2.8 Ensure vSphere Authentication Proxy is used when adding hosts to Active Directory

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

vSphere Authentication Proxy enables ESXi hosts to join a domain without using Active Directory credentials. vSphere Authentication Proxy enhances security for PXE-booted hosts and hosts that are provisioned using Auto Deploy and Host profiles, by removing the need to store Active Directory credentials in the host configuration.

The vSphere Authentication Proxy service binds to an IPv4 address for communication with vCenter Server, and does not support IPv6. The vCenter Server can be on a host machine in an IPv4-only, IPv4/IPv6 mixed-mode, or IPv6-only network environment, but the machine that connects to the vCenter Server through the vSphere Client must have an IPv4 address for the vSphere Authentication Proxy service to work.

Rationale:

If you configure your host to join an Active Directory domain using Host Profiles, the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid saving Active Directory credentials in the Host Profile and transmitting them over the network, use the vSphere Authentication Proxy.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To properly set the vSphere Authentication Proxy from Web Client directly:

Select the host

Click on 'Configure' -> 'Settings' -> 'Authentication Services'

Click on 'Join Domain'

Select the 'Using Proxy Server' radio button.

Provide the proxy server IP address.
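The per-host join described above can also be scripted with PowerCLI. The following is an added example, not part of the benchmark or of VMware's documentation: it calls the vSphere API method JoinDomainWithCAM (CAM is the API's name for the Authentication Proxy), so no Active Directory credential is passed to the host, and then reports the resulting membership status. The vCenter, host, domain and proxy address values are placeholders, and it assumes the proxy is already installed and trusted by the host.

```powershell
# Added example: join an ESXi host to Active Directory through the vSphere
# Authentication Proxy with PowerCLI, then verify the result. Not taken from
# the benchmark; the placeholder values below must be replaced.
param(
    [string]$VIServer     = 'vcenter.example.local',  # placeholder
    [string]$HostName     = 'esxi01.example.local',   # placeholder
    [string]$DomainName   = 'corp.example.local',     # placeholder
    [string]$ProxyAddress = '192.0.2.10'              # placeholder; IPv4 only, the proxy does not support IPv6
)

# Interactive vCenter login. No Active Directory credential is passed to the
# host anywhere in this script, which is the point of the control.
Connect-VIServer -Server $VIServer | Out-Null

$vmhost = Get-VMHost -Name $HostName

# Locate the host's Active Directory authentication store via the vSphere API.
$authMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.AuthenticationManager
$adStore = Get-View -Id $authMgr.SupportedStore |
    Where-Object { $_ -is [VMware.Vim.HostActiveDirectoryAuthentication] }

if (-not $adStore) {
    throw "Host $HostName exposes no Active Directory authentication store."
}

# JoinDomainWithCAM takes only the domain name and the proxy address; the
# proxy performs the domain join on the host's behalf.
$adStore.JoinDomainWithCAM($DomainName, $ProxyAddress)

# Verify: the domain should match and the membership status should be Ok.
$auth = Get-VMHostAuthentication -VMHost $vmhost
[pscustomobject]@{
    Host   = $HostName
    Domain = $auth.Domain
    Status = $auth.DomainMembershipStatus
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run the same Get-VMHostAuthentication query across all hosts to confirm membership status after a Host Profile remediation as well.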

To properly set the vSphere Authentication Proxy via Host Profiles:

Install and configure the Authentication proxy

From the vSphere web client, navigate to 'Host Profiles'

Select the host profile

Select 'Configure' -> 'Edit Host profile'

Expand 'Security and Services' -> 'Security Settings' -> 'Authentication Configuration'

Select 'Active Directory configuration'

Set the 'Join Domain Method' to 'Use vSphere Authentication Proxy to add the host to domain'

Provide the IP address of the authentication proxy

References:

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-084B74BD-40A5-4A4B-A82C-0C9912D580DC.html

Notes:

You can install vSphere Authentication Proxy on the same machine as the associated vCenter Server, or on a different machine that has a network connection to the vCenter Server. The vSphere Authentication Proxy is not supported with vCenter Server versions earlier than version 5.0.

See Also

https://workbench.cisecurity.org/files/2816

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CSCv7|16.2

Plugin: VMware

Control ID: 21eafd96b72048297c6c2816cade764da12210440503b433cc89192a109136e2