
VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide

Version: V1R2

Release Date: Jun 15, 2023

SCAP Benchmark ID: VMW_vSphere_7-0_vCA_STS_STIG

Total Checks: 31

Tags: vmware

CAT I: 0, CAT II: 31, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (31)

  • V-256745 (MEDIUM) The Security Token Service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
  • V-256746 (MEDIUM) The Security Token Service must limit the number of concurrent connections permitted.
  • V-256747 (MEDIUM) The Security Token Service must limit the maximum size of a POST request.
  • V-256748 (MEDIUM) The Security Token Service must protect cookies from cross-site scripting (XSS).
  • V-256749 (MEDIUM) The Security Token Service must record user access in a format that enables monitoring of remote access.
  • V-256750 (MEDIUM) The Security Token Service must generate log records during Java startup and shutdown.
  • V-256751 (MEDIUM) Security Token Service log files must only be modifiable by privileged users.
  • V-256752 (MEDIUM) The Security Token Service application files must be verified for their integrity.
  • V-256753 (MEDIUM) The Security Token Service must only run one webapp.
  • V-256754 (MEDIUM) The Security Token Service must not be configured with unused realms.
  • V-256755 (MEDIUM) The Security Token Service must be configured to limit access to internal packages.
  • V-256756 (MEDIUM) The Security Token Service must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
  • V-256757 (MEDIUM) The Security Token Service must have mappings set for Java servlet pages.
  • V-256758 (MEDIUM) The Security Token Service must not have the Web Distributed Authoring (WebDAV) servlet installed.
  • V-256759 (MEDIUM) The Security Token Service must be configured with memory leak protection.
  • V-256760 (MEDIUM) The Security Token Service must not have any symbolic links in the web content directory tree.
  • V-256761 (MEDIUM) The Security Token Service directory tree must have permissions in an out-of-the-box state.
  • V-256762 (MEDIUM) The Security Token Service must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
  • V-256763 (MEDIUM) The Security Token Service must limit the number of allowed connections.
  • V-256764 (MEDIUM) The Security Token Service must set "URIEncoding" to UTF-8.
  • V-256765 (MEDIUM) The Security Token Service must use the "setCharacterEncodingFilter" filter.
  • V-256766 (MEDIUM) The Security Token Service must set the welcome-file node to a default web page.
  • V-256767 (MEDIUM) The Security Token Service must not show directory listings.
  • V-256768 (MEDIUM) The Security Token Service must be configured to not show error reports.
  • V-256769 (MEDIUM) The Security Token Service must not enable support for TRACE requests.
  • V-256770 (MEDIUM) The Security Token Service must have the debug option disabled.
  • V-256771 (MEDIUM) The Security Token Service must be configured with the appropriate ports.
  • V-256772 (MEDIUM) The Security Token Service must disable the shutdown port.
  • V-256773 (MEDIUM) The Security Token Service must set the secure flag for cookies.
  • V-256774 (MEDIUM) The Security Token Service default servlet must be set to "readonly".
  • V-256775 (MEDIUM) Security Token Service log data and records must be backed up onto a different system or media.