STIGQter: STIG Summary: VMware vSphere 6.5 ESXi Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.

DISA Rule

SV-207640r378847_rule

Vulnerability Number

V-207640

Group Title

SRG-OS-000104-VMM-000500

Rule Version

ESXI-65-000039

Severity

CAT III

CCI(s)

CCI-000764 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Weight

Fix Recommendation

Check Contents

From the vSphere Web Client select the ESXi Host and go to Configuration >> System >> Advanced System Settings. Click Edit and select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value and verify it is not set to "ESX Admins".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup

For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is not applicable.

For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding.

If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.

Vulnerability Number

V-207640

Documentable

False

Rule Version

ESXI-65-000039

Severity Override Guidance

Check Content Reference

Target Key

2925

Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments