Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-243092 | VCTR-67-000026 | SV-243092r719519_rule | | Medium |
Description |
---|
Check for privilege reassignment when restarting vCenter Server. If the user or user group that is assigned the Administrator role on the root folder cannot be verified as a valid user or group during a restart, the role is removed from that user or group. In its place, vCenter Server grants the Administrator role to the vCenter Single Sign-On account administrator@vsphere.local. This account can then act as the Administrator. Reestablish a named Administrator account and assign the Administrator role to that account to avoid using the anonymous administrator@vsphere.local account. |
STIG | Date |
---|---|
VMware vSphere 6.7 vCenter Security Technical Implementation Guide | 2021-04-16 |
Check Text (C-46367r719517_chk) |
---|
Note: For vCenter Server Appliance, this is not applicable. After the Windows server hosting the vCenter Server has been rebooted, a vCenter Server user or member of the user group granted the Administrator role must log in and verify the role permissions remain intact. If the user and/or user group granted vCenter Administrator role permissions cannot be verified as intact, this is a finding. |
Fix Text (F-46324r719518_fix) |
---|
As the SSO Administrator, log in to the vCenter Server and restore a legitimate Administrator account per site-specific user/group/role requirements. |
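
One way to script the post-reboot verification described in the check text, as an added example in VMware PowerCLI (not part of the STIG): it compares the principals that hold the Administrator role on the root folder against a site baseline. The baseline names in `$ExpectedAdmins` are constructed placeholders, and the script assumes an existing `Connect-VIServer` session.

```powershell
# Added example, not STIG content. Requires VMware PowerCLI and an active
# Connect-VIServer session to the vCenter Server being checked.

# Hypothetical site baseline: the named users/groups that are supposed to hold
# the Administrator role on the root folder (constructed sample values).
$ExpectedAdmins = @(
    'EXAMPLE\vcenter-admins',
    'EXAMPLE\jdoe-adm'
)

# Assumption: Get-Folder -NoRecursion with no -Location returns the inventory
# root folder (displayed as "Datacenters"); keep only the parentless folder.
$root = Get-Folder -NoRecursion | Where-Object { -not $_.ParentId }

# Permissions defined on the root folder that carry the built-in
# Administrator role, whose PowerCLI role name is "Admin".
$rootAdmins = @(Get-VIPermission -Entity $root |
    Where-Object { $_.Role -eq 'Admin' })

# Baseline principals that no longer hold the role after the restart.
$currentPrincipals = @($rootAdmins | ForEach-Object { $_.Principal })
$missing = @($ExpectedAdmins | Where-Object { $_ -notin $currentPrincipals })

# Show what is currently assigned so the reviewer can compare by eye.
$rootAdmins |
    Select-Object Principal, IsGroup, Role, Propagate |
    Format-Table -AutoSize

if ($missing.Count -gt 0) {
    # A baseline principal lost the role: this matches the finding condition.
    Write-Warning ("FINDING: Administrator role missing for: " +
        ($missing -join ', '))
} else {
    Write-Output 'Root-folder Administrator assignments match the baseline.'
}
```

Record the baseline before the reboot so the comparison reflects the site's intended assignments.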