VMware vSphere 7.0 vCenter Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].

Details

Version / Release: V1R1

Published: 2023-03-01

Updated At: 2023-05-04 00:38:44

Vuln | Rule Version | CCI | Severity | Title | Description
--- | --- | --- | --- | --- | ---
SV-256318r885565_rule | VCSA-70-000009 | CCI-000068 | HIGH | The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. Satisfies: SRG-APP-000014, SRG-APP-000645, SRG-APP-000156, SRG-APP-
SV-256319r885568_rule | VCSA-70-000023 | CCI-000044 | MEDIUM | The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
SV-256320r885571_rule | VCSA-70-000024 | CCI-000048 | MEDIUM | The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before login. | Display of the DOD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and
SV-256321r885574_rule | VCSA-70-000034 | CCI-000130 | MEDIUM | The vCenter Server must produce audit records containing information to establish what type of events occurred. | Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
SV-256322r885577_rule | VCSA-70-000057 | CCI-000381 | MEDIUM | vCenter Server plugins must be verified. | The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, web-based functionalit
SV-256323r885580_rule | VCSA-70-000059 | CCI-000764 | MEDIUM | The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the org
SV-256324r885583_rule | VCSA-70-000060 | CCI-000166 | MEDIUM | The vCenter Server must require multifactor authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g.
SV-256325r885586_rule | VCSA-70-000069 | CCI-000205 | MEDIUM | The vCenter Server passwords must be at least 15 characters in length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and bru
SV-256326r885589_rule | VCSA-70-000070 | CCI-000200 | MEDIUM | The vCenter Server must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords must be changed at specific policy-based intervals. If the inf
SV-256327r885592_rule | VCSA-70-000071 | CCI-000192 | MEDIUM | The vCenter Server passwords must contain at least one uppercase character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
SV-256328r885595_rule | VCSA-70-000072 | CCI-000193 | MEDIUM | The vCenter Server passwords must contain at least one lowercase character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
SV-256329r885598_rule | VCSA-70-000073 | CCI-000194 | MEDIUM | The vCenter Server passwords must contain at least one numeric character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
SV-256330r885601_rule | VCSA-70-000074 | CCI-001619 | MEDIUM | The vCenter Server passwords must contain at least one special character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
SV-256331r885604_rule | VCSA-70-000077 | CCI-000197 | HIGH | The vCenter Server must enable FIPS-validated cryptography. | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. In vSphere 6.7 and later, ESXi and vCenter Server use FIPS-validated cryptography to protect management
SV-256332r885607_rule | VCSA-70-000079 | CCI-000199 | MEDIUM | The vCenter Server must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords must be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit th
SV-256333r885610_rule | VCSA-70-000080 | CCI-000185 | MEDIUM | The vCenter Server must enable revocation checking for certificate-based authentication. | The system must establish the validity of the user-supplied identity certificate using Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) revocation checking. Satisfies: SRG-APP-000175, SRG-APP-000392, SRG-APP-000401, SRG-
SV-256334r885613_rule | VCSA-70-000089 | CCI-001133 | MEDIUM | The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
SV-256335r885616_rule | VCSA-70-000095 | CCI-001082 | MEDIUM | The vCenter Server users must have the correct roles assigned. | Users and service accounts must only be assigned privileges they require. Least privilege requires that these privileges must only be assigned if needed to reduce risk of confidentiality, availability, or integrity loss. Satisfies: SRG-APP-000211, SRG-AP
SV-256336r885619_rule | VCSA-70-000110 | CCI-001095 | MEDIUM | The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC). | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures sufficient capacity is available to c
SV-256337r885622_rule | VCSA-70-000123 | CCI-001683 | MEDIUM | The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. They may also try to hijack an existing account by
SV-256338r885625_rule | VCSA-70-000145 | CCI-002238 | MEDIUM | The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
SV-256339r885628_rule | VCSA-70-000148 | CCI-001851 | MEDIUM | The vCenter Server must be configured to send logs to a central log server. | vCenter must be configured to send near real-time log data to syslog collectors so information will be available to investigators in the case of a security incident or to assist in troubleshooting.
SV-256340r885631_rule | VCSA-70-000150 | CCI-000172 | MEDIUM | vCenter must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation
SV-256341r892804_rule | VCSA-70-000158 | CCI-001891 | MEDIUM | The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. S
SV-256342r885637_rule | VCSA-70-000195 | CCI-002470 | MEDIUM | The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority. | Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate
SV-256343r885640_rule | VCSA-70-000248 | CCI-000366 | MEDIUM | The vCenter Server must disable the Customer Experience Improvement Program (CEIP). | The VMware CEIP sends VMware anonymized system information that is used to improve the quality, reliability, and functionality of VMware products and services. For confidentiality purposes this feature must be disabled.
SV-256344r885643_rule | VCSA-70-000253 | CCI-001967 | MEDIUM | The vCenter server must enforce SNMPv3 security features where SNMP is required. | SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. SNMPv3 can be configured for identifica
SV-256345r885646_rule | VCSA-70-000265 | CCI-001967 | MEDIUM | The vCenter server must disable SNMPv1/2 receivers. | SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. Therefore, SNMPv1/2 receivers must be d
SV-256346r885649_rule | VCSA-70-000266 | CCI-002238 | MEDIUM | The vCenter Server must require an administrator to unlock an account locked due to excessive login failures. | By requiring that Single Sign-On (SSO) accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlock time is set to zero, once an account is locked it can o
SV-256347r885652_rule | VCSA-70-000267 | CCI-000366 | LOW | The vCenter Server must disable the distributed virtual switch health check. | Network health check is disabled by default. Once enabled, the health check packets contain information on host#, vds#, and port#, which an attacker would find useful. It is recommended that network health check be used for troubleshooting and turned off
SV-256348r885655_rule | VCSA-70-000268 | CCI-000366 | MEDIUM | The vCenter Server must set the distributed port group Forged Transmits policy to "Reject". | If the virtual machine operating system changes the Media Access Control (MAC) address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in
SV-256349r885658_rule | VCSA-70-000269 | CCI-000366 | MEDIUM | The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to "Reject". | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by
SV-256350r885661_rule | VCSA-70-000270 | CCI-000366 | MEDIUM | The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject". | When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the port group have the potential of reading all packets across that network, meaning only the virtual machines connected to that port group. Promiscuous mode is dis
SV-256351r885664_rule | VCSA-70-000271 | CCI-000366 | MEDIUM | The vCenter Server must only send NetFlow traffic to authorized collectors. | The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network, making it easier for a man-in-the-middle attack to be executed succes
SV-256352r885667_rule | VCSA-70-000272 | CCI-000366 | MEDIUM | The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN). | ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up belonging to native VLAN of the physical switch. For
SV-256353r885670_rule | VCSA-70-000273 | CCI-000366 | MEDIUM | The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized. | When a port group is set to VLAN Trunking, the vSwitch passes all network frames in the specified range to the attached virtual machines without modifying the virtual local area network (VLAN) tags. In vSphere, this is referred to as VGT. The virtual mac
SV-256354r885673_rule | VCSA-70-000274 | CCI-000366 | MEDIUM | The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches. | Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001 to 1024 and 4094, while Nexus switches typically reserve 3968
SV-256355r885676_rule | VCSA-70-000275 | CCI-000366 | MEDIUM | The vCenter Server must configure the "vpxuser" auto-password to be changed every 30 days. | By default, vCenter will change the "vpxuser" password automatically every 30 days. Ensure this setting meets site policies. If it does not, configure it to meet password aging policies. Note: It is very important the password aging policy is not shorte
SV-256356r885679_rule | VCSA-70-000276 | CCI-000366 | MEDIUM | The vCenter Server must configure the "vpxuser" password to meet length policy. | The "vpxuser" password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. Longer passwords make brute-force password attacks more difficult. The "vpxuser" password is added by vCe
SV-256357r885682_rule | VCSA-70-000277 | CCI-000366 | MEDIUM | The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery. | vCenter and the embedded Lifecycle Manager system must never have a direct route to the internet. Despite this, updates and patches sourced from VMware on the internet must be delivered in a timely manner. There are two methods to accomplish this: a prox
SV-256358r885685_rule | VCSA-70-000278 | CCI-000366 | MEDIUM | The vCenter Server must use unique service accounts when applications connect to vCenter. | To not violate nonrepudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they must use unique service accounts.
SV-256359r885688_rule | VCSA-70-000279 | CCI-000366 | MEDIUM | The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic. | Virtual machines might share virtual switches and virtual local area networks (VLAN) with the IP-based storage configurations. IP-based storage includes vSAN, Internet Small Computer System Interface (iSCSI), and Network File System (NFS). This configur
SV-256360r885691_rule | VCSA-70-000280 | CCI-001851 | MEDIUM | The vCenter server must be configured to send events to a central log server. | vCenter server generates volumes of security-relevant application-level events. Examples include logins, system reconfigurations, system degradation warnings, and more. To ensure these events are available for forensic analysis and correlation, they must
SV-256361r885694_rule | VCSA-70-000281 | CCI-000366 | MEDIUM | The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server. | The vSAN Health Check is able to download the HCL from VMware to check compliance against the underlying vSAN Cluster hosts. To ensure the vCenter server is not directly downloading content from the internet, this functionality must be disabled. If this f
SV-256362r885697_rule | VCSA-70-000282 | CCI-000366 | MEDIUM | The vCenter Server must configure the vSAN Datastore name to a unique name. | A vSAN Datastore name by default is "vsanDatastore". If more than one vSAN cluster is present in vCenter, both datastores will have the same name by default, potentially leading to confusion and manually misplaced workloads.
SV-256363r885700_rule | VCSA-70-000283 | CCI-000366 | LOW | The vCenter Server must disable Username/Password and Windows Integrated Authentication. | All forms of authentication other than Common Access Card (CAC) must be disabled. Password authentication can be temporarily reenabled for emergency access to the local Single Sign-On (SSO) accounts or Active Directory user/pass accounts, but it must be d
SV-256364r885703_rule | VCSA-70-000284 | CCI-000366 | MEDIUM | The vCenter Server must restrict access to the cryptographic role. | In vSphere, the built-in "Administrator" role contains permission to perform cryptographic operations such as Key Management Server (KMS) functions and encrypting and decrypting virtual machine disks. This role must be reserved for cryptographic administr
SV-256365r885706_rule | VCSA-70-000285 | CCI-000366 | MEDIUM | The vCenter Server must restrict access to cryptographic permissions. | These permissions must be reserved for cryptographic administrators where virtual machine encryption and/or vSAN encryption is in use. Catastrophic data loss can result from poorly administered cryptography.
SV-256366r885709_rule | VCSA-70-000286 | CCI-000366 | MEDIUM | The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets. | When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host, the potential exists for a man-in-the-middle attack in which an attacker might impersonate either side o
SV-256367r885712_rule | VCSA-70-000287 | CCI-000366 | MEDIUM | The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s). | The KEK for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the datastore. A shallow reke
SV-256368r885715_rule | VCSA-70-000288 | CCI-000366 | MEDIUM | The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source. | LDAP is an industry standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encrypted tunnel. To protect confidentiality of LDA
SV-256369r885718_rule | VCSA-70-000289 | CCI-000366 | MEDIUM | The vCenter Server must use a limited privilege account when adding a Lightweight Directory Access Protocol (LDAP) identity source. | When adding an LDAP identity source to vSphere Single Sign-On (SSO), the account used to bind to Active Directory must be minimally privileged. This account only requires read rights to the base domain name specified. Any other permissions inside or outsi
SV-256370r885721_rule | VCSA-70-000290 | CCI-000366 | MEDIUM | The vCenter Server must limit membership to the "SystemConfiguration.BashShellAdministrators" Single Sign-On (SSO) group. | vCenter SSO integrates with PAM in the underlying Photon operating system so members of the "SystemConfiguration.BashShellAdministrators" SSO group can log on to the operating system without needing a separate account. However, even though unique SSO user
SV-256371r885724_rule | VCSA-70-000291 | CCI-000366 | MEDIUM | The vCenter Server must limit membership to the "TrustedAdmins" Single Sign-On (SSO) group. | The vSphere "TrustedAdmins" group grants additional rights to administer the vSphere Trust Authority feature. To force accountability and nonrepudiation, the SSO group "TrustedAdmins" must be severely restricted.
SV-256372r885727_rule | VCSA-70-000292 | CCI-000366 | MEDIUM | The vCenter server configuration must be backed up on a regular basis. | vCenter server is the control plane for the vSphere infrastructure and all the workloads it hosts. As such, vCenter is usually a highly critical system in its own right. Backups of vCenter can now be made at a data and configuration level versus tradition
SV-256373r885730_rule | VCSA-70-000293 | CCI-000366 | MEDIUM | vCenter task and event retention must be set to at least 30 days. | vCenter tasks and events contain valuable historical actions, useful in troubleshooting availability issues and for incident forensics. While vCenter events are sent to central log servers in real time, it is important that administrators have quick acces
SV-256374r885733_rule | VCSA-70-000294 | CCI-000366 | MEDIUM | vCenter Native Key Providers must be backed up with a strong password. | The vCenter Native Key Provider feature was introduced in U2 and acts as a key provider for encryption-based capabilities, such as encrypted virtual machines without requiring an external KMS solution. When enabling this feature, a backup must be taken th