ESXI-06-300039 - The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by restricting use of Active Directory ESX Admin group membership.

Information

When adding ESXi hosts to Active Directory, if the group 'ESX Admins' exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the 'ESX Admins' group.

Solution

From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings.

Select the 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' value.

Configure it to an Active Directory group other than 'ESX Admins'.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R5_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(9), CAT|III, CCI|CCI-001942, Group-ID|V-63911, Rule-ID|SV-78401r2_rule, STIG-ID|ESXI-06-300039, Vuln-ID|V-63911

Plugin: VMware

Control ID: 773cc6d5ad2aa9b745de4ec3795af83697bd5f488b9b8862292339d044ca48a7