UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide


Overview

Date Finding Count (65)
2020-03-27 CAT I (High): 2 CAT II (Med): 52 CAT III (Low): 11
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-94763 High The vCenter Server for Windows must minimize access to the vCenter server.
V-94739 High The vCenter Server for Windows must set the distributed port group MAC Address Change policy to reject.
V-94789 Medium The vCenter Server for Windows passwords must contain at least one numeric character.
V-94853 Medium The vCenter Server for Windows must disable SNMPv1.
V-94783 Medium The vCenter Server for Windows passwords must be at least 15 characters in length.
V-94785 Medium The vCenter Server for Windows passwords must contain at least one uppercase character.
V-94787 Medium The vCenter Server for Windows passwords must contain at least one lowercase character.
V-94749 Medium The vCenter Server for Windows must configure all port groups to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
V-94743 Medium The vCenter Server for Windows must only send NetFlow traffic to authorized collectors.
V-94733 Medium The vCenter Server for Windows must limit the use of the built-in SSO administrative account.
V-94831 Medium The vCenter Server for Windows must restrict access to cryptographic permissions.
V-94725 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-94807 Medium The vCenter Server for Windows must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
V-94773 Medium The vCenter Server for Windows must use a least-privileges assignment for the Update Manager database user.
V-94805 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-94715 Medium The vCenter Server for Windows must prohibit password reuse for a minimum of five generations.
V-94721 Medium The vCenter Server for Windows must enforce a 60-day maximum password lifetime restriction.
V-94737 Medium The vCenter Server for Windows must set the distributed port group Forged Transmits policy to reject.
V-94731 Medium The vCenter Server for Windows must use Active Directory authentication.
V-94809 Medium The vCenter Server for Windows must enable the vSAN Health Check.
V-94779 Medium vCenter Server for Windows plugins must be verified.
V-94759 Medium The vCenter Server for Windows must configure the vpxuser password meets length policy.
V-94757 Medium The vCenter Server for Windows must configure the vpxuser auto-password to be changed every 30 days.
V-94741 Medium The vCenter Server for Windows must set the distributed port group Promiscuous Mode policy to reject.
V-94839 Medium The vCenter Server for Windows must use LDAPS when adding an SSO identity source.
V-94753 Medium The vCenter Server for Windows must enable SSL for Network File Copy (NFC).
V-94777 Medium The vCenter Server for Windows must use unique service accounts when applications connect to vCenter.
V-94821 Medium The vCenter Server for Windows must enable certificate based authentication.
V-94799 Medium The vCenter Server for Windows must alert administrators on permission creation operations.
V-94767 Medium The vCenter Server for Windows must enable all tasks to be shown to Administrators in the Web Client.
V-94793 Medium The vCenter Server for Windows must limit the maximum number of failed login attempts to three.
V-94791 Medium The vCenter Server for Windows passwords must contain at least one special character.
V-94797 Medium The vCenter Server for Windows must require an administrator to unlock an account locked due to excessive login failures.
V-94823 Medium The vCenter Server for Windows must enable revocation checking for certificate based authentication.
V-94795 Medium The vCenter Server for Windows must set the interval for counting failed login attempts to at least 15 minutes.
V-94765 Medium The vCenter Server for Windows Administrators must clean up log files after failed installations.
V-94727 Medium The vCenter Server for Windows must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC).
V-94717 Medium The vCenter Server for Windows must not automatically refresh client sessions.
V-94755 Medium The vCenter Server for Windows services must be ran using a service account instead of a built-in Windows account.
V-94811 Medium The vCenter Server for Windows must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
V-94815 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-94845 Medium The vCenter Server for Windows must check the privilege re-assignment after restarts.
V-94817 Medium The vCenter Server for Windows must enable TLS 1.2 exclusively.
V-94801 Medium The vCenter Server for Windows must alert administrators on permission deletion operations.
V-94813 Medium The vCenter Server for Windows must configure the vSAN Datastore name to a unique name.
V-94775 Medium The vCenter Server for Windows must use a least-privileges assignment for the vCenter Server database user.
V-94769 Medium The vCenter Server for Windows Administrator role must be secured and assigned to specific users other than a Windows Administrator.
V-94829 Medium The vCenter Server for Windows must restrict access to cryptographic role.
V-94751 Medium The vCenter Server for Windows must not configure all port groups to VLAN values reserved by upstream physical switches.
V-94723 Medium The vCenter Server for Windows must terminate management sessions after 10 minutes of inactivity.
V-94803 Medium The vCenter Server for Windows must alert administrators on permission update operations.
V-94747 Medium The vCenter Server for Windows must configure all port groups to a value other than that of the native VLAN.
V-94841 Medium The vCenter Server for Windows must use a limited privilege account when adding an LDAP identity source.
V-94819 Medium The vCenter Server for Windows reverse proxy must use DoD approved certificates.
V-94781 Low The vCenter Server for Windows must produce audit records containing information to establish what type of events occurred.
V-94825 Low The vCenter Server for Windows must disable Password and Windows integrated authentication.
V-94735 Low The vCenter Server for Windows must disable the distributed virtual switch health check.
V-94729 Low The vCenter Server for Windows must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.
V-94827 Low The vCenter Server for Windows must enable Login banner for vSphere web client.
V-94771 Low The vCenter Server for Windows must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.
V-94745 Low The vCenter Server for Windows must not override port group settings at the port level on distributed switches.
V-94837 Low The vCenter Server for Windows must disable the Customer Experience Improvement Program (CEIP).
V-94835 Low The vCenter Server for Windows must have new Key Encryption Keys (KEKs) re-issued at regular intervals for vSAN encrypted datastore(s).
V-94833 Low The vCenter Server for Windows must have Mutual CHAP configured for vSAN iSCSI targets.
V-94761 Low The vCenter Server for Windows must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.