VMware vSphere 6.7 vCenter Security Technical Implementation Guide


Overview

Date: 2022-01-04
Finding Count (61): CAT I (High): 0, CAT II (Med): 61, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-243116 Medium The vCenter Server must disable Password and Windows integrated authentication.
V-243117 Medium The vCenter Server must enable the login banner for vSphere Client.
V-243114 Medium The vCenter Server must enable certificate based authentication.
V-243115 Medium The vCenter Server must enable revocation checking for certificate-based authentication.
V-243112 Medium The vCenter Server must enable TLS 1.2 exclusively.
V-243113 Medium The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority.
V-243110 Medium The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
V-243111 Medium The vCenter Server must configure the vSAN Datastore name to a unique name.
V-243131 Medium The vCenter Server Administrator role must be secured and assigned to specific users other than a Windows Administrator.
V-243132 Medium The vCenter Server must enable TLS 1.2 exclusively.
V-243118 Medium The vCenter Server must restrict access to the cryptographic role.
V-243119 Medium The vCenter Server must restrict access to cryptographic permissions.
V-243099 Medium The vCenter Server passwords must be at least 15 characters in length.
V-243098 Medium The vCenter Server must produce audit records containing information to establish what type of events occurred.
V-243093 Medium The vCenter Server must enable all tasks to be shown to Administrators in the Web Client.
V-243092 Medium The vCenter Server must check the privilege reassignment after restarts.
V-243091 Medium The vCenter Server must disable the managed object browser (MOB) at all times when not required for troubleshooting or maintenance of managed objects.
V-243090 Medium The vCenter Server must configure the vpxuser password to meet the length policy.
V-243097 Medium vCenter Server plugins must be verified.
V-243096 Medium The vCenter Server must use unique service accounts when applications connect to vCenter.
V-243095 Medium The vCenter Server must use a least-privileges assignment for the vCenter Server database user.
V-243094 Medium The vCenter Server must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.
V-243108 Medium The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
V-243101 Medium The vCenter Server passwords must contain at least one lowercase character.
V-243100 Medium The vCenter Server passwords must contain at least one uppercase character.
V-243103 Medium The vCenter Server passwords must contain at least one special character.
V-243102 Medium The vCenter Server passwords must contain at least one numeric character.
V-243105 Medium The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
V-243104 Medium The vCenter Server must limit the maximum number of failed login attempts to three.
V-243107 Medium The vCenter Server users must have the correct roles assigned.
V-243106 Medium The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
V-243123 Medium The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an SSO identity source.
V-243122 Medium The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
V-243121 Medium The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
V-243120 Medium The vCenter Server must have Mutual CHAP configured for vSAN iSCSI targets.
V-243133 Medium The vCenter Server must disable Password and Windows integrated authentication.
V-243126 Medium The vCenter Server must terminate management sessions after 10 minutes of inactivity.
V-243125 Medium The vCenter Server must not automatically refresh client sessions.
V-243124 Medium The vCenter Server must use a limited privilege account when adding an LDAP identity source.
V-243129 Medium The vCenter Server Administrators must clean up log files after failed installations.
V-243128 Medium The vCenter Server must minimize access to the vCenter server.
V-243088 Medium The vCenter Server must not configure all port groups to VLAN values reserved by upstream physical switches.
V-243089 Medium The vCenter Server must configure the vpxuser auto-password to be changed every 30 days.
V-243080 Medium The vCenter Server must limit the use of the built-in SSO administrative account.
V-243081 Medium The vCenter Server must disable the distributed virtual switch health check.
V-243082 Medium The vCenter Server must set the distributed port group Forged Transmits policy to reject.
V-243083 Medium The vCenter Server must set the distributed port group MAC Address Change policy to reject.
V-243084 Medium The vCenter Server must set the distributed port group Promiscuous Mode policy to reject.
V-243085 Medium The vCenter Server must only send NetFlow traffic to authorized collectors.
V-243086 Medium The vCenter Server must configure all port groups to a value other than that of the native VLAN.
V-243087 Medium The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
V-243130 Medium The vCenter Server must enable all tasks to be shown to Administrators in the Web Client.
V-243075 Medium The vCenter Server must terminate management sessions after 10 minutes of inactivity.
V-243074 Medium The vCenter Server must enforce a 60-day maximum password lifetime restriction.
V-243077 Medium The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
V-243076 Medium The vCenter Server users must have the correct roles assigned.
V-243127 Medium The vCenter Server services must be run using a service account instead of a built-in Windows account.
V-243073 Medium The vCenter Server must not automatically refresh client sessions.
V-243072 Medium The vCenter Server must prohibit password reuse for a minimum of five generations.
V-243079 Medium The vCenter Server must implement Active Directory authentication.
V-243078 Medium The vCenter Server must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.