Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Active Directory "ESX Admin" group membership must be verified.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-OS-99999-ESXI5-000155 | SRG-OS-99999-ESXI5-000155 | SRG-OS-99999-ESXI5-000155_rule | Low |
| Description |
|---|
| When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the "ESX Admins" group. |
| STIG | Date |
|---|---|
| VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Details
| Check Text ( C-SRG-OS-99999-ESXI5-000155_chk ) |
|---|
| From the vSphere Client/vCenter, select the host, then Configuration >> Software/Advanced Settings >> HostAgent. Verify "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" is not set to "ESX Admins". If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding. |
| Fix Text (F-SRG-OS-99999-ESXI5-000155_fix) |
|---|
| From the vSphere Client/vCenter, select the host, then Configuration >> Software/Advanced Settings >> HostAgent. Change the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" to a pre-defined group other than the default "ESX Admins". Note: The new administrator group must have been previously defined on the Active Directory server. |