Written by Sam McGeown on 6/11/2013
Published under VMware and vSphere
In my post yesterday (vexpert.me/hS) I talked about how to recover from an expired default SSO administrator password – this prompted a discussion on Twitter with Anthony Spiteri (@anthonyspiteri) and Grant Orchard (@grantorchard) about the defaults for expiration and how to mitigate the risk. The first solution is to modify the password expiration policy for SSO. I’m not advocating this necessarily – I think that expiring passwords ensure that you change them regularly and increase the overall security of your SSO solution.
Written by Sam McGeown on 5/11/2013
Published under VMware and vSphere
Today I found out that in vSphere 5.1 the SSO administrator account (admin@system-domain) has a password that expires after 365 days. See KB2035864: vCenter Single Sign-On account (SSO) passwords expire after 365 days, including the password for admin@system-domain. Awesome. In vSphere 5.5 it gets even better – the password expires every 90 days by default! (See the vSphere 5.5 SSO documentation) By default, vCenter Single Sign-On passwords, including the password for administrator@vsphere.
Written by Sam McGeown on 22/10/2013
Published under Networking and VMware
There are different schools of thought as to whether you should have SSH enabled on your hosts. VMware recommend it is disabled. With SSH disabled there is no possibility of attack, so that’s the “most secure” option. Of course in the real world there’s a balance between “most secure” and “usability” (e.g. the most secure host is powered off and physically isolated from the network, but you can’t run any workloads).
Written by Sam McGeown on 17/10/2013
Published under
Last night was the VMworld party which was loads of fun, I took some pictures so I won’t write loads! Highlights include watching people fall over on the roller disco, losing to @shogan85 at Street Fighter (he has some skills showing a misspent youth) and a rather amusing game of spot the difference. #vcm5477 Cloud Service Automation with NSX and vCloud Automation Center with Cargi Keeling and Phil Fleischer This was one of the most technically cool sessions I’ve been in this week, seeing how vCAC and NSX come together to deploy multi-tiered applications with the networks provisioned on demand, including firewalls and routing.
Written by Sam McGeown on 16/10/2013
Published under VMware
Today was always going to be a bit of a funny day as I scheduled the VCAP5-DCD exam for 10am this morning. I am happy to say that I passed! I’m a bit light on VMworld to report today, so forgive my DCD experience to pad it out! Preparation I have to confess my prep for this exam was light – I literally only watched the TrainSignal course by Scott Lowe (@scott_lowe) and just about finished that last night in the hotel!
Written by Sam McGeown on 15/10/2013
Published under VMware
I flew from Gatwick to Barcelona last night to my very first VMworld! I’m staying in a hotel that is actually quite far from the conference, it’s a metro, train and bus journey away from the conference center and it takes about 40 minutes to get here. On the plus side I was only 5 minutes away from the VMUG party last night so I went over there for an hour or so.
Written by Simon Eady on 8/10/2013
Published under VMware
Recently I had the privilege to be asked to attend a Google Hangout with Joe Baguley (VMware CTO EMEA), Paul Saffo (Technology Forecaster) and several other well-known guys from the VMUG community VMware - The future of IT Google Hangout It was a first for me but a really enjoyable experience. Questions that were asked in the hour-long session were.. To jump to specific questions, see the links below:
Written by Sam McGeown on 7/10/2013
Published under VMware and vSphere
Losing a root password isn’t something that happens often, but when it does it’s normally a really irritating time. I have to rotate the password of all hosts once a month for compliance, but sometimes a host drops out of the loop and the root password gets lost. Fortunately, as the vpxuser is still valid I can manage the host via vCenter - this lends itself to this little recovery process:
Written by Sam McGeown on 4/10/2013
Published under VMware
This is the second article in a series of vSphere Security articles that I have planned. The majority of this article is based on vSphere/ESXi 5.1, though I will include any 5.5 information that I find relevant. The first article in this series was vSphere Security: Understanding ESXi 5.x Lockdown Mode. Why would you want to join an ESXi host to an Active Directory domain? Well you’re not going to get Group Policies applying, what you’re really doing is adding another authentication provider directly to the ESXi host.
Written by Sam McGeown on 26/9/2013
Published under VMware and vSphere
This is the first article in a series of vSphere Security articles that I have planned. The majority of this article is based on vSphere/ESXi 5.1, though I will include any 5.5 information that I find relevant. I think lockdown mode is a feature that is rarely understood, and even more rarely used. Researching this article I’ve already encountered several different definitions that weren’t quite right. As far as I can see there are no differences between lockdown mode in 5.