Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

VMware NSX Manager Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2016-06-27
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
c
The NSX vCenter must be configured to use an authentication server to provide automated support for account management functions to centrally control the authentication process for the purpose of granting administrative access.
AC-2 - High - CCI-000015 - V-69161 - SV-83765r1_rule
RMF Control
AC-2
Severity
High
CCI
CCI-000015
Version
VNSX-ND-000006
Vuln IDs
  • V-69161
Rule IDs
  • SV-83765r1_rule
Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations and privilege levels. NSX Manager must be configured to automatically provide account management functions, and these functions must immediately enforce the organization's current account policy. All accounts used for access to the NSX components are privileged or system-level accounts. Therefore, if account management functions are not automatically enforced, an attacker could gain privileged access to a vital element of the network security architecture. With the exception of the account of last resort, all accounts must be created and managed on the site's authentication server (e.g., RADIUS, LDAP, or Active Directory). This requirement is applicable to account management functions provided by the network device.
Checks: C-69599r1_chk

Verify the Windows server hosting vCenter is joined to the domain and access to the server and vCenter is done using Active Directory accounts. If the vCenter server is not joined to an Active Directory domain, this is a finding. If Active Directory-based accounts are not used for daily operations of the vCenter server, this is a finding. If Active Directory is not used in the environment, this is not applicable.

Fix: F-75347r1_fix

If the server hosting vCenter is not joined to the domain, follow the OS-specific procedures to join it to Active Directory. If local accounts are used for normal operations, Active Directory accounts should be created and used.

c
The NSX vCenter must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
AC-3 - High - CCI-000213 - V-69163 - SV-83767r1_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
VNSX-ND-000013
Vuln IDs
  • V-69163
Rule IDs
  • SV-83767r1_rule
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Network devices use access control policies and enforcement mechanisms to implement this requirement.
Checks: C-69601r1_chk

Verify the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.

Fix: F-75349r1_fix

To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign and enter a name for the role and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.

b
The NSX vCenter must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
AC-7 - Medium - CCI-000044 - V-69165 - SV-83769r1_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
VNSX-ND-000015
Vuln IDs
  • V-69165
Rule IDs
  • SV-83769r1_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced.
Checks: C-69603r1_chk

Verify vCenter Server is configured to a limit of three consecutive invalid logon attempts by a Single Sign-On user and Active Directory user during a 15-minute time period. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policies must be set as follows: Maximum number of failed logon attempts: 3 Time interval between failures: 900 seconds Unlock time: 0 If any of these account lockout policies are not configured in Single Sign-On and Active Directory as stated, this is a finding.

Fix: F-75351r1_fix

Change vCenter Server configuration to a limit of three consecutive invalid logon attempts by a Single Sign-On and Active Directory user during a 15-minute time period. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policies must be set as follows: Maximum number of failed logon attempts: 3 Time interval between failures: 900 seconds Unlock time: 0 Ensure Active Directory is configured with these account lockout settings as stated.

c
The NSX Manager must not have any default manufacturer passwords when deployed.
IA-5 - High - CCI-002041 - V-69167 - SV-83771r1_rule
RMF Control
IA-5
Severity
High
CCI
CCI-002041
Version
VNSX-ND-000022
Vuln IDs
  • V-69167
Rule IDs
  • SV-83771r1_rule
Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password and gain access to the device, which can result in loss of availability, confidentiality, or integrity of network traffic. Many default vendor passwords are well known or are easily guessed; therefore, not removing them prior to deploying the network device into production provides an opportunity for a malicious user to gain unauthorized access to the device.
Checks: C-69605r1_chk

Verify NSX Manager does not have the default manufacturer password. Log into NSX Manager with built-in administrator account "admin" with the default manufacturer password "default". If the NSX Manager accepts the default manufacturer password, this is a finding.

Fix: F-75353r1_fix

Change the NSX Manager default manufacturer password. Log into NSX Manager with built-in administrator account "admin" and the default manufacturer password "default". Type "configure terminal", hit enter >> type "cli password" [enter new password], hit enter >> type "exit" >> type "exit".

b
The NSX vCenter must protect audit information from any type of unauthorized read access.
AU-9 - Medium - CCI-000162 - V-69171 - SV-83775r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VNSX-ND-000037
Vuln IDs
  • V-69171
Rule IDs
  • SV-83775r1_rule
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could use to his or her advantage. To ensure the veracity of audit data, the information system and/or the network device must protect audit information from any and all unauthorized read access. This requirement can be achieved through multiple methods which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories. Additionally, network devices with user interfaces to audit records must not allow for the unfettered manipulation of or access to those records via the device interface. If the device provides access to the audit data, the device becomes accountable for ensuring audit information is protected from unauthorized access.
Checks: C-69607r1_chk

Verify the application must reveal error messages only to authorized individuals. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.

Fix: F-75355r1_fix

To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign and enter a name for the role and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.

a
The NSX Manager must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
AU-9 - Low - CCI-001348 - V-69173 - SV-83777r1_rule
RMF Control
AU-9
Severity
Low
CCI
CCI-001348
Version
VNSX-ND-000043
Vuln IDs
  • V-69173
Rule IDs
  • SV-83777r1_rule
Protection of log data includes verifying log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to verify, in the event of a catastrophic system failure, the audit records will be retained. This helps to verify a compromise of the information system being audited does not also result in a compromise of the audit records.
Checks: C-69613r1_chk

Verify NSX Manager backups are being sent to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select Backup and Restore >> Backup History. Confirm there are current backups and records are being backed up at a consistent interval. If backups are not being sent to a centralized location when changes occur or weekly, whichever is sooner, this is a finding.

Fix: F-75359r1_fix

Change NSX Manager backup configurations to send backups to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select "Backup and Restore". To specify the backup location, click "Change" next to "FTP Server Settings". Type the IP address or host name of the backup system. From the Transfer Protocol drop-down menu, select either "SFTP" or "FTP", based on what the destination supports. Edit the default port if required. Type the username and password required to log on to the backup system. In the Backup Directory field, type the absolute path where backups will be stored. Type a text string in Filename Prefix. (This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type "ppdb", the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.) Type the passphrase to secure the backup. You will need this passphrase to restore the backup. Click "OK". For an on-demand backup, click "Backup". For scheduled backups, click "Change" next to Scheduling (frequency must be when changes occur or weekly, whichever is sooner). From the Backup Frequency drop-down menu, select "Hourly", "Daily", or "Weekly". The Day of Week, Hour of Day, and Minute drop-down menus are disabled based on the selected frequency. For example, if you select "Daily", the Day of Week drop-down menu is disabled as this field is not applicable to a daily frequency. For a weekly backup, select the day of the week the data must be backed up. For a weekly or daily backup, select the hour at which the backup must begin. Select the minute to begin and click "Schedule". (Do not exclude logs and flow data from being backed up.) Click "OK."

b
The NSX vCenter must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-69175 - SV-83779r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
VNSX-ND-000055
Vuln IDs
  • V-69175
Rule IDs
  • SV-83779r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-69615r1_chk

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Minimum Length: 15. If this password policy is not configured as stated, this is a finding.

Fix: F-75361r1_fix

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set the Minimum Length to "15" and click "OK".

b
The NSX vCenter must prohibit password reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-69177 - SV-83781r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
VNSX-ND-000056
Vuln IDs
  • V-69177
Rule IDs
  • SV-83781r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the network device allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.
Checks: C-69617r1_chk

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the value of the "Restrict reuse" setting. If the "Restrict reuse" policy is not set to "5" or more, this is a finding.

Fix: F-75363r1_fix

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit" and enter "5" into the "Restrict reuse" setting. Click "OK".

b
If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one upper-case character be used.
IA-5 - Medium - CCI-000192 - V-69179 - SV-83783r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
VNSX-ND-000057
Vuln IDs
  • V-69179
Rule IDs
  • SV-83783r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-69619r1_chk

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Upper-case Characters: At least "1" If this password complexity policy is not configured as stated, this is a finding.

Fix: F-75365r1_fix

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Upper-case Characters to at least "1" and click "OK".

b
If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 - Medium - CCI-000193 - V-69181 - SV-83785r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
VNSX-ND-000058
Vuln IDs
  • V-69181
Rule IDs
  • SV-83785r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-69621r1_chk

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Lower-case Characters: At least "1" If this password complexity policy is not configured as stated, this is a finding.

Fix: F-75367r1_fix

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Lower-case Characters to at least "1" and click "OK".

b
If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-69183 - SV-83787r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
VNSX-ND-000059
Vuln IDs
  • V-69183
Rule IDs
  • SV-83787r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-69623r1_chk

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Numeric Characters: At least "1" If this password complexity policy is not configured as stated, this is a finding.

Fix: F-75369r1_fix

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Numeric Characters to at least "1" and click "OK".

b
If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-69185 - SV-83789r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
VNSX-ND-000060
Vuln IDs
  • V-69185
Rule IDs
  • SV-83789r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-69625r1_chk

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirements should be set at a minimum: Special Characters: At least "1" If this password complexity policy is not configured as stated, this is a finding.

Fix: F-75371r1_fix

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Special Characters to at least "1" and click "OK".

b
The NSX vCenter must enforce a 60-day maximum password lifetime restriction.
IA-5 - Medium - CCI-000199 - V-69187 - SV-83791r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
VNSX-ND-000065
Vuln IDs
  • V-69187
Rule IDs
  • SV-83791r1_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the network device does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the passwords could be compromised. This requirement does not include emergency administration accounts which are meant for access to the network device in case of failure. These accounts are not required to have maximum password lifetime restrictions.
Checks: C-69627r1_chk

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the value of the "Maximum lifetime" setting. If the "Maximum lifetime" policy is not set to "60", this is a finding.

Fix: F-75373r1_fix

From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Enter "60" into the "Maximum lifetime" setting and click "OK".

b
The NSX vCenter must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - Medium - CCI-001133 - V-69189 - SV-83793r1_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
VNSX-ND-000071
Vuln IDs
  • V-69189
Rule IDs
  • SV-83793r1_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-69629r1_chk

Verify the vSphere Web Client sessions terminate after 10 minutes of idle time, requiring the user to log on again to resume using the client. You can view the timeout value by viewing the webclient.properties file. On the system where vCenter is installed, locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client Find the session.timeout = line in the webclient.properties file. If the session timeout is not set to 10 in the webclient.properties file, this is a finding.

Fix: F-75375r1_fix

Change the timeout value by editing the webclient.properties file. On the system where vCenter is installed, locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client Edit the file to include the line "session.timeout = 10" where 10 is the timeout value in minutes. Uncomment the line if necessary. After editing the file, the vSphere Web Client service must be restarted.

b
The NSX vCenter must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
SI-11 - Medium - CCI-001314 - V-69191 - SV-83795r1_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
VNSX-ND-000077
Vuln IDs
  • V-69191
Rule IDs
  • SV-83795r1_rule
Only authorized personnel must be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state. Additionally, sensitive account information must not be revealed through error messages to unauthorized personnel or their designated representatives.
Checks: C-69631r1_chk

Verify the application must reveal error messages only to authorized individuals. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.

Fix: F-75377r1_fix

To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign, enter a name for the role, and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.

b
The NSX vCenter must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
AC-12 - Medium - CCI-002361 - V-69193 - SV-83797r1_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
VNSX-ND-000083
Vuln IDs
  • V-69193
Rule IDs
  • SV-83797r1_rule
Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever an administrator (or process acting on behalf of a user) accesses a network device. Such administrator sessions can be terminated (and thus terminate network administrator access) without terminating network sessions. Session termination terminates all processes associated with an administrator's logical session except those processes that are specifically created by the administrator (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. These conditions will vary across environments and network device types.
Checks: C-69633r1_chk

Verify the vSphere Web Client sessions terminate after 10 minutes of idle time, requiring the user to log on again to resume using the client. View the timeout value by viewing the webclient.properties file. On the system where vCenter is installed, locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client Find the session.timeout = line in the webclient.properties file. If the session timeout is not set to 10 in the webclient.properties file, this is a finding.

Fix: F-75379r1_fix

Change the timeout value by editing the webclient.properties file. On the system where vCenter is installed, locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client Edit the file to include the line "session.timeout = 10" where 10 is the timeout value in minutes. Uncomment the line if necessary. After editing the file, the vSphere Web Client service must be restarted.

b
If the NSX vCenter uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects.
CM-6 - Medium - CCI-000366 - V-69195 - SV-83799r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VNSX-ND-000091
Vuln IDs
  • V-69195
Rule IDs
  • SV-83799r1_rule
Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When administrators are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every administrator (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. The RBAC policies and the subjects and objects are defined uniquely for each network device, so they cannot be specified in the requirement.
Checks: C-69635r1_chk

Verify role-based access control. The network device must enforce organization-defined role-based access control policies over defined subjects and objects. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.

Fix: F-75381r1_fix

To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign and enter a name for the role and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.

b
The NSX vCenter must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-6 - Medium - CCI-002235 - V-69197 - SV-83801r1_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002235
Version
VNSX-ND-000092
Vuln IDs
  • V-69197
Rule IDs
  • SV-83801r1_rule
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations.
Checks: C-69637r1_chk

Verify that non-privileged users are prevented from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.

Fix: F-75383r1_fix

To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign, enter a name for the role, and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.

b
The NSX vCenter must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
AC-7 - Medium - CCI-002238 - V-69199 - SV-83803r1_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-002238
Version
VNSX-ND-000094
Vuln IDs
  • V-69199
Rule IDs
  • SV-83803r1_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Checks: C-69639r1_chk

Verify vCenter Server is configured to a limit of three consecutive invalid logon attempts by a Single Sign-On user and Active Directory user during a 15-minute time period. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policies must be set as follows: Maximum number of failed login attempts: 3 Time interval between failures: 900 seconds Unlock time: 0 If any of these account lockout policies are not configured in Single Sign-On and Active Directory as stated, this is a finding.

Fix: F-75385r1_fix

Change vCenter Server configuration to a limit of three consecutive invalid logon attempts by a Single Sign-On and Active Directory user during a 15-minute time period. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policies must be set as follows: Maximum number of failed login attempts: 3 Time interval between failures: 900 seconds Unlock time: 0 Ensure Active Directory is configured with these account lockout settings as stated.

b
The NSX vCenter must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real time.
AU-12 - Medium - CCI-001914 - V-69201 - SV-83805r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-001914
Version
VNSX-ND-000096
Vuln IDs
  • V-69201
Rule IDs
  • SV-83805r1_rule
If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost. This requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near-real-time, within minutes, or within hours.
Checks: C-69641r1_chk

Verify the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real time. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.

Fix: F-75387r1_fix

To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign and enter a name for the role and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.

a
The NSX Manager must compare internal information system clocks at least every 24 hours with an authoritative time server.
AU-8 - Low - CCI-001891 - V-69203 - SV-83807r1_rule
RMF Control
AU-8
Severity
Low
CCI
CCI-001891
Version
VNSX-ND-000100
Vuln IDs
  • V-69203
Rule IDs
  • SV-83807r1_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Additionally, unnecessary synchronization may have an adverse impact on system performance and may indicate malicious activity. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Checks: C-69643r1_chk

Verify NSX Manager has the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Time Settings. Verify NTP Servers have the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.

Fix: F-75389r1_fix

Change the primary and secondary time sources on the NSX Manager to time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration. Navigate and select Manage Appliance Settings >> Time Settings >> Edit. Add NTP Servers to the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.

a
The NSX Manager must synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.
AU-8 - Low - CCI-002046 - V-69205 - SV-83809r1_rule
RMF Control
AU-8
Severity
Low
CCI
CCI-002046
Version
VNSX-ND-000101
Vuln IDs
  • V-69205
Rule IDs
  • SV-83809r1_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations must consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations must also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in CCI-001891 because a comparison must be done in order to determine the time difference. The organization-defined time period will depend on multiple factors, most notably the granularity of time stamps in audit logs. For example, if time stamps only show to the nearest second, there is no need to have accuracy of a tenth of a second in clocks.
Checks: C-69645r1_chk

Verify NSX Manager has the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Time Settings. Verify NTP Servers have the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.

Fix: F-75391r1_fix

Change the primary and secondary time sources on the NSX Manager to time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Time Settings >> Edit. Add NTP Servers to the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.

b
The NSX Manager must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
CM-6 - Medium - CCI-000366 - V-69207 - SV-83811r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VNSX-ND-000102
Vuln IDs
  • V-69207
Rule IDs
  • SV-83811r1_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-69647r1_chk

Verify NSX Manager has the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Time Settings. Verify NTP Servers have the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.

Fix: F-75393r1_fix

Change the primary and secondary time sources on the NSX Manager to time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Time Settings >> Edit. Add NTP Servers to the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.

b
The NSX Manager must off-load audit records onto a different system or media than the system being audited.
AU-4 - Medium - CCI-001851 - V-69209 - SV-83813r1_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VNSX-ND-000128
Vuln IDs
  • V-69209
Rule IDs
  • SV-83813r1_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-69649r1_chk

Verify NSX Manager audit records are off-loaded to a different system. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Syslog Server >> Edit. Enter name or IP of the Syslog Server, Port, and Protocol. If audit records are not configured and are not off-loaded to a different system, this is a finding. Note: TCP is the preferred protocol configuration to protect against network outages and queues logs locally until network connection is restored to a centralized server.

Fix: F-75395r1_fix

Change the logs in NSX Manager to send to a centralized server for use as part of the organization's security incident tracking and analysis. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Syslog Server >> Edit. Enter name or IP of the Syslog Server, Port, and Protocol.

b
The NSX Manager must enforce access restrictions associated with changes to the system components.
CM-5 - Medium - CCI-000345 - V-69211 - SV-83815r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-000345
Version
VNSX-ND-000133
Vuln IDs
  • V-69211
Rule IDs
  • SV-83815r1_rule
Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals must be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters.
Checks: C-69651r1_chk

Verify the built-in SSO administrator account is only used for emergencies and situations where it is the only option due to permissions. If the built-in SSO administrator account is used for daily operations or there is no policy restricting its use, this is a finding.

Fix: F-75397r1_fix

Develop a policy to limit the use of the built-in SSO administrator account.

a
The NSX Manager must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
CM-6 - Low - CCI-000366 - V-69213 - SV-83817r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VNSX-ND-000138
Vuln IDs
  • V-69213
Rule IDs
  • SV-83817r1_rule
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-69653r1_chk

Verify NSX Manager backups are being sent to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select Backup and Restore >> Backup History. Confirm there are current backups and information is being backed up at a consistent interval. If backups are not being sent to a centralized location when changes occur or weekly, whichever is sooner, this is a finding.

Fix: F-75399r1_fix

Change NSX Manager backup configurations to send backups to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select "Backup and Restore". To specify the backup location, click "Change" next to FTP Server Settings. Type the IP address or host name of the backup system. From the Transfer Protocol drop-down menu, select either "SFTP" or "FTP", based on what the destination supports. Edit the default port if required. Type the username and password required to log on to the backup system. In the Backup Directory field, type the absolute path where backups will be stored. Type a text string in Filename Prefix. (This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type "ppdb", the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.) Type the passphrase to secure the backup. (You will need this passphrase to restore the backup.) Click "OK". For an on-demand backup, click "Backup". For scheduled backups, click "Change" next to "Scheduling" (frequency must be when changes occur or weekly, whichever is sooner). From the "Backup Frequency" drop-down menu, select "Hourly", "Daily", or "Weekly". The Day of Week, Hour of Day, and Minute drop-down menus are disabled based on the selected frequency. For example, if you select Daily, the Day of Week drop-down menu is disabled as this field is not applicable to a daily frequency. For a weekly backup, select the day of the week the data must be backed up. For a weekly or daily backup, select the hour at which the backup must begin. Select the minute to begin and click "Schedule". (Do not exclude logs and flow data from being backed up.) Click "OK".

a
The NSX Manager must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
CM-6 - Low - CCI-000366 - V-69215 - SV-83819r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VNSX-ND-000139
Vuln IDs
  • V-69215
Rule IDs
  • SV-83819r1_rule
Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information were not backed up, and a system failure were to occur, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security-related documentation provides for a quicker recovery time when system outages occur. This control requires the network device to support the organizational central backup process for user account information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-69655r1_chk

Verify NSX Manager backups are being sent to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select Backup and Restore >> Backup History. Confirm there are current backups and information is being backed up at a consistent interval. If backups are not being sent to a centralized location when changes occur or weekly, whichever is sooner, this is a finding.

Fix: F-75401r1_fix

Change NSX Manager backup configurations to send backups to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select Backup and Restore. To specify the backup location, click "Change" next to FTP Server Settings. Type the IP address or host name of the backup system. From the Transfer Protocol drop-down menu, select either "SFTP" or "FTP", based on what the destination supports. Edit the default port if required. Type the username and password required to log on to the backup system. In the Backup Directory field, type the absolute path where backups will be stored. Type a text string in Filename Prefix. (This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type "ppdb", the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.) Type the passphrase to secure the backup. (You will need this passphrase to restore the backup.) Click "OK". For an on-demand backup, click "Backup". For scheduled backups, click "Change" next to Scheduling (Frequency must be when changes occur or weekly, whichever is sooner). From the Backup Frequency drop-down menu, select "Hourly", "Daily", or "Weekly". The Day of Week, Hour of Day, and Minute drop-down menus are disabled based on the selected frequency. For example, if you select Daily, the Day of Week drop-down menu is disabled as this field is not applicable to a daily frequency. For a weekly backup, select the day of the week the data must be backed up. For a weekly or daily backup, select the hour at which the backup must begin. Select the minute to begin and click "Schedule". (Do not exclude logs and flow data from being backed up.) Click "OK".

b
The NSX Manager must employ automated mechanisms to assist in the tracking of security incidents.
CM-6 - Medium - CCI-000366 - V-69217 - SV-83821r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VNSX-ND-000140
Vuln IDs
  • V-69217
Rule IDs
  • SV-83821r1_rule
Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the network device. An automated incident response infrastructure allows network operations to immediately react to incidents by identifying, analyzing, and mitigating any network device compromise. Incident response teams can perform root cause analysis, determine how the exploit proliferated, and identify all affected nodes, as well as contain and eliminate the threat. The network device assists in the tracking of security incidents by logging detected security events. The audit log and network device application logs capture different types of events. The audit log tracks audit events occurring on the components of the network device. The application log tracks the results of the network device content filtering function. These logs must be aggregated into a centralized server and can be used as part of the organization's security incident tracking and analysis.
Checks: C-69657r1_chk

Verify NSX Manager logs are sent to a centralized server and can be used as part of the organization's security incident tracking and analysis. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Syslog Server >> Edit. Enter name or IP of the Syslog Server, Port, and Protocol. If logs are not sent to a centralized server, this is a finding. Note: TCP is the preferred protocol configuration to protect against network outages and queues logs locally until network connection is restored to a centralized server.

Fix: F-75403r1_fix

Change the logs in NSX Manager to send to a centralized server for use as part of the organization's security incident tracking and analysis. Login to the NSX Manager Web Interface, using credentials authorized for administration. Navigate from the Home screen >> "Manage Appliance Settings" >> Settings >> General >> Syslog Server Verify a syslog server has been configured with the correct address, port, and protocol. Login to the vCenter with the appropriate credentials for the Network and Security Platform >> Select "Hosts and Clusters" from the inventories panel >> Expand the entire drop-down section on the left panel >> Select a host as indicated by the ESX host icon >> Navigate to the "Manage" section on the newly updated right panel >> Select "Settings" >> "System" >> "Advanced System Settings" >> In the search field within "Advanced System Settings" enter "Syslog.global.logHost" and press enter >> Select the "Syslog.global.logHost" >> Click the pencil icon >> Insert the desired syslog aggregator or SIEM that exists in the customer environment.

b
The NSX vCenter must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-69219 - SV-83823r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VNSX-ND-000141
Vuln IDs
  • V-69219
Rule IDs
  • SV-83823r1_rule
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
Checks: C-69659r1_chk

Verify a public key certificate is obtained from an appropriate certificate policy through an approved service provider is used on the vCenter Server. Launch browser and go to the vSphere Web Client URL https://client-hostname/vsphere-client and verify the CA certificate is signed by an approved service provider. If a public key certificate from an appropriate certificate policy through an approved service provider is not used, this is a finding.

Fix: F-75405r1_fix

Configure the vCenter Server to obtain its public key certificates in offline mode from an appropriate certificate policy through an approved service provider. Replace default certificates with certificate authority signed SSL certificates in vSphere 6.0 with KB 2111219.

b
The NSX vCenter must accept multifactor credentials.
CM-6 - Medium - CCI-000366 - V-69221 - SV-83825r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VNSX-ND-000142
Vuln IDs
  • V-69221
Rule IDs
  • SV-83825r1_rule
DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.
Checks: C-69661r1_chk

Verify the Windows server hosting vCenter is joined to the domain and configured for Single Sign-On Identity Source of the Active Directory domain. Access to vCenter must be is done using Active Directory/CAC/PIV certificate accounts. CAC/PIV certificate must be mapped to a privileged Active Directory account and the Windows platform client running the web browser must be CAC/PIV-enabled and must not have external network access. If the vCenter server is not joined to an Active Directory domain and not configured for Single Sign-On Identity Source of the Active Directory domain, and Active Directory/CAC/PIV certificate-based accounts are not used for daily operations of the vCenter server, this is a finding.

Fix: F-75407r1_fix

If local accounts are used for normal operations, Active Directory user accounts/groups must be created and then associated appropriately for normal operations. To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign, enter a name for the role, and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. All local windows accounts must be removed from the vCenter and Windows server. Application service account and user required privileges must be documented.