Detections
Analytics
ESXI-67-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
Information
When adding ESXi hosts to Active Directory (AD), all user/group accounts assigned to the AD group 'ESX Admins' will have full administrative access to the host. If this group is not controlled or known to the System Administrators, it may be used for inappropriate access to the host. Therefore, the default group must be changed to a site-specific AD group and membership therein must be severely restricted.Satisfies: SRG-OS-000104-VMM-000500, SRG-OS-000109-VMM-000550, SRG-OS-000112-VMM-000560, SRG-OS-000113-VMM-000570
Solution
From the vSphere Client, select the ESXi host and go to Configuration >> System >> Advanced System Settings.Click 'Edit' and select the 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' key and configure its value to an appropriate Active Directory group other than 'ESX Admins'.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip
Item Details
Audit Name: DISA STIG VMware vSphere 6.7 ESXi v1r3
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-2, 800-53|IA-2(5), 800-53|IA-2(8), 800-53|IA-2(9), CAT|III, CCI|CCI-000764, CCI|CCI-000770, CCI|CCI-001941, CCI|CCI-001942, Rule-ID|SV-239294r854591_rule, STIG-ID|ESXI-67-000039, Vuln-ID|V-239294
Plugin: VMware
Control ID: 8578ed9229cb6f9ec23084741532830e2dafcf3bd91ad4db2d610340cb9588e6