UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide


Overview

Date Finding Count (33)
2023-10-29 CAT I (High): 0 CAT II (Med): 33 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-258981 Medium The vCenter STS service must set URIEncoding to UTF-8.
V-258980 Medium The vCenter STS service must be configured to fail to a known safe state if system initialization fails.
V-258983 Medium The vCenter STS service must set an inactive timeout for sessions.
V-258982 Medium The vCenter STS service "ErrorReportValve showServerInfo" must be set to "false".
V-258985 Medium The vCenter STS service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
V-258984 Medium The vCenter STS service must offload log records onto a different system or media from the system being logged.
V-258987 Medium The vCenter STS service must configure the "setCharacterEncodingFilter" filter.
V-258986 Medium The vCenter STS service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
V-258989 Medium The vCenter STS service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
V-258988 Medium The vCenter STS service cookies must have "http-only" flag set.
V-258978 Medium The vCenter STS service must be configured to use a specified IP address and port.
V-258979 Medium The vCenter STS service must be configured to limit data exposure between applications.
V-259002 Medium The vCenter STS service host-manager webapp must be removed.
V-258974 Medium The vCenter STS service must produce log records containing sufficient information regarding event details.
V-258975 Medium The vCenter STS service logs folder permissions must be set correctly.
V-258976 Medium The vCenter STS service must limit privileges for creating or modifying hosted application shared files.
V-258977 Medium The vCenter STS service must disable stack tracing.
V-258970 Medium The vCenter STS service must limit the number of maximum concurrent connections permitted.
V-258971 Medium The vCenter STS service must be configured to use strong encryption ciphers.
V-258972 Medium The vCenter STS service cookies must have secure flag set.
V-258973 Medium The vCenter STS service must initiate session logging upon startup.
V-259000 Medium The vCenter STS service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
V-258998 Medium The vCenter STS service files must have permissions in an out-of-the-box state.
V-258999 Medium The vCenter STS service must disable "ALLOW_BACKSLASH".
V-258996 Medium The vCenter STS service default ROOT web application must be removed.
V-258997 Medium The vCenter STS service default documentation must be removed.
V-258994 Medium The vCenter STS service xpoweredBy attribute must be disabled.
V-258995 Medium The vCenter STS service example applications must be removed.
V-258992 Medium The vCenter STS service directory listings parameter must be disabled.
V-258993 Medium The vCenter STS service must have Autodeploy disabled.
V-258990 Medium The vCenter STS service shutdown port must be disabled.
V-258991 Medium The vCenter STS service debug parameter must be disabled.
V-259001 Medium The vCenter STS service manager webapp must be removed.