VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide


Overview

Date: 2021-06-23
Finding Count (65): CAT I (High): 2, CAT II (Med): 52, CAT III (Low): 11
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-216849 High The vCenter Server for Windows must minimize access to the vCenter server.
V-216836 High The vCenter Server for Windows must set the distributed port group MAC Address Change policy to reject.
V-216888 Medium The vCenter Server for Windows must use a limited privilege account when adding an LDAP identity source.
V-216889 Medium The vCenter Server for Windows must disable SNMPv1.
V-216859 Medium The vCenter Server for Windows passwords must be at least 15 characters in length.
V-216882 Medium The vCenter Server for Windows must restrict access to cryptographic role.
V-216883 Medium The vCenter Server for Windows must restrict access to cryptographic permissions.
V-216855 Medium The vCenter Server for Windows must use a least-privileges assignment for the vCenter Server database user.
V-216854 Medium The vCenter Server for Windows must use a least-privileges assignment for the Update Manager database user.
V-216857 Medium vCenter Server for Windows plugins must be verified.
V-216856 Medium The vCenter Server for Windows must use unique service accounts when applications connect to vCenter.
V-216851 Medium The vCenter Server for Windows must enable all tasks to be shown to Administrators in the Web Client.
V-216850 Medium The vCenter Server for Windows Administrators must clean up log files after failed installations.
V-216852 Medium The vCenter Server for Windows Administrator role must be secured and assigned to specific users other than a Windows Administrator.
V-216877 Medium The vCenter Server for Windows reverse proxy must use DoD approved certificates.
V-216876 Medium The vCenter Server for Windows must enable TLS 1.2 exclusively.
V-216875 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-216874 Medium The vCenter Server for Windows must configure the vSAN Datastore name to a unique name.
V-216873 Medium The vCenter Server for Windows must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
V-216872 Medium The vCenter Server for Windows must enable the vSAN Health Check.
V-216871 Medium The vCenter Server for Windows must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
V-216870 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-216833 Medium The vCenter Server for Windows must limit the use of the built-in SSO administrative account.
V-216832 Medium The vCenter Server for Windows must use Active Directory authentication.
V-216830 Medium The vCenter Server for Windows must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC).
V-216837 Medium The vCenter Server for Windows must set the distributed port group Promiscuous Mode policy to reject.
V-216835 Medium The vCenter Server for Windows must set the distributed port group Forged Transmits policy to reject.
V-216838 Medium The vCenter Server for Windows must only send NetFlow traffic to authorized collectors.
V-216887 Medium The vCenter Server for Windows must use LDAPS when adding an SSO identity source.
V-216829 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-216846 Medium The vCenter Server for Windows must configure the vpxuser password to meet the length policy.
V-216869 Medium The vCenter Server for Windows must alert administrators on permission update operations.
V-216842 Medium The vCenter Server for Windows must not configure all port groups to VLAN values reserved by upstream physical switches.
V-216843 Medium The vCenter Server for Windows must enable SSL for Network File Copy (NFC).
V-216840 Medium The vCenter Server for Windows must configure all port groups to a value other than that of the native VLAN.
V-216841 Medium The vCenter Server for Windows must configure all port groups to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
V-216868 Medium The vCenter Server for Windows must alert administrators on permission deletion operations.
V-216879 Medium The vCenter Server for Windows must enable revocation checking for certificate based authentication.
V-216844 Medium The vCenter Server for Windows services must be run using a service account instead of a built-in Windows account.
V-216845 Medium The vCenter Server for Windows must configure the vpxuser auto-password to be changed every 30 days.
V-216864 Medium The vCenter Server for Windows must limit the maximum number of failed login attempts to three.
V-216865 Medium The vCenter Server for Windows must set the interval for counting failed login attempts to at least 15 minutes.
V-216848 Medium The vCenter Server for Windows must check the privilege re-assignment after restarts.
V-216867 Medium The vCenter Server for Windows must alert administrators on permission creation operations.
V-216860 Medium The vCenter Server for Windows passwords must contain at least one uppercase character.
V-216861 Medium The vCenter Server for Windows passwords must contain at least one lowercase character.
V-216862 Medium The vCenter Server for Windows passwords must contain at least one numeric character.
V-216863 Medium The vCenter Server for Windows passwords must contain at least one special character.
V-216825 Medium The vCenter Server for Windows must prohibit password reuse for a minimum of five generations.
V-216826 Medium The vCenter Server for Windows must not automatically refresh client sessions.
V-216827 Medium The vCenter Server for Windows must enforce a 60-day maximum password lifetime restriction.
V-216828 Medium The vCenter Server for Windows must terminate management sessions after 10 minutes of inactivity.
V-216878 Medium The vCenter Server for Windows must enable certificate based authentication.
V-216866 Medium The vCenter Server for Windows must require an administrator to unlock an account locked due to excessive login failures.
V-216886 Low The vCenter Server for Windows must disable the Customer Experience Improvement Program (CEIP).
V-216884 Low The vCenter Server for Windows must have Mutual CHAP configured for vSAN iSCSI targets.
V-216885 Low The vCenter Server for Windows must have new Key Encryption Keys (KEKs) re-issued at regular intervals for vSAN encrypted datastore(s).
V-216880 Low The vCenter Server for Windows must disable Password and Windows integrated authentication.
V-216858 Low The vCenter Server for Windows must produce audit records containing information to establish what type of events occurred.
V-216853 Low The vCenter Server for Windows must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.
V-216831 Low The vCenter Server for Windows must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.
V-216834 Low The vCenter Server for Windows must disable the distributed virtual switch health check.
V-216839 Low The vCenter Server for Windows must not override port group settings at the port level on distributed switches.
V-216847 Low The vCenter Server for Windows must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.
V-216881 Low The vCenter Server for Windows must enable Login banner for vSphere web client.