The system must set a timeout for all thick-client logins without activity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-39563	VCENTER-000027	SV-51421r1_rule		Medium

Description
An inactivity timeout must be set for the vSphere Client (Thick Client). This client-side setting can be changed by users, so this must be set by default and re-audited. Automatic session termination minimizes risk and reduces the potential for unauthorized access to vCenter.

STIG	Date
VMware vCenter Server Version 5 Security Technical Implementation Guide	2014-11-10

Details

Check Text ( C-46788r2_chk )
On each Windows computer with the vSphere Client installed, verify: A 15 minute (maximum) timeout is set in the VpxClient.exe.config file: Locate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the ... section, verify the setting X where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server. Verify the timeout that the vSphere Client executable is started with is an execution flag: Locate the vSphere Client executable icon on the desktop, right click, and select properties. Verify the presence of "-inactivityTimeout 15" in the command. If either of the above methods are invoked and the timeout interval exceeds 15 minutes, this is a finding.

Check Text ( C-46788r2_chk )

On each Windows computer with the vSphere Client installed, verify:
A 15 minute (maximum) timeout is set in the VpxClient.exe.config file:
Locate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the ... section, verify the setting X where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server.

Verify the timeout that the vSphere Client executable is started with is an execution flag:
Locate the vSphere Client executable icon on the desktop, right click, and select properties. Verify the presence of "-inactivityTimeout 15" in the command.

If either of the above methods are invoked and the timeout interval exceeds 15 minutes, this is a finding.

Fix Text (F-44576r2_fix)
On each Windows computer with the vSphere Client installed: Set a 15 minute (maximum) timeout in the VpxClient.exe.config file: Locate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the ... section, modify the X where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server. Exit, saving the file. Set a 15 minute (maximum) timeout execution flag when starting the vSphere Client executable: Locate the vSphere Client executable icon on the desktop, right click, and select properties. Add "-inactivityTimeout X", where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server.

Fix Text (F-44576r2_fix)

On each Windows computer with the vSphere Client installed:
Set a 15 minute (maximum) timeout in the VpxClient.exe.config file:
Locate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the ... section, modify the X where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server. Exit, saving the file.

Set a 15 minute (maximum) timeout execution flag when starting the vSphere Client executable:
Locate the vSphere Client executable icon on the desktop, right click, and select properties. Add "-inactivityTimeout X", where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server.