Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

VMware vCenter Server Version 5 Security Technical Implementation Guide

  • Version/Release: V1R7
  • Published: 2016-02-10
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

The VMware vCenter Server Version 5 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
b
The VMware Update Manager must not be configured to manage its own VM or the VM of its vCenter Server.
CM-6 - Medium - CCI-000366 - V-39544 - SV-51402r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000003
Vuln IDs
  • V-39544
Rule IDs
  • SV-51402r2_rule
The VMware Update Manager (vUM) and vCenter Server (vCS) are VM installable on an ESXi hypervisor host. For all ESXi hypervisors and VMs, including those of the vCS and the vUM, software and system security patches must be installed and up-to-date. For the use case where the vUM hypervisor/VM or the vCS hypervisor/VM reboots while undergoing remediation, this will halt that process. Note that for the use case where the vCS hypervisor/VM reboots, the result is a worst case scenario of a temporary, unplanned vCS outage.
Checks: C-46769r1_chk

Ask the SA if software and system security patches are installed and up-to-date for all ESXi hypervisors/VMs, including the vCenter Server (vCS) and the VMware Update Manager (vUM), if they are also installed as VMs rather than as physical machines. If the vUM's hypervisor host/VM patch, update, and remediation procedure does not include its own hypervisor/VM or that of the vCS (if installed as VMs), this check is not a finding. If the vUM's hypervisor host/VM patch, update, and remediation process also includes its own hypervisor host/VM and/or the vCS's hypervisor host/VM, this is a finding.

Fix: F-44557r2_fix

Determine if both the VMware Update Manager (vUM) and vCenter Server (vCS) are installed as physical or virtual machines. No fix is required for vCS/vUM if the vCS and vUM are both installed as physical machines. If the vCS and vUM are installed as virtual machines, they must both be managed either manually or by a secondary installation of vCS and the vUM. All remaining organization hypervisor hosts/VMs must be configured to receive software and security patch updates, via the vUM, on an organization-defined, regularly scheduled basis.

b
Privilege re-assignment must be checked after the vCenter Server restarts.
CM-6 - Medium - CCI-000366 - V-39545 - SV-51403r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000005
Vuln IDs
  • V-39545
Rule IDs
  • SV-51403r2_rule
During a restart of vCenter Server, if the user or user group that is assigned Administrator role on the root folder could not be verified as a valid user/group during the restart, the user/group's permission as Administrator will be removed. In its place, vCenter Server defaults the Administrator role to the local Windows administrators group, to act as a new vCenter Server Administrator. This default administrative assignment must be rectified by re-establishing a legitimate vCenter Server account with an Administrator role.
Checks: C-46770r1_chk

After the Windows server hosting the vCenter Server has been rebooted, a vCenter Server user or member of the user group granted the administrator role must log in and verify the role permissions remain intact. If the user and/or user group granted vCenter administrator role permissions cannot be verified intact, this is a finding.

Fix: F-44558r2_fix

As a Windows Administrator, log in to the vCenter Server and restore a legitimate administrator account per site-specific user/group/role requirements.

a
The Web datastore browser must be disabled, unless required for normal day-to-day operations.
CM-6 - Low - CCI-000366 - V-39546 - SV-51404r2_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCENTER-000006
Vuln IDs
  • V-39546
Rule IDs
  • SV-51404r2_rule
The Web datastore browser enables viewing of all the datastores associated with the vSphere deployment, including all folders and files, such as VM files. This functionality is controlled by the organization-specific, user permissions on vCenter Server.System Administrator
Checks: C-46771r3_chk

If the Web datastore browser is required for normal, daily operational tasks, this check is not applicable. Verify the Web datastore browser is disabled: Determine the location of the vpxd.cfg file on the vCenter Server's Windows OS host. Edit the file and locate the <vpxd> </vpxd> element. Ensure the following element is set. <enableHttpDatastoreAccess>false</enableHttpDatastoreAccess> If the Web datastore browser is not disabled, this is a finding.

Fix: F-44559r3_fix

If the Web datastore browser is enabled and required for normal, daily operational tasks, no fix is required. Disable the Web datastore browser: Determine the location of the vpxd.cfg file on the Windows host. Edit the file and locate the <vpxd> ... </vpxd> element. Ensure the following element is set <enableHttpDatastoreAccess>false</enableHttpDatastoreAccess> Restart the vCenter Service to ensure the config file change(s) are in effect.

a
The managed object browser must be disabled, at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.
CM-6 - Low - CCI-000366 - V-39547 - SV-51405r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCENTER-000007
Vuln IDs
  • V-39547
Rule IDs
  • SV-51405r1_rule
The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and might potentially be used to perform malicious configuration changes or actions.
Checks: C-46772r2_chk

The Managed Object Browser (MOB) was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is an inventory object, full-access interface, allowing attackers to determine the inventory path of an infrastructure's managed entities. Check the operational status of the MOB : Determine the location of the vpxd.cfg file on the vCenter Server's Windows OS host. Edit the file and locate the &lt;vpxd&gt; ... &lt;/vpxd&gt; element. Ensure the following element is set. &lt;enableDebugBrowse&gt;false&lt;/enableDebugBrowse&gt; If the MOB is currently enabled, ask the SA if it is being used for object maintenance. If the enableDebugBrowse element is enabled (set to true), and object maintenance is not being performed, this is a finding. If the enableDebugBrowse element is enabled (set to true), and object maintenance is being performed, this is not a finding.

Fix: F-44560r2_fix

If the datastore browser is enabled and required for object maintenance, no fix is immediately required. Disable the managed object browser: Determine the location of the vpxd.cfg file on the Windows host. Edit the file and locate the <vpxd> ... </vpxd> element. Ensure the following element is set. <enableDebugBrowse>false</enableDebugBrowse> Restart the vCenter Service to ensure the configuration file change(s) are in effect.

a
The vCenter Server must be installed using a service account instead of a built-in Windows account.
CM-6 - Low - CCI-000366 - V-39548 - SV-51406r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCENTER-000008
Vuln IDs
  • V-39548
Rule IDs
  • SV-51406r1_rule
The Microsoft Windows built-in system account or a user account can be used to run vCenter Server. With a user account, the Windows authentication for SQL Server can be enabled; it also provides more security. The user account must be an administrator on the local machine. In the installation wizard, specify the account name as DomainName\Username. If using SQL Server for the vCenter database, the SQL Server database must be configured to allow the domain account access to SQL Server. The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system requires, which can contribute to security problems. A local user, administrative level account with limited permissions and rights must be set up for the vCenter Server system.
Checks: C-46773r1_chk

Verify vCenter Server was installed using a special-purpose user account on the Windows host with a local-only administrator role. This account should have the "Act as part of the operating system" privilege, and write access to the local file system with a local-only administrator role. If the vCenter Server was not installed with a special-purpose, local-only administrator role with the "Act as part of the operating system" privilege, this is a finding.

Fix: F-44561r1_fix

Re-install the vCenter Server with a special-purpose, local-only administrator role with the "Act as part of the operating system" privilege.

a
The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.
CM-6 - Low - CCI-000366 - V-39549 - SV-51407r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCENTER-000009
Vuln IDs
  • V-39549
Rule IDs
  • SV-51407r1_rule
The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet. The Update Manager requires access to patch information to function properly. UMDS must be installed on a separate system that has Internet access to download upgrades, patch binaries, and patch metadata, and then export the downloads to a portable media drive so that they become accessible to the Update Manager server.
Checks: C-46774r1_chk

Check the following conditions: The Update Manager must be configured to use the Update Manager Download Server. The use of physical media to transfer update files to the Update Manager server (air-gap model example: separate Update Manager Download Server which may source vendor patches externally via the Internet versus an internal, organization defined source) must be enforced with site policies. If all of the above conditions are not met, this is a finding.

Fix: F-44562r1_fix

Configure the Update Manager Server to use a separate Update Manager Download Server; the use of physical media to transfer updated files to the Update Manager server (air-gap model) must be enforced and documented with organization policies. Configure the Update Manager Download Server and enable the Download Service. Patches must not be directly accessible to the Update Manager Server application from the Internet.

b
The vCenter Server administrative users must have the correct roles assigned.
CM-5 - Medium - CCI-001499 - V-39550 - SV-51408r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
VCENTER-000012
Vuln IDs
  • V-39550
Rule IDs
  • SV-51408r1_rule
Administrative users must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.
Checks: C-46775r2_chk

Check that roles are created in vCenter with the required granularity of privilege for the organization's administrator types, and that these roles are assigned to the correct, site-specific users: Log into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. Go to "Home&gt;&gt; Administration&gt;&gt; Roles" and verify that a role exists for each of the administrator privilege sets the organization requires and allows. Right click on each Role name and select "Edit". Verify under "All Privileges&gt;&gt; Virtual Machines" that only site-specific, required checkboxes are selected. If the organization does not require roles for administrator privilege sets, this is a finding. If a role does not exist for each of the organization-required, administrator privilege sets, this is a finding.

Fix: F-44563r2_fix

Create roles in vCenter with the required granularity of privilege for the organization's administrator types, and ensure that these roles are assigned to the correct, site-specific users. As a vCenter Server administrator, log into the vCenter Server with the vSphere Client. Go to "Home>> Administration>> Roles" and create a role for each of the administrator privilege sets the organization requires and allows. Right click on each role name and select "Edit". Verify under "All Privileges>> Virtual Machines" that only site-specific, required checkboxes are selected.

b
Access to SSL certificates must be monitored.
CM-6 - Medium - CCI-000366 - V-39551 - SV-51409r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000013
Vuln IDs
  • V-39551
Rule IDs
  • SV-51409r1_rule
The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, the vCenter Server system administrator might need to access it for support purposes. The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password.
Checks: C-46776r1_chk

Ask the SA if event log monitoring is used to alert on non-service account access to the certificates directory. If event log monitoring is not used, this is a finding.

Fix: F-44564r1_fix

Set up Windows event log monitoring to alert on nonservice account access to the certificates directory.

b
Expired certificates must be removed from the vCenter Server.
CM-6 - Medium - CCI-000366 - V-39553 - SV-51411r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000015
Vuln IDs
  • V-39553
Rule IDs
  • SV-51411r1_rule
If expired certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.
Checks: C-46778r1_chk

To check the status of SSL certificates on vCenter Server, open the vSphere Client and connect to the vCenter Server and log in. In the Security Warning dialog, click View Certificate and check the Valid from mm/dd/yy to mm/dd/yy field for the expiry information. Click OK. If unable to determine the certificate status from the certificate details, ask the SA if there is a site procedure to ensure the monitoring and removal of expired certificates from the vCenter Server Windows host. Use this procedure to check the vCenter Server/host for the presence of expired certificates. If a procedure does not exist and/or expired certificates are found, this is a finding.

Fix: F-44566r1_fix

If a site procedure to ensure the monitoring and removal of expired certificates from the vCenter Server Windows host does not exist, create one. Check the vCenter Server/host for the presence of expired certificates. Remove all expired certificates.

b
Log files must be cleaned up after failed installations of the vCenter Server.
CM-6 - Medium - CCI-000366 - V-39554 - SV-51412r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000016
Vuln IDs
  • V-39554
Rule IDs
  • SV-51412r1_rule
If the vCenter installation fails, a log file (with a name of the form "hs_err_pidXXXX") is created that contains the database password in plain text. An attacker who breaks into the vCenter Server could potentially steal this password and access the vCenter Database.
Checks: C-46779r1_chk

If at any time a vCenter Server installation fails, only the log files of format "hs_err_pid...." should be identified on the Windows host and deleted securely before putting the host into production. Determine if a site policy exists for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format "hs_err_pid". If a file name of the format "hs_err_pid" is found, this is a finding. If a site policy does not exist and/or is not followed, this is a finding.

Fix: F-44567r1_fix

Develop a site policy for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format "hs_err_pid and remove them.

b
Revoked certificates must be removed from the vCenter Server.
CM-6 - Medium - CCI-000366 - V-39555 - SV-51413r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000017
Vuln IDs
  • V-39555
Rule IDs
  • SV-51413r1_rule
If revoked certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.
Checks: C-46780r1_chk

To check the status of SSL certificates on vCenter Server, open the vSphere Client and connect to the vCenter Server and log in. In the Security Warning dialog, click View Certificate and check the Valid from mm/dd/yy to mm/dd/yy field for the expiry information. Click OK. If unable to determine the certificate status from the certificate details, ask the SA if there is a site procedure to ensure the monitoring and removal of revoked certificates from the vCenter Server Windows host. Use this procedure to check the vCenter Server/host for the presence of revoked certificates. If a procedure does not exist and/or revoked certificates are found, this is a finding.

Fix: F-44568r1_fix

If a site procedure to ensure the monitoring and removal of revoked certificates from the vCenter Server Windows host does not exist, create one. Check the vCenter Server/host for the presence of revoked certificates. Remove all revoked certificates.

b
The vCenter Administrator role must be secured and assigned to specific users other than a Windows Administrator.
CM-6 - Medium - CCI-000366 - V-39556 - SV-51414r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000018
Vuln IDs
  • V-39556
Rule IDs
  • SV-51414r1_rule
By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows administrator account and instead be given to a special-purpose local vCenter Administrator account. This account should be used to create individual user accounts.
Checks: C-46781r1_chk

Check the permissions assigned in vSphere. Verify that a non-Windows administrative user account is used to manage vCenter. Ensure the user does not belong to any local groups, such as administrator. If a Windows administrative account is used to manage vCenter, this is a finding. If the account used to manage vCenter belongs to a local Windows or administrative group, this is a finding.

Fix: F-44569r1_fix

Ensure "Administrator" or any other account or group does not have any privileges except users created as follows: Create an ordinary user account that will be used to manage vCenter (example vi-admin). Make sure the user does not belong to any local groups, such as administrator. On the top-level hosts and clusters context, log onto vCenter as the Windows administrator; then grant the role of administrator (global vCenter administrator) to the created account. Log out of vCenter and log into vCenter with the account created. Verify user is able to perform all tasks available to a vCenter administrator. Remove the permissions in the vCenter for the local administrator group.

b
Access to SSL certificates must be restricted.
CM-6 - Medium - CCI-000366 - V-39557 - SV-51415r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000019
Vuln IDs
  • V-39557
Rule IDs
  • SV-51415r1_rule
The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password. By default, only the service user account and the vCenter Server administrators can access the directory containing the SSL certificates. The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, when collecting data for support purposes, the vCenter Server system administrator might need to access it. The permissions should be checked on a regular basis to ensure they have not been changed to add unauthorized users.
Checks: C-46782r1_chk

Check the Windows file permission on the SSL certificate directory files are set so only the vCenter service account and authorized vCenter Server Administrators can access them. Verify the directory and all files within are only accessible to the service user (System) and authorized vCenter Server administrators. The location by default for vCenter this is C:\ProgramData\VMware\VMware VirtualCenter\SSL and for the Inventory Service SSL certificate is C:\Program Files\VMware\Infrastructure\Inventory Service\ssl. If the SSL certificate directory/files are not set so that only the vCenter service account and authorized vCenter Server Administrators can access them, this is a finding.

Fix: F-44570r1_fix

Ensure the Windows file permission on the SSL certificate directory files are set so only the vCenter service account and authorized vCenter Server Administrators can access them. Ensure the directory and all files within are only accessible to the service user (System) and authorized vCenter Server administrators. The location by default for vCenter this is C:\ProgramData\VMware\VMware VirtualCenter\SSL and for the Inventory Service SSL certificate is C:\Program Files\VMware\Infrastructure\Inventory Service\ssl.

b
The system must restrict unauthorized vSphere users from being able to execute commands within the guest virtual machine.
CM-6 - Medium - CCI-000366 - V-39558 - SV-51416r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000020
Vuln IDs
  • V-39558
Rule IDs
  • SV-51416r1_rule
By default, vCenter Server "Administrator" role allows users to interact with files and programs inside a virtual machine's guest operating system. Least Privilege requires that this privilege should not be granted to any users who are not authorized, to reduce risk of Guest confidentiality, availability, or integrity loss. To prevent such loss, a non-guest access role must be created without these privileges. This role is for users who need administrator privileges excluding those allowing file and program interaction within the guests.
Checks: C-46783r2_chk

Check that a role is used to manage the vCenter Server without the Guest Access Control (example "Administrator No Guest Access"), and that this role is assigned to administrators who should not have Guest file and program interaction privileges. Log into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. Go to "Home&gt;&gt; Administration&gt;&gt; Roles" and verify that a role exists for administrators with Guest access removed. Right click on the role name and select "Edit". Verify under "All Privileges&gt;&gt; Virtual Machines" the "Guest Operations" checkbox is unchecked. Verify users requiring Administrator privileges without Guest access privileges are assigned to that role and not the default Administrator role. Ask the SA for a list of users that require administrator privileges without Guest access privileges and verify their role assignments. If users requiring administrator privileges without Guest access privileges are assigned to the default Administrator role, this is a finding.

Fix: F-44571r2_fix

Create a role to manage vCenter without the Guest Access Control (example "Administrator No Guest Access"), and that this role is assigned to administrators who should not have Guest file and program interaction privileges. Log into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. Go to "Home>> Administration>> Roles" and verify a role exists for administrators with Guest access removed. Right click on the role name and select "Edit". Verify under "All Privileges>> Virtual Machines" the "Guest Operations" checkbox is unchecked. Create account(s) requiring administrator privileges without Guest access privileges.

a
The use of Linux-based clients must be restricted.
CM-6 - Low - CCI-000366 - V-39559 - SV-51417r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCENTER-000021
Vuln IDs
  • V-39559
Rule IDs
  • SV-51417r1_rule
Although SSL-based encryption is used to protect communication between client components and vCenter Server or ESXi, the Linux versions of these components do not perform certificate validation. Even if the self-signed certificates are replaced on vCenter and ESXi with legitimate certificates signed by the local root certificate authority or a third party, communications with Linux clients are still vulnerable to MiTM attacks.
Checks: C-46784r1_chk

Verify all client operating systems connecting to the vCenter Server are not Linux. If any client operating system connecting to the vCenter Server is Linux-based, this is a finding.

Fix: F-44572r1_fix

Replace all Linux-based clients connecting to the vCenter Server with non-Linux-based clients.

a
Network access to the vCenter Server system must be restricted.
CM-6 - Low - CCI-000366 - V-39560 - SV-51418r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCENTER-000022
Vuln IDs
  • V-39560
Rule IDs
  • SV-51418r1_rule
Restrict access to only those essential components required to communicate with vCenter. Blocking access by unnecessary systems reduces the potential for general attacks on the operating system and minimizes risk.
Checks: C-46785r1_chk

The vCenter Server must be protected by a network and/or local firewall on the vCenter Server Windows system. This protection must include IP-based access restrictions, enabling only necessary components to communicate with the vCenter Server system. If the vCenter Server Windows system is not protected by a network and/or local firewall, this is a finding.

Fix: F-44573r1_fix

The vCenter Server Windows system must be protected by utilizing a network and/or local firewall. Install the vCenter Server Windows system behind the firewall and/or install a firewall application on the Windows system. Firewall protections must include IP-based access restrictions, enabling only necessary components to communicate with the vCenter Server system.

b
A least-privileges assignment must be used for the vCenter Server database user.
CM-6 - Medium - CCI-000366 - V-39561 - SV-51419r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000023
Vuln IDs
  • V-39561
Rule IDs
  • SV-51419r1_rule
Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.
Checks: C-46786r2_chk

Verify only the runtime privileges needed for the current vCenter state, on either Oracle or Microsoft SQL Server, is assigned. Verify that the following permissions are granted to the vCenter user in the vCenter database. GRANT ALTER ON SCHEMA :: &lt;schema&gt; to &lt;user&gt;; GRANT REFERENCES ON SCHEMA :: &lt;schema&gt; to &lt;user&gt;; GRANT INSERT ON SCHEMA :: &lt;schema&gt; to &lt;user&gt;; GRANT CREATE TABLE to &lt;user&gt;; GRANT CREATE VIEW to &lt;user&gt;; GRANT CREATE Procedure to &lt;user&gt;; For SQL, verify that the following permissions are granted to the user in the MSDB database. Note that the msdb database is used by SQL Server Agent for scheduling alerts and jobs. GRANT SELECT on msdb.dbo.syscategories to &lt;user&gt;; GRANT SELECT on msdb.dbo.sysjobsteps to &lt;user&gt;; GRANT SELECT ON msdb.dbo.sysjobs to &lt;user&gt;; GRANT EXECUTE ON msdb.dbo.sp_add_job TO &lt;user&gt;; GRANT EXECUTE ON msdb.dbo.sp_delete_job TO &lt;user&gt;; GRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO &lt;user&gt;; GRANT EXECUTE ON msdb.dbo.sp_update_job TO &lt;user&gt;; GRANT EXECUTE ON msdb.dbo.sp_add_category TO &lt;user&gt;; GRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO &lt;user&gt;; GRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO &lt;user&gt;; For Oracle, verify that the following permissions (or DBA role) are granted to the user. grant connect to &lt;user&gt; grant resource to &lt;user&gt; grant create view to &lt;user&gt; grant create materialized view to &lt;user&gt; grant execute on dbms_job to &lt;user&gt; grant execute on dbms_lock to &lt;user&gt; grant unlimited tablespace to &lt;user&gt; If the runtime privileges are not configured per the above guidelines, this is a finding.

Fix: F-44574r2_fix

Set the runtime privileges needed for the current vCenter state, on either Oracle or Microsoft SQL Server as noted below. Grant the following permissions to the vCenter user in the vCenter database: GRANT ALTER ON SCHEMA :: <schema> to <user>; GRANT REFERENCES ON SCHEMA :: <schema> to <user>; GRANT INSERT ON SCHEMA :: <schema> to <user>; GRANT CREATE TABLE to <user>; GRANT CREATE VIEW to <user>; GRANT CREATE Procedure to <user>; Grant the following permissions to the user in the MSDB database. Note that the msdb database is used by SQL Server Agent for scheduling alerts and jobs. GRANT SELECT on msdb.dbo.syscategories to <user>; GRANT SELECT on msdb.dbo.sysjobsteps to <user>; GRANT SELECT ON msdb.dbo.sysjobs to <user>; GRANT EXECUTE ON msdb.dbo.sp_add_job TO <user>; GRANT EXECUTE ON msdb.dbo.sp_delete_job TO <user>; GRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO <user>; GRANT EXECUTE ON msdb.dbo.sp_update_job TO <user>; GRANT EXECUTE ON msdb.dbo.sp_add_category TO <user>; GRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO <user>; GRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO <user>; For Oracle, either assign the DBA role or grant the following permissions to the user. grant connect to <user> grant resource to <user> grant create view to <user> grant create materialized view to <user> grant execute on dbms_job to <user> grant execute on dbms_lock to <user> grant unlimited tablespace to <user>

b
A least-privileges assignment must be used for the Update Manager database user.
CM-6 - Medium - CCI-000366 - V-39562 - SV-51420r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000024
Vuln IDs
  • V-39562
Rule IDs
  • SV-51420r2_rule
Least-privileges mitigates attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.
Checks: C-46787r3_chk

Verify only the following permissions are allowed to the VUM DB user after installation. For Oracle DB normal operation, only the following permissions are required. Create session create any table drop any table For SQL Server DB normal operation, the dba_owner role or sysadmin role can be removed from the MSDB database. The dba_owner role or sysadmin role is still required for the Update Manager database. Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations. If the above vendor database-dependent permissions are not strictly adhered to, this is a finding.

Fix: F-44575r3_fix

For Oracle DB normal runtime operation, set the following permissions. Create session create any table drop any table For SQL Server DB normal runtime operation remove/delete the dba_owner role or sysadmin role from the MSDB database. The dba_owner role or sysadmin role is still required for the Update Manager database. Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.

b
The system must set a timeout for all thick-client logins without activity.
CM-6 - Medium - CCI-000366 - V-39563 - SV-51421r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000027
Vuln IDs
  • V-39563
Rule IDs
  • SV-51421r1_rule
An inactivity timeout must be set for the vSphere Client (Thick Client). This client-side setting can be changed by users, so this must be set by default and re-audited. Automatic session termination minimizes risk and reduces the potential for unauthorized access to vCenter.
Checks: C-46788r2_chk

On each Windows computer with the vSphere Client installed, verify: A 15 minute (maximum) timeout is set in the VpxClient.exe.config file: Locate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the &lt;cmdlineFallback&gt;... &lt;/cmdlineFallback&gt; section, verify the setting &lt;inactivityTimeout&gt;X&lt;/inactivityTimeout&gt; where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server. Verify the timeout that the vSphere Client executable is started with is an execution flag: Locate the vSphere Client executable icon on the desktop, right click, and select properties. Verify the presence of "-inactivityTimeout 15" in the command. If either of the above methods are invoked and the timeout interval exceeds 15 minutes, this is a finding.

Fix: F-44576r2_fix

On each Windows computer with the vSphere Client installed: Set a 15 minute (maximum) timeout in the VpxClient.exe.config file: Locate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the <cmdlineFallback>... </cmdlineFallback> section, modify the <inactivityTimeout>X</inactivityTimeout> where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server. Exit, saving the file. Set a 15 minute (maximum) timeout execution flag when starting the vSphere Client executable: Locate the vSphere Client executable icon on the desktop, right click, and select properties. Add "-inactivityTimeout X", where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server.

b
vSphere Client plugins must be verified.
CM-6 - Medium - CCI-000366 - V-39564 - SV-51422r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000029
Vuln IDs
  • V-39564
Rule IDs
  • SV-51422r1_rule
The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system.
Checks: C-46789r2_chk

Verify the vSphere Client used by administrators includes only authorized extensions from trusted sources: From the vSphere Client, "Plug-ins&gt;&gt; Manage Plug-ins" and click the Installed Plug-ins tab. View the Installed/Available Plug-ins list and verify they are all identified as authorized VMware, 3rd party (Partner) and/or site-specific (locally developed and site) approved plug-ins. If any Installed/Available plug-ins in the viewable list cannot be verified as vSphere Client plug-ins and/or authorized extensions from trusted sources, this is a finding.

Fix: F-44577r2_fix

Disable/remove all listed plug-ins that cannot be verified as distributed from trusted sources: From the vSphere client, connect to the vCenter server. On the menu bar, go to "Plug-ins >> Manage Plug-ins". Under Installed Plug-ins, right-click the plug-in of choice and select Disable.

c
The vCenter Administrator role must be secured by assignment to specific users authorized as vCenter Administrators.
CM-6 - High - CCI-000366 - V-39566 - SV-51424r2_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
VCENTER-000031
Vuln IDs
  • V-39566
Rule IDs
  • SV-51424r2_rule
By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and be assigned to a special-purpose local vCenter Administrator account. This account should be used to create individual user accounts.System Administrator
Checks: C-46791r4_chk

Connect to the vCenter Server via the vSphere Client. Highlight the data center name and navigate to the Permissions tab. Observe the list of users and/or groups. If any local administrator group permissions appear in the displayed list, this is a finding. If a vCenter Administrator account (must be an ordinary user assigned the administrator role) does not appear in the displayed list, this is a finding. If a vCenter Administrator account (must be an ordinary user assigned the administrator role) does appear in the displayed list, this is not a finding.

Fix: F-44579r6_fix

Log into the Windows server as the Windows administrative user and create an ordinary user account that will be used to manage vCenter Server (example user: vAdmin). Ensure the ordinary user account (created above) does not belong to any local groups (example group: administrators). As the Windows administrative user, log into the vCenter Server (using the vSphere Client). Grant the role of administrator (global vCenter Server administrator) to the ordinary user account (created above). Log into the vCenter Server (using the vSphere Client) with the ordinary user account (created above) and verify that the user is able to perform all vCenter Server administrative tasks. As the Windows administrative user, log into the vCenter Server (using the vSphere Client). Delete the local administrator group from the permissions tab in the vSphere Client. Close the vSphere Client connection and attempt to reconnect to the Windows server as the Windows administrative user. The connection should now fail due to lack of administrator access/permissions.

b
The Update Manager Download Server must be isolated from direct connection to Internet public patch repositories by a proxy server.
CM-6 - Medium - CCI-000366 - V-39568 - SV-51426r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000033
Vuln IDs
  • V-39568
Rule IDs
  • SV-51426r1_rule
In a typical deployment, the Update Manager Download Server connects to public patch repositories on the Internet to download patches. This connection must be restricted as much as possible to prevent access from the outside to the Update Manager Download Server. Any direct channel to the Internet represents a threat.
Checks: C-46793r1_chk

If the Update Manager Download Server does not connect to the Internet to source vendor patches, this check is not applicable. Verify there is a Web proxy between Update Manager Download Server and the Internet. Check the proxy settings for the Update Manager Download Server to ensure correct configuration. To verify proxy settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Proxy Settings pane, select properties and view the proxy information. If a web proxy between Update Manager Download Server and the Internet is not configured, this is a finding.

Fix: F-44581r1_fix

If the Update Manager Download Server does not connect to the Internet to source vendor patches, no fix is required. To configure proxy settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Proxy Settings pane, select Use proxy and change the proxy information. Optional: If the proxy requires authentication, select Proxy requires authentication and provide a user name and password. Optional: Click Test Connection at any time to test a connection to the Internet through the proxy is possible. Click Apply.

b
The Update Manager must not directly connect to public patch repositories on the Internet.
CM-6 - Medium - CCI-000366 - V-39569 - SV-51427r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCENTER-000034
Vuln IDs
  • V-39569
Rule IDs
  • SV-51427r1_rule
In a typical deployment, the Update Manager connects to public patch repositories on the Internet to download patches. Any channel to the Internet represents a threat. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet.
Checks: C-46794r1_chk

Verify the Update Manager download source is not the Internet. To verify download settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, verify "Direct connection to Internet" is not selected. If "Direct connection to Internet" is configured, this is a finding.

Fix: F-44582r2_fix

To configure a Web server or local disk repository as a download source (i.e., "Direct connection to Internet" must not be selected as the source), from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, select Use a shared repository. Enter the <site-specific> path or the URL to the shared repository. Click Validate URL to validate the path. Click Apply.