
The vCenter Server must disable accounts used for Integrated Windows Authentication (IWA).


Overview

Finding ID: V-265979
Version: VCSA-80-000305
Rule ID: SV-265979r1003616_rule
IA Controls:
Severity: Medium
Description
If not used for their intended purpose, default accounts must be disabled. vCenter ships with several default accounts, two of which are specific to IWA and SASL/Kerberos authentication. If other methods of authentication are used, these accounts are not needed and must be disabled.
STIG: VMware vSphere 8.0 vCenter Security Technical Implementation Guide
Date: 2024-07-11

Details

Check Text (C-69902r1003614_chk)
If IWA is used for vCenter authentication, this is not applicable.

From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Users.

Change the domain to "vsphere.local" and review the "K/M" and "krbtgt/VSPHERE.LOCAL" accounts.

If the "K/M" and "krbtgt/VSPHERE.LOCAL" accounts are not disabled, this is a finding.
Fix Text (F-69805r1003615_fix)
From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Users.

Select the "K/M" or "krbtgt/VSPHERE.LOCAL" account, click "More", then select "Disable".

Click "Ok" to disable the user account.