4.4 Ensure only authorized users and groups belong to the esxAdminsGroup group

Information

The AD group used by vSphere is defined by the esxAdminsGroup attribute. By default, this
attribute is set to 'ESX Admins'. All members of the 'ESX Admins' group are granted full
administrative access to all ESXi hosts in the domain. Monitor AD for the creation of this
group and limit membership to highly trusted users and groups.

*Rationale*

An unauthorized user having membership in the group set by the esxAdminsGroup
attribute will have full administrative access to all ESXi hosts. Given this, such users may
compromise the confidentiality, availability, and integrity of the all ESXi hosts and the
respective data and processes they influence.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remove unauthorized users and groups belonging to esxAdminsGroup, perform the following steps after coordination between vSphere admins and Active Directory admins:
1. Verify the setting of the esxAdminsGroup attribute.
2. View the list of members for that Microsoft Active Directory group.
3. Remove all unauthorized users and groups from that group.
If full admin access for the AD ESX admins group is not desired, you can disable this behavior using the advanced host setting: "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd".

See Also

https://workbench.cisecurity.org/files/2168

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4.1

Plugin: VMware

Control ID: e938092cfe72b8f57d1e5313bd141de60eeab2132dcce14dd14f366aadbc374f