ESXI-06-000039 – Active Directory ESX Admin group membership must not be used.

Details

When adding ESXi hosts to Active Directory, if the group ‘ESX Admins’ exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the ‘ESX Admins’ group.

Solution

From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings.

Select the ‘Config.HostAgent.plugins.hostsvc.esxAdminsGroup’ value.

Configure it to an Active Directory group other than ‘ESX Admins’.

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R5_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system VMware.

References

800-53|IA-2
CAT|III
CCI|CCI-000764
Group-ID|V-63247
Rule-ID|SV-77737r2_rule
STIG-ID|ESXI-06-000039
Vuln-ID|V-63247

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles