VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide
- RMF Control: IA-5
- Severity: M
- CCI: CCI-000200
- Version: VCWN-65-000001
- Vuln IDs: V-216825, V-94715
- Rule IDs: SV-216825r612237_rule, SV-104545
Checks: C-18056r366189_chk
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the value of the "Restrict reuse" setting. If the "Restrict reuse" policy is not set to "5" or more, this is a finding.
Fix: F-18054r366190_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click Edit and enter "5" into the "Restrict reuse" setting and click "OK".
- RMF Control: SC-10
- Severity: M
- CCI: CCI-001133
- Version: VCWN-65-000002
- Vuln IDs: V-216826, V-94717
- Rule IDs: SV-216826r612237_rule, SV-104547
Checks: C-18057r366192_chk
On the system where vCenter is installed locate the "webclient.properties" file.
Appliance: /etc/vmware/vsphere-client/
Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client
Find the "refresh.rate =" line in the "webclient.properties" file. If the refresh rate is not set to "-1" in the "webclient.properties" file, this is a finding.
Fix: F-18055r366193_fix
Change the refresh rate value by editing the "webclient.properties" file. On the system where vCenter is installed locate the "webclient.properties" file.
Appliance: /etc/vmware/vsphere-client/
Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client
Edit the file to include the line "refresh.rate = -1" where "-1" indicates sessions are not automatically refreshed. Uncomment the line if necessary. After editing the file the vSphere Web Client service must be restarted.
- RMF Control: IA-5
- Severity: M
- CCI: CCI-000199
- Version: VCWN-65-000003
- Vuln IDs: V-216827, V-94721
- Rule IDs: SV-216827r612237_rule, SV-104551
Checks: C-18058r366195_chk
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the value of the "Maximum lifetime" setting. If the "Maximum lifetime" policy is not set to "60", this is a finding.
Fix: F-18056r366196_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click Edit and enter "60" into the "Maximum lifetime" setting and click "OK".
- RMF Control: SC-10
- Severity: M
- CCI: CCI-001133
- Version: VCWN-65-000004
- Vuln IDs: V-216828, V-94723
- Rule IDs: SV-216828r612237_rule, SV-104553
Checks: C-18059r366198_chk
By default, vSphere Web Client sessions terminate after "120" minutes of idle time, requiring the user to log in again to resume using the client. You can view the timeout value by viewing the "webclient.properties" file. On the system where vCenter is installed locate the "webclient.properties" file.
Appliance: /etc/vmware/vsphere-client/
Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client
Find the "session.timeout =" line in the "webclient.properties" file. If the session timeout is not set to "10" in the "webclient.properties" file, this is a finding.
Fix: F-18057r366199_fix
Change the timeout value by editing the "webclient.properties" file. On the system where vCenter is installed locate the "webclient.properties" file.
Appliance: /etc/vmware/vsphere-client/
Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client
Edit the file to include the line "session.timeout = 10" where "10" is the timeout value in minutes. Uncomment the line if necessary. After editing the file the vSphere Web Client service must be restarted.
- RMF Control: SC-2
- Severity: M
- CCI: CCI-001082
- Version: VCWN-65-000005
- Vuln IDs: V-216829, V-94725
- Rule IDs: SV-216829r612237_rule, SV-104555
Checks: C-18060r366201_chk
From the vSphere Web Client go to Administration >> Access Control >> Roles. View each role and verify the users and/or groups assigned to it.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto
Application service account and user required privileges should be documented. If any user or service account has more privileges than required, this is a finding.
Fix: F-18058r366202_fix
To update a user's or group's permissions to an existing role with reduced permissions do the following:
From the vSphere Web Client go to Administration >> Access Control >> Global Permissions. Select the user or group, click "Edit", change the assigned role and click "OK". If permissions are assigned on a specific object then the role must be updated where it is assigned, for example at the cluster level.
To create a new role with reduced permissions do the following:
From the vSphere Web Client go to Administration >> Access Control >> Roles. Click the green plus sign, enter a name for the role and select only the specific permissions required. Users can then be assigned to the newly created role.
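The check above leaves the comparison between what vCenter grants and what the site has documented to the reviewer. The following PowerCLI script is an added example, not part of the STIG, that does that comparison and flags undocumented principals, role changes and propagation changes. It assumes an existing Connect-VIServer session and a site-maintained baseline CSV with the columns Principal, Role, Entity and Propagate; the principal, role and entity names in the sample data are constructed.

```powershell
# Added example for VCWN-65-000005: diff live vCenter permissions against a documented baseline.
# Assumes an existing Connect-VIServer session and a baseline CSV (Principal,Role,Entity,Propagate).

function Compare-VIPermissionBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Current,   # what vCenter grants now
        [Parameter(Mandatory)] [object[]] $Baseline   # what the site documents as required
    )
    # Key on principal + entity so a changed role on the same object is caught, not only new principals.
    $approved = @{}
    foreach ($b in $Baseline) { $approved["$($b.Principal)|$($b.Entity)"] = $b }

    foreach ($c in $Current) {
        $key = "$($c.Principal)|$($c.Entity)"
        $b   = $approved[$key]
        $finding = if ($null -eq $b) { 'Undocumented assignment' }
                   elseif ($b.Role -ne $c.Role) { "Role differs from baseline ($($b.Role))" }
                   # Convert handles both real booleans and the "True"/"False" strings Import-Csv produces.
                   elseif ([Convert]::ToBoolean($b.Propagate) -ne [Convert]::ToBoolean($c.Propagate)) { 'Propagation differs from baseline' }
                   else { $null }
        [pscustomobject]@{
            Principal = $c.Principal; Entity = $c.Entity; Role = $c.Role; Propagate = $c.Propagate
            Finding   = $finding
        }
        $approved.Remove($key)
    }
    # Documented assignments that no longer exist are not a finding under this rule, but the baseline is stale.
    foreach ($m in $approved.Values) {
        [pscustomobject]@{
            Principal = $m.Principal; Entity = $m.Entity; Role = $m.Role; Propagate = $m.Propagate
            Finding   = 'In baseline but not present in vCenter'
        }
    }
}

# Constructed sample data so the function can be exercised offline. Against a live vCenter build $current with:
#   Get-VIPermission | ForEach-Object { [pscustomobject]@{ Principal=$_.Principal; Role=$_.Role; Entity=$_.Entity.Name; Propagate=$_.Propagate } }
# and $baseline with Import-Csv on the site's baseline file.
$baseline = @(
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\Administrator'; Role = 'Admin';    Entity = 'Datacenters'; Propagate = $true }
    [pscustomobject]@{ Principal = 'CORP\svc-backup';             Role = 'Backup';   Entity = 'Datacenters'; Propagate = $true }
    [pscustomobject]@{ Principal = 'CORP\vm-operators';           Role = 'VM Power'; Entity = 'Cluster01';   Propagate = $true }
)
$current = @(
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\Administrator'; Role = 'Admin'; Entity = 'Datacenters'; Propagate = $true }
    [pscustomobject]@{ Principal = 'CORP\svc-backup';             Role = 'Admin'; Entity = 'Datacenters'; Propagate = $true }   # over-privileged
    [pscustomobject]@{ Principal = 'CORP\helpdesk';               Role = 'Admin'; Entity = 'Cluster01';   Propagate = $true }   # undocumented
)

Compare-VIPermissionBaseline -Current $current -Baseline $baseline | Format-Table -AutoSize
```

Rows with a non-empty Finding are the ones the check text calls a finding; the "in baseline but not present" rows point at documentation that needs updating rather than at vCenter.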
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000007
- Vuln IDs: V-216830, V-94727
- Rule IDs: SV-216830r612237_rule, SV-104557
Checks: C-18061r366204_chk
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> Properties. View the Properties pane and verify Network I/O Control is enabled.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDSwitch | select Name,@{N="NIOC Enabled";E={$_.ExtensionData.config.NetworkResourceManagementEnabled}}
If Network I/O Control is disabled, this is a finding.
Fix: F-18059r366205_fix
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> Properties. In the Properties pane click "Edit" and change Network I/O Control to enabled.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
(Get-VDSwitch "DVSwitch Name" | Get-View).EnableNetworkResourceManagement($true)
- RMF Control: AU-5
- Severity: L
- CCI: CCI-000139
- Version: VCWN-65-000008
- Vuln IDs: V-216831, V-94729
- Rule IDs: SV-216831r612237_rule, SV-104559
Checks: C-18062r366207_chk
From the vSphere Web Client go to Hosts and Clusters >> Select a vCenter Server >> Monitor >> Issues >> Alarm Definitions. Verify there is an alarm created to alert when an ESXi host can no longer reach its syslog server.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "esx.problem.vmsyslogd.remote.failure"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}}
If an alarm is not created to alert when syslog failures occur, this is a finding.
Fix: F-18060r366208_fix
From the vSphere Web Client go to Hosts and Clusters >> Select a vCenter Server >> Monitor >> Issues >> Alarm Definitions >> Click the green plus icon. Provide an alarm name and description. Select "Hosts" from the "Monitor" dropdown menu. Select "specific event" next to "Monitor for". Enable the alarm. Click "Next". Add a new Trigger and paste in "esx.problem.vmsyslogd.remote.failure" for the Event. Select "Alert" for the Status. Click "Next". Add an action to send an email or a trap for the "green to yellow" and "yellow to red" categories and configure it appropriately. Click "Finish".
Note: This alarm will only trigger if syslog is configured for TCP or SSL connections and not UDP.
- RMF Control: IA-2
- Severity: M
- CCI: CCI-000770
- Version: VCWN-65-000009
- Vuln IDs: V-216832, V-94731
- Rule IDs: SV-216832r612237_rule, SV-104561
Checks: C-18063r366210_chk
If Active Directory is not used in the environment, this is not applicable. Verify the Windows server hosting vCenter is joined to the domain and access to the server and to vCenter is done using Active Directory accounts. If the vCenter server is not joined to an Active Directory domain, this is a finding. If Active Directory-based accounts are not used for daily operations of the vCenter server, this is a finding.
Fix: F-18061r366211_fix
If the server hosting vCenter is not joined to the domain follow the OS specific procedures to join it to Active Directory. If local accounts are used for normal operations then Active Directory accounts should be created and used.
- RMF Control: IA-2
- Severity: M
- CCI: CCI-000770
- Version: VCWN-65-000010
- Vuln IDs: V-216833, V-94733
- Rule IDs: SV-216833r612237_rule, SV-104563
Checks: C-18064r366213_chk
Verify the built-in SSO administrator account is only used for emergencies and situations where it is the only option due to permissions. If the built-in SSO administrator account is used for daily operations or there is no policy restricting its use, this is a finding.
Fix: F-18062r366214_fix
A policy should be developed to limit the use of the built-in SSO administrator account.
- RMF Control: CM-6
- Severity: L
- CCI: CCI-000366
- Version: VCWN-65-000012
- Vuln IDs: V-216834, V-94735
- Rule IDs: SV-216834r612237_rule, SV-104565
Checks: C-18065r366216_chk
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> Health Check. View the health check pane and verify both checks are disabled.
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
$vds = Get-VDSwitch
$vds.ExtensionData.Config.HealthCheckConfig
If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding.
Fix: F-18063r366217_fix
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> Health Check. Click the "Edit" button and disable both health checks.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})} | %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000013
- Vuln IDs: V-216835, V-94737
- Rule IDs: SV-216835r612237_rule, SV-104567
Checks: C-18066r366219_chk
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies. Verify "Forged Transmits" is set to reject.
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
Get-VDSwitch | Get-VDSecurityPolicy
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy
If the "Forged Transmits" policy is set to accept for a non-uplink port, this is a finding.
Fix: F-18064r366220_fix
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies >> Edit >> Security. Set "Forged Transmits" to reject. Click "OK".
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false
- RMF Control: CM-6
- Severity: H
- CCI: CCI-000366
- Version: VCWN-65-000014
- Vuln IDs: V-216836, V-94739
- Rule IDs: SV-216836r612237_rule, SV-104569
Checks: C-18067r366222_chk
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies. Verify "MAC Address Changes" is set to reject.
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
Get-VDSwitch | Get-VDSecurityPolicy
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy
If the "MAC Address Changes" policy is set to accept, this is a finding.
Fix: F-18065r366223_fix
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies >> Edit >> Security. Set "MAC Address Changes" to reject. Click "OK".
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000015
- Vuln IDs: V-216837, V-94741
- Rule IDs: SV-216837r612237_rule, SV-104571
Checks: C-18068r366225_chk
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies. Verify "Promiscuous Mode" is set to reject.
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
Get-VDSwitch | Get-VDSecurityPolicy
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy
If the "Promiscuous Mode" policy is set to accept, this is a finding.
Fix: F-18066r366226_fix
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies >> Edit >> Security. Set "Promiscuous Mode" to reject. Click "OK".
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false
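The three port security rules above (VCWN-65-000013, 000014 and 000015) are checked with the same two PowerCLI commands, and the page's fix lines reset every switch and port group wholesale. The script below is an added example, not part of the STIG, that reports the three settings per object in one pass and, when $Remediate is set, clears only the offending setting on only the objects with findings, so a documented exception elsewhere is left untouched. It assumes an existing Connect-VIServer session.

```powershell
# Added example for VCWN-65-000013/14/15: one audit pass over the switch-level security policy
# (which new port groups inherit) and every non-uplink port group, with targeted remediation.
# Assumes an existing Connect-VIServer session.

$Remediate = $false   # set to $true to apply the targeted fixes after reviewing the report

function Get-VDSecurityPolicyTargets {
    # Uplink port groups are skipped, as the check text does.
    foreach ($vds in Get-VDSwitch) {
        [pscustomobject]@{ Name = "vDS $($vds.Name)"; Policy = ($vds | Get-VDSecurityPolicy) }
    }
    foreach ($pg in (Get-VDPortgroup | Where-Object { -not $_.IsUplink })) {
        [pscustomobject]@{ Name = "Port group $($pg.Name) on $($pg.VDSwitch.Name)"; Policy = ($pg | Get-VDSecurityPolicy) }
    }
}

function Get-VDSecurityPolicyFindings {
    param([Parameter(Mandatory)] [object[]] $Targets)   # objects from Get-VDSecurityPolicyTargets
    foreach ($t in $Targets) {
        $p   = $t.Policy
        $bad = @()
        # A $true value means "Accept" in the Web Client; "Reject" is what the STIG requires.
        if ($p.ForgedTransmits)  { $bad += 'Forged Transmits accepted (VCWN-65-000013)' }
        if ($p.MacChanges)       { $bad += 'MAC Address Changes accepted (VCWN-65-000014)' }
        if ($p.AllowPromiscuous) { $bad += 'Promiscuous Mode accepted (VCWN-65-000015)' }
        [pscustomobject]@{
            Target           = $t.Name
            ForgedTransmits  = $p.ForgedTransmits
            MacChanges       = $p.MacChanges
            AllowPromiscuous = $p.AllowPromiscuous
            Finding          = ($bad.Count -gt 0)
            Detail           = ($bad -join '; ')
            Policy           = $p   # kept so remediation can act on the exact object
        }
    }
}

$findings = Get-VDSecurityPolicyFindings -Targets @(Get-VDSecurityPolicyTargets)
$findings | Format-Table Target, ForgedTransmits, MacChanges, AllowPromiscuous, Detail -AutoSize

if ($Remediate) {
    foreach ($f in ($findings | Where-Object Finding)) {
        # Build the parameter set from the findings so untouched settings keep their current value.
        $params = @{}
        if ($f.ForgedTransmits)  { $params['ForgedTransmits']  = $false }
        if ($f.MacChanges)       { $params['MacChanges']       = $false }
        if ($f.AllowPromiscuous) { $params['AllowPromiscuous'] = $false }
        $f.Policy | Set-VDSecurityPolicy @params -Confirm:$false | Out-Null
        Write-Host "Remediated $($f.Target): $($params.Keys -join ', ')"
    }
}
```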
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000016
- Vuln IDs: V-216838, V-94743
- Rule IDs: SV-216838r612237_rule, SV-104573
Checks: C-18069r366228_chk
To view NetFlow Collector IPs configured on distributed switches:
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> NetFlow. View the NetFlow pane and verify any collector IP addresses are valid and in use for troubleshooting.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDSwitch | select Name,@{N="NetFlowCollectorIPs";E={$_.ExtensionData.config.IpfixConfig.CollectorIpAddress}}
To view if NetFlow is enabled on any distributed port groups:
From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and view the NetFlow status.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup | Select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}}
If NetFlow is configured and the collector IP is not known and is not enabled temporarily for troubleshooting purposes, this is a finding.
Fix: F-18067r366229_fix
To remove collector IPs do the following:
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> NetFlow. Click edit and remove any unknown collector IPs.
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
$dvs = Get-VDSwitch dvswitch | Get-View
ForEach($vs in $dvs){
  $spec = New-Object VMware.Vim.VMwareDVSConfigSpec
  $spec.configversion = $vs.Config.ConfigVersion
  $spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig
  $spec.IpfixConfig.CollectorIpAddress = ""
  $spec.IpfixConfig.CollectorPort = "0"
  $spec.IpfixConfig.ActiveFlowTimeout = "60"
  $spec.IpfixConfig.IdleFlowTimeout = "15"
  $spec.IpfixConfig.SamplingRate = "0"
  $spec.IpfixConfig.InternalFlowsOnly = $False
  $vs.ReconfigureDvs_Task($spec)
}
Note: This will reset the NetFlow collector configuration back to the defaults.
To disable NetFlow on a distributed port group do the following:
From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and change NetFlow to disabled.
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
$pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
  $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
  $spec.configversion = $pg.Config.ConfigVersion
  $spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
  $spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
  $spec.defaultPortConfig.ipfixEnabled.inherited = $false
  $spec.defaultPortConfig.ipfixEnabled.value = $false
  $pg.ReconfigureDVPortgroup_Task($spec)
}
- RMF Control: CM-6
- Severity: L
- CCI: CCI-000366
- Version: VCWN-65-000017
- Vuln IDs: V-216839, V-94745
- Rule IDs: SV-216839r612237_rule, SV-104575
Checks: C-18070r366231_chk
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Properties. View the Properties pane and verify all Override port policies are set to disabled.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup | Get-View | Select Name,
  @{N="VlanOverrideAllowed";E={$_.Config.Policy.VlanOverrideAllowed}},
  @{N="UplinkTeamingOverrideAllowed";E={$_.Config.Policy.UplinkTeamingOverrideAllowed}},
  @{N="SecurityPolicyOverrideAllowed";E={$_.Config.Policy.SecurityPolicyOverrideAllowed}},
  @{N="IpfixOverrideAllowed";E={$_.Config.Policy.IpfixOverrideAllowed}},
  @{N="BlockOverrideAllowed";E={$_.Config.Policy.BlockOverrideAllowed}},
  @{N="ShapingOverrideAllowed";E={$_.Config.Policy.ShapingOverrideAllowed}},
  @{N="VendorConfigOverrideAllowed";E={$_.Config.Policy.VendorConfigOverrideAllowed}},
  @{N="TrafficFilterOverrideAllowed";E={$_.Config.Policy.TrafficFilterOverrideAllowed}},
  @{N="PortConfigResetAtDisconnect";E={$_.Config.Policy.PortConfigResetAtDisconnect}} | Sort Name
Note: This was broken up into multiple lines for readability. Either paste as is into a PowerShell script or combine into one line and run. This does not apply to the reset port configuration on disconnect policy.
If any port level overrides are enabled and not documented, this is a finding.
Fix: F-18068r366232_fix
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Properties. Click "Edit" and change all Override port policies to disabled.
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
$pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
  $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
  $spec.configversion = $pg.Config.ConfigVersion
  $spec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
  $spec.Policy.VlanOverrideAllowed = $False
  $spec.Policy.UplinkTeamingOverrideAllowed = $False
  $spec.Policy.SecurityPolicyOverrideAllowed = $False
  $spec.Policy.IpfixOverrideAllowed = $False
  $spec.Policy.BlockOverrideAllowed = $False
  $spec.Policy.ShapingOverrideAllowed = $False
  $spec.Policy.VendorConfigOverrideAllowed = $False
  $spec.Policy.TrafficFilterOverrideAllowed = $False
  $spec.Policy.PortConfigResetAtDisconnect = $True
  $pg.ReconfigureDVPortgroup_Task($spec)
}
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000018
- Vuln IDs: V-216840, V-94747
- Rule IDs: SV-216840r612237_rule, SV-104577
Checks: C-18071r366234_chk
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup | select Name, VlanConfiguration
If any port group is configured with the native VLAN of the ESXi host's attached physical switch, this is a finding.
Fix: F-18069r366235_fix
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Click "Edit" and under the VLAN section change the VLAN ID to a non-native VLAN and click "OK".
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000019
- Vuln IDs: V-216841, V-94749
- Rule IDs: SV-216841r612237_rule, SV-104579
Checks: C-18072r366237_chk
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to 4095.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup | select Name, VlanConfiguration
If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding.
Fix: F-18070r366238_fix
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Click "Edit" and under the VLAN section change the VLAN ID to an appropriate VLAN ID other than "4095" and click "OK".
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000020
- Vuln IDs: V-216842, V-94751
- Rule IDs: SV-216842r612237_rule, SV-104581
Checks: C-18073r366240_chk
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to a reserved VLAN ID.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup | select Name, VlanConfiguration
If any port group is configured with a reserved VLAN ID, this is a finding.
Fix: F-18071r366241_fix
From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Click "Edit" and under the VLAN section change the VLAN ID to an unreserved VLAN ID and click "OK".
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000021
- Vuln IDs: V-216843, V-94753
- Rule IDs: SV-216843r612237_rule, SV-104583
Checks: C-18074r366243_chk
From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Verify that config.nfc.useSSL is set to "true".
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-AdvancedSetting -Entity <vcenter server name> -Name config.nfc.useSSL
Verify "config.nfc.useSSL" is set to "true". If "config.nfc.useSSL" is set to a value other than "true" or does not exist, this is a finding.
Fix: F-18072r366244_fix
From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Click "Edit" and edit the "config.nfc.useSSL" value to "true" or, if the value does not exist, create it by entering the values in the "Key" and "Value" fields and clicking "Add".
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
If the setting already exists:
Get-AdvancedSetting -Entity <vcenter server name> -Name config.nfc.useSSL | Set-AdvancedSetting -Value true
If the setting does not exist:
New-AdvancedSetting -Entity <vcenter server name> -Name config.nfc.useSSL -Value true
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000022
- Vuln IDs: V-216844, V-94755
- Rule IDs: SV-216844r612237_rule, SV-104585
Checks: C-18075r366246_chk
This control only applies to Windows based vCenter installations. The following services should be set to run as a service account:
VMware Content Library Service
VMware Inventory Service
VMware Performance Charts
VMware VirtualCenter Server
vCenter should be installed using the service account as that will configure the services appropriately. If vCenter is not installed with a service account, this is a finding. If the services identified in this control are not running as a service account, this is a finding.
Fix: F-18073r366247_fix
For each of the following services open the services console on the vCenter server, right-click the service and select "Properties". Go to the "Log On" tab, configure the service to run as a service account and restart the service.
VMware Content Library Service
VMware Inventory Service
VMware Performance Charts
VMware VirtualCenter Server
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000023
- Vuln IDs: V-216845, V-94757
- Rule IDs: SV-216845r612237_rule, SV-104587
Checks: C-18076r531360_chk
Select the vCenter Server in the vSphere Web Client object hierarchy. Click Configure. Click Advanced Settings and enter VimPasswordExpirationInDays in the filter box. Verify "VirtualCenter.VimPasswordExpirationInDays" is set to "30".
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-AdvancedSetting -Entity <vcenter server name> -Name VirtualCenter.VimPasswordExpirationInDays
and verify it is set to 30. If "VirtualCenter.VimPasswordExpirationInDays" is set to a value other than "30" or does not exist, this is a finding.
Fix: F-18074r531361_fix
Select the vCenter Server in the vSphere Web Client object hierarchy. Click Configure. Click Advanced Settings and enter VimPasswordExpirationInDays in the filter box. Set "VirtualCenter.VimPasswordExpirationInDays" to "30".
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
If the setting already exists:
Get-AdvancedSetting -Entity <vcenter server name> -Name VirtualCenter.VimPasswordExpirationInDays | Set-AdvancedSetting -Value 30
If the setting does not exist:
New-AdvancedSetting -Entity <vcenter server name> -Name VirtualCenter.VimPasswordExpirationInDays -Value 30
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000024
- Vuln IDs: V-216846, V-94759
- Rule IDs: SV-216846r612237_rule, SV-104589
Checks: C-18077r366252_chk
From the vSphere Web Client go to Hosts and Clusters >> Select a vCenter Server >> Configure >> Settings >> Advanced Settings. Verify that "config.vpxd.hostPasswordLength" is set to "32".
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-AdvancedSetting -Entity <vcenter server name> -Name config.vpxd.hostPasswordLength
and verify it is set to 32. If "config.vpxd.hostPasswordLength" is set to a value other than "32" or does not exist, this is a finding.
Fix: F-18075r366253_fix
From the vSphere Web Client go to Hosts and Clusters >> Select a vCenter Server >> Configure >> Settings >> Advanced Settings. Click "Edit" and edit the "config.vpxd.hostPasswordLength" value to "32" or, if the value does not exist, create it by entering the values in the "Key" and "Value" fields and clicking "Add".
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
If the setting already exists:
Get-AdvancedSetting -Entity <vcenter server name> -Name config.vpxd.hostPasswordLength | Set-AdvancedSetting -Value 32
If the setting does not exist:
New-AdvancedSetting -Entity <vcenter server name> -Name config.vpxd.hostPasswordLength -Value 32
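VCWN-65-000021, 000023 and 000024 all follow the same pattern: an advanced setting must exist on the vCenter Server object and hold one specific value, with Get-/Set-AdvancedSetting when it exists and New-AdvancedSetting when it does not. The script below is an added example, not part of the STIG, that drives that pattern from a table so the three rules (and any later ones of the same shape) are checked and, optionally, fixed in one run. It assumes an existing Connect-VIServer session; passing $global:DefaultVIServer as the entity is the author's choice here, not something the STIG specifies.

```powershell
# Added example for VCWN-65-000021/23/24: table-driven check and fix of vCenter advanced settings.
# Assumes an existing Connect-VIServer session.

$required = @(
    @{ Rule = 'VCWN-65-000021'; Name = 'config.nfc.useSSL';                          Value = 'true' }
    @{ Rule = 'VCWN-65-000023'; Name = 'VirtualCenter.VimPasswordExpirationInDays'; Value = '30'   }
    @{ Rule = 'VCWN-65-000024'; Name = 'config.vpxd.hostPasswordLength';            Value = '32'   }
)

function Test-VCAdvancedSetting {
    param(
        [Parameter(Mandatory)] $Entity,                 # the vCenter Server object, e.g. $global:DefaultVIServer
        [Parameter(Mandatory)] [hashtable[]] $Required, # rows of Rule / Name / Value
        [switch] $Remediate
    )
    foreach ($r in $Required) {
        # Returns nothing (no error) when the key has never been created, which the STIG also counts as a finding.
        $setting = Get-AdvancedSetting -Entity $Entity -Name $r.Name -ErrorAction SilentlyContinue
        $actual  = if ($setting) { [string]$setting.Value } else { '<missing>' }
        # String -eq is case-insensitive in PowerShell, so a stored "True" satisfies the required "true".
        $ok = ($actual -eq [string]$r.Value)
        $action = 'none'
        if (-not $ok -and $Remediate) {
            if ($setting) {
                $setting | Set-AdvancedSetting -Value $r.Value -Confirm:$false | Out-Null
                $action = 'updated'
            } else {
                New-AdvancedSetting -Entity $Entity -Name $r.Name -Value $r.Value -Confirm:$false | Out-Null
                $action = 'created'
            }
        }
        [pscustomobject]@{
            Rule     = $r.Rule
            Name     = $r.Name
            Expected = $r.Value
            Actual   = $actual
            Finding  = (-not $ok)
            Action   = $action
        }
    }
}

# Report only; add -Remediate to apply the values from the table.
Test-VCAdvancedSetting -Entity $global:DefaultVIServer -Required $required | Format-Table -AutoSize
```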
- RMF Control: CM-6
- Severity: L
- CCI: CCI-000366
- Version: VCWN-65-000025
- Vuln IDs: V-216847, V-94761
- Rule IDs: SV-216847r612237_rule, SV-104591
Checks: C-18078r366255_chk
The Managed Object Browser (MOB) was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is an inventory object, full-access interface, allowing attackers to determine the inventory path of an infrastructure's managed entities.
Check the operational status of the MOB: Determine the location of the vpxd.cfg file on the vCenter Server's Windows OS host. Edit the file and locate the <vpxd> ... </vpxd> element. Ensure the following element is set.
<enableDebugBrowse>false</enableDebugBrowse>
If the MOB is currently enabled, ask the SA if it is being used for object maintenance. If the "enableDebugBrowse" element is enabled (set to true), and object maintenance is not being performed, this is a finding.
Fix: F-18076r366256_fix
If the datastore browser is enabled and required for object maintenance, no fix is immediately required.
Disable the managed object browser: Determine the location of the vpxd.cfg file on the Windows host. Edit the file and locate the <vpxd> ... </vpxd> element. Ensure the following element is set.
<enableDebugBrowse>false</enableDebugBrowse>
Restart the vCenter Service to ensure the configuration file change(s) are in effect.
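Editing vpxd.cfg by hand is easy to get subtly wrong (a second enableDebugBrowse element, or one outside <vpxd>). The function below is an added example, not part of the STIG, that reads the file as XML, reports the element's state including the case where it is absent, and with -Remediate writes exactly one <enableDebugBrowse>false</enableDebugBrowse> inside <vpxd>. The vpxd.cfg path is a parameter because the check text says to determine it on the host; the path in the usage line is an assumed example.

```powershell
# Added example for VCWN-65-000025: check (and optionally set) enableDebugBrowse in vpxd.cfg.
# The file location is an assumption passed in by the caller; confirm it on the vCenter host.

function Test-VpxdDebugBrowse {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Remediate
    )
    $full = (Resolve-Path -Path $Path).Path          # XmlDocument.Save needs an absolute path
    [xml]$cfg = Get-Content -Path $full -Raw
    $vpxd = $cfg.SelectSingleNode('//vpxd')
    if ($null -eq $vpxd) { throw "No <vpxd> element found in $full" }

    $node   = $vpxd.SelectSingleNode('enableDebugBrowse')
    $actual = if ($null -ne $node) { $node.InnerText.Trim() } else { '<absent>' }
    # Only an explicit "true" is a finding under the check text; an absent element is reported
    # as-is so the reviewer can confirm the effective default rather than guess it.
    $finding    = ($actual -eq 'true')
    $remediated = $false

    if ($Remediate -and $actual -ne 'false') {
        if ($null -eq $node) {
            $node = $cfg.CreateElement('enableDebugBrowse')
            [void]$vpxd.AppendChild($node)
        }
        $node.InnerText = 'false'
        $cfg.Save($full)                             # the vCenter Server service must be restarted afterwards
        $remediated = $true
    }

    [pscustomobject]@{
        Path              = $full
        enableDebugBrowse = $actual
        Finding           = $finding
        Remediated        = $remediated
    }
}

# Usage (path assumed; report only, add -Remediate to write the element):
# Test-VpxdDebugBrowse -Path 'C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vpxd.cfg'
```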
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000026
- Vuln IDs: V-216848, V-94845
- Rule IDs: SV-216848r612237_rule, SV-104675
Checks: C-18079r366258_chk
After the Windows server hosting the vCenter Server has been rebooted, a vCenter Server user or member of the user group granted the administrator role must log in and verify the role permissions remain intact. If the user and/or user group granted vCenter administrator role permissions cannot be verified as intact, this is a finding.
Fix: F-18077r366259_fix
As the SSO Administrator, log in to the vCenter Server and restore a legitimate administrator account per site-specific user/group/role requirements.
- RMF Control: CM-6
- Severity: H
- CCI: CCI-000366
- Version: VCWN-65-000027
- Vuln IDs: V-216849, V-94763
- Rule IDs: SV-216849r612237_rule, SV-104593
Checks: C-18080r366261_chk
Log in to the vCenter server and verify the local administrators group contains only users and/or groups that are vCenter Administrators. If the local administrators group contains users and/or groups that are not vCenter Administrators, such as "Domain Admins", this is a finding.
Fix: F-18078r366262_fix
Remove all unnecessary users and/or groups from the local administrators group of the vCenter server.
- RMF Control: CM-6
- Severity: M
- CCI: CCI-000366
- Version: VCWN-65-000028
- Vuln IDs: V-216850, V-94765
- Rule IDs: SV-216850r612237_rule, SV-104595
Checks: C-18081r366264_chk
If at any time a vCenter Server installation fails, only the log files of format "hs_err_pid...." should be identified on the Windows host and deleted securely before putting the host into production. Determine if a site policy exists for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format "hs_err_pid". If a file name of the format "hs_err_pid" is found, this is a finding. If a site policy does not exist and/or is not followed, this is a finding.
Fix: F-18079r366265_fix
Develop a site policy for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format "hs_err_pid" and remove them.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000029
- Vuln IDs
-
- V-216851
- V-94767
- Rule IDs
-
- SV-216851r612237_rule
- SV-104597
Checks: C-18082r366267_chk
Verify the "webclient.properties" file contains the line "show.allusers.tasks = true". The default locations for the "webclient.properties" file are: Appliance: /etc/vmware/vsphere-client/ Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client\ If "show.allusers.tasks" is not set to "true", this is a finding.
Fix: F-18080r366268_fix
Edit the "webclient.properties" file to set the "show.allusers.tasks" value to "true". The default locations for the "webclient.properties" file are: Appliance: /etc/vmware/vsphere-client/ Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client\ After editing the file, the vSphere Web Client service must be restarted.
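The following PowerShell is an added example, not part of the STIG or of VMware's tooling, showing how to check and set the "show.allusers.tasks" key on the Windows platform without hand-editing the file. It assumes the default Windows path from the check text, that the properties file is plain ASCII, and that the vSphere Web Client Windows service is named "vspherewebclientsvc". The same functions work for any other key in that file; only the default parameters are specific to this rule.

```powershell
# Added example (not from the STIG): idempotently check/set a key in webclient.properties.
# Assumptions: default Windows path from the check text; Web Client service is "vspherewebclientsvc".

$WebClientProps = 'C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client\webclient.properties'

function Set-PropertyLine {
    # Pure function: returns the updated lines of a Java-style .properties file.
    # A commented-out "#show.allusers.tasks = false" line is replaced rather than left
    # behind, and duplicate definitions are dropped, so only one live setting remains.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    $pattern = '^\s*#?\s*' + [regex]::Escape($Key) + '\s*=.*$'
    $newLine = "$Key = $Value"
    $found = $false
    $out = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            if (-not $found) { $found = $true; $newLine }   # first match becomes the live setting
        } else {
            $line
        }
    }
    if (-not $found) { $out = @($out) + $newLine }          # key absent: append it
    return @($out)
}

function Get-PropertyValue {
    # Returns the effective (uncommented) value of a key, or $null if it is not set.
    param([string[]]$Lines, [string]$Key)
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*=\s*(.*?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

function Test-WebClientProperty {
    # Check: reports the current value and whether it matches the required one.
    param([string]$Path = $WebClientProps, [string]$Key = 'show.allusers.tasks', [string]$Expected = 'true')
    $value = Get-PropertyValue -Lines (Get-Content -Path $Path) -Key $Key
    if ($value -eq $Expected) { "$Key = $value (compliant)" }
    else { "$Key = $(if ($null -eq $value) { '<not set>' } else { $value }) (FINDING: expected $Expected)" }
}

function Set-WebClientProperty {
    # Fix: back up the file, rewrite the key, restart the Web Client so the change takes effect.
    param([string]$Path = $WebClientProps, [string]$Key = 'show.allusers.tasks', [string]$Value = 'true')
    Copy-Item -Path $Path -Destination "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $updated = Set-PropertyLine -Lines (Get-Content -Path $Path) -Key $Key -Value $Value
    Set-Content -Path $Path -Value $updated -Encoding ASCII
    Restart-Service -Name vspherewebclientsvc
}

# Usage on the vCenter host, in an elevated PowerShell session:
# Test-WebClientProperty
# Set-WebClientProperty
```

Set-PropertyLine is separated from the file I/O so the rewrite logic can be exercised against an in-memory array before touching the live file; the backup copy is what you restore if the Web Client fails to start after the change.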
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000030
- Vuln IDs
-
- V-216852
- V-94769
- Rule IDs
-
- SV-216852r612237_rule
- SV-104599
Checks: C-18083r366270_chk
If Enhanced Linked Mode is used, local Windows authentication is not available to vCenter and this check is not applicable. Under the Computer Management console for Windows, view the local Administrators group and verify that only vCenter administrators have access to the vCenter server. Other groups and users that are not vCenter administrators, such as "Domain Admins", must be removed from the local Administrators group. If any groups or users that are not vCenter administrators are present in the local Administrators group of the vCenter server, this is a finding.
Fix: F-18081r366271_fix
Under the Computer Management console for Windows, view the local Administrators group and remove any users or groups that do not meet the criteria defined in the check content.
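The following PowerShell is an added example, not from the STIG, that serves both VCWN-65-000027 and VCWN-65-000030: it diffs the local Administrators group against a documented allowlist and can remove the extras. It assumes Windows PowerShell 5.1 (for Get-LocalGroupMember) and that the two principals in $ApprovedAdmins are placeholders for the site's documented vCenter administrator accounts and groups; as the check text says, it does not apply where Enhanced Linked Mode removes local Windows authentication.

```powershell
# Added example (not from the STIG): audit the local Administrators group against an allowlist.
# Assumptions: PowerShell 5.1; the allowlist entries are placeholders for the site's documented principals.

$ApprovedAdmins = @(
    'VSPHERE\vCenter Admins',     # hypothetical domain group of vCenter administrators
    'VCENTER01\Administrator'     # hypothetical built-in local administrator account
)

function Get-LocalAdminFindings {
    # One row per member; Finding is $true for anything not on the allowlist (e.g. "Domain Admins").
    param([string[]]$Approved = $ApprovedAdmins)
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $isApproved = $Approved -contains $m.Name    # case-insensitive exact match on DOMAIN\Name
        [pscustomobject]@{
            Member   = $m.Name
            Class    = $m.ObjectClass      # User or Group
            Source   = $m.PrincipalSource  # Local, ActiveDirectory, ...
            Approved = $isApproved
            Finding  = -not $isApproved
        }
    }
}

function Remove-UnapprovedLocalAdmins {
    # Fix: removes every member flagged as a finding; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Approved = $ApprovedAdmins)
    foreach ($f in (Get-LocalAdminFindings -Approved $Approved | Where-Object Finding)) {
        if ($PSCmdlet.ShouldProcess($f.Member, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $f.Member
        }
    }
}

# Get-LocalAdminFindings | Format-Table -AutoSize
# Remove-UnapprovedLocalAdmins -WhatIf    # review the list, then run without -WhatIf
```

Keep the account you are running as on the allowlist, or the fix will lock you out of the box. Get-LocalGroupMember also fails outright when the group holds orphaned SIDs of deleted domain accounts; remove those through Computer Management first.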
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- VCWN-65-000031
- Vuln IDs
-
- V-216853
- V-94771
- Rule IDs
-
- SV-216853r612237_rule
- SV-104601
Checks: C-18084r366273_chk
Check the following conditions: The Update Manager server must be configured to use the Update Manager Download Server. The use of physical media to transfer update files to the Update Manager server (air gap model, for example a separate Update Manager Download Server that sources vendor patches externally via the Internet versus an internal, organization-defined source) must be enforced by site policy. Verify the Update Manager download source is not the Internet. To verify the download settings, from the vSphere Client/vCenter Server system, click "Update Manager" under "Solutions and Applications". On the "Configuration" tab, under "Settings", click "Download Settings". In the "Download Sources" pane, verify "Direct connection to Internet" is not selected. If "Direct connection to Internet" is configured, this is a finding. If any of the above conditions is not met, this is a finding.
Fix: F-18082r366274_fix
Configure the Update Manager Server to use a separate Update Manager Download Server; the use of physical media to transfer update files to the Update Manager server (air gap model) must be enforced and documented in organization policies. Configure the Update Manager Download Server and enable the Download Service. Patches must not be directly accessible to the Update Manager Server application from the Internet. To configure a Web server or local disk repository as the download source (i.e., "Direct connection to Internet" must not be selected as the source), from the vSphere Client/vCenter Server system, click "Update Manager" under "Solutions and Applications". On the "Configuration" tab, under "Settings", click "Download Settings". In the "Download Sources" pane, select "Use a shared repository". Enter the <site-specific> path or the URL to the shared repository. Click "Validate URL" to validate the path. Click "Apply".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000032
- Vuln IDs
-
- V-216854
- V-94773
- Rule IDs
-
- SV-216854r612237_rule
- SV-104603
Checks: C-18085r366276_chk
Verify only the following permissions are allowed to the VUM database user. For Oracle DB normal operation, only the following permissions are required:
grant connect to vumAdmin
grant resource to vumAdmin
grant create any job to vumAdmin
grant create view to vumAdmin
grant create any sequence to vumAdmin
grant create any table to vumAdmin
grant lock any table to vumAdmin
grant create procedure to vumAdmin
grant create type to vumAdmin
grant execute on dbms_lock to vumAdmin
grant unlimited tablespace to vumAdmin (to ensure space limitation is not an issue)
For SQL DB normal operation, make sure that the database user has either the sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database. The db_owner role on the MSDB database is required for installation and upgrade only. If the above vendor database-dependent permissions are not strictly adhered to, this is a finding.
Fix: F-18083r366277_fix
For Oracle DB normal runtime operation, set the following permissions:
grant connect to vumAdmin
grant resource to vumAdmin
grant create any job to vumAdmin
grant create view to vumAdmin
grant create any sequence to vumAdmin
grant create any table to vumAdmin
grant lock any table to vumAdmin
grant create procedure to vumAdmin
grant create type to vumAdmin
grant execute on dbms_lock to vumAdmin
grant unlimited tablespace to vumAdmin (to ensure space limitation is not an issue)
For SQL DB normal operation, make sure that the database user has either the sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database. The db_owner role on the MSDB database is required for installation and upgrade only. Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000033
- Vuln IDs
-
- V-216855
- V-94775
- Rule IDs
-
- SV-216855r612237_rule
- SV-104605
Checks: C-18086r366279_chk
Verify only the following permissions are allowed on the vCenter database for the following roles and users.
vCenter database administrator role, used only for initial setup and periodic maintenance of the database: schema permissions ALTER, REFERENCES, and INSERT; permissions CREATE TABLE, ALTER TABLE, VIEW, and CREATE PROCEDURE.
vCenter database user role: SELECT, INSERT, DELETE, UPDATE, and EXECUTE; EXECUTE permission on the sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures in the MSDB database; SELECT permission on the syscategories, sysjobsteps, sysjobs_view, and sysjobs tables in the MSDB database.
vCenter database user (server-level permissions): VIEW SERVER STATE and VIEW ANY DEFINITION.
Equivalent permissions must be set for non-Microsoft databases. If the above database permissions are not set correctly, this is a finding.
Fix: F-18084r366280_fix
Configure correct permissions and roles for SQL Server:
Grant these privileges to a vCenter database administrator role used only for initial setup and periodic maintenance of the database: schema permissions ALTER, REFERENCES, and INSERT; permissions CREATE TABLE, ALTER TABLE, VIEW, and CREATE PROCEDURE.
Grant these privileges to a vCenter database user role: SELECT, INSERT, DELETE, UPDATE, and EXECUTE; EXECUTE permission on the sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures in the MSDB database; SELECT permission on the syscategories, sysjobsteps, sysjobs_view, and sysjobs tables in the MSDB database.
Grant the server-level permissions VIEW SERVER STATE and VIEW ANY DEFINITION to the vCenter database user's login.
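Both database checks (VCWN-65-000032 for Update Manager and VCWN-65-000033 for vCenter) come down to "what can this login actually do in these databases", which is hard to read off the SQL Server Management Studio dialogs. The following PowerShell is an added example, not from the STIG or VMware, that enumerates server role membership, server permissions, the database user mapped to the login, its database roles, and every explicit permission held by the user or by a role it belongs to, so the result can be diffed against the lists above. It assumes SQL Server (the Oracle grants are not covered), Windows authentication for the person running it, and that the instance, database and login names in the parameter defaults are placeholders.

```powershell
# Added example (not from the STIG): enumerate a login's effective rights in the vCenter and VUM databases.
# Assumptions: SQL Server, Windows auth for the auditor, placeholder instance/database/login names.

Add-Type -AssemblyName System.Data

function Invoke-SqlQuery {
    # Runs a parameterized query (no string-built SQL) and returns the result rows.
    param(
        [System.Data.SqlClient.SqlConnection]$Connection,
        [string]$Sql,
        [hashtable]$Parameters = @{}
    )
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($k in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue("@$k", $Parameters[$k]) }
    $table = New-Object System.Data.DataTable
    $reader = $cmd.ExecuteReader()
    try { $table.Load($reader) } finally { $reader.Close() }
    return $table.Rows
}

function Get-DbPrincipalAudit {
    param(
        [string]$Instance    = 'SQL01\VCDB',            # placeholder instance
        [string]$Login       = 'VSPHERE\svc-vcenter',   # placeholder login to audit
        [string[]]$Databases = @('VCDB', 'VUMDB', 'msdb')   # placeholder vCenter DB, VUM DB, plus msdb
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Integrated Security=SSPI;"
    $conn.Open()
    try {
        # Server level: sysadmin membership and explicit server permissions (VIEW SERVER STATE, VIEW ANY DEFINITION).
        $sysadmin = Invoke-SqlQuery $conn "SELECT IS_SRVROLEMEMBER('sysadmin', @login) AS IsSysadmin" @{ login = $Login }
        [pscustomobject]@{ Scope = 'server'; Grantee = $Login; Item = 'sysadmin role'; Value = ($sysadmin[0].IsSysadmin -eq 1) }
        $srvPerms = Invoke-SqlQuery $conn @"
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals s ON s.principal_id = p.grantee_principal_id
WHERE s.name = @login
"@ @{ login = $Login }
        foreach ($r in $srvPerms) {
            [pscustomobject]@{ Scope = 'server'; Grantee = $Login; Item = $r.permission_name; Value = $r.state_desc }
        }

        foreach ($db in $Databases) {
            try { $conn.ChangeDatabase($db) }
            catch { [pscustomobject]@{ Scope = $db; Grantee = $Login; Item = 'database'; Value = 'not accessible' }; continue }
            # Database user mapped to the login, matched by SID so a renamed user is still found.
            $user = Invoke-SqlQuery $conn "SELECT name FROM sys.database_principals WHERE sid = SUSER_SID(@login)" @{ login = $Login }
            if ($user.Count -eq 0) {
                [pscustomobject]@{ Scope = $db; Grantee = $Login; Item = 'user mapping'; Value = 'none' }
                continue
            }
            $userName = $user[0].name
            # Role membership: db_owner on the VUM database and msdb is what the VUM text asks for.
            $roles = Invoke-SqlQuery $conn @"
SELECT r.name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = @user
"@ @{ user = $userName }
            foreach ($r in $roles) {
                [pscustomobject]@{ Scope = $db; Grantee = $userName; Item = 'role'; Value = $r.name }
            }
            # Explicit permissions held by the user directly or through any role it belongs to.
            $perms = Invoke-SqlQuery $conn @"
SELECT g.name AS grantee, p.class_desc, p.permission_name, p.state_desc
FROM sys.database_permissions p
JOIN sys.database_principals g ON g.principal_id = p.grantee_principal_id
WHERE p.grantee_principal_id IN (
    SELECT principal_id FROM sys.database_principals WHERE name = @user
    UNION
    SELECT rm.role_principal_id FROM sys.database_role_members rm
    JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
    WHERE m.name = @user)
"@ @{ user = $userName }
            foreach ($r in $perms) {
                [pscustomobject]@{ Scope = $db; Grantee = $r.grantee; Item = "$($r.class_desc) $($r.permission_name)"; Value = $r.state_desc }
            }
        }
    } finally { $conn.Close() }
}

# Get-DbPrincipalAudit | Format-Table -AutoSize
# Get-DbPrincipalAudit -Login 'VSPHERE\svc-vum' -Databases @('VUMDB', 'msdb') | Format-Table -AutoSize
```

Anything in the output that is not on the lists above is the finding; the two most common surprises are a vCenter service login left in sysadmin after installation and db_owner on msdb never being revoked once the upgrade that needed it is done.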
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000034
- Vuln IDs
-
- V-216856
- V-94777
- Rule IDs
-
- SV-216856r612237_rule
- SV-104607
Checks: C-18087r366282_chk
Verify that each external application that connects to vCenter has a unique service account dedicated to that application. For example, there should be separate accounts for Log Insight, Operations Manager, and anything else that requires an account to access vCenter. If any application shares a service account that is used to connect to vCenter, this is a finding.
Fix: F-18085r366283_fix
For applications sharing service accounts, create a new service account to assign to the application so that no application shares a service account with another. When standing up a new application that requires access to vCenter, always create a new service account prior to installation and grant only the permissions needed for that application.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000035
- Vuln IDs
-
- V-216857
- V-94779
- Rule IDs
-
- SV-216857r612237_rule
- SV-104609
Checks: C-18088r366285_chk
Verify the vSphere Client used by administrators includes only authorized extensions from trusted sources. From the vSphere Web Client go to Administration >> Solutions >> Client Plug-Ins. View the Installed/Available Plug-ins list and verify every entry is identified as an authorized VMware, third-party (partner), or site-specific (locally developed and site-approved) plug-in. If any Installed/Available plug-in in the list cannot be verified as a vSphere Client plug-in and/or an authorized extension from a trusted source, this is a finding.
Fix: F-18086r366286_fix
From the vSphere Web Client go to Administration >> Solutions >> Client Plug-Ins, right-click the unknown plug-in, click "Disable", then remove the plug-in as follows. If vCenter Server is in linked mode, perform this procedure on the vCenter Server that was used to install the plug-in initially, then restart the vCenter Server services on the linked vCenter Servers.
1. In a web browser, navigate to https://vCenter_Server_name_or_IP/mob, where vCenter_Server_name_or_IP is the name or IP address of the vCenter Server.
2. Click "content".
3. Click "ExtensionManager".
4. Select and copy the key of the plug-in to remove from the list of values under "Properties". For a list of default plug-ins, see the Additional Information section of this article.
5. Click "UnregisterExtension". A new window appears.
6. Paste the plug-in key and click "Invoke Method". This removes the plug-in.
7. Close the window.
8. Refresh the Managed Object Type:ManagedObjectReference:ExtensionManager window to verify that the plug-in was removed.
Note: If the plug-in still appears, the vSphere Client may need to be restarted.
Note: The Managed Object Browser (MOB) may need to be enabled temporarily if it was previously disabled.
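The MOB procedure above is the manual form of one API call, ExtensionManager.UnregisterExtension, and the same manager exposes the registered list. The following PowerCLI is an added example, not from the STIG or VMware, that lists every registered extension with its vendor and version, flags keys missing from a documented allowlist, and unregisters them with a dry-run option, which avoids enabling the MOB at all. It assumes an existing Connect-VIServer session and that the three keys in $ApprovedExtensionKeys are placeholders for the site's own approved list.

```powershell
# Added example (not from the STIG): audit and remove vCenter extensions (plug-ins) via ExtensionManager.
# Assumptions: PowerCLI session already connected; allowlist keys are placeholders.

$ApprovedExtensionKeys = @(
    'com.vmware.vim.sms',        # vCenter storage monitoring service (ships with vCenter)
    'com.vmware.vcIntegrity',    # Update Manager
    'com.example.backup'         # hypothetical site-approved third-party plug-in
)

function Get-ExtensionFindings {
    # One row per registered extension; Approved is $false for anything not on the allowlist.
    param([string[]]$Approved = $ApprovedExtensionKeys)
    $extMgr = Get-View ExtensionManager
    foreach ($ext in $extMgr.ExtensionList) {
        [pscustomobject]@{
            Key      = $ext.Key
            Label    = $ext.Description.Label
            Company  = $ext.Company
            Version  = $ext.Version
            Approved = ($Approved -contains $ext.Key)
        }
    }
}

function Remove-UnapprovedExtensions {
    # Fix: unregisters each unapproved key; -WhatIf prints what would be removed without doing it.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Approved = $ApprovedExtensionKeys)
    $extMgr = Get-View ExtensionManager
    foreach ($f in (Get-ExtensionFindings -Approved $Approved | Where-Object { -not $_.Approved })) {
        if ($PSCmdlet.ShouldProcess($f.Key, 'UnregisterExtension')) {
            $extMgr.UnregisterExtension($f.Key)   # the same method the MOB page invokes
        }
    }
}

# Get-ExtensionFindings | Format-Table -AutoSize
# Remove-UnapprovedExtensions -WhatIf    # inspect, then run without -WhatIf
```

Build the allowlist from the Get-ExtensionFindings output on a known-good vCenter before using the removal function: vCenter's own com.vmware.* extensions are registered here too, and unregistering one of them breaks the corresponding feature rather than removing a third-party plug-in.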
- RMF Control
- SI-6
- Severity
- L
- CCI
- CCI-002702
- Version
- VCWN-65-000036
- Vuln IDs
-
- V-216858
- V-94781
- Rule IDs
-
- SV-216858r612237_rule
- SV-104611
Checks: C-18089r366288_chk
From the vSphere Web Client go to Hosts and Clusters >> Select a vCenter Server >> Configure >> Settings >> Advanced Settings. Verify that the "config.log.level" value is set to "info". or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity <vcenter server name> -Name config.log.level and verify it is set to "info". If the "config.log.level" value is not set to "info" or does not exist, this is a finding.
Fix: F-18087r366289_fix
From the vSphere Web Client go to Hosts and Clusters >> Select a vCenter Server >> Configure >> Settings >> Advanced Settings. Click "Edit" and set the "config.log.level" setting to "info", or if the value does not exist, create it by entering the values in the "Key" and "Value" fields and clicking "Add". or From a PowerCLI command prompt while connected to the vCenter server run the following command: If the setting already exists: Get-AdvancedSetting -Entity <vcenter server name> -Name config.log.level | Set-AdvancedSetting -Value info If the setting does not exist: New-AdvancedSetting -Entity <vcenter server name> -Name config.log.level -Value info
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000205
- Version
- VCWN-65-000039
- Vuln IDs
-
- V-216859
- V-94783
- Rule IDs
-
- SV-216859r612237_rule
- SV-104613
Checks: C-18090r366291_chk
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Minimum Length: 15 If this password policy is not configured as stated, this is a finding.
Fix: F-18088r366292_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set the Minimum Length to "15" and click "OK".
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000192
- Version
- VCWN-65-000040
- Vuln IDs
-
- V-216860
- V-94785
- Rule IDs
-
- SV-216860r612237_rule
- SV-104615
Checks: C-18091r366294_chk
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Upper-case Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.
Fix: F-18089r366295_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Upper-case Characters to at least "1" and click "OK".
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000193
- Version
- VCWN-65-000041
- Vuln IDs
-
- V-216861
- V-94787
- Rule IDs
-
- SV-216861r612237_rule
- SV-104617
Checks: C-18092r366297_chk
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Lower-case Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.
Fix: F-18090r366298_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Lower-case Characters to at least "1" and click "OK".
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000194
- Version
- VCWN-65-000042
- Vuln IDs
-
- V-216862
- V-94789
- Rule IDs
-
- SV-216862r612237_rule
- SV-104619
Checks: C-18093r366300_chk
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Numeric Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.
Fix: F-18091r366301_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Numeric Characters to at least "1" and click "OK".
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-001619
- Version
- VCWN-65-000043
- Vuln IDs
-
- V-216863
- V-94791
- Rule IDs
-
- SV-216863r612237_rule
- SV-104621
Checks: C-18094r366303_chk
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirements should be set at a minimum: Special Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.
Fix: F-18092r366304_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Special Characters to at least "1" and click "OK".
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- VCWN-65-000045
- Vuln IDs
-
- V-216864
- V-94793
- Rule IDs
-
- SV-216864r612237_rule
- SV-104623
Checks: C-18095r366306_chk
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policy should be set as follows: Maximum number of failed login attempts: 3 If this account lockout policy is not configured as stated, this is a finding.
Fix: F-18093r366307_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click "Edit". Set the Maximum number of failed login attempts to "3" and click "OK".
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- VCWN-65-000046
- Vuln IDs
-
- V-216865
- V-94795
- Rule IDs
-
- SV-216865r612237_rule
- SV-104625
Checks: C-18096r366309_chk
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policy should be set as follows: Time interval between failures: 900 seconds If this lockout policy is not configured as stated, this is a finding.
Fix: F-18094r366310_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click "Edit". Set the Time interval between failures to "900" and click "OK".
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- VCWN-65-000047
- Vuln IDs
-
- V-216866
- V-94797
- Rule IDs
-
- SV-216866r612237_rule
- SV-104627
Checks: C-18097r366312_chk
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policy should be set as follows: Unlock time: 0 If this account lockout policy is not configured as stated, this is a finding.
Fix: F-18095r366313_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click "Edit". Set the Unlock time to "0" and click "OK".
- RMF Control
- SI-6
- Severity
- M
- CCI
- CCI-001294
- Version
- VCWN-65-000048
- Vuln IDs
-
- V-216867
- V-94799
- Rule IDs
-
- SV-216867r612237_rule
- SV-104629
Checks: C-18098r366315_chk
From the vSphere Web Client go to Hosts and Clusters >> Select a vCenter Server >> Monitor >> Issues >> Alarm Definitions. Verify there is an alarm created to alert on permission additions. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionAddedEvent"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert on permission addition events, this is a finding.
Fix: F-18096r366316_fix
From the vSphere Web Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions. Right-click in the empty space and select "New Alarm". On the "General" tab provide an alarm name and description, Select "vCenter Server" for alarm type and "Monitor for specific events occurring on this object", check "Enable this alarm". On the "Triggers" tab, click "Add" for a trigger and in the event column enter "vim.event.PermissionAddedEvent" and click "OK".
- RMF Control
- SI-6
- Severity
- M
- CCI
- CCI-001294
- Version
- VCWN-65-000049
- Vuln IDs
-
- V-216868
- V-94801
- Rule IDs
-
- SV-216868r612237_rule
- SV-104631
Checks: C-18099r366318_chk
From the vSphere Web Client go to Hosts and Clusters >> Select a vCenter Server >> Monitor >> Issues >> Alarm Definitions. Verify there is an alarm created to alert on permission removals. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionRemovedEvent"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert on permission removal events, this is a finding.
Fix: F-18097r366319_fix
From the vSphere Web Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions. Right-click in the empty space and select "New Alarm". On the "General" tab provide an alarm name and description, Select "vCenter Server" for alarm type and "Monitor for specific events occurring on this object", check "Enable this alarm". On the "Triggers" tab, click "Add" for a trigger and in the event column enter "vim.event.PermissionRemovedEvent" and click "OK".
- RMF Control
- SI-6
- Severity
- M
- CCI
- CCI-001294
- Version
- VCWN-65-000050
- Vuln IDs
-
- V-216869
- V-94803
- Rule IDs
-
- SV-216869r612237_rule
- SV-104633
Checks: C-18100r366321_chk
From the vSphere Web Client go to Hosts and Clusters >> Select a vCenter Server >> Monitor >> Issues >> Alarm Definitions. Verify there is an alarm created to alert on permission updates. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionUpdatedEvent"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert on permission update events, this is a finding.
Fix: F-18098r366322_fix
From the vSphere Web Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions. Right-click in the empty space and select "New Alarm". On the "General" tab provide an alarm name and description, Select "vCenter Server" for alarm type and "Monitor for specific events occurring on this object", check "Enable this alarm". On the "Triggers" tab, click "Add" for a trigger and in the event column enter "vim.event.PermissionUpdatedEvent" and click "OK".
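VCWN-65-000048, -000049 and -000050 each want the same kind of alarm on a different event, and the page gives the check in PowerCLI but the fix only through the GUI. The following PowerCLI is an added example, not from the STIG or VMware, that covers all three rules: it reports, per event type, whether an enabled alarm exists, and creates the missing ones through the AlarmManager API so every vCenter gets an identical definition. It assumes a connected Connect-VIServer session; the alarm names are placeholders, and the expression deliberately leaves ObjectType unset so the trigger is not narrowed to one inventory type (confirm the result under the vCenter object in the GUI as the check describes).

```powershell
# Added example (not from the STIG): check and create the three permission-change alarms via AlarmManager.
# Assumptions: PowerCLI session already connected; alarm names are placeholders.

$PermissionEvents = @(
    @{ Name = 'Permission added';   EventType = 'PermissionAddedEvent';   EventTypeId = 'vim.event.PermissionAddedEvent' },
    @{ Name = 'Permission removed'; EventType = 'PermissionRemovedEvent'; EventTypeId = 'vim.event.PermissionRemovedEvent' },
    @{ Name = 'Permission updated'; EventType = 'PermissionUpdatedEvent'; EventTypeId = 'vim.event.PermissionUpdatedEvent' }
)

function Get-PermissionAlarmStatus {
    # Check: one row per required event type, listing the alarm(s) that trigger on it.
    param($Events = $PermissionEvents)
    $defs = Get-AlarmDefinition
    foreach ($e in $Events) {
        $matching = $defs | Where-Object {
            $_.ExtensionData.Info.Expression.Expression.EventTypeId -eq $e.EventTypeId
        }
        $enabled = $matching | Where-Object Enabled
        [pscustomobject]@{
            EventTypeId = $e.EventTypeId
            Alarms      = ($matching | ForEach-Object Name) -join ', '
            Enabled     = [bool]$enabled
            Finding     = -not $enabled      # no enabled alarm for this event is a finding
        }
    }
}

function New-PermissionAlarm {
    # Fix: build an event-triggered alarm spec and register it at the inventory root.
    param([string]$Name, [string]$EventType, [string]$EventTypeId)
    $expr = New-Object VMware.Vim.EventAlarmExpression
    $expr.EventType   = $EventType
    $expr.EventTypeId = $EventTypeId
    $expr.Status      = 'yellow'          # entity status the alarm raises when the event fires

    $spec = New-Object VMware.Vim.AlarmSpec
    $spec.Name        = $Name
    $spec.Description = "STIG: alert on $EventTypeId"
    $spec.Enabled     = $true
    $spec.Expression  = New-Object VMware.Vim.OrAlarmExpression
    $spec.Expression.Expression += $expr
    $spec.Setting     = New-Object VMware.Vim.AlarmSetting
    $spec.Setting.ReportingFrequency = 0
    $spec.Setting.ToleranceRange     = 0

    # Defining the alarm on the root folder makes it apply to the whole vCenter inventory.
    $root = Get-Folder -NoRecursion
    (Get-View AlarmManager).CreateAlarm($root.ExtensionData.MoRef, $spec)
}

function Set-PermissionAlarms {
    # Creates an alarm only for event types that currently have no enabled alarm.
    param($Events = $PermissionEvents)
    foreach ($row in (Get-PermissionAlarmStatus -Events $Events | Where-Object Finding)) {
        $e = $Events | Where-Object { $_.EventTypeId -eq $row.EventTypeId }
        New-PermissionAlarm -Name $e.Name -EventType $e.EventType -EventTypeId $e.EventTypeId
    }
}

# Get-PermissionAlarmStatus | Format-Table -AutoSize
# Set-PermissionAlarms
# Get-PermissionAlarmStatus | Format-Table -AutoSize    # re-run the check after the fix
```

An alarm that only changes the vCenter object's colour is easy to miss; add an email or SNMP action to $spec.Action, or forward vCenter events to the SIEM, if the alert is expected to reach someone.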
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- VCWN-65-000051
- Vuln IDs
-
- V-216870
- V-94805
- Rule IDs
-
- SV-216870r612237_rule
- SV-104635
Checks: C-18101r366324_chk
From the vSphere Web Client go to Administration >> Access Control >> Roles. View each role and verify the users and/or groups assigned to it. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto Application service account and user required privileges should be documented. If any user or service account has more privileges than required, this is a finding.
Fix: F-18099r366325_fix
To create a new role with specific permissions do the following: From the vSphere Web Client go to Administration >> Access Control >> Roles. Click the green plus sign and enter a name for the role and select only the specific permissions required. Users can then be assigned to the newly created role.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000052
- Vuln IDs
-
- V-216871
- V-94807
- Rule IDs
-
- SV-216871r612237_rule
- SV-104637
Checks: C-18102r366327_chk
If IP-based storage is not used, this is not applicable. IP-Based storage (iSCSI, NFS, vSAN) VMkernel port groups must be in a dedicated VLAN that can be on a common standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment. From the vSphere Client select the ESXi host and go to Configure >> Networking >> VMkernel adapters and review the VLANs associated with any IP-Based storage VMkernels and verify they are dedicated for that purpose and are logically separated from other functions. If any IP-Based storage networks are not isolated from other traffic types, this is a finding.
Fix: F-18100r366328_fix
Configuration of an IP-Based VMkernel will be unique to each environment but for example to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel do the following: From the vSphere Web Client select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select the Storage VMkernel (for any IP-based storage) and click the pencil icon >> On the Port properties tab uncheck everything (unless vSAN). On the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK. Set the appropriate VLAN ID >> Configure >> Networking >> Virtual switches. Select the Storage portgroup (ISCSI, NFS, vSAN) and click the pencil icon >> On the properties tab, enter the appropriate VLAN ID and click OK.
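The check above says the procedure is unique per environment because vCenter has no flag that says "this VMkernel carries iSCSI or NFS". The following PowerCLI is an added example, not from the STIG or VMware, that makes the isolation question mechanical: it lists every VMkernel adapter with its VLAN and enabled services, then reports any host/VLAN pair where a storage VMkernel shares the VLAN with management, vMotion or FT traffic. It assumes a connected Connect-VIServer session, that vSAN VMkernels are recognised by their service flag, and that iSCSI/NFS VMkernels follow a port group naming convention captured by the placeholder regex $StoragePortGroupPattern; VLAN 0 is reported for untagged standard port groups and for distributed port groups whose VLAN type is not a single VLAN ID.

```powershell
# Added example (not from the STIG): find storage VMkernels whose VLAN also carries other services.
# Assumptions: PowerCLI session connected; iSCSI/NFS port groups match a site naming pattern (placeholder).

$StoragePortGroupPattern = '(?i)iscsi|nfs|storage'   # placeholder naming convention

function Get-VmkVlanReport {
    # One row per VMkernel adapter across all hosts, with VLAN, storage role and other services.
    param([string]$Pattern = $StoragePortGroupPattern)
    foreach ($vmhost in Get-VMHost) {
        foreach ($vmk in Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel) {
            $pg = Get-VirtualPortGroup -VMHost $vmhost -Name $vmk.PortGroupName -Standard -ErrorAction SilentlyContinue
            if ($pg) {
                $vlan = $pg.VLanId                                  # standard switch port group
            } else {
                $vdpg = Get-VDPortgroup -Name $vmk.PortGroupName -ErrorAction SilentlyContinue
                $vlan = if ($vdpg -and $vdpg.VlanConfiguration) { $vdpg.VlanConfiguration.VlanId } else { 0 }
            }
            $isStorage = $vmk.VsanTrafficEnabled -or ($vmk.PortGroupName -match $Pattern)
            $other = @()
            if ($vmk.ManagementTrafficEnabled)     { $other += 'Management' }
            if ($vmk.VMotionEnabled)               { $other += 'vMotion' }
            if ($vmk.FaultToleranceLoggingEnabled) { $other += 'FT' }
            [pscustomobject]@{
                VMHost        = $vmhost.Name
                Vmk           = $vmk.Name
                PortGroup     = $vmk.PortGroupName
                Vlan          = [int]$vlan
                IP            = $vmk.IP
                Storage       = [bool]$isStorage
                OtherServices = $other -join ','
            }
        }
    }
}

function Get-StorageVlanFindings {
    # A storage VLAN is a finding when any VMkernel on the same host and VLAN, including the
    # storage VMkernel itself, also carries management, vMotion or FT traffic.
    param([string]$Pattern = $StoragePortGroupPattern)
    $rows = Get-VmkVlanReport -Pattern $Pattern
    foreach ($group in ($rows | Group-Object VMHost, Vlan)) {
        $storage = $group.Group | Where-Object Storage
        if (-not $storage) { continue }
        $mixed = $group.Group | Where-Object { $_.OtherServices -ne '' }
        if ($mixed) {
            [pscustomobject]@{
                VMHost      = $group.Group[0].VMHost
                Vlan        = $group.Group[0].Vlan
                StorageVmks = ($storage | ForEach-Object Vmk) -join ','
                SharedWith  = ($mixed | ForEach-Object { "$($_.Vmk):$($_.OtherServices)" }) -join ','
            }
        }
    }
}

# Get-VmkVlanReport | Sort-Object VMHost, Vlan | Format-Table -AutoSize
# Get-StorageVlanFindings | Format-Table -AutoSize
```

A vSAN VMkernel with only the vSAN service enabled on its own VLAN produces no finding, which matches the "uncheck everything (unless vSAN)" step in the fix; an empty findings list still has to be read together with the full report, because a storage VMkernel that is untagged alongside an untagged management VMkernel shows up as VLAN 0 on both.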
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000053
- Vuln IDs
-
- V-216872
- V-94809
- Rule IDs
-
- SV-216872r612237_rule
- SV-104639
Checks: C-18103r366330_chk
If no clusters are enabled for vSAN, this is not applicable. From the vSphere Web Client go to Hosts and Clusters >> Select a vSAN Enabled Cluster >> Manage >> Configure >> Virtual SAN >> Health and Performance. Review the "Health Service Status" and verify that it is set to "Enabled". If vSAN is enabled and there is no vSAN health check installed or the vSAN Health Check is disabled, this is a finding.
Fix: F-18101r366331_fix
From the vSphere Web Client go to Hosts and Clusters >> Select a vSAN Enabled Cluster >> Manage >> Configure >> Virtual SAN >> Health and Performance >> "Health Service" and click "Edit Settings". Select the check box for "Turn On Periodical Health Check" and configure the time interval as necessary.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000054
- Vuln IDs
-
- V-216873
- V-94811
- Rule IDs
-
- SV-216873r612237_rule
- SV-104641
Checks: C-18104r366333_chk
If no clusters are enabled for vSAN, this is not applicable. From the vSphere Web Client go to Hosts and Clusters >> Select a vSAN Enabled Cluster >> Manage >> Configure >> Virtual SAN >> General >> Internet Connectivity >> Edit. If the HCL internet download is not required, "Enable Internet access for this cluster" must be disabled; if it is enabled, this is a finding. If the HCL internet download is required, "Enable Internet access for this cluster" must be enabled and a proxy host must be configured; if "Enable Internet access for this cluster" is disabled or a proxy is not configured, this is a finding.
Fix: F-18102r366334_fix
From the vSphere Web Client go to Hosts and Clusters >> Select a vSAN Enabled Cluster >> Manage >> Configure >> Virtual SAN >> General >> Internet Connectivity >> Edit. If the HCL internet download is not required, ensure that "Enable Internet access for this cluster" is disabled. If the HCL internet download is required, ensure that "Enable Internet access for this cluster" is enabled and that a proxy host is appropriately configured.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000055
- Vuln IDs
-
- V-216874
- V-94813
- Rule IDs
-
- SV-216874r612237_rule
- SV-104643
Checks: C-18105r366336_chk
If no clusters are enabled for vSAN, this is not applicable. From the vSphere Web Client go to Hosts and Clusters >> Select a vSAN Enabled Cluster >> Datastores. Review the datastores. Identify any datastores with "vsan" as the datastore type. or From a PowerCLI command prompt while connected to the vCenter server run the following command:
If ($(Get-Cluster | Where-Object {$_.VsanEnabled} | Measure-Object).Count -gt 0) {
    Write-Host "vSAN Enabled Cluster found"
    Get-Cluster | Where-Object {$_.VsanEnabled} | Get-Datastore | Where-Object {$_.Type -match "vsan"}
} else {
    Write-Host "vSAN is not enabled, this finding is not applicable"
}
If vSAN is enabled and the datastore is named "vsanDatastore", this is a finding.
Fix: F-18103r366337_fix
From the vSphere Web Client go to Hosts and Clusters >> Select a vSAN Enabled Cluster >> Datastores. Right-click on the datastore named "vsanDatastore" and select "Rename". Rename the datastore based on operational naming standards. or From a PowerCLI command prompt while connected to the vCenter server run the following command:
If ($(Get-Cluster | Where-Object {$_.VsanEnabled} | Measure-Object).Count -gt 0) {
    Write-Host "vSAN Enabled Cluster found"
    $Clusters = Get-Cluster | Where-Object {$_.VsanEnabled}
    Foreach ($clus in $Clusters) {
        # Renames each cluster's vSAN datastore to <cluster name>_vSAN_Datastore
        $clus | Get-Datastore | Where-Object {$_.Type -match "vsan"} | Set-Datastore -Name $(($clus.Name) + "_vSAN_Datastore")
    }
} else {
    Write-Host "vSAN is not enabled, this finding is not applicable"
}
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000056
- Vuln IDs
-
- V-216875
- V-94815
- Rule IDs
-
- SV-216875r612237_rule
- SV-104645
Checks: C-18106r366339_chk
From the vSphere Web Client go to Administration >> Access Control >> Roles. View each role and verify the users and/or groups assigned to it. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto Application service account and user required privileges should be documented. If any user or service account has more privileges than required, this is a finding.
Fix: F-18104r366340_fix
To update a user or groups permissions to an existing role with reduced permissions do the following: From the vSphere Web Client go to Administration >> Access Control >> Global Permissions. Select the user or group and click "Edit" and change the assigned role and click "OK". If permissions are assigned on a specific object then the role must be updated where it is assigned for example at the cluster level. To create a new role with reduced permissions do the following: From the vSphere Web Client go to Administration >> Access Control >> Roles. Click the green plus sign and enter a name for the role and select only the specific permissions required. Users can then be assigned to the newly created role.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000057
- Vuln IDs
-
- V-216876
- V-94817
- Rule IDs
-
- SV-216876r612237_rule
- SV-104647
Checks: C-18107r366342_chk
Download the VMware TLS Reconfigurator utility from my.vmware.com. Follow installation instructions for your vCenter platform according to VMware KB 2147469. Appliance: 1. /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator/reconfigureVc backup 2. /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator/reconfigureVc scan Windows: 1. Open a command prompt and cd to C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator 2. Enter command "reconfigureVc scan" and press "Enter" If the output indicates versions of TLS other than 1.2 are enabled, this is a finding.
Fix: F-18105r366343_fix
Download the VMware TLS Reconfigurator utility from my.vmware.com. Follow installation instructions for your vCenter platform according to VMware KB 2147469. Run the following commands. Appliance: 1. /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator/reconfigureVc backup 2. /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLS1.2 Windows: 1. Open a command prompt and cd to C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator 2. Enter command "reconfigureVc backup" and press "Enter" 3. Enter command "reconfigureVc update -p TLS1.2" and press "Enter" vCenter services will be restarted as part of the reconfiguration, the OS will not be restarted. You can add the --no-restart flag to restart services at a later time. Changes will not take effect until all services are restarted or the machine is rebooted.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000058
- Vuln IDs
-
- V-216877
- V-94819
- Rule IDs
-
- SV-216877r612237_rule
- SV-104649
Checks: C-18108r612201_chk
From the vCenter server (and external PSC if appropriate) run the following command Appliance: /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store machine_ssl_cert --alias __MACHINE_CERT --text|grep Issuer Windows: "C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe" entry getcert --store machine_ssl_cert --alias __MACHINE_CERT --text|find "Issuer" If the issuer is not a DoD approved certificate authority, or other AO approved certificate authority, this is a finding.
Fix: F-18106r366346_fix
Obtain a DoD issued certificate and private key for each vCenter and external PSC in the system, following the below requirements:
- Key size: 2048 bits or more (PEM encoded)
- CRT format (Base-64)
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>
- Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Verify that the issued certificate includes the full issuing chain. If it does not, concatenate the Base-64 intermediates and root onto the issued machine ssl cert.
Export the entire certificate issuing chain up to the root in Base-64 format, concatenate the individual certs into one file that will be used in the next steps when prompted for the signing certificate.
Run the certificate-manager tool:
Appliance: /usr/lib/vmware-vmca/bin/certificate-manager
Windows: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat
Select option "1" to replace the machine ssl certificate.
Select option "2" to specify existing certificate and private key.
Supply the information as prompted, remembering the signing certificate file built up previously.
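Added example, not part of the STIG or of VMware's certificate-manager: a Windows PowerShell check that reads a Base-64 export of the machine SSL certificate and reports each requirement listed in the fix (issuer, key size, X.509 version, SubjectAltName, Key Usages). The file path, expected FQDN and approved-issuer pattern are placeholders to replace with site values.

```powershell
# Added example (not STIG or VMware code): evaluate an exported machine SSL certificate
# against the VCWN-65-000058 certificate requirements. Written for Windows PowerShell;
# when a concatenated chain file is given, only the first (leaf) certificate is loaded.
function Test-MachineSslCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertificatePath,      # Base-64 .crt/.pem export (placeholder path)
        [Parameter(Mandatory)] [string] $ExpectedFqdn,         # <machine_FQDN> from the requirement
        [string[]] $ApprovedIssuerPatterns = @('*OU=DoD*')      # placeholder; list the DoD/AO approved CAs
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath

    # Key size: RSA public key must be 2048 bits or more (a non-RSA key reports 0 here).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

    # Key Usage (OID 2.5.29.15) must include Digital Signature, Non Repudiation and Key Encipherment.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $required = $flags::DigitalSignature -bor $flags::NonRepudiation -bor $flags::KeyEncipherment
    $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $kuOk = [bool]$ku -and (($ku.KeyUsages -band $required) -eq $required)

    # Subject Alternative Name (OID 2.5.29.17); Format($true) renders one "DNS Name=<host>" per line on Windows.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanOk = [bool]$san -and ($san.Format($true) -match ('DNS Name=' + [regex]::Escape($ExpectedFqdn) + '(\r?\n|$)'))

    # Issuer must match one of the approved CA patterns (case-insensitive wildcard match).
    $issuerOk = $false
    foreach ($pattern in $ApprovedIssuerPatterns) {
        if ($cert.Issuer -like $pattern) { $issuerOk = $true }
    }

    [pscustomobject]@{
        Issuer         = $cert.Issuer
        IssuerApproved = $issuerOk
        KeySizeBits    = $keyBits
        KeySizeOk      = ($keyBits -ge 2048)
        X509Version3   = ($cert.Version -eq 3)
        KeyUsageOk     = $kuOk
        SanHasFqdn     = $sanOk
        Compliant      = ($issuerOk -and $keyBits -ge 2048 -and $cert.Version -eq 3 -and $kuOk -and $sanOk)
    }
}

Test-MachineSslCertificate -CertificatePath 'C:\temp\machine_ssl.crt' -ExpectedFqdn 'vcenter.example.com'
```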
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000059
- Vuln IDs
-
- V-216878
- V-94821
- Rule IDs
-
- SV-216878r612237_rule
- SV-104651
Checks: C-18109r366348_chk
See supplemental document. Ensure CAC Authentication occurs upon login to vCenter. Otherwise, this is a finding.
Fix: F-18107r366349_fix
Configure CAC Authentication per supplemental document.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000060
- Vuln IDs
-
- V-216879
- V-94823
- Rule IDs
-
- SV-216879r612237_rule
- SV-104653
Checks: C-18110r366351_chk
1. Log in to the Platform Services Controller web interface with administrator@vsphere.local from https://<FQDN or IP of PSC>/psc
In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@<mydomain>.
2. Browse to Single Sign-On > Configuration.
3. Click the "Smart Card Configuration" tab.
4. Click the "Certificate Revocation Settings" tab.
If "Revocation Check" does not show as enabled, this is a finding.
Fix: F-18108r366352_fix
1. Log in to the Platform Services Controller web interface with administrator@vsphere.local from https://<FQDN or IP of PSC>/psc
In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@<mydomain>.
2. Browse to Single Sign-On > Configuration.
3. Click the "Smart Card Configuration" tab.
4. Click the "Certificate Revocation Settings" tab.
5. Click the "Enable Revocation Check" button.
By default the PSC will use the CRL from the certificate to check revocation status. OCSP with CRL fallback is recommended, but this setting is site-specific and should be configured appropriately.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- VCWN-65-000061
- Vuln IDs
-
- V-216880
- V-94825
- Rule IDs
-
- SV-216880r612237_rule
- SV-104655
Checks: C-18111r366354_chk
1. Log in to the Platform Services Controller web interface with administrator@vsphere.local from https://<FQDN or IP of PSC>/psc
In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@<mydomain>.
2. Browse to Single Sign-On >> Configuration.
3. Click the "Smart Card Configuration" tab, then click the "Edit" button next to “Authentication Configuration”.
If the selection box next to “Password and Windows session authentication” is checked, this is a finding.
Fix: F-18109r366355_fix
1. Log in to the Platform Services Controller web interface with administrator@vsphere.local from https://<FQDN or IP of PSC>/psc
In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@<mydomain>.
2. Browse to Single Sign-On >> Configuration.
3. Click the "Smart Card Configuration" tab, then click the "Edit" button next to “Authentication Configuration”.
4. Check the box next to “Password and Windows session authentication”. Click "OK".
To re-enable password authentication for troubleshooting, run the following command from the PSC:
/opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- VCWN-65-000062
- Vuln IDs
-
- V-216881
- V-94827
- Rule IDs
-
- SV-216881r612237_rule
- SV-104657
Checks: C-18112r366357_chk
1. Log in to the Platform Services Controller web interface with administrator@vsphere.local from https://<FQDN or IP of PSC>/psc
In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@<mydomain>.
2. Browse to Single Sign-On >> Configuration.
3. Click the "Login Banner" tab, then click the "Edit" button.
If the selection boxes next to "Status" or "Checkbox Consent" are not checked, or if the Message is not configured to the standard DoD User Agreement, this is a finding.
Note: Supplementary Information: DoD Logon Banner
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Fix: F-18110r366358_fix
1. Log in to the Platform Services Controller web interface with administrator@vsphere.local from https://<FQDN or IP of PSC>/psc
In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@<mydomain>.
2. Browse to Single Sign-On >> Configuration.
3. Click the "Login Banner" tab, then click the "Edit" button.
4. Check the box next to "Status".
5. Check the box next to "Checkbox Consent".
6. Configure the Title and Message to the standard DoD User Agreement.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000063
- Vuln IDs
-
- V-216882
- V-94829
- Rule IDs
-
- SV-216882r612237_rule
- SV-104659
Checks: C-18113r366360_chk
From the vSphere Web Client go to Administration >> Access Control >> Roles
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VIPermission | Where {$_.Role -eq "Admin"} | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto
If there are any users other than Solution Users with the "Administrator" role that are not explicitly designated for cryptographic operations, this is a finding.
Fix: F-18111r366361_fix
From the vSphere Web Client go to Administration >> Access Control >> Roles
Move any accounts not explicitly designated for cryptographic operations, other than Solution Users, to other roles such as "No Cryptography Administrator".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000064
- Vuln IDs
-
- V-216883
- V-94831
- Rule IDs
-
- SV-216883r612237_rule
- SV-104661
Checks: C-18114r366363_chk
From the vSphere Web Client go to Administration >> Access Control >> Roles
Highlight each role and click the pencil button if it is enabled. Verify that only the "Administrator" and any site-specific cryptographic group(s) have the following permissions:
- Cryptographic Operations privileges
- Global.Diagnostics
- Host.Inventory.Add host to cluster
- Host.Inventory.Add standalone host
- Host.Local operations.Manage user groups
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
$roles = Get-VIRole
ForEach($role in $roles){
    $privileges = $role.PrivilegeList
    If($privileges -match "Crypto*" -or $privileges -match "Global.Diagnostics" -or $privileges -match "Host.Inventory.Add*" -or $privileges -match "Host.Local operations.Manage user groups"){
        Write-Host "$role has Cryptographic privileges"
    }
}
If any role other than "Administrator" or any site-specific group(s) have any of these permissions, this is a finding.
Fix: F-18112r366364_fix
From the vSphere Web Client go to Administration >> Access Control >> Roles
Highlight each role and click the pencil button if it is enabled. Remove the following permissions from any group other than Administrator and any site-specific cryptographic group(s):
- Cryptographic Operations privileges
- Global.Diagnostics
- Host.Inventory.Add host to cluster
- Host.Inventory.Add standalone host
- Host.Local operations.Manage user groups
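Added example, not STIG or VMware code: a PowerCLI function that runs both checks above together, VCWN-65-000063 (who holds the Administrator role) and VCWN-65-000064 (which other roles carry cryptographic and host-management privileges), against an existing Connect-VIServer session. The Solution User name patterns, the allow lists and the privilege IDs (the dotted identifiers that Get-VIRole's PrivilegeList returns, as opposed to the display labels listed above) are assumptions to verify with Get-VIPrivilege in your environment.

```powershell
# Added example (not STIG or VMware code): audit Administrator-role assignments
# (VCWN-65-000063) and roles holding cryptographic privileges (VCWN-65-000064).
# Assumes an active Connect-VIServer session to the vCenter being assessed.
function Get-VcenterCryptoFindings {
    param(
        # Principals permitted to hold the Administrator role (designated crypto admins). Placeholder.
        [string[]] $AllowedAdminPrincipals = @('VSPHERE.LOCAL\Administrator'),
        # Site-specific cryptographic roles permitted to hold the sensitive privileges. Placeholder.
        [string[]] $AllowedCryptoRoles = @(),
        # Solution User naming assumed here; verify against Administration >> Single Sign-On >> Users.
        [string[]] $SolutionUserPatterns = @('*\vpxd-*', '*\vsphere-webclient-*', '*\machine-*')
    )
    # Privilege IDs assumed to correspond to the display labels in the check; confirm with Get-VIPrivilege.
    $sensitive = @('Cryptographer.*', 'Global.Diagnostics', 'Host.Inventory.AddHostToCluster',
                   'Host.Inventory.AddStandaloneHost', 'Host.Local.ManageUserGroups')
    $findings = @()

    # 000063: "Admin" is the internal name of the Administrator role, as in the check's one-liner.
    foreach ($perm in (Get-VIPermission | Where-Object { $_.Role -eq 'Admin' })) {
        $isSolutionUser = $false
        foreach ($pattern in $SolutionUserPatterns) {
            if ($perm.Principal -like $pattern) { $isSolutionUser = $true }
        }
        if (-not $isSolutionUser -and $AllowedAdminPrincipals -notcontains $perm.Principal) {
            $findings += [pscustomobject]@{
                Rule    = 'VCWN-65-000063'
                Subject = $perm.Principal
                Detail  = "Administrator role on '$($perm.Entity)' (Propagate=$($perm.Propagate), Group=$($perm.IsGroup))"
            }
        }
    }

    # 000064: any role other than Administrator (or an allowed crypto role) carrying a sensitive privilege.
    foreach ($role in Get-VIRole) {
        if ($role.Name -eq 'Admin' -or $AllowedCryptoRoles -contains $role.Name) { continue }
        $hits = @($role.PrivilegeList | Where-Object {
            $priv = $_
            @($sensitive | Where-Object { $priv -like $_ }).Count -gt 0
        })
        if ($hits.Count -gt 0) {
            $findings += [pscustomobject]@{
                Rule    = 'VCWN-65-000064'
                Subject = $role.Name
                Detail  = "Privileges: $($hits -join ', ')"
            }
        }
    }
    $findings
}

Get-VcenterCryptoFindings | Format-Table -AutoSize
```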
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- VCWN-65-000065
- Vuln IDs
-
- V-216884
- V-94833
- Rule IDs
-
- SV-216884r612237_rule
- SV-104663
Checks: C-18115r366366_chk
If no clusters are enabled for vSAN, or if vSAN is enabled but iSCSI is not enabled, this is not applicable.
From the vSphere Web Client go to Host and Clusters >> Select a Cluster >> Configure >> Virtual SAN >> iSCSI Targets
For each iSCSI Target select the item and click the pencil icon to open the edit dialog. If the Authentication method is not set to "Mutual CHAP" and fully configured, this is a finding.
Fix: F-18113r366367_fix
From the vSphere Web Client go to Host and Clusters >> Select a Cluster >> Configure >> Virtual SAN >> iSCSI Targets
For each iSCSI Target select the item and click the pencil icon to open the edit dialog. Change the "Authentication" field to "Mutual CHAP" and configure the incoming and outgoing users and secrets appropriately.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- VCWN-65-000066
- Vuln IDs
-
- V-216885
- V-94835
- Rule IDs
-
- SV-216885r612237_rule
- SV-104665
Checks: C-18116r366369_chk
Interview the SA to determine that a procedure has been put in place to perform a shallow re-key of all vSAN encrypted datastores at regular, site-defined intervals. VMware recommends a 60-day re-key task, but this interval must be defined by the SA and the ISSO. If vSAN encryption is not in use, this is not a finding.
Fix: F-18114r366370_fix
If vSAN encryption is in use, ensure that a regular re-key procedure is in place.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- VCWN-65-000067
- Vuln IDs
-
- V-216886
- V-94837
- Rule IDs
-
- SV-216886r612237_rule
- SV-104667
Checks: C-18117r366372_chk
From the vSphere Web Client go to Administration >> Deployment >> Customer Experience Improvement Program
If Customer Experience Improvement Program is Enabled, this is a finding.
Fix: F-18115r366373_fix
From the vSphere Web Client go to Administration >> Deployment >> Customer Experience Improvement Program
Click the "Leave" button.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000068
- Vuln IDs
-
- V-216887
- V-94839
- Rule IDs
-
- SV-216887r612237_rule
- SV-104669
Checks: C-18118r531363_chk
Note: This requirement is applicable for Active Directory over LDAP connections and Not Applicable when the vCenter or PSC server is joined to AD and using Integrated Windows Authentication.
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration. Click the "Identity Sources" tab. For each identity source of type "Active Directory", highlight the item and click the pencil icon to open the edit dialog. If the LDAPS box at the bottom is not checked, this is a finding.
Fix: F-18116r366376_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration. Click the "Identity Sources" tab. For each identity source of type "Active Directory" where LDAPS is not configured, highlight the item and click the pencil icon to open the edit dialog. Check the box at the bottom for LDAPS and click "Next". Click the green plus button to upload the trusted DC certificate or click the magnifying glass to extract the certificate from the DC directly. Click "Next". Click "Finish".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- VCWN-65-000069
- Vuln IDs
-
- V-216888
- V-94841
- Rule IDs
-
- SV-216888r612237_rule
- SV-104671
Checks: C-18119r531365_chk
Note: This requirement is applicable for Active Directory over LDAP connections and Not Applicable when the vCenter or PSC server is joined to AD and using Integrated Windows Authentication.
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration. Click the "Identity Sources" tab. For each identity source of type "Active Directory", highlight the item and click the pencil icon to open the edit dialog. If the account that is configured to bind to the LDAP server is not one with minimal privileges, this is a finding.
Fix: F-18117r366379_fix
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration. Click the "Identity Sources" tab. For each identity source that has been configured with a highly privileged AD account, highlight the item and click the pencil icon to open the edit dialog. Change the username and password to one with read only rights to the base DN and complete the dialog.
- RMF Control
- IA-3
- Severity
- M
- CCI
- CCI-001967
- Version
- VCWN-65-006000
- Vuln IDs
-
- V-216889
- V-94853
- Rule IDs
-
- SV-216889r612237_rule
- SV-104683
Checks: C-18120r366381_chk
NOTE: For the vCenter 6.5 Server Appliance, this requirement is Not Applicable.
In the vSphere Web Client go to a vCenter Server instance. Click the Configure tab >> Settings >> General. On the vCenter Server Settings central pane, click Edit. Click SNMP receivers to edit their settings. Ensure no information for SNMP receivers is entered. If there are SNMP receivers configured, this is a finding.
Fix: F-18118r366382_fix
In the vSphere Web Client go to a vCenter Server instance. Click the Configure tab >> Settings >> General. On the vCenter Server Settings central pane, click Edit. Click SNMP receivers to edit their settings. Remove any SNMP receivers that exist.