Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Verify the Windows server hosting vCenter is joined to the domain and access to the server and vCenter is done using Active Directory accounts. If the vCenter server is not joined to an Active Directory domain, this is a finding. If Active Directory-based accounts are not used for daily operations of the vCenter server, this is a finding. If Active Directory is not used in the environment, this is not applicable.
If the server hosting vCenter is not joined to the domain, follow the OS-specific procedures to join it to Active Directory. If local accounts are used for normal operations, Active Directory accounts should be created and used.
Verify the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.
To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign and enter a name for the role and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.
Verify vCenter Server is configured to a limit of three consecutive invalid logon attempts by a Single Sign-On user and Active Directory user during a 15-minute time period. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policies must be set as follows: Maximum number of failed logon attempts: 3 Time interval between failures: 900 seconds Unlock time: 0 If any of these account lockout policies are not configured in Single Sign-On and Active Directory as stated, this is a finding.
Change vCenter Server configuration to a limit of three consecutive invalid logon attempts by a Single Sign-On and Active Directory user during a 15-minute time period. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policies must be set as follows: Maximum number of failed logon attempts: 3 Time interval between failures: 900 seconds Unlock time: 0 Ensure Active Directory is configured with these account lockout settings as stated.
Verify NSX Manager does not have the default manufacturer password. Log into NSX Manager with built-in administrator account "admin" with the default manufacturer password "default". If the NSX Manager accepts the default manufacturer password, this is a finding.
Change the NSX Manager default manufacturer password. Log into NSX Manager with built-in administrator account "admin" and the default manufacturer password "default". Type "configure terminal", hit enter >> type "cli password" [enter new password], hit enter >> type "exit" >> type "exit".
Verify the application must reveal error messages only to authorized individuals. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.
To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign and enter a name for the role and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.
Verify NSX Manager backups are being sent to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select Backup and Restore >> Backup History. Confirm there are current backups and records are being backed up at a consistent interval. If backups are not being sent to a centralized location when changes occur or weekly, whichever is sooner, this is a finding.
Change NSX Manager backup configurations to send backups to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select "Backup and Restore". To specify the backup location, click "Change" next to "FTP Server Settings". Type the IP address or host name of the backup system. From the Transfer Protocol drop-down menu, select either "SFTP" or "FTP", based on what the destination supports. Edit the default port if required. Type the username and password required to log on to the backup system. In the Backup Directory field, type the absolute path where backups will be stored. Type a text string in Filename Prefix. (This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type "ppdb", the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.) Type the passphrase to secure the backup. You will need this passphrase to restore the backup. Click "OK". For an on-demand backup, click "Backup". For scheduled backups, click "Change" next to Scheduling (frequency must be when changes occur or weekly, whichever is sooner). From the Backup Frequency drop-down menu, select "Hourly", "Daily", or "Weekly". The Day of Week, Hour of Day, and Minute drop-down menus are disabled based on the selected frequency. For example, if you select "Daily", the Day of Week drop-down menu is disabled as this field is not applicable to a daily frequency. For a weekly backup, select the day of the week the data must be backed up. For a weekly or daily backup, select the hour at which the backup must begin. Select the minute to begin and click "Schedule". (Do not exclude logs and flow data from being backed up.) Click "OK."
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Minimum Length: 15. If this password policy is not configured as stated, this is a finding.
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set the Minimum Length to "15" and click "OK".
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the value of the "Restrict reuse" setting. If the "Restrict reuse" policy is not set to "5" or more, this is a finding.
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit" and enter "5" into the "Restrict reuse" setting. Click "OK".
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Upper-case Characters: At least "1" If this password complexity policy is not configured as stated, this is a finding.
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Upper-case Characters to at least "1" and click "OK".
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Lower-case Characters: At least "1" If this password complexity policy is not configured as stated, this is a finding.
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Lower-case Characters to at least "1" and click "OK".
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Numeric Characters: At least "1" If this password complexity policy is not configured as stated, this is a finding.
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Numeric Characters to at least "1" and click "OK".
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirements should be set at a minimum: Special Characters: At least "1" If this password complexity policy is not configured as stated, this is a finding.
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Set Special Characters to at least "1" and click "OK".
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the value of the "Maximum lifetime" setting. If the "Maximum lifetime" policy is not set to "60", this is a finding.
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit". Enter "60" into the "Maximum lifetime" setting and click "OK".
Verify the vSphere Web Client sessions terminate after 10 minutes of idle time, requiring the user to log on again to resume using the client. You can view the timeout value by viewing the webclient.properties file. On the system where vCenter is installed, locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client Find the session.timeout = line in the webclient.properties file. If the session timeout is not set to 10 in the webclient.properties file, this is a finding.
Change the timeout value by editing the webclient.properties file. On the system where vCenter is installed, locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client Edit the file to include the line "session.timeout = 10" where 10 is the timeout value in minutes. Uncomment the line if necessary. After editing the file, the vSphere Web Client service must be restarted.
Verify the application must reveal error messages only to authorized individuals. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.
To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign, enter a name for the role, and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.
Verify the vSphere Web Client sessions terminate after 10 minutes of idle time, requiring the user to log on again to resume using the client. View the timeout value by viewing the webclient.properties file. On the system where vCenter is installed, locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client Find the session.timeout = line in the webclient.properties file. If the session timeout is not set to 10 in the webclient.properties file, this is a finding.
Change the timeout value by editing the webclient.properties file. On the system where vCenter is installed, locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client Edit the file to include the line "session.timeout = 10" where 10 is the timeout value in minutes. Uncomment the line if necessary. After editing the file, the vSphere Web Client service must be restarted.
Verify role-based access control. The network device must enforce organization-defined role-based access control policies over defined subjects and objects. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.
To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign and enter a name for the role and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.
Verify that non-privileged users are prevented from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.
To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign, enter a name for the role, and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.
Verify vCenter Server is configured to a limit of three consecutive invalid logon attempts by a Single Sign-On user and Active Directory user during a 15-minute time period. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policies must be set as follows: Maximum number of failed login attempts: 3 Time interval between failures: 900 seconds Unlock time: 0 If any of these account lockout policies are not configured in Single Sign-On and Active Directory as stated, this is a finding.
Change vCenter Server configuration to a limit of three consecutive invalid logon attempts by a Single Sign-On and Active Directory user during a 15-minute time period. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policies must be set as follows: Maximum number of failed login attempts: 3 Time interval between failures: 900 seconds Unlock time: 0 Ensure Active Directory is configured with these account lockout settings as stated.
Verify the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real time. Log on to vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users. View each role and verify the users and/or groups assigned to it. Application service account and user required privileges must be documented. If any user or service account has more privileges than required, this is a finding.
To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign and enter a name for the role and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. Application service account and user required privileges must be documented.
Verify NSX Manager has the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Time Settings. Verify NTP Servers have the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.
Change the primary and secondary time sources on the NSX Manager to time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration. Navigate and select Manage Appliance Settings >> Time Settings >> Edit. Add NTP Servers to the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.
Verify NSX Manager has the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Time Settings. Verify NTP Servers have the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.
Change the primary and secondary time sources on the NSX Manager to time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Time Settings >> Edit. Add NTP Servers to the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.
Verify NSX Manager has the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Time Settings. Verify NTP Servers have the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.
Change the primary and secondary time sources on the NSX Manager to time sources located in different geographic regions using redundant authoritative time sources. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Time Settings >> Edit. Add NTP Servers to the correct time sources. If the NSX Manager does not have primary and secondary time sources located in different geographic regions using redundant authoritative time sources, this is a finding.
Verify NSX Manager audit records are off-loaded to a different system. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Syslog Server >> Edit. Enter name or IP of the Syslog Server, Port, and Protocol. If audit records are not configured and are not off-loaded to a different system, this is a finding. Note: TCP is the preferred protocol configuration to protect against network outages and queues logs locally until network connection is restored to a centralized server.
Change the logs in NSX Manager to send to a centralized server for use as part of the organization's security incident tracking and analysis. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Syslog Server >> Edit. Enter name or IP of the Syslog Server, Port, and Protocol.
Verify the built-in SSO administrator account is only used for emergencies and situations where it is the only option due to permissions. If the built-in SSO administrator account is used for daily operations or there is no policy restricting its use, this is a finding.
Develop a policy to limit the use of the built-in SSO administrator account.
Verify NSX Manager backups are being sent to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select Backup and Restore >> Backup History. Confirm there are current backups and information is being backed up at a consistent interval. If backups are not being sent to a centralized location when changes occur or weekly, whichever is sooner, this is a finding.
Change NSX Manager backup configurations to send backups to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select "Backup and Restore". To specify the backup location, click "Change" next to FTP Server Settings. Type the IP address or host name of the backup system. From the Transfer Protocol drop-down menu, select either "SFTP" or "FTP", based on what the destination supports. Edit the default port if required. Type the username and password required to log on to the backup system. In the Backup Directory field, type the absolute path where backups will be stored. Type a text string in Filename Prefix. (This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type "ppdb", the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.) Type the passphrase to secure the backup. (You will need this passphrase to restore the backup.) Click "OK". For an on-demand backup, click "Backup". For scheduled backups, click "Change" next to "Scheduling" (frequency must be when changes occur or weekly, whichever is sooner). From the "Backup Frequency" drop-down menu, select "Hourly", "Daily", or "Weekly". The Day of Week, Hour of Day, and Minute drop-down menus are disabled based on the selected frequency. For example, if you select Daily, the Day of Week drop-down menu is disabled as this field is not applicable to a daily frequency. For a weekly backup, select the day of the week the data must be backed up. For a weekly or daily backup, select the hour at which the backup must begin. Select the minute to begin and click "Schedule". (Do not exclude logs and flow data from being backed up.) Click "OK".
Verify NSX Manager backups are being sent to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select Backup and Restore >> Backup History. Confirm there are current backups and information is being backed up at a consistent interval. If backups are not being sent to a centralized location when changes occur or weekly, whichever is sooner, this is a finding.
Change NSX Manager backup configurations to send backups to a centralized location and when changes occur or weekly, whichever is sooner. Log on to NSX Manager with credentials authorized for administration, navigate and select Backup and Restore. To specify the backup location, click "Change" next to FTP Server Settings. Type the IP address or host name of the backup system. From the Transfer Protocol drop-down menu, select either "SFTP" or "FTP", based on what the destination supports. Edit the default port if required. Type the username and password required to log on to the backup system. In the Backup Directory field, type the absolute path where backups will be stored. Type a text string in Filename Prefix. (This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type "ppdb", the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.) Type the passphrase to secure the backup. (You will need this passphrase to restore the backup.) Click "OK". For an on-demand backup, click "Backup". For scheduled backups, click "Change" next to Scheduling (Frequency must be when changes occur or weekly, whichever is sooner). From the Backup Frequency drop-down menu, select "Hourly", "Daily", or "Weekly". The Day of Week, Hour of Day, and Minute drop-down menus are disabled based on the selected frequency. For example, if you select Daily, the Day of Week drop-down menu is disabled as this field is not applicable to a daily frequency. For a weekly backup, select the day of the week the data must be backed up. For a weekly or daily backup, select the hour at which the backup must begin. Select the minute to begin and click "Schedule". (Do not exclude logs and flow data from being backed up.) Click "OK".
Verify NSX Manager logs are sent to a centralized server and can be used as part of the organization's security incident tracking and analysis. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Syslog Server >> Edit. Enter name or IP of the Syslog Server, Port, and Protocol. If logs are not sent to a centralized server, this is a finding. Note: TCP is the preferred protocol configuration to protect against network outages and queues logs locally until network connection is restored to a centralized server.
Change the logs in NSX Manager to send to a centralized server for use as part of the organization's security incident tracking and analysis. Login to the NSX Manager Web Interface, using credentials authorized for administration. Navigate from the Home screen >> "Manage Appliance Settings" >> Settings >> General >> Syslog Server Verify a syslog server has been configured with the correct address, port, and protocol. Login to the vCenter with the appropriate credentials for the Network and Security Platform >> Select "Hosts and Clusters" from the inventories panel >> Expand the entire drop-down section on the left panel >> Select a host as indicated by the ESX host icon >> Navigate to the "Manage" section on the newly updated right panel >> Select "Settings" >> "System" >> "Advanced System Settings" >> In the search field within "Advanced System Settings" enter "Syslog.global.logHost" and press enter >> Select the "Syslog.global.logHost" >> Click the pencil icon >> Insert the desired syslog aggregator or SIEM that exists in the customer environment.
Verify a public key certificate is obtained from an appropriate certificate policy through an approved service provider is used on the vCenter Server. Launch browser and go to the vSphere Web Client URL https://client-hostname/vsphere-client and verify the CA certificate is signed by an approved service provider. If a public key certificate from an appropriate certificate policy through an approved service provider is not used, this is a finding.
Configure the vCenter Server to obtain its public key certificates in offline mode from an appropriate certificate policy through an approved service provider. Replace default certificates with certificate authority signed SSL certificates in vSphere 6.0 with KB 2111219.
Verify the Windows server hosting vCenter is joined to the domain and configured for Single Sign-On Identity Source of the Active Directory domain. Access to vCenter must be is done using Active Directory/CAC/PIV certificate accounts. CAC/PIV certificate must be mapped to a privileged Active Directory account and the Windows platform client running the web browser must be CAC/PIV-enabled and must not have external network access. If the vCenter server is not joined to an Active Directory domain and not configured for Single Sign-On Identity Source of the Active Directory domain, and Active Directory/CAC/PIV certificate-based accounts are not used for daily operations of the vCenter server, this is a finding.
If local accounts are used for normal operations, Active Directory user accounts/groups must be created and then associated appropriately for normal operations. To create a new role with specific permissions, associate the newly created role to an Active Directory group, and associate that group to an NSX Role, do the following: Log on to vSphere Web Client with credentials authorized for administration, navigate and select Administration >> Access Control >> Roles >> Click the green plus sign, enter a name for the role, and select only the specific permissions required. Groups can then be assigned to the newly created role. To associate the newly created role to an Active Directory Group, navigate and select Administration >> Access Control >> Global Permissions >> Click the green plus sign >> Click Add under Users and Groups >> Select the appropriate Group and assign the appropriate role. Navigate and select Networking and Security >> NSX Managers >> NSX Manager in the Name column >> Manage tab >> Users >> Click the green plus sign >> Choose Specify a vCenter group, enter FQDN of group name, click Next >> Select the appropriate NSX Role and click Finish. All local windows accounts must be removed from the vCenter and Windows server. Application service account and user required privileges must be documented.