The ESXi host must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by restricting use of Active Directory ESX Admin group membership.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-94547 | ESXI-65-300039 | SV-104377r1_rule | Low |
| Description |
|---|
| When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the "ESX Admins" group. |
| STIG | Date |
|---|---|
| VMware vSphere 6.5 ESXi Security Technical Implementation Guide | 2019-12-13 |
Details
| Check Text ( C-93735r1_chk ) |
|---|
| For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is not applicable. From the vSphere Client select the ESXi host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value and verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory and do have local user accounts, other than "root" and/or "vpxuser", this is a finding. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value is set to "ESX Admins", this is a finding. |
| Fix Text (F-100663r1_fix) |
|---|
| From the vSphere Client select the ESXi host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value and configure it to an Active Directory group other than "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value |