
When adding ESXi hosts to Active Directory use the vSphere Authentication Proxy to protect passwords

Details

If you are using Host Profiles to join ESXi hosts to Active Directory, then vSphere Authentication Proxy should be used to keep credentials from being sent over the network.

*Rationale*

If you configure your host to join an Active Directory domain using Host Profiles, the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid having to save Active Directory credentials in the Host Profile and to avoid transmitting Active Directory credentials over the network, use the vSphere Authentication Proxy.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To implement the recommended configuration state, perform the following:

1. From the vSphere web client, navigate to ‘Host Profiles’.
2. Select the host profile.
3. Select ‘Manage’ -> ‘Edit Host profile’.
4. Expand ‘Security and Services’ -> ‘Security Settings’ -> ‘Authentication Configuration’.
5. Select ‘Active Directory configuration’.
6. Set the ‘Join Domain Method’ to ‘Use vSphere Authentication Proxy to add the host to domain’.
7. Provide the IP address of the authentication proxy.

Default Value: The prescribed state is not the default state.

Supportive Information

The following resource is also helpful.

This control applies to the following type of system: VMware.

Source

Updated on July 16, 2022