Active Directory ESX Admin group membership must be verified unused.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-39349 | SRG-OS-99999-ESXI5-000155 | SV-51207r1_rule | Low |
| Description |
|---|
| When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the "ESX Admins" group. |
| STIG | Date |
|---|---|
| VMware ESXi Server 5.0 Security Technical Implementation Guide | 2017-01-06 |
Details
| Check Text ( C-46623r1_chk ) |
|---|
| For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this check is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this check is a finding. From the vSphere Client/vCenter, select the host, then Configuration >> Software/Advanced Settings >> HostAgent. Verify "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" is not set to "ESX Admins". If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding. |
| Fix Text (F-44363r1_fix) |
|---|
| From the vSphere Client/vCenter, select the host, then Configuration >> Software/Advanced Settings >> HostAgent. Change the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" to a pre-defined group other than the default "ESX Admins". Note: The new administrator group must have been previously defined on the Active Directory server. |