Friday, May 13, 2016

NetScaler VPX - Part 9 (user management)

Upon installation (as a virtual appliance), the NetScaler VPX has a "default" user account named nsroot (with nsroot as the password as well). This account is an administrator account and as such can execute any type of operation on the appliance.

One of the first things we should do, in observation of best security practices, is to change the default password "nsroot". We can do so by clicking on the "Change Password" option:

We may also want to create a user account for each person responsible for managing some aspect of the NetScaler. In general, this is often recommended for accountability: if we audit events on the appliance, we can determine who did what. This is obviously impossible if 10 different administrators log on as "nsroot".

We may also want the different administrators to have different levels of access. Some may need to make changes while read-only access may suffice for others.

We create additional accounts in the Users section.

Click on "Add" and then enter (at minimum) a user name and password.

Click "Continue". On the resulting page, we click on "No System Command Policy"...

We select a "Command Policy" which is essentially a set of permissions that allows the user to execute certain operations on the NetScaler - or simply have read-only access (more on this subject later): 

Then bind the command policy to the user:

When finished, click on "Done". Now we have a second user (with "sysadmin" rights):

For practice, you can log on with the new account and verify that it can accomplish the desired tasks.

As I discovered, a user with sysadmin privileges can enable features, for example, but cannot access (or even view) the user list:

Note: yes, clicking on OK allowed me to make the changes (but always remember to click the floppy icon to save the running configuration):

On the other hand, the new user could not even view the list of users:

We would have to grant that user the "superuser" command policy. Although the term "admin" (sysadmin) might imply more authority than "user" (and even "superuser"), the sysadmin has limited rights in some sections of the NetScaler, while "superuser" is on par with the nsroot account.

This Citrix document outlines user management and the different types of command policies in particular (see the chart):

Configuring Users, User Groups, and Command Policies

Remember that NetScaler credentials are case-sensitive. If we create a user called NS_Admin1, logging on with that name in a different capitalization will not work (even with the correct password):
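As an added illustration of the user creation and command-policy binding described above, and of the case-sensitivity point, here is a small audit script that is not part of the original post or of Citrix's tooling. It parses a constructed sample of running-configuration lines (the assumption is that the configuration stores users and bindings in the same syntax as the CLI: "add system user" and "bind system user <name> <policy> <priority>"), lists which command policy each local user holds, flags accounts that have no policy bound or that hold "superuser", and shows why a login name with the wrong capitalization does not match an existing user.

```python
import re
from collections import defaultdict

# Constructed sample of configuration lines (not taken from a real appliance).
# Assumption: users and their command-policy bindings appear in CLI syntax,
#   add system user <name> <hash> -encrypted
#   bind system user <name> <policyName> <priority>
# The hash values below are placeholders.
SAMPLE_NS_CONF = """\
set system user nsroot 0123456789abcdef -encrypted
add system user NS_Admin1 0123456789abcdef -encrypted
bind system user NS_Admin1 sysadmin 0
add system user NS_Admin2 0123456789abcdef -encrypted
bind system user NS_Admin2 superuser 0
add system user NS_Reader 0123456789abcdef -encrypted
bind system user NS_Reader read-only 0
add system user NS_Orphan 0123456789abcdef -encrypted
"""

ADD_USER = re.compile(r"^add system user (\S+)")
BIND_USER = re.compile(r"^bind system user (\S+) (\S+) (\d+)")


def parse_users(conf):
    """Return {username: [policy, ...]} for every local system user.

    nsroot is built in rather than created with 'add system user', so it is
    entered explicitly; its rights are equivalent to the superuser policy.
    """
    users = defaultdict(list)
    users["nsroot"].append("superuser")
    for line in conf.splitlines():
        m = ADD_USER.match(line)
        if m:
            users.setdefault(m.group(1), [])  # user exists, maybe no policy yet
            continue
        m = BIND_USER.match(line)
        if m:
            users[m.group(1)].append(m.group(2))
    return dict(users)


def audit(users):
    """Report the two things worth reviewing after creating accounts:
    users with no command policy bound (the "No System Command Policy"
    state seen in the GUI) and the set of accounts with full rights."""
    no_policy = sorted(u for u, p in users.items() if not p)
    full_rights = sorted(u for u, p in users.items() if "superuser" in p)
    return {"no_policy": no_policy, "superuser": full_rights}


def match_login(users, attempted):
    """NetScaler user names are case-sensitive: only an exact match logs on.

    Returns ('ok', name), ('case-mismatch', real_name) or ('unknown', None)
    so an operator can see why a login with the right password still failed.
    """
    if attempted in users:
        return ("ok", attempted)
    for name in users:
        if name.lower() == attempted.lower():
            return ("case-mismatch", name)
    return ("unknown", None)


if __name__ == "__main__":
    users = parse_users(SAMPLE_NS_CONF)
    for name, policies in sorted(users.items()):
        print(f"{name:12s} {', '.join(policies) or '(no command policy)'}")
    print(audit(users))
    print(match_login(users, "ns_admin1"))
```

The report separates "sysadmin" from "superuser" so that the distinction the post makes (sysadmin cannot manage users, superuser is on par with nsroot) is visible at a glance; a real run would feed it the output of "show ns runningConfig" instead of the constructed sample.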

The creation of additional users offers some flexibility but works best if we have a single NetScaler or perhaps a pair of NetScalers. But the more NetScalers we have (and the more administrators we have), the more inefficient user creation on individual appliances becomes.

If possible, it would be preferable to manage authentication and authorization with an external database already containing an account for the various users we would like to designate as NetScaler administrators. Active Directory is one example of such an external database (and the one I will use in the following blog post). Better yet, we could use an Active Directory group, called "NetScaler_Admins" perhaps, and assign a command policy to this group. Subsequently, any users belonging to the group in question would not only be allowed to log on to the NetScaler but also inherit the rights granted to the Active Directory group of which they are a member.

I will outline the configuration of external authentication (with Active Directory) in my next blog post.
