VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide

  • Version/Release: V2R3
  • Published: 2023-06-16
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
The vCenter Server for Windows must prohibit password reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-216825 - SV-216825r879602_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
VCWN-65-000001
Vuln IDs
  • V-216825
  • V-94715
Rule IDs
  • SV-216825r879602_rule
  • SV-104545
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.
Checks: C-18056r366189_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the value of the "Restrict reuse" setting. If the "Restrict reuse" policy is not set to "5" or more, this is a finding.

Fix: F-18054r366190_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click Edit and enter "5" into the "Restrict reuse" setting and click "OK".

b
The vCenter Server for Windows must not automatically refresh client sessions.
SC-10 - Medium - CCI-001133 - V-216826 - SV-216826r879622_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
VCWN-65-000002
Vuln IDs
  • V-216826
  • V-94717
Rule IDs
  • SV-216826r879622_rule
  • SV-104547
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Automatic client session refreshes keep unused sessions online, blocking session timeouts.
Checks: C-18057r366192_chk

On the system where vCenter is installed locate the "webclient.properties" file. Appliance: /etc/vmware/vsphere-client/ Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client Find the "refresh.rate =" line in the "webclient.properties" file. If the refresh rate is not set to "-1" in the "webclient.properties" file, this is a finding.

Fix: F-18055r366193_fix

Change the refresh rate value by editing the "webclient.properties" file. On the system where vCenter is installed locate the "webclient.properties" file. Appliance: /etc/vmware/vsphere-client/ Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client Edit the file to include the line "refresh.rate = -1" where "-1" indicates sessions are not automatically refreshed. Uncomment the line if necessary. After editing the file the vSphere Web Client service must be restarted.

b
The vCenter Server for Windows must enforce a 60-day maximum password lifetime restriction.
IA-5 - Medium - CCI-000199 - V-216827 - SV-216827r879611_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
VCWN-65-000003
Vuln IDs
  • V-216827
  • V-94721
Rule IDs
  • SV-216827r879611_rule
  • SV-104551
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. This requirement does not include emergency administration accounts which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.
Checks: C-18058r366195_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the value of the "Maximum lifetime" setting. If the "Maximum lifetime" policy is not set to "60", this is a finding.

Fix: F-18056r366196_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click Edit and enter "60" into the "Maximum lifetime" setting and click "OK".

b
The vCenter Server for Windows must terminate management sessions after 10 minutes of inactivity.
SC-10 - Medium - CCI-001133 - V-216828 - SV-216828r879622_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
VCWN-65-000004
Vuln IDs
  • V-216828
  • V-94723
Rule IDs
  • SV-216828r879622_rule
  • SV-104553
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. This does not mean that the application terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-18059r366198_chk

By default, vSphere Web Client sessions terminate after "120" minutes of idle time, requiring the user to log in again to resume using the client. You can view the timeout value by viewing the "webclient.properties" file. On the system where vCenter is installed locate the "webclient.properties" file. Appliance: /etc/vmware/vsphere-client/ Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client Find the "session.timeout =" line in the "webclient.properties" file. If the session timeout is not set to "10" in the "webclient.properties" file, this is a finding.

Fix: F-18057r366199_fix

Change the timeout value by editing the "webclient.properties" file. On the system where vCenter is installed locate the "webclient.properties" file. Appliance: /etc/vmware/vsphere-client/ Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client Edit the file to include the line "session.timeout = 10" where "10" is the timeout value in minutes. Uncomment the line if necessary. After editing the file the vSphere Web Client service must be restarted.

b
The vCenter Server for Windows users must have the correct roles assigned.
SC-2 - Medium - CCI-001082 - V-216829 - SV-216829r879631_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
VCWN-65-000005
Vuln IDs
  • V-216829
  • V-94725
Rule IDs
  • SV-216829r879631_rule
  • SV-104555
Users and service accounts must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.
Checks: C-18060r366201_chk

From the vSphere Web Client go to Administration >> Access Control >> Roles. View each role and verify the users and/or groups assigned to it. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto Application service account and user required privileges should be documented. If any user or service account has more privileges than required, this is a finding.

Fix: F-18058r366202_fix

To update a user or groups permissions to an existing role with reduced permissions do the following: From the vSphere Web Client go to Administration >> Access Control >> Global Permissions. Select the user or group and click "Edit" and change the assigned role and click "OK". If permissions are assigned on a specific object then the role must be updated where it is assigned for example at the cluster level. To create a new role with reduced permissions do the following: From the vSphere Web Client go to Administration >> Access Control >> Roles. Click the green plus sign and enter a name for the role and select only the specific permissions required. Users can then be assigned to the newly created role.

b
The vCenter Server for Windows must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC).
CM-6 - Medium - CCI-000366 - V-216830 - SV-216830r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000007
Vuln IDs
  • V-216830
  • V-94727
Rule IDs
  • SV-216830r879887_rule
  • SV-104557
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Checks: C-18061r366204_chk

From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> Properties. View the Properties pane and verify Network I/O Control is enabled. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDSwitch | select Name,@{N="NIOC Enabled";E={$_.ExtensionData.config.NetworkResourceManagementEnabled}} If Network I/O Control is disabled, this is a finding.

Fix: F-18059r366205_fix

From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> Properties. In the Properties pane click "Edit" and change Network I/O Control to enabled. or From a PowerCLI command prompt while connected to the vCenter server run the following command: (Get-VDSwitch "DVSwitch Name" | Get-View).EnableNetworkResourceManagement($true)

a
The vCenter Server for Windows must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.
AU-5 - Low - CCI-000139 - V-216831 - SV-216831r879570_rule
RMF Control
AU-5
Severity
Low
CCI
CCI-000139
Version
VCWN-65-000008
Vuln IDs
  • V-216831
  • V-94729
Rule IDs
  • SV-216831r879570_rule
  • SV-104559
It is critical for the appropriate personnel to be aware if an ESXi host is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. To ensure the appropriate personnel are alerted if an audit failure occurs a vCenter alarm can be created to trigger when an ESXi host can no longer reach its syslog server.
Checks: C-18062r366207_chk

From the vSphere Web Client go to Host and Clusters >> Select a vCenter Server >> Monitor >> Issues >> Alarm Definitions. Verify there is an alarm created to alert when an ESXi host can no longer reach its syslog server. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "esx.problem.vmsyslogd.remote.failure"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert when syslog failures occur, this is a finding.

Fix: F-18060r366208_fix

From the vSphere Web Client go to Host and Clusters >> Select a vCenter Server >> Monitor >> Issues >> Alarm Definitions >> Click the green plus icon. Provide an alarm name and description, Select "Hosts" from the "Monitor" dropdown menu. Select "specific event" next to "Monitor for". Enable the alarm. Click "Next". Add a new Trigger and paste in "esx.problem.vmsyslogd.remote.failure" for the Event. Select "Alert" for the Status. Click "Next". Add an action to send an email or a trap for "green to yellow" and "yellow to red" categories, configure appropriately. Click "Finish". Note - This alarm will only trigger if syslog is configured for TCP or SSL connections and not UDP.

b
The vCenter Server for Windows must use Active Directory authentication.
IA-2 - Medium - CCI-000770 - V-216832 - SV-216832r879594_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
VCWN-65-000009
Vuln IDs
  • V-216832
  • V-94731
Rule IDs
  • SV-216832r879594_rule
  • SV-104561
The vCenter Server for Windows must ensure users are authenticated with an individual authenticator prior to using a group authenticator. Using Active Directory for authentication provides more robust account management capabilities.
Checks: C-18063r366210_chk

If Active Directory is not used in the environment, this is not applicable. Verify the Windows server hosting vCenter is joined to the domain and access to the server and to vCenter is done using Active Directory accounts. If the vCenter server is not joined to an Active Directory domain, this is a finding. If Active Directory-based accounts are not used for daily operations of the vCenter server, this is a finding.

Fix: F-18061r366211_fix

If the server hosting vCenter is not joined to the domain follow the OS specific procedures to join it to Active Directory. If local accounts are used for normal operations then Active Directory accounts should be created and used.

b
The vCenter Server for Windows must limit the use of the built-in SSO administrative account.
IA-2 - Medium - CCI-000770 - V-216833 - SV-216833r879594_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
VCWN-65-000010
Vuln IDs
  • V-216833
  • V-94733
Rule IDs
  • SV-216833r879594_rule
  • SV-104563
Use of the SSO administrator account should be limited as it is a shared account and individual accounts must be used wherever possible.
Checks: C-18064r366213_chk

Verify the built-in SSO administrator account is only used for emergencies and situations where it is the only option due to permissions. If the built-in SSO administrator account is used for daily operations or there is no policy restricting its use, this is a finding.

Fix: F-18062r366214_fix

A policy should be developed to limit the use of the built-in SSO administrator account.

a
The vCenter Server for Windows must disable the distributed virtual switch health check.
CM-6 - Low - CCI-000366 - V-216834 - SV-216834r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCWN-65-000012
Vuln IDs
  • V-216834
  • V-94735
Rule IDs
  • SV-216834r879887_rule
  • SV-104565
Network Healthcheck is disabled by default. Once enabled, the healthcheck packets contain information on host#, vds#, port#, which an attacker would find useful. It is recommended that network healthcheck be used for troubleshooting, and turned off when troubleshooting is finished.
Checks: C-18065r366216_chk

From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> Health Check. View the health check pane and verify both checks are disabled. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: $vds = Get-VDSwitch $vds.ExtensionData.Config.HealthCheckConfig If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding.

Fix: F-18063r366217_fix

From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> Health Check. Click the "Edit" button and disable both health checks. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}

b
The vCenter Server for Windows must set the distributed port group Forged Transmits policy to reject.
CM-6 - Medium - CCI-000366 - V-216835 - SV-216835r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000013
Vuln IDs
  • V-216835
  • V-94737
Rule IDs
  • SV-216835r879887_rule
  • SV-104567
If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. When the Forged transmits option is set to Accept, ESXi does not compare source and effective MAC addresses. To protect against MAC impersonation, you can set the Forged transmits option to Reject. If you do, the host compares the source MAC address being transmitted by the guest operating system with the effective MAC address for its virtual machine adapter to see if they match. If the addresses do not match, the ESXi host drops the packet.
Checks: C-18066r366219_chk

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies Verify "Forged Transmits" is set to reject. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy If the "Forged Transmits" policy is set to accept for a non-uplink port, this is a finding.

Fix: F-18064r366220_fix

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies >> Edit >> Security. Set "Forged Transmits" to reject. Click "OK". or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false

c
The vCenter Server for Windows must set the distributed port group MAC Address Change policy to reject.
CM-6 - High - CCI-000366 - V-216836 - SV-216836r879887_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
VCWN-65-000014
Vuln IDs
  • V-216836
  • V-94739
Rule IDs
  • SV-216836r879887_rule
  • SV-104569
If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing.
Checks: C-18067r366222_chk

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies Verify "MAC Address Changes" is set to reject. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy If the "MAC Address Changes" policy is set to accept, this is a finding.

Fix: F-18065r366223_fix

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies >> Edit >> Security. Set "MAC Address Changes" to reject. Click "OK".   or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false

b
The vCenter Server for Windows must set the distributed port group Promiscuous Mode policy to reject.
CM-6 - Medium - CCI-000366 - V-216837 - SV-216837r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000015
Vuln IDs
  • V-216837
  • V-94741
Rule IDs
  • SV-216837r879887_rule
  • SV-104571
When promiscuous mode is enabled for a virtual switch all virtual machines connected to the Portgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that Portgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting.
Checks: C-18068r366225_chk

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies Verify "Promiscuous Mode" is set to reject. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy If the "Promiscuous Mode" policy is set to accept, this is a finding.

Fix: F-18066r366226_fix

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies >> Edit >> Security. Set "Promiscuous Mode" to reject. Click "OK".   or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false

b
The vCenter Server for Windows must only send NetFlow traffic to authorized collectors.
CM-6 - Medium - CCI-000366 - V-216838 - SV-216838r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000016
Vuln IDs
  • V-216838
  • V-94743
Rule IDs
  • SV-216838r879887_rule
  • SV-104573
The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network making it easier for a MitM attack to be executed successfully. If NetFlow export is required, verify that all NetFlow target IP's are correct.
Checks: C-18069r366228_chk

To view NetFlow Collector IPs configured on distributed switches: From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> NetFlow. View the NetFlow pane and verify any collector IP addresses are valid and in use for troubleshooting. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDSwitch | select Name,@{N="NetFlowCollectorIPs";E={$_.ExtensionData.config.IpfixConfig.CollectorIpAddress}} ---- To view if NetFlow is enabled on any distributed port groups: From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and view the NetFlow status. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup | Select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}} If NetFlow is configured and the collector IP is not known and is not enabled temporarily for troubleshooting purposes, this is a finding.

Fix: F-18067r366229_fix

To remove collector IPs do the following: From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> NetFlow. Click edit and remove any unknown collector IPs. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: $dvs = Get-VDSwitch dvswitch | Get-View ForEach($vs in $dvs){ $spec = New-Object VMware.Vim.VMwareDVSConfigSpec $spec.configversion = $vs.Config.ConfigVersion $spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig $spec.IpfixConfig.CollectorIpAddress = "" $spec.IpfixConfig.CollectorPort = "0" $spec.IpfixConfig.ActiveFlowTimeout = "60" $spec.IpfixConfig.IdleFlowTimeout = "15" $spec.IpfixConfig.SamplingRate = "0" $spec.IpfixConfig.InternalFlowsOnly = $False $vs.ReconfigureDvs_Task($spec) } Note: This will reset the NetFlow collector configuration back to the defaults. To disable NetFlow on a distributed port group do the following: From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and change NetFlow to disabled. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: $pgs = Get-VDPortgroup | Get-View ForEach($pg in $pgs){ $spec = New-Object VMware.Vim.DVPortgroupConfigSpec $spec.configversion = $pg.Config.ConfigVersion $spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting $spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy $spec.defaultPortConfig.ipfixEnabled.inherited = $false $spec.defaultPortConfig.ipfixEnabled.value = $false $pg.ReconfigureDVPortgroup_Task($spec) }

a
The vCenter Server for Windows must not override port group settings at the port level on distributed switches.
CM-6 - Low - CCI-000366 - V-216839 - SV-216839r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCWN-65-000017
Vuln IDs
  • V-216839
  • V-94745
Rule IDs
  • SV-216839r879887_rule
  • SV-104575
Port-level configuration overrides are disabled by default. Once enabled, this allows for different security settings to be set from what is established at the Port-Group level. There are cases where particular VMs require unique configurations, but this should be monitored so it is only used when authorized. If overrides are not monitored, anyone who gains access to a VM with a less secure VDS configuration could surreptitiously exploit that broader access.
Checks: C-18070r366231_chk

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Properties. View the Properties pane and verify all Override port policies are set to disabled. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup | Get-View | Select Name, @{N="VlanOverrideAllowed";E={$_.Config.Policy.VlanOverrideAllowed}}, @{N="UplinkTeamingOverrideAllowed";E={$_.Config.Policy.UplinkTeamingOverrideAllowed}}, @{N="SecurityPolicyOverrideAllowed";E={$_.Config.Policy.SecurityPolicyOverrideAllowed}}, @{N="IpfixOverrideAllowed";E={$_.Config.Policy.IpfixOverrideAllowed}}, @{N="BlockOverrideAllowed";E={$_.Config.Policy.BlockOverrideAllowed}}, @{N="ShapingOverrideAllowed";E={$_.Config.Policy.ShapingOverrideAllowed}}, @{N="VendorConfigOverrideAllowed";E={$_.Config.Policy.VendorConfigOverrideAllowed}}, @{N="TrafficFilterOverrideAllowed";E={$_.Config.Policy.TrafficFilterOverrideAllowed}}, @{N="PortConfigResetAtDisconnect";E={$_.Config.Policy.PortConfigResetAtDisconnect}} | Sort Name Note: This was broken up into multiple lines for readability. Either paste as is into a PowerShell script or combine into one line and run. This does not apply to the reset port configuration on disconnect policy. If any port level overrides are enabled and not documented, this is a finding.

Fix: F-18068r366232_fix

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Properties. Click "Edit" and change all Override port policies to disabled. From a PowerCLI command prompt while connected to the vCenter server run the following commands: $pgs = Get-VDPortgroup | Get-View ForEach($pg in $pgs){ $spec = New-Object VMware.Vim.DVPortgroupConfigSpec $spec.configversion = $pg.Config.ConfigVersion $spec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy $spec.Policy.VlanOverrideAllowed = $False $spec.Policy.UplinkTeamingOverrideAllowed = $False $spec.Policy.SecurityPolicyOverrideAllowed = $False $spec.Policy.IpfixOverrideAllowed = $False $spec.Policy.BlockOverrideAllowed = $False $spec.Policy.ShapingOverrideAllowed = $False $spec.Policy.VendorConfigOverrideAllowed = $False $spec.Policy.TrafficFilterOverrideAllowed = $False $spec.Policy.PortConfigResetAtDisconnect = $True $pg.ReconfigureDVPortgroup_Task($spec) }

b
The vCenter Server for Windows must configure all port groups to a value other than that of the native VLAN.
CM-6 - Medium - CCI-000366 - V-216840 - SV-216840r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000018
Vuln IDs
  • V-216840
  • V-94747
Rule IDs
  • SV-216840r879887_rule
  • SV-104577
ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up as belonging to native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered as the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a "1"; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a "1" instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic.
Checks: C-18071r366234_chk

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup | select Name, VlanConfiguration If any port group is configured with the native VLAN of the ESXi hosts attached physical switch, this is a finding.

Fix: F-18069r366235_fix

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Click "Edit" and under the VLAN section change the VLAN ID to a non-native VLAN and click "OK". or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"

b
The vCenter Server for Windows must configure all port groups to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
CM-6 - Medium - CCI-000366 - V-216841 - SV-216841r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000019
Vuln IDs
  • V-216841
  • V-94749
Rule IDs
  • SV-216841r879887_rule
  • SV-104579
When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal with them. VLAN 4095 should be used only if the guest has been specifically configured to manage VLAN tags itself. If VGT is enabled inappropriately, it might cause denial-of-service or allow a guest VM to interact with traffic on an unauthorized VLAN.
Checks: C-18072r366237_chk

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to 4095. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup | select Name, VlanConfiguration If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding.

Fix: F-18070r366238_fix

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Click "Edit" and under the VLAN section change the VLAN ID to an appropriate VLAN ID other than "4095" and click "OK". or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"

b
The vCenter Server for Windows must not configure all port groups to VLAN values reserved by upstream physical switches.
CM-6 - Medium - CCI-000366 - V-216842 - SV-216842r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000020
Vuln IDs
  • V-216842
  • V-94751
Rule IDs
  • SV-216842r879887_rule
  • SV-104581
Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001–1024 and 4094, while Nexus switches typically reserve 3968–4047 and 4094. Check with the documentation for your specific switch. Using a reserved VLAN might result in a denial of service on the network.
Checks: C-18073r366240_chk

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to a reserved VLAN ID. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup | select Name, VlanConfiguration If any port group is configured with a reserved VLAN ID, this is a finding.

Fix: F-18071r366241_fix

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Click "Edit" and under the VLAN section and change the VLAN ID to an unreserved VLAN ID and click "OK". or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"

b
The vCenter Server for Windows must enable SSL for Network File Copy (NFC).
CM-6 - Medium - CCI-000366 - V-216843 - SV-216843r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000021
Vuln IDs
  • V-216843
  • V-94753
Rule IDs
  • SV-216843r879887_rule
  • SV-104583
NFC is the mechanism used to migrate or clone a VM between two ESXi hosts over the network. By default, NFC over SSL is enabled (i.e., "True") within a vSphere cluster but the value of the setting is null. Clients check the value of the setting and default to not using SSL for performance reasons if the value is null. This behavior can be changed by ensuring the setting has been explicitly created and set to "True". This will force clients to use SSL. Without this setting VM contents could potentially be sniffed if the management network is not adequately isolated and secured.
Checks: C-18074r366243_chk

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Verify that config.nfc.useSSL is set to "true". or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity <vcenter server name> -Name config.nfc.useSSL Verify "config.nfc.useSSL" is set to "true". If the "config.nfc.useSSL" is set to a value other than "true" or does not exist, this is a finding.

Fix: F-18072r366244_fix

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Click "Edit" and edit the "config.nfc.useSSL" value to "true" or if the value does not exist create it by entering the values in the "Key" and "Value" fields and clicking "Add". or From a PowerCLI command prompt while connected to the vCenter server run the following command: If the setting already exists: Get-AdvancedSetting -Entity <vcenter server name> -Name config.nfc.useSSL | Set-AdvancedSetting -Value true If the setting does not exist: New-AdvancedSetting -Entity <vcenter server name> -Name config.nfc.useSSL -Value true

b
The vCenter Server for Windows services must be ran using a service account instead of a built-in Windows account.
CM-6 - Medium - CCI-000366 - V-216844 - SV-216844r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000022
Vuln IDs
  • V-216844
  • V-94755
Rule IDs
  • SV-216844r879887_rule
  • SV-104585
You can use the Microsoft Windows built-in system account or a domain user account to run vCenter Server. The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system requires, which can contribute to security problems. With a domain user account, you can enable Windows authentication for SQL Server; it also allows more granular security and logging. The installing account only needs to be a member of the Administrators group, and have permission to act as part of the operating system and log on as a service. If you are using SQL Server for the vCenter database, you must configure the SQL Server database to allow the domain account access to SQL Server.
Checks: C-18075r366246_chk

This control only applies to Windows based vCenter installations. The following services should be set to run as a service account: VMware Content Library Service VMware Inventory Service VMware Performance Charts VMware VirtualCenter Server vCenter should be installed using the service account as that will configure the services appropriately. If vCenter is not installed with a service account, this is a finding. If the services identified in this control are not running as a service account, this is a finding.

Fix: F-18073r366247_fix

For each of the following services open the services console on the vCenter server and right-click, select "Properties" on the service. Go to the "Log On" tab and configure the service to run as a service account and restart the service. VMware Content Library Service VMware Inventory Service VMware Performance Charts VMware VirtualCenter Server

b
The vCenter Server for Windows must configure the vpxuser auto-password to be changed every 30 days.
CM-6 - Medium - CCI-000366 - V-216845 - SV-216845r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000023
Vuln IDs
  • V-216845
  • V-94757
Rule IDs
  • SV-216845r879887_rule
  • SV-104587
By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets your policies; if not, configure to meet password aging policies. Note: It is very important the password aging policy not be shorter than the default interval that is set to automatically change the vpxuser password, to preclude the possibility that vCenter might get locked out of an ESXi host.
Checks: C-18076r531360_chk

Select the vCenter Server in the vSphere Web Client object hierarchy. Click Configure. Click Advanced Settings and enter VimPasswordExpirationInDays in the filter box. Verify "VirtualCenter.VimPasswordExpirationInDays" is set to "30". or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity &lt;vcenter server name&gt; -Name VirtualCenter.VimPasswordExpirationInDays and verify it is set to 30. If the "VirtualCenter.VimPasswordExpirationInDays" is set to a value other than "30" or does not exist, this is a finding.

Fix: F-18074r531361_fix

Select the vCenter Server in the vSphere Web Client object hierarchy. Click Configure. Click Advanced Settings and enter VimPasswordExpirationInDays in the filter box. Set "VirtualCenter.VimPasswordExpirationInDays" to "30". or From a PowerCLI command prompt while connected to the vCenter server run the following command: If the setting already exists: Get-AdvancedSetting -Entity <vcenter server name> -Name VirtualCenter.VimPasswordExpirationInDays | Set-AdvancedSetting -Value 30 If the setting does not exist: New-AdvancedSetting -Entity <vcenter server name> -Name VirtualCenter.VimPasswordExpirationInDays -Value 30

b
The vCenter Server for Windows must configure the vpxuser password meets length policy.
CM-6 - Medium - CCI-000366 - V-216846 - SV-216846r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000024
Vuln IDs
  • V-216846
  • V-94759
Rule IDs
  • SV-216846r879887_rule
  • SV-104589
The vpxuser password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. Longer passwords make brute-force password attacks more difficult. The vpxuser password is added by vCenter, meaning no manual intervention is normally required. The vpxuser password length must never be modified to less than the default length of 32 characters.
Checks: C-18077r366252_chk

From the vSphere Web Client go to Host and Clusters &gt;&gt; Select a vCenter Server &gt;&gt; Configure &gt;&gt; Settings &gt;&gt; Advanced Settings. Verify that "config.vpxd.hostPasswordLength" is set to "32". or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity &lt;vcenter server name&gt; -Name config.vpxd.hostPasswordLength and verify it is set to 32. If the "config.vpxd.hostPasswordLength" is set to a value other than "32" or does not exist, this is a finding.

Fix: F-18075r366253_fix

From the vSphere Web Client go to Host and Clusters >> Select a vCenter Server >> Configure >> Settings >> Advanced Settings. Click "Edit" and edit the "config.vpxd.hostPasswordLength" value to "32" or if the value does not exist create it by entering the values in the "Key" and "Value" fields and clicking "Add". or From a PowerCLI command prompt while connected to the vCenter server run the following command: If the setting already exists: Get-AdvancedSetting -Entity <vcenter server name> -Name config.vpxd.hostPasswordLength | Set-AdvancedSetting -Value 32 If the setting does not exist: New-AdvancedSetting -Entity <vcenter server name> -Name config.vpxd.hostPasswordLength -Value 32

a
The vCenter Server for Windows must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.
CM-6 - Low - CCI-000366 - V-216847 - SV-216847r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCWN-65-000025
Vuln IDs
  • V-216847
  • V-94761
Rule IDs
  • SV-216847r879887_rule
  • SV-104591
The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and might potentially be used to perform malicious configuration changes or actions.
Checks: C-18078r366255_chk

The Managed Object Browser (MOB) was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is an inventory object, full-access interface, allowing attackers to determine the inventory path of an infrastructure's managed entities. Check the operational status of the MOB: Determine the location of the vpxd.cfg file on the vCenter Server's Windows OS host. Edit the file and locate the &lt;vpxd&gt; ... &lt;/vpxd&gt; element. Ensure the following element is set. &lt;enableDebugBrowse&gt;false&lt;/enableDebugBrowse&gt; If the MOB is currently enabled, ask the SA if it is being used for object maintenance. If the "enableDebugBrowse" element is enabled (set to true), and object maintenance is not being performed, this is a finding.

Fix: F-18076r366256_fix

If the datastore browser is enabled and required for object maintenance, no fix is immediately required. Disable the managed object browser: Determine the location of the vpxd.cfg file on the Windows host. Edit the file and locate the <vpxd> ... </vpxd> element. Ensure the following element is set. <enableDebugBrowse>false</enableDebugBrowse> Restart the vCenter Service to ensure the configuration file change(s) are in effect.

b
The vCenter Server for Windows must check the privilege re-assignment after restarts.
CM-6 - Medium - CCI-000366 - V-216848 - SV-216848r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000026
Vuln IDs
  • V-216848
  • V-94845
Rule IDs
  • SV-216848r879887_rule
  • SV-104675
Check for privilege reassignment when you restart vCenter Server. If the user or user group that is assigned the Administrator role on the root folder cannot be verified as a valid user or group during a restart, the role is removed from that user or group. In its place, vCenter Server grants the Administrator role to the vCenter Single Sign-On account administrator@vsphere.local. This account can then act as the administrator. Reestablish a named administrator account and assign the Administrator role to that account to avoid using the anonymous administrator@vsphere.local account.
Checks: C-18079r366258_chk

After the Windows server hosting the vCenter Server has been rebooted, a vCenter Server user or member of the user group granted the administrator role must log in and verify the role permissions remain intact. If the user and/or user group granted vCenter administrator role permissions cannot be verified as intact, this is a finding.

Fix: F-18077r366259_fix

As the SSO Administrator, log in to the vCenter Server and restore a legitimate administrator account per site-specific user/group/role requirements.

c
The vCenter Server for Windows must minimize access to the vCenter server.
CM-6 - High - CCI-000366 - V-216849 - SV-216849r879887_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
VCWN-65-000027
Vuln IDs
  • V-216849
  • V-94763
Rule IDs
  • SV-216849r879887_rule
  • SV-104593
After someone has logged in to the vCenter Server system, it becomes more difficult to prevent what they can do. In general, logging in to the vCenter Server system should be limited to very privileged administrators, and then only for the purpose of administering vCenter Server or the host OS. Anyone logged in to the vCenter Server can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes. They also have potential access to vCenter credentials, such as the SSL certificate.
Checks: C-18080r366261_chk

Login to the vCenter server and verify the only local administrators group contains users and/or groups that contain vCenter Administrators. If the local administrators group contains users and/or groups that are not vCenter Administrators such as "Domain Admins", this is a finding.

Fix: F-18078r366262_fix

Remove all unnecessary users and/or groups from the local administrators group of the vCenter server.

b
The vCenter Server for Windows Administrators must clean up log files after failed installations.
CM-6 - Medium - CCI-000366 - V-216850 - SV-216850r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000028
Vuln IDs
  • V-216850
  • V-94765
Rule IDs
  • SV-216850r879887_rule
  • SV-104595
In certain cases, if the vCenter installation fails, a log file (with a name of the form “hs_err_pidXXXX”) is created that contains the database password in plain text. An attacker who breaks into the vCenter Server could potentially steal this password and access the vCenter Database.
Checks: C-18081r366264_chk

If at any time a vCenter Server installation fails, only the log files of format "hs_err_pid...." should be identified on the Windows host and deleted securely before putting the host into production. Determine if a site policy exists for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format "hs_err_pid". If a file name of the format "hs_err_pid" is found, this is a finding. If a site policy does not exist and/or is not followed, this is a finding.

Fix: F-18079r366265_fix

Develop a site policy for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format "hs_err_pid" and remove them.

b
The vCenter Server for Windows must enable all tasks to be shown to Administrators in the Web Client.
CM-6 - Medium - CCI-000366 - V-216851 - SV-216851r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000029
Vuln IDs
  • V-216851
  • V-94767
Rule IDs
  • SV-216851r879887_rule
  • SV-104597
By default not all tasks are shown in the web client to administrators and only that user's tasks will be shown. Enabling all tasks to be shown will allow the administrator to potentially see any malicious activity they may miss with the view disabled.
Checks: C-18082r366267_chk

Verify the "webclient.properties" file contains the line "show.allusers.tasks = true". The default location for the "webclient.properties" file are: Appliance: /etc/vmware/vsphere-client/ Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client\ If "show.allusers.tasks" is not set to "true", this is a finding.

Fix: F-18080r366268_fix

Edit the "webclient.properties" file to set the "show.allusers.tasks" value to "true". The default location for the "webclient.properties" file are: Appliance: /etc/vmware/vsphere-client/ Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client\ After editing the file the vSphere Web Client service will need to be restarted.

b
The vCenter Server for Windows Administrator role must be secured and assigned to specific users other than a Windows Administrator.
CM-6 - Medium - CCI-000366 - V-216852 - SV-216852r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000030
Vuln IDs
  • V-216852
  • V-94769
Rule IDs
  • SV-216852r879887_rule
  • SV-104599
By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows server to users who are not vCenter administrators.
Checks: C-18083r766915_chk

If enhanced linked mode is used then local windows authentication is not available to vCenter, this is not applicable. Under the computer management console for Windows, view the local administrators group and verify only vCenter administrators have access to the vCenter server. Other groups and users that are not vCenter administrators should be removed from the local administrators group, such as Domain Admins. If there are any unauthorized groups or users present in the local administrators group of the vCenter server, this is a finding.

Fix: F-18081r366271_fix

Under the computer management console for windows view the local administrators group and remove any users or groups that do not fit the criteria defined in the check content.

a
The vCenter Server for Windows must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.
CM-6 - Low - CCI-000366 - V-216853 - SV-216853r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCWN-65-000031
Vuln IDs
  • V-216853
  • V-94771
Rule IDs
  • SV-216853r879887_rule
  • SV-104601
The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet. The Update Manager requires access to patch information to function properly. UMDS must be installed on a separate system that has Internet access to download upgrades, patch binaries, and patch metadata, and then export the downloads to a portable media drive so that they become accessible to the Update Manager server.
Checks: C-18084r366273_chk

Check the following conditions: The Update Manager must be configured to use the Update Manager Download Server. The use of physical media to transfer update files to the Update Manager server (air gap model example: separate Update Manager Download Server which may source vendor patches externally via the Internet versus an internal, organization defined source) must be enforced with site policies. Verify the Update Manager download source is not the Internet. To verify download settings, from the vSphere Client/vCenter Server system, click "Update Manager" under "Solutions and Applications". On the "Configuration tab", under "Settings", click "Download Settings". In the "Download Sources" pane, verify "Direct connection to Internet" is not selected. If "Direct connection to Internet" is configured, this is a finding. If all of the above conditions are not met, this is a finding.

Fix: F-18082r366274_fix

Configure the Update Manager Server to use a separate Update Manager Download Server; the use of physical media to transfer updated files to the Update Manager server (air gap model) must be enforced and documented with organization policies. Configure the Update Manager Download Server and enable the Download Service. Patches must not be directly accessible to the Update Manager Server application from the Internet. To configure a Web server or local disk repository as a download source (i.e., "Direct connection to Internet" must not be selected as the source), from the vSphere Client/vCenter Server system, click "Update Manager" under "Solutions and Applications". On the "Configuration" tab, under "Settings", click "Download Settings". In the "Download Sources" pane, select "Use a shared repository". Enter the <site-specific> path or the URL to the shared repository. Click "Validate URL" to validate the path. Click "Apply".

b
The vCenter Server for Windows must use a least-privileges assignment for the Update Manager database user.
CM-6 - Medium - CCI-000366 - V-216854 - SV-216854r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000032
Vuln IDs
  • V-216854
  • V-94773
Rule IDs
  • SV-216854r879887_rule
  • SV-104603
Least-privileges mitigate attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.
Checks: C-18085r366276_chk

Verify only the following permissions are allowed to the VUM database user. For Oracle DB normal operation, only the following permissions are required. grant connect to vumAdmin grant resource to vumAdmin grant create any job to vumAdmin grant create view to vumAdmin grant create any sequence to vumAdmin grant create any table to vumAdmin grant lock any table to vumAdmin grant create procedure to vumAdmin grant create type to vumAdmin grant execute on dbms_lock to vumAdmin grant unlimited tablespace to vumAdmin # To ensure space limitation is not an issue For SQL DB normal operation, make sure that the database user has either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database. The db_owner role on the MSDB database is required for installation and upgrade only. If the above vendor database-dependent permissions are not strictly adhered to, this is a finding.

Fix: F-18083r366277_fix

For Oracle DB normal runtime operation, set the following permissions. grant connect to vumAdmin grant resource to vumAdmin grant create any job to vumAdmin grant create view to vumAdmin grant create any sequence to vumAdmin grant create any table to vumAdmin grant lock any table to vumAdmin grant create procedure to vumAdmin grant create type to vumAdmin grant execute on dbms_lock to vumAdmin grant unlimited tablespace to vumAdmin # To ensure space limitation is not an issue For SQL DB normal operation, make sure that the database user has either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database. The db_owner role on the MSDB database is required for installation and upgrade only. Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.

b
The vCenter Server for Windows must use a least-privileges assignment for the vCenter Server database user.
CM-6 - Medium - CCI-000366 - V-216855 - SV-216855r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000033
Vuln IDs
  • V-216855
  • V-94775
Rule IDs
  • SV-216855r879887_rule
  • SV-104605
Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.
Checks: C-18086r366279_chk

Verify only the following permissions are allowed on the vCenter database for the following roles and users. vCenter database administrator role used only for initial setup and periodic maintenance of the database: Schema permissions ALTER, REFERENCES, and INSERT. Permissions CREATE TABLE, ALTER TABLE, VIEW, and CREATE PROCEDURES. vCenter database user role: SELECT, INSERT, DELETE, UPDATE, and EXECUTE. EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures. SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables. vCenter database user: VIEW SERVER STATE and VIEW ANY DEFINITIONS. Equivalent permissions must be set for Non-MS databases. If the above database permissions are not set correctly, this is a finding.

Fix: F-18084r366280_fix

Configure correct permissions and roles for SQL: Grant these privileges to a vCenter database administrator role used only for initial setup and periodic maintenance of the database: Schema permissions ALTER, REFERENCES, and INSERT. Permissions CREATE TABLE, ALTER TABLE, VIEW, and CREATE PROCEDURES. Grant these privileges to a vCenter database user role: SELECT, INSERT, DELETE, UPDATE, and EXECUTE. EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures. SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables. Grant the permissions VIEW SERVER STATE and VIEW ANY DEFINITIONS to the vCenter database user.

b
The vCenter Server for Windows must use unique service accounts when applications connect to vCenter.
CM-6 - Medium - CCI-000366 - V-216856 - SV-216856r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000034
Vuln IDs
  • V-216856
  • V-94777
Rule IDs
  • SV-216856r879887_rule
  • SV-104607
In order to not violate non-repudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they should use unique service accounts.
Checks: C-18087r366282_chk

Verify that each external application that connects to vCenter has a unique service account dedicated to that application. For example there should be separate accounts for Log Insight, Operations Manager, or anything else that requires an account to access vCenter. If any application shares a service account that is used to connect to vCenter, this is a finding.

Fix: F-18085r366283_fix

For applications sharing service accounts create a new service account to assign to the application so that no application shares a service account with another. When standing up a new application that requires access to vCenter always create a new service account prior to installation and grant only the permissions needed for that application.

b
vCenter Server for Windows plugins must be verified.
CM-6 - Medium - CCI-000366 - V-216857 - SV-216857r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000035
Vuln IDs
  • V-216857
  • V-94779
Rule IDs
  • SV-216857r879887_rule
  • SV-104609
The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system.
Checks: C-18088r366285_chk

Verify the vSphere Client used by administrators includes only authorized extensions from trusted sources. From the vSphere Web Client go to Administration &gt;&gt; Solutions &gt;&gt; Client Plug-Ins. View the Installed/Available Plug-ins list and verify they are all identified as authorized VMware, Third-party (Partner) and/or site-specific (locally developed and site) approved plug-ins. If any Installed/Available plug-ins in the viewable list cannot be verified as vSphere Client plug-ins and/or authorized extensions from trusted sources, this is a finding.

Fix: F-18086r366286_fix

From the vSphere Web Client go to Administration >> Solutions >> Client Plug-Ins and right click the unknown plug-in and click disable then proceed to remove the plug-in. To remove plug-ins do the following: If you have vCenter Server in linked mode, perform this procedure on the vCenter Server that is used to install the plug-in initially, then restart the vCenter Server services on the linked vCenter Server. In a web browser, navigate to http://vCenter_Server_name_or_IP/mob. Where vCenter_Server_name_or_IP/mob is the name of your vCenter Server or its IP address. Click Content. Click ExtensionManager. Select and copy the name of the plug-in you want to remove from the list of values under Properties. For a list of default plug-ins, see the Additional Information section of this article. Click UnregisterExtension. A new window appears. Paste the name of the plug-in and click Invoke Method. This removes the plug-in. Close the window. Refresh the Managed Object Type:ManagedObjectReference:ExtensionManager window to verify that the plug-in is removed successfully. Note: If the plug-in still appears, you may have to restart the vSphere Client. Note: You may have to enable the Managed Object Browser (MOB) temporarily if previously disabled.

a
The vCenter Server for Windows must produce audit records containing information to establish what type of events occurred.
SI-6 - Low - CCI-002702 - V-216858 - SV-216858r879845_rule
RMF Control
SI-6
Severity
Low
CCI
CCI-002702
Version
VCWN-65-000036
Vuln IDs
  • V-216858
  • V-94781
Rule IDs
  • SV-216858r879845_rule
  • SV-104611
Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Checks: C-18089r366288_chk

From the vSphere Web Client go to Host and Clusters &gt;&gt; Select a vCenter Server &gt;&gt; Configure &gt;&gt; Settings &gt;&gt; Advanced Settings. Verify that "config.log.level" value is set to "info". or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity &lt;vcenter server name&gt; -Name config.log.level and verify it is set to "info". If the "config.log.level" value is not set to "info" or does not exist, this is a finding.

Fix: F-18087r366289_fix

From the vSphere Web Client go to Host and Clusters >> Select a vCenter Server >> Configure >> Settings >> Advanced Settings. Click "Edit" and edit the "config.log.level" setting to "info" or if the value does not exist create it by entering the values in the "Key" and "Value" fields and clicking "Add". or From a PowerCLI command prompt while connected to the vCenter server run the following command: If the setting already exists: Get-AdvancedSetting -Entity <vcenter server name> -Name config.log.level | Set-AdvancedSetting -Value info If the setting does not exist: New-AdvancedSetting -Entity <vcenter server name> -Name config.log.level -Value info

b
The vCenter Server for Windows passwords must be at least 15 characters in length.
IA-5 - Medium - CCI-000205 - V-216859 - SV-216859r879601_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
VCWN-65-000039
Vuln IDs
  • V-216859
  • V-94783
Rule IDs
  • SV-216859r879601_rule
  • SV-104613
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-18090r366291_chk

From the vSphere Web Client go to Administration &gt;&gt; Single Sign-On &gt;&gt; Configuration &gt;&gt; Policies &gt;&gt; Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Minimum Length: 15 If this password policy is not configured as stated, this is a finding.

Fix: F-18088r366292_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set the Minimum Length to "15" and click "OK".

b
The vCenter Server for Windows passwords must contain at least one uppercase character.
IA-5 - Medium - CCI-000192 - V-216860 - SV-216860r879603_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
VCWN-65-000040
Vuln IDs
  • V-216860
  • V-94785
Rule IDs
  • SV-216860r879603_rule
  • SV-104615
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.
Checks: C-18091r366294_chk

From the vSphere Web Client go to Administration &gt;&gt; Single Sign-On &gt;&gt; Configuration &gt;&gt; Policies &gt;&gt; Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Upper-case Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.

Fix: F-18089r366295_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Upper-case Characters to at least "1" and click "OK".

b
The vCenter Server for Windows passwords must contain at least one lowercase character.
IA-5 - Medium - CCI-000193 - V-216861 - SV-216861r879604_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
VCWN-65-000041
Vuln IDs
  • V-216861
  • V-94787
Rule IDs
  • SV-216861r879604_rule
  • SV-104617
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.
Checks: C-18092r366297_chk

From the vSphere Web Client go to Administration &gt;&gt; Single Sign-On &gt;&gt; Configuration &gt;&gt; Policies &gt;&gt; Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Lower-case Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.

Fix: F-18090r366298_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Lower-case Characters to at least "1" and click "OK".

b
The vCenter Server for Windows passwords must contain at least one numeric character.
IA-5 - Medium - CCI-000194 - V-216862 - SV-216862r879605_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
VCWN-65-000042
Vuln IDs
  • V-216862
  • V-94789
Rule IDs
  • SV-216862r879605_rule
  • SV-104619
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.
Checks: C-18093r366300_chk

From the vSphere Web Client go to Administration &gt;&gt; Single Sign-On &gt;&gt; Configuration &gt;&gt; Policies &gt;&gt; Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Numeric Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.

Fix: F-18091r366301_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Numeric Characters to at least "1" and click "OK".

b
The vCenter Server for Windows passwords must contain at least one special character.
IA-5 - Medium - CCI-001619 - V-216863 - SV-216863r879606_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
VCWN-65-000043
Vuln IDs
  • V-216863
  • V-94791
Rule IDs
  • SV-216863r879606_rule
  • SV-104621
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.
Checks: C-18094r366303_chk

From the vSphere Web Client go to Administration &gt;&gt; Single Sign-On &gt;&gt; Configuration &gt;&gt; Policies &gt;&gt; Password Policy. View the values of the password format requirements. The following password requirements should be set at a minimum: Special Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.

Fix: F-18092r366304_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Special Characters to at least "1" and click "OK".

b
The vCenter Server for Windows must limit the maximum number of failed login attempts to three.
AC-7 - Medium - CCI-002238 - V-216864 - SV-216864r879722_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-002238
Version
VCWN-65-000045
Vuln IDs
  • V-216864
  • V-94793
Rule IDs
  • SV-216864r879722_rule
  • SV-104623
By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Checks: C-18095r366306_chk

From the vSphere Web Client go to Administration &gt;&gt; Single Sign-On &gt;&gt; Configuration &gt;&gt; Policies &gt;&gt; Lockout Policy. View the values for the lockout policies. The following lockout policy should be set at follows: Maximum number of failed login attempts: 3 If this account lockout policy is not configured as stated, this is a finding.

Fix: F-18093r366307_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click "Edit". Set the Maximum number of failed login attempts to "3" and click "OK".

b
The vCenter Server for Windows must set the interval for counting failed login attempts to at least 15 minutes.
AC-7 - Medium - CCI-002238 - V-216865 - SV-216865r879722_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-002238
Version
VCWN-65-000046
Vuln IDs
  • V-216865
  • V-94795
Rule IDs
  • SV-216865r879722_rule
  • SV-104625
By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Checks: C-18096r366309_chk

From the vSphere Web Client go to Administration &gt;&gt; Single Sign-On &gt;&gt; Configuration &gt;&gt; Policies &gt;&gt; Lockout Policy. View the values for the lockout policies. The following lockout policy should be set at follows: Time interval between failures: 900 seconds If this lockout policy is not configured as stated, this is a finding.

Fix: F-18094r366310_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click "Edit". Set the Time interval between failures to "900" and click "OK".

b
The vCenter Server for Windows must require an administrator to unlock an account locked due to excessive login failures.
AC-7 - Medium - CCI-002238 - V-216866 - SV-216866r879722_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-002238
Version
VCWN-65-000047
Vuln IDs
  • V-216866
  • V-94797
Rule IDs
  • SV-216866r879722_rule
  • SV-104627
By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Checks: C-18097r366312_chk

From the vSphere Web Client go to Administration &gt;&gt; Single Sign-On &gt;&gt; Configuration &gt;&gt; Policies &gt;&gt; Lockout Policy. View the values for the lockout policies. The following lockout policy should be set at follows: Unlock time: 0 If this account lockout policy is not configured as stated, this is a finding.

Fix: F-18095r366313_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click "Edit". Set the Unlock time to "0" and click "OK".

b
The vCenter Server for Windows must alert administrators on permission creation operations.
SI-6 - Medium - CCI-001294 - V-216867 - SV-216867r879661_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-001294
Version
VCWN-65-000048
Vuln IDs
  • V-216867
  • V-94799
Rule IDs
  • SV-216867r879661_rule
  • SV-104629
If personnel are not notified of permission events, they will not be aware of possible unsecure situations.
Checks: C-18098r366315_chk

From the vSphere Web Client go to Host and Clusters &gt;&gt; Select a vCenter Server &gt;&gt; Monitor &gt;&gt; Issues &gt;&gt; Alarm Definitions. Verify there is an alarm created to alert on permission additions. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionAddedEvent"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert on permission addition events, this is a finding.

Fix: F-18096r366316_fix

From the vSphere Web Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions. Right-click in the empty space and select "New Alarm". On the "General" tab provide an alarm name and description, Select "vCenter Server" for alarm type and "Monitor for specific events occurring on this object", check "Enable this alarm". On the "Triggers" tab, click "Add" for a trigger and in the event column enter "vim.event.PermissionAddedEvent" and click "OK".

b
The vCenter Server for Windows must alert administrators on permission deletion operations.
SI-6 - Medium - CCI-001294 - V-216868 - SV-216868r879661_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-001294
Version
VCWN-65-000049
Vuln IDs
  • V-216868
  • V-94801
Rule IDs
  • SV-216868r879661_rule
  • SV-104631
If personnel are not notified of permission events, they will not be aware of possible unsecure situations.
Checks: C-18099r366318_chk

From the vSphere Web Client go to Host and Clusters &gt;&gt; Select a vCenter Server &gt;&gt; Monitor &gt;&gt; Issues &gt;&gt; Alarm Definitions. Verify there is an alarm created to alert on permission additions. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionRemovedEvent"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert on permission addition events, this is a finding.

Fix: F-18097r366319_fix

From the vSphere Web Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions. Right-click in the empty space and select "New Alarm". On the "General" tab provide an alarm name and description, Select "vCenter Server" for alarm type and "Monitor for specific events occurring on this object", check "Enable this alarm". On the "Triggers" tab, click "Add" for a trigger and in the event column enter "vim.event.PermissionRemovedEvent" and click "OK".

b
The vCenter Server for Windows must alert administrators on permission update operations.
SI-6 - Medium - CCI-001294 - V-216869 - SV-216869r879661_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-001294
Version
VCWN-65-000050
Vuln IDs
  • V-216869
  • V-94803
Rule IDs
  • SV-216869r879661_rule
  • SV-104633
If personnel are not notified of permission events, they will not be aware of possible unsecure situations.
Checks: C-18100r366321_chk

"From the vSphere Web Client go to Host and Clusters &gt;&gt; Select a vCenter Server &gt;&gt; Monitor &gt;&gt; Issues &gt;&gt; Alarm Definitions. Verify there is an alarm created to alert on permission additions. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq ""vim.event.PermissionUpdatedEvent""} | Select Name,Enabled,@{N=""EventTypeId"";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert on permission addition events, this is a finding."

Fix: F-18098r366322_fix

From the vSphere Web Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions. Right-click in the empty space and select "New Alarm". On the "General" tab provide an alarm name and description, Select "vCenter Server" for alarm type and "Monitor for specific events occurring on this object", check "Enable this alarm". On the "Triggers" tab, click "Add" for a trigger and in the event column enter "vim.event.PermissionUpdatedEvent" and click "OK".

b
The vCenter Server for Windows users must have the correct roles assigned.
SC-3 - Medium - CCI-001084 - V-216870 - SV-216870r879643_rule
RMF Control
SC-3
Severity
Medium
CCI
CCI-001084
Version
VCWN-65-000051
Vuln IDs
  • V-216870
  • V-94805
Rule IDs
  • SV-216870r879643_rule
  • SV-104635
Users and service accounts must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.
Checks: C-18101r366324_chk

From the vSphere Web Client go to Administration &gt;&gt; Access Control &gt;&gt; Roles. View each role and verify the users and/or groups assigned to it. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto Application service account and user required privileges should be documented. If any user or service account has more privileges than required, this is a finding.

Fix: F-18099r366325_fix

To create a new role with specific permissions do the following: From the vSphere Web Client go to Administration >> Access Control >> Roles. Click the green plus sign and enter a name for the role and select only the specific permissions required. Users can then be assigned to the newly created role.

b
The vCenter Server for Windows must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
CM-6 - Medium - CCI-000366 - V-216871 - SV-216871r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000052
Vuln IDs
  • V-216871
  • V-94807
Rule IDs
  • SV-216871r879887_rule
  • SV-104637
Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes vSAN, iSCSI, and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and Virtual Machines will limit unauthorized users from viewing the traffic.
Checks: C-18102r366327_chk

If IP-based storage is not used, this is not applicable. IP-Based storage (iSCSI, NFS, vSAN) VMkernel port groups must be in a dedicated VLAN that can be on a common standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment. From the vSphere Client select the ESXi host and go to Configure &gt;&gt; Networking &gt;&gt; VMkernel adapters and review the VLANs associated with any IP-Based storage VMkernels and verify they are dedicated for that purpose and are logically separated from other functions. If any IP-Based storage networks are not isolated from other traffic types, this is a finding.

Fix: F-18100r366328_fix

Configuration of an IP-Based VMkernel will be unique to each environment but for example to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel do the following: From the vSphere Web Client select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select the Storage VMkernel (for any IP-based storage) and click the pencil icon >> On the Port properties tab uncheck everything (unless vSAN). On the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK. Set the appropriate VLAN ID >> Configure >> Networking >> Virtual switches. Select the Storage portgroup (ISCSI, NFS, vSAN) and click the pencil icon >> On the properties tab, enter the appropriate VLAN ID and click OK.

b
The vCenter Server for Windows must enable the vSAN Health Check.
CM-6 - Medium - CCI-000366 - V-216872 - SV-216872r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000053
Vuln IDs
  • V-216872
  • V-94809
Rule IDs
  • SV-216872r879887_rule
  • SV-104639
The vSAN Health Check is used for additional alerting capabilities, performance stress testing prior to production usage, and verifying that the underlying hardware officially is supported by being in compliance with the vSAN Hardware Compatibility Guide
Checks: C-18103r366330_chk

If no clusters are enabled for vSAN, this is not applicable. From the vSphere Web Client go to Host and Clusters &gt;&gt; Select a vSAN Enabled Cluster &gt;&gt; Manage &gt;&gt; Configure &gt;&gt; Virtual SAN &gt;&gt; Health and Performance. Review the "Health Service Status" and verify that it is set to "Enabled". If vSAN is enabled and there is no vSAN health check installed or the vSAN Health Check is disabled, this is a finding.

Fix: F-18101r366331_fix

From the vSphere Web Client go to Host and Clusters >> Select a vSAN Enabled Cluster >> Manage >> Configure >> Virtual SAN >> Health and Performance >> "Health Service" and click "Edit Settings". Select the check box for "Turn On Periodical Health Check" and configure the time interval as necessary.

b
The vCenter Server for Windows must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
CM-6 - Medium - CCI-000366 - V-216873 - SV-216873r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000054
Vuln IDs
  • V-216873
  • V-94811
Rule IDs
  • SV-216873r879887_rule
  • SV-104641
The vSAN Health Check is able to download the hardware compatibility list from VMware in order to check compliance against the underlying vSAN Cluster hosts. To ensure the vCenter server is not directly downloading content from the internet this functionality must be disabled or if this feature is necessary an external proxy server must be configured.
Checks: C-18104r366333_chk

If no clusters are enabled for vSAN, this is not applicable. From the vSphere Web Client go to Host and Clusters &gt;&gt; Select a vSAN Enabled Cluster &gt;&gt; Manage &gt;&gt; Configure &gt;&gt; Virtual SAN &gt;&gt; General &gt;&gt; Internet Connectivity &gt;&gt; Edit If the HCL internet download is not required then ensure that "Enable Internet access for this cluster" is disabled. If this "Enable Internet access for this cluster" is enabled, this is a finding. If the HCL internet download is required then ensure that "Enable Internet access for this cluster" is enabled and that a proxy host is configured. If "Enable Internet access for this cluster" is disabled or a proxy is not configured, this is a finding.

Fix: F-18102r366334_fix

From the vSphere Web Client go to Host and Clusters >> Select a vSAN Enabled Cluster >> Manage >> Configure >> Virtual SAN >> General >> Internet Connectivity >> Edit If the HCL internet download is not required then ensure that "Enable Internet access for this cluster" is disabled. If the HCL internet download is required then ensure that "Enable Internet access for this cluster" is enabled and that a proxy host is appropriately configured.

b
The vCenter Server for Windows must configure the vSAN Datastore name to a unique name.
CM-6 - Medium - CCI-000366 - V-216874 - SV-216874r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000055
Vuln IDs
  • V-216874
  • V-94813
Rule IDs
  • SV-216874r879887_rule
  • SV-104643
A vSAN Datastore name by default is "vsanDatastore". If more than one vSAN cluster is present in vCenter both datastores will have the same name by default, potentially leading to confusion and manually misplaced workloads.
Checks: C-18105r366336_chk

If no clusters are enabled for vSAN, this is not applicable. From the vSphere Web Client go to Host and Clusters &gt;&gt; Select a vSAN Enabled Cluster &gt;&gt; Datastores. Review the datastores. Identify any datastores with "vsan" as the datastore type. or From a PowerCLI command prompt while connected to the vCenter server run the following command: If($(Get-Cluster | where {$_.VsanEnabled} | Measure).Count -gt 0){ Write-Host "vSAN Enabled Cluster found" Get-Cluster | where {$_.VsanEnabled} | Get-Datastore | where {$_.type -match "vsan"} } else{ Write-Host "vSAN is not enabled, this finding is not applicable" } If vSAN is Enabled and the datastore is named "vsanDatastore", this is a finding.

Fix: F-18103r366337_fix

From the vSphere Web Client go to Host and Clusters >> Select a vSAN Enabled Cluster >> Datastores. Right-click on the datastore named "vsanDatastore" and select "Rename". Rename the datastore based on operational naming standards. or From a PowerCLI command prompt while connected to the vCenter server run the following command: If($(Get-Cluster | where {$_.VsanEnabled} | Measure).Count -gt 0){ Write-Host "vSAN Enabled Cluster found" $Clusters = Get-Cluster | where {$_.VsanEnabled} Foreach ($clus in $clusters){ $clus | Get-Datastore | where {$_.type -match "vsan"} | Set-Datastore -Name $(($clus.name) + "_vSAN_Datastore") } } else{ Write-Host "vSAN is not enabled, this finding is not applicable" }

b
The vCenter Server for Windows users must have the correct roles assigned.
CM-6 - Medium - CCI-000366 - V-216875 - SV-216875r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000056
Vuln IDs
  • V-216875
  • V-94815
Rule IDs
  • SV-216875r879887_rule
  • SV-104645
Users and service accounts must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.
Checks: C-18106r366339_chk

From the vSphere Web Client go to Administration &gt;&gt; Access Control &gt;&gt; Roles. View each role and verify the users and/or groups assigned to it. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto Application service account and user required privileges should be documented. If any user or service account has more privileges than required, this is a finding.

Fix: F-18104r366340_fix

To update a user or groups permissions to an existing role with reduced permissions do the following: From the vSphere Web Client go to Administration >> Access Control >> Global Permissions. Select the user or group and click "Edit" and change the assigned role and click "OK". If permissions are assigned on a specific object then the role must be updated where it is assigned for example at the cluster level. To create a new role with reduced permissions do the following: From the vSphere Web Client go to Administration >> Access Control >> Roles. Click the green plus sign and enter a name for the role and select only the specific permissions required. Users can then be assigned to the newly created role.

b
The vCenter Server for Windows must enable TLS 1.2 exclusively.
CM-6 - Medium - CCI-000366 - V-216876 - SV-216876r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000057
Vuln IDs
  • V-216876
  • V-94817
Rule IDs
  • SV-216876r879887_rule
  • SV-104647
TLS 1.0 and 1.1 are deprecated protocols with well published shortcomings and vulnerabilities. TLS 1.2 should be disabled on all interfaces and TLS 1.1 and 1.0 disabled where supported. Mandating TLS 1.2 may break third party integrations and add-ons to vSphere. Test these integrations carefully after implementing TLS 1.2 and roll back where appropriate. On interfaces where required functionality is broken with TLS 1.2 this finding is N/A until such time as the third party software supports TLS 1.2. Make sure you modify TLS settings in the following order: 1. Platform Services Controls (if applicable), 2. vCenter, 3. ESXi
Checks: C-18107r366342_chk

Download the VMware TLS Reconfigurator utility from my.vmware.com. Follow installation instructions for your vCenter platform according to VMware KB 2147469. Appliance: 1. /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator/reconfigureVc backup 2. /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator/reconfigureVc scan Windows: 1. Open a command prompt and cd to C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator 2. Enter command "reconfigureVc scan" and press "Enter" If the output indicates versions of TLS other than 1.2 are enabled, this is a finding.

Fix: F-18105r366343_fix

Download the VMware TLS Reconfigurator utility from my.vmware.com. Follow installation instructions for your vCenter platform according to VMware KB 2147469. Run the following commands. Appliance: 1. /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator/reconfigureVc backup 2. /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLS1.2 Windows: 1. Open a command prompt and cd to C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator 2. Enter command "reconfigureVc backup" and press "Enter" 3. Enter command "reconfigureVc update -p TLS1.2" and press "Enter" vCenter services will be restarted as part of the reconfiguration, the OS will not be restarted. You can add the --no-restart flag to restart services at a later time. Changes will not take effect until all services are restarted or the machine is rebooted.

b
The vCenter Server for Windows reverse proxy must use DoD approved certificates.
CM-6 - Medium - CCI-000366 - V-216877 - SV-216877r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000058
Vuln IDs
  • V-216877
  • V-94819
Rule IDs
  • SV-216877r879887_rule
  • SV-104649
The default self-signed, VMCA issued vCenter reverse proxy certificate must be replaced with a DoD approved certificate. The use of a DoD certificate on the vCenter reverse proxy assures clients that the service they are connecting to is legitimate and properly secured.
Checks: C-18108r622446_chk

From the vCenter server (and external PSC if appropriate) run the following command Appliance: /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store machine_ssl_cert --alias __MACHINE_CERT --text|grep Issuer Windows: "C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe" entry getcert --store machine_ssl_cert --alias __MACHINE_CERT --text|find "Issuer" If the issuer is not a DoD approved certificate authority, or other AO approved certificate authority, this is a finding.

Fix: F-18106r366346_fix

Obtain a DoD issued certificate and private key for each vCenter and external PSC in the system, following the below requirements: Key size: 2048 bits or more (PEM encoded) CRT format (Base-64) x509 version 3 SubjectAltName must contain DNS Name=<machine_FQDN> Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment Verify that the issued certificate includes the full issuing chain. If it does not, concatenate the Base-64 intermediates and root onto the issued machine ssl cert. Export the entire certificate issuing chain up to the root in Base-64 format, concatenate the individual certs into one file that will be used in the next steps when prompted for the signing certificate. Run the certificate-manager tool: Appliance: /usr/lib/vmware-vmca/bin/certificate-manager Windows: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat Select option "1" to replace the machine ssl certificate. Select option "2" to specify existing certificate and private key. Supply the information as prompted remembering the signing certificate file built up previously.

b
The vCenter Server for Windows must enable certificate based authentication.
CM-6 - Medium - CCI-000366 - V-216878 - SV-216878r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000059
Vuln IDs
  • V-216878
  • V-94821
Rule IDs
  • SV-216878r879887_rule
  • SV-104651
The vCenter 6.5 Web Client portal is capable of CAC authentication. This capability must be enabled and properly configured.
Checks: C-18109r366348_chk

See supplemental document. Ensure CAC Authentication occurs upon login to vCenter. Otherwise, this is a finding.

Fix: F-18107r366349_fix

Configure CAC Authentication per supplemental document.

b
The vCenter Server for Windows must enable revocation checking for certificate based authentication.
CM-6 - Medium - CCI-000366 - V-216879 - SV-216879r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000060
Vuln IDs
  • V-216879
  • V-94823
Rule IDs
  • SV-216879r879887_rule
  • SV-104653
The system must establish the validity of the user supplied identity certificate using OCSP and/or CRL revocation checking.
Checks: C-18110r366351_chk

1. Login to the Platform Services Controller web interface with administrator@vsphere.local from https://&lt;FQDN or IP of PSC&gt;/psc In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@&lt;mydomain&gt;. 2. Browse to Single Sign-On &gt; Configuration. 3. Click the "Smart Card Configuration" tab 4. Click the "Certificate Revocation Settings" tab If "Revocation Check" does not show as enabled, this is a finding.

Fix: F-18108r366352_fix

1. Login to the Platform Services Controller web interface with administrator@vsphere.local from https://<FQDN or IP of PSC>/psc In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@<mydomain>. 2. Browse to Single Sign-On > Configuration. 3. Click the "Smart Card Configuration" tab 4. Click the "Certificate Revocation Settings" tab 5. Click the "Enable Revocation Check" button By default the PSC will use the CRL from the certificate to check revocation check status. OCSP with CRL fallback is recommended but this setting is site specific and should be configured appropriately.

a
The vCenter Server for Windows must disable Password and Windows integrated authentication.
CM-6 - Low - CCI-000366 - V-216880 - SV-216880r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCWN-65-000061
Vuln IDs
  • V-216880
  • V-94825
Rule IDs
  • SV-216880r879887_rule
  • SV-104655
All forms of authentication other than CAC must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts but it must be disable as soon as CAC authentication is functional.
Checks: C-18111r366354_chk

1. Login to the Platform Services Controller web interface with administrator@vsphere.local from https://&lt;FQDN or IP of PSC&gt;/psc In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@&lt;mydomain&gt;. 2. Browse to Single Sign-On &gt;&gt; Configuration. 3. Click the "Smart Card Configuration" tab, click the "Edit" button next to “Authentication Configuration”. If the selection box next to “Password and Windows session authentication” is checked, this is a finding.

Fix: F-18109r366355_fix

1. Login to the Platform Services Controller web interface with administrator@vsphere.local from https://<FQDN or IP of PSC>/psc In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@<mydomain>. 2. Browse to Single Sign-On >> Configuration. 3. Click the "Smart Card Configuration" tab, click the "Edit" button next to “Authentication Configuration”. 4. Check the box next to “Password and Windows session authentication”. Click "OK". To re-enable password authentication for troubleshooting run the following command from the PSC: /opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local

a
The vCenter Server for Windows must enable Login banner for vSphere web client.
CM-6 - Low - CCI-000366 - V-216881 - SV-216881r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCWN-65-000062
Vuln IDs
  • V-216881
  • V-94827
Rule IDs
  • SV-216881r879887_rule
  • SV-104657
The required legal notice must be configured for the vCenter web client.
Checks: C-18112r366357_chk

1. Login to the Platform Services Controller web interface with administrator@vsphere.local from https://&lt;FQDN or IP of PSC&gt;/psc In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@&lt;mydomain&gt;. 2. Browse to Single Sign-On &gt;&gt; Configuration. 3. Click the "Login Banner" tab, click the "Edit" button. If selection boxes next to "Status" or "Checkbox Consent" are not checked or if the Message is not configured to the standard DoD User Agreement, this is a finding. Note: Supplementary Information: DoD Logon Banner "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Fix: F-18110r366358_fix

1. Login to the Platform Services Controller web interface with administrator@vsphere.local from https://<FQDN or IP of PSC>/psc In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@<mydomain>. 2. Browse to Single Sign-On >> Configuration. 3. Click the "Login Banner" tab, click the "Edit" button. 4. Check the box next to "Status". 5. Check the box next to "Checkbox Consent". 6. Configure the Title and Message to the standard DoD User Agreement

b
The vCenter Server for Windows must restrict access to cryptographic role.
CM-6 - Medium - CCI-000366 - V-216882 - SV-216882r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000063
Vuln IDs
  • V-216882
  • V-94829
Rule IDs
  • SV-216882r879887_rule
  • SV-104659
vSphere 6.5 modifies the built-in "Administrator" role to add permission to perform cryptographic operations such as KMS operations and encrypting and decrypting virtual machine disks. This role must be reserved for cryptographic administrators where VM encryption and/or vSAN encryption is in use. A new built-in role called "No Cryptography Administrator" has been added to provide all administrative permissions except cryptographic operations. Permissions must be restricted such that normal vSphere administrators are assigned the "No Cryptography Administrator" role or more restrictive. The "Administrator" role must be tightly controlled and must not be applied to administrators who will not be doing cryptographic work. Catastrophic data loss can result from a poorly administered cryptography.
Checks: C-18113r366360_chk

From the vSphere Web Client go to Administration &gt;&gt; Access Control &gt;&gt; Roles or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VIPermission | Where {$_.Role -eq "Admin"} | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto If there are any users other than Solution Users with the "Administrator" role that are not explicitly designated for cryptographic operations, this is a finding. 

Fix: F-18111r366361_fix

From the vSphere Web Client go to Administration >> Access Control >> Roles Move any accounts not explicitly designated for cryptographic operations, other than Solution Users, to other roles such as "No Cryptography Administrator".

b
The vCenter Server for Windows must restrict access to cryptographic permissions.
CM-6 - Medium - CCI-000366 - V-216883 - SV-216883r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000064
Vuln IDs
  • V-216883
  • V-94831
Rule IDs
  • SV-216883r879887_rule
  • SV-104661
These permissions must be reserved for cryptographic administrators where VM encryption and/or vSAN encryption is in use. Catastrophic data loss can result from a poorly administered cryptography.
Checks: C-18114r366363_chk

From the vSphere Web Client go to Administration &gt;&gt; Access Control &gt;&gt; Roles Highlight each role and click the pencil button if it is enabled. Verify that only the "Administrator" and any site-specific cryptographic group(s) have the following permissions: Cryptographic Operations privileges Global.Diagnostics Host.Inventory.Add host to cluster Host.Inventory.Add standalone host Host.Local operations.Manage user groups or From a PowerCLI command prompt while connected to the vCenter server run the following command: $roles = Get-VIRole ForEach($role in $roles){ $privileges = $role.PrivilegeList If($privileges -match "Crypto*" -or $privileges -match "Global.Diagnostics" -or $privileges -match "Host.Inventory.Add*" -or $privileges -match "Host.Local operations.Manage user groups"){ Write-Host "$role has Cryptographic privileges" } } If any role other than "Administrator" or any site-specific group(s) have any of these permissions, this is a finding.

Fix: F-18112r366364_fix

From the vSphere Web Client go to Administration >> Access Control >> Roles Highlight each role and click the pencil button if it is enabled. Remove the following permissions from any group other than Administrator and any site-specific cryptographic group(s): Cryptographic Operations privileges Global.Diagnostics Host.Inventory.Add host to cluster Host.Inventory.Add standalone host Host.Local operations.Manage user groups

a
The vCenter Server for Windows must have Mutual CHAP configured for vSAN iSCSI targets.
CM-6 - Low - CCI-000366 - V-216884 - SV-216884r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCWN-65-000065
Vuln IDs
  • V-216884
  • V-94833
Rule IDs
  • SV-216884r879887_rule
  • SV-104663
When enabled vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MitM attack when not authenticating both the iSCSI target and host in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.
Checks: C-18115r366366_chk

If no clusters are enabled for vSAN or if vSAN is enabled but iSCSI is not enabled, this is not applicable. From the vSphere Web Client go to Host and Clusters &gt;&gt; Select a Cluster &gt;&gt; Configure &gt;&gt; Virtual SAN &gt;&gt; iSCSI Targets For each iSCSI Target select the item and click the pencil icon to open the edit dialog. If the Authentication method is not set to "Mutual CHAP" and fully configured, this is a finding.

Fix: F-18113r366367_fix

From the vSphere Web Client go to Host and Clusters >> Select a Cluster >> Configure >> Virtual SAN >> iSCSI Targets For each iSCSI Target select the item and click the pencil icon to open the edit dialog. Change the "Authentication" field to "Mutual CHAP" and configure the incoming and outgoing users and secrets appropriately.

a
The vCenter Server for Windows must have new Key Encryption Keys (KEKs) re-issued at regular intervals for vSAN encrypted datastore(s).
CM-6 - Low - CCI-000366 - V-216885 - SV-216885r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCWN-65-000066
Vuln IDs
  • V-216885
  • V-94835
Rule IDs
  • SV-216885r879887_rule
  • SV-104665
The Key Encryption Key (KEK) for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the datastore. A shallow re-key is a procedure in which the KMS issues a new KEK to the ESXi host which re-wraps the DEK but does not change the DEK or any data on disk. This operation must be done on a regular, site defined interval and can be viewed as similar in criticality to changing an administrative password. Should the KMS itself somehow be compromised, a standing operational procedure to re-key will put a time limit on the usefulness of any stolen KMS data.
Checks: C-18116r366369_chk

Interview the SA to determine that a procedure has been put in place to perform a shallow re-key of all vSAN encrypted datastores at regular, site defined intervals. VMware recommends a 60-day re-key task but this interval must be defined by the SA and the ISSO. If vSAN encryption is not in use, this is not a finding.

Fix: F-18114r366370_fix

If vSAN encryption is in use, ensure that a regular re-key procedure is in place.

a
The vCenter Server for Windows must disable the Customer Experience Improvement Program (CEIP).
CM-6 - Low - CCI-000366 - V-216886 - SV-216886r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
VCWN-65-000067
Vuln IDs
  • V-216886
  • V-94837
Rule IDs
  • SV-216886r879887_rule
  • SV-104667
The VMware Customer Experience Improvement Program (CEIP) sends VMware anonymized system information that is used to improve the quality, reliability, and functionality of VMware products and services. For confidentiality purposes this feature must be disabled.
Checks: C-18117r366372_chk

From the vSphere Web Client go to Administration &gt;&gt; Deployment &gt;&gt; Customer Experience Improvement Program If Customer Experience Improvement Program is Enabled, this is a finding.

Fix: F-18115r366373_fix

From the vSphere Web Client go to Administration >> Deployment >> Customer Experience Improvement Program Click the "Leave" button

b
The vCenter Server for Windows must use LDAPS when adding an SSO identity source.
CM-6 - Medium - CCI-000366 - V-216887 - SV-216887r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000068
Vuln IDs
  • V-216887
  • V-94839
Rule IDs
  • SV-216887r879887_rule
  • SV-104669
LDAP (Lightweight Directory Access Protocol) is an industry standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over an SSL/TLS encrypted tunnel. To protect confidentiality of LDAP communications the LDAPS option must be selected when adding an LDAP identity source in vSphere SSO.
Checks: C-18118r531363_chk

Note: This requirement is applicable for Active Directory over LDAP connections and Not Applicable when the vCenter or PSC server is joined to AD and using integrated windows authentication. From the vSphere Web Client go to Administration &gt;&gt; Single Sign-On &gt;&gt; Configuration. Click the "Identity Sources" tab. For each identity source of type "Active Directory", highlight the item and click the pencil icon to open the edit dialog. If the LDAPs box at the bottom is not checked, this is a finding.

Fix: F-18116r366376_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration. Click the "Identity Sources" tab. For each identity source of type "Active Directory" where LDAPS is not configured, highlight the item and click the pencil icon to open the edit dialog. Check the box at the bottom for LDAPS and click "Next". Click the green plus button to upload the trusted DC certificate or click the magnifying glass to extract the certificate from the DC directly. Click "Next". Click "Finish".

b
The vCenter Server for Windows must use a limited privilege account when adding an LDAP identity source.
CM-6 - Medium - CCI-000366 - V-216888 - SV-216888r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCWN-65-000069
Vuln IDs
  • V-216888
  • V-94841
Rule IDs
  • SV-216888r879887_rule
  • SV-104671
When adding an LDAP identity source to vSphere SSO the account used to bind to AD must be minimally privileged. This account only requires read rights to the base DN specified. Any other permissions inside or outside of that OU are unnecessary and violate least privilege.
Checks: C-18119r531365_chk

Note: This requirement is applicable for Active Directory over LDAP connections and Not Applicable when the vCenter or PSC server is joined to AD and using integrated windows authentication. From the vSphere Web Client go to Administration &gt;&gt; Single Sign-On &gt;&gt; Configuration. Click the "Identity Sources" tab. For each identity source with of type "Active Directory", highlight the item and click the pencil icon to open the edit dialog. If the account that is configured to bind to the LDAP server is not one with minimal privileges, this is a finding.

Fix: F-18117r366379_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration. Click the "Identity Sources" tab. For each identity source that has been configured with a highly privileged AD account, highlight the item and click the pencil icon to open the edit dialog. Change the username and password to one with read only rights to the base DN and complete the dialog.

b
The vCenter Server for Windows must disable SNMPv1.
IA-3 - Medium - CCI-001967 - V-216889 - SV-216889r879892_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
VCWN-65-006000
Vuln IDs
  • V-216889
  • V-94853
Rule IDs
  • SV-216889r879892_rule
  • SV-104683
SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy while previous versions of the protocol contained well-known security weaknesses that were easily exploited. SNMPv3 can be configured for identification and cryptographically based authentication. SNMPv3 is not supported in vCenter Server for Windows.
Checks: C-18120r366381_chk

NOTE: For the vCenter 6.5 Server Appliance, this requirement is Not Applicable. In the vSphere Web Client go to a vCenter Server instance. Click the Configure tab &gt;&gt; Settings &gt;&gt; General. On the vCenter Server Settings central pane, click Edit. Click SNMP receivers to edit their settings. Ensure no information for SNMP receivers are entered. If there are SNMP receivers configured, this is a finding.

Fix: F-18118r366382_fix

In the vSphere Web Client go to a vCenter Server instance. Click the Configure tab >> Settings >> General. On the vCenter Server Settings central pane, click Edit. Click SNMP receivers to edit their settings. Remove any SNMP receivers that exist.

c
The version of vCenter Server for Windows running on the system must be a supported version.
SI-2 - High - CCI-002605 - V-257276 - SV-257276r919133_rule
RMF Control
SI-2
Severity
High
CCI
CCI-002605
Version
VCWN-65-000999
Vuln IDs
  • V-257276
Rule IDs
  • SV-257276r919133_rule
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install patches across the enclave and to applications that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Checks: C-60960r918866_chk

vCenter Server for Windows 6.5 is no longer supported by the vendor. If the system is running vCenter Server for Windows 6.5, this is a finding.

Fix: F-53958r798705_fix

Upgrade to a supported version.