V-256366

CAT II (Medium)

The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.

Rule ID

SV-256366r885709_rule

STIG

VMware vSphere 7.0 vCenter Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-000366

Discussion

When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host, the potential exists for a man-in-the-middle attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.
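The following is an added example, not part of the STIG text or of any VMware code. It models the CHAP response calculation from RFC 1994 (MD5 over identifier, secret and challenge) to show why one-way CHAP leaves the initiator unable to detect an impersonated target while mutual CHAP rejects it. The class names, the simplified login flow and the secrets are constructed for illustration and do not reproduce the iSCSI login PDU format.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Endpoint:
    """One side of the session; holds one secret per direction."""
    def __init__(self, own_secret, peer_secret):
        self.own_secret = own_secret    # used to prove our identity
        self.peer_secret = peer_secret  # used to check the peer's proof

    def answer(self, ident, challenge):
        return chap_response(ident, self.own_secret, challenge)

    def verify(self, ident, challenge, response):
        expected = chap_response(ident, self.peer_secret, challenge)
        return hmac.compare_digest(expected, response)

class ImpersonatingTarget(Endpoint):
    """Knows neither secret, so it accepts every initiator it sees."""
    def __init__(self):
        super().__init__(os.urandom(16), b"")

    def verify(self, ident, challenge, response):
        return True

def login(initiator, target, mutual):
    """Return the outcome of a simplified CHAP or mutual CHAP login."""
    ident, challenge = 1, os.urandom(16)  # target challenges initiator
    if not target.verify(ident, challenge, initiator.answer(ident, challenge)):
        return "initiator rejected"
    if mutual:
        ident, challenge = 2, os.urandom(16)  # initiator challenges target
        if not initiator.verify(ident, challenge, target.answer(ident, challenge)):
            return "target rejected"
    return "session established"

def demo():
    """Constructed secrets; compare one-way CHAP with mutual CHAP."""
    i_sec, t_sec = b"constructed-initiator-secret", b"constructed-target-secret"
    initiator, real = Endpoint(i_sec, t_sec), Endpoint(t_sec, i_sec)
    fake = ImpersonatingTarget()
    return {(mode, name): login(initiator, tgt, mode == "mutual")
            for mode in ("chap", "mutual")
            for name, tgt in (("real", real), ("fake", fake))}
```

With one-way CHAP the impersonating target is indistinguishable from the real one from the initiator's side; only the mutual exchange fails it, which is the condition the check below looks for on every target.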

Check Content

If no clusters are enabled for vSAN or if vSAN is enabled but iSCSI is not enabled, this is not applicable.

From the vSphere Client, go to Host and Clusters.

Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service.

For each iSCSI target, review the value in the "Authentication" column.

If the Authentication method is not set to "CHAP_Mutual" for any iSCSI target, this is a finding.

Fix Text

From the vSphere Client, go to Host and Clusters. 

Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service.

For each iSCSI target, select the item and click "Edit".

Change the "Authentication" field to "Mutual CHAP" and configure the incoming and outgoing users and secrets appropriately.