VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide


Overview

Date: 2020-03-27
Finding Count (65): CAT I (High): 2, CAT II (Med): 52, CAT III (Low): 11
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-94763 High The vCenter Server for Windows must minimize access to the vCenter server.
V-94739 High The vCenter Server for Windows must set the distributed port group MAC Address Change policy to reject.
V-94789 Medium The vCenter Server for Windows passwords must contain at least one numeric character.
V-94853 Medium The vCenter Server for Windows must disable SNMPv1.
V-94783 Medium The vCenter Server for Windows passwords must be at least 15 characters in length.
V-94785 Medium The vCenter Server for Windows passwords must contain at least one uppercase character.
V-94787 Medium The vCenter Server for Windows passwords must contain at least one lowercase character.
V-94749 Medium The vCenter Server for Windows must configure all port groups to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
V-94743 Medium The vCenter Server for Windows must only send NetFlow traffic to authorized collectors.
V-94733 Medium The vCenter Server for Windows must limit the use of the built-in SSO administrative account.
V-94831 Medium The vCenter Server for Windows must restrict access to cryptographic permissions.
V-94725 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-94807 Medium The vCenter Server for Windows must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
V-94773 Medium The vCenter Server for Windows must use a least-privileges assignment for the Update Manager database user.
V-94805 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-94715 Medium The vCenter Server for Windows must prohibit password reuse for a minimum of five generations.
V-94721 Medium The vCenter Server for Windows must enforce a 60-day maximum password lifetime restriction.
V-94737 Medium The vCenter Server for Windows must set the distributed port group Forged Transmits policy to reject.
V-94731 Medium The vCenter Server for Windows must use Active Directory authentication.
V-94809 Medium The vCenter Server for Windows must enable the vSAN Health Check.
V-94779 Medium vCenter Server for Windows plugins must be verified.
V-94759 Medium The vCenter Server for Windows must configure the vpxuser password to meet the length policy.
V-94757 Medium The vCenter Server for Windows must configure the vpxuser auto-password to be changed every 30 days.
V-94741 Medium The vCenter Server for Windows must set the distributed port group Promiscuous Mode policy to reject.
V-94839 Medium The vCenter Server for Windows must use LDAPS when adding an SSO identity source.
V-94753 Medium The vCenter Server for Windows must enable SSL for Network File Copy (NFC).
V-94777 Medium The vCenter Server for Windows must use unique service accounts when applications connect to vCenter.
V-94821 Medium The vCenter Server for Windows must enable certificate based authentication.
V-94799 Medium The vCenter Server for Windows must alert administrators on permission creation operations.
V-94767 Medium The vCenter Server for Windows must enable all tasks to be shown to Administrators in the Web Client.
V-94793 Medium The vCenter Server for Windows must limit the maximum number of failed login attempts to three.
V-94791 Medium The vCenter Server for Windows passwords must contain at least one special character.
V-94797 Medium The vCenter Server for Windows must require an administrator to unlock an account locked due to excessive login failures.
V-94823 Medium The vCenter Server for Windows must enable revocation checking for certificate based authentication.
V-94795 Medium The vCenter Server for Windows must set the interval for counting failed login attempts to at least 15 minutes.
V-94765 Medium The vCenter Server for Windows Administrators must clean up log files after failed installations.
V-94727 Medium The vCenter Server for Windows must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC).
V-94717 Medium The vCenter Server for Windows must not automatically refresh client sessions.
V-94755 Medium The vCenter Server for Windows services must be run using a service account instead of a built-in Windows account.
V-94811 Medium The vCenter Server for Windows must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
V-94815 Medium The vCenter Server for Windows users must have the correct roles assigned.
V-94845 Medium The vCenter Server for Windows must check the privilege re-assignment after restarts.
V-94817 Medium The vCenter Server for Windows must enable TLS 1.2 exclusively.
V-94801 Medium The vCenter Server for Windows must alert administrators on permission deletion operations.
V-94813 Medium The vCenter Server for Windows must configure the vSAN Datastore name to a unique name.
V-94775 Medium The vCenter Server for Windows must use a least-privileges assignment for the vCenter Server database user.
V-94769 Medium The vCenter Server for Windows Administrator role must be secured and assigned to specific users other than a Windows Administrator.
V-94829 Medium The vCenter Server for Windows must restrict access to cryptographic role.
V-94751 Medium The vCenter Server for Windows must not configure all port groups to VLAN values reserved by upstream physical switches.
V-94723 Medium The vCenter Server for Windows must terminate management sessions after 10 minutes of inactivity.
V-94803 Medium The vCenter Server for Windows must alert administrators on permission update operations.
V-94747 Medium The vCenter Server for Windows must configure all port groups to a value other than that of the native VLAN.
V-94841 Medium The vCenter Server for Windows must use a limited privilege account when adding an LDAP identity source.
V-94819 Medium The vCenter Server for Windows reverse proxy must use DoD approved certificates.
V-94781 Low The vCenter Server for Windows must produce audit records containing information to establish what type of events occurred.
V-94825 Low The vCenter Server for Windows must disable Password and Windows integrated authentication.
V-94735 Low The vCenter Server for Windows must disable the distributed virtual switch health check.
V-94729 Low The vCenter Server for Windows must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.
V-94827 Low The vCenter Server for Windows must enable the login banner for the vSphere Web Client.
V-94771 Low The vCenter Server for Windows must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.
V-94745 Low The vCenter Server for Windows must not override port group settings at the port level on distributed switches.
V-94837 Low The vCenter Server for Windows must disable the Customer Experience Improvement Program (CEIP).
V-94835 Low The vCenter Server for Windows must have new Key Encryption Keys (KEKs) re-issued at regular intervals for vSAN encrypted datastore(s).
V-94833 Low The vCenter Server for Windows must have Mutual CHAP configured for vSAN iSCSI targets.
V-94761 Low The vCenter Server for Windows must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.