Privilege re-assignment must be checked after the vCenter Server restarts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| VCENTER-000005 | VCENTER-000005 | VCENTER-000005_rule | Medium |
| Description |
|---|
| During a restart of vCenter Server, if the user or user group that is assigned Administrator role on the root folder could not be verified as a valid user/group during the restart, the user/group's permission as Administrator will be removed. In its place, vCenter Server grants the Administrator role to the local Windows administrators group, to act as a new vCenter Server administrator. Since it is not recommended to grant vCenter Server Administrator rights to Windows Administrators, resulting in a situation that should be rectified by re-establishing a legitimate administrator account. |
| STIG | Date |
|---|---|
| VMware vCenter Server Security Technical Implementation Guide | 2013-01-15 |
Details
| Check Text ( C-VCENTER-000005_chk ) |
|---|
| After the Windows server hosting the vCenter Server has been rebooted, a vCenter Server user or member of the user group granted the administrator role must log in and verify the role permissions remain intact. If the user and/or user group granted vCenter administrator role permissions cannot be verified intact, this is a finding. |
| Fix Text (F-VCENTER-000005_fix) |
|---|
| As a Windows Administrator, log in to the vCenter Server and restore a legitimate administrator account per site-specific user/group/role requirements. |