STIGQter: STIG Summary: VMware vSphere 6.7 ESXi Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:

ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.

DISA Rule

SV-239293r674808_rule

Vulnerability Number

V-239293

Group Title

SRG-OS-000104-VMM-000500

Rule Version

ESXI-67-000038

Severity

CAT II

CCI(s)

• CCI-000764 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
• CCI-000770 - The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
• CCI-001941 - The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
• CCI-001942 - The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

Weight

10

Fix Recommendation

From the vSphere Client, go to Home >> Host Profiles and select a Host Profile to edit.

View the settings under Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method.

Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain" and provide the IP address of the vSphere Authentication Proxy server.

Check Contents

From the vSphere Client, go to Home >> Host Profiles and select a Host Profile to edit.

View the settings under Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method.

Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain".

or

From a PowerCLI command prompt while connected to vCenter, run the following command:

Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}

Verify that if "JoinADEnabled" is "True", "JoinDomainMethod" is "FixedCAMConfigOption".

If not using Host Profiles to join active directory, this is not a finding.

Vulnerability Number

V-239293

Documentable

False

Rule Version

ESXI-67-000038

Severity Override Guidance

From the vSphere Client, go to Home >> Host Profiles and select a Host Profile to edit.

View the settings under Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method.

Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain".

or

From a PowerCLI command prompt while connected to vCenter, run the following command:

Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}

Verify that if "JoinADEnabled" is "True", "JoinDomainMethod" is "FixedCAMConfigOption".

If not using Host Profiles to join active directory, this is not a finding.

Check Content Reference

M

Target Key

5326

Comments