VMware vSphere 6.7 vCenter Security Technical Implementation Guide


Overview

Date: 2022-09-09
Finding Count: 61 (CAT I (High): 0, CAT II (Med): 61, CAT III (Low): 0)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-243116 Medium The vCenter Server must disable Password and Windows integrated authentication.
V-243117 Medium The vCenter Server must enable the login banner for vSphere Client.
V-243114 Medium The vCenter Server must enable certificate based authentication.
V-243115 Medium The vCenter Server must enable revocation checking for certificate-based authentication.
V-243112 Medium The vCenter Server must enable TLS 1.2 exclusively.
V-243113 Medium The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority.
V-243110 Medium The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
V-243111 Medium The vCenter Server must configure the vSAN Datastore name to a unique name.
V-243131 Medium The vCenter Server Administrator role must be secured and assigned to specific users other than a Windows Administrator.
V-243132 Medium The vCenter Server must enable TLS 1.2 exclusively.
V-243118 Medium The vCenter Server must restrict access to the cryptographic role.
V-243119 Medium The vCenter Server must restrict access to cryptographic permissions.
V-243099 Medium The vCenter Server passwords must be at least 15 characters in length.
V-243098 Medium The vCenter Server must produce audit records containing information to establish what type of events occurred.
V-243093 Medium The vCenter Server must enable all tasks to be shown to Administrators in the Web Client.
V-243092 Medium The vCenter Server must check the privilege reassignment after restarts.
V-243091 Medium The vCenter Server must disable the managed object browser (MOB) at all times when not required for troubleshooting or maintenance of managed objects.
V-243090 Medium The vCenter Server must configure the vpxuser password to meet the length policy.
V-243097 Medium vCenter Server plugins must be verified.
V-243096 Medium The vCenter Server must use unique service accounts when applications connect to vCenter.
V-243095 Medium The vCenter Server must use a least-privileges assignment for the vCenter Server database user.
V-243094 Medium The vCenter Server must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.
V-243108 Medium The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
V-243101 Medium The vCenter Server passwords must contain at least one lowercase character.
V-243100 Medium The vCenter Server passwords must contain at least one uppercase character.
V-243103 Medium The vCenter Server passwords must contain at least one special character.
V-243102 Medium The vCenter Server passwords must contain at least one numeric character.
V-243105 Medium The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
V-243104 Medium The vCenter Server must limit the maximum number of failed login attempts to three.
V-243107 Medium The vCenter Server users must have the correct roles assigned.
V-243106 Medium The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
V-243123 Medium The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an SSO identity source.
V-243122 Medium The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
V-243121 Medium The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
V-243120 Medium The vCenter Server must have Mutual CHAP configured for vSAN iSCSI targets.
V-243133 Medium The vCenter Server must disable Password and Windows integrated authentication.
V-243126 Medium The vCenter Server must terminate management sessions after 10 minutes of inactivity.
V-243125 Medium The vCenter Server must not automatically refresh client sessions.
V-243124 Medium The vCenter Server must use a limited privilege account when adding an LDAP identity source.
V-243129 Medium The vCenter Server Administrators must clean up log files after failed installations.
V-243128 Medium The vCenter Server must minimize access to the vCenter server.
V-243088 Medium The vCenter Server must not configure all port groups to VLAN values reserved by upstream physical switches.
V-243089 Medium The vCenter Server must configure the vpxuser auto-password to be changed every 30 days.
V-243080 Medium The vCenter Server must limit the use of the built-in SSO administrative account.
V-243081 Medium The vCenter Server must disable the distributed virtual switch health check.
V-243082 Medium The vCenter Server must set the distributed port group Forged Transmits policy to reject.
V-243083 Medium The vCenter Server must set the distributed port group MAC Address Change policy to reject.
V-243084 Medium The vCenter Server must set the distributed port group Promiscuous Mode policy to reject.
V-243085 Medium The vCenter Server must only send NetFlow traffic to authorized collectors.
V-243086 Medium The vCenter Server must configure all port groups to a value other than that of the native VLAN.
V-243087 Medium The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
V-243130 Medium The vCenter Server must enable all tasks to be shown to Administrators in the Web Client.
V-243075 Medium The vCenter Server must terminate management sessions after 10 minutes of inactivity.
V-243074 Medium The vCenter Server must enforce a 60-day maximum password lifetime restriction.
V-243077 Medium The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
V-243076 Medium The vCenter Server users must have the correct roles assigned.
V-243127 Medium The vCenter Server services must be run using a service account instead of a built-in Windows account.
V-243073 Medium The vCenter Server must not automatically refresh client sessions.
V-243072 Medium The vCenter Server must prohibit password reuse for a minimum of five generations.
V-243079 Medium The vCenter Server must implement Active Directory authentication.
V-243078 Medium The vCenter Server must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.