2.8 When adding ESXi hosts to Active Directory use the vSphere Authentication Proxy to protect passwords

Information

If you are using Host Profiles to join ESXi hosts to Active Directory then vSphere
Authentication Proxy should be used to keep credentials from being sent over the
network.


*Rationale*

If you configure your host to join an Active Directory domain using Host Profiles, the Active
Directory credentials are saved in the host profile and are transmitted over the network. To
avoid saving Active Directory credentials in the Host Profile and transmitting them over the
network, use the vSphere Authentication Proxy.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To implement the recommended configuration state, perform the following:

1. From the vSphere web client, navigate to 'Host Profiles'.
2. Select the host profile.
3. Select 'Manage' -> 'Edit Host profile'.
4. Expand 'Security and Services' -> 'Security Settings' -> 'Authentication
Configuration'.
5. Select 'Active Directory configuration'.
6. Set the 'Join Domain Method' to 'Use vSphere Authentication Proxy to add the host
to domain'.
7. Provide the IP address of the authentication proxy.
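
Because this item is not checked automatically, the setting from steps 1-7 can be audited with PowerCLI. The script below is an added example, not part of the benchmark text; it assumes an existing Connect-VIServer session and that the profile exposes the policy id 'JoinDomainMethodPolicy' with option id 'FixedCAMConfigOption' for the proxy method, as in VMware's hardening-guide check (confirm both on your vSphere version).

```powershell
# Added example: report how each host's attached Host Profile joins Active Directory.
# Requires VMware PowerCLI and an active Connect-VIServer session.
# Assumption: 'JoinDomainMethodPolicy' / 'FixedCAMConfigOption' are the ids used by
# your vSphere version for "Use vSphere Authentication Proxy"; verify before relying on it.

$proxyOptionId = 'FixedCAMConfigOption'

$report = foreach ($vmhost in Get-VMHost) {
    $hostProfile = $vmhost | Get-VMHostProfile

    if (-not $hostProfile) {
        # No profile attached: the control applies only when Host Profiles join the domain.
        [pscustomobject]@{
            Host             = $vmhost.Name
            HostProfile      = $null
            JoinADEnabled    = $null
            JoinDomainMethod = $null
            Status           = 'No host profile attached'
        }
        continue
    }

    # Active Directory section of the profile's authentication configuration.
    $ad     = $hostProfile.ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory
    $method = ($ad.Policy | Where-Object { $_.Id -eq 'JoinDomainMethodPolicy' }).PolicyOption.Id

    $status = if (-not $ad.Enabled) {
        'Profile does not join AD'
    } elseif ($method -eq $proxyOptionId) {
        'Compliant: uses Authentication Proxy'
    } else {
        'Review: credentials stored in profile'
    }

    [pscustomobject]@{
        Host             = $vmhost.Name
        HostProfile      = $hostProfile.Name
        JoinADEnabled    = $ad.Enabled
        JoinDomainMethod = $method
        Status           = $status
    }
}

$report | Format-Table -AutoSize
```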

Default Value: The prescribed state is not the default state.

See Also

https://workbench.cisecurity.org/files/902

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3

Plugin: VMware

Control ID: 5a4b69a68615d42bffc72c9d05331826fd097bcb4c608c99b8608a183c517ceb