Check: ESXI-67-000039
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000039
(in versions v1 r3 through v1 r1)
Title
Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory. (Cat III impact)
Discussion
When adding ESXi hosts to Active Directory (AD), all user/group accounts assigned to the AD group "ESX Admins" will have full administrative access to the host. If this group is not controlled or known to the System Administrators, it may be used for inappropriate access to the host. Therefore, the default group must be changed to a site-specific AD group and membership therein must be severely restricted. Satisfies: SRG-OS-000104-VMM-000500, SRG-OS-000109-VMM-000550, SRG-OS-000112-VMM-000560, SRG-OS-000113-VMM-000570
Check Content
From the vSphere Client, select the ESXi host and go to Configuration >> System >> Advanced System Settings. Click "Edit" and select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value and verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory, this is Not Applicable. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" key is set to "ESX Admins", this is a finding.
Fix Text
From the vSphere Client, select the ESXi host and go to Configuration >> System >> Advanced System Settings. Click "Edit" and select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" key and configure its value to an appropriate Active Directory group other than "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>
Additional Identifiers
Rule ID: SV-239294r854591_rule
Vulnerability ID: V-239294
Group Title: SRG-OS-000104-VMM-000500
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000764 |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
CCI-000770 |
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
CCI-001941 |
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. |
CCI-001942 |
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. |
Controls
Number | Title |
---|---|
IA-2 |
Identification And Authentication (Organizational Users) |
IA-2 (5) |
Group Authentication |
IA-2 (8) |
Network Access To Privileged Accounts - Replay Resistant |
IA-2 (9) |
Network Access To Non-Privileged Accounts - Replay Resistant |