Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-63247 | ESXI-06-000039 | SV-77737r2_rule | | Low |
Description |
---|
When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the "ESX Admins" group. |
STIG | Date |
---|---|
VMware vSphere ESXi 6.0 Security Technical Implementation Guide | 2019-01-04 |
Check Text ( C-63981r3_chk ) |
---|
From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Verify it is not set to "ESX Admins". Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding. |
Fix Text (F-69165r2_fix) |
---|
From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Configure it to an Active Directory group other than "ESX Admins". Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value |
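
The check text above has three outcomes (Not Applicable, finding, not a finding) that depend on Active Directory membership and local accounts as well as the setting itself. The PowerShell below is an added example, not part of the STIG: it applies that decision logic per host. The function names, the sample host and group names, and the use of Get-VMHostAuthentication and Get-VMHostAccount to gather the domain and local accounts are assumptions of this example.

```powershell
# Added example: applies the ESXI-06-000039 check text to facts gathered per host.
function Test-EsxAdminsGroupFinding {
    param(
        [string]   $HostName,
        [string]   $EsxAdminsGroup,      # Config.HostAgent.plugins.hostsvc.esxAdminsGroup
        [string]   $Domain,              # empty when the host is not joined to Active Directory
        [string[]] $LocalAccounts = @()
    )
    $builtIn = 'root', 'dcui', 'vpxuser'
    $extra   = @($LocalAccounts | Where-Object { $_ -notin $builtIn })

    if ([string]::IsNullOrWhiteSpace($Domain)) {
        if ($extra.Count -eq 0) {
            $status = 'Not Applicable'; $reason = 'No Active Directory; only root, dcui and/or vpxuser exist'
        } else {
            $status = 'Finding'; $reason = "No Active Directory; other local accounts: $($extra -join ', ')"
        }
    } elseif ($EsxAdminsGroup.Trim() -eq 'ESX Admins') {   # -eq ignores case, as AD group names do
        $status = 'Finding'; $reason = 'Setting still names the "ESX Admins" group'
    } else {
        $status = 'Not a Finding'; $reason = "Setting is '$EsxAdminsGroup'"
    }
    [pscustomobject]@{ Host = $HostName; Status = $status; Reason = $reason }
}

# Live collection; needs PowerCLI and a session connected directly to the ESXi host.
function Get-EsxAdminsGroupFacts {
    foreach ($h in Get-VMHost) {
        @{
            HostName       = $h.Name
            EsxAdminsGroup = ($h | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup).Value
            Domain         = (Get-VMHostAuthentication -VMHost $h).Domain
            LocalAccounts  = @(Get-VMHostAccount -User | ForEach-Object { $_.Id })
        }
    }
}

# Constructed sample facts (not from real hosts) so the logic runs without a connection.
$samples = @(
    @{ HostName = 'esx-a.example'; EsxAdminsGroup = 'ESX Admins';  Domain = 'corp.example'; LocalAccounts = 'root','dcui','vpxuser' }
    @{ HostName = 'esx-b.example'; EsxAdminsGroup = 'vSphere-Ops'; Domain = 'corp.example'; LocalAccounts = 'root','dcui','vpxuser' }
    @{ HostName = 'esx-c.example'; EsxAdminsGroup = 'ESX Admins';  Domain = '';             LocalAccounts = 'root','dcui' }
    @{ HostName = 'esx-d.example'; EsxAdminsGroup = 'ESX Admins';  Domain = '';             LocalAccounts = 'root','svc-backup' }
)
foreach ($facts in $samples) { Test-EsxAdminsGroupFinding @facts }
# Against a real host: foreach ($facts in Get-EsxAdminsGroupFacts) { Test-EsxAdminsGroupFinding @facts }
```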