ESXI-06-300037 - The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using Active Directory for local user authentication.

Information

Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced and reduces the risk of security breaches and unauthorized access. Note: If the AD group 'ESX Admins' (default) exists then all users and groups that are assigned as members to this group will have full administrative access to all ESXi hosts the domain.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, select the ESXi Host.

Go to Configuration >> Authentication Services.

Click 'Properties'.

Change the 'Directory Service Type' to 'Active Directory'.

Enter the domain to join.

Check 'Use vSphere Authentication Proxy'.

Enter the proxy server address.

Click 'Join Domain'.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain 'domain name' -User 'username' -Password 'password'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R5_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(9), CAT|III, CCI|CCI-001942, Group-ID|V-63907, Rule-ID|SV-78397r2_rule, STIG-ID|ESXI-06-300037, Vuln-ID|V-63907

Plugin: VMware

Control ID: 464b09ae5ed4421aefc615d689b0110cad3aa70d1eef06182532ce5d5fbe14c0