STIGQter: STIG Summary: VMware vSphere 6.5 ESXi Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The ESXi host must use Active Directory for local user authentication.

DISA Rule

SV-207638r378847_rule

Vulnerability Number

V-207638

Group Title

SRG-OS-000104-VMM-000500

Rule Version

ESXI-65-000037

Severity

CAT III

CCI(s)

• CCI-000764 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Weight

10

Fix Recommendation

From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Authentication Services. Click Join Domain and enter the AD domain to join, select the "Using credentials” radio button and enter the credentials of an account with permissions to join machines to AD (use UPN naming – user@domain) and then click OK.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"

Check Contents

From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Authentication Services. Verify the Directory Services Type is set to Active Directory.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostAuthentication

For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is not applicable.

For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding.

If the Directory Services Type is not set to "Active Directory", this is a finding.

Vulnerability Number

V-207638

Documentable

False

Rule Version

ESXI-65-000037

Severity Override Guidance

From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Authentication Services. Verify the Directory Services Type is set to Active Directory.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostAuthentication

For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is not applicable.

For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding.

If the Directory Services Type is not set to "Active Directory", this is a finding.

Check Content Reference

M

Target Key

2925

Comments