| STIG ID | Severity | Title | Discussion |
| --- | --- | --- | --- |
| V-251794 | High | The NSX-T Manager must be running a release that is currently supported by the vendor. | Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. |
| V-251793 | High | The NSX-T Manager must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the Information System Security Officer (ISSO). | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in... |
| V-251778 | High | NSX-T Manager must restrict the use of configuration, administration, and the execution of privileged commands to authorized personnel based on organization-defined roles. | To mitigate the risk of unauthorized access, privileged access must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be... |
| V-251789 | High | The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. With... |
| V-251781 | High | The NSX-T Manager must terminate the device management session at the end of the session or after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-251800 | Medium | The NSX-T Manager must enable the global FIPS compliance mode for load balancers. | If unsecured protocols (lacking cryptographic mechanisms) are used for load balancing, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data at... |
| V-251799 | Medium | The NSX-T Manager must disable SNMP v2. | SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that... |
| V-251798 | Medium | The NSX-T Manager must disable TLS 1.1 and enable TLS 1.2. | TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 must be enabled on all interfaces, and TLS 1.1 and 1.0 disabled where supported. |
| V-251797 | Medium | The NSX-T Manager must disable unused local accounts. | In NSX-T 3.1 and earlier, there are three local accounts: root, admin, and audit. These local accounts could not be disabled, and no additional accounts could be created. Starting in NSX-T... |
| V-251795 | Medium | The NSX-T Manager must not provide environment information to third parties. | Providing technical details about an environment's infrastructure to third parties could unknowingly expose sensitive information to bad actors if intercepted. |
| V-251792 | Medium | The NSX-T Manager must obtain its public key certificates from an approved DoD certificate authority. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For Federal agencies operating a legacy public key... |
| V-251791 | Medium | The NSX-T Manager must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system... |
| V-251790 | Medium | The NSX-T Manager must be configured to conduct backups on an organizationally defined schedule. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the... |
| V-251779 | Medium | The NSX-T Manager must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. |
| V-251788 | Medium | The NSX-T Manager must generate log records for the info level to capture the DoD-required auditable events. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or... |
| V-251784 | Medium | The NSX-T Manager must prohibit the use of cached authenticators after an organization-defined time period. | Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity of the authentication information may be... |
| V-251785 | Medium | The NSX-T Manager must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This... |
| V-251786 | Medium | The NSX-T Manager must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident... |
| V-251787 | Medium | The NSX-T Manager must be configured to send logs to a central log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. |
| V-251780 | Medium | The NSX-T Manager must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to... |
| V-251782 | Medium | The NSX-T Manager must be configured to synchronize internal information system clocks using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other... |
| V-251783 | Medium | The NSX-T Manager must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time.... |
| V-251796 | Low | The NSX-T Manager must disable SSH. | The NSX-T shell provides temporary access to commands essential for server maintenance. Intended primarily for use in break-fix scenarios, the NSX-T shell is well suited for checking and modifying... |
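Several of the rows above are concrete settings (TLS versions, session timeout, lockout thresholds, password length, SNMP version, SSH state, NTP sources, syslog exporters, time zone, CEIP, load balancer FIPS mode) that can be read back from the NSX-T Manager REST API and compared against the STIG values. The script below is an added example, not DISA's check procedure and not VMware code: it evaluates parsed JSON responses offline against those values and reports which rows are open. The API paths and field names follow the NSX-T Manager node/cluster REST API (3.x) and are assumptions to confirm against the API guide for the release in use; the two response sets are constructed samples, one with typical defaults and one remediated to the table's values, so the script shows the weak and corrected configuration side by side.

```python
"""Offline evaluator for a subset of the NSX-T Manager STIG rows in the table above.

Added example, not DISA or VMware code. Each check reads the parsed JSON of one
NSX-T Manager REST call. Paths and field names follow the NSX-T 3.x node/cluster
API and are ASSUMPTIONS to confirm against the API guide for your release. The
response sets below are CONSTRUCTED samples, not captured from a real manager.
"""
import copy

# Constructed sample: a manager with several of the table's findings open.
WEAK_RESPONSES = {
    "/api/v1/cluster/api-service": {
        "session_timeout": 1800,  # seconds of idle time before the UI/API session ends
        "protocol_versions": [
            {"name": "TLSv1.1", "enabled": True},
            {"name": "TLSv1.2", "enabled": True},
        ],
    },
    "/api/v1/node/aaa/auth-policy": {
        "api_max_auth_failures": 5,
        "api_failed_auth_lockout_period": 900,  # seconds
        "minimum_password_length": 12,
    },
    "/api/v1/node/services/snmp": {"service_properties": {"v2_configured": True, "v3_configured": False}},
    "/api/v1/node/services/ssh/status": {"runtime_state": "running"},
    "/api/v1/node/services/ntp": {"service_properties": {"servers": ["10.0.0.1", "10.0.0.2"]}},
    "/api/v1/node/services/syslog/exporters": {"results": [
        {"exporter_name": "siem", "server": "10.0.0.50", "port": 514, "protocol": "UDP", "level": "WARNING"},
    ]},
    "/api/v1/node": {"timezone": "UTC"},
    "/api/v1/telemetry/config": {"ceip_acceptance": False},
    "/policy/api/v1/infra/global-config": {"fips": {"lb_fips_enabled": False}},
}

# The same manager after remediation to the values the STIG rows name.
HARDENED_RESPONSES = copy.deepcopy(WEAK_RESPONSES)
HARDENED_RESPONSES["/api/v1/cluster/api-service"].update(
    session_timeout=600,  # V-251781: 10 minutes of inactivity
    protocol_versions=[{"name": "TLSv1.1", "enabled": False}, {"name": "TLSv1.2", "enabled": True}],
)
HARDENED_RESPONSES["/api/v1/node/aaa/auth-policy"].update(
    api_max_auth_failures=3, api_failed_auth_lockout_period=900, minimum_password_length=15)
HARDENED_RESPONSES["/api/v1/node/services/snmp"]["service_properties"]["v2_configured"] = False
HARDENED_RESPONSES["/api/v1/node/services/ssh/status"]["runtime_state"] = "stopped"
HARDENED_RESPONSES["/api/v1/node/services/syslog/exporters"]["results"][0]["level"] = "INFO"
HARDENED_RESPONSES["/policy/api/v1/infra/global-config"]["fips"]["lb_fips_enabled"] = True


def tls_ok(api_service):
    """V-251798: TLS 1.2 enabled and TLS 1.0/1.1 not enabled (an absent entry counts as disabled)."""
    enabled = {p["name"]: p["enabled"] for p in api_service["protocol_versions"]}
    return enabled.get("TLSv1.2") is True and not enabled.get("TLSv1.1") and not enabled.get("TLSv1.0")


# (rule id, API path, predicate on the parsed response, expected state in words)
CHECKS = [
    ("V-251798", "/api/v1/cluster/api-service", tls_ok, "TLSv1.2 only"),
    ("V-251781", "/api/v1/cluster/api-service", lambda r: r["session_timeout"] <= 600, "session_timeout <= 600 s"),
    ("V-251779", "/api/v1/node/aaa/auth-policy",
     lambda r: r["api_max_auth_failures"] <= 3 and r["api_failed_auth_lockout_period"] >= 900,
     "3 failures, 900 s lockout"),
    ("V-251780", "/api/v1/node/aaa/auth-policy", lambda r: r["minimum_password_length"] >= 15, "min length 15"),
    ("V-251799", "/api/v1/node/services/snmp", lambda r: not r["service_properties"]["v2_configured"], "SNMP v2 off"),
    ("V-251796", "/api/v1/node/services/ssh/status", lambda r: r["runtime_state"] == "stopped", "ssh stopped"),
    ("V-251782", "/api/v1/node/services/ntp", lambda r: len(r["service_properties"]["servers"]) >= 2, ">= 2 NTP servers"),
    ("V-251788", "/api/v1/node/services/syslog/exporters",
     lambda r: any(e["level"] == "INFO" for e in r["results"]), "an INFO-level exporter"),
    ("V-251783", "/api/v1/node", lambda r: r.get("timezone") == "UTC", "timezone UTC"),
    ("V-251795", "/api/v1/telemetry/config", lambda r: r["ceip_acceptance"] is False, "CEIP declined"),
    ("V-251800", "/policy/api/v1/infra/global-config", lambda r: r["fips"]["lb_fips_enabled"] is True, "LB FIPS on"),
]


def evaluate(responses):
    """Map each rule id to 'pass', 'fail', or 'missing' (the API call is absent from the input)."""
    results = {}
    for rule_id, path, predicate, _expected in CHECKS:
        body = responses.get(path)
        if body is None:
            results[rule_id] = "missing"
            continue
        try:
            results[rule_id] = "pass" if predicate(body) else "fail"
        except (KeyError, TypeError):  # unexpected response shape: never silently pass
            results[rule_id] = "fail"
    return results


def open_findings(responses):
    """Sorted rule ids that did not pass; an absent or unreadable response is an open finding."""
    return sorted(r for r, s in evaluate(responses).items() if s != "pass")


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSES), ("hardened", HARDENED_RESPONSES)):
        print(label, open_findings(resp))
```

To run it against a real manager, replace the constructed dictionaries with the parsed bodies of the same GET calls (for example via `curl -k -u admin https://<nsx-mgr>/api/v1/cluster/api-service`), keyed by path. Absent and malformed responses are deliberately reported as open findings rather than skipped, so a failed or forbidden API call never reads as compliance. The checks cover only the rows whose requirement is a single setting; rows such as V-251778 (role-based access), V-251790/V-251791 (backups), and V-251792 (DoD CA certificates) need review of the configuration's content rather than a threshold comparison.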