Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
VI Web Access sessions to the ESX Server are unencrypted.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15856 | ESX0570 | SV-16797r1_rule | Medium |
| Description |
|---|
| User sessions with the ESX Server should be encrypted since transmitting data in plaintext may be viewed as it travels through the network. User sessions may be initiated from the VI client, Web Access, or through VirtualCenter. To encrypt session data, the sending component, such as a gateway or redirector, applies ciphers to alter the data before transmitting it. The receiving component uses a key to decrypt the data, returning it to its original form. To ensure the protection of the data transmitted to and from external network connections, ESX Server uses the 256-bit AES block encryption. ESX Server also uses 1024-bit RSA for key exchange. These encryption algorithms are the default for VI Client, VI Web Access, and VirtualCenter sessions. |
| STIG | Date |
|---|---|
| VMware ESX 3 Server | 2016-05-13 |
Details
| Check Text ( C-16213r1_chk ) |
|---|
| 1. First verify Web Access is enabled by having the IAO/SA attempt to login to the ESX Server. 2. Start the Web Browser 3. Enter the URL of the ESX Server: http://(host or server name)/ui. The http should transition to https://(host or server name)/ui. If it does not transition to https, this is a finding. |
| Fix Text (F-15815r1_fix) |
|---|
| Encrypt all Web Access session to ESX Servers. |