VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2019-05-22

Updated At: 2019-07-06 12:02:18

Vuln | Rule Version | CCI | Severity | Title | Description
SV-104545r1_rule | VCWN-65-000001 | CCI-000200 | MEDIUM | The vCenter Server for Windows must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the
SV-104547r1_rule | VCWN-65-000002 | CCI-001133 | MEDIUM | The vCenter Server for Windows must not automatically refresh client sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
SV-104551r1_rule | VCWN-65-000003 | CCI-000199 | MEDIUM | The vCenter Server for Windows must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit
SV-104553r1_rule | VCWN-65-000004 | CCI-001133 | MEDIUM | The vCenter Server for Windows must terminate management sessions after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
SV-104555r1_rule | VCWN-65-000005 | CCI-001082 | MEDIUM | The vCenter Server for Windows users must have the correct roles assigned. | Users and service accounts must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.
SV-104557r1_rule | VCWN-65-000007 | CCI-000366 | MEDIUM | The vCenter Server for Windows must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC). | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available
SV-104559r1_rule | VCWN-65-000008 | CCI-000139 | LOW | The vCenter Server for Windows must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events. | It is critical for the appropriate personnel to be aware if an ESXi host is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system oper
SV-104561r1_rule | VCWN-65-000009 | CCI-000770 | MEDIUM | The vCenter Server for Windows must use Active Directory authentication. | The vCenter Server for Windows must ensure users are authenticated with an individual authenticator prior to using a group authenticator. Using Active Directory for authentication provides more robust account management capabilities.
SV-104563r1_rule | VCWN-65-000010 | CCI-000770 | MEDIUM | The vCenter Server for Windows must limit the use of the built-in SSO administrative account. | Use of the SSO administrator account should be limited as it is a shared account and individual accounts must be used wherever possible.
SV-104565r1_rule | VCWN-65-000012 | CCI-000366 | LOW | The vCenter Server for Windows must disable the distributed virtual switch health check. | Network Healthcheck is disabled by default. Once enabled, the healthcheck packets contain information on host#, vds#, port#, which an attacker would find useful. It is recommended that network healthcheck be used for troubleshooting, and turned off when t
SV-104567r1_rule | VCWN-65-000013 | CCI-000366 | MEDIUM | The vCenter Server for Windows must set the distributed port group Forged Transmits policy to reject. | If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonat
SV-104569r1_rule | VCWN-65-000014 | CCI-000366 | HIGH | The vCenter Server for Windows must set the distributed port group MAC Address Change policy to reject. | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by
SV-104571r1_rule | VCWN-65-000015 | CCI-000366 | MEDIUM | The vCenter Server for Windows must set the distributed port group Promiscuous Mode policy to reject. | When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the Portgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that Portgroup. Promiscuous mode is disable
SV-104573r1_rule | VCWN-65-000016 | CCI-000366 | MEDIUM | The vCenter Server for Windows must only send NetFlow traffic to authorized collectors. | The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network, making it easier for a MitM attack to be executed successfully. If Net
SV-104575r1_rule | VCWN-65-000017 | CCI-000366 | LOW | The vCenter Server for Windows must not override port group settings at the port level on distributed switches. | Port-level configuration overrides are disabled by default. Once enabled, this allows for different security settings to be set from what is established at the Port-Group level. There are cases where particular VMs require unique configurations, but this
SV-104577r1_rule | VCWN-65-000018 | CCI-000366 | MEDIUM | The vCenter Server for Windows must configure all port groups to a value other than that of the native VLAN. | ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up as belonging to the native VLAN of the physical switch. F
SV-104579r1_rule | VCWN-65-000019 | CCI-000366 | MEDIUM | The vCenter Server for Windows must configure all port groups to VLAN 4095 unless Virtual Guest Tagging (VGT) is required. | When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal with them. VLAN 4095 should be used only if the guest h
SV-104581r1_rule | VCWN-65-000020 | CCI-000366 | MEDIUM | The vCenter Server for Windows must not configure all port groups to VLAN values reserved by upstream physical switches. | Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001–1024 and 4094, while Nexus switches typically reserve 3968
SV-104583r1_rule | VCWN-65-000021 | CCI-000366 | MEDIUM | The vCenter Server for Windows must enable SSL for Network File Copy (NFC). | NFC is the mechanism used to migrate or clone a VM between two ESXi hosts over the network. By default, NFC over SSL is enabled (i.e., "True") within a vSphere cluster but the value of the setting is null. Clients check the value of the setting and defaul
SV-104585r1_rule | VCWN-65-000022 | CCI-000366 | MEDIUM | The vCenter Server for Windows services must be run using a service account instead of a built-in Windows account. | You can use the Microsoft Windows built-in system account or a domain user account to run vCenter Server. The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system requires, which can contr
SV-104587r1_rule | VCWN-65-000023 | CCI-000366 | MEDIUM | The vCenter Server for Windows must configure the vpxuser auto-password to be changed every 30 days. | By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets your policies; if not, configure to meet password aging policies. Note: It is very important the password aging policy not be shorter than
SV-104589r1_rule | VCWN-65-000024 | CCI-000366 | MEDIUM | The vCenter Server for Windows must configure the vpxuser password to meet the length policy. | The vpxuser password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. Longer passwords make brute-force password attacks more difficult. The vpxuser password is added by vCenter,
SV-104591r1_rule | VCWN-65-000025 | CCI-000366 | LOW | The vCenter Server for Windows must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects. | The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and might potentially be used to
SV-104593r1_rule | VCWN-65-000027 | CCI-000366 | HIGH | The vCenter Server for Windows must minimize access to the vCenter server. | After someone has logged in to the vCenter Server system, it becomes more difficult to prevent what they can do. In general, logging in to the vCenter Server system should be limited to very privileged administrators, and then only for the purpose of admi
SV-104595r1_rule | VCWN-65-000028 | CCI-000366 | MEDIUM | The vCenter Server for Windows Administrators must clean up log files after failed installations. | In certain cases, if the vCenter installation fails, a log file (with a name of the form "hs_err_pidXXXX") is created that contains the database password in plain text. An attacker who breaks into the vCenter Server could potentially steal this passwo
SV-104597r1_rule | VCWN-65-000029 | CCI-000366 | MEDIUM | The vCenter Server for Windows must enable all tasks to be shown to Administrators in the Web Client. | By default, not all tasks are shown in the web client to administrators, and only that user's tasks will be shown. Enabling all tasks to be shown will allow the administrator to potentially see any malicious activity they may miss with the view disabled.
SV-104599r1_rule | VCWN-65-000030 | CCI-000366 | MEDIUM | The vCenter Server for Windows Administrator role must be secured and assigned to specific users other than a Windows Administrator. | By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those admini
SV-104601r1_rule | VCWN-65-000031 | CCI-000366 | LOW | The vCenter Server for Windows must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server. | The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server. F
SV-104603r1_rule | VCWN-65-000032 | CCI-000366 | MEDIUM | The vCenter Server for Windows must use a least-privileges assignment for the Update Manager database user. | Least privileges mitigate attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges
SV-104605r1_rule | VCWN-65-000033 | CCI-000366 | MEDIUM | The vCenter Server for Windows must use a least-privileges assignment for the vCenter Server database user. | Least privileges mitigate attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These
SV-104607r1_rule | VCWN-65-000034 | CCI-000366 | MEDIUM | The vCenter Server for Windows must use unique service accounts when applications connect to vCenter. | In order to not violate non-repudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they should use unique service accounts.
SV-104609r1_rule | VCWN-65-000035 | CCI-000366 | MEDIUM | vCenter Server for Windows plugins must be verified. | The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionalit
SV-104611r1_rule | VCWN-65-000036 | CCI-002702 | LOW | The vCenter Server for Windows must produce audit records containing information to establish what type of events occurred. | Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
SV-104613r1_rule | VCWN-65-000039 | CCI-000205 | MEDIUM | The vCenter Server for Windows passwords must be at least 15 characters in length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and bru
SV-104615r1_rule | VCWN-65-000040 | CCI-000192 | MEDIUM | The vCenter Server for Windows passwords must contain at least one uppercase character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques.
SV-104617r1_rule | VCWN-65-000041 | CCI-000193 | MEDIUM | The vCenter Server for Windows passwords must contain at least one lowercase character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques.
SV-104619r1_rule | VCWN-65-000042 | CCI-000194 | MEDIUM | The vCenter Server for Windows passwords must contain at least one numeric character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques.
SV-104621r1_rule | VCWN-65-000043 | CCI-001619 | MEDIUM | The vCenter Server for Windows passwords must contain at least one special character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques.
SV-104623r1_rule | VCWN-65-000045 | CCI-002238 | MEDIUM | The vCenter Server for Windows must limit the maximum number of failed login attempts to three. | By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
SV-104625r1_rule | VCWN-65-000046 | CCI-002238 | MEDIUM | The vCenter Server for Windows must set the interval for counting failed login attempts to at least 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
SV-104627r1_rule | VCWN-65-000047 | CCI-002238 | MEDIUM | The vCenter Server for Windows must require an administrator to unlock an account locked due to excessive login failures. | By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
SV-104629r1_rule | VCWN-65-000048 | CCI-001294 | MEDIUM | The vCenter Server for Windows must alert administrators on permission creation operations. | If personnel are not notified of permission events, they will not be aware of possible unsecure situations.
SV-104631r1_rule | VCWN-65-000049 | CCI-001294 | MEDIUM | The vCenter Server for Windows must alert administrators on permission deletion operations. | If personnel are not notified of permission events, they will not be aware of possible unsecure situations.
SV-104633r1_rule | VCWN-65-000050 | CCI-001294 | MEDIUM | The vCenter Server for Windows must alert administrators on permission update operations. | If personnel are not notified of permission events, they will not be aware of possible unsecure situations.
SV-104635r1_rule | VCWN-65-000051 | CCI-001084 | MEDIUM | The vCenter Server for Windows users must have the correct roles assigned. | Users and service accounts must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.
SV-104637r1_rule | VCWN-65-000052 | CCI-000366 | MEDIUM | The vCenter Server for Windows must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic. | Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes vSAN, iSCSI, and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based stor
SV-104639r1_rule | VCWN-65-000053 | CCI-000366 | MEDIUM | The vCenter Server for Windows must enable the vSAN Health Check. | The vSAN Health Check is used for additional alerting capabilities, performance stress testing prior to production usage, and verifying that the underlying hardware is officially supported by being in compliance with the vSAN Hardware Compatibility Guide
SV-104641r1_rule | VCWN-65-000054 | CCI-000366 | MEDIUM | The vCenter Server for Windows must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server. | The vSAN Health Check is able to download the hardware compatibility list from VMware in order to check compliance against the underlying vSAN Cluster hosts. To ensure the vCenter server is not directly downloading content from the internet this functiona
SV-104643r1_rule | VCWN-65-000055 | CCI-000366 | MEDIUM | The vCenter Server for Windows must configure the vSAN Datastore name to a unique name. | A vSAN Datastore name by default is "vsanDatastore". If more than one vSAN cluster is present in vCenter, both datastores will have the same name by default, potentially leading to confusion and manually misplaced workloads.
SV-104645r1_rule | VCWN-65-000056 | CCI-000366 | MEDIUM | The vCenter Server for Windows users must have the correct roles assigned. | Users and service accounts must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.
SV-104647r1_rule | VCWN-65-000057 | CCI-000366 | MEDIUM | The vCenter Server for Windows must enable TLS 1.2 exclusively. | TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 should be enabled on all interfaces and TLS 1.1 and 1.0 disabled where supported. Mandating TLS 1.2 may break third party integrations and add-ons to v
SV-104649r1_rule | VCWN-65-000058 | CCI-000366 | MEDIUM | The vCenter Server for Windows reverse proxy must use DoD approved certificates. | The default self-signed, VMCA issued vCenter reverse proxy certificate must be replaced with a DoD approved certificate. The use of a DoD certificate on the vCenter reverse proxy assures clients that the service they are connecting to is legitimate and pr
SV-104651r1_rule | VCWN-65-000059 | CCI-000366 | MEDIUM | The vCenter Server for Windows must enable certificate based authentication. | The vCenter 6.5 Web Client portal is capable of CAC authentication. This capability must be enabled and properly configured.
SV-104653r1_rule | VCWN-65-000060 | CCI-000366 | MEDIUM | The vCenter Server for Windows must enable revocation checking for certificate based authentication. | The system must establish the validity of the user supplied identity certificate using OCSP and/or CRL revocation checking.
SV-104655r1_rule | VCWN-65-000061 | CCI-000366 | LOW | The vCenter Server for Windows must disable Password and Windows integrated authentication. | All forms of authentication other than CAC must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts, but it must be disabled as soon as CAC authentication is functional.
SV-104657r1_rule | VCWN-65-000062 | CCI-000366 | LOW | The vCenter Server for Windows must enable the login banner for the vSphere web client. | The required legal notice must be configured for the vCenter web client.
SV-104659r1_rule | VCWN-65-000063 | CCI-000366 | MEDIUM | The vCenter Server for Windows must restrict access to the cryptographic role. | vSphere 6.5 modifies the built-in "Administrator" role to add permission to perform cryptographic operations such as KMS operations and encrypting and decrypting virtual machine disks. This role must be reserved for cryptographic administrators where VM
SV-104661r1_rule | VCWN-65-000064 | CCI-000366 | MEDIUM | The vCenter Server for Windows must restrict access to cryptographic permissions. | These permissions must be reserved for cryptographic administrators where VM encryption and/or vSAN encryption is in use. Catastrophic data loss can result from poorly administered cryptography.
SV-104663r1_rule | VCWN-65-000065 | CCI-000366 | LOW | The vCenter Server for Windows must have Mutual CHAP configured for vSAN iSCSI targets. | When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MitM attack when not authenticating both the iSCSI target and host, in which an attacker might impersonate either side of the connectio
SV-104665r1_rule | VCWN-65-000066 | CCI-000366 | LOW | The vCenter Server for Windows must have new Key Encryption Keys (KEKs) re-issued at regular intervals for vSAN encrypted datastore(s). | The Key Encryption Key (KEK) for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the data
SV-104667r1_rule | VCWN-65-000067 | CCI-000366 | LOW | The vCenter Server for Windows must disable the Customer Experience Improvement Program (CEIP). | The VMware Customer Experience Improvement Program (CEIP) sends VMware anonymized system information that is used to improve the quality, reliability, and functionality of VMware products and services. For confidentiality purposes this feature must be dis
SV-104669r1_rule | VCWN-65-000068 | CCI-000366 | MEDIUM | The vCenter Server for Windows must use LDAPS when adding an SSO identity source. | LDAP (Lightweight Directory Access Protocol) is an industry standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over an SSL/TLS encrypted tunnel. To protect confidentiality of LDAP communi
SV-104671r1_rule | VCWN-65-000069 | CCI-000366 | MEDIUM | The vCenter Server for Windows must use a limited privilege account when adding an LDAP identity source. | When adding an LDAP identity source to vSphere SSO, the account used to bind to AD must be minimally privileged. This account only requires read rights to the base DN specified. Any other permissions inside or outside of that OU are unnecessary and violate
SV-104675r1_rule | VCWN-65-000026 | CCI-000366 | MEDIUM | The vCenter Server for Windows must check the privilege re-assignment after restarts. | Check for privilege reassignment when you restart vCenter Server. If the user or user group that is assigned the Administrator role on the root folder cannot be verified as a valid user or group during a restart, the role is removed from that user or grou
SV-104683r1_rule | VCWN-65-006000 | CCI-001967 | MEDIUM | The vCenter Server for Windows must disable SNMPv1. | SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy, while previous versions of the protocol contained well-known security weaknesses that were easily exploited. SNMPv3 can be configured for ident