Details
The vCenter Server must ensure users are authenticated with an individual authenticator prior to using a group authenticator. Using Active Directory for authentication provides more robust account management capabilities.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration.
Click ‘Add identity source’.
Select either ‘Active Directory over LDAP’ or ‘Active Directory (Windows Integrated Authentication)’ and configure appropriately.
Note: Windows Integrated Authentication requires that the vCenter server be joined to AD before configuration via Administration >> Single Sign-On >> Configuration >> Active Directory Domain.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: VMware.
References
- 800-53|IA-2(5)
- CAT|II
- CCI|CCI-000770
- Rule-ID|SV-243079r719480_rule
- STIG-ID|VCTR-67-000009
- Vuln-ID|V-243079