Details
The Active Directory group that ESXi trusts is named by the esxAdminsGroup attribute (the per-host advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup). By default, this
attribute is set to ‘ESX Admins’. When a host is joined to the domain, every member of the group with that name, including members of nested groups, is granted the Administrator role on the host, so the group effectively holds full administrative access to every domain-joined ESXi host. Because the mapping is by group name, an AD group created with that name later is trusted as well. Monitor AD for the creation or renaming of this group, alert on membership changes, and limit membership to highly trusted users and groups.
Rationale
An unauthorized user who gains membership in the group set by the esxAdminsGroup
attribute will have full administrative access to all domain-joined ESXi hosts. Such a user can
compromise the confidentiality, integrity, and availability of every ESXi host and of the
virtual machines, data, and processes those hosts run.
Solution
1. Verify the value of the esxAdminsGroup setting on every ESXi host (‘ESX Admins’ by default); a host whose setting has been changed trusts a different group, which must be checked as well.
2. Check the list of members, direct and nested, of that Microsoft Active Directory group.
3. Remove any unauthorized users from that group, and restrict who can modify its membership.
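The three steps above as one audit script. This is an added example, not part of the benchmark or of VMware's documentation; it assumes a vCenter at vcenter.example.com, the VMware.PowerCLI and ActiveDirectory (RSAT) modules, and an approved-member list that is an assumption for illustration.

```powershell
# Added example (not from the benchmark): audit the esxAdminsGroup setting on every
# ESXi host managed by one vCenter, then compare the trusted AD group's membership
# against an approved list. The vCenter name and the approved list are assumptions.

Import-Module VMware.PowerCLI -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$vCenter  = 'vcenter.example.com'                  # assumed vCenter FQDN
$Approved = @('vsphere-admins', 'svc-vcenter')     # assumed sanctioned direct members (sAMAccountNames)
$SettingName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

Connect-VIServer -Server $vCenter | Out-Null

# Step 1: read the group name each host trusts. A host that was reconfigured may
# point at a different group than the default 'ESX Admins', so check all of them.
$hostSettings = Get-VMHost | ForEach-Object {
    $s = Get-AdvancedSetting -Entity $_ -Name $SettingName
    [pscustomobject]@{ Host = $_.Name; EsxAdminsGroup = $s.Value }
}
$hostSettings | Format-Table -AutoSize

$groupNames = $hostSettings.EsxAdminsGroup | Sort-Object -Unique

foreach ($group in $groupNames) {
    $adGroup = Get-ADGroup -Filter "Name -eq '$group'" -ErrorAction SilentlyContinue
    if (-not $adGroup) {
        # The name is trusted whether or not the group exists yet, so an absent group
        # is itself a finding: whoever can create it controls host admin access.
        Write-Warning "Group '$group' referenced by ESXi does not exist in AD; monitor for its creation."
        continue
    }

    # Step 2: direct members are what the approved list describes; also report
    # nested groups, since their members inherit the same access.
    $members = Get-ADGroupMember -Identity $adGroup
    $nested  = $members | Where-Object { $_.objectClass -eq 'group' }
    if ($nested) {
        Write-Warning ("Group '{0}' contains nested groups: {1}" -f $group, ($nested.SamAccountName -join ', '))
    }

    # Step 3: anything not on the approved list is reported for removal.
    # -WhatIf shows the change without applying it; drop it once the list is confirmed.
    $unauthorized = $members | Where-Object { $Approved -notcontains $_.SamAccountName }
    if ($unauthorized) {
        Write-Warning ("Unauthorized members of '{0}': {1}" -f $group, ($unauthorized.SamAccountName -join ', '))
        Remove-ADGroupMember -Identity $adGroup -Members $unauthorized -Confirm:$false -WhatIf
    } else {
        Write-Output "Group '$group': membership matches the approved list."
    }
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Run it from a workstation that holds both vCenter read access and AD read access; the removal step stays in -WhatIf mode so the first run only reports, which is what the coordination with the Active Directory admins noted under Impact requires before any member is removed.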
Impact
Coordination between vSphere admins and Active Directory admins is needed.
Default Value
‘ESX Admins’ (the value of the esxAdminsGroup attribute, which names the AD group used by vSphere).
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: VMware.