
The ESXi host must use multifactor authentication for local DCUI access to privileged accounts.


Overview

Finding ID: V-239295
Version: ESXI-67-000040
Rule ID: SV-239295r816574_rule
IA Controls:
Severity: Low
Description
To ensure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.

Note: This feature requires an existing PKI and AD integration.

Satisfies: SRG-OS-000107-VMM-000530, SRG-OS-000376-VMM-001520, SRG-OS-000377-VMM-001530, SRG-OS-000403-VMM-001640
STIG: VMware vSphere 6.7 ESXi Security Technical Implementation Guide
Date: 2022-01-05

Details

Check Text (C-42528r816573_chk)
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Authentication Services and view the Smart Card Authentication status.

If "Smart Card Mode" is "Disabled", this is a finding.

For environments that do not have PKI or AD available, this is Not Applicable.
Fix Text (F-42487r674813_fix)
The following are prerequisites for configuring smart card authentication for the ESXi DCUI:

- Active Directory domain that supports smart card authentication, smart card readers, and smart cards;
- ESXi joined to an Active Directory domain; and
- Trusted certificates for root and intermediary certificate authorities.

From the vSphere Client, select the ESXi host and go to Configure >> System >> Authentication Services, click "Edit", and check the "Enable Smart Card Authentication" checkbox.

At the "Certificates" tab, click the green plus sign to import trusted certificate authority certificates and click "OK".