
vSphere Active Directory Security: Research Report

VMware vSphere's Active Directory integration exposes credentials at the network, disk, and memory layers when using default configurations. Standalone ESXi hosts store machine passwords in cleartext, cache user Kerberos tickets on disk, and grant root access to all SSH sessions regardless of the authenticated user. vCenter Server provides stronger security through SAML token isolation and granular role-based access control, but only when configured to use LDAPS or SPNEGO authentication instead of the default LDAP identity source.

vSphere Active Directory security: A comprehensive research report

When administrators authenticate to VMware vSphere using Active Directory credentials, they reasonably expect passwords to be validated and then forgotten. The reality is far more complex.

This independent security research traces AD credentials across every layer of a vSphere environment, from ESXi 7 and 8 to vCenter Server 7 and 8. The findings reveal that default configurations expose passwords through cleartext LDAP transmissions, world-readable keytabs, and persistent Kerberos ticket caches. On standalone ESXi hosts joined to AD, any administrator can access other users' cached credentials, and the ESXi Admin role is functionally equivalent to Domain Admin when Domain Controller VMs run on the host.

vCenter Server provides stronger authentication through SAML token isolation and granular role-based access control, but only when deliberately configured to use LDAPS or SPNEGO authentication. The default AD-over-LDAP identity source recreates the worst credential exposure at the network layer.

This report documents every vulnerability with packet captures, memory dumps, and functional attack chains, then provides prioritized recommendations to harden your vSphere AD integration.

In this guide, you will learn how to

  • Identify where AD credentials are exposed at the network, disk, and memory layers in vSphere environments.
  • Understand why standalone ESXi AD domain join creates unfixable architectural security weaknesses.
  • Configure vCenter identity sources to eliminate cleartext password transmission using LDAPS or SPNEGO.
  • Protect the ESXi admin group with the same rigor as Domain Admins, since AD group membership directly controls hypervisor root access.
  • Prevent Kerberos downgrade attacks by enforcing AES-only encryption on ESXi and vCenter computer accounts.
  • Restrict ESXi administrator access to hosts running Domain Controller VMs to prevent offline ntds.dit extraction and snapshot rollback attacks.
  • Detect credential theft attempts through DC Event 2889 monitoring and file access auditing.

Why download this guide

  • Gain visibility into credential flows that default vSphere documentation does not disclose.
  • Understand the security trade-offs between standalone ESXi management and vCenter-managed environments.
  • Implement prioritized hardening recommendations based on tested attack chains.
  • Reduce domain compromise risk by treating ESXi Admin privileges with appropriate sensitivity.
  • Strengthen incident response procedures with certificate revocation alongside password resets.
