4.6 (L1) Ensure Active Directory is used for local user authentication

Information

ESXi can be configured to use a directory service such as Active Directory to manage users and groups. It is recommended that a directory service be used.

Note: If the AD group "ESX Admins" (default) is created, all users and groups that are members of this group will have full administrative access to all ESXi hosts in the domain.

Joining ESXi hosts to an Active Directory (AD) domain eliminates the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced, and reduces the risk of security breaches and unauthorized access.

Solution

To use AD for local user authentication, perform the following from the vSphere Web Client:

- Select the host
- Click on Configure then expand System
- Select Authentication Services
- Click Join Domain followed by the appropriate domain and credentials.
- Click OK

Alternately, run the following PowerCLI command:

# Join the ESXi host to the domain
Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain domain.local -User Administrator -Password Passw0rd -JoinDomain

Notes:

- Host Profiles can be used to automate adding hosts to an AD domain.
- Consider using the vSphere Authentication proxy to avoid transmitting AD credentials over the network.
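The following PowerCLI script is an added example, not part of the CIS benchmark or the Tenable audit: it checks every host for membership in the expected AD domain, lists the hosts that still rely on local accounts only, and joins those hosts using a prompted credential instead of a password typed on the command line. The vCenter name and domain are placeholder values.

```powershell
# Added example: audit ESXi hosts for AD domain membership and remediate.
# Assumes VMware PowerCLI is installed; the server and domain names below
# are placeholders to replace with your own.
param(
    [string]$VCenter = 'vcenter.example.local',   # placeholder
    [string]$Domain  = 'domain.local'             # placeholder
)

Connect-VIServer -Server $VCenter | Out-Null

# Collect the authentication state of every host managed by this vCenter.
$results = foreach ($vmhost in Get-VMHost) {
    $auth = $vmhost | Get-VMHostAuthentication
    [pscustomobject]@{
        Host      = $vmhost.Name
        Domain    = $auth.Domain
        Status    = $auth.DomainMembershipStatus
        # Compliant only when joined to the expected domain and the trust is healthy.
        Compliant = ($auth.Domain -eq $Domain -and $auth.DomainMembershipStatus -eq 'Ok')
    }
}

$results | Format-Table -AutoSize

# Remediate non-compliant hosts. Prompting for the credential keeps the
# password out of the script, the console history and the PowerCLI transcript.
$nonCompliant = $results | Where-Object { -not $_.Compliant }
if ($nonCompliant) {
    $cred = Get-Credential -Message "AD account permitted to join hosts to $Domain"
    foreach ($entry in $nonCompliant) {
        Get-VMHost -Name $entry.Host | Get-VMHostAuthentication |
            Set-VMHostAuthentication -Domain $Domain -Credential $cred -JoinDomain -Confirm:$false
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run the audit half on its own first to confirm the list of non-compliant hosts before letting the remediation loop act on them.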

See Also

https://workbench.cisecurity.org/benchmarks/15334

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(1), CSCv7|16.2

Plugin: Unix

Control ID: 5e0e8555a67280f2b778fc037c0d665cf5495d8c983d24a0d796063494c733a5