11:["$","div",null,{"className":"mx-auto max-w-7xl p-6","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-brand text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-4 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"text-3xl font-bold","children":"VMware vSphere 7.0 vCenter Security Technical Implementation Guide"}],false,["$","$L1b",null,{}]]}],["$","section",null,{"className":"mb-8 rounded-lg border border-gray-200 bg-white p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","3"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Dec 21, 2023"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-xs text-gray-500","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"VMW_vSphere_7-0_vCenter_STIG","children":"VMW_vSphere_7-0_vCenter_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":57}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","vmware",{"className":"rounded-full bg-gray-100 px-2 py-0.5 text-xs text-gray-700","children":"vmware"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"rounded bg-red-100 px-3 py-1 text-sm font-medium text-red-800","children":["CAT I: ",2]}],["$","span",null,{"className":"rounded bg-yellow-100 px-3 py-1 text-sm font-medium text-yellow-800","children":["CAT II: ",53]}],["$","span",null,{"className":"rounded bg-blue-100 px-3 py-1 text-sm font-medium text-blue-800","children":["CAT III: ",2]}]]}],["$","p",null,{"className":"mt-4 text-sm text-gray-600","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=VMware%20vSphere%207.0%20vCenter%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=VMware%20vSphere%207.0%20vCenter%20Security%20Technical%20Implementation%20Guide&format=csv","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=VMware%20vSphere%207.0%20vCenter%20Security%20Technical%20Implementation%20Guide&format=json","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y25M04_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-brand/10 text-brand hover:bg-brand/20 border-brand/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L1c",null,{"checks":[{"id":"e8d1f94e-7919-4cc6-b08f-e3f1624162e5","vulnId":"V-256318","severity":"high","ruleTitle":"The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.","description":"Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nSatisfies: SRG-APP-000014, SRG-APP-000645, SRG-APP-000156, SRG-APP-000157, SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000560, SRG-APP-000565, SRG-APP-000625","checkContent":"At the command prompt on the vCenter Server Appliance, run the following command:\n\n# /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc scan\n\nIf the output indicates versions of TLS other than 1.2 are enabled, this is a finding.","fixText":"At the command prompt on the vCenter Server Appliance, run the following commands:\n\n# /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc backup\n\n# /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLSv1.2\n\nvCenter services will be restarted as part of the reconfiguration. The operating system will not be restarted.\n\nThe \"--no-restart\" flag can be added to restart services at a later time.\n\nChanges will not take effect until all services are restarted or the appliance is rebooted.\n\nNote: This change should be performed on vCenter prior to ESXi."},{"id":"2de9e383-734c-4305-8675-a4e177a56bce","vulnId":"V-256319","severity":"medium","ruleTitle":"The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy. \n\nThe lockout policy should be set as follows:\n\nMaximum number of failed login attempts: 3 \n\nIf this account lockout policy is not configured as stated, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy.\n\nClick \"Edit\".\n\nSet the \"Maximum number of failed login attempts\" to \"3\" and click \"Save\"."},{"id":"14346991-536a-412b-a3f4-cad26bcbb681","vulnId":"V-256320","severity":"medium","ruleTitle":"The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before login.","description":"$1d","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Login Message.\n\nIf the selection box next to \"Show login message\" is disabled, \"Details of login message\" is not configured to the standard DOD User Agreement, or the \"Consent checkbox\" is disabled, this is a finding.\n\nNote: Refer to vulnerability discussion for user agreement language.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Login Message.\n\nClick \"Edit\".\n\nClick the \"Show login message\" slider to enable.\n\nConfigure the \"Login message\" to \"DOD User Agreement\".\n\nClick the \"Consent checkbox\" slider to enable.\n\nSet the \"Details of login message\" to the Standard Mandatory DOD Notice and Consent Banner text.\n\nClick \"Save\"."},{"id":"44aaa160-e088-4555-bdd0-5da8dc829e4e","vulnId":"V-256321","severity":"medium","ruleTitle":"The vCenter Server must produce audit records containing information to establish what type of events occurred.","description":"Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.","checkContent":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> Advanced Settings.\n\nVerify the \"config.log.level\" value is set to \"info\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-AdvancedSetting -Entity -Name config.log.level and verify it is set to \"info\".\n\nIf the \"config.log.level\" value is not set to \"info\" or does not exist, this is a finding.","fixText":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> Advanced Settings.\n\nClick \"Edit Settings\" and configure the \"config.log.level\" setting to \"info\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-AdvancedSetting -Entity -Name config.log.level | Set-AdvancedSetting -Value info"},{"id":"169e7f1e-4336-4953-998e-ce456fc6dd76","vulnId":"V-256322","severity":"medium","ruleTitle":"vCenter Server plugins must be verified.","description":"The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, web-based functionality.\n\nvSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system.\n\nAdditionally, vCenter comes with a number of plugins preinstalled that may or may not be necessary for proper operation.","checkContent":"From the vSphere Client, go to Administration >> Solutions >> Client Plug-Ins.\n\nView the Installed/Available Plug-ins list and verify they are all identified as authorized VMware, third-party (partner), and/or site-specific approved plug-ins.\n\nIf any installed/available plug-ins in the viewable list cannot be verified as allowed vSphere Client plug-ins from trusted sources or are not in active use, this is a finding.","fixText":"$1e"},{"id":"f807fa82-8322-4ac6-af51-4b36c0c7afb5","vulnId":"V-256323","severity":"medium","ruleTitle":"The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.","description":"$1f","checkContent":"From the vSphere Web Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider. \n\nIf the identity provider type is \"embedded\" and there is no identity source of type \"Active Directory\" (either Windows Integrated Authentication or LDAP), this is a finding.\n\nIf the identity provider type is \"Microsoft ADFS\" or another supported identity provider, this is NOT a finding.","fixText":"$20"},{"id":"be5fd2f4-be61-4569-b89c-36a0a01dccb6","vulnId":"V-256324","severity":"medium","ruleTitle":"The vCenter Server must require multifactor authentication.","description":"Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. \n\nMultifactor authentication requires using two or more factors to achieve authentication. \n\nFactors include: \n(i) something a user knows (e.g., password/PIN); \n(ii) something a user has (e.g., cryptographic identification device, token); or \n(iii) something a user is (e.g., biometric).\n\nSatisfies: SRG-APP-000149, SRG-APP-000080, SRG-APP-000150, SRG-APP-000391, SRG-APP-000402","checkContent":"From the vSphere Web Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider.\n\nIf the embedded identity provider is used, click on \"Smart Card Authentication\".\n\nIf the embedded identity provider is used and \"Smart Card Authentication\" is not enabled, this is a finding.\n\nIf a third-party identity provider is used, such as Microsoft ADFS, and it does not require multifactor authentication to log on to vCenter, this is a finding.","fixText":"To configure smart card authentication for vCenter when using the embedded identity provider, refer to the supplemental document. \n\nFor vCenter Servers using a third-party identity provider, consult the product's documentation for enabling multifactor authentication."},{"id":"dccfba4f-b97a-4a11-810c-2e3b0cb3c9a3","vulnId":"V-256325","severity":"medium","ruleTitle":"The vCenter Server passwords must be at least 15 characters in length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy. \n\nThe following password requirement should be set with at least the stated value: \n\nMinimum Length: 15 \n\nIf this password policy is not configured as stated, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.\n\nClick \"Edit\".\n\nSet the \"Minimum Length\" to \"15\" and click \"Save\"."},{"id":"a3578880-d299-4677-aa24-135a80b97082","vulnId":"V-256326","severity":"medium","ruleTitle":"The vCenter Server must prohibit password reuse for a minimum of five generations.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nTo meet password policy requirements, passwords must be changed at specific policy-based intervals. \n\nIf the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the result is a password that is not changed per policy requirements.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.\n\nView the value of the \"Restrict reuse\" setting.\n\nIf the \"Restrict reuse\" policy is not set to \"5\" or more, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.\n\nClick \"Edit\", enter \"5\" as the \"Restrict reuse\" setting, and click \"OK\"."},{"id":"7cc0f914-a6d7-4125-969d-5bfadda5e838","vulnId":"V-256327","severity":"medium","ruleTitle":"The vCenter Server passwords must contain at least one uppercase character.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy. \n\nSet the following password requirement with at least the stated value: \n\nUpper-case Characters: At least 1 \n\nIf this password complexity policy is not configured as stated, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.\n\nClick \"Edit\".\n\nSet \"Upper-case Characters\" to at least \"1\" and click \"Save\"."},{"id":"b6d5f5ca-2c29-4c7e-a94d-b874d089b25c","vulnId":"V-256328","severity":"medium","ruleTitle":"The vCenter Server passwords must contain at least one lowercase character.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy. \n\nSet the following password requirement with at least the stated value: \n\nLower-case Characters: At least 1 \n\nIf this password complexity policy is not configured as stated, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.\n\nClick \"Edit\".\n\nSet \"Lower-case Characters\" to at least \"1\" and click \"Save\"."},{"id":"031ce4c5-5bff-4696-a785-c30f91212c73","vulnId":"V-256329","severity":"medium","ruleTitle":"The vCenter Server passwords must contain at least one numeric character.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy. \n\nSet the following password requirement with at least the stated value: \n\nNumeric Characters: At least 1 \n\nIf this password complexity policy is not configured as stated, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.\n\nClick \"Edit\".\n\nSet \"Numeric Characters\" to at least \"1\" and click \"Save\"."},{"id":"8db4beae-eb7a-425c-83fc-67d345c3951c","vulnId":"V-256330","severity":"medium","ruleTitle":"The vCenter Server passwords must contain at least one special character.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nSpecial characters are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy. \n\nSet the following password requirements with at least the stated value: \n\nSpecial Characters: At least 1 \n\nIf this password complexity policy is not configured as stated, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.\n\nClick \"Edit\".\n\nSet \"Special Characters\" to at least \"1\" and click \"Save\"."},{"id":"32fb53b4-a1bf-4ecc-80eb-71166f10fb05","vulnId":"V-256331","severity":"high","ruleTitle":"The vCenter Server must enable FIPS-validated cryptography.","description":"FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements.\n\nIn vSphere 6.7 and later, ESXi and vCenter Server use FIPS-validated cryptography to protect management interfaces and the VMware Certificate Authority (VMCA).\n\nvSphere 7.0 Update 2 and later adds additional FIPS-validated cryptography to vCenter Server Appliance. By default, this FIPS validation option is disabled and must be enabled.\n\nSatisfies: SRG-APP-000172, SRG-APP-000179, SRG-APP-000224, SRG-APP-000231, SRG-APP-000412, SRG-APP-000514, SRG-APP-000555, SRG-APP-000600, SRG-APP-000610, SRG-APP-000620, SRG-APP-000630, SRG-APP-000635","checkContent":"From the vSphere Web Client, go to Developer Center >> API Explorer.\n\nFrom the \"Select API\" drop-down menu, select appliance.\n\nExpand system/security/global_fips >> GET.\n\nClick \"Execute\" and then \"Copy Response\" to view the results.\n\nExample response:\n\n{\n \"enabled\": true\n}\n\nIf global FIPS mode is not enabled, this is a finding.","fixText":"From the vSphere Web Client, go to Developer Center >> API Explorer.\n\nFrom the \"Select API\" drop-down menu, select appliance.\n\nExpand system/security/global_fips >> PUT.\n\nIn the response body under \"Try it out\", paste the following:\n\n{\n \"enabled\": true\n}\n\nClick \"Execute\".\n\nNote: The vCenter server reboots after FIPS is enabled or disabled."},{"id":"c7f076a3-f872-4cbc-a104-b307ffbb8c6b","vulnId":"V-256332","severity":"medium","ruleTitle":"The vCenter Server must enforce a 60-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords must be changed at specific intervals. \n\nOne method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. \n\nThis requirement does not include emergency administration accounts, which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.\n\nView the value of the \"Maximum lifetime\" setting.\n\nIf the \"Maximum lifetime\" policy is not set to \"60\", this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.\n\nClick \"Edit\", enter \"60\" into the \"Maximum lifetime\" setting, and click \"OK\"."},{"id":"10c46faa-bc49-4fe8-814e-aaf10c69a154","vulnId":"V-256333","severity":"medium","ruleTitle":"The vCenter Server must enable revocation checking for certificate-based authentication.","description":"The system must establish the validity of the user-supplied identity certificate using Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) revocation checking.\n\nSatisfies: SRG-APP-000175, SRG-APP-000392, SRG-APP-000401, SRG-APP-000403","checkContent":"If a federated identity provider is configured and used for an identity source and supports Smartcard authentication, this is not applicable.\n\nFrom the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.\n\nUnder Smart card authentication settings >> Certificate revocation, verify \"Revocation check\" does not show as disabled.\n\nIf \"Revocation check\" shows as disabled, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.\n\nUnder Smart card authentication settings >> Certificate revocation, click the \"Edit\" button.\n\nConfigure revocation checking per site requirements. OCSP with CRL failover is recommended.\n\nBy default, both locations are pulled from the cert. CRL location can be overridden in this screen, and local responders can be specified via the sso-config command line tool. Refer to the supplemental document for more information.\n\nNote: If FIPS mode is enabled on vCenter, OCSP revocation validation may not function and CRL used instead."},{"id":"e20e928a-e8fc-41b1-8e7b-4fe78e136a16","vulnId":"V-256334","severity":"medium","ruleTitle":"The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free resources committed by the managed network element.\n\nSatisfies: SRG-APP-000190, SRG-APP-000295, SRG-APP-000389","checkContent":"From the vSphere Client, go to Administration >> Deployment >> Client Configuration.\n\nView the value of the \"Session timeout\" setting.\n\nIf \"Session timeout\" is not set to \"10 minute(s)\" or below, this is a finding.\n\nNote: If vCenter is not 7.0 U2 or newer, this setting is not available through the UI and must be checked with the \"session.timeout\" setting in the \"/etc/vmware/vsphere-ui/webclient.properties file\".","fixText":"From the vSphere Client, go to Administration >> Deployment >> Client Configuration.\n\nClick \"Edit\" and enter \"10\" minutes into the \"Session timeout\" setting. Click \"Save\".\n\nNote: If vCenter is not 7.0 U2 or newer, this setting is not available through the UI and must be checked with the \"session.timeout\" setting in the \"/etc/vmware/vsphere-ui/webclient.properties file\"."},{"id":"1452fe07-a934-48dd-8543-f19b5b8f8605","vulnId":"V-256335","severity":"medium","ruleTitle":"The vCenter Server users must have the correct roles assigned.","description":"Users and service accounts must only be assigned privileges they require. Least privilege requires that these privileges must only be assigned if needed to reduce risk of confidentiality, availability, or integrity loss.\n\nSatisfies: SRG-APP-000211, SRG-APP-000233, SRG-APP-000380","checkContent":"From the vSphere Client, go to Administration >> Access Control >> Roles.\n\nView each role and verify the users and/or groups assigned to it by clicking \"Usage\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto\n\nApplication service account and user required privileges should be documented.\n\nIf any user or service account has more privileges than required, this is a finding.","fixText":"To update a user's or group's permissions to an existing role with reduced permissions, do the following:\n\nFrom the vSphere Client, go to Administration >> Access Control >> Global Permissions.\n\nSelect the user or group, click the pencil button, change the assigned role, and click \"OK\".\n\nNote: If permissions are assigned on a specific object, the role must be updated where it is assigned (for example, at the cluster level).\n\nTo create a new role with reduced permissions, do the following:\n\nFrom the vSphere Client, go to Administration >> Access Control >> Roles.\n\nClick the green plus sign and enter a name for the role and select only the specific permissions required.\n\nUsers can then be assigned to the newly created role."},{"id":"b24e8d31-1423-4b88-983e-1dcfa7df26d3","vulnId":"V-256336","severity":"medium","ruleTitle":"The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nManaging excess capacity ensures sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.","checkContent":"If distributed switches are not used, this is not applicable.\n\nFrom the vSphere Client, go to Networking.\n\nSelect a distributed switch >> Configure >> Settings >> Properties.\n\nView the \"Properties\" pane and verify \"Network I/O Control\" is \"Enabled\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-VDSwitch | select Name,@{N=\"NIOC Enabled\";E={$_.ExtensionData.config.NetworkResourceManagementEnabled}}\n\nIf \"Network I/O Control\" is disabled, this is a finding.","fixText":"From the vSphere Client, go to Networking.\n\nSelect a distributed switch >> Configure >> Settings >> Properties.\n\nIn the \"Properties\" pane, click \"Edit\". Change \"Network I/O Control\" to \"Enabled\". Click \"OK\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\n(Get-VDSwitch \"VDSwitch Name\" | Get-View).EnableNetworkResourceManagement($true)"},{"id":"b247b6ab-0754-41d6-942a-c5cbe27322e3","vulnId":"V-256337","severity":"medium","ruleTitle":"The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.","description":"Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. They may also try to hijack an existing account by changing a password or enabling a previously disabled account. Therefore, all actions performed on accounts in the SSO domain much be alerted on in vCenter at a minimum and ideally on a Security Information and Event Management (SIEM) system as well.\n\nTo ensure the appropriate personnel are alerted about SSO account actions, create a new vCenter alarm for the \"com.vmware.sso.PrincipalManagement\" event ID and configure the alert mechanisms appropriately.\n\nSatisfies: SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000320","checkContent":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Security >> Alarm Definitions.\n\nVerify an alarm has been created to alert upon all SSO account actions.\n\nThe alarm name may vary, but it is suggested to name it \"SSO account actions - com.vmware.sso.PrincipalManagement\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq \"com.vmware.sso.PrincipalManagement\"} | Select Name,Enabled,@{N=\"EventTypeId\";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}}\n\nIf an alarm is not created to alert on SSO account actions, this is a finding.","fixText":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Security >> Alarm Definitions.\n\nClick \"Add\".\n\nProvide the alarm name of \"SSO account actions - com.vmware.sso.PrincipalManagement\" and an optional description.\n\nFrom the \"Target type\" drop-down menu, select \"vCenter Server\".\n\nClick \"Next\".\n\nPaste \"com.vmware.sso.PrincipalManagement\" (without quotes) in the line after \"IF\" and press \"Enter\".\n\nNext to \"Trigger the alarm and\", select \"Show as Warning\".\n\nConfigure the desired notification actions that will inform the SA and ISSO of the event.\n\nClick \"Next\". Click \"Next\" again. Click \"Create\"."},{"id":"c634b766-01c7-4482-9e61-8afa990dfd88","vulnId":"V-256338","severity":"medium","ruleTitle":"The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy. \n\nVerify the following lockout policy is set as follows: \n\nTime interval between failures: 900 seconds \n\nIf this lockout policy is not configured as stated, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy.\n\nClick \"Edit\".\n\nSet \"Time interval between failures\" to \"900\" and click \"Save\"."},{"id":"dc26751e-0be4-4beb-ba33-b94ccf3cca3b","vulnId":"V-256339","severity":"medium","ruleTitle":"The vCenter Server must be configured to send logs to a central log server.","description":"vCenter must be configured to send near real-time log data to syslog collectors so information will be available to investigators in the case of a security incident or to assist in troubleshooting.","checkContent":"Open the Virtual Appliance Management Interface (VAMI) by navigating to https://:5480.\n\nLog in with local operating system administrative credentials or with a Single Sign-On (SSO) account that is a member of the \"SystemConfiguration.BashShellAdministrator\" group.\n\nSelect \"Syslog\" on the left navigation pane.\n\nOn the resulting pane on the right, verify at least one site-specific syslog receiver is configured and is listed as \"Reachable\".\n\nIf no valid syslog collector is configured or if the collector is not listed as \"Reachable\", this is a finding.","fixText":"Open the VAMI by navigating to https://:5480.\n\nLog in with local operating system administrative credentials or with an SSO account that is a member of the \"SystemConfiguration.BashShellAdministrator\" group.\n\nSelect \"Syslog\" on the left navigation pane.\n\nOn the resulting pane on the right, click \"Edit\" or \"Configure\".\n\nEdit or add the address and port of a site-specific syslog aggregator or Security Information Event Management (SIEM) system with the appropriate protocol.\n\nUser Datagram Protocol (UDP) is discouraged due to its stateless and unencrypted nature. Transport Layer Security (TLS) is preferred. \n\nClick \"Save\"."},{"id":"44eae223-0a8a-4437-ae9e-80335c21e2f3","vulnId":"V-256340","severity":"medium","ruleTitle":"vCenter must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. \n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).\n\nSatisfies: SRG-APP-000360, SRG-APP-000379, SRG-APP-000510","checkContent":"Review the Central Logging Server being used to verify it is configured to alert the SA and ISSO, at a minimum, on any AO-defined events. Otherwise, this is a finding.\n\nIf there are no AO-defined events, this is not a finding.","fixText":"Configure the Central Logging Server being used to alert the SA and ISSO, at a minimum, on any AO-defined events."},{"id":"7574c0bd-445a-4fab-9c6a-682f30eb0fe6","vulnId":"V-256341","severity":"medium","ruleTitle":"The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server.","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Additionally, unnecessary synchronization may have an adverse impact on system performance and may indicate malicious activity.\n\nSynchronizing internal information system clocks to an authoritative time server provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.","checkContent":"Open the Virtual Appliance Management Interface (VAMI) by navigating to https://:5480.\n\nLog in with local operating system administrative credentials or with a Single Sign-On (SSO) account that is a member of the \"SystemConfiguration.BashShellAdministrator\" group.\n\nSelect \"Time\" on the left navigation pane.\n\nOn the resulting pane on the right, verify at least one authorized time server is configured and is listed as \"Reachable\".\n\nIf \"NTP\" is not enabled and at least one authorized time server configured, this is a finding.","fixText":"Open the VAMI by navigating to https://:5480.\n\nLog in with local operating system administrative credentials or with an SSO account that is a member of the \"SystemConfiguration.BashShellAdministrator\" group.\n\nSelect \"Time\" on the left navigation pane.\n\nOn the resulting pane on the right, click \"Edit\" under \"Time Synchronization\".\n\nSelect \"NTP\" for \"Mode\" and enter a list of authorized time servers separated by commas. Click \"Save\"."},{"id":"fd4e73cc-c1c6-482b-8704-349f49da0ead","vulnId":"V-256342","severity":"medium","ruleTitle":"The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.","description":"Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept public key infrastructure (PKI) certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Transport Layer Security (TLS) certificates.\n\nThe default self-signed, VMware Certificate Authority (VMCA)-issued vCenter reverse proxy certificate must be replaced with a DOD-approved certificate. The use of a DOD certificate on the vCenter reverse proxy and other services assures clients that the service they are connecting to is legitimate and trusted.","checkContent":"From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate.\n\nClick \"View Details\" and examine the \"Issuer Information\" block.\n\nIf the issuer specified is not a DOD-approved certificate authority, this is a finding.","fixText":"Obtain a DOD-issued certificate and private key for each vCenter in the system following the requirements below:\n\nKey size: 2048 bits or more (PEM encoded)\nCRT format (Base-64)\nx509 version 3\nSubjectAltName must contain DNS Name=\nContains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment\n\nExport the entire certificate issuing chain up to the root in Base-64 format. Concatenate the individual certificates into one file with the \".cer\" extension.\n\nFrom the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate.\n\nClick Actions >> Import and Replace Certificate.\n\nSelect the \"Replace with external CA certificate\" radio button and click \"Next\".\n\nSupply the CA-issued certificate , the exported roots file, and the private key.\n\nClick \"Replace\"."},{"id":"8fafc776-8900-4ea6-ad18-eed6a238315f","vulnId":"V-256343","severity":"medium","ruleTitle":"The vCenter Server must disable the Customer Experience Improvement Program (CEIP).","description":"The VMware CEIP sends VMware anonymized system information that is used to improve the quality, reliability, and functionality of VMware products and services. For confidentiality purposes this feature must be disabled.","checkContent":"From the vSphere Client, go to Administration >> Deployment >> Customer Experience Improvement Program.\n\nIf Customer Experience Improvement \"Program Status\" is \"Joined\", this is a finding.","fixText":"From the vSphere Client, go to Administration >> Deployment >> Customer Experience Improvement Program.\n\nClick \"Leave Program\"."},{"id":"0c28f178-505c-4b1b-b51a-429dfc79bd7f","vulnId":"V-256344","severity":"medium","ruleTitle":"The vCenter server must enforce SNMPv3 security features where SNMP is required.","description":"SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. SNMPv3 can be configured for identification and cryptographically based authentication. \n\nSNMPv3 defines a user-based security model (USM) and a view-based access control model (VACM). SNMPv3 USM provides data integrity, data origin authentication, message replay protection, and protection against disclosure of the message payload. SNMPv3 VACM provides access control to determine whether a specific type of access (read or write) to the management information is allowed. Implement both VACM and USM for full protection.\n\nSNMPv3 must be disabled by default and enabled only if used. SNMP v3 provides security feature enhancements to SNMP, including encryption and message authentication.","checkContent":"At the command prompt on the vCenter Server Appliance, run the following commands:\n\n# appliancesh\n# snmp.get\n\nNote: The \"appliancesh\" command is not needed if the default shell has not been changed for root.\n\nIf \"Enable\" is set to \"False\", this is not a finding.\n\nIf \"Enable\" is set to \"True\" and \"Authentication\" is not set to \"SHA1\", this is a finding.\n\nIf \"Enable\" is set to \"True\" and \"Privacy\" is not set to \"AES128\", this is a finding.\n\nIf any \"Users\" are configured with a \"Sec_level\" that does not equal \"priv\", this is a finding.","fixText":"At the command prompt on the vCenter Server Appliance, run the following commands:\n\n# appliancesh\n# snmp.set --authentication SHA1\n# snmp.set --privacy AES128\n\nTo change the security level of a user, run the following command:\n\n# snmp.set --users / /priv"},{"id":"e08117b9-b849-4ab7-83a8-061cfc31b61b","vulnId":"V-256345","severity":"medium","ruleTitle":"The vCenter server must disable SNMPv1/2 receivers.","description":"SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. Therefore, SNMPv1/2 receivers must be disabled, while SNMPv3 is configured in another control. vCenter exposes SNMP v1/2 in the UI and SNMPv3 in the CLI.","checkContent":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> General.\n\nClick \"Edit\".\n\nOn the \"SNMP receivers\" tab, note the presence of any enabled receiver.\n\nIf there are any enabled receivers, this is a finding.","fixText":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> General.\n\nClick \"Edit\".\n\nOn the \"SNMP receivers\" tab, ensure all receivers are disabled."},{"id":"52cc7ca1-3e7f-4d21-aab5-22779882a387","vulnId":"V-256346","severity":"medium","ruleTitle":"The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.","description":"By requiring that Single Sign-On (SSO) accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlock time is set to zero, once an account is locked it can only be unlocked manually by an administrator.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy. \n\nVerify the following lockout policy is set as follows:\n\nUnlock time: 0 \n\nIf this account lockout policy is not configured as stated, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy.\n\nClick \"Edit\".\n\nSet the \"Unlock time\" to \"0\" and click \"Save\"."},{"id":"4f9d7384-ebf1-4d5e-8d54-8ace87d95ebd","vulnId":"V-256347","severity":"low","ruleTitle":"The vCenter Server must disable the distributed virtual switch health check.","description":"Network health check is disabled by default. Once enabled, the health check packets contain information on host#, vds#, and port#, which an attacker would find useful. It is recommended that network health check be used for troubleshooting and turned off when troubleshooting is finished.","checkContent":"If distributed switches are not used, this is not applicable.\n\nFrom the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch >> Configure >> Settings >> Health Check.\n\nView the health check pane and verify the \"VLAN and MTU\" and \"Teaming and failover\" checks are \"Disabled\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following commands:\n\n$vds = Get-VDSwitch\n$vds.ExtensionData.Config.HealthCheckConfig\n\nIf the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding.","fixText":"From the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch >> Configure >> Settings >> Health Check.\n\nClick \"Edit\".\n\nDisable the \"VLAN and MTU\" and \"Teaming and failover\" checks.\n\nClick \"OK\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch \"False\"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}"},{"id":"c445656a-0170-4d54-bba4-1071049b0be6","vulnId":"V-256348","severity":"medium","ruleTitle":"The vCenter Server must set the distributed port group Forged Transmits policy to \"Reject\".","description":"If the virtual machine operating system changes the Media Access Control (MAC) address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network.\n\nWhen the \"Forged Transmits\" option is set to \"Accept\", ESXi does not compare source and effective MAC addresses.\n\nTo protect against MAC impersonation, set the \"Forged Transmits\" option to \"Reject\". The host compares the source MAC address being transmitted by the guest operating system with the effective MAC address for its virtual machine adapter to determine if they match. If the addresses do not match, the ESXi host drops the packet.","checkContent":"If distributed switches are not used, this is not applicable.\n\nFrom the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch and then select a port group.\n\nSelect Configure >> Settings >> Policies.\n\nVerify \"Forged Transmits\" is set to \"Reject\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following commands:\n\nGet-VDSwitch | Get-VDSecurityPolicy\nGet-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy\n\nIf the \"Forged Transmits\" policy is set to accept for a nonuplink port, and is not documented as an exception, this is a finding.","fixText":"From the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch and then select a port group.\n\nSelect Configure >> Settings >> Policies.\n\nClick \"Edit\".\n\nClick the \"Security\" tab.\n\nSet \"Forged Transmits\" to \"Reject\".\n\nClick \"OK\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following commands:\n\nGet-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false\nGet-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false"},{"id":"d2ad3d05-100f-49a7-9cb6-e9eb9e874b0e","vulnId":"V-256349","severity":"medium","ruleTitle":"The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to \"Reject\".","description":"If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network.\n\nThis will prevent virtual machines from changing their effective MAC address and will affect applications that require this functionality. This will also affect how a layer 2 bridge will operate and will affect applications that require a specific MAC address for licensing.","checkContent":"If distributed switches are not used, this is not applicable.\n\nFrom the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch and then select a port group.\n\nSelect Configure >> Settings >> Policies.\n\nVerify \"MAC Address Changes\" is set to \"Reject\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following commands:\n\nGet-VDSwitch | Get-VDSecurityPolicy\nGet-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy\n\nIf the \"MAC Address Changes\" policy is set to \"Accept\", this is a finding.","fixText":"From the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch and then select a port group.\n\nSelect Configure >> Settings >> Policies.\n\nClick \"Edit\".\n\nClick the \"Security\" tab.\n\nSet \"MAC Address Changes\" to \"Reject\".\n\nClick \"OK\".\n \nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following commands:\n\nGet-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false\nGet-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false"},{"id":"43810f41-bde1-4c8f-850b-a9aace1b1154","vulnId":"V-256350","severity":"medium","ruleTitle":"The vCenter Server must set the distributed port group Promiscuous Mode policy to \"Reject\".","description":"When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the port group have the potential of reading all packets across that network, meaning only the virtual machines connected to that port group.\n\nPromiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting.","checkContent":"If distributed switches are not used, this is not applicable.\n\nFrom the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch and then select a port group. \n\nSelect Configure >> Settings >> Policies.\n\nVerify \"Promiscuous Mode\" is set to \"Reject\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following commands:\n\nGet-VDSwitch | Get-VDSecurityPolicy\nGet-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy\n\nIf the \"Promiscuous Mode\" policy is set to \"Accept\", and is not documented as an exception, this is a finding.","fixText":"From the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch and then select a port group. \n\nSelect Configure >> Settings >> Policies.\n\nClick \"Edit\".\n\nClick the \"Security\" tab.\n\nSet \"Promiscuous Mode\" to \"Reject\".\n\nClick \"OK\".\n \nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following commands:\n\nGet-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false\nGet-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false"},{"id":"088e005d-b8b5-4116-bd54-83b8ec8a7186","vulnId":"V-256351","severity":"medium","ruleTitle":"The vCenter Server must only send NetFlow traffic to authorized collectors.","description":"The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network, making it easier for a man-in-the-middle attack to be executed successfully. If NetFlow export is required, verify that all NetFlow target Internet Protocols (IPs) are correct.","checkContent":"$21","fixText":"$22"},{"id":"548a9a74-e8da-4785-b909-34671ea94c6d","vulnId":"V-256352","severity":"medium","ruleTitle":"The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).","description":"ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up belonging to native VLAN of the physical switch.\n\nFor example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered as the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a \"1\"; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a \"1\" instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged).\n\nIf the ESXi virtual switch port group uses the native VLAN ID, traffic from those virtual machines will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic.","checkContent":"If distributed switches are not used, this is not applicable.\n\nFrom the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch >> distributed port group >> Configure >> Settings >> Policies. \n\nReview the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch.\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-VDPortgroup | select Name, VlanConfiguration\n\nIf any port group is configured with the native VLAN of the ESXi host's attached physical switch, this is a finding.","fixText":"From the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch >> distributed port group >> Configure >> Settings >> Policies.\n\nClick \"Edit\".\n\nClick the \"VLAN\" tab.\n\nChange the VLAN ID to a non-native VLAN.\n\nClick \"OK\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-VDPortgroup \"portgroup name\" | Set-VDVlanConfiguration -VlanId \"New VLAN#\""},{"id":"5b3dbd54-631f-43cf-9c53-280abddb8acc","vulnId":"V-256353","severity":"medium","ruleTitle":"The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.","description":"When a port group is set to VLAN Trunking, the vSwitch passes all network frames in the specified range to the attached virtual machines without modifying the virtual local area network (VLAN) tags. In vSphere, this is referred to as VGT.\n\nThe virtual machine must process the VLAN information itself via an 802.1Q driver in the operating system. VLAN Trunking must only be implemented if the attached virtual machines have been specifically authorized and are capable of managing VLAN tags themselves.\n\nIf VLAN Trunking is enabled inappropriately, it may cause a denial of service or allow a virtual machine to interact with traffic on an unauthorized VLAN.","checkContent":"If distributed switches are not used, this is not applicable.\n\nFrom the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch >> distributed port group >> Configure >> Settings >> Policies. \n\nReview the port group \"VLAN Type\" and \"VLAN trunk range\", if present.\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-VDPortgroup | Where {$_.ExtensionData.Config.Uplink -ne \"True\"} | Select Name,VlanConfiguration\n\nIf any port group is configured with \"VLAN trunking\" and is not documented as a needed exception (such as NSX appliances), this is a finding.\n\nIf any port group is authorized to be configured with \"VLAN trunking\" but is not configured with the most limited range necessary, this is a finding.","fixText":"From the vSphere Client, go to \"Networking\".\n\nSelect a distributed switch >> distributed port group >> Configure >> Settings >> Policies.\n\nClick \"Edit\".\n\nClick the \"VLAN\" tab.\n\nIf \"VLAN trunking\" is not authorized, remove it by setting \"VLAN type\" to \"VLAN\" and configure an appropriate VLAN ID. Click \"OK\".\n\nIf \"VLAN trunking\" is authorized but the range is too broad, modify the range in the \"VLAN trunk range\" field to the minimum necessary and authorized range. An example range would be \"1,3-5,8\". Click \"OK\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command to configure trunking:\n\nGet-VDPortgroup \"Portgroup Name\" | Set-VDVlanConfiguration -VlanTrunkRange \"\"\n\nor\n\nRun this command to configure a single VLAN ID:\n\nGet-VDPortgroup \"Portgroup Name\" | Set-VDVlanConfiguration -VlanId \"\""},{"id":"3a200a03-c7b0-429f-898a-82f99c79699b","vulnId":"V-256354","severity":"medium","ruleTitle":"The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.","description":"Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001 to 1024 and 4094, while Nexus switches typically reserve 3968 to 4094.\n\nCheck with the documentation for the organization's specific switch. Using a reserved VLAN might result in a denial of service on the network.","checkContent":"If distributed switches are not used, this is not applicable.\n\nFrom the vSphere Client, go to Networking.\n\nSelect a distributed switch >> distributed port group >> Configure >> Settings >> Policies. \n\nReview the port group VLAN tags and verify they are not set to a reserved VLAN ID.\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-VDPortgroup | select Name, VlanConfiguration\n\nIf any port group is configured with a reserved VLAN ID, this is a finding.","fixText":"From the vSphere Client, go to Networking.\n\nSelect a distributed switch >> distributed port group >> Configure >> Settings >> Policies.\n\nClick \"Edit\".\n\nClick the \"VLAN\" tab. Change the VLAN ID to an unreserved VLAN ID.\n\nClick \"OK\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-VDPortgroup \"portgroup name\" | Set-VDVlanConfiguration -VlanId \"New VLAN#\""},{"id":"015625b1-20a0-4234-83ee-068134322ad2","vulnId":"V-256355","severity":"medium","ruleTitle":"The vCenter Server must configure the \"vpxuser\" auto-password to be changed every 30 days.","description":"By default, vCenter will change the \"vpxuser\" password automatically every 30 days. Ensure this setting meets site policies. If it does not, configure it to meet password aging policies. \n\nNote: It is very important the password aging policy is not shorter than the default interval that is set to automatically change the \"vpxuser\" password to preclude the possibility that vCenter might be locked out of an ESXi host.","checkContent":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> Advanced Settings. \n\nVerify \"VirtualCenter.VimPasswordExpirationInDays\" is set to \"30\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-AdvancedSetting -Entity -Name VirtualCenter.VimPasswordExpirationInDays\n\nIf the \"VirtualCenter.VimPasswordExpirationInDays\" is set to a value other than \"30\" or does not exist, this is a finding.","fixText":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> Advanced Settings.\n\nClick \"Edit Settings\" and configure the \"VirtualCenter.VimPasswordExpirationInDays\" value to \"30\", or if the value does not exist, create it by entering the values in the \"Key\" and \"Value\" fields and clicking \"Add\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nIf the setting already exists:\n\nGet-AdvancedSetting -Entity -Name VirtualCenter.VimPasswordExpirationInDays | Set-AdvancedSetting -Value 30\n\nIf the setting does not exist:\n\nNew-AdvancedSetting -Entity -Name VirtualCenter.VimPasswordExpirationInDays -Value 30"},{"id":"c696d51c-3866-40aa-998f-41d1f56e5d3e","vulnId":"V-256356","severity":"medium","ruleTitle":"The vCenter Server must configure the \"vpxuser\" password to meet length policy.","description":"The \"vpxuser\" password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies.\n\nLonger passwords make brute-force password attacks more difficult. The \"vpxuser\" password is added by vCenter, meaning no manual intervention is normally required. The \"vpxuser\" password length must never be modified to less than the default length of 32 characters.","checkContent":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> Advanced Settings. \n\nVerify \"config.vpxd.hostPasswordLength\" is set to \"32\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-AdvancedSetting -Entity -Name config.vpxd.hostPasswordLength and verify it is set to 32.\n\nIf the \"config.vpxd.hostPasswordLength\" is set to a value other than \"32\", this is a finding.\n\nIf the setting does not exist, this is not a finding.","fixText":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> Advanced Settings.\n\nClick \"Edit Settings\" and configure the \"config.vpxd.hostPasswordLength\" value to \"32\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-AdvancedSetting -Entity -Name config.vpxd.hostPasswordLength | Set-AdvancedSetting -Value 32"},{"id":"ecc4fb3f-af4c-4e9b-8ec1-4aa23b557188","vulnId":"V-256357","severity":"medium","ruleTitle":"The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.","description":"vCenter and the embedded Lifecycle Manager system must never have a direct route to the internet. Despite this, updates and patches sourced from VMware on the internet must be delivered in a timely manner.\n\nThere are two methods to accomplish this: a proxy server and the Update Manager Download Service (UMDS). UMDS is an optional module for Lifecycle Manager that fetches upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to an isolated Lifecycle Manager directly.\n\nAlternatively, a proxy for Lifecycle Manager can be configured to allow controlled, limited access to the public internet for the sole purpose of patch gathering. Either solution mitigates the risk of internet connectivity by limiting its scope and use.","checkContent":"$23","fixText":"Option 1:\n\nFrom the vSphere Client, go to Lifecycle Manager >> Settings >> Patch Setup.\n\nClick the \"Change Download Source\" button.\n\nSelect the \"Download patches from a UMDS shared repository\" radio button and supply a valid UMDS repository.\n\nClick \"Save\".\n\nOption 2:\n\nFrom the vSphere Client, go to Lifecycle Manager >> Settings >> Patch Setup.\n\nClick the \"Change Download Source\" button.\n\nSelect the \"Download patches directly from the internet\" radio button.\n\nClick \"Save\".\n\nNavigate to the vCenter Server Management interface at https://:5480 >> Networking >> Proxy Settings.\n\nClick \"Edit\".\n\nSlide \"HTTPS\" to \"Enabled\".\n\nSupply the appropriate proxy server configuration.\n\nClick \"Save\".\n\nOption 3:\n\nFrom the vSphere Client, go to Lifecycle Manager >> Settings >> Patch Downloads.\n\nClick \"Edit\" and uncheck \"Download patches\". \n\nUnder \"Patch Setup\", select each download source and click \"Disable\"."},{"id":"0c565454-ef61-40b8-bc90-c52dd2eebe36","vulnId":"V-256358","severity":"medium","ruleTitle":"The vCenter Server must use unique service accounts when applications connect to vCenter.","description":"To not violate nonrepudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they must use unique service accounts.","checkContent":"Verify each external application that connects to vCenter has a unique service account dedicated to that application.\n\nFor example, there should be separate accounts for Log Insight, Operations Manager, or anything else that requires an account to access vCenter.\n\nIf any application shares a service account that is used to connect to vCenter, this is a finding.","fixText":"For applications sharing service accounts, create a new service account to assign to the application so that no application shares a service account with another.\n\nWhen standing up a new application that requires access to vCenter, always create a new service account prior to installation and grant only the permissions needed for that application."},{"id":"91fd0f23-8f45-4418-9393-a86a3d82edd2","vulnId":"V-256359","severity":"medium","ruleTitle":"The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.","description":"Virtual machines might share virtual switches and virtual local area networks (VLAN) with the IP-based storage configurations. \n\nIP-based storage includes vSAN, Internet Small Computer System Interface (iSCSI), and Network File System (NFS). This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network.\n\nTo restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and virtual machines will limit unauthorized users from viewing the traffic.","checkContent":"$24","fixText":"$25"},{"id":"45599eed-74fa-447c-8ea8-2e7849511800","vulnId":"V-256360","severity":"medium","ruleTitle":"The vCenter server must be configured to send events to a central log server.","description":"vCenter server generates volumes of security-relevant application-level events. Examples include logins, system reconfigurations, system degradation warnings, and more. To ensure these events are available for forensic analysis and correlation, they must be sent to the syslog and forwarded on to the configured Security Information and Event Management (SIEM) system and/or central log server.\n\nThe vCenter server sends events to syslog by default, but this configuration must be verified and maintained.","checkContent":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> Advanced Settings.\n\nVerify the \"vpxd.event.syslog.enabled\" value is set to \"true\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-AdvancedSetting -Entity -Name vpxd.event.syslog.enabled\n\nIf the \"vpxd.event.syslog.enabled\" value is not set to \"true\", this is a finding.","fixText":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> Advanced Settings.\n\nClick \"Edit Settings\" and configure the \"vpxd.event.syslog.enabled\" setting to \"true\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-AdvancedSetting -Entity -Name vpxd.event.syslog.enabled | Set-AdvancedSetting -Value true"},{"id":"1b771b5f-36e9-4e6a-88d1-1640cce2f47e","vulnId":"V-256361","severity":"medium","ruleTitle":"The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.","description":"The vSAN Health Check is able to download the HCL from VMware to check compliance against the underlying vSAN Cluster hosts. To ensure the vCenter server is not directly downloading content from the internet, this functionality must be disabled. If this feature is necessary, an external proxy server must be configured.","checkContent":"If no clusters are enabled for vSAN, this is not applicable.\n\nFrom the vSphere Client, go to Host and Clusters.\n\nSelect the vCenter Server >> Configure >> vSAN >> Internet Connectivity.\n\nIf the HCL internet download is not required, verify \"Status\" is \"Disabled\". \n\nIf the \"Status\" is \"Enabled\", this is a finding.\n\nIf the HCL internet download is required, verify \"Status\" is \"Enabled\" and a proxy host is configured. \n\nIf \"Status\" is \"Enabled\" and a proxy is not configured, this is a finding.","fixText":"From the vSphere Client, go to Host and Clusters.\n\nSelect the vCenter Server >> Configure >> vSAN >> Internet Connectivity.\n\nClick \"Edit\".\n\nIf the HCL internet download is not required, ensure \"Status\" is \"Disabled\".\n\nIf the HCL internet download is required, ensure \"Status\" is \"Enabled\" and a proxy host is appropriately configured."},{"id":"6e5c7d5c-269f-48a7-980d-6932ba5ac90e","vulnId":"V-256362","severity":"medium","ruleTitle":"The vCenter Server must configure the vSAN Datastore name to a unique name.","description":"A vSAN Datastore name by default is \"vsanDatastore\". If more than one vSAN cluster is present in vCenter, both datastores will have the same name by default, potentially leading to confusion and manually misplaced workloads.","checkContent":"If no clusters are enabled for vSAN, this is not applicable.\n\nFrom the vSphere Client, go to Host and Clusters.\n\nSelect a vSAN Enabled Cluster >> Datastores.\n\nReview the datastores and identify any datastores with \"vSAN\" as the datastore type.\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following commands:\n\nIf($(Get-Cluster | where {$_.VsanEnabled} | Measure).Count -gt 0){\nWrite-Host \"vSAN Enabled Cluster found\"\nGet-Cluster | where {$_.VsanEnabled} | Get-Datastore | where {$_.type -match \"vsan\"}\n}\nelse{\nWrite-Host \"vSAN is not enabled, this finding is not applicable\"\n}\n\nIf vSAN is enabled and a datastore is named \"vsanDatastore\", this is a finding.","fixText":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vSAN Enabled Cluster >> Datastores.\n\nRight-click on the datastore named \"vsanDatastore\" and select \"Rename\".\n\nRename the datastore based on site-specific naming standards.\n\nClick \"OK\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following commands:\n\nIf($(Get-Cluster | where {$_.VsanEnabled} | Measure).Count -gt 0){\nWrite-Host \"vSAN Enabled Cluster found\"\n$Clusters = Get-Cluster | where {$_.VsanEnabled} \nForeach ($clus in $clusters){\n $clus | Get-Datastore | where {$_.type -match \"vsan\"} | Set-Datastore -Name $(($clus.name) + \"_vSAN_Datastore\")\n}\n}\nelse{\nWrite-Host \"vSAN is not enabled, this finding is not applicable\"\n}"},{"id":"168b6b0b-57ec-44e2-999e-98c1aa7fc72b","vulnId":"V-256363","severity":"low","ruleTitle":"The vCenter Server must disable Username/Password and Windows Integrated Authentication.","description":"All forms of authentication other than Common Access Card (CAC) must be disabled. Password authentication can be temporarily reenabled for emergency access to the local Single Sign-On (SSO) accounts or Active Directory user/pass accounts, but it must be disabled as soon as CAC authentication is functional.","checkContent":"If a federated identity provider is configured and used for an identity source, this is not applicable.\n\nFrom the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.\n\nUnder \"Authentication method\", examine the allowed methods.\n\nIf \"Smart card authentication\" is not enabled and \"Password and windows session authentication\" is not disabled , this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.\n\nNext to \"Authentication method\", click \"Edit\".\n\nSelect the radio button to \"Enable smart card authentication\".\n\nClick \"Save\".\n\nTo reenable password authentication for troubleshooting purposes, run the following command on the vCenter Server Appliance:\n\n# /opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local"},{"id":"a4163006-04cd-4acc-87b5-51137d16820f","vulnId":"V-256364","severity":"medium","ruleTitle":"The vCenter Server must restrict access to the default roles with cryptographic permissions.","description":"In vSphere, a number of default roles contain permission to perform cryptographic operations such as Key Management Server (KMS) functions and encrypting and decrypting virtual machine disks. These roles must be reserved for cryptographic administrators where virtual machine encryption and/or vSAN encryption is in use.\n\nA new built-in role called \"No Cryptography Administrator\" exists to provide all administrative permissions except cryptographic operations. Permissions must be restricted such that normal vSphere administrators are assigned the \"No Cryptography Administrator\" role or more restrictive.\n\nThese default roles must be tightly controlled and must not be applied to administrators who will not be doing cryptographic work. Catastrophic data loss can result from poorly administered cryptography.","checkContent":"By default, there are four roles that contain cryptographic-related permissions: Administrator, No Trusted Infrastructure Administrator, vCLSAdmin, and vSphere Kubernetes Manager.\n\nFrom the vSphere Client, go to Administration >> Access Control >> Roles.\n\nor\n\nFrom a PowerCLI command prompt while connected to the vCenter server, run the following command:\n\nGet-VIPermission | Where {$_.Role -eq \"Admin\" -or $_.Role -eq \"NoTrustedAdmin\" -or $_.Role -eq \"vCLSAdmin\" -or $_.Role -eq \"vSphereKubernetesManager\"} | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto\n\nIf there are any users or groups assigned to the default roles with cryptographic permissions and are not explicitly designated to perform cryptographic operations, this is a finding.\n\nThe built-in solution users assigned to the administrator role are NOT a finding.","fixText":"From the vSphere Client, go to Administration >> Access Control >> Roles.\n\nMove any accounts not explicitly designated for cryptographic operations, other than Solution Users, to other roles such as \"No Cryptography Administrator\"."},{"id":"e5b6713d-341c-4383-9b20-002dd446eb0f","vulnId":"V-256365","severity":"medium","ruleTitle":"The vCenter Server must restrict access to cryptographic permissions.","description":"These permissions must be reserved for cryptographic administrators where virtual machine encryption and/or vSAN encryption is in use. Catastrophic data loss can result from poorly administered cryptography.","checkContent":"$26","fixText":"From the vSphere Client, go to Administration >> Access Control >> Roles.\n\nHighlight the target custom role and click \"Edit\".\n\nRemove the following permissions from any custom role that is not authorized to perform cryptographic-related operations:\n\nCryptographic Operations privileges\nGlobal.Diagnostics\nHost.Inventory.Add host to cluster\nHost.Inventory.Add standalone host\nHost.Local operations.Manage user groups"},{"id":"711d302b-0c6c-4cd3-aaf8-dcf75596d1ef","vulnId":"V-256366","severity":"medium","ruleTitle":"The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.","description":"When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host, the potential exists for a man-in-the-middle attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.","checkContent":"If no clusters are enabled for vSAN or if vSAN is enabled but iSCSI is not enabled, this is not applicable.\n\nFrom the vSphere Client, go to Host and Clusters.\n\nSelect a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service.\n\nFor each iSCSI target, review the value in the \"Authentication\" column.\n\nIf the Authentication method is not set to \"CHAP_Mutual\" for any iSCSI target, this is a finding.","fixText":"From the vSphere Client, go to Host and Clusters. \n\nSelect a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service.\n\nFor each iSCSI target, select the item and click \"Edit\".\n\nChange the \"Authentication\" field to \"Mutual CHAP\" and configure the incoming and outgoing users and secrets appropriately."},{"id":"2bb8c164-6044-40b7-94e5-5b43c015438c","vulnId":"V-256367","severity":"medium","ruleTitle":"The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).","description":"The KEK for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the datastore. A shallow rekey is a procedure in which the KMS issues a new KEK to the ESXi host, which rewraps the DEK but does not change the DEK or any data on disk.\n\nThis operation must be done on a regular, site-defined interval and can be viewed as similar in criticality to changing an administrative password. If the KMS is compromised, a standing operational procedure to rekey will put a time limit on the usefulness of any stolen KMS data.","checkContent":"If vSAN is not in use, this is not applicable.\n\nInterview the system administrator (SA) to determine that a procedure has been put in place to perform a shallow rekey of all vSAN encrypted datastores at regular, site-defined intervals.\n\nVMware recommends a 60-day rekey task, but this interval must be defined by the SA and the information system security officer (ISSO).\n\nIf vSAN encryption is not in use, this is not a finding.\n\nIf vSAN encryption is in use and a regular rekey procedure is not in place, this is a finding.","fixText":"If vSAN encryption is in use, ensure a regular rekey procedure is in place."},{"id":"4d1f99c9-d956-477e-ae22-5a5a989d9e5f","vulnId":"V-256368","severity":"medium","ruleTitle":"The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source.","description":"LDAP is an industry standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encrypted tunnel. To protect confidentiality of LDAP communications, secure LDAP (LDAPS) must be explicitly configured when adding an LDAP identity source in vSphere Single Sign-On (SSO).\n\nWhen configuring an identity source and supplying an SSL certificate, vCenter will enforce LDAPS. The server URLs do not need to be explicitly provided if an SSL certificate is uploaded.","checkContent":"If LDAP is not used as an identity provider, this is not applicable.\n\nFrom the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider.\n\nClick the \"Identity Sources\" tab.\n\nFor each identity source of type \"Active Directory over LDAP\", if the \"Server URL\" does not indicate \"ldaps://\", this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider. \n\nClick the \"Identity Sources\" tab.\n\nFor each identity source of type \"Active Directory over LDAP\" where LDAPS is not configured, highlight the item and click \"Edit\".\n\nEnsure the primary and secondary server URLs, if specified, are configured for \"ldaps://\".\n\nAt the bottom, click the \"Browse\" button, select the AD LDAP cert previously exported to the local computer, click \"Open\", and \"Save\" to complete modifications.\n\nNote: With LDAPS, the server must be a specific domain controller and its specific certificate or the domain alias with a certificate that is valid for that URL."},{"id":"f3f4c6bb-e375-46dd-8b8f-90e55433a7c3","vulnId":"V-256369","severity":"medium","ruleTitle":"The vCenter Server must use a limited privilege account when adding a Lightweight Directory Access Protocol (LDAP) identity source.","description":"When adding an LDAP identity source to vSphere Single Sign-On (SSO), the account used to bind to Active Directory must be minimally privileged. This account only requires read rights to the base domain name specified. Any other permissions inside or outside of that organizational unit are unnecessary and violate least privilege.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider.\n\nClick the \"Identity Sources\" tab.\n\nFor each identity source with a type of \"Active Directory over LDAP\", highlight the item and click \"Edit\". \n\nIf the account that is configured to bind to the LDAP server is not one with minimal privileges, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider.\n\nClick the \"Identity Sources\" tab.\n\nFor each identity source that has been configured with a highly privileged Active Directory account, highlight the item and click \"Edit\".\n\nChange the username and password to one with read-only rights to the base DN and complete the dialog."},{"id":"1b6fd8a0-eb3e-4575-970a-1df530e271c7","vulnId":"V-256370","severity":"medium","ruleTitle":"The vCenter Server must limit membership to the \"SystemConfiguration.BashShellAdministrators\" Single Sign-On (SSO) group.","description":"vCenter SSO integrates with PAM in the underlying Photon operating system so members of the \"SystemConfiguration.BashShellAdministrators\" SSO group can log on to the operating system without needing a separate account. However, even though unique SSO users log on, they are transparently using a group account named \"sso-user\" as far as Photon auditing is concerned. While the audit trail can still be traced back to the individual SSO user, it is a more involved process.\n\nTo force accountability and nonrepudiation, the SSO group \"SystemConfiguration.BashShellAdministrators\" must be severely restricted.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups.\n\nClick the next page arrow until the \"SystemConfiguration.BashShellAdministrators\" group appears.\n\nClick \"SystemConfiguration.BashShellAdministrators\".\n\nReview the members of the group and ensure that only authorized accounts are present.\n\nNote: These accounts act as root on the Photon operating system and have the ability to severely damage vCenter, inadvertently or otherwise.\n\nIf there are any accounts present as members of SystemConfiguration.BashShellAdministrators that are not authorized, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups.\n\nClick the next page arrow until the \"SystemConfiguration.BashShellAdministrators\" group appears.\n\nClick \"SystemConfiguration.BashShellAdministrators\".\n\nClick the three vertical dots next to the name of each unauthorized account.\n\nSelect \"Remove Member\"."},{"id":"fbf98331-d915-400d-a673-44551689d57f","vulnId":"V-256371","severity":"medium","ruleTitle":"The vCenter Server must limit membership to the \"TrustedAdmins\" Single Sign-On (SSO) group.","description":"The vSphere \"TrustedAdmins\" group grants additional rights to administer the vSphere Trust Authority feature.\n\nTo force accountability and nonrepudiation, the SSO group \"TrustedAdmins\" must be severely restricted.","checkContent":"From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups.\n\nClick the next page arrow until the \"TrustedAdmins\" group appears.\n\nClick \"TrustedAdmins\".\n\nReview the members of the group and verify only authorized accounts are present.\n\nNote: These accounts act as root on the Photon operating system and have the ability to severely damage vCenter, inadvertently or otherwise.\n\nIf any accounts are present as members of \"TrustedAdmins\" that are not authorized, this is a finding.","fixText":"From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups.\n\nClick the next page arrow until the \"TrustedAdmins\" group appears.\n\nClick \"TrustedAdmins\".\n\nClick the three vertical dots next to the name of each unauthorized account.\n\nSelect \"Remove Member\"."},{"id":"9ff48df0-730e-449c-b9d1-706e2c757ebb","vulnId":"V-256372","severity":"medium","ruleTitle":"The vCenter server configuration must be backed up on a regular basis.","description":"vCenter server is the control plane for the vSphere infrastructure and all the workloads it hosts. As such, vCenter is usually a highly critical system in its own right. Backups of vCenter can now be made at a data and configuration level versus traditional storage/image-based backups. This reduces recovery time by letting the system administrator (SA) spin up a new vCenter while simultaneously importing the backed-up data.\n\nFor sites that implement the Native Key Provider (NKP), introduced in 7.0 Update 2, regular vCenter backups are critical. In a recovery scenario where the virtual machine files are intact but vCenter was lost, the encrypted virtual machines will not be able to boot as their private keys were stored in vCenter after it was last backed up. When using the NKP, vCenter becomes critical to the virtual machine workloads and ceases to be just the control plane.","checkContent":"Option 1:\n\nIf vCenter is backed up in a traditional manner, at the storage array level, interview the SA to determine configuration and schedule.\n\nOption 2:\n\nFor vCenter native backup functionality, open the Virtual Appliance Management Interface (VAMI) by navigating to https://:5480.\n\nLog in with local operating system administrative credentials or with a Single Sign-On (SSO) account that is a member of the \"SystemConfiguration.BashShellAdministrator\" group.\n\nSelect \"Backup\" on the left navigation pane.\n\nOn the resulting pane on the right, verify the \"Status\" is \"Enabled\".\n\nClick \"Status\" to expand the backup details.\n\nIf vCenter server backups are not configured and there is no other vCenter backup system, this is a finding.\n\nIf the backup configuration is not set to a proper, reachable location or if the schedule is anything less frequent than \"Daily\", this is a finding.","fixText":"Option 1:\n\nImplement and document a VMware-supported storage/image-based backup schedule.\n\nOption 2:\n\nTo configure vCenter native backup functionality, open the VAMI by navigating to https://:5480.\n\nLog in with local operating system administrative credentials or with an SSO account that is a member of the \"SystemConfiguration.BashShellAdministrator\" group.\n\nSelect \"Backup\" on the left navigation pane.\n\nOn the resulting pane on the right, click \"Configure\" (or \"Edit\" for an existing configuration).\n\nEnter site-specific information for the backup job.\n\nEnsure \"Schedule\" is set to \"Daily\". Limiting the number of retained backups is recommended but not required.\n\nClick \"Create\"."},{"id":"09bc7982-fe8f-4d58-95c6-c9c2038eed03","vulnId":"V-256373","severity":"medium","ruleTitle":"vCenter task and event retention must be set to at least 30 days.","description":"vCenter tasks and events contain valuable historical actions, useful in troubleshooting availability issues and for incident forensics. While vCenter events are sent to central log servers in real time, it is important that administrators have quick access to this information when needed.\n\nvCenter retains 30 days of tasks and events by default, and this is sufficient for most purposes. The vCenter disk partitions are also sized with this in mind. Decreasing is not recommended for operational reasons, while increasing is not recommended unless guided by VMware support due to the partition sizing concerns.","checkContent":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> General.\n\nClick to expand the \"Database\" section.\n\nNote the \"Task retention\" and \"Event retention\" values.\n\nIf either value is configured to less than \"30\" days, this is a finding.","fixText":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Settings >> General.\n\nClick \"Edit\".\n\nOn the \"Database\" tab, set the value for both \"Task retention\" and \"Event retention\" to \"30\" days (default) or greater, as required by the site.\n\nClick \"Save\"."},{"id":"bb2f8ead-8591-4f66-b235-4e700ab340d9","vulnId":"V-256374","severity":"medium","ruleTitle":"vCenter Native Key Providers must be backed up with a strong password.","description":"The vCenter Native Key Provider feature was introduced in U2 and acts as a key provider for encryption-based capabilities, such as encrypted virtual machines without requiring an external KMS solution. When enabling this feature, a backup must be taken that is a PKCS#12 formatted file. If no password is provided during the backup process, this presents the opportunity for this to be used maliciously and compromise the environment.","checkContent":"If the vCenter Native Key Provider feature is not in use, this is not applicable.\n\nInterview the system administrator and determine if a password was provided for any backups taken of the Native Key Provider.\n\nIf backups exist for the Native Key Provider that are not password protected, this is a finding.","fixText":"From the vSphere Client, go to Host and Clusters.\n\nSelect a vCenter Server >> Configure >> Security >> Key Providers.\n\nSelect the Native Key Provider, click \"Back-up\", and check the box \"Protect Native Key Provider data with password\".\n\nProvide a strong password and click \"Back up key provider\".\n\nDelete any previous backups that were not protected with a password."}]}]]}]

VMware vSphere 7.0 vCenter Security Technical Implementation Guide

Checks (57)