UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide


Overview

Date Finding Count (33)
2023-06-15 CAT I (High): 0 CAT II (Med): 33 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-256810 Medium The vSphere UI default servlet must be set to "readonly".
V-256785 Medium vSphere UI application files must be verified for their integrity.
V-256784 Medium vSphere UI log files must only be accessible by privileged users.
V-256787 Medium vSphere UI must not be configured with the "UserDatabaseRealm" enabled.
V-256786 Medium vSphere UI plugins must be authorized before use.
V-256781 Medium vSphere UI must protect cookies from cross-site scripting (XSS).
V-256780 Medium vSphere UI must limit the maximum size of a POST request.
V-256783 Medium vSphere UI must generate log records for system startup and shutdown.
V-256782 Medium vSphere UI must record user access in a format that enables monitoring of remote access.
V-256789 Medium vSphere UI must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
V-256788 Medium vSphere UI must be configured to limit access to internal packages.
V-256808 Medium vSphere UI must disable the shutdown port.
V-256809 Medium vSphere UI must set the secure flag for cookies.
V-256802 Medium vSphere UI must be configured to show error pages with minimal information.
V-256803 Medium vSphere UI must not enable support for TRACE requests.
V-256800 Medium The vSphere UI must not show directory listings.
V-256801 Medium vSphere UI must be configured to hide the server version.
V-256806 Medium vSphere UI log files must be moved to a permanent repository in accordance with site policy.
V-256807 Medium vSphere UI must be configured with the appropriate ports.
V-256804 Medium vSphere UI must have the debug option turned off.
V-256805 Medium vSphere UI must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server.
V-256792 Medium vSphere UI must be configured with memory leak protection.
V-256793 Medium vSphere UI must not have any symbolic links in the web content directory tree.
V-256790 Medium vSphere UI must have mappings set for Java servlet pages.
V-256791 Medium vSphere UI must not have the Web Distributed Authoring (WebDAV) servlet installed.
V-256796 Medium vSphere UI must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-256797 Medium vSphere UI must limit the number of allowed connections.
V-256794 Medium The vSphere UI directory tree must have permissions in an out-of-the-box state.
V-256795 Medium vSphere UI must restrict its cookie path.
V-256798 Medium vSphere UI must set URIEncoding to UTF-8.
V-256799 Medium vSphere UI must set the welcome-file node to a default web page.
V-256778 Medium vSphere UI must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
V-256779 Medium vSphere UI must limit the number of concurrent connections permitted.