Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-39566 | VCENTER-000031 | SV-51424r1_rule | | High |
Description |
---|
By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have them. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and assigned to a special-purpose local vCenter Administrator account. This account should be used to create individual user accounts. |
STIG | Date |
---|---|
VMware vCenter Server Version 5 Security Technical Implementation Guide | 2013-12-18 |
Check Text (C-46791r1_chk) |
---|
Windows domain administrators must not have administrative rights on the vCenter Server. If domain administrators have administrative rights to the vCenter Administrator account, this is a finding. Ask the SA if a special-purpose, local vCenter Administrator account is used for managing individual user accounts. If a special-purpose, local vCenter Administrator account for managing individual user accounts has not been created, this is a finding. If a special-purpose, local vCenter Administrator account for managing individual user accounts has been created, this is not a finding. |
Fix Text (F-44579r1_fix) |
---|
Remove all administrative rights to the vCenter Administrator account from domain administrators. Remove all administrative rights to the vCenter Administrator account from the local Windows administrator account. Create a special-purpose, local vCenter Administrator account for creating individual user accounts. |