A least-privileges assignment must be used for the Update Manager database user.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-39562	VCENTER-000024	SV-51420r1_rule		Medium

Description
Least-privileges mitigates attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.

STIG	Date
VMware vCenter Server Version 5 Security Technical Implementation Guide	2013-12-18

Details

Check Text ( C-46787r1_chk )
Verify only the following permissions are allowed to the VUM DB user after installation. For Oracle DB normal operation, only the following permissions are required. Create session create any table drop any table For SQL Server DB normal operation, the dba_owner role or sysadmin role can be removed from the MSDB database. The dba_owner role or sysadmin role is still required for normal operation by the Update Manager database. Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations. If the above vendor database-dependent permissions are not strictly adhered to, this is a finding.

Check Text ( C-46787r1_chk )

Verify only the following permissions are allowed to the VUM DB user after installation.

For Oracle DB normal operation, only the following permissions are required.
Create session
create any table
drop any table

For SQL Server DB normal operation, the dba_owner role or sysadmin role can be removed from the MSDB database. The dba_owner role or sysadmin role is still required for normal operation by the Update Manager database.

Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.

If the above vendor database-dependent permissions are not strictly adhered to, this is a finding.

Fix Text (F-44575r1_fix)
For Oracle DB normal runtime operation, set the following permissions. Create session create any table drop any table For SQL Server DB normal runtime operation remove/delete the dba_owner role or sysadmin role from the MSDB database. The dba_owner role or sysadmin role is still required for normal operation by the Update Manager database. Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.

Fix Text (F-44575r1_fix)

For Oracle DB normal runtime operation, set the following permissions.
Create session
create any table
drop any table

For SQL Server DB normal runtime operation remove/delete the dba_owner role or sysadmin role from the MSDB database. The dba_owner role or sysadmin role is still required for normal operation by the Update Manager database.

Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.