
VMware vSphere vCenter Server Version 6 Security Technical Implementation Guide


Overview

Date: 2017-07-11
Finding Count: 50 (CAT I (High): 2, CAT II (Med): 39, CAT III (Low): 9)
STIG Description
The VMware vSphere vCenter Server Version 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-63965 High The system must ensure the distributed port group MAC Address Change policy is set to reject.
V-63991 High The system must minimize access to the vCenter server.
V-64009 Medium The system must use unique service accounts when applications connect to vCenter.
V-63975 Medium All port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
V-63149 Medium The system must prohibit password reuse for a minimum of five generations.
V-63967 Medium The system must ensure the distributed port group Promiscuous Mode policy is set to reject.
V-64011 Medium vSphere Client plugins must be verified.
V-64017 Medium Passwords must contain at least one uppercase character.
V-63951 Medium The system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC).
V-64015 Medium Passwords must be at least 15 characters in length.
V-64035 Medium The system must alert administrators on permission update operations.
V-64019 Medium Passwords must contain at least one lowercase character.
V-64031 Medium The system must alert administrators on permission creation operations.
V-64037 Medium The vCenter Server users must have the correct roles assigned.
V-64033 Medium The system must alert administrators on permission deletion operations.
V-63969 Medium The system must only send NetFlow traffic to authorized collectors.
V-63949 Medium The vCenter Server users must have the correct roles assigned.
V-63945 Medium The system must enforce a 60-day maximum password lifetime restriction.
V-63947 Medium The system must terminate management sessions after 10 minutes of inactivity.
V-63943 Medium The system must not automatically refresh client sessions.
V-63989 Medium Privilege re-assignment must be checked after the vCenter Server restarts.
V-63981 Medium The vCenter Server services must be run using a service account instead of a built-in Windows account.
V-63983 Medium The system must ensure the vpxuser auto-password change meets policy.
V-63985 Medium The system must ensure the vpxuser password meets length policy.
V-64005 Medium A least-privileges assignment must be used for the Update Manager database user.
V-64007 Medium A least-privileges assignment must be used for the vCenter Server database user.
V-64023 Medium Passwords must contain at least one special character.
V-64021 Medium Passwords must contain at least one numeric character.
V-64027 Medium The system must set the interval for counting failed login attempts to at least 15 minutes.
V-64029 Medium The system must require an administrator to unlock an account locked due to excessive login failures.
V-64025 Medium The system must limit the maximum number of failed login attempts to three.
V-63979 Medium The system must enable SSL for Network File Copy (NFC).
V-63973 Medium All port groups must be configured to a value other than that of the native VLAN.
V-63959 Medium The system must limit the use of the built-in SSO administrative account.
V-63955 Medium The system must use Active Directory authentication.
V-63977 Medium All port groups must not be configured to VLAN values reserved by upstream physical switches.
V-63999 Medium The vCenter Administrator role must be secured and assigned to specific users other than a Windows Administrator.
V-73137 Medium The system must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
V-63993 Medium Log files must be cleaned up after failed installations of the vCenter Server.
V-63995 Medium The system must enable all tasks to be shown to Administrators in the Web Client.
V-63963 Medium The distributed port group Forged Transmits policy must be set to reject.
V-64013 Low The system must produce audit records containing information to establish what type of events occurred.
V-63961 Low The system must disable the distributed virtual switch health check.
V-73141 Low The connectivity between VSAN Health Check and public Hardware Compatibility List must be disabled or restricted by use of an external proxy server.
V-73143 Low The system must configure the VSAN Datastore name to a unique name.
V-63987 Low The system must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.
V-64003 Low The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.
V-63971 Low The system must not override port group settings at the port level on distributed switches.
V-63953 Low The system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.
V-73139 Low The system must enable the VSAN Health Check.
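Three of the findings above (V-63963 Forged Transmits, V-63965 MAC Address Changes and V-63967 Promiscuous Mode) are the same check applied to three switches on every distributed port group security policy, and a High finding (V-63965) among them is worth scripting rather than clicking through per port group. The PowerCLI audit below is an added example, not part of the STIG text or of VMware's own tooling; it assumes VMware PowerCLI with the VMware.VimAutomation.Vds module, an already-established Connect-VIServer session, and a hypothetical -Remediate switch and vCenter hostname used only for illustration.

```powershell
# Added example (not from the STIG or VMware): audit, and optionally remediate,
# the distributed port group security policy findings
#   V-63963  Forged Transmits must be Reject
#   V-63965  MAC Address Changes must be Reject
#   V-63967  Promiscuous Mode must be Reject
# Requires VMware PowerCLI (VMware.VimAutomation.Vds). The -Remediate switch and
# the default server name are assumptions for illustration.
param(
    [string]$Server = 'vcenter.example.internal',   # assumed hostname
    [switch]$Remediate
)

Import-Module VMware.VimAutomation.Vds -ErrorAction Stop
if (-not $global:DefaultVIServer) {
    Connect-VIServer -Server $Server | Out-Null    # prompts for credentials
}

$findings = @()
foreach ($vds in Get-VDSwitch) {
    foreach ($pg in Get-VDPortgroup -VDSwitch $vds) {
        if ($pg.IsUplink) { continue }               # uplink port groups are out of scope
        $pol  = Get-VDSecurityPolicy -VDPortgroup $pg
        $open = @()
        # In PowerCLI $true means "Accept" and $false means "Reject" for all three flags
        if ($pol.ForgedTransmits)  { $open += 'V-63963 ForgedTransmits=Accept' }
        if ($pol.MacChanges)       { $open += 'V-63965 MacChanges=Accept' }
        if ($pol.AllowPromiscuous) { $open += 'V-63967 AllowPromiscuous=Accept' }
        if ($open.Count -eq 0) { continue }

        $findings += [pscustomobject]@{
            Switch    = $vds.Name
            PortGroup = $pg.Name
            Open      = ($open -join '; ')
        }
        if ($Remediate) {
            # Set all three policies to Reject on the port group
            $pol | Set-VDSecurityPolicy -ForgedTransmits $false `
                                        -MacChanges $false `
                                        -AllowPromiscuous $false | Out-Null
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No open V-63963/V-63965/V-63967 findings on distributed port groups.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it without -Remediate first and keep the output as the check evidence; run it with -Remediate only in a change window, because switching Promiscuous Mode or MAC Address Changes to Reject will break workloads that legitimately depend on them (clustered VMs with shared MACs, network monitoring appliances), and those need a documented exception rather than a blanket change. Note also that fixing the policy at the port group level does not touch individual ports that override it, which is what V-63971 (no port-level overrides on distributed switches) covers separately.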