4.7 Ensure only authorized users and groups belong to the esxAdminsGroup group

Information

The AD group used by vSphere is defined by the esxAdminsGroup attribute. By default, this attribute is set to 'ESX Admins'. All members of the group are granted full administrative access to all ESXi hosts in the domain. Monitor AD for the creation of this group, and limit membership to highly trusted users and groups.

Rationale:

An unauthorized user or group having membership in the esxAdminsGroup group will have full administrative access to all ESXi hosts. Such users may compromise the confidentiality, availability, and integrity of the all ESXi hosts and the respective data and processes they influence.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remove unauthorized users and groups belonging to esxAdminsGroup, perform the following steps after coordination between vSphere admins and Active Directory admins:

Verify the setting of the esxAdminsGroup attribute.

View the list of members for that Microsoft Active Directory group.

Remove all unauthorized users and groups from that group.

If full admin access for the AD ESX admins group is not desired, you can disable this behavior using the advanced host setting: 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'.

Default Value:

'ESX Admins'

See Also

https://workbench.cisecurity.org/benchmarks/7798