Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-243096 | VCTR-67-000034 | SV-243096r719531_rule | Medium |
Description |
---|
In order to not violate non-repudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they must use unique service accounts. |
STIG | Date |
---|---|
VMware vSphere 6.7 vCenter Security Technical Implementation Guide | 2022-01-04 |
Check Text ( C-46371r719529_chk ) |
---|
Verify that each external application that connects to vCenter has a unique service account dedicated to that application. For example, there should be separate accounts for Log Insight, Operations Manager, or anything else that requires an account to access vCenter. If any application shares a service account that is used to connect to vCenter, this is a finding. |
Fix Text (F-46328r719530_fix) |
---|
For applications sharing service accounts, create a new service account to assign to the application so that no application shares a service account with another. When standing up a new application that requires access to vCenter, always create a new service account prior to installation and grant only the permissions needed for that application. |