UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vSphere Administrator role must be secured by assignment to specific user(s).


Overview

Finding ID Version Rule ID IA Controls Severity
VCENTER-000031 VCENTER-000031 VCENTER-000031_rule High
Description
By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and be assigned to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts.
STIG Date
VMware vCenter Server Security Technical Implementation Guide 2013-01-15

Details

Check Text ( C-VCENTER-000031_chk )
Ask the SA if domain administrators have administrative rights to the vSphere administrator account have been removed, if administrative rights have been removed from the local Windows administrator account and if a special-purpose, local vSphere administrator account for creating individual user accounts has been created.

If domain administrators have administrative rights to the vSphere administrator account, this is a finding.

If administrative rights have not been removed from the local Windows administrator account, this is a finding.

If a special-purpose, local vSphere administrator account for creating individual user accounts has not been created, this is a finding.
Fix Text (F-VCENTER-000031_fix)
Remove all domain administrator, administrative rights to the vSphere administrator account.
Remove all administrative rights to the vSphere administrator account from the local Windows administrator account.
Create a special-purpose, local vSphere administrator account for creating individual user accounts.