
The vCenter Server for Windows must restrict access to cryptographic permissions.


Overview

Finding ID: V-94831
Version: VCWN-65-000064
Rule ID: SV-104661r1_rule
IA Controls: (none listed)
Severity: Medium
Description
These permissions must be reserved for cryptographic administrators where VM encryption and/or vSAN encryption is in use. Catastrophic data loss can result from poorly administered cryptography: a role that can manage keys or key servers, or re-register hosts and VMs, can render encrypted VMs and vSAN datastores unrecoverable.
STIG: VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide
Date: 2020-03-27

Details

Check Text (C-94027r1_chk)
From the vSphere Web Client go to Administration >> Access Control >> Roles

Highlight each role and click the pencil button if it is enabled. Verify that only the "Administrator" and any site-specific cryptographic group(s) have the following permissions:

Cryptographic Operations privileges
Global.Diagnostics
Host.Inventory.Add host to cluster
Host.Inventory.Add standalone host
Host.Local operations.Manage user groups

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:
# Match on privilege IDs, which is what PrivilegeList contains (for example
# Host.Local.ManageUserGroups), not the display names shown in the Web Client.
# Cryptographic Operations privileges carry the Cryptographer. prefix.
$pattern = '^(Cryptographer\.|Global\.Diagnostics$|Host\.Inventory\.Add(HostToCluster|StandaloneHost)$|Host\.Local\.ManageUserGroups$)'
$roles = Get-VIRole
ForEach ($role in $roles) {
    $hits = @($role.PrivilegeList | Where-Object { $_ -match $pattern })
    If ($hits.Count -gt 0) {
        Write-Host "$($role.Name) has cryptographic privileges: $($hits -join ', ')"
    }
}

If any role other than "Administrator" or any site-specific group(s) have any of these permissions, this is a finding.
Fix Text (F-100955r1_fix)
From the vSphere Web Client go to Administration >> Access Control >> Roles

Highlight each role and click the pencil button if it is enabled. Remove the following permissions from any role other than Administrator and any site-specific cryptographic role(s):

Cryptographic Operations privileges
Global.Diagnostics
Host.Inventory.Add host to cluster
Host.Inventory.Add standalone host
Host.Local operations.Manage user groups
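
The fix above is a Web Client procedure. The PowerCLI script below is an added example, not part of the STIG, that performs the same removal from the command line. It assumes an existing Connect-VIServer session to the vCenter server; the $SiteCryptoRoles parameter is an assumption standing in for the site-specific cryptographic role names, which must be supplied by the site. It matches on privilege IDs as returned by PrivilegeList (Cryptographer.* for the Cryptographic Operations privileges, plus the four named privileges), skips system roles because Set-VIRole cannot edit them, and supports -WhatIf so the changes can be reviewed before they are made.

```powershell
# Added example for VCWN-65-000064 (not the STIG's own code).
# Assumes a Connect-VIServer session is already open.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed site-specific parameter: names of roles reserved for cryptographic administrators.
    [string[]]$SiteCryptoRoles = @()
)

# Roles that are allowed to keep the listed privileges.
$exempt = @('Administrator') + $SiteCryptoRoles

# Privilege IDs covered by the rule, as they appear in $role.PrivilegeList:
# every Cryptographic Operations privilege (Cryptographer.*), Global.Diagnostics,
# the two Host.Inventory add-host privileges and Host.Local.ManageUserGroups.
$pattern = '^(Cryptographer\.|Global\.Diagnostics$|Host\.Inventory\.Add(HostToCluster|StandaloneHost)$|Host\.Local\.ManageUserGroups$)'

ForEach ($role in Get-VIRole) {
    If ($exempt -contains $role.Name) { continue }

    $hits = @($role.PrivilegeList | Where-Object { $_ -match $pattern })
    If ($hits.Count -eq 0) { continue }

    # Built-in system roles (Administrator, Read-only, No access) cannot be edited;
    # report them as findings instead of failing inside Set-VIRole.
    If ($role.IsSystem) {
        Write-Warning "System role '$($role.Name)' holds $($hits -join ', ') and cannot be modified with Set-VIRole"
        continue
    }

    If ($PSCmdlet.ShouldProcess($role.Name, "Remove privileges: $($hits -join ', ')")) {
        # Resolve the matched IDs to privilege objects, then strip them from the role.
        $privs = Get-VIPrivilege -Id $hits
        Set-VIRole -Role $role -RemovePrivilege $privs -Confirm:$false | Out-Null
        Write-Host "Removed from '$($role.Name)': $($hits -join ', ')"
    }
}
```

Run it first as `.\Remediate-CryptoRoles.ps1 -SiteCryptoRoles 'Crypto Admins' -WhatIf` to list every role and privilege that would be changed, then without -WhatIf to apply. Re-run the check script afterwards: any remaining hit on a non-exempt role is still a finding.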