Joining your ESXi hosts to an Active Directory domain is one of the methods you should follow to secure them. Once a host is joined, you can log in to it (DCUI, SSH, and the host web client) with AD user accounts instead of sharing local credentials. Still set a strong password for the "root" account, and use it only in emergencies (for example, when the domain is unreachable).
For more information about joining a host to an AD domain, see this page.
By default, an ESXi host grants the Administrator role to the AD group named "ESX Admins". That group name is publicly documented, which makes it a target: anyone who can add a member to it, or who can create a group by that name in a domain where it does not yet exist, becomes an administrator on every host joined to that domain. In this article, I will explain how to change that default group, first with the GUI and then with PowerCLI. PowerCLI is the more efficient way to change the group name on all of your hosts at once, instead of visiting each host.
First, I will show you how to replace it using the GUI.
Steps:
1- Create a new AD group. Don't give it a self-explanatory name; give it a vague name, and don't type a description for it. Keep in mind that the obscure name only removes the predictable default; what actually protects the hosts is restricting who can modify the group's membership, so lock down its permissions in AD and monitor changes to it.
2- In the vSphere web client, select a host in the left navigation pane, then go to Configure >> Advanced System Settings >> Edit, and search for "ESX Admins".
As you can see in the picture above, the advanced parameter "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" defines the AD group the host trusts with the Administrator role. Replace the value with the name of the group you created and click OK. The change takes effect in less than a minute and does not require a reboot.
3- Now open an SSH session to the host and log in with an AD user account that is a member of the new group; it should work. Also check that an AD account outside the new group is rejected.
PowerShell (PowerCLI) method
Using PowerCLI lets you apply this to all of your hosts with a single command.
Steps:
1- Use the following command first to query the current value on the hosts:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup
The result should look like the output below; it shows the AD group currently configured on each host.
In the screenshot I've prefixed the command with "Get-Cluster" so that it queries only the hosts of a specific cluster.
2- Now run the following command to replace the default group with the new group on all hosts:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value "GROUPNAME" -Confirm:$false
The result should look like this.
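The two one-liners above are enough, but on a real estate you want to see which hosts are still at the default before touching anything, change only those, and then verify that every host reports the new group. The following PowerCLI script does that for one cluster; it is an added example and not part of the original post. The vCenter name "vcsa.example.local", the cluster "Prod-Cluster" and the group name "hv-ops-7g2" are placeholders I made up; the cmdlets and the advanced setting name are the ones the post already uses.

```powershell
<#
 Added example (not from the original post): audit every host in one cluster for the
 well-known default group, replace it, and verify the result before anyone relies on it.
 Assumptions (placeholders, not real infrastructure): vCenter 'vcsa.example.local',
 cluster 'Prod-Cluster', and the new AD group 'hv-ops-7g2'. Requires the VMware.PowerCLI
 module and a vCenter account that is allowed to edit advanced host settings.
#>
param(
    [string]$VIServer = 'vcsa.example.local',
    [string]$Cluster  = 'Prod-Cluster',
    [string]$NewGroup = 'hv-ops-7g2',
    [switch]$Apply                      # without -Apply the script only reports
)

$SettingName  = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$DefaultGroup = 'ESX Admins'

Connect-VIServer -Server $VIServer | Out-Null
try {
    $vmHosts = Get-Cluster -Name $Cluster | Get-VMHost | Sort-Object Name

    # 1. Audit: which hosts still trust the documented default group?
    $before = $vmHosts | Get-AdvancedSetting -Name $SettingName
    $before | Select-Object @{ n = 'Host'; e = { $_.Entity.Name } }, Value |
        Format-Table -AutoSize

    $atDefault = @($before | Where-Object { $_.Value -eq $DefaultGroup })
    Write-Host ("{0} of {1} hosts still use '{2}'" -f $atDefault.Count, $vmHosts.Count, $DefaultGroup)

    # 2. Change: only the hosts still at the default, and only when -Apply was given.
    if ($Apply -and $atDefault.Count -gt 0) {
        $atDefault | Set-AdvancedSetting -Value $NewGroup -Confirm:$false | Out-Null
    }

    # 3. Verify: re-read the setting; any host not reporting the new group is flagged.
    $after = $vmHosts | Get-AdvancedSetting -Name $SettingName
    $wrong = @($after | Where-Object { $_.Value -ne $NewGroup })
    foreach ($s in $wrong) {
        Write-Warning ("{0}: esxAdminsGroup is '{1}', expected '{2}'" -f $s.Entity.Name, $s.Value, $NewGroup)
    }
    if ($Apply -and $wrong.Count -gt 0) { throw "Not all hosts in '$Cluster' were updated." }
}
finally {
    Disconnect-VIServer -Server $VIServer -Confirm:$false
}
```

Run it once without -Apply to get the audit table, then with -Apply to make the change. The verification step re-reads the setting from each host rather than trusting the return value of Set-AdvancedSetting, and the final check is the one to wire into a scheduled compliance job: a host that later reverts to "ESX Admins" (for example, after being rebuilt from a stale profile) shows up as a warning. After the script reports success, finish as in the GUI method: open an SSH session with a member of the new group and confirm the login works.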
I hope that this has been informative.
References:
https://www.stigviewer.com/stig/vmware_vsphere_esxi_6.0/2016-06-07/finding/V-63247
https://kb.vmware.com/s/article/2075361