Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
VCENTER-000031 | VCENTER-000031 | VCENTER-000031_rule | | High |
Description |
---|
By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have them. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and be assigned to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts. |
STIG | Date |
---|---|
VMware vCenter Server Security Technical Implementation Guide | 2013-01-15 |
Check Text (C-VCENTER-000031_chk) |
---|
Ask the SA if domain administrators' administrative rights to the vSphere administrator account have been removed, if administrative rights have been removed from the local Windows administrator account, and if a special-purpose, local vSphere administrator account for creating individual user accounts has been created. If domain administrators have administrative rights to the vSphere administrator account, this is a finding. If administrative rights have not been removed from the local Windows administrator account, this is a finding. If a special-purpose, local vSphere administrator account for creating individual user accounts has not been created, this is a finding. |
Fix Text (F-VCENTER-000031_fix) |
---|
Remove all domain administrators' administrative rights to the vSphere administrator account. Remove all administrative rights to the vSphere administrator account from the local Windows administrator account. Create a special-purpose, local vSphere administrator account for creating individual user accounts. |
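
The check above is an interview; as an added example (not part of the STIG), the PowerShell function below evaluates vCenter permission entries against the same three finding conditions. It assumes PowerCLI's `Get-VIPermission` as the live data source and default English Windows group names; the account name `vsphere-admin`, the `CORP` domain and the sample entries are constructed placeholders.

```powershell
# Added example, not part of the STIG. Evaluates permission entries against the
# three finding conditions above. Input objects need Principal, Role and IsGroup
# properties, as returned by PowerCLI's Get-VIPermission.
function Test-VCenterAdminSeparation {
    param(
        [Parameter(Mandatory)] [object[]] $Permission,
        [Parameter(Mandatory)] [string]   $SpecialAccount,   # site-specific account name
        [string]   $AdminRole   = 'Admin',                   # PowerCLI name of the Administrator role
        [string[]] $DomainAdmin = @('Domain Admins'),        # assumption: default English names
        [string[]] $LocalAdmin  = @('Administrators', 'Administrator')
    )
    # Drop any DOMAIN\ or HOST\ prefix so both forms of a principal compare alike.
    $short  = { param($p) ($p.Principal -split '\\')[-1] }
    $admins = @($Permission | Where-Object { $_.Role -eq $AdminRole })
    $findings = @()
    foreach ($p in $admins) {
        $name = & $short $p
        if ($DomainAdmin -contains $name) {
            $findings += "Finding: domain administrators hold $AdminRole via '$($p.Principal)'"
        } elseif ($LocalAdmin -contains $name) {
            $findings += "Finding: local Windows administrator holds $AdminRole via '$($p.Principal)'"
        }
    }
    # The special-purpose account must be an individual user holding the admin role.
    $special = @($admins | Where-Object { -not $_.IsGroup -and (& $short $_) -eq $SpecialAccount })
    if ($special.Count -eq 0) {
        $findings += "Finding: no special-purpose account '$SpecialAccount' holds $AdminRole"
    }
    $findings
}

# Constructed sample entries resembling a default installation. For live data:
#   Connect-VIServer <vcenter>; $perms = Get-VIPermission
$perms = @(
    [pscustomobject]@{ Principal = 'Administrators';     Role = 'Admin';    IsGroup = $true }
    [pscustomobject]@{ Principal = 'CORP\Domain Admins'; Role = 'Admin';    IsGroup = $true }
    [pscustomobject]@{ Principal = 'CORP\vm-operators';  Role = 'ReadOnly'; IsGroup = $true }
)
Test-VCenterAdminSeparation -Permission $perms -SpecialAccount 'vsphere-admin'
```

Permission entries do not show nested membership, so domain administrators who reach vCenter through membership of the local Administrators group still have to be checked on the Windows host itself.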