Check: ESXI-65-100037
VMware vSphere 6.5 ESXi STIG:
ESXI-65-100037
(in versions v2 r4 through v1 r3)
Title
The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using Active Directory for local user authentication. (Cat III impact)
Discussion
Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced and reduces the risk of security breaches and unauthorized access. Note: If the AD group "ESX Admins" (default) exists then all users and groups that are assigned as members to this group will have full administrative access to all ESXi hosts the domain.
Check Content
For systems that do not use Active Directory and have no local user accounts, other than "root" and/or "vpxuser", this is not applicable. From the vSphere Client select the ESXi host and go to Configuration >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and do have local user accounts, other than "root" and/or "vpxuser"", this is a finding. If the "Directory Services Type" is not set to "Active Directory", this is a finding. If you are not using Host Profiles to join active directory, this is not a finding.
Fix Text
From the vSphere Client select the ESXi host and go to Configuration >> Authentication Services. Click "Properties" and change the "Directory Service Type" to "Active Directory", enter the domain to join, check "Use vSphere Authentication Proxy" and enter the proxy server address then click "Join Domain". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
Additional Identifiers
Rule ID: SV-207675r378862_rule
Vulnerability ID: V-207675
Group Title: SRG-OS-000109-VMM-000550
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000770 |
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
Controls
Number | Title |
---|---|
IA-2 (5) |
Group Authentication |