CIS VMware ESXi 6.5 V1.0.0 L1

Ensure Active Directory is used for local user authentication – Review Domain

Details

ESXi can be configured to use a directory service such as Active Directory to manage users and groups. It is recommended that a directory service be used.

Note: If the AD group “ESX Admins” (default) is created, all users and groups that are members of this group will have full administrative access to all ESXi hosts in the domain.

*Rationale*

Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced, and reduces the risk of security breaches and unauthorized access.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To use AD for local user authentication, perform the following from the vSphere Web Client:

1. Select the host and go to ‘Manage’ -> ‘Settings’ -> ‘System’ -> ‘Authentication Services’.
2. Click the ‘Join Domain’ button.
3. Provide the domain name along with the user credentials for an AD user that has the rights to join computers to the domain.
4. Click ‘OK’.

Alternately, run the following PowerCLI command:

# Join the ESXi host to the domain (HOST1, domain.local and the credentials are sample values)
Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain domain.local -User Administrator -Password Passw0rd -JoinDomain

Notes:
1. Host Profiles can be used to automate adding hosts to an AD domain.
2. Consider using the vSphere Authentication proxy to avoid transmitting AD credentials over the network.
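
The review and join described above, as an added PowerCLI example that is not part of the benchmark text: it reports each host's domain, membership status and the AD group granted administrative access, then joins hosts with no domain using a prompted credential rather than a password typed on the command line. It assumes an existing Connect-VIServer session; the advanced setting name and the 'Ok' status value are assumptions based on standard ESXi and PowerCLI behaviour, and domain.local is the page's sample domain.

```powershell
# Added example (not from the benchmark). Assumes PowerCLI is loaded and
# Connect-VIServer has already been run against vCenter or the host.
function Get-EsxiAdAuthReport {
    param([Parameter(Mandatory)] $VMHost)
    foreach ($h in $VMHost) {
        $auth   = Get-VMHostAuthentication -VMHost $h
        $status = "$($auth.DomainMembershipStatus)"
        # AD group whose members get full administrative access to the host
        # (setting name is an assumption; the default value is 'ESX Admins')
        $group  = (Get-AdvancedSetting -Entity $h `
                    -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup').Value
        [pscustomobject]@{
            Host             = $h.Name
            Domain           = $auth.Domain
            MembershipStatus = $status
            Joined           = ([bool]$auth.Domain -and $status -eq 'Ok')
            AdminGroup       = $group
            UsesDefaultGroup = ($group -eq 'ESX Admins')
        }
    }
}

# Review: one row per host; Joined = False fails the recommendation.
$report = Get-EsxiAdAuthReport -VMHost (Get-VMHost)
$report | Format-Table -AutoSize

# Hosts with a domain set but a status other than 'Ok' need investigation,
# not a second join, so only hosts with no domain at all are joined here.
$toJoin = $report | Where-Object { -not $_.Domain }
if ($toJoin) {
    # Prompt for the AD account so the password never appears in the
    # command line, console history or a script file.
    $cred = Get-Credential -Message 'AD account allowed to join computers to the domain'
    foreach ($row in $toJoin) {
        Get-VMHost -Name $row.Host | Get-VMHostAuthentication |
            Set-VMHostAuthentication -Domain 'domain.local' -Credential $cred -JoinDomain
    }
}
```

A row with UsesDefaultGroup set to True means membership of the AD group “ESX Admins” grants full administrative access on that host, so that group's membership should be reviewed as part of this control.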

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: VMware.

Updated on July 16, 2022