The vCenter Server must disable accounts used for Integrated Windows Authentication (IWA).


Overview

Finding ID:  V-265979
Version:     VCSA-80-000305
Rule ID:     SV-265979r1003616_rule
IA Controls: (none)
Severity:    Medium
Description
If not used for their intended purpose, default accounts must be disabled. vCenter ships with several default accounts, two of which are specific to IWA and SASL/Kerberos authentication. If other methods of authentication are used, these accounts are not needed and must be disabled.
STIG:      VMware vSphere 8.0 vCenter Security Technical Implementation Guide
STIG Date: 2024-07-11

Details

Check Text (C-69902r1003614_chk)
If IWA is used for vCenter authentication, this is not applicable.

From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Users.

Change the domain to "vsphere.local" and review the "K/M" and "krbtgt/VSPHERE.LOCAL" accounts.

If the "K/M" and "krbtgt/VSPHERE.LOCAL" accounts are not disabled, this is a finding.
Fix Text (F-69805r1003615_fix)
From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Users.

Select the "K/M" or "krbtgt/VSPHERE.LOCAL" account, click "More", then select "Disable".

Click "Ok" to disable the user account.
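The check and fix above are written for the vSphere Client. The following PowerCLI function is an added example for auditing the same rule at scale; it is not DISA's or VMware's own automation. It assumes the community VMware.vSphere.SsoAdmin module, and the cmdlet names (Connect-SsoAdminServer, Get-SsoPersonUser, Set-SsoPersonUser, Disconnect-SsoAdminServer), their parameters and the PersonUser "Disabled" property are assumptions about that module, not something the STIG text states. The -IwaInUse switch reproduces the "not applicable" condition; -Remediate applies the fix, otherwise the function only reports.

```powershell
# Added example: audit (and optionally remediate) VCSA-80-000305 with PowerCLI.
# Assumes the community VMware.vSphere.SsoAdmin module; the cmdlets, their
# parameters and the PersonUser.Disabled property are assumptions about that module.

#Requires -Modules VMware.vSphere.SsoAdmin

function Test-VcsaIwaAccounts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        # Set when IWA is actually used for vCenter authentication; the rule is then Not Applicable.
        [switch] $IwaInUse,
        # Disable any enabled target account instead of only reporting it.
        [switch] $Remediate
    )

    $ruleId  = 'VCSA-80-000305'
    $domain  = 'vsphere.local'
    $targets = @('K/M', 'krbtgt/VSPHERE.LOCAL')   # accounts named in the check text

    if ($IwaInUse) {
        return [pscustomobject]@{ Rule = $ruleId; Status = 'NotApplicable'; Details = 'IWA is in use' }
    }

    # -SkipCertificateCheck is an assumed switch of the module's connect cmdlet.
    $sso = Connect-SsoAdminServer -Server $Server -Credential $Credential -SkipCertificateCheck
    try {
        $findings = foreach ($name in $targets) {
            # Filter on exact name in case the cmdlet's -Name search matches more than one user.
            $user = Get-SsoPersonUser -Name $name -Domain $domain -Server $sso |
                    Where-Object { $_.Name -eq $name } | Select-Object -First 1
            if (-not $user) {
                [pscustomobject]@{ Account = $name; Disabled = $null; Note = 'account not found' }
                continue
            }
            if (-not $user.Disabled -and $Remediate) {
                # Assumed signature: -Enable $false disables the account.
                Set-SsoPersonUser -User $user -Enable $false -Server $sso | Out-Null
                $user = Get-SsoPersonUser -Name $name -Domain $domain -Server $sso |
                        Where-Object { $_.Name -eq $name } | Select-Object -First 1
            }
            [pscustomobject]@{ Account = $name; Disabled = [bool]$user.Disabled; Note = '' }
        }
    }
    finally {
        Disconnect-SsoAdminServer -Server $sso
    }

    # Any target that is not confirmed disabled (including "not found") is reported as Open.
    $open = $findings | Where-Object { $_.Disabled -ne $true }
    [pscustomobject]@{
        Rule    = $ruleId
        Status  = if ($open) { 'Open' } else { 'NotAFinding' }
        Details = $findings
    }
}

# Usage (hostname is a placeholder):
# Test-VcsaIwaAccounts -Server vcsa.example.internal -Credential (Get-Credential) | Format-List
# Test-VcsaIwaAccounts -Server vcsa.example.internal -Credential (Get-Credential) -Remediate
```

An account that cannot be found is reported as Open rather than silently passed, so a renamed or missing default account still gets a human review; run with -Remediate only after the audit output has been checked against the environment's authentication design.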