4.3 Use Active Directory for local user authentication - Review Domain

Information

ESXi can be configured to use a directory service such as Active Directory to manage users
and groups. It is recommended that a directory service be used.

*Rationale*

Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and
maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi
host configuration, ensures password complexity and reuse policies are enforced and
reduces the risk of security breaches and unauthorized access.
Note- If the AD group 'ESX Admins' (default) is created, all users and groups that are
assigned as members to this group will have full administrative access to all ESXi hosts the
domain. Refer to the 'verify-admin-group' recommendation for more information.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

From the vSphere Web Client-

1. Select the host and go to 'Manage' -> 'Settings' -> 'System' -> 'Authentication
Services'.
2. Click the 'Join Domain' button.
3. Provide the domain name along with the user credentials for an AD user that has the
rights to join computers to the domain.
4. Click 'OK'.To implement the recommended configuration state, run the following PowerCLI
command-# Join the ESXI Host to the Domain
Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain
domain.local -User Administrator -Password Passw0rd -JoinDomain

Notes-
1. Host Profiles can be used to automate adding hosts to an AD domain.
2. Consider using the vSphere Authentication proxy to avoid transmitting AD
credentials over the network.
3. If the AD group 'ESX Admins' (default) is created all users and groups that are
assigned as members to this group will have full administrative access to all ESXi
hosts the domain.

See Also

https://workbench.cisecurity.org/files/145

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2

Plugin: VMware

Control ID: bf89c96ed50000902fecedcc7d3069dbc32051cc97e876fd16e096725ad68463