UCF STIG Viewer Logo

The NSX vCenter must be configured to use an authentication server to provide automated support for account management functions to centrally control the authentication process for the purpose of granting administrative access.


Finding ID Version Rule ID IA Controls Severity
V-69161 VNSX-ND-000006 SV-83765r1_rule High
Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations and privilege levels. NSX Manager must be configured to automatically provide account management functions, and these functions must immediately enforce the organization's current account policy. All accounts used for access to the NSX components are privileged or system-level accounts. Therefore, if account management functions are not automatically enforced, an attacker could gain privileged access to a vital element of the network security architecture. With the exception of the account of last resort, all accounts must be created and managed on the site's authentication server (e.g., RADIUS, LDAP, or Active Directory). This requirement is applicable to account management functions provided by the network device.
VMware NSX Manager Security Technical Implementation Guide 2016-06-27


Check Text ( C-69599r1_chk )
Verify the Windows server hosting vCenter is joined to the domain and access to the server and vCenter is done using Active Directory accounts.

If the vCenter server is not joined to an Active Directory domain, this is a finding.

If Active Directory-based accounts are not used for daily operations of the vCenter server, this is a finding.

If Active Directory is not used in the environment, this is not applicable.
Fix Text (F-75347r1_fix)
If the server hosting vCenter is not joined to the domain, follow the OS-specific procedures to join it to Active Directory.

If local accounts are used for normal operations, Active Directory accounts should be created and used.