Virtual accounts in vSphere 6.0 for Windows increase the security of vCenter Server by preventing privilege escalation within the host operating system if a single service becomes compromised. Each service is placed into its own silo using a virtual account, so even when a user gains access to a single virtual account, they are limited to the functionality of that account and to that single service. This ensures that the vSphere 6.0 environment runs on a minimum set of privileges that depends on the specific service.
The following virtual accounts are now used as the service accounts to run their respective services.

| Service | Service Account |
| --- | --- |
| VMware Component Manager | NT SERVICE\VMwareComponentManager |
| VMware Content Library Service | NT SERVICE\vdcs |
| VMware ESX Agent Manager | NT SERVICE\EsxAgentManager |
| VMware Message Bus Config Service | NT SERVICE\mbcs |
| VMware Performance Charts | NT SERVICE\vmware-perfcharts |
| VMware Postgres | NT SERVICE\vPostgres |
| VMware vAPI Endpoint | NT SERVICE\vapiEndpoint |
| VMware vCenter workflow manager | NT SERVICE\vmware-vpx-workflow |
| VMware vService Manager | NT SERVICE\VServiceManager |
| VMware vSphere Auto Deploy Waiter | NT SERVICE\vmware-autodeploy-waiter |
| VMware vSphere Web Client | NT SERVICE\vspherewebclientsvc |

Notes:
- Future releases of vSphere use unique virtual accounts for all services. However, vSphere 6.0 is limited to the preceding list.
- Do not change these accounts after they are established.
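
To confirm that none of these accounts has been changed, the following added example (not VMware's own tooling) compares each service's configured logon account against the table above. It assumes the Windows service short name is the part after `NT SERVICE\`, which is how Windows names virtual accounts; `Test-VirtualAccount` is a hypothetical helper name.

```powershell
# Added example: audit that each vCenter Server service still runs under its virtual account.
# Assumption: service short name == the part after "NT SERVICE\" (Windows virtual-account naming).
$expectedAccounts = @(
    'NT SERVICE\VMwareComponentManager',
    'NT SERVICE\vdcs',
    'NT SERVICE\EsxAgentManager',
    'NT SERVICE\mbcs',
    'NT SERVICE\vmware-perfcharts',
    'NT SERVICE\vPostgres',
    'NT SERVICE\vapiEndpoint',
    'NT SERVICE\vmware-vpx-workflow',
    'NT SERVICE\VServiceManager',
    'NT SERVICE\vmware-autodeploy-waiter',
    'NT SERVICE\vspherewebclientsvc'
)

function Test-VirtualAccount {
    param([Parameter(Mandatory)][string[]]$Accounts)

    foreach ($account in $Accounts) {
        $serviceName = $account.Split('\')[1]
        # Win32_Service.StartName holds the account the service is configured to run as.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"

        $status = if (-not $svc) {
            'NotInstalled'      # component not present on this vCenter Server
        } elseif ($svc.StartName -eq $account) {
            'OK'                # -eq is case-insensitive for strings
        } else {
            'Mismatch'          # logon account was changed away from the virtual account
        }

        [pscustomobject]@{
            Service  = $serviceName
            Expected = $account
            Actual   = if ($svc) { $svc.StartName } else { $null }
            Status   = $status
        }
    }
}

$results = Test-VirtualAccount -Accounts $expectedAccounts
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent flag drift.
if ($results.Status -contains 'Mismatch') { exit 1 }
```

A `Mismatch` row means the service now runs under a different identity, for example `LocalSystem` or a domain account, and no longer has the per-service isolation described above.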