The vSphere Administrator role must be secured by assignment to specific user(s).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
VCENTER-000031	VCENTER-000031	VCENTER-000031_rule		High

Description
By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and be assigned to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts.

Description

By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and be assigned to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts.

STIG	Date
VMware vCenter Server Security Technical Implementation Guide	2013-01-15

Details

Check Text ( C-VCENTER-000031_chk )
Ask the SA if domain administrators have administrative rights to the vSphere administrator account have been removed, if administrative rights have been removed from the local Windows administrator account and if a special-purpose, local vSphere administrator account for creating individual user accounts has been created. If domain administrators have administrative rights to the vSphere administrator account, this is a finding. If administrative rights have not been removed from the local Windows administrator account, this is a finding. If a special-purpose, local vSphere administrator account for creating individual user accounts has not been created, this is a finding.

Check Text ( C-VCENTER-000031_chk )

Ask the SA if domain administrators have administrative rights to the vSphere administrator account have been removed, if administrative rights have been removed from the local Windows administrator account and if a special-purpose, local vSphere administrator account for creating individual user accounts has been created.

If domain administrators have administrative rights to the vSphere administrator account, this is a finding.

If administrative rights have not been removed from the local Windows administrator account, this is a finding.

If a special-purpose, local vSphere administrator account for creating individual user accounts has not been created, this is a finding.

Fix Text (F-VCENTER-000031_fix)
Remove all domain administrator, administrative rights to the vSphere administrator account. Remove all administrative rights to the vSphere administrator account from the local Windows administrator account. Create a special-purpose, local vSphere administrator account for creating individual user accounts.