{
"stig": {
"date": "2016-02-10",
"description": "The VMware vCenter Server Version 5 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-39544": {
"checkid": "C-46769r1_chk",
"checktext": "Ask the SA if software and system security patches are installed and up-to-date for all ESXi hypervisors/VMs, including the vCenter Server (vCS) and the VMware Update Manager (vUM), if they are also installed as VMs rather than as physical machines. \n\nIf the vUM's hypervisor host/VM patch, update, and remediation procedure does not include its own hypervisor/VM or that of the vCS (if installed as VMs), this check is not a finding. \n\nIf the vUM's hypervisor host/VM patch, update, and remediation process also includes its own hypervisor host/VM and/or the vCS's hypervisor host/VM, this is a finding.",
"description": "The VMware Update Manager (vUM) and vCenter Server (vCS) are VM installable on an ESXi hypervisor host. For all ESXi hypervisors and VMs, including those of the vCS and the vUM, software and system security patches must be installed and up-to-date. For the use case where the vUM hypervisor/VM or the vCS hypervisor/VM reboots while undergoing remediation, this will halt that process. Note that for the use case where the vCS hypervisor/VM reboots, the result is a worst case scenario of a temporary, unplanned vCS outage.",
"fixid": "F-44557r2_fix",
"fixtext": "Determine if both the VMware Update Manager (vUM) and vCenter Server (vCS) are installed as physical or virtual machines. \n\nNo fix is required for vCS/vUM if the vCS and vUM are both installed as physical machines.\n\nIf the vCS and vUM are installed as virtual machines, they must both be managed either manually or by a secondary installation of vCS and the vUM. \n\nAll remaining organization hypervisor hosts/VMs must be configured to receive software and security patch updates, via the vUM, on an organization-defined, regularly scheduled basis.",
"iacontrols": null,
"id": "V-39544",
"ruleID": "SV-51402r2_rule",
"severity": "medium",
"title": "The VMware Update Manager must not be configured to manage its own VM or the VM of its vCenter Server.",
"version": "VCENTER-000003"
},
"V-39545": {
"checkid": "C-46770r1_chk",
"checktext": "After the Windows server hosting the vCenter Server has been rebooted, a vCenter Server user or member of the user group granted the administrator role must log in and verify the role permissions remain intact. \n\nIf the user and/or user group granted vCenter administrator role permissions cannot be verified intact, this is a finding.",
"description": "During a restart of vCenter Server, if the user or user group that is assigned Administrator role on the root folder could not be verified as a valid user/group during the restart, the user/group's permission as Administrator will be removed. In its place, vCenter Server defaults the Administrator role to the local Windows administrators group, to act as a new vCenter Server Administrator. This default administrative assignment must be rectified by re-establishing a legitimate vCenter Server account with an Administrator role.",
"fixid": "F-44558r2_fix",
"fixtext": "As a Windows Administrator, log in to the vCenter Server and restore a legitimate administrator account per site-specific user/group/role requirements.",
"iacontrols": null,
"id": "V-39545",
"ruleID": "SV-51403r2_rule",
"severity": "medium",
"title": "Privilege re-assignment must be checked after the vCenter Server restarts.",
"version": "VCENTER-000005"
},
"V-39546": {
"checkid": "C-46771r3_chk",
"checktext": "If the Web datastore browser is required for normal, daily operational tasks, this check is not applicable.\n\nVerify the Web datastore browser is disabled:\nDetermine the location of the vpxd.cfg file on the vCenter Server's Windows OS host.\nEdit the file and locate the element.\nEnsure the following element is set. false \n\nIf the Web datastore browser is not disabled, this is a finding.",
"description": "The Web datastore browser enables viewing of all the datastores associated with the vSphere deployment, including all folders and files, such as VM files. This functionality is controlled by the organization-specific, user permissions on vCenter Server.",
"fixid": "F-44559r3_fix",
"fixtext": "If the Web datastore browser is enabled and required for normal, daily operational tasks, no fix is required.\n\nDisable the Web datastore browser:\nDetermine the location of the vpxd.cfg file on the Windows host.\nEdit the file and locate the ... element.\nEnsure the following element is set false \n\nRestart the vCenter Service to ensure the config file change(s) are in effect.",
"iacontrols": null,
"id": "V-39546",
"ruleID": "SV-51404r2_rule",
"severity": "low",
"title": "The Web datastore browser must be disabled, unless required for normal day-to-day operations.",
"version": "VCENTER-000006"
},
"V-39547": {
"checkid": "C-46772r2_chk",
"checktext": "The Managed Object Browser (MOB) was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is an inventory object, full-access interface, allowing attackers to determine the inventory path of an infrastructure's managed entities. \n\nCheck the operational status of the MOB :\nDetermine the location of the vpxd.cfg file on the vCenter Server's Windows OS host.\nEdit the file and locate the ... element.\nEnsure the following element is set. false \n\nIf the MOB is currently enabled, ask the SA if it is being used for object maintenance. \n\nIf the enableDebugBrowse element is enabled (set to true), and object maintenance is not being performed, this is a finding.\n\nIf the enableDebugBrowse element is enabled (set to true), and object maintenance is being performed, this is not a finding.",
"description": "The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and might potentially be used to perform malicious configuration changes or actions.",
"fixid": "F-44560r2_fix",
"fixtext": "If the datastore browser is enabled and required for object maintenance, no fix is immediately required.\n\nDisable the managed object browser:\nDetermine the location of the vpxd.cfg file on the Windows host.\nEdit the file and locate the ... element.\nEnsure the following element is set. false \n\nRestart the vCenter Service to ensure the configuration file change(s) are in effect.",
"iacontrols": null,
"id": "V-39547",
"ruleID": "SV-51405r1_rule",
"severity": "low",
"title": "The managed object browser must be disabled, at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.",
"version": "VCENTER-000007"
},
"V-39548": {
"checkid": "C-46773r1_chk",
"checktext": "Verify vCenter Server was installed using a special-purpose user account on the Windows host with a local-only administrator role. This account should have the \"Act as part of the operating system\" privilege, and write access to the local file system with a local-only administrator role.\n\nIf the vCenter Server was not installed with a special-purpose, local-only administrator role with the \"Act as part of the operating system\" privilege, this is a finding.",
"description": "The Microsoft Windows built-in system account or a user account can be used to run vCenter Server. With a user account, the Windows authentication for SQL Server can be enabled; it also provides more security. The user account must be an administrator on the local machine. In the installation wizard, specify the account name as DomainName\\Username. If using SQL Server for the vCenter database, the SQL Server database must be configured to allow the domain account access to SQL Server. The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system requires, which can contribute to security problems. A local user, administrative level account with limited permissions and rights must be set up for the vCenter Server system. ",
"fixid": "F-44561r1_fix",
"fixtext": "Re-install the vCenter Server with a special-purpose, local-only administrator role with the \"Act as part of the operating system\" privilege.",
"iacontrols": null,
"id": "V-39548",
"ruleID": "SV-51406r1_rule",
"severity": "low",
"title": "The vCenter Server must be installed using a service account instead of a built-in Windows account.",
"version": "VCENTER-000008"
},
"V-39549": {
"checkid": "C-46774r1_chk",
"checktext": "Check the following conditions:\nThe Update Manager must be configured to use the Update Manager Download Server. \nThe use of physical media to transfer update files to the Update Manager server (air-gap model example: separate Update Manager Download Server which may source vendor patches externally via the Internet versus an internal, organization defined source) must be enforced with site policies.\n\nIf all of the above conditions are not met, this is a finding.",
"description": "The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet. The Update Manager requires access to patch information to function properly. UMDS must be installed on a separate system that has Internet access to download upgrades, patch binaries, and patch metadata, and then export the downloads to a portable media drive so that they become accessible to the Update Manager server.\n",
"fixid": "F-44562r1_fix",
"fixtext": "Configure the Update Manager Server to use a separate Update Manager Download Server; the use of physical media to transfer updated files to the Update Manager server (air-gap model) must be enforced and documented with organization policies. Configure the Update Manager Download Server and enable the Download Service. Patches must not be directly accessible to the Update Manager Server application from the Internet.",
"iacontrols": null,
"id": "V-39549",
"ruleID": "SV-51407r1_rule",
"severity": "low",
"title": "The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.",
"version": "VCENTER-000009"
},
"V-39550": {
"checkid": "C-46775r2_chk",
"checktext": "Check that roles are created in vCenter with the required granularity of privilege for the organization's administrator types, and that these roles are assigned to the correct, site-specific users:\nLog into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. \nGo to \"Home>> Administration>> Roles\" and verify that a role exists for each of the administrator privilege sets the organization requires and allows. \nRight click on each Role name and select \"Edit\". Verify under \"All Privileges>> Virtual Machines\" that only site-specific, required checkboxes are selected. \n\nIf the organization does not require roles for administrator privilege sets, this is a finding.\n\nIf a role does not exist for each of the organization-required, administrator privilege sets, this is a finding.",
"description": "Administrative users must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.",
"fixid": "F-44563r2_fix",
"fixtext": "Create roles in vCenter with the required granularity of privilege for the organization's administrator types, and ensure that these roles are assigned to the correct, site-specific users. As a vCenter Server administrator, log into the vCenter Server with the vSphere Client. \nGo to \"Home>> Administration>> Roles\" and create a role for each of the administrator privilege sets the organization requires and allows. \nRight click on each role name and select \"Edit\". Verify under \"All Privileges>> Virtual Machines\" that only site-specific, required checkboxes are selected.",
"iacontrols": null,
"id": "V-39550",
"ruleID": "SV-51408r1_rule",
"severity": "medium",
"title": "The vCenter Server administrative users must have the correct roles assigned.",
"version": "VCENTER-000012"
},
"V-39551": {
"checkid": "C-46776r1_chk",
"checktext": "Ask the SA if event log monitoring is used to alert on non-service account access to the certificates directory.\n\nIf event log monitoring is not used, this is a finding.",
"description": "The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, the vCenter Server system administrator might need to access it for support purposes. The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password.",
"fixid": "F-44564r1_fix",
"fixtext": "Set up Windows event log monitoring to alert on nonservice account access to the certificates directory.\n\n\n\n",
"iacontrols": null,
"id": "V-39551",
"ruleID": "SV-51409r1_rule",
"severity": "medium",
"title": "Access to SSL certificates must be monitored.",
"version": "VCENTER-000013"
},
"V-39553": {
"checkid": "C-46778r1_chk",
"checktext": "To check the status of SSL certificates on vCenter Server, open the vSphere Client and connect to the vCenter Server and log in. In the Security Warning dialog, click View Certificate and check the Valid from mm/dd/yy to mm/dd/yy field for the expiry information. Click OK. If unable to determine the certificate status from the certificate details, ask the SA if there is a site procedure to ensure the monitoring and removal of expired certificates from the vCenter Server Windows host. Use this procedure to check the vCenter Server/host for the presence of expired certificates.\n\nIf a procedure does not exist and/or expired certificates are found, this is a finding.",
"description": "If expired certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.",
"fixid": "F-44566r1_fix",
"fixtext": "If a site procedure to ensure the monitoring and removal of expired certificates from the vCenter Server Windows host does not exist, create one. Check the vCenter Server/host for the presence of expired certificates. Remove all expired certificates.",
"iacontrols": null,
"id": "V-39553",
"ruleID": "SV-51411r1_rule",
"severity": "medium",
"title": "Expired certificates must be removed from the vCenter Server.",
"version": "VCENTER-000015"
},
"V-39554": {
"checkid": "C-46779r1_chk",
"checktext": "If at any time a vCenter Server installation fails, only the log files of format \"hs_err_pid....\" should be identified on the Windows host and deleted securely before putting the host into production. Determine if a site policy exists for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format \"hs_err_pid\".\n\nIf a file name of the format \"hs_err_pid\" is found, this is a finding.\n\nIf a site policy does not exist and/or is not followed, this is a finding.",
"description": "If the vCenter installation fails, a log file (with a name of the form \"hs_err_pidXXXX\") is created that contains the database password in plain text. An attacker who breaks into the vCenter Server could potentially steal this password and access the vCenter Database.",
"fixid": "F-44567r1_fix",
"fixtext": "Develop a site policy for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format \"hs_err_pid and remove them.",
"iacontrols": null,
"id": "V-39554",
"ruleID": "SV-51412r1_rule",
"severity": "medium",
"title": "Log files must be cleaned up after failed installations of the vCenter Server.",
"version": "VCENTER-000016"
},
"V-39555": {
"checkid": "C-46780r1_chk",
"checktext": "To check the status of SSL certificates on vCenter Server, open the vSphere Client and connect to the vCenter Server and log in. In the Security Warning dialog, click View Certificate and check the Valid from mm/dd/yy to mm/dd/yy field for the expiry information. Click OK. If unable to determine the certificate status from the certificate details, ask the SA if there is a site procedure to ensure the monitoring and removal of revoked certificates from the vCenter Server Windows host. Use this procedure to check the vCenter Server/host for the presence of revoked certificates.\n\nIf a procedure does not exist and/or revoked certificates are found, this is a finding.",
"description": "If revoked certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.",
"fixid": "F-44568r1_fix",
"fixtext": "If a site procedure to ensure the monitoring and removal of revoked certificates from the vCenter Server Windows host does not exist, create one. Check the vCenter Server/host for the presence of revoked certificates. Remove all revoked certificates.",
"iacontrols": null,
"id": "V-39555",
"ruleID": "SV-51413r1_rule",
"severity": "medium",
"title": "Revoked certificates must be removed from the vCenter Server.",
"version": "VCENTER-000017"
},
"V-39556": {
"checkid": "C-46781r1_chk",
"checktext": "Check the permissions assigned in vSphere. Verify that a non-Windows administrative user account is used to manage vCenter. Ensure the user does not belong to any local groups, such as administrator. \n\nIf a Windows administrative account is used to manage vCenter, this is a finding. \n\nIf the account used to manage vCenter belongs to a local Windows or administrative group, this is a finding.",
"description": "By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows administrator account and instead be given to a special-purpose local vCenter Administrator account. This account should be used to create individual user accounts.",
"fixid": "F-44569r1_fix",
"fixtext": "Ensure \"Administrator\" or any other account or group does not have any privileges except users created as follows: \nCreate an ordinary user account that will be used to manage vCenter (example vi-admin). \nMake sure the user does not belong to any local groups, such as administrator. \n On the top-level hosts and clusters context, log onto vCenter as the Windows administrator; then grant the role of administrator (global vCenter administrator) to the created account. \nLog out of vCenter and log into vCenter with the account created. Verify user is able to perform all tasks available to a vCenter administrator. \nRemove the permissions in the vCenter for the local administrator group.",
"iacontrols": null,
"id": "V-39556",
"ruleID": "SV-51414r1_rule",
"severity": "medium",
"title": "The vCenter Administrator role must be secured and assigned to specific users other than a Windows Administrator.",
"version": "VCENTER-000018"
},
"V-39557": {
"checkid": "C-46782r1_chk",
"checktext": "Check the Windows file permission on the SSL certificate directory files are set so only the vCenter service account and authorized vCenter Server Administrators can access them. Verify the directory and all files within are only accessible to the service user (System) and authorized vCenter Server administrators. The location by default for vCenter this is C:\\ProgramData\\VMware\\VMware VirtualCenter\\SSL and for the Inventory Service SSL certificate is C:\\Program Files\\VMware\\Infrastructure\\Inventory Service\\ssl.\n\nIf the SSL certificate directory/files are not set so that only the vCenter service account and authorized vCenter Server Administrators can access them, this is a finding.",
"description": "The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password. By default, only the service user account and the vCenter Server administrators can access the directory containing the SSL certificates. The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, when collecting data for support purposes, the vCenter Server system administrator might need to access it. The permissions should be checked on a regular basis to ensure they have not been changed to add unauthorized users.",
"fixid": "F-44570r1_fix",
"fixtext": "Ensure the Windows file permission on the SSL certificate directory files are set so only the vCenter service account and authorized vCenter Server Administrators can access them. Ensure the directory and all files within are only accessible to the service user (System) and authorized vCenter Server administrators. The location by default for vCenter this is C:\\ProgramData\\VMware\\VMware VirtualCenter\\SSL and for the Inventory Service SSL certificate is C:\\Program Files\\VMware\\Infrastructure\\Inventory Service\\ssl.\n\n",
"iacontrols": null,
"id": "V-39557",
"ruleID": "SV-51415r1_rule",
"severity": "medium",
"title": "Access to SSL certificates must be restricted.",
"version": "VCENTER-000019"
},
"V-39558": {
"checkid": "C-46783r2_chk",
"checktext": "Check that a role is used to manage the vCenter Server without the Guest Access Control (example \"Administrator No Guest Access\"), and that this role is assigned to administrators who should not have Guest file and program interaction privileges. \n\nLog into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. \nGo to \"Home>> Administration>> Roles\" and verify that a role exists for administrators with Guest access removed. \nRight click on the role name and select \"Edit\". Verify under \"All Privileges>> Virtual Machines\" the \"Guest Operations\" checkbox is unchecked. \nVerify users requiring Administrator privileges without Guest access privileges are assigned to that role and not the default Administrator role.\n\nAsk the SA for a list of users that require administrator privileges without Guest access privileges and verify their role assignments.\n\nIf users requiring administrator privileges without Guest access privileges are assigned to the default Administrator role, this is a finding.",
"description": "By default, vCenter Server \"Administrator\" role allows users to interact with files and programs inside a virtual machine's guest operating system. Least Privilege requires that this privilege should not be granted to any users who are not authorized, to reduce risk of Guest confidentiality, availability, or integrity loss. To prevent such loss, a non-guest access role must be created without these privileges. This role is for users who need administrator privileges excluding those allowing file and program interaction within the guests.",
"fixid": "F-44571r2_fix",
"fixtext": "Create a role to manage vCenter without the Guest Access Control (example \"Administrator No Guest Access\"), and that this role is assigned to administrators who should not have Guest file and program interaction privileges. \n\nLog into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. \nGo to \"Home>> Administration>> Roles\" and verify a role exists for administrators with Guest access removed. \nRight click on the role name and select \"Edit\". Verify under \"All Privileges>> Virtual Machines\" the \"Guest Operations\" checkbox is unchecked. \nCreate account(s) requiring administrator privileges without Guest access privileges.",
"iacontrols": null,
"id": "V-39558",
"ruleID": "SV-51416r1_rule",
"severity": "medium",
"title": "The system must restrict unauthorized vSphere users from being able to execute commands within the guest virtual machine.",
"version": "VCENTER-000020"
},
"V-39559": {
"checkid": "C-46784r1_chk",
"checktext": "Verify all client operating systems connecting to the vCenter Server are not Linux.\n\nIf any client operating system connecting to the vCenter Server is Linux-based, this is a finding.\n\n",
"description": "Although SSL-based encryption is used to protect communication between client components and vCenter Server or ESXi, the Linux versions of these components do not perform certificate validation. Even if the self-signed certificates are replaced on vCenter and ESXi with legitimate certificates signed by the local root certificate authority or a third party, communications with Linux clients are still vulnerable to MiTM attacks. ",
"fixid": "F-44572r1_fix",
"fixtext": "Replace all Linux-based clients connecting to the vCenter Server with non-Linux-based clients.\n\n",
"iacontrols": null,
"id": "V-39559",
"ruleID": "SV-51417r1_rule",
"severity": "low",
"title": "The use of Linux-based clients must be restricted.",
"version": "VCENTER-000021"
},
"V-39560": {
"checkid": "C-46785r1_chk",
"checktext": "The vCenter Server must be protected by a network and/or local firewall on the vCenter Server Windows system. This protection must include IP-based access restrictions, enabling only necessary components to communicate with the vCenter Server system.\n\nIf the vCenter Server Windows system is not protected by a network and/or local firewall, this is a finding.",
"description": "Restrict access to only those essential components required to communicate with vCenter. Blocking access by unnecessary systems reduces the potential for general attacks on the operating system and minimizes risk.",
"fixid": "F-44573r1_fix",
"fixtext": "The vCenter Server Windows system must be protected by utilizing a network and/or local firewall. Install the vCenter Server Windows system behind the firewall and/or install a firewall application on the Windows system. Firewall protections must include IP-based access restrictions, enabling only necessary components to communicate with the vCenter Server system.",
"iacontrols": null,
"id": "V-39560",
"ruleID": "SV-51418r1_rule",
"severity": "low",
"title": "Network access to the vCenter Server system must be restricted.",
"version": "VCENTER-000022"
},
"V-39561": {
"checkid": "C-46786r2_chk",
"checktext": "Verify only the runtime privileges needed for the current vCenter state, on either Oracle or Microsoft SQL Server, is assigned. \n\nVerify that the following permissions are granted to the vCenter user in the vCenter database.\nGRANT ALTER ON SCHEMA :: to ;\nGRANT REFERENCES ON SCHEMA :: to ;\nGRANT INSERT ON SCHEMA :: to ;\nGRANT CREATE TABLE to ;\nGRANT CREATE VIEW to ;\nGRANT CREATE Procedure to ;\n\nFor SQL, verify that the following permissions are granted to the user in the MSDB database. Note that the msdb database is used by SQL Server Agent for scheduling alerts and jobs.\nGRANT SELECT on msdb.dbo.syscategories to ;\nGRANT SELECT on msdb.dbo.sysjobsteps to ;\nGRANT SELECT ON msdb.dbo.sysjobs to ;\nGRANT EXECUTE ON msdb.dbo.sp_add_job TO ;\nGRANT EXECUTE ON msdb.dbo.sp_delete_job TO ;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO ;\nGRANT EXECUTE ON msdb.dbo.sp_update_job TO ;\nGRANT EXECUTE ON msdb.dbo.sp_add_category TO ;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO ;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO ;\n\nFor Oracle, verify that the following permissions (or DBA role) are granted to the user.\ngrant connect to \ngrant resource to \ngrant create view to \ngrant create materialized view to \ngrant execute on dbms_job to \ngrant execute on dbms_lock to \ngrant unlimited tablespace to \n\nIf the runtime privileges are not configured per the above guidelines, this is a finding.",
"description": "Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.",
"fixid": "F-44574r2_fix",
"fixtext": "Set the runtime privileges needed for the current vCenter state, on either Oracle or Microsoft SQL Server as noted below. \n\nGrant the following permissions to the vCenter user in the vCenter database:\nGRANT ALTER ON SCHEMA :: to ;\nGRANT REFERENCES ON SCHEMA :: to ;\nGRANT INSERT ON SCHEMA :: to ;\nGRANT CREATE TABLE to ;\nGRANT CREATE VIEW to ;\nGRANT CREATE Procedure to ;\n\nGrant the following permissions to the user in the MSDB database. Note that the msdb database is used by SQL Server Agent for scheduling alerts and jobs.\nGRANT SELECT on msdb.dbo.syscategories to ;\nGRANT SELECT on msdb.dbo.sysjobsteps to ;\nGRANT SELECT ON msdb.dbo.sysjobs to ;\nGRANT EXECUTE ON msdb.dbo.sp_add_job TO ;\nGRANT EXECUTE ON msdb.dbo.sp_delete_job TO ;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO ;\nGRANT EXECUTE ON msdb.dbo.sp_update_job TO ;\nGRANT EXECUTE ON msdb.dbo.sp_add_category TO ;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO ;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO ;\n\nFor Oracle, either assign the DBA role or grant the following permissions to the user.\ngrant connect to \ngrant resource to \ngrant create view to \ngrant create materialized view to \ngrant execute on dbms_job to \ngrant execute on dbms_lock to \ngrant unlimited tablespace to ",
"iacontrols": null,
"id": "V-39561",
"ruleID": "SV-51419r1_rule",
"severity": "medium",
"title": "A least-privileges assignment must be used for the vCenter Server database user.",
"version": "VCENTER-000023"
},
"V-39562": {
"checkid": "C-46787r3_chk",
"checktext": "Verify only the following permissions are allowed to the VUM DB user after installation.\n\nFor Oracle DB normal operation, only the following permissions are required. \nCreate session\ncreate any table\ndrop any table\n\nFor SQL Server DB normal operation, the dba_owner role or sysadmin role can be removed from the MSDB database. The dba_owner role or sysadmin role is still required for the Update Manager database.\n\nNote: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.\n\nIf the above vendor database-dependent permissions are not strictly adhered to, this is a finding.",
"description": "Least-privileges mitigates attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.",
"fixid": "F-44575r3_fix",
"fixtext": "For Oracle DB normal runtime operation, set the following permissions. \nCreate session\ncreate any table\ndrop any table\n\nFor SQL Server DB normal runtime operation remove/delete the dba_owner role or sysadmin role from the MSDB database. The dba_owner role or sysadmin role is still required for the Update Manager database.\n\nNote: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.",
"iacontrols": null,
"id": "V-39562",
"ruleID": "SV-51420r2_rule",
"severity": "medium",
"title": "A least-privileges assignment must be used for the Update Manager database user.",
"version": "VCENTER-000024"
},
"V-39563": {
"checkid": "C-46788r2_chk",
"checktext": "On each Windows computer with the vSphere Client installed, verify:\nA 15 minute (maximum) timeout is set in the VpxClient.exe.config file:\nLocate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the ... section, verify the setting X where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server. \n\nVerify the timeout is passed as an execution flag when the vSphere Client executable is started:\nLocate the vSphere Client executable icon on the desktop, right click, and select properties. Verify the presence of \"-inactivityTimeout 15\" in the command.\n\nIf either of the above methods is invoked and the timeout interval exceeds 15 minutes, this is a finding.",
"description": "An inactivity timeout must be set for the vSphere Client (Thick Client). This client-side setting can be changed by users, so this must be set by default and re-audited. Automatic session termination minimizes risk and reduces the potential for unauthorized access to vCenter.",
"fixid": "F-44576r2_fix",
"fixtext": "On each Windows computer with the vSphere Client installed:\nSet a 15 minute (maximum) timeout in the VpxClient.exe.config file:\nLocate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the ... section, modify the X where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server. Exit, saving the file.\n\nSet a 15 minute (maximum) timeout execution flag when starting the vSphere Client executable:\nLocate the vSphere Client executable icon on the desktop, right click, and select properties. Add \"-inactivityTimeout X\", where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server.",
"iacontrols": null,
"id": "V-39563",
"ruleID": "SV-51421r1_rule",
"severity": "medium",
"title": "The system must set a timeout for all thick-client logins without activity.",
"version": "VCENTER-000027"
},
"V-39564": {
"checkid": "C-46789r2_chk",
"checktext": "Verify the vSphere Client used by administrators includes only authorized extensions from trusted sources:\nFrom the vSphere Client, \"Plug-ins>> Manage Plug-ins\" and click the Installed Plug-ins tab. View the Installed/Available Plug-ins list and verify they are all identified as authorized VMware, 3rd party (Partner) and/or site-specific (locally developed and site) approved plug-ins.\n\nIf any Installed/Available plug-ins in the viewable list cannot be verified as vSphere Client plug-ins and/or authorized extensions from trusted sources, this is a finding.",
"description": "The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system.",
"fixid": "F-44577r2_fix",
"fixtext": "Disable/remove all listed plug-ins that cannot be verified as distributed from trusted sources:\nFrom the vSphere client, connect to the vCenter server.\nOn the menu bar, go to \"Plug-ins >> Manage Plug-ins\".\nUnder Installed Plug-ins, right-click the plug-in of choice and select Disable.",
"iacontrols": null,
"id": "V-39564",
"ruleID": "SV-51422r1_rule",
"severity": "medium",
"title": "vSphere Client plugins must be verified.",
"version": "VCENTER-000029"
},
"V-39566": {
"checkid": "C-46791r4_chk",
"checktext": "Connect to the vCenter Server via the vSphere Client. Highlight the data center name and navigate to the Permissions tab. Observe the list of users and/or groups.\n\nIf any local administrator group permissions appear in the displayed list, this is a finding.\n\nIf a vCenter Administrator account (must be an ordinary user assigned the administrator role) does not appear in the displayed list, this is a finding.\n\nIf a vCenter Administrator account (must be an ordinary user assigned the administrator role) does appear in the displayed list, this is not a finding.",
"description": "By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and be assigned to a special-purpose local vCenter Administrator account. This account should be used to create individual user accounts.",
"fixid": "F-44579r6_fix",
"fixtext": "Log into the Windows server as the Windows administrative user and create an ordinary user account that will be used to manage vCenter Server (example user: vAdmin). \n\nEnsure the ordinary user account (created above) does not belong to any local groups (example group: administrators). \n\nAs the Windows administrative user, log into the vCenter Server (using the vSphere Client). Grant the role of administrator (global vCenter Server administrator) to the ordinary user account (created above). \n\nLog into the vCenter Server (using the vSphere Client) with the ordinary user account (created above) and verify that the user is able to perform all vCenter Server administrative tasks. \n\nAs the Windows administrative user, log into the vCenter Server (using the vSphere Client). Delete the local administrator group from the permissions tab in the vSphere Client. Close the vSphere Client connection and attempt to reconnect to the Windows server as the Windows administrative user. The connection should now fail due to lack of administrator access/permissions.",
"iacontrols": null,
"id": "V-39566",
"ruleID": "SV-51424r2_rule",
"severity": "high",
"title": "The vCenter Administrator role must be secured by assignment to specific users authorized as vCenter Administrators.",
"version": "VCENTER-000031"
},
"V-39568": {
"checkid": "C-46793r1_chk",
"checktext": "If the Update Manager Download Server does not connect to the Internet to source vendor patches, this check is not applicable.\n\nVerify there is a Web proxy between Update Manager Download Server and the Internet. Check the proxy settings for the Update Manager Download Server to ensure correct configuration. \n\nTo verify proxy settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications.\n\nOn the Configuration tab, under Settings, click Download Settings.\nIn the Proxy Settings pane, select properties and view the proxy information.\n\nIf a web proxy between Update Manager Download Server and the Internet is not configured, this is a finding.",
"description": "In a typical deployment, the Update Manager Download Server connects to public patch repositories on the Internet to download patches. This connection must be restricted as much as possible to prevent access from the outside to the Update Manager Download Server. Any direct channel to the Internet represents a threat.",
"fixid": "F-44581r1_fix",
"fixtext": "If the Update Manager Download Server does not connect to the Internet to source vendor patches, no fix is required.\n\nTo configure proxy settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications.\n\nOn the Configuration tab, under Settings, click Download Settings. In the Proxy Settings pane, select Use proxy and change the proxy information. Optional: If the proxy requires authentication, select Proxy requires authentication and provide a user name and password. Optional: Click Test Connection at any time to test whether a connection to the Internet through the proxy is possible. Click Apply.",
"iacontrols": null,
"id": "V-39568",
"ruleID": "SV-51426r1_rule",
"severity": "medium",
"title": "The Update Manager Download Server must be isolated from direct connection to Internet public patch repositories by a proxy server.",
"version": "VCENTER-000033"
},
"V-39569": {
"checkid": "C-46794r1_chk",
"checktext": "Verify the Update Manager download source is not the Internet. \n\nTo verify download settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications.\n\nOn the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, verify \"Direct connection to Internet\" is not selected.\n\nIf \"Direct connection to Internet\" is configured, this is a finding.",
"description": "In a typical deployment, the Update Manager connects to public patch repositories on the Internet to download patches. Any channel to the Internet represents a threat. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet.",
"fixid": "F-44582r2_fix",
"fixtext": "To configure a Web server or local disk repository as a download source (i.e., \"Direct connection to Internet\" must not be selected as the source), from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, select Use a shared repository. Enter the path or the URL to the shared repository. Click Validate URL to validate the path. Click Apply.",
"iacontrols": null,
"id": "V-39569",
"ruleID": "SV-51427r1_rule",
"severity": "medium",
"title": "The Update Manager must not directly connect to public patch repositories on the Internet.",
"version": "VCENTER-000034"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-39544": "true",
"V-39545": "true",
"V-39546": "true",
"V-39547": "true",
"V-39548": "true",
"V-39549": "true",
"V-39550": "true",
"V-39551": "true",
"V-39553": "true",
"V-39554": "true",
"V-39555": "true",
"V-39556": "true",
"V-39557": "true",
"V-39558": "true",
"V-39559": "true",
"V-39560": "true",
"V-39561": "true",
"V-39562": "true",
"V-39563": "true",
"V-39564": "true",
"V-39566": "true",
"V-39568": "true",
"V-39569": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-39544": "true",
"V-39545": "true",
"V-39546": "true",
"V-39547": "true",
"V-39548": "true",
"V-39549": "true",
"V-39550": "true",
"V-39551": "true",
"V-39553": "true",
"V-39554": "true",
"V-39555": "true",
"V-39556": "true",
"V-39557": "true",
"V-39558": "true",
"V-39559": "true",
"V-39560": "true",
"V-39561": "true",
"V-39562": "true",
"V-39563": "true",
"V-39564": "true",
"V-39566": "true",
"V-39568": "true",
"V-39569": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-39544": "true",
"V-39545": "true",
"V-39546": "true",
"V-39547": "true",
"V-39548": "true",
"V-39549": "true",
"V-39550": "true",
"V-39551": "true",
"V-39553": "true",
"V-39554": "true",
"V-39555": "true",
"V-39556": "true",
"V-39557": "true",
"V-39558": "true",
"V-39559": "true",
"V-39560": "true",
"V-39561": "true",
"V-39562": "true",
"V-39563": "true",
"V-39564": "true",
"V-39566": "true",
"V-39568": "true",
"V-39569": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-39544": "true",
"V-39545": "true",
"V-39546": "true",
"V-39547": "true",
"V-39548": "true",
"V-39549": "true",
"V-39550": "true",
"V-39551": "true",
"V-39553": "true",
"V-39554": "true",
"V-39555": "true",
"V-39556": "true",
"V-39557": "true",
"V-39558": "true",
"V-39559": "true",
"V-39560": "true",
"V-39561": "true",
"V-39562": "true",
"V-39563": "true",
"V-39564": "true",
"V-39566": "true",
"V-39568": "true",
"V-39569": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-39544": "true",
"V-39545": "true",
"V-39546": "true",
"V-39547": "true",
"V-39548": "true",
"V-39549": "true",
"V-39550": "true",
"V-39551": "true",
"V-39553": "true",
"V-39554": "true",
"V-39555": "true",
"V-39556": "true",
"V-39557": "true",
"V-39558": "true",
"V-39559": "true",
"V-39560": "true",
"V-39561": "true",
"V-39562": "true",
"V-39563": "true",
"V-39564": "true",
"V-39566": "true",
"V-39568": "true",
"V-39569": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-39544": "true",
"V-39545": "true",
"V-39546": "true",
"V-39547": "true",
"V-39548": "true",
"V-39549": "true",
"V-39550": "true",
"V-39551": "true",
"V-39553": "true",
"V-39554": "true",
"V-39555": "true",
"V-39556": "true",
"V-39557": "true",
"V-39558": "true",
"V-39559": "true",
"V-39560": "true",
"V-39561": "true",
"V-39562": "true",
"V-39563": "true",
"V-39564": "true",
"V-39566": "true",
"V-39568": "true",
"V-39569": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-39544": "true",
"V-39545": "true",
"V-39546": "true",
"V-39547": "true",
"V-39548": "true",
"V-39549": "true",
"V-39550": "true",
"V-39551": "true",
"V-39553": "true",
"V-39554": "true",
"V-39555": "true",
"V-39556": "true",
"V-39557": "true",
"V-39558": "true",
"V-39559": "true",
"V-39560": "true",
"V-39561": "true",
"V-39562": "true",
"V-39563": "true",
"V-39564": "true",
"V-39566": "true",
"V-39568": "true",
"V-39569": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-39544": "true",
"V-39545": "true",
"V-39546": "true",
"V-39547": "true",
"V-39548": "true",
"V-39549": "true",
"V-39550": "true",
"V-39551": "true",
"V-39553": "true",
"V-39554": "true",
"V-39555": "true",
"V-39556": "true",
"V-39557": "true",
"V-39558": "true",
"V-39559": "true",
"V-39560": "true",
"V-39561": "true",
"V-39562": "true",
"V-39563": "true",
"V-39564": "true",
"V-39566": "true",
"V-39568": "true",
"V-39569": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-39544": "true",
"V-39545": "true",
"V-39546": "true",
"V-39547": "true",
"V-39548": "true",
"V-39549": "true",
"V-39550": "true",
"V-39551": "true",
"V-39553": "true",
"V-39554": "true",
"V-39555": "true",
"V-39556": "true",
"V-39557": "true",
"V-39558": "true",
"V-39559": "true",
"V-39560": "true",
"V-39561": "true",
"V-39562": "true",
"V-39563": "true",
"V-39564": "true",
"V-39566": "true",
"V-39568": "true",
"V-39569": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "vmware_vcenter_server_version_5",
"title": "VMware vCenter Server Version 5 Security Technical Implementation Guide",
"version": "1"
}
}