Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-63911 | ESXI-06-300039 | SV-78401r1_rule | Low |
Description |
---|
When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the "ESX Admins" group. |
STIG | Date |
---|---|
VMware vSphere ESXi 6.0 Security Technical Implementation Guide | 2017-07-11 |
Check Text ( C-64661r1_chk ) |
---|
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value and verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding. |
Fix Text (F-69839r1_fix) |
---|
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value and configure it to an Active Directory group other than "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value |