| V-243116 | Medium | The vCenter Server must disable Password and Windows integrated authentication. | All forms of authentication other than CAC must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts but it must be disable as... |
| V-243117 | Medium | The vCenter Server must enable the login banner for vSphere Client. | The required legal notice must be configured for the vCenter Web Client. |
| V-243114 | Medium | The vCenter Server must enable certificate based authentication. | The vSphere Client is capable of CAC authentication. This capability must be enabled and properly configured. |
| V-243115 | Medium | The vCenter Server must enable revocation checking for certificate-based authentication. | The system must establish the validity of the user-supplied identity certificate using OCSP and/or CRL revocation checking. |
| V-243112 | Medium | The vCenter Server must enable TLS 1.2 exclusively. | TLS 1.0 and 1.1 are deprecated protocols with well published shortcomings and vulnerabilities. TLS 1.2 should be disabled on all interfaces and TLS 1.1 and 1.0 disabled where supported. Mandating... |
| V-243113 | Medium | The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority. | The default self-signed, VMCA-issued vCenter reverse proxy certificate must be replaced with a DoD-approved certificate. The use of a DoD certificate on the vCenter reverse proxy assures clients... |
| V-243110 | Medium | The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server. | The vSAN Health Check is able to download the hardware compatibility list from VMware to check compliance against the underlying vSAN Cluster hosts.
To ensure the vCenter server is not directly... |
| V-243111 | Medium | The vCenter Server must configure the vSAN Datastore name to a unique name. | A vSAN Datastore name by default is "vsanDatastore". If more than one vSAN cluster is present in vCenter, both datastores will have the same name by default, potentially leading to confusion and... |
| V-243131 | Medium | The vCenter Server Administrator role must be secured and assigned to specific users other than a Windows Administrator. | By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter... |
| V-243132 | Medium | The vCenter Server must enable TLS 1.2 exclusively. | TLS 1.0 and 1.1 are deprecated protocols with well published shortcomings and vulnerabilities. TLS 1.2 should be disabled on all interfaces and TLS 1.1 and 1.0 disabled where supported. Mandating... |
| V-243118 | Medium | The vCenter Server must restrict access to the cryptographic role. | In vSphere 6.7, the built-in "Administrator" role contains permission to perform cryptographic operations such as KMS functions and encrypting and decrypting virtual machine disks. This role must... |
| V-243119 | Medium | The vCenter Server must restrict access to cryptographic permissions. | These permissions must be reserved for cryptographic administrators where VM encryption and/or vSAN encryption is in use. Catastrophic data loss can result from poorly administered cryptography. |
| V-243099 | Medium | The vCenter Server passwords must be at least 15 characters in length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the... |
| V-243098 | Medium | The vCenter Server must produce audit records containing information to establish what type of events occurred. | Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. |
| V-243093 | Medium | The vCenter Server must enable all tasks to be shown to Administrators in the Web Client. | By default, not all tasks are shown in the Web Client to Administrators, and only that user's tasks will be shown. Enabling all tasks to be shown will allow the Administrator to potentially see... |
| V-243092 | Medium | The vCenter Server must check the privilege reassignment after restarts. | Check for privilege reassignment when restarting vCenter Server. If the user or user group that is assigned the Administrator role on the root folder cannot be verified as a valid user or group... |
| V-243091 | Medium | The vCenter Server must disable the managed object browser (MOB) at all times when not required for troubleshooting or maintenance of managed objects. | The MOB was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is an inventory object, full-access interface, allowing attackers to... |
| V-243090 | Medium | The vCenter Server must configure the vpxuser password meets length policy. | The vpxuser password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies.
Longer passwords make brute-force password... |
| V-243097 | Medium | vCenter Server plugins must be verified. | The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter... |
| V-243096 | Medium | The vCenter Server must use unique service accounts when applications connect to vCenter. | In order to not violate non-repudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they must use unique service accounts. |
| V-243095 | Medium | The vCenter Server must use a least-privileges assignment for the vCenter Server database user. | Least privileges mitigate attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and... |
| V-243094 | Medium | The vCenter Server must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server. | The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would... |
| V-243108 | Medium | The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic. | Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes vSAN, iSCSI, and NFS. This configuration might expose IP-based storage... |
| V-243101 | Medium | The vCenter Server passwords must contain at least one lowercase character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
| V-243100 | Medium | The vCenter Server passwords must contain at least one uppercase character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
| V-243103 | Medium | The vCenter Server passwords must contain at least one special character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
| V-243102 | Medium | The vCenter Server passwords must contain at least one numeric character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
| V-243105 | Medium | The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes. | By limiting the number of failed login attempts within a specified time period, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Limits are... |
| V-243104 | Medium | The vCenter Server must limit the maximum number of failed login attempts to three. | By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. |
| V-243107 | Medium | The vCenter Server users must have the correct roles assigned. | Users and service accounts must only be assigned privileges they require. Least privilege requires that these privileges must only be assigned if needed to reduce risk of confidentiality,... |
| V-243106 | Medium | The vCenter Server must require an administrator to unlock an account locked due to excessive login failures. | By requiring that SSO accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlock time is set... |
| V-243123 | Medium | The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an SSO identity source. | LDAP is an industry-standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over an SSL/TLS encrypted tunnel.
To protect... |
| V-243122 | Medium | The vCenter Server must disable the Customer Experience Improvement Program (CEIP). | The VMware CEIP sends VMware anonymized system information that is used to improve the quality, reliability, and functionality of VMware products and services. For confidentiality purposes, this... |
| V-243121 | Medium | The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s). | The KEK for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and... |
| V-243120 | Medium | The vCenter Server must have Mutual CHAP configured for vSAN iSCSI targets. | When Mutual CHAP is enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MitM attack when not authenticating both the iSCSI target... |
| V-243133 | Medium | The vCenter Server must disable Password and Windows integrated authentication. | All forms of authentication other than CAC must be disabled. Password authentication can be temporarily reenabled for emergency access to the local SSO domain accounts, but it must be disabled as... |
| V-243126 | Medium | The vCenter Server must terminate management sessions after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-243125 | Medium | The vCenter Server must not automatically refresh client sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-243124 | Medium | The vCenter Server must use a limited privilege account when adding an LDAP identity source. | When adding an LDAP identity source to vSphere SSO, the account used to bind to AD must be minimally privileged. This account only requires read rights to the base DN specified. Any other... |
| V-243129 | Medium | The vCenter Server Administrators must clean up log files after failed installations. | In certain cases, if the vCenter installation fails, a log file (with a name of the form “hs_err_pidXXXX”) is created that contains the database password in plain text. An attacker who breaks into... |
| V-243128 | Medium | The vCenter Server must minimize access to the vCenter server. | After someone has logged in to the vCenter Server system, it becomes more difficult to prevent what they can do. In general, logging in to the vCenter Server system should be limited to very... |
| V-243088 | Medium | The vCenter Server must not configure all port groups to VLAN values reserved by upstream physical switches. | Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs... |
| V-243089 | Medium | The vCenter Server must configure the vpxuser auto-password to be changed every 30 days. | By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets site policies; if not, configure to meet password aging policies.
Note: It is... |
| V-243080 | Medium | The vCenter Server must limit the use of the built-in SSO administrative account. | Use of the SSO administrator account should be limited as it is a shared account and individual accounts must be used wherever possible. |
| V-243081 | Medium | The vCenter Server must disable the distributed virtual switch health check. | Network Healthcheck is disabled by default. Once enabled, the healthcheck packets contain information on host#, vds#, and port#, which an attacker would find useful. It is recommended that network... |
| V-243082 | Medium | The vCenter Server must set the distributed port group Forged Transmits policy to reject. | If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage... |
| V-243083 | Medium | The vCenter Server must set the distributed port group MAC Address Change policy to reject. | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in... |
| V-243084 | Medium | The vCenter Server must set the distributed port group Promiscuous Mode policy to reject. | When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the port group have the potential of reading all packets across that network, meaning only the virtual... |
| V-243085 | Medium | The vCenter Server must only send NetFlow traffic to authorized collectors. | The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network, making it... |
| V-243086 | Medium | The vCenter Server must configure all port groups to a value other than that of the native VLAN. | ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will... |
| V-243087 | Medium | The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized. | When a port group is set to VLAN Trunking, the vSwitch passes all network frames in the specified range to the attached VMs without modifying the VLAN tags. In vSphere, this is referred to as... |
| V-243130 | Medium | The vCenter Server must enable all tasks to be shown to Administrators in the Web Client. | By default not all tasks are shown in the web client to administrators and only that user's tasks will be shown. Enabling all tasks to be shown will allow the administrator to potentially see any... |
| V-243075 | Medium | The vCenter Server must terminate management sessions after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-243074 | Medium | The vCenter Server must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals.
One method of minimizing this risk is to use complex passwords and... |
| V-243077 | Medium | The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC). | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
Managing... |
| V-243076 | Medium | The vCenter Server users must have the correct roles assigned. | Users and service accounts must only be assigned privileges they require. Least privilege requires that these privileges must only be assigned if needed to reduce risk of confidentiality,... |
| V-243127 | Medium | The vCenter Server services must be ran using a service account instead of a built-in Windows account. | You can use the Microsoft Windows built-in system account or a domain user account to run vCenter Server. The Microsoft Windows built-in system account has more permissions and rights on the... |
| V-243073 | Medium | The vCenter Server must not automatically refresh client sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-243072 | Medium | The vCenter Server must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
To meet password policy requirements, passwords need... |
| V-243079 | Medium | The vCenter Server must implement Active Directory authentication. | The vCenter Server must ensure users are authenticated with an individual authenticator prior to using a group authenticator. Using Active Directory for authentication provides more robust account... |
| V-243078 | Medium | The vCenter Server must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events. | It is critical for the appropriate personnel to be aware if an ESXi host is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an... |
