UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide


Overview

Date Finding Count (65)
2020-12-10 CAT I (High): 2 CAT II (Med): 52 CAT III (Low): 11
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-216849 High The vCenter Server for Windows must minimize access to the vCenter server.
V-216836 High The vCenter Server for Windows must set the distributed port group MAC Address Change policy to reject.
V-216888 Medium The vCenter Server for Windows must use a limited privilege account when adding an LDAP identity source.
V-216889 Medium The vCenter Server for Windows must disable SNMPv1.
V-216859 Medium The vCenter Server for Windows passwords must be at least 15 characters in length.
V-216882 Medium The vCenter Server for Windows must restrict access to cryptographic role.
V-216883 Medium The vCenter Server for Windows must restrict access to cryptographic permissions.
V-216855 Medium The vCenter Server for Windows must use a least-privileges assignment for the vCenter Server database user.
V-216854 Medium The vCenter Server for Windows must use a least-privileges assignment for the Update Manager database user.
V-216857 Medium vCenter Server for Windows plugins must be verified.
V-216856 Medium The vCenter Server for Windows must use unique service accounts when applications connect to vCenter.
V-216851 Medium The vCenter Server for Windows must enable all tasks to be shown to Administrators in the Web Client.
V-216850 Medium The vCenter Server for Windows Administrators must clean up log files after failed installations.
V-216852 Medium The vCenter Server for Windows Administrator role must be secured and assigned to specific users other than a Windows Administrator.
V-216877 Medium The vCenter Server for Windows reverse proxy must use DoD approved certificates.
V-216876 Medium The vCenter Server for Windows must enable TLS 1.2 exclusively.
V-216875 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-216874 Medium The vCenter Server for Windows must configure the vSAN Datastore name to a unique name.
V-216873 Medium The vCenter Server for Windows must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
V-216872 Medium The vCenter Server for Windows must enable the vSAN Health Check.
V-216871 Medium The vCenter Server for Windows must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
V-216870 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-216833 Medium The vCenter Server for Windows must limit the use of the built-in SSO administrative account.
V-216832 Medium The vCenter Server for Windows must use Active Directory authentication.
V-216830 Medium The vCenter Server for Windows must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC).
V-216837 Medium The vCenter Server for Windows must set the distributed port group Promiscuous Mode policy to reject.
V-216835 Medium The vCenter Server for Windows must set the distributed port group Forged Transmits policy to reject.
V-216838 Medium The vCenter Server for Windows must only send NetFlow traffic to authorized collectors.
V-216887 Medium The vCenter Server for Windows must use LDAPS when adding an SSO identity source.
V-216829 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-216846 Medium The vCenter Server for Windows must configure the vpxuser password meets length policy.
V-216869 Medium The vCenter Server for Windows must alert administrators on permission update operations.
V-216842 Medium The vCenter Server for Windows must not configure all port groups to VLAN values reserved by upstream physical switches.
V-216843 Medium The vCenter Server for Windows must enable SSL for Network File Copy (NFC).
V-216840 Medium The vCenter Server for Windows must configure all port groups to a value other than that of the native VLAN.
V-216841 Medium The vCenter Server for Windows must configure all port groups to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
V-216868 Medium The vCenter Server for Windows must alert administrators on permission deletion operations.
V-216879 Medium The vCenter Server for Windows must enable revocation checking for certificate based authentication.
V-216844 Medium The vCenter Server for Windows services must be ran using a service account instead of a built-in Windows account.
V-216845 Medium The vCenter Server for Windows must configure the vpxuser auto-password to be changed every 30 days.
V-216864 Medium The vCenter Server for Windows must limit the maximum number of failed login attempts to three.
V-216865 Medium The vCenter Server for Windows must set the interval for counting failed login attempts to at least 15 minutes.
V-216848 Medium The vCenter Server for Windows must check the privilege re-assignment after restarts.
V-216867 Medium The vCenter Server for Windows must alert administrators on permission creation operations.
V-216860 Medium The vCenter Server for Windows passwords must contain at least one uppercase character.
V-216861 Medium The vCenter Server for Windows passwords must contain at least one lowercase character.
V-216862 Medium The vCenter Server for Windows passwords must contain at least one numeric character.
V-216863 Medium The vCenter Server for Windows passwords must contain at least one special character.
V-216825 Medium The vCenter Server for Windows must prohibit password reuse for a minimum of five generations.
V-216826 Medium The vCenter Server for Windows must not automatically refresh client sessions.
V-216827 Medium The vCenter Server for Windows must enforce a 60-day maximum password lifetime restriction.
V-216828 Medium The vCenter Server for Windows must terminate management sessions after 10 minutes of inactivity.
V-216878 Medium The vCenter Server for Windows must enable certificate based authentication.
V-216866 Medium The vCenter Server for Windows must require an administrator to unlock an account locked due to excessive login failures.
V-216886 Low The vCenter Server for Windows must disable the Customer Experience Improvement Program (CEIP).
V-216884 Low The vCenter Server for Windows must have Mutual CHAP configured for vSAN iSCSI targets.
V-216885 Low The vCenter Server for Windows must have new Key Encryption Keys (KEKs) re-issued at regular intervals for vSAN encrypted datastore(s).
V-216880 Low The vCenter Server for Windows must disable Password and Windows integrated authentication.
V-216858 Low The vCenter Server for Windows must produce audit records containing information to establish what type of events occurred.
V-216853 Low The vCenter Server for Windows must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.
V-216831 Low The vCenter Server for Windows must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.
V-216834 Low The vCenter Server for Windows must disable the distributed virtual switch health check.
V-216839 Low The vCenter Server for Windows must not override port group settings at the port level on distributed switches.
V-216847 Low The vCenter Server for Windows must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.
V-216881 Low The vCenter Server for Windows must enable Login banner for vSphere web client.