VMware vSphere 6.7 vCenter Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2021-04-16

Updated At: 2021-05-02 21:04:41

Findings

Vuln | Rule Version | CCI | Severity | Title | Description
SV-243072r719459_rule | VCTR-67-000001 | CCI-000200 | MEDIUM | The vCenter Server must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the
SV-243073r719462_rule | VCTR-67-000002 | CCI-001133 | MEDIUM | The vCenter Server must not automatically refresh client sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
SV-243074r719465_rule | VCTR-67-000003 | CCI-000199 | MEDIUM | The vCenter Server must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit
SV-243075r719468_rule | VCTR-67-000004 | CCI-001133 | MEDIUM | The vCenter Server must terminate management sessions after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
SV-243076r719471_rule | VCTR-67-000005 | CCI-001082 | MEDIUM | The vCenter Server users must have the correct roles assigned. | Users and service accounts must only be assigned privileges they require. Least privilege requires that these privileges must only be assigned if needed to reduce risk of confidentiality, availability, or integrity loss.
SV-243077r719474_rule | VCTR-67-000007 | CCI-000366 | MEDIUM | The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC). | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available
SV-243078r719644_rule | VCTR-67-000008 | CCI-000139 | MEDIUM | The vCenter Server must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events. | It is critical for the appropriate personnel to be aware if an ESXi host is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system oper
SV-243079r719480_rule | VCTR-67-000009 | CCI-000770 | MEDIUM | The vCenter Server must implement Active Directory authentication. | The vCenter Server must ensure users are authenticated with an individual authenticator prior to using a group authenticator. Using Active Directory for authentication provides more robust account management capabilities.
SV-243080r719483_rule | VCTR-67-000010 | CCI-000770 | MEDIUM | The vCenter Server must limit the use of the built-in SSO administrative account. | Use of the SSO administrator account should be limited as it is a shared account and individual accounts must be used wherever possible.
SV-243081r719486_rule | VCTR-67-000012 | CCI-000366 | MEDIUM | The vCenter Server must disable the distributed virtual switch health check. | Network Healthcheck is disabled by default. Once enabled, the healthcheck packets contain information on host#, vds#, and port#, which an attacker would find useful. It is recommended that network healthcheck be used for troubleshooting and turned off whe
SV-243082r719489_rule | VCTR-67-000013 | CCI-000366 | MEDIUM | The vCenter Server must set the distributed port group Forged Transmits policy to reject. | If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonat
SV-243083r719492_rule | VCTR-67-000014 | CCI-000366 | MEDIUM | The vCenter Server must set the distributed port group MAC Address Change policy to reject. | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by
SV-243084r719495_rule | VCTR-67-000015 | CCI-000366 | MEDIUM | The vCenter Server must set the distributed port group Promiscuous Mode policy to reject. | When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the port group have the potential of reading all packets across that network, meaning only the virtual machines connected to that port group. Promiscuous mode is disa
SV-243085r719498_rule | VCTR-67-000016 | CCI-000366 | MEDIUM | The vCenter Server must only send NetFlow traffic to authorized collectors. | The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network, making it easier for a MitM attack to be executed successfully. If Ne
SV-243086r719501_rule | VCTR-67-000018 | CCI-000366 | MEDIUM | The vCenter Server must configure all port groups to a value other than that of the native VLAN. | ESXi does not use the concept of a native VLAN. Frames with a VLAN specified in the port group will have a tag, but frames with no VLAN specified in the port group are not tagged and therefore will end up as belonging to the native VLAN of the physical switch.
SV-243087r719504_rule | VCTR-67-000019 | CCI-000366 | MEDIUM | The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized. | When a port group is set to VLAN Trunking, the vSwitch passes all network frames in the specified range to the attached VMs without modifying the VLAN tags. In vSphere, this is referred to as Virtual Guest Tagging (VGT). The VM must process the VLAN inf
SV-243088r719507_rule | VCTR-67-000020 | CCI-000366 | MEDIUM | The vCenter Server must not configure all port groups to VLAN values reserved by upstream physical switches. | Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001–1024 and 4094, while Nexus switches typically reserve 3968
SV-243089r719510_rule | VCTR-67-000023 | CCI-000366 | MEDIUM | The vCenter Server must configure the vpxuser auto-password to be changed every 30 days. | By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets site policies; if not, configure to meet password aging policies. Note: It is very important the password aging policy not be shorter than
SV-243090r719513_rule | VCTR-67-000024 | CCI-000366 | MEDIUM | The vCenter Server must configure the vpxuser password to meet the length policy. | The vpxuser password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. Longer passwords make brute-force password attacks more difficult. The vpxuser password is added by vCente
SV-243091r719516_rule | VCTR-67-000025 | CCI-000366 | MEDIUM | The vCenter Server must disable the managed object browser (MOB) at all times when not required for troubleshooting or maintenance of managed objects. | The MOB was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is an inventory object, full-access interface, allowing attackers to determine the inventory path of an infrastructure's managed enti
SV-243092r719519_rule | VCTR-67-000026 | CCI-000366 | MEDIUM | The vCenter Server must check the privilege reassignment after restarts. | Check for privilege reassignment when restarting vCenter Server. If the user or user group that is assigned the Administrator role on the root folder cannot be verified as a valid user or group during a restart, the role is removed from that user or group
SV-243093r719522_rule | VCTR-67-000029 | CCI-000366 | MEDIUM | The vCenter Server must enable all tasks to be shown to Administrators in the Web Client. | By default, not all tasks are shown in the Web Client to Administrators, and only that user's tasks will be shown. Enabling all tasks to be shown will allow the Administrator to potentially see any malicious activity they may miss with the view disabled.
SV-243094r719525_rule | VCTR-67-000031 | CCI-000366 | MEDIUM | The vCenter Server must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server. | The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server.
SV-243095r719528_rule | VCTR-67-000033 | CCI-000366 | MEDIUM | The vCenter Server must use a least-privileges assignment for the vCenter Server database user. | Least privileges mitigate attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These
SV-243096r719531_rule | VCTR-67-000034 | CCI-000366 | MEDIUM | The vCenter Server must use unique service accounts when applications connect to vCenter. | In order to not violate non-repudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they must use unique service accounts.
SV-243097r719534_rule | VCTR-67-000035 | CCI-000366 | MEDIUM | vCenter Server plugins must be verified. | The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, web-based functionalit
SV-243098r719537_rule | VCTR-67-000036 | CCI-002702 | MEDIUM | The vCenter Server must produce audit records containing information to establish what type of events occurred. | Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
SV-243099r719540_rule | VCTR-67-000039 | CCI-000205 | MEDIUM | The vCenter Server passwords must be at least 15 characters in length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and bru
SV-243100r719543_rule | VCTR-67-000040 | CCI-000192 | MEDIUM | The vCenter Server passwords must contain at least one uppercase character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques.
SV-243101r719546_rule | VCTR-67-000041 | CCI-000193 | MEDIUM | The vCenter Server passwords must contain at least one lowercase character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques.
SV-243102r719549_rule | VCTR-67-000042 | CCI-000194 | MEDIUM | The vCenter Server passwords must contain at least one numeric character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques.
SV-243103r719552_rule | VCTR-67-000043 | CCI-001619 | MEDIUM | The vCenter Server passwords must contain at least one special character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques.
SV-243104r719555_rule | VCTR-67-000045 | CCI-002238 | MEDIUM | The vCenter Server must limit the maximum number of failed login attempts to three. | By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
SV-243105r719558_rule | VCTR-67-000046 | CCI-002238 | MEDIUM | The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes. | By limiting the number of failed login attempts within a specified time period, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
SV-243106r719561_rule | VCTR-67-000047 | CCI-002238 | MEDIUM | The vCenter Server must require an administrator to unlock an account locked due to excessive login failures. | By requiring that SSO accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlock time is set to zero, once an account is locked it can only be unlocked m
SV-243107r719564_rule | VCTR-67-000051 | CCI-001084 | MEDIUM | The vCenter Server users must have the correct roles assigned. | Users and service accounts must only be assigned privileges they require. Least privilege requires that these privileges must only be assigned if needed to reduce risk of confidentiality, availability, or integrity loss.
SV-243108r719567_rule | VCTR-67-000052 | CCI-000366 | MEDIUM | The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic. | Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes vSAN, iSCSI, and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based st
SV-243109r719570_rule | VCTR-67-000053 | CCI-000366 | MEDIUM | The vCenter Server must enable the vSAN Health Check. | The vSAN Health Check is used for additional alerting capabilities, performance stress testing prior to production usage, and verifying that the underlying hardware is officially supported by being in compliance with the vSAN Hardware Compatibility Guide.
SV-243110r719573_rule | VCTR-67-000054 | CCI-000366 | MEDIUM | The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server. | The vSAN Health Check is able to download the hardware compatibility list from VMware to check compliance against the underlying vSAN Cluster hosts. To ensure the vCenter server is not directly downloading content from the internet, this functionality m
SV-243111r719576_rule | VCTR-67-000055 | CCI-000366 | MEDIUM | The vCenter Server must configure the vSAN Datastore name to a unique name. | A vSAN Datastore name by default is "vsanDatastore". If more than one vSAN cluster is present in vCenter, both datastores will have the same name by default, potentially leading to confusion and manually misplaced workloads.
SV-243112r719579_rule | VCTR-67-000057 | CCI-000366 | MEDIUM | The vCenter Server must enable TLS 1.2 exclusively. | TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 should be enabled on all interfaces and TLS 1.1 and 1.0 disabled where supported. Mandating TLS 1.2 may break third-party integrations and add-ons to v
SV-243113r719582_rule | VCTR-67-000058 | CCI-000366 | MEDIUM | The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority. | The default self-signed, VMCA-issued vCenter reverse proxy certificate must be replaced with a DoD-approved certificate. The use of a DoD certificate on the vCenter reverse proxy assures clients that the service they are connecting to is legitimate and pr
SV-243114r719585_rule | VCTR-67-000059 | CCI-000366 | MEDIUM | The vCenter Server must enable certificate-based authentication. | The vSphere Client is capable of CAC authentication. This capability must be enabled and properly configured.
SV-243115r719588_rule | VCTR-67-000060 | CCI-000366 | MEDIUM | The vCenter Server must enable revocation checking for certificate-based authentication. | The system must establish the validity of the user-supplied identity certificate using OCSP and/or CRL revocation checking.
SV-243116r719591_rule | VCTR-67-000061 | CCI-000366 | MEDIUM | The vCenter Server must disable Password and Windows integrated authentication. | All forms of authentication other than CAC must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts, but it must be disabled as soon as CAC authentication is functional.
SV-243117r719594_rule | VCTR-67-000062 | CCI-000366 | MEDIUM | The vCenter Server must enable the login banner for vSphere Client. | The required legal notice must be configured for the vCenter Web Client.
SV-243118r719597_rule | VCTR-67-000063 | CCI-000366 | MEDIUM | The vCenter Server must restrict access to the cryptographic role. | In vSphere 6.7, the built-in "Administrator" role contains permission to perform cryptographic operations such as KMS functions and encrypting and decrypting virtual machine disks. This role must be reserved for cryptographic administrators where VM encry
SV-243119r719600_rule | VCTR-67-000064 | CCI-000366 | MEDIUM | The vCenter Server must restrict access to cryptographic permissions. | These permissions must be reserved for cryptographic administrators where VM encryption and/or vSAN encryption is in use. Catastrophic data loss can result from poorly administered cryptography.
SV-243120r719603_rule | VCTR-67-000065 | CCI-000366 | MEDIUM | The vCenter Server must have Mutual CHAP configured for vSAN iSCSI targets. | When Mutual CHAP is enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MitM attack when not authenticating both the iSCSI target and host, in which an attacker might impersonate either side
SV-243121r719606_rule | VCTR-67-000066 | CCI-000366 | MEDIUM | The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s). | The KEK for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the datastore. A shallow reke
SV-243122r719609_rule | VCTR-67-000067 | CCI-000366 | MEDIUM | The vCenter Server must disable the Customer Experience Improvement Program (CEIP). | The VMware CEIP sends VMware anonymized system information that is used to improve the quality, reliability, and functionality of VMware products and services. For confidentiality purposes, this feature must be disabled.
SV-243123r719612_rule | VCTR-67-000068 | CCI-000366 | MEDIUM | The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an SSO identity source. | LDAP is an industry-standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over an SSL/TLS encrypted tunnel. To protect confidentiality of LDAP communications, secure LDAP (LDAPS) must be e
SV-243124r719615_rule | VCTR-67-000069 | CCI-000366 | MEDIUM | The vCenter Server must use a limited privilege account when adding an LDAP identity source. | When adding an LDAP identity source to vSphere SSO, the account used to bind to AD must be minimally privileged. This account only requires read rights to the base DN specified. Any other permissions inside or outside of that OU are unnecessary and violat
SV-243125r719618_rule | VCTR-67-000070 | CCI-001133 | MEDIUM | The vCenter Server must not automatically refresh client sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
SV-243126r719621_rule | VCTR-67-000071 | CCI-001133 | MEDIUM | The vCenter Server must terminate management sessions after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
SV-243127r719624_rule | VCTR-67-000072 | CCI-000366 | MEDIUM | The vCenter Server services must be run using a service account instead of a built-in Windows account. | You can use the Microsoft Windows built-in system account or a domain user account to run vCenter Server. The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system requires, which can contr
SV-243128r719627_rule | VCTR-67-000073 | CCI-000366 | MEDIUM | The vCenter Server must minimize access to the vCenter server. | After someone has logged in to the vCenter Server system, it becomes more difficult to prevent what they can do. In general, logging in to the vCenter Server system should be limited to very privileged administrators, and then only for the purpose of admi
SV-243129r719630_rule | VCTR-67-000074 | CCI-000366 | MEDIUM | The vCenter Server Administrators must clean up log files after failed installations. | In certain cases, if the vCenter installation fails, a log file (with a name of the form "hs_err_pidXXXX") is created that contains the database password in plain text. An attacker who breaks into the vCenter Server could potentially steal this passwo
SV-243130r719633_rule | VCTR-67-000075 | CCI-000366 | MEDIUM | The vCenter Server must enable all tasks to be shown to Administrators in the Web Client. | By default, not all tasks are shown in the Web Client to administrators, and only that user's tasks will be shown. Enabling all tasks to be shown will allow the administrator to potentially see any malicious activity they may miss with the view disabled.
SV-243131r719636_rule | VCTR-67-000076 | CCI-000366 | MEDIUM | The vCenter Server Administrator role must be secured and assigned to specific users other than a Windows Administrator. | By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those admini
SV-243132r719639_rule | VCTR-67-000077 | CCI-000366 | MEDIUM | The vCenter Server must enable TLS 1.2 exclusively. | TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 should be enabled on all interfaces and TLS 1.1 and 1.0 disabled where supported. Mandating TLS 1.2 may break third-party integrations and add-ons to v
SV-243133r719642_rule | VCTR-67-000078 | CCI-000366 | MEDIUM | The vCenter Server must disable Password and Windows integrated authentication. | All forms of authentication other than CAC must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts, but it must be disabled as soon as CAC authentication is functional.