The vCenter Server must restrict access to cryptographic permissions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256365	VCSA-70-000285	SV-256365r885706_rule		Medium

Description
These permissions must be reserved for cryptographic administrators where virtual machine encryption and/or vSAN encryption is in use. Catastrophic data loss can result from poorly administered cryptography.

STIG	Date
VMware vSphere 7.0 vCenter Security Technical Implementation Guide	2023-03-01

Details

Check Text ( C-60040r885704_chk )
From the vSphere Client, go to Administration >> Access Control >> Roles. Highlight each role and click the "Privileges" button in the right pane. Verify only the "Administrator" and any site-specific cryptographic group(s) have the following permissions: Cryptographic Operations privileges Global.Diagnostics Host.Inventory.Add host to cluster Host.Inventory.Add standalone host Host.Local operations.Manage user groups or From a PowerCLI command prompt while connected to the vCenter server, run the following commands: $roles = Get-VIRole ForEach($role in $roles){ $privileges = $role.PrivilegeList If($privileges -match "Crypto" -or $privileges -match "Global.Diagnostics" -or $privileges -match "Host.Inventory.Add" -or $privileges -match "Host.Local operations.Manage user groups"){ Write-Host "$role has Cryptographic privileges" } } If any role other than administrator and any site-specific group(s) have any of these permissions, this is a finding.

Check Text ( C-60040r885704_chk )

From the vSphere Client, go to Administration >> Access Control >> Roles.

Highlight each role and click the "Privileges" button in the right pane.

Verify only the "Administrator" and any site-specific cryptographic group(s) have the following permissions:

Cryptographic Operations privileges
Global.Diagnostics
Host.Inventory.Add host to cluster
Host.Inventory.Add standalone host
Host.Local operations.Manage user groups

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$roles = Get-VIRole
ForEach($role in $roles){
$privileges = $role.PrivilegeList
If($privileges -match "Crypto*" -or $privileges -match "Global.Diagnostics" -or $privileges -match "Host.Inventory.Add*" -or $privileges -match "Host.Local operations.Manage user groups"){
Write-Host "$role has Cryptographic privileges"
}
}

If any role other than administrator and any site-specific group(s) have any of these permissions, this is a finding.

Fix Text (F-59983r885705_fix)
From the vSphere Client, go to Administration >> Access Control >> Roles. Highlight each role and click the pencil button if it is enabled. Remove the following permissions from any group other than "Administrator and any site-specific cryptographic group(s): Cryptographic Operations privileges Global.Diagnostics Host.Inventory.Add host to cluster Host.Inventory.Add standalone host Host.Local operations.Manage user groups

Fix Text (F-59983r885705_fix)

From the vSphere Client, go to Administration >> Access Control >> Roles.

Highlight each role and click the pencil button if it is enabled.

Remove the following permissions from any group other than "Administrator and any site-specific cryptographic group(s):

Cryptographic Operations privileges
Global.Diagnostics
Host.Inventory.Add host to cluster
Host.Inventory.Add standalone host
Host.Local operations.Manage user groups