ESXI-06-100039 - The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by restricting use of Active Directory ESX Admin group membership.

Information

When adding ESXi hosts to Active Directory, if the group 'ESX Admins' exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the 'ESX Admins' group.

Solution

From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings.

Select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value.

Configure it to an Active Directory group other than 'ESX Admins'.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R5_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(5), CAT|III, CCI|CCI-000770, Group-ID|V-63769, Rule-ID|SV-78259r2_rule, STIG-ID|ESXI-06-100039, Vuln-ID|V-63769

Plugin: VMware

Control ID: da4bb4ea9eec59d2e4255e08dd4abcd08bdb530f0dafd503c817031903de2bc3