Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
ESXI5-VMNET-000007 | ESXI5-VMNET-000007 | ESXI5-VMNET-000007_rule | Low |
Description |
---|
This control mitigates the risk of misconfiguration, whether accidental or malicious, and enforces key security concepts of separation of duties and least privilege. It is important to leverage the role-based access controls within vSphere to ensure that only authorized administrators have access to the different virtual networking components. For example, VM administrators should have access only to port groups in which their VMs reside. Network administrators should have permissions to all virtual networking components but not have access to VMs. These controls will depend very much on the organization's policy on separation of duties, least privilege, and the responsibilities of the administrators within the organization. |
STIG | Date |
---|---|
VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Check Text ( C-ESXI5-VMNET-000007_chk ) |
---|
vSphere permissions to specific port groups must be granted only to individuals who need it. From the vSphere Client/vCenter as a user with full Administrator Role rights to the Inventory object to be checked: Select "[Inventory Object]>> Permissions". Verify that users assigned to the selected Inventory object have the appropriate role. If any user assigned to the selected Inventory object have an inappropriate role, this is a finding. |
Fix Text (F-ESXI5-VMNET-000007_fix) |
---|
vSphere permissions to specific port groups must be granted only to individuals who need it. From the vSphere Client/vCenter as a user with full Administrator Role rights to the Inventory object to be checked: (1) Select "[Inventory Object]>> Permissions". Assign users with the appropriate Role to the all Inventory object(s). |