The system must use Active Directory for local user authentication for accounts other than root and the vpxuser.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-39348	SRG-OS-99999-ESXI5-000154	SV-51206r1_rule		Low

Description
Creating local user accounts on each host presents challenges with having to synchronize account names and passwords across multiple hosts. Join ESXi hosts to an Active Directory domain to eliminate the need to create and maintain local user accounts. Using Active Directory for user authentication simplifies the ESXi host configuration and reduces the risk for configuration issues that could lead to unauthorized access. Note that when adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host.

Description

Creating local user accounts on each host presents challenges with having to synchronize account names and passwords across multiple hosts. Join ESXi hosts to an Active Directory domain to eliminate the need to create and maintain local user accounts. Using Active Directory for user authentication simplifies the ESXi host configuration and reduces the risk for configuration issues that could lead to unauthorized access. Note that when adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host.

STIG	Date
VMware ESXi Server 5.0 Security Technical Implementation Guide	2017-01-06

Details

Check Text ( C-46622r1_chk )
For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this check is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this check is a finding. From the vSphere client, select the host, then "Configuration >> Authentication Services" and verify the Directory Services Type is set to Active Directory. If the Directory Services Type is not set to "Active Directory", this is a finding.

Check Text ( C-46622r1_chk )

For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this check is not applicable.

For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this check is a finding.

From the vSphere client, select the host, then "Configuration >> Authentication Services" and verify the Directory Services Type is set to Active Directory.

If the Directory Services Type is not set to "Active Directory", this is a finding.

Fix Text (F-44362r1_fix)
Perform the following steps to configure the ESXi host to use Active Directory: (1) Log into the ESXi host using the vSphere Client and authenticating with the root account (or an equivalent account). (2) Select the ESXi host from the inventory and click the Configuration tab. (3) From the Software section, select Authentication Services. (4) Click Properties in the upper-right corner. (5) From the Directory Services Configuration dialog box, select Active Directory from the Select Directory Service Type drop-down list. (6) Supply the DNS domain name of the Active Directory domain this ESXi host will use for authentication. (7) Click the Join Domain button. (8) Specify a username and password that has permission to allow the host to join the domain. Once the ESXi host is joined to Active Directory, users will be able to authenticate to an ESXi host using their Active Directory credentials. Using the vSphere Client or the vCLI, users can use either the domain\username or username@domain syntax.

Fix Text (F-44362r1_fix)

Perform the following steps to configure the ESXi host to use Active Directory:
(1) Log into the ESXi host using the vSphere Client and authenticating with the root account (or an equivalent account).
(2) Select the ESXi host from the inventory and click the Configuration tab.
(3) From the Software section, select Authentication Services.
(4) Click Properties in the upper-right corner.
(5) From the Directory Services Configuration dialog box, select Active Directory from the Select Directory Service Type drop-down list.
(6) Supply the DNS domain name of the Active Directory domain this ESXi host will use for authentication.
(7) Click the Join Domain button.
(8) Specify a username and password that has permission to allow the host to join the domain.

Once the ESXi host is joined to Active Directory, users will be able to authenticate to an ESXi host using their Active Directory credentials. Using the vSphere Client or the vCLI, users can use either the domain\username or username@domain syntax.