Details
Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced, and reduces the risk of security breaches and unauthorized access.
Note: If the AD group ‘ESX Admins’ (default) exists, then all users and groups that are assigned as members to this group will have full administrative access to all ESXi hosts the domain.
Satisfies: SRG-OS-000104-VMM-000500, SRG-OS-000109-VMM-000550, SRG-OS-000112-VMM-000560, SRG-OS-000113-VMM-000570
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere Client, select the ESXi host and go to Configure >> System >> Authentication Services.
Click ‘Join Domain’ and enter the AD domain to join. Select the ‘Using credentials’ radio button, enter the credentials of an account with permissions to join machines to AD (use UPN naming – [email protected]), and then click ‘OK’.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain ‘domain name’ -User ‘username’ -Password ‘password’
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system VMware.
References
- 800-53|IA-2
- 800-53|IA-2(5)
- 800-53|IA-2(8)
- 800-53|IA-2(9)
- CAT|III
- CCI|CCI-000764
- CCI|CCI-000770
- CCI|CCI-001941
- CCI|CCI-001942
- Rule-ID|SV-239292r674805_rule
- STIG-ID|ESXI-67-000037
- STIG-Legacy|SV-104107
- STIG-Legacy|V-94021
- Vuln-ID|V-239292