Active Directory "ESX Admin" group membership must be verified.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-OS-99999-ESXI5-000155 | SRG-OS-99999-ESXI5-000155 | SRG-OS-99999-ESXI5-000155_rule | Low |
| Description |
|---|
| When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the "ESX Admins" group. |
| STIG | Date |
|---|---|
| VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Details
| Check Text ( C-SRG-OS-99999-ESXI5-000155_chk ) |
|---|
| From the vSphere Client/vCenter, select the host, then Configuration >> Software/Advanced Settings >> HostAgent. Verify "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" is not set to "ESX Admins". If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding. |
| Fix Text (F-SRG-OS-99999-ESXI5-000155_fix) |
|---|
| From the vSphere Client/vCenter, select the host, then Configuration >> Software/Advanced Settings >> HostAgent. Change the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" to a pre-defined group other than the default "ESX Admins". Note: The new administrator group must have been previously defined on the Active Directory server. |