Check: ESXI-67-000037
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000037
(in versions v1 r3 through v1 r1)
Title
The ESXi host must use Active Directory for local user authentication. (Cat III impact)
Discussion
Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced, and reduces the risk of security breaches and unauthorized access. Note: If the AD group "ESX Admins" (default) exists, then all users and groups that are assigned as members to this group will have full administrative access to all ESXi hosts the domain. Satisfies: SRG-OS-000104-VMM-000500, SRG-OS-000109-VMM-000550, SRG-OS-000112-VMM-000560, SRG-OS-000113-VMM-000570
Check Content
From the vSphere Client, select the ESXi host and go to Configure >> System >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding. If the "Directory Services Type" is not set to "Active Directory", this is a finding.
Fix Text
From the vSphere Client, select the ESXi host and go to Configure >> System >> Authentication Services. Click "Join Domain" and enter the AD domain to join. Select the "Using credentials” radio button, enter the credentials of an account with permissions to join machines to AD (use UPN naming – user@domain), and then click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
Additional Identifiers
Rule ID: SV-239292r854589_rule
Vulnerability ID: V-239292
Group Title: SRG-OS-000104-VMM-000500
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000764 |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
CCI-000770 |
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
CCI-001941 |
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. |
CCI-001942 |
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. |
Controls
Number | Title |
---|---|
IA-2 |
Identification And Authentication (Organizational Users) |
IA-2 (5) |
Group Authentication |
IA-2 (8) |
Network Access To Privileged Accounts - Replay Resistant |
IA-2 (9) |
Network Access To Non-Privileged Accounts - Replay Resistant |