines are even more vulnerable to abuse than physical systems, as any user with access to the vSphere client can delete or modify the guest operating systems or make changes to other inventory objects, like folders, resource pools, and datastores.
    In VMware, you can manage these user and group rights with roles and privileges. There are 11 predefined roles that determine what actions a user or group is allowed to take in vCenter Server or ESX/ESXi. Some roles have one or more privileges, while others have no privileges at all. You can’t assign privileges to a user without first assigning a role to that user.

    Three of the pre-established roles are permanent, meaning that the privileges associated with that role cannot be modified. These permanent roles are available to a stand-alone ESX or ESXi server, or to vCenter Server. The remaining eight are sample roles which can be modified as needed. These eight roles are exclusive to vCenter Server.

    Below are the pre-established roles:
    No Access: A permanent role that is assigned to new users and groups. Prevents a user or group from viewing or making changes to an object
    Read-Only: A permanent role that allows users to check the state of an object or view its details, but not make changes to it
    Administrator: A permanent role that enables a user complete access to all of the objects on the server. The root user is assigned this role by default, as are all of the users who are part of the local Windows Administrators group associated with vCenter Server. At least one user must have administrative permissions in VMware.
    Virtual Machine Administrator: A sample role that allows a user complete and total control of a virtual machine or a host, up to and including removing that VM or host
    Virtual Machine Power User: A sample role that grants a user access rights only to virtual machines; can alter the virtual hardware or create snapshots of the VM
    Virtual Machine User: Grants user access rights exclusively to VMs. The user can power on, power off, and reset the virtual machine, as well as run media from the virtual discs.
    Resource Pool Administrator: Allows the user to create resource pools (RAM and CPU reserved for use) and assign these pools to virtual machines
    Datacenter Administrator: Permits a user to add new datacenter objects
    VMware Consolidated Backup User: Required to allow VMware Consolidated Backup to run
    Datastore Consumer: Allows the user to consume space on a datastore
    Network Consumer: Allows the user to assign a network to a virtual machine or a host

    The privileges assigned to a pre-defined role are more comprehensive than described above, so if you want to know exactly what permissions a role allows a user, you can view the selected privileges when assigning the role to a user or group.

    VMware automatically allows users access to child objects. For example, if a user has been given read-only rights for a folder, that user will have read-only rights for all of the sub-folders as well. You can disable this setting, if necessary, when allocating roles.

    You can change the privileges associated with the sample roles listed above. Before editing a role, however, it’s recommended that you clone the role first.




