I am attempting to reduce rights to the bare minimum on local ONTAP service accounts to increase our security posture. I've created a custom role for the VSC service account that just allows for discovery, however it occurred to me that we can probably go further.
We use VSC for one single purpose only: to verify our ESX host settings match NetApp best practices. The only thing we do is browse to Overview and click Edit ESXi Host Settings when we have a new ESX host added. With this in mind: do we need an account on the cluster at all? Do we have to perform discovery if all we do is apply appropriate settings to ESX hosts? In other words: do I even need a local service account at all? Would love to hear any suggestions or thoughts!
Thanks @JohnChampion! I have seen that list before, but never thought about scripting the changes in PowerShell. I don't know that I will have time to write and troubleshoot a PS script for something like that, however. Plus I really like being able to look in VSC and verify that settings are correct for all systems.
Bumping this to see if anyone is able to answer my question regarding whether I need a VSC local account on the NetApp at all.
Here is a corollary question: if I do need to keep it, I've already given the account a custom role based on documented limited rights the account needs. However, some of those rights are still admin-oriented, which still leaves me a little concerned about someone gaining access to the account. The only application applied to the account is ontapi. I am not clear about what "ontapi" really means in this context. If someone obtained access to the account, what would they be able to do with the "ontapi" application?