UCF STIG Viewer Logo

VMware vSphere 8.0 vCenter Security Technical Implementation Guide


Overview

Date Finding Count (67)
2024-07-11 CAT I (High): 1 CAT II (Med): 64 CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-258917 High The vCenter Server must enable FIPS-validated cryptography.
V-258909 Medium The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
V-258908 Medium vCenter Server plugins must be verified.
V-258947 Medium The vCenter server must be configured to send events to a central log server.
V-258946 Medium The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.
V-258941 Medium The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.
V-258940 Medium The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
V-258943 Medium The vCenter Server must configure the "vpxuser" password to meet length policy.
V-258942 Medium The vCenter Server must configure the "vpxuser" auto-password to be changed every 30 days.
V-258967 Medium The vCenter Server must reset port configuration when virtual machines are disconnected.
V-258966 Medium The vCenter Server must not override port group settings at the port level on distributed switches.
V-258965 Medium The vCenter Server must remove unauthorized port mirroring sessions on distributed switches.
V-258905 Medium The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user.
V-258948 Medium The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.
V-258907 Medium The vCenter Server must produce audit records containing information to establish what type of events occurred.
V-258906 Medium The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before logon.
V-258923 Medium The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.
V-258922 Medium The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
V-258921 Medium The vCenter Server user roles must be verified.
V-258920 Medium The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity.
V-258927 Medium The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server.
V-258926 Medium The vCenter server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
V-258925 Medium The vCenter Server must be configured to send logs to a central log server.
V-258924 Medium The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
V-265979 Medium The vCenter Server must disable accounts used for Integrated Windows Authentication (IWA).
V-258929 Medium The vCenter Server must enable data at rest encryption for vSAN.
V-258928 Medium The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.
V-265978 Medium The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.
V-258969 Medium The vCenter Server must enable data in transit encryption for vSAN.
V-258968 Medium The vCenter Server must disable Secure Shell (SSH) access.
V-258910 Medium The vCenter Server must require multifactor authentication.
V-258911 Medium The vCenter Server passwords must be at least 15 characters in length.
V-258945 Medium The vCenter Server must use unique service accounts when applications connect to vCenter.
V-258952 Medium The vCenter Server must restrict access to cryptographic permissions.
V-258953 Medium The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.
V-258950 Medium The vCenter Server must disable Username/Password and Windows Integrated Authentication.
V-258951 Medium The vCenter Server must restrict access to the default roles with cryptographic permissions.
V-258956 Medium The vCenter Server must limit membership to the "SystemConfiguration.BashShellAdministrators" Single Sign-On (SSO) group.
V-258957 Medium The vCenter Server must limit membership to the "TrustedAdmins" Single Sign-On (SSO) group.
V-258954 Medium The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
V-258955 Medium The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source.
V-258963 Medium The vCenter Server must separate authentication and authorization for administrators.
V-258958 Medium The vCenter server configuration must be backed up on a regular basis.
V-258959 Medium The vCenter server must have task and event retention set to at least 30 days.
V-258962 Medium The vCenter server must enable the OVF security policy for content libraries.
V-258916 Medium The vCenter Server passwords must contain at least one special character.
V-258914 Medium The vCenter Server passwords must contain at least one lowercase character.
V-258915 Medium The vCenter Server passwords must contain at least one numeric character.
V-258912 Medium The vCenter Server must prohibit password reuse for a minimum of five generations.
V-258913 Medium The vCenter Server passwords must contain at least one uppercase character.
V-258936 Medium The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to "Reject".
V-258937 Medium The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject".
V-258938 Medium The vCenter Server must only send NetFlow traffic to authorized collectors.
V-258939 Medium The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).
V-258960 Medium The vCenter server Native Key Provider must be backed up with a strong password.
V-258918 Medium The vCenter Server must enforce a 90-day maximum password lifetime restriction.
V-258919 Medium The vCenter Server must enable revocation checking for certificate-based authentication.
V-258930 Medium The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
V-258949 Medium The vCenter Server must configure the vSAN Datastore name to a unique name.
V-258931 Medium The vCenter server must enforce SNMPv3 security features where SNMP is required.
V-258932 Medium The vCenter server must disable SNMPv1/2 receivers.
V-258933 Medium The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
V-258934 Medium The vCenter Server must disable the distributed virtual switch health check.
V-258961 Medium The vCenter server must require authentication for published content libraries.
V-258935 Medium The vCenter Server must set the distributed port group Forged Transmits policy to "Reject".
V-258964 Low The vCenter Server must disable CDP/LLDP on distributed switches.
V-258944 Low The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.