
VMware vSphere 8.0 vCenter Security Technical Implementation Guide


Overview

Date: 2024-07-11
Finding Count: 67 (CAT I (High): 1, CAT II (Med): 64, CAT III (Low): 2)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-258917 High The vCenter Server must enable FIPS-validated cryptography.
V-258909 Medium The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
V-258908 Medium vCenter Server plugins must be verified.
V-258947 Medium The vCenter server must be configured to send events to a central log server.
V-258946 Medium The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.
V-258941 Medium The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.
V-258940 Medium The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
V-258943 Medium The vCenter Server must configure the "vpxuser" password to meet length policy.
V-258942 Medium The vCenter Server must configure the "vpxuser" auto-password to be changed every 30 days.
V-258967 Medium The vCenter Server must reset port configuration when virtual machines are disconnected.
V-258966 Medium The vCenter Server must not override port group settings at the port level on distributed switches.
V-258965 Medium The vCenter Server must remove unauthorized port mirroring sessions on distributed switches.
V-258905 Medium The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user.
V-258948 Medium The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.
V-258907 Medium The vCenter Server must produce audit records containing information to establish what type of events occurred.
V-258906 Medium The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before logon.
V-258923 Medium The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.
V-258922 Medium The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
V-258921 Medium The vCenter Server user roles must be verified.
V-258920 Medium The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity.
V-258927 Medium The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server.
V-258926 Medium The vCenter server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
V-258925 Medium The vCenter Server must be configured to send logs to a central log server.
V-258924 Medium The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
V-265979 Medium The vCenter Server must disable accounts used for Integrated Windows Authentication (IWA).
V-258929 Medium The vCenter Server must enable data at rest encryption for vSAN.
V-258928 Medium The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.
V-265978 Medium The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.
V-258969 Medium The vCenter Server must enable data in transit encryption for vSAN.
V-258968 Medium The vCenter Server must disable Secure Shell (SSH) access.
V-258910 Medium The vCenter Server must require multifactor authentication.
V-258911 Medium The vCenter Server passwords must be at least 15 characters in length.
V-258945 Medium The vCenter Server must use unique service accounts when applications connect to vCenter.
V-258952 Medium The vCenter Server must restrict access to cryptographic permissions.
V-258953 Medium The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.
V-258950 Medium The vCenter Server must disable Username/Password and Windows Integrated Authentication.
V-258951 Medium The vCenter Server must restrict access to the default roles with cryptographic permissions.
V-258956 Medium The vCenter Server must limit membership to the "SystemConfiguration.BashShellAdministrators" Single Sign-On (SSO) group.
V-258957 Medium The vCenter Server must limit membership to the "TrustedAdmins" Single Sign-On (SSO) group.
V-258954 Medium The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
V-258955 Medium The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source.
V-258963 Medium The vCenter Server must separate authentication and authorization for administrators.
V-258958 Medium The vCenter server configuration must be backed up on a regular basis.
V-258959 Medium The vCenter server must have task and event retention set to at least 30 days.
V-258962 Medium The vCenter server must enable the OVF security policy for content libraries.
V-258916 Medium The vCenter Server passwords must contain at least one special character.
V-258914 Medium The vCenter Server passwords must contain at least one lowercase character.
V-258915 Medium The vCenter Server passwords must contain at least one numeric character.
V-258912 Medium The vCenter Server must prohibit password reuse for a minimum of five generations.
V-258913 Medium The vCenter Server passwords must contain at least one uppercase character.
V-258936 Medium The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to "Reject".
V-258937 Medium The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject".
V-258938 Medium The vCenter Server must only send NetFlow traffic to authorized collectors.
V-258939 Medium The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).
V-258960 Medium The vCenter server Native Key Provider must be backed up with a strong password.
V-258918 Medium The vCenter Server must enforce a 90-day maximum password lifetime restriction.
V-258919 Medium The vCenter Server must enable revocation checking for certificate-based authentication.
V-258930 Medium The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
V-258949 Medium The vCenter Server must configure the vSAN Datastore name to a unique name.
V-258931 Medium The vCenter server must enforce SNMPv3 security features where SNMP is required.
V-258932 Medium The vCenter server must disable SNMPv1/2 receivers.
V-258933 Medium The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
V-258934 Medium The vCenter Server must disable the distributed virtual switch health check.
V-258961 Medium The vCenter server must require authentication for published content libraries.
V-258935 Medium The vCenter Server must set the distributed port group Forged Transmits policy to "Reject".
V-258964 Low The vCenter Server must disable CDP/LLDP on distributed switches.
V-258944 Low The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.