The vCenter Server for Windows must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-94761	VCWN-65-000025	SV-104591r1_rule		Low

Description
The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and might potentially be used to perform malicious configuration changes or actions.

STIG	Date
VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide	2020-03-27

Details

Check Text ( C-93951r1_chk )
The Managed Object Browser (MOB) was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is an inventory object, full-access interface, allowing attackers to determine the inventory path of an infrastructure's managed entities. Check the operational status of the MOB: Determine the location of the vpxd.cfg file on the vCenter Server's Windows OS host. Edit the file and locate the ... element. Ensure the following element is set. false If the MOB is currently enabled, ask the SA if it is being used for object maintenance. If the "enableDebugBrowse" element is enabled (set to true), and object maintenance is not being performed, this is a finding.

Check Text ( C-93951r1_chk )

The Managed Object Browser (MOB) was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is an inventory object, full-access interface, allowing attackers to determine the inventory path of an infrastructure's managed entities.

Check the operational status of the MOB:
Determine the location of the vpxd.cfg file on the vCenter Server's Windows OS host.
Edit the file and locate the ... element.
Ensure the following element is set. false

If the MOB is currently enabled, ask the SA if it is being used for object maintenance.

If the "enableDebugBrowse" element is enabled (set to true), and object maintenance is not being performed, this is a finding.

Fix Text (F-100879r1_fix)
If the datastore browser is enabled and required for object maintenance, no fix is immediately required. Disable the managed object browser: Determine the location of the vpxd.cfg file on the Windows host. Edit the file and locate the ... element. Ensure the following element is set. false Restart the vCenter Service to ensure the configuration file change(s) are in effect.