STIGQter STIGQter: STIG Summary: VMware vSphere 6.5 ESXi Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jan 2020: The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using the vSphere Authentication Proxy.

DISA Rule

SV-104337r2_rule

Vulnerability Number

V-94507

Group Title

SRG-OS-000109-VMM-000550

Rule Version

ESXI-65-100038

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

When using host profiles do the following:

From the vSphere Client go to Home >> Host Profiles and select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain" and provide the IP address of the vSphere Authentication Proxy server.

To join a host to Active Directory manually without host profiles do the following:

From the vSphere Client select the ESXi Host and go to Configuration >> Authentication Services. Click Properties and change the "Directory Service Type" to Active Directory, enter the domain to join, check "Use vSphere Authentication Proxy" and enter the proxy server address then click "Join Domain".

Check Contents

For systems that do not use Active Directory and have no local user accounts, other than "root" and/or "vpxuser", this is not applicable.

From the vSphere Client go to Home >> Host Profiles and select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain".

or

From a PowerCLI command prompt while connected to vCenter run the following command:

Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}

Verify if JoinADEnabled is True then JoinDomainMethod should be "FixedCAMConfigOption".

For systems that do not use Active Directory and do have local user accounts, other than "root" and/or "vpxuser", this is a finding.

If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding.
If you are not using Host Profiles to join active directory, this is not a finding.

Vulnerability Number

V-94507

Documentable

False

Rule Version

ESXI-65-100038

Severity Override Guidance

For systems that do not use Active Directory and have no local user accounts, other than "root" and/or "vpxuser", this is not applicable.

From the vSphere Client go to Home >> Host Profiles and select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain".

or

From a PowerCLI command prompt while connected to vCenter run the following command:

Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}

Verify if JoinADEnabled is True then JoinDomainMethod should be "FixedCAMConfigOption".

For systems that do not use Active Directory and do have local user accounts, other than "root" and/or "vpxuser", this is a finding.

If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding.
If you are not using Host Profiles to join active directory, this is not a finding.

Check Content Reference

M

Target Key

3485

Comments