
The vCenter Administrator role must be secured by assignment to specific users authorized as vCenter Administrators.


Overview

Finding ID: V-39566
Version: VCENTER-000031
Rule ID: SV-51424r1_rule
IA Controls: (not listed)
Severity: High
Description
By default, vCenter Server grants full administrative rights to the local Windows administrator account on the vCenter Server host. Because domain administrators are normally members of that host's local Administrators group, every domain administrator inherits full control of vCenter without any vCenter-specific authorization. Separation of duties dictates that full vCenter administrative rights be granted only to those administrators who require them, and never to a group whose membership is not strictly controlled. Administrative rights should therefore be removed from the local Windows administrator account and assigned to a special-purpose local vCenter Administrator account. That account is then used to create the individual user accounts with which day-to-day administrators log in, so every privileged action is traceable to a named person.
STIG: VMware vCenter Server Version 5 Security Technical Implementation Guide
Date: 2013-12-18

Details

Check Text ( C-46791r1_chk )
Windows domain administrators must not hold administrative rights on the vCenter Server. If any domain administrator (directly, or through a domain group such as Domain Admins) holds the vCenter Administrator role, this is a finding.

Ask the SA whether a special-purpose, local vCenter Administrator account is used for managing individual user accounts.

If no such special-purpose, local vCenter Administrator account has been created, this is a finding.

If a special-purpose, local vCenter Administrator account for managing individual user accounts has been created, this is not a finding.
Fix Text (F-44579r1_fix)
Remove the vCenter Administrator role from all domain administrator accounts and domain administrator groups.
Remove the vCenter Administrator role from the local Windows administrator account and the local Administrators group.
Create a special-purpose, local vCenter Administrator account, assign it the vCenter Administrator role, and use it to create individual user accounts.
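The following PowerCLI script is an added example that is not part of the STIG or of VMware's own tooling. It automates both the check and the fix above: it lists every principal holding the Administrator ("Admin") role at the root of the inventory, flags group principals and known domain/local administrator principals, verifies that the special-purpose local account holds the role, and optionally remediates. The vCenter hostname vcenter.example.com, the domain name CORP, the host name VCENTER01, the account VCENTER01\vcadmin and the list of forbidden principals are all assumptions for illustration; adjust them to your site.

```powershell
# Added example (not STIG or VMware code): audit and optionally remediate the
# vCenter Administrator ("Admin") role assignments described in the check and fix text.
# Assumptions (hypothetical): vCenter at vcenter.example.com, Windows domain CORP,
# vCenter host VCENTER01, special-purpose local account VCENTER01\vcadmin.
# Requires VMware PowerCLI (Connect-VIServer, Get-VIPermission, New-VIPermission, ...).
param(
    [string]$Server            = 'vcenter.example.com',
    [string]$LocalAdminAccount = 'VCENTER01\vcadmin',
    [switch]$Remediate
)

Connect-VIServer -Server $Server | Out-Null

# Permissions on the root folder with Propagate=True apply to the whole inventory,
# so this is where the effective "vCenter Administrator" assignments live.
$root      = Get-Folder -NoRecursion
$adminRole = Get-VIRole -Name 'Admin'

# Principals that must never hold the Admin role (constructed list for this example).
$forbidden = @('CORP\Domain Admins', 'VCENTER01\Administrators', 'BUILTIN\Administrators')

$adminPerms = Get-VIPermission -Entity $root | Where-Object { $_.Role -eq $adminRole.Name }

$findings = @()
foreach ($p in $adminPerms) {
    # A group principal is a finding because vCenter does not control its membership;
    # a domain-admin or local-Administrators principal is a finding regardless of type.
    if ($p.IsGroup -or ($forbidden -contains $p.Principal)) {
        $findings += $p
        Write-Warning ("FINDING: '{0}' holds the Admin role on '{1}' (group={2}, propagate={3})" -f `
            $p.Principal, $p.Entity.Name, $p.IsGroup, $p.Propagate)
    }
}

# The check also requires that a dedicated local vCenter Administrator account exists.
$hasLocalAdmin = $adminPerms | Where-Object { $_.Principal -eq $LocalAdminAccount }
if (-not $hasLocalAdmin) {
    Write-Warning "FINDING: special-purpose account '$LocalAdminAccount' does not hold the Admin role"
}

if ($Remediate) {
    # Grant the special-purpose account first so the Admin role is never left unassigned.
    if (-not $hasLocalAdmin) {
        New-VIPermission -Entity $root -Principal $LocalAdminAccount -Role $adminRole -Propagate:$true | Out-Null
    }
    foreach ($p in $findings) {
        Remove-VIPermission -Permission $p -Confirm:$false
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it once without -Remediate and review the warnings before applying the fix. Because the script removes the Admin role from group principals, run the remediation pass while connected as the special-purpose local account (or another named user that will keep the role), not as a member of the groups being removed, or the session performing the change loses its own rights part-way through.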