
VMware vSphere 7.0 vCenter Security Technical Implementation Guide


Overview

Date: 2023-03-01
Finding Count: 57 (CAT I (High): 2, CAT II (Med): 53, CAT III (Low): 2)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID | Severity | Title
V-256331 High The vCenter Server must enable FIPS-validated cryptography.
V-256318 High The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
V-256364 Medium The vCenter Server must restrict access to the cryptographic role.
V-256349 Medium The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to "Reject".
V-256348 Medium The vCenter Server must set the distributed port group Forged Transmits policy to "Reject".
V-256352 Medium The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).
V-256353 Medium The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
V-256350 Medium The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject".
V-256351 Medium The vCenter Server must only send NetFlow traffic to authorized collectors.
V-256356 Medium The vCenter Server must configure the "vpxuser" password to meet length policy.
V-256357 Medium The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.
V-256354 Medium The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.
V-256355 Medium The vCenter Server must configure the "vpxuser" auto-password to be changed every 30 days.
V-256374 Medium vCenter Native Key Providers must be backed up with a strong password.
V-256358 Medium The vCenter Server must use unique service accounts when applications connect to vCenter.
V-256359 Medium The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.
V-256370 Medium The vCenter Server must limit membership to the "SystemConfiguration.BashShellAdministrators" Single Sign-On (SSO) group.
V-256371 Medium The vCenter Server must limit membership to the "TrustedAdmins" Single Sign-On (SSO) group.
V-256372 Medium The vCenter server configuration must be backed up on a regular basis.
V-256373 Medium vCenter task and event retention must be set to at least 30 days.
V-256330 Medium The vCenter Server passwords must contain at least one special character.
V-256332 Medium The vCenter Server must enforce a 60-day maximum password lifetime restriction.
V-256333 Medium The vCenter Server must enable revocation checking for certificate-based authentication.
V-256334 Medium The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.
V-256335 Medium The vCenter Server users must have the correct roles assigned.
V-256336 Medium The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
V-256337 Medium The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.
V-256338 Medium The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
V-256339 Medium The vCenter Server must be configured to send logs to a central log server.
V-256319 Medium The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user.
V-256343 Medium The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
V-256345 Medium The vCenter server must disable SNMPv1/2 receivers.
V-256344 Medium The vCenter server must enforce SNMPv3 security features where SNMP is required.
V-256346 Medium The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
V-256341 Medium The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server.
V-256340 Medium vCenter must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
V-256369 Medium The vCenter Server must use a limited privilege account when adding a Lightweight Directory Access Protocol (LDAP) identity source.
V-256368 Medium The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source.
V-256367 Medium The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
V-256366 Medium The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.
V-256365 Medium The vCenter Server must restrict access to cryptographic permissions.
V-256342 Medium The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.
V-256362 Medium The vCenter Server must configure the vSAN Datastore name to a unique name.
V-256361 Medium The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.
V-256360 Medium The vCenter server must be configured to send events to a central log server.
V-256323 Medium The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
V-256322 Medium vCenter Server plugins must be verified.
V-256321 Medium The vCenter Server must produce audit records containing information to establish what type of events occurred.
V-256320 Medium The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before login.
V-256327 Medium The vCenter Server passwords must contain at least one uppercase character.
V-256326 Medium The vCenter Server must prohibit password reuse for a minimum of five generations.
V-256325 Medium The vCenter Server passwords must be at least 15 characters in length.
V-256324 Medium The vCenter Server must require multifactor authentication.
V-256329 Medium The vCenter Server passwords must contain at least one numeric character.
V-256328 Medium The vCenter Server passwords must contain at least one lowercase character.
V-256347 Low The vCenter Server must disable the distributed virtual switch health check.
V-256363 Low The vCenter Server must disable Username/Password and Windows Integrated Authentication.