
Ensure a non-root user account exists for local admin access

Details

By default, each ESXi host has a single “root” admin account that is used for local administration and to connect the host to vCenter Server. Use of this shared account should be limited, and named (non-root) user accounts with admin privileges should be used instead.

*Rationale*

To avoid sharing a common root account, it is recommended on each host to create at least one named user account and assign it full admin privileges, and to use this account in lieu of a shared “root” account. Limit the use of “root”, including setting a highly complex password for the account, but do not remove the “root” account.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To create one or more named user accounts (local ESXi user accounts), perform the
following using the vSphere client (not the vSphere web client) for each ESXi host:

1. Connect directly to the ESXi host using the vSphere Client.
2. Log in as root.
3. Select the ‘Local Users & Groups’ tab.
4. Add a local user; be sure to grant shell access to this user.
5. Select the ‘Permissions’ tab.
6. Assign the ‘Administrator’ role to the user.
7. Repeat this for each ESXi host.

Notes:

1. Even if you add your ESXi host to an Active Directory domain, it is still recommended
to add at least one local user account to ensure admins can still log in in the event the
host ever becomes isolated and unable to access Active Directory.
2. Adding local user accounts can be automated using Host Profiles.
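
To verify the result of the steps above, the following added example (not part of the benchmark text or of the Nessus check) parses the table printed by `esxcli system permission list` and reports whether a named, non-root local account holds the Admin role. The sample outputs are constructed, and treating `dcui` and `vpxuser` as built-in accounts and skipping `DOMAIN\user` principals are assumptions of this example.

```python
import re

# Assumption: default/service accounts that do not count as named admins.
BUILTIN = {"root", "dcui", "vpxuser"}

# Constructed sample output of `esxcli system permission list` (not from a real host).
HARDENED = r"""
Principal           Is Group  Role      Role description
------------------  --------  --------  ------------------
dcui                   false  Admin     Full access rights
root                   false  Admin     Full access rights
vpxuser                false  Admin     Full access rights
EXAMPLE\ESX Admins      true  Admin     Full access rights
jdoe-adm               false  Admin     Full access rights
auditor                false  ReadOnly  Read-only access
"""

# Constructed: same host without the named local users (AD group only).
AD_ONLY = "\n".join(l for l in HARDENED.splitlines()
                    if not l.startswith(("jdoe", "auditor")))

def parse_permissions(text):
    """Return one dict per data row; columns are separated by two or more spaces."""
    rows = []
    for line in text.splitlines():
        cells = re.split(r"\s{2,}", line.strip())
        if len(cells) < 3 or cells[0] == "Principal" or set(cells[0]) == {"-"}:
            continue  # blank line, header or ruler
        rows.append({"principal": cells[0],
                     "is_group": cells[1].lower() == "true",
                     "role": cells[2]})
    return rows

def named_local_admins(text):
    """Local, individual accounts with the Admin role, excluding built-ins."""
    return sorted(
        r["principal"] for r in parse_permissions(text)
        if r["role"] == "Admin"
        and not r["is_group"]
        and "\\" not in r["principal"]  # DOMAIN\user is a directory account, not local
        and r["principal"].lower() not in BUILTIN
    )

def audit(text):
    admins = named_local_admins(text)
    return {"compliant": bool(admins), "named_local_admins": admins}

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("ad_only", AD_ONLY)):
        print(name, audit(sample))
```

The AD-only sample fails because a directory group cannot be used when the host is isolated from Active Directory, which is the case Note 1 describes.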

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.


Updated on July 16, 2022