Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-94825 | VCWN-65-000061 | SV-104655r1_rule | Low |
Description |
---|
All forms of authentication other than CAC must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts but it must be disable as soon as CAC authentication is functional. |
STIG | Date |
---|---|
VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide | 2020-03-27 |
Check Text ( C-94021r1_chk ) |
---|
1. Login to the Platform Services Controller web interface with administrator@vsphere.local from https:// In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@ 2. Browse to Single Sign-On >> Configuration. 3. Click the "Smart Card Configuration" tab, click the "Edit" button next to “Authentication Configuration”. If the selection box next to “Password and Windows session authentication” is checked, this is a finding. |
Fix Text (F-100949r1_fix) |
---|
1. Login to the Platform Services Controller web interface with administrator@vsphere.local from https:// In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@ 2. Browse to Single Sign-On >> Configuration. 3. Click the "Smart Card Configuration" tab, click the "Edit" button next to “Authentication Configuration”. 4. Check the box next to “Password and Windows session authentication”. Click "OK". To re-enable password authentication for troubleshooting run the following command from the PSC: /opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local |