STIGQter: STIG Summary: VMware vSphere 6.5 ESXi Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using Active Directory for local user authentication.

DISA Rule

SV-207675r378862_rule

Vulnerability Number

V-207675

Group Title

SRG-OS-000109-VMM-000550

Rule Version

ESXI-65-100037

Severity

CAT III

CCI(s)

• CCI-000770 - The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.

Weight

10

Fix Recommendation

From the vSphere Client select the ESXi host and go to Configuration >> Authentication Services. Click "Properties" and change the "Directory Service Type" to "Active Directory", enter the domain to join, check "Use vSphere Authentication Proxy" and enter the proxy server address then click "Join Domain".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"

Check Contents

For systems that do not use Active Directory and have no local user accounts, other than "root" and/or "vpxuser", this is not applicable.

From the vSphere Client select the ESXi host and go to Configuration >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostAuthentication

For systems that do not use Active Directory and do have local user accounts, other than "root" and/or "vpxuser"", this is a finding.

If the "Directory Services Type" is not set to "Active Directory", this is a finding.
If you are not using Host Profiles to join active directory, this is not a finding.

Vulnerability Number

V-207675

Documentable

False

Rule Version

ESXI-65-100037

Severity Override Guidance

For systems that do not use Active Directory and have no local user accounts, other than "root" and/or "vpxuser", this is not applicable.

From the vSphere Client select the ESXi host and go to Configuration >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostAuthentication

For systems that do not use Active Directory and do have local user accounts, other than "root" and/or "vpxuser"", this is a finding.

If the "Directory Services Type" is not set to "Active Directory", this is a finding.
If you are not using Host Profiles to join active directory, this is not a finding.

Check Content Reference

M

Target Key

2925

Comments