
The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.


Overview

Finding ID: V-39352
Version: SRG-OS-99999-ESXI5-000160
Rule ID: SV-51210r2_rule
IA Controls: (none listed)
Severity: Medium
Description
ESXi hosts configured to join an Active Directory domain using host profiles do not protect the passwords used for host authentication. To avoid transmitting clear text passwords, the vSphere Authentication Proxy must be used to configure hosts in an Active Directory.
STIG: VMware ESXi Server 5.0 Security Technical Implementation Guide
Date: 2017-01-06

Details

Check Text ( C-46626r3_chk )
For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this check is not applicable.

NOTE: vSphere Authentication Proxy is available via the vSphere vCenter Server ISO. Although mainly used with Auto Deploy, which is available only with the vSphere Enterprise Plus Edition, vSphere Authentication Proxy does not require a specific vSphere Edition (i.e., Standard vs Enterprise) to be installed.

From the vSphere client, select "Host Profiles". Right click the Host Profile and select Edit. Choose "Authentication configuration >> Active Directory Configuration >> Join Domain Method". Verify the Join Domain Method is set to "Use vSphere Authentication Proxy to add the host to domain".

If the vSphere Authentication Proxy is installed and the Join Domain Method is not set to "Use vSphere Authentication Proxy to add the host to domain", this is a finding.
Fix Text (F-44366r2_fix)
From the vSphere client, select "Host Profiles". Right click the Host Profile and select Edit. Choose "Authentication configuration >> Active Directory Configuration >> Join Domain Method". Set the Join Domain Method to "Use vSphere Authentication Proxy to add the host to domain".
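The check above is a per-profile click-through in the vSphere client. The following PowerCLI script is an added example, not part of the STIG or of VMware's tooling, that reads the Active Directory section of every host profile and reports which join-method option each one carries. It assumes an existing Connect-VIServer session to vCenter and that the option id used for the Authentication Proxy join method contains "CAM" (an assumption; the raw option id is printed so the operator can confirm it against the profile editor).

```powershell
# Added audit example for V-39352 (not STIG or VMware code).
# Walks the host profile API (Config.ApplyProfile.Authentication.ActiveDirectory)
# and reports the join-method policy option of each profile.
# Assumption: the Authentication Proxy option id contains "CAM"; verify by eye.

function Test-HostProfileAuthProxy {
    $results = @()
    foreach ($hp in Get-VMHostProfile) {
        $auth = $hp.ExtensionData.Config.ApplyProfile.Authentication
        $ad = if ($auth) { $auth.ActiveDirectory } else { $null }

        if (-not $ad -or -not $ad.Enabled) {
            # No AD join configured by this profile: nothing to assess here.
            $results += [pscustomobject]@{
                Profile = $hp.Name; OptionIds = ''; Status = 'NOT APPLICABLE'
            }
            continue
        }

        # Collect every policy option id in the AD section of the profile.
        $optionIds = @($ad.Policy | ForEach-Object { $_.PolicyOption.Id })

        # Assumption: the proxy-based join method is the option whose id names CAM.
        $usesProxy = ($optionIds | Where-Object { $_ -match 'CAM' }).Count -gt 0
        $results += [pscustomobject]@{
            Profile   = $hp.Name
            OptionIds = ($optionIds -join ',')
            Status    = if ($usesProxy) { 'OK' } else { 'FINDING' }
        }
    }
    return $results
}

# Print one line per profile; any FINDING row should be set to the
# "Use vSphere Authentication Proxy to add the host to domain" method.
Test-HostProfileAuthProxy | Format-Table -AutoSize
```

A FINDING row only means the expected option id was not seen; confirm the profile in the editor before changing it, since the id match is an assumption rather than a documented value.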