| V-39566 | High | The vCenter Administrator role must be secured by assignment to specific users authorized as vCenter Administrators. | By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter... |
| V-39562 | Medium | A least-privileges assignment must be used for the Update Manager database user. | Least-privileges mitigates attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the... |
| V-39561 | Medium | A least-privileges assignment must be used for the vCenter Server database user. | Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and... |
| V-39545 | Medium | Privilege re-assignment must be checked after the vCenter Server restarts. | During a restart of vCenter Server, if the user or user group that is assigned Administrator role on the root folder could not be verified as a valid user/group during the restart, the... |
| V-39563 | Medium | The system must set a timeout for all thick-client logins without activity. | An inactivity timeout must be set for the vSphere Client (Thick Client). This client-side setting can be changed by users, so this must be set by default and re-audited. Automatic session... |
| V-39544 | Medium | The VMware Update Manager must not be configured to manage its own VM or the VM of its vCenter Server. | The VMware Update Manager (vUM) and vCenter Server (vCS) are VM installable on an ESXi hypervisor host. For all ESXi hypervisors and VMs, including those of the vCS and the vUM, software and... |
| V-39564 | Medium | vSphere Client plugins must be verified. | The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter... |
| V-39569 | Medium | The Update Manager must not directly connect to public patch repositories on the Internet. | In a typical deployment, the Update Manager connects to public patch repositories on the Internet to download patches. Any channel to the Internet represents a threat. For security reasons and... |
| V-39568 | Medium | The Update Manager Download Server must be isolated from direct connection to Internet public patch repositories by a proxy server. | In a typical deployment, the Update Manager Download Server connects to public patch repositories on the Internet to download patches. This connection must be restricted as much as possible to... |
| V-39554 | Medium | Log files must be cleaned up after failed installations of the vCenter Server. | If the vCenter installation fails, a log file (with a name of the form "hs_err_pidXXXX") is created that contains the database password in plain text. An attacker who breaks into the vCenter... |
| V-39555 | Medium | Revoked certificates must be removed from the vCenter Server. | If revoked certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's... |
| V-39556 | Medium | The vCenter Administrator role must be secured and assigned to specific users other than a Windows Administrator. | By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter... |
| V-39557 | Medium | Access to SSL certificates must be restricted. | The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password. By default, only the service user account and the vCenter Server administrators can access the... |
| V-39550 | Medium | The vCenter Server administrative users must have the correct roles assigned. | Administrative users must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability... |
| V-39551 | Medium | Access to SSL certificates must be monitored. | The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, the vCenter Server system administrator might need to... |
| V-39553 | Medium | Expired certificates must be removed from the vCenter Server. | If expired certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's... |
| V-39558 | Medium | The system must restrict unauthorized vSphere users from being able to execute commands within the guest virtual machine. | By default, vCenter Server "Administrator" role allows users to interact with files and programs inside a virtual machine's guest operating system. Least Privilege requires that this privilege... |
| V-39560 | Low | Network access to the vCenter Server system must be restricted. | Restrict access to only those essential components required to communicate with vCenter. Blocking access by unnecessary systems reduces the potential for general attacks on the operating system... |
| V-39547 | Low | The managed object browser must be disabled, at all times, when not required for the purpose of troubleshooting or maintenance of managed objects. | The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used... |
| V-39546 | Low | The Web datastore browser must be disabled, unless required for normal day-to-day operations. | The Web datastore browser enables viewing of all the datastores associated with the vSphere deployment, including all folders and files, such as VM files. This functionality is controlled by the... |
| V-39549 | Low | The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server. | The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would... |
| V-39548 | Low | The vCenter Server must be installed using a service account instead of a built-in Windows account. | The Microsoft Windows built-in system account or a user account can be used to run vCenter Server. With a user account, the Windows authentication for SQL Server can be enabled; it also provides... |
| V-39559 | Low | The use of Linux-based clients must be restricted. | Although SSL-based encryption is used to protect communication between client components and vCenter Server or ESXi, the Linux versions of these components do not perform certificate validation.... |
