UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VI Web Access sessions with VirtualCenter are unencrypted.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15873 ESX0740 SV-16814r1_rule ECCT-1 ECCT-2 Medium
Description
User sessions with VirtualCenter should be encrypted since transmitting data in plaintext may be viewed as it travels through the network. User sessions may be initiated from the VI client and VI Web Access. To encrypt session data, the sending component, such as a gateway or redirector, applies ciphers to alter the data before transmitting it. The receiving component uses a key to decrypt the data, returning it to its original form. To ensure the protection of the data transmitted to and from external network connections, all VI client and web access sessions with VirtualCenter will be encrypted with a FIPS 140-2 encryption algorithm.
STIG Date
VMware ESX 3 Virtual Center 2016-05-03

Details

Check Text ( C-16230r1_chk )
1. Login to VirtualCenter through the VI Client.
2. Select an ESX Server host from the inventory panel.
3. Select the configuration tab.
4. Select advanced settings in the software section.
5. Verify the “Config.Defaults.security.host.ruissl” is checked. This requires SSL to be used when communicating with the host over 902. If this is not checked, this is a finding.
Fix Text (F-15833r1_fix)
Encrypt all VI Web Access sessions with VirtualCenter.