UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide


Overview

Date Finding Count (31)
2023-02-21 CAT I (High): 0 CAT II (Med): 31 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-256769 Medium The Security Token Service must not enable support for TRACE requests.
V-256768 Medium The Security Token Service must be configured to not show error reports.
V-256745 Medium The Security Token Service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
V-256747 Medium The Security Token Service must limit the maximum size of a POST request.
V-256746 Medium The Security Token Service must limit the number of concurrent connections permitted.
V-256749 Medium The Security Token Service must record user access in a format that enables monitoring of remote access.
V-256748 Medium The Security Token Service must protect cookies from cross-site scripting (XSS).
V-256761 Medium The Security Token Service directory tree must have permissions in an out-of-the-box state.
V-256760 Medium The Security Token Service must not have any symbolic links in the web content directory tree.
V-256767 Medium The Security Token Service must not show directory listings.
V-256766 Medium The Security Token Service must set the welcome-file node to a default web page.
V-256765 Medium The Security Token Service must use the "setCharacterEncodingFilter" filter.
V-256764 Medium The Security Token Service must set "URIEncoding" to UTF-8.
V-256756 Medium The Security Token Service must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
V-256763 Medium The Security Token Service must limit the number of allowed connections.
V-256762 Medium The Security Token Service must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-256754 Medium The Security Token Service must not be configured with unused realms.
V-256755 Medium The Security Token Service must be configured to limit access to internal packages.
V-256757 Medium The Security Token Service must have mappings set for Java servlet pages.
V-256752 Medium The Security Token Service application files must be verified for their integrity.
V-256753 Medium The Security Token Service must only run one webapp.
V-256758 Medium The Security Token Service must not have the Web Distributed Authoring (WebDAV) servlet installed.
V-256759 Medium The Security Token Service must be configured with memory leak protection.
V-256770 Medium The Security Token Service must have the debug option disabled.
V-256771 Medium The Security Token Service must be configured with the appropriate ports.
V-256772 Medium The Security Token Service must disable the shutdown port.
V-256773 Medium The Security Token Service must set the secure flag for cookies.
V-256774 Medium The Security Token Service default servlet must be set to "readonly".
V-256775 Medium Security Token Service log data and records must be backed up onto a different system or media.
V-256750 Medium The Security Token Service must generate log records during Java startup and shutdown.
V-256751 Medium Security Token Service log files must only be modifiable by privileged users.