VMware vSphere vCenter Server Version 6 V1R2

b

The system must prohibit password reuse for a minimum of five generations.

IA-5 - Medium - CCI-000200 - V-63149 - SV-77639r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000200

Version

VCWN-06-000001

Vuln IDs

V-63149

Rule IDs

SV-77639r1_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Checks: C-63901r2_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the value of the "Restrict reuse" setting. If the "Restrict reuse" policy is not set to 5 or more, this is a finding.

Fix: F-69067r2_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit" and enter "5" into the "Restrict reuse" setting and click "OK".

b

The system must not automatically refresh client sessions.

SC-10 - Medium - CCI-001133 - V-63943 - SV-78433r1_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

VCWN-06-000002

Vuln IDs

V-63943

Rule IDs

SV-78433r1_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Automatic client session refreshes keep unused sessions online, blocking session timeouts.

Checks: C-64689r1_chk

On the system where vCenter is installed locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client Appliance: /etc/vmware/vsphere-client/ Find the refresh.rate = line in the webclient.properties file. If the refresh rate is not set to -1 in the webclient.properties file, this is a finding.

Fix: F-69871r1_fix

You can change the refresh rate value by editing the webclient.properties file. On the system where vCenter is installed locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client Appliance: /etc/vmware/vsphere-client/ Edit the file to include the line "refresh.rate = -1" where -1 indicates sessions are not automatically refreshed. Uncomment the line if necessary. After editing the file the vSphere Web Client service must be restarted.

b

The system must enforce a 60-day maximum password lifetime restriction.

IA-5 - Medium - CCI-000199 - V-63945 - SV-78435r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000199

Version

VCWN-06-000003

Vuln IDs

V-63945

Rule IDs

SV-78435r1_rule

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. This requirement does not include emergency administration accounts which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.

Checks: C-64695r1_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the value of the "Maximum lifetime" setting. If the "Maximum lifetime" policy is not set to 60, this is a finding.

Fix: F-69873r3_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click "Edit" and enter "60" into the "Maximum lifetime" setting and click "OK".

b

The system must terminate management sessions after 10 minutes of inactivity.

SC-10 - Medium - CCI-001133 - V-63947 - SV-78437r1_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

VCWN-06-000004

Vuln IDs

V-63947

Rule IDs

SV-78437r1_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. This does not mean that the application terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Checks: C-64697r1_chk

By default, vSphere Web Client sessions terminate after 120 minutes of idle time, requiring the user to log in again to resume using the client. You can view the timeout value by viewing the webclient.properties file. On the system where vCenter is installed locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client Appliance: /etc/vmware/vsphere-client/ Find the session.timeout = line in the webclient.properties file. If the session timeout is not set to 10 in the webclient.properties file, this is a finding.

Fix: F-69875r1_fix

You can change the timeout value by editing the webclient.properties file. On the system where vCenter is installed locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client Appliance: /etc/vmware/vsphere-client/ Edit the file to include the line "session.timeout = 10" where 10 is the timeout value in minutes. Uncomment the line if necessary. After editing the file the vSphere Web Client service must be restarted.

b

The vCenter Server users must have the correct roles assigned.

SC-2 - Medium - CCI-001082 - V-63949 - SV-78439r1_rule

RMF Control

SC-2

Severity

M

CCI

CCI-001082

Version

VCWN-06-000005

Vuln IDs

V-63949

Rule IDs

SV-78439r1_rule

Users and service accounts must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.

Checks: C-64699r1_chk

From the vSphere Web Client go to Administration >> Access Control >> Roles. View each role and verify the users and/or groups assigned to it. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto Application service account and user required privileges should be documented. If any user or service account has more privileges than required, this is a finding.

Fix: F-69877r1_fix

To create a new role with specific permissions do the following: From the vSphere Web Client go to Administration >> Access Control >> Roles. Click the green plus sign and enter a name for the role and select only the specific permissions required. Users can then be assigned to the newly created role.

b

The system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC).

CM-6 - Medium - CCI-000366 - V-63951 - SV-78441r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000007

Vuln IDs

V-63951

Rule IDs

SV-78441r1_rule

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.

Checks: C-64701r1_chk

From the vSphere Web Client go to Networking >> Select a distributed switch >> Manage >> Settings >> Properties. View the Properties pane and verify Network I/O Control is enabled. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDSwitch | select Name,@{N="NIOC Enabled";E={$_.ExtensionData.config.NetworkResourceManagementEnabled}} If Network I/O Control is disabled, this is a finding.

Fix: F-69879r2_fix

From the vSphere Web Client go to Networking >> Select a distributed switch >> Manage >> Settings >> Properties. In the Properties pane click "Edit" and change Network I/O Control to enabled. or From a PowerCLI command prompt while connected to the vCenter server run the following command: (Get-VDSwitch "DVSwitch Name" | Get-View).EnableNetworkResourceManagement($true)

a

The system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.

AU-5 - Low - CCI-000139 - V-63953 - SV-78443r1_rule

RMF Control

AU-5

Severity

L

CCI

CCI-000139

Version

VCWN-06-000008

Vuln IDs

V-63953

Rule IDs

SV-78443r1_rule

It is critical for the appropriate personnel to be aware if an ESXi host is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. To ensure the appropriate personnel are alerted if an audit failure occurs a vCenter alarm can be created to trigger when an ESXi host can no longer reach its syslog server.

Checks: C-64703r1_chk

From the vSphere Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions. Verify there is an alarm created to alert if an ESXi host can no longer reach its syslog server. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "esx.problem.vmsyslogd.remote.failure"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert when syslog failures occur, this is a finding.

Fix: F-69881r1_fix

From the vSphere Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions >> Right click in the empty space and select New Alarm. On the General tab provide an alarm name and description, Select Hosts for alarm type and "Monitor for specific events occurring on this object", check "Enable this alarm". On the Triggers tab click Add and in the event column enter "esx.problem.vmsyslogd.remote.failure" and click OK. Note - This alarm will only trigger if syslog is configured for TCP or SSL connections and not UDP.

b

The system must use Active Directory authentication.

IA-2 - Medium - CCI-000770 - V-63955 - SV-78445r1_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000770

Version

VCWN-06-000009

Vuln IDs

V-63955

Rule IDs

SV-78445r1_rule

The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator. Using Active Directory for authentication provides more robust account management capabilities.

Checks: C-64705r1_chk

Verify the Windows server hosting vCenter is joined to the domain and access to the server and to vCenter is done using Active Directory accounts. If the vCenter server is not joined to an Active Directory domain, this is a finding. If Active Directory based accounts are not used for daily operations of the vCenter server, this is a finding. If Active Directory is not used in the environment, this is not applicable.

Fix: F-69883r1_fix

If the server hosting vCenter is not joined to the domain follow the OS specific procedures to join it to Active Directory. If local accounts are used for normal operations then Active Directory accounts should be created and used.

b

The system must limit the use of the built-in SSO administrative account.

IA-2 - Medium - CCI-000770 - V-63959 - SV-78449r1_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000770

Version

VCWN-06-000010

Vuln IDs

V-63959

Rule IDs

SV-78449r1_rule

Use of the SSO administrator account should be limited as it is a shared account and individual accounts must be used wherever possible.

Checks: C-64711r1_chk

Verify the built-in SSO administrator account is only used for emergencies and situations where it is the only option due to permissions. If the built-in SSO administrator account is used for daily operations or there is no policy restricting its use, this is a finding.

Fix: F-69889r1_fix

A policy should be developed to limit the use of the built-in SSO administrator account.

a

The system must disable the distributed virtual switch health check.

CM-6 - Low - CCI-000366 - V-63961 - SV-78451r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VCWN-06-000012

Vuln IDs

V-63961

Rule IDs

SV-78451r1_rule

Network Healthcheck is disabled by default. Once enabled, the healthcheck packets contain information on host#, vds#, port#, which an attacker would find useful. It is recommended that network healthcheck be used for troubleshooting, and turned off when troubleshooting is finished.

Checks: C-64713r1_chk

From the vSphere Web Client go to Networking >> Select a distributed switch >> Manage >> Settings >> Health Check. View the health check pane and verify both checks are disabled. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: $vds = Get-VDSwitch $vds.ExtensionData.Config.HealthCheckConfig If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding.

Fix: F-69891r1_fix

From the vSphere Web Client go to Networking >> Select a distributed switch >> Manage >> Settings >> Health Check. Click the edit button and disable both health checks. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}

b

The distributed port group Forged Transmits policy must be set to reject.

CM-6 - Medium - CCI-000366 - V-63963 - SV-78453r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000013

Vuln IDs

V-63963

Rule IDs

SV-78453r2_rule

If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. When the Forged transmits option is set to Accept, ESXi does not compare source and effective MAC addresses. To protect against MAC impersonation, you can set the Forged transmits option to Reject. If you do, the host compares the source MAC address being transmitted by the guest operating system with the effective MAC address for its virtual machine adapter to see if they match. If the addresses do not match, the ESXi host drops the packet.

Checks: C-64715r3_chk

From the vSphere Client go to Home >> Networking. Select a distributed port group and click edit and go to security and verify "Forged Transmits" is set to reject. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy If the "Forged Transmits" policy is set to accept for a non-uplink port, this is a finding.

Fix: F-69893r3_fix

From the vSphere Client go to Home >> Networking. Select a distributed port group and click edit and go to security and set "Forged Transmits" to reject. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false

c

The system must ensure the distributed port group MAC Address Change policy is set to reject.

CM-6 - High - CCI-000366 - V-63965 - SV-78455r1_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

VCWN-06-000014

Vuln IDs

V-63965

Rule IDs

SV-78455r1_rule

If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing.

Checks: C-64717r1_chk

From the vSphere Client go to Home >> Networking. Select a distributed port group and click edit and go to security and verify "MAC Address Changes" is set to reject. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy Get-VDPortgroup | Get-VDSecurityPolicy If the "MAC Address Changes" policy is set to accept, this is a finding.

Fix: F-69895r1_fix

From the vSphere Client go to Home >> Networking. Select a distributed port group and click edit and go to security and set "MAC Address Changes" to reject. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false Get-VDPortgroup | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false

b

The system must ensure the distributed port group Promiscuous Mode policy is set to reject.

CM-6 - Medium - CCI-000366 - V-63967 - SV-78457r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000015

Vuln IDs

V-63967

Rule IDs

SV-78457r1_rule

When promiscuous mode is enabled for a virtual switch all virtual machines connected to the Portgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that Portgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting.

Checks: C-64719r1_chk

From the vSphere Client go to Home >> Networking. Select a distributed port group and click edit and go to security and verify "Promiscuous Mode" is set to reject. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy Get-VDPortgroup | Get-VDSecurityPolicy If the "Promiscuous Mode" policy is set to accept, this is a finding.

Fix: F-69897r1_fix

From the vSphere Client go to Home >> Networking. Select a distributed port group and click edit and go to security and set "Promiscuous Mode" to reject. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false Get-VDPortgroup | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false

b

The system must only send NetFlow traffic to authorized collectors.

CM-6 - Medium - CCI-000366 - V-63969 - SV-78459r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000016

Vuln IDs

V-63969

Rule IDs

SV-78459r1_rule

The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network making it easier for a MITM attack to be executed successfully. If NetFlow export is required, verify that all NetFlow target IP's are correct.

Checks: C-64721r1_chk

To view NetFlow Collector IPs configured on distributed switches From the vSphere Web Client go to Networking >> Select a distributed switch >> Manage >> Settings >> NetFlow. View the NetFlow pane and verify any collector IP addresses are valid and in use for troubleshooting. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDSwitch | select Name,@{N="NetFlowCollectorIPs";E={$_.ExtensionData.config.IpfixConfig.CollectorIpAddress}} To view if NetFlow is enabled on any distributed port groups From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and view the NetFlow status. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup | Select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}} If NetFlow is configured and the collector IP is not known and is not enabled temporarily for troubleshooting purposes, this is a finding.

Fix: F-69899r1_fix

To remove collector IPs do the following: From the vSphere Web Client go to Networking >> Select a distributed switch >> Manage >> Settings >> NetFlow. View the NetFlow pane and click edit and remove any unknown collector IPs. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: $dvs = Get-VDSwitch dvswitch | Get-View ForEach($vs in $dvs){ $spec = New-Object VMware.Vim.VMwareDVSConfigSpec $spec.configversion = $vs.Config.ConfigVersion $spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig $spec.IpfixConfig.CollectorIpAddress = "" $spec.IpfixConfig.CollectorPort = "0" $spec.IpfixConfig.ActiveFlowTimeout = "60" $spec.IpfixConfig.IdleFlowTimeout = "15" $spec.IpfixConfig.SamplingRate = "0" $spec.IpfixConfig.InternalFlowsOnly = $False $vs.ReconfigureDvs_Task($spec) } Note: This will reset the NetFlow collector configuration back to the defaults. To disable NetFlow on a distributed port group do the following: From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and change NetFlow to disabled. or From a PowerCLI command prompt while connected to the vCenter server run the following commands: $pgs = Get-VDPortgroup | Get-View ForEach($pg in $pgs){ $spec = New-Object VMware.Vim.DVPortgroupConfigSpec $spec.configversion = $pg.Config.ConfigVersion $spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting $spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy $spec.defaultPortConfig.ipfixEnabled.inherited = $false $spec.defaultPortConfig.ipfixEnabled.value = $false $pg.ReconfigureDVPortgroup_Task($spec) }

a

The system must not override port group settings at the port level on distributed switches.

CM-6 - Low - CCI-000366 - V-63971 - SV-78461r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VCWN-06-000017

Vuln IDs

V-63971

Rule IDs

SV-78461r1_rule

Port-level configuration overrides are disabled by default. Once enabled, this allows for different security settings to be set from what is established at the Port-Group level. There are cases where particular VMs require unique configurations, but this should be monitored so it is only used when authorized. If overrides are not monitored, anyone who gains access to a VM with a less secure VDS configuration could surreptitiously exploit that broader access.

Checks: C-64723r1_chk

From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Properties. View the Properties pane and verify all Override port policies are set to disabled. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup | Get-View | Select Name, @{N="VlanOverrideAllowed";E={$_.Config.Policy.VlanOverrideAllowed}}, @{N="UplinkTeamingOverrideAllowed";E={$_.Config.Policy.UplinkTeamingOverrideAllowed}}, @{N="SecurityPolicyOverrideAllowed";E={$_.Config.Policy.SecurityPolicyOverrideAllowed}}, @{N="IpfixOverrideAllowed";E={$_.Config.Policy.IpfixOverrideAllowed}}, @{N="BlockOverrideAllowed";E={$_.Config.Policy.BlockOverrideAllowed}}, @{N="ShapingOverrideAllowed";E={$_.Config.Policy.ShapingOverrideAllowed}}, @{N="VendorConfigOverrideAllowed";E={$_.Config.Policy.VendorConfigOverrideAllowed}}, @{N="TrafficFilterOverrideAllowed";E={$_.Config.Policy.TrafficFilterOverrideAllowed}}, @{N="PortConfigResetAtDisconnect";E={$_.Config.Policy.PortConfigResetAtDisconnect}} | Sort Name Note: This was broken up into multiple lines for readability. Either paste as is into a PowerShell script or combine into one line and run. This does not apply to the reset port configuration on disconnect policy. If any port level overrides are enabled and not documented, this is a finding.

Fix: F-69901r1_fix

From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Properties. Click Edit and change all Override port policies to disabled. From a PowerCLI command prompt while connected to the vCenter server run the following commands: $pgs = Get-VDPortgroup | Get-View ForEach($pg in $pgs){ $spec = New-Object VMware.Vim.DVPortgroupConfigSpec $spec.configversion = $pg.Config.ConfigVersion $spec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy $spec.Policy.VlanOverrideAllowed = $False $spec.Policy.UplinkTeamingOverrideAllowed = $False $spec.Policy.SecurityPolicyOverrideAllowed = $False $spec.Policy.IpfixOverrideAllowed = $False $spec.Policy.BlockOverrideAllowed = $False $spec.Policy.ShapingOverrideAllowed = $False $spec.Policy.VendorConfigOverrideAllowed = $False $spec.Policy.TrafficFilterOverrideAllowed = $False $spec.Policy.PortConfigResetAtDisconnect = $True $pg.ReconfigureDVPortgroup_Task($spec) }

b

All port groups must be configured to a value other than that of the native VLAN.

CM-6 - Medium - CCI-000366 - V-63973 - SV-78463r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000018

Vuln IDs

V-63973

Rule IDs

SV-78463r1_rule

ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up as belonging to native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered as the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a "1"; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a "1" instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic.

Checks: C-64725r1_chk

From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup | select Name, VlanConfiguration If any port group is configured with the native VLAN of the ESXi hosts attached physical switch, this is a finding.

Fix: F-69903r1_fix

From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Click Edit and under the VLAN section change the VLAN ID to a non-native VLAN and click OK. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"

b

All port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.

CM-6 - Medium - CCI-000366 - V-63975 - SV-78465r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000019

Vuln IDs

V-63975

Rule IDs

SV-78465r1_rule

When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal with them. VLAN 4095 should be used only if the guest has been specifically configured to manage VLAN tags itself. If VGT is enabled inappropriately, it might cause denial-of-service or allow a guest VM to interact with traffic on an unauthorized VLAN.

Checks: C-64727r1_chk

From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to 4095. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup | select Name, VlanConfiguration If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding.

Fix: F-69905r1_fix

To change the VLAN ID of distributed virtual port groups do the following: From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Click Edit and under the VLAN section change the VLAN ID to not be 4095 and click OK. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"

b

All port groups must not be configured to VLAN values reserved by upstream physical switches.

CM-6 - Medium - CCI-000366 - V-63977 - SV-78467r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000020

Vuln IDs

V-63977

Rule IDs

SV-78467r1_rule

Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001–1024 and 4094, while Nexus switches typically reserve 3968–4047 and 4094. Check with the documentation for your specific switch. Using a reserved VLAN might result in a denial of service on the network.

Checks: C-64729r1_chk

From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to a reserved VLAN ID. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup | select Name, VlanConfiguration If any port group is configured with a reserved VLAN ID, this is a finding.

Fix: F-69907r1_fix

From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Click Edit and under the VLAN section change the VLAN ID to not be a reserved VLAN ID and click OK. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"

b

The system must enable SSL for Network File Copy (NFC).

CM-6 - Medium - CCI-000366 - V-63979 - SV-78469r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000021

Vuln IDs

V-63979

Rule IDs

SV-78469r1_rule

NFC is the mechanism used to migrate or clone a VM between two ESXi hosts over the network. By default, NFC over SSL is enabled (i.e., "True") within a vSphere cluster but the value of the setting is null. Clients check the value of the setting and default to not using SSL for performance reasons if the value is null. This behavior can be changed by ensuring the setting has been explicitly created and set to "True". This will force clients to use SSL. Without this setting VM contents could potentially be sniffed if the management network is not adequately isolated and secured.

Checks: C-64731r1_chk

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Verify that config.nfc.useSSL is set to true. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity <vcenter server name> -Name config.nfc.useSSL and verify it is set to true. If the config.nfc.useSSL is set to a value other than true or does not exist, this is a finding.

Fix: F-69909r1_fix

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Click Edit and edit the config.nfc.useSSL setting to true or if the value does not exist create it by entering the values in the Key and Value fields and clicking Add. or From a PowerCLI command prompt while connected to the vCenter server run the following command: If the setting already exists: Get-AdvancedSetting -Entity <vcenter server name> -Name config.nfc.useSSL | Set-AdvancedSetting -Value true If the setting does not exist: New-AdvancedSetting -Entity <vcenter server name> -Name config.nfc.useSSL -Value true

b

The vCenter Server services must be ran using a service account instead of a built-in Windows account.

CM-6 - Medium - CCI-000366 - V-63981 - SV-78471r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000022

Vuln IDs

V-63981

Rule IDs

SV-78471r1_rule

You can use the Microsoft Windows built-in system account or a domain user account to run vCenter Server. The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system requires, which can contribute to security problems. With a domain user account, you can enable Windows authentication for SQL Server; it also allows more granular security and logging. The installing account only needs to be a member of the Administrators group, and have permission to act as part of the operating system and log on as a service. If you are using SQL Server for the vCenter database, you must configure the SQL Server database to allow the domain account access to SQL Server.

Checks: C-64733r1_chk

This control only applies to Windows based vCenter installations. The following services should be set to run as a service account: VMware Content Library Service VMware Inventory Service VMware Performance Charts VMware VirtualCenter Server vCenter should be installed using the service account as that will configure the services appropriately. If vCenter is not installed with a service account and the services identified in this control and not running as a service account, this is a finding.

Fix: F-69911r1_fix

For each of the following services open the services console on the vCenter server and right click and select properties on the service. Go to the Log On tab and configure the service to run as a service account and restart the service. VMware Content Library Service VMware Inventory Service VMware Performance Charts VMware VirtualCenter Server

b

The system must ensure the vpxuser auto-password change meets policy.

CM-6 - Medium - CCI-000366 - V-63983 - SV-78473r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000023

Vuln IDs

V-63983

Rule IDs

SV-78473r1_rule

By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets your policies; if not, configure to meet password aging policies. Note: It is very important the password aging policy not be shorter than the default interval that is set to automatically change the vpxuser password, to preclude the possibility that vCenter might get locked out of an ESXi host.

Checks: C-64735r1_chk

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Verify that VirtualCenter.VimPasswordExpirationInDays is set to 30. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity <vcenter server name> -Name VirtualCenter.VimPasswordExpirationInDays and verify it is set to 30. If the VirtualCenter.VimPasswordExpirationInDays is set to a value other than 30 or does not exist, this is a finding.

Fix: F-69913r1_fix

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Click Edit and edit the VirtualCenter.VimPasswordExpirationInDays setting to 30 or if the value does not exist create it by entering the values in the Key and Value fields and clicking Add. or From a PowerCLI command prompt while connected to the vCenter server run the following command: If the setting already exists: Get-AdvancedSetting -Entity <vcenter server name> -Name VirtualCenter.VimPasswordExpirationInDays | Set-AdvancedSetting -Value 30 If the setting does not exist: New-AdvancedSetting -Entity <vcenter server name> -Name VirtualCenter.VimPasswordExpirationInDays -Value 30

b

The system must ensure the vpxuser password meets length policy.

CM-6 - Medium - CCI-000366 - V-63985 - SV-78475r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000024

Vuln IDs

V-63985

Rule IDs

SV-78475r1_rule

The vpxuser password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. Longer passwords make brute-force password attacks more difficult. The vpxuser password is added by vCenter, meaning no manual intervention is normally required. The vpxuser password length must never be modified to less than the default length of 32 characters.

Checks: C-64737r1_chk

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Verify that config.vpxd.hostPasswordLength is set to 32. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity <vcenter server name> -Name config.vpxd.hostPasswordLength and verify it is set to 32. If the config.vpxd.hostPasswordLength is set to a value other than 32 or does not exist, this is a finding.

Fix: F-69915r1_fix

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Click Edit and edit the config.vpxd.hostPasswordLength setting to 32 or if the value does not exist create it by entering the values in the Key and Value fields and clicking Add. or From a PowerCLI command prompt while connected to the vCenter server run the following command: If the setting already exists: Get-AdvancedSetting -Entity <vcenter server name> -Name config.vpxd.hostPasswordLength | Set-AdvancedSetting -Value 32 If the setting does not exist: New-AdvancedSetting -Entity <vcenter server name> -Name config.vpxd.hostPasswordLength -Value 32

a

The system must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.

CM-6 - Low - CCI-000366 - V-63987 - SV-78477r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VCWN-06-000025

Vuln IDs

V-63987

Rule IDs

SV-78477r1_rule

The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and might potentially be used to perform malicious configuration changes or actions.

Checks: C-64739r2_chk

The Managed Object Browser (MOB) was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is an inventory object, full-access interface, allowing attackers to determine the inventory path of an infrastructure's managed entities. Check the operational status of the MOB: Determine the location of the vpxd.cfg file on the vCenter Server's Windows OS host. Edit the file and locate the <vpxd> ... </vpxd> element. Ensure the following element is set. <enableDebugBrowse>false</enableDebugBrowse> If the MOB is currently enabled, ask the SA if it is being used for object maintenance. If the enableDebugBrowse element is enabled (set to true), and object maintenance is not being performed, this is a finding. If the enableDebugBrowse element is enabled (set to true), and object maintenance is being performed, this is not a finding.

Fix: F-69917r1_fix

If the datastore browser is enabled and required for object maintenance, no fix is immediately required. Disable the managed object browser: Determine the location of the vpxd.cfg file on the Windows host. Edit the file and locate the <vpxd> ... </vpxd> element. Ensure the following element is set. <enableDebugBrowse>false</enableDebugBrowse> Restart the vCenter Service to ensure the configuration file change(s) are in effect.

b

Privilege re-assignment must be checked after the vCenter Server restarts.

CM-6 - Medium - CCI-000366 - V-63989 - SV-78479r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000026

Vuln IDs

V-63989

Rule IDs

SV-78479r1_rule

Check for privilege reassignment when you restart vCenter Server. If the user or user group that is assigned the Administrator role on the root folder cannot be verified as a valid user or group during a restart, the role is removed from that user or group. In its place, vCenter Server grants the Administrator role to the vCenter Single Sign-On account administrator@vsphere.local. This account can then act as the administrator. Reestablish a named administrator account and assign the Administrator role to that account to avoid using the anonymous administrator@vsphere.local account.

Checks: C-64741r1_chk

After the Windows server hosting the vCenter Server has been rebooted, a vCenter Server user or member of the user group granted the administrator role must log in and verify the role permissions remain intact. If the user and/or user group granted vCenter administrator role permissions cannot be verified intact, this is a finding.

Fix: F-69919r1_fix

As the SSO Administrator, log in to the vCenter Server and restore a legitimate administrator account per site-specific user/group/role requirements.

c

The system must minimize access to the vCenter server.

CM-6 - High - CCI-000366 - V-63991 - SV-78481r1_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

VCWN-06-000027

Vuln IDs

V-63991

Rule IDs

SV-78481r1_rule

After someone has logged in to the vCenter Server system, it becomes more difficult to prevent what they can do. In general, logging in to the vCenter Server system should be limited to very privileged administrators, and then only for the purpose of administering vCenter Server or the host OS. Anyone logged in to the vCenter Server can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes. They also have potential access to vCenter credentials, such as the SSL certificate.

Checks: C-64743r1_chk

Login to the vCenter server and verify the local administrators group only contains users and/or groups that contain vCenter Administrators. If the local administrators group contains users and/or groups that are not vCenter Administrators such as "Domain Admins", this is a finding.

Fix: F-69921r1_fix

Remove all unnecessary users and/or groups from the local administrators group of the vCenter server.

b

Log files must be cleaned up after failed installations of the vCenter Server.

CM-6 - Medium - CCI-000366 - V-63993 - SV-78483r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000028

Vuln IDs

V-63993

Rule IDs

SV-78483r1_rule

In certain cases, if the vCenter installation fails, a log file (with a name of the form “hs_err_pidXXXX”) is created that contains the database password in plain text. An attacker who breaks into the vCenter Server could potentially steal this password and access the vCenter Database.

Checks: C-64745r1_chk

If at any time a vCenter Server installation fails, only the log files of format "hs_err_pid...." should be identified on the Windows host and deleted securely before putting the host into production. Determine if a site policy exists for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format "hs_err_pid". If a file name of the format "hs_err_pid" is found, this is a finding. If a site policy does not exist and/or is not followed, this is a finding.

Fix: F-69923r1_fix

Develop a site policy for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format "hs_err_pid" and remove them.

b

The system must enable all tasks to be shown to Administrators in the Web Client.

CM-6 - Medium - CCI-000366 - V-63995 - SV-78485r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000029

Vuln IDs

V-63995

Rule IDs

SV-78485r1_rule

By default not all tasks are shown in the web client to administrators and only that user's tasks will be shown. Enabling all tasks to be shown will allow the administrator to potentially see any malicious activity they may miss with the view disabled.

Checks: C-64747r1_chk

Verify the webclient.properties file contains the line "show.allusers.tasks = true". The default locations for the webclient.properties file are: Windows - C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client\ Appliance - /etc/vmware/vsphere-client/ If show.allusers.tasks is not set to true, this is a finding.

Fix: F-69927r1_fix

Edit the webclient.properties file to set the show.allusers.tasks setting to true. The default locations for the webclient.properties file are: Windows - C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client\ Appliance - /etc/vmware/vsphere-client/ After editing the file the vSphere Web Client service will need to be restarted.

b

The vCenter Administrator role must be secured and assigned to specific users other than a Windows Administrator.

CM-6 - Medium - CCI-000366 - V-63999 - SV-78489r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000030

Vuln IDs

V-63999

Rule IDs

SV-78489r1_rule

By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows server to users who are not vCenter administrators.

Checks: C-64751r1_chk

If enhanced linked mode is used then local windows authentication is not available to vCenter, this is not applicable. Under the computer management console for windows view the local administrators group and verify only vCenter administrators have access to the vCenter server. Other groups and users that are not vCenter administrators should be removed from the local administrators group such as Domain Admins. If there are any groups or users present in the local administrators group of the vCenter server, this is a finding.

Fix: F-69929r1_fix

Under the computer management console for windows view the local administrators group and remove any users or groups that are not vCenter administrators.

a

The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.

CM-6 - Low - CCI-000366 - V-64003 - SV-78493r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VCWN-06-000031

Vuln IDs

V-64003

Rule IDs

SV-78493r1_rule

The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet. The Update Manager requires access to patch information to function properly. UMDS must be installed on a separate system that has Internet access to download upgrades, patch binaries, and patch metadata, and then export the downloads to a portable media drive so that they become accessible to the Update Manager server.

Checks: C-64755r1_chk

Check the following conditions: The Update Manager must be configured to use the Update Manager Download Server. The use of physical media to transfer update files to the Update Manager server (air-gap model example: separate Update Manager Download Server which may source vendor patches externally via the Internet versus an internal source) must be enforced with site policies. Verify the Update Manager download source is not the Internet. To verify download settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, verify "Direct connection to Internet" is not selected. If "Direct connection to Internet" is configured, this is a finding. If all of the above conditions are not met, this is a finding.

Fix: F-69933r1_fix

Configure the Update Manager Server to use a separate Update Manager Download Server; the use of physical media to transfer updated files to the Update Manager server (air-gap model) must be enforced and documented with organization policies. Configure the Update Manager Download Server and enable the Download Service. Patches must not be directly accessible to the Update Manager Server application from the Internet. To configure a Web server or local disk repository as a download source (i.e., "Direct connection to Internet" must not be selected as the source), from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, select Use a shared repository. Enter the <site-specific> path or the URL to the shared repository. Click Validate URL to validate the path. Click Apply.

b

A least-privileges assignment must be used for the Update Manager database user.

CM-6 - Medium - CCI-000366 - V-64005 - SV-78495r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000032

Vuln IDs

V-64005

Rule IDs

SV-78495r1_rule

Least-privileges mitigate attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.

Checks: C-64757r1_chk

Verify only the following permissions are allowed to the VUM database user. For Oracle DB normal operation, only the following permissions are required. grant connect to vumAdmin grant resource to vumAdmin grant create any job to vumAdmin grant create view to vumAdmin grant create any sequence to vumAdmin grant create any table to vumAdmin grant lock any table to vumAdmin grant create procedure to vumAdmin grant create type to vumAdmin grant execute on dbms_lock to vumAdmin grant unlimited tablespace to vumAdmin # To ensure space limitation is not an issue For SQL DB normal operation, make sure that the database user has either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database. The db_owner role on the MSDB database is required for installation and upgrade only. If the above vendor database-dependent permissions are not strictly adhered to, this is a finding.

Fix: F-69935r1_fix

For Oracle DB normal runtime operation, set the following permissions. grant connect to vumAdmin grant resource to vumAdmin grant create any job to vumAdmin grant create view to vumAdmin grant create any sequence to vumAdmin grant create any table to vumAdmin grant lock any table to vumAdmin grant create procedure to vumAdmin grant create type to vumAdmin grant execute on dbms_lock to vumAdmin grant unlimited tablespace to vumAdmin # To ensure space limitation is not an issue For SQL DB normal operation, make sure that the database user has either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database. The db_owner role on the MSDB database is required for installation and upgrade only. Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.

b

A least-privileges assignment must be used for the vCenter Server database user.

CM-6 - Medium - CCI-000366 - V-64007 - SV-78497r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000033

Vuln IDs

V-64007

Rule IDs

SV-78497r1_rule

Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.

Checks: C-64759r1_chk

Verify only the following permissions are allowed on the vCenter database for the following roles and users. vCenter database administrator role used only for initial setup and periodic maintenance of the database: Schema permissions ALTER, REFERENCES, and INSERT. Permissions CREATE TABLE, VIEW, and CREATE PROCEDURES. vCenter database user role: SELECT, INSERT, DELETE, UPDATE, and EXECUTE. EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures. SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables. vCenter database user: VIEW SERVER STATE and VIEW ANY DEFINITIONS. Equivalent permissions must be set for Non-MS databases. If the above database permissions are not set correctly, this is a finding. For more information, refer to the following website: http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.install.doc/GUID-36B92A8C-074A-4657-9938-62AB97225B91.html

Fix: F-69937r1_fix

Configure correct permissions and roles for SQL: Grant these privileges to a vCenter database administrator role used only for initial setup and periodic maintenance of the database: Schema permissions ALTER, REFERENCES, and INSERT. Permissions CREATE TABLE, VIEW, and CREATE PROCEDURES. Grant these privileges to a vCenter database user role: SELECT, INSERT, DELETE, UPDATE, and EXECUTE. EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures. SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables. Grant the permissions VIEW SERVER STATE and VIEW ANY DEFINITIONS to the vCenter database user. For more information, refer to the following website: http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.install.doc/GUID-36B92A8C-074A-4657-9938-62AB97225B91.html

b

The system must use unique service accounts when applications connect to vCenter.

CM-6 - Medium - CCI-000366 - V-64009 - SV-78499r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000034

Vuln IDs

V-64009

Rule IDs

SV-78499r1_rule

In order to not violate non-repudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they should use unique service accounts.

Checks: C-64761r1_chk

Verify that each external application that connects to vCenter has a unique service account dedicated to that application. For example there should be separate accounts for Log Insight, Operations Manager, or anything else that requires an account to access vCenter. If any application shares a service account that is used to connect to vCenter, this is a finding.

Fix: F-69939r1_fix

For applications sharing service accounts create a new service account to assign to the application so that no application shares a service account with another. When standing up a new application that requires access to vCenter always create a new service account prior to installation and grant only the permissions needed for that application.

b

vSphere Client plugins must be verified.

CM-6 - Medium - CCI-000366 - V-64011 - SV-78501r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VCWN-06-000035

Vuln IDs

V-64011

Rule IDs

SV-78501r1_rule

The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system.

Checks: C-64763r1_chk

Verify the vSphere Client used by administrators includes only authorized extensions from trusted sources. From the vSphere Web Client go to Administration >> Client Plug-Ins. View the Installed/Available Plug-ins list and verify they are all identified as authorized VMware, 3rd party (Partner) and/or site-specific (locally developed and site) approved plug-ins. If any Installed/Available plug-ins in the viewable list cannot be verified as vSphere Client plug-ins and/or authorized extensions from trusted sources, this is a finding.

Fix: F-69941r1_fix

From the vSphere Web Client go to Administration >> Client Plug-Ins and right click the unknown plug-in and click disable then proceed to remove the plug-in. To remove plug-ins do the following: If you have vCenter Server in linked mode, perform this procedure on the vCenter Server that is used to install the plug-in initially, then restart the vCenter Server services on the linked vCenter Server. In a web browser, navigate to http://vCenter_Server_name_or_IP/mob. Where vCenter_Server_name_or_IP/mob is the name of your vCenter Server or its IP address. Click Content. Click ExtensionManager. Select and copy the name of the plug-in you want to remove from the list of values under Properties. For a list of default plug-ins, see the Additional Information section of this article. Click UnregisterExtension. A new window appears. Paste the name of the plug-in and click Invoke Method. This removes the plug-in. Close the window. Refresh the Managed Object Type:ManagedObjectReference:ExtensionManager window to verify that the plug-in is removed successfully. Note: If the plug-in still appears, you may have to restart the vSphere Client. Note: You may have to enable the Managed Object Browser(mob) temporarily if previously disabled.

a

The system must produce audit records containing information to establish what type of events occurred.

SI-6 - Low - CCI-002702 - V-64013 - SV-78503r1_rule

RMF Control

SI-6

Severity

L

CCI

CCI-002702

Version

VCWN-06-000036

Vuln IDs

V-64013

Rule IDs

SV-78503r1_rule

Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.

Checks: C-64765r1_chk

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Verify that config.log.level is set to "info". or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity <vcenter server name> -Name config.log.level and verify it is set to "info". If the config.log.level is set to a value other than info or does not exist, this is a finding.

Fix: F-69943r1_fix

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Click Edit and edit the config.log.level setting to info or if the value does not exist create it by entering the values in the Key and Value fields and clicking Add. or From a PowerCLI command prompt while connected to the vCenter server run the following command: If the setting already exists: Get-AdvancedSetting -Entity <vcenter server name> -Name config.log.level | Set-AdvancedSetting -Value info If the setting does not exist: New-AdvancedSetting -Entity <vcenter server name> -Name config.log.level -Value info

b

Passwords must be at least 15 characters in length.

IA-5 - Medium - CCI-000205 - V-64015 - SV-78505r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000205

Version

VCWN-06-000039

Vuln IDs

V-64015

Rule IDs

SV-78505r1_rule

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks: C-64767r1_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Minimum Length: 15 If this password policy is not configured as stated, this is a finding.

Fix: F-69945r1_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click Edit. Set the Minimum Length to 15 and click OK.

b

Passwords must contain at least one uppercase character.

IA-5 - Medium - CCI-000192 - V-64017 - SV-78507r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000192

Version

VCWN-06-000040

Vuln IDs

V-64017

Rule IDs

SV-78507r1_rule

To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.

Checks: C-64769r1_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Upper-case Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.

Fix: F-69947r1_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click Edit. Set Upper-case Characters to at least 1 and click OK.

b

Passwords must contain at least one lowercase character.

IA-5 - Medium - CCI-000193 - V-64019 - SV-78509r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000193

Version

VCWN-06-000041

Vuln IDs

V-64019

Rule IDs

SV-78509r1_rule

To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.

Checks: C-64771r1_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Lower-case Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.

Fix: F-69949r1_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click Edit. Set Lower-case Characters to at least 1 and click OK.

b

Passwords must contain at least one numeric character.

IA-5 - Medium - CCI-000194 - V-64021 - SV-78511r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000194

Version

VCWN-06-000042

Vuln IDs

V-64021

Rule IDs

SV-78511r1_rule

To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.

Checks: C-64773r1_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirement should be set at a minimum: Numeric Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.

Fix: F-69951r1_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click Edit. Set Numeric Characters to at least 1 and click OK.

b

Passwords must contain at least one special character.

IA-5 - Medium - CCI-001619 - V-64023 - SV-78513r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001619

Version

VCWN-06-000043

Vuln IDs

V-64023

Rule IDs

SV-78513r1_rule

To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.

Checks: C-64775r1_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. The following password requirements should be set at a minimum: Special Characters: At least 1 If this password complexity policy is not configured as stated, this is a finding.

Fix: F-69953r1_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. Click Edit. Set Special Characters to at least 1 and click OK.

b

The system must limit the maximum number of failed login attempts to three.

AC-7 - Medium - CCI-002238 - V-64025 - SV-78515r1_rule

RMF Control

AC-7

Severity

M

CCI

CCI-002238

Version

VCWN-06-000045

Vuln IDs

V-64025

Rule IDs

SV-78515r1_rule

By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Checks: C-64777r1_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policy should be set at follows: Maximum number of failed login attempts: 3 If this account lockout policy is not configured as stated, this is a finding.

Fix: F-69955r1_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click Edit. Set the Maximum number of failed login attempts to 3 and click OK.

b

The system must set the interval for counting failed login attempts to at least 15 minutes.

AC-7 - Medium - CCI-002238 - V-64027 - SV-78517r1_rule

RMF Control

AC-7

Severity

M

CCI

CCI-002238

Version

VCWN-06-000046

Vuln IDs

V-64027

Rule IDs

SV-78517r1_rule

By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Checks: C-64779r1_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policy should be set at follows: Time interval between failures: 900 seconds If this lockout policy is not configured as stated, this is a finding.

Fix: F-69957r1_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click Edit. Set the Time interval between failures to 900 and click OK.

b

The system must require an administrator to unlock an account locked due to excessive login failures.

AC-7 - Medium - CCI-002238 - V-64029 - SV-78519r1_rule

RMF Control

AC-7

Severity

M

CCI

CCI-002238

Version

VCWN-06-000047

Vuln IDs

V-64029

Rule IDs

SV-78519r1_rule

By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Checks: C-64781r1_chk

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. View the values for the lockout policies. The following lockout policy should be set at follows: Unlock time: 0 If this account lockout policy is not configured as stated, this is a finding.

Fix: F-69959r1_fix

From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. Click Edit. Set the Unlock time to 0 and click OK.

b

The system must alert administrators on permission creation operations.

SI-6 - Medium - CCI-001294 - V-64031 - SV-78521r1_rule

RMF Control

SI-6

Severity

M

CCI

CCI-001294

Version

VCWN-06-000048

Vuln IDs

V-64031

Rule IDs

SV-78521r1_rule

If personnel are not notified of permission events, they will not be aware of possible unsecure situations.

Checks: C-64783r1_chk

From the vSphere Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions. Verify there is an alarm created to alert on permission additions. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionAddedEvent"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert on permission addition events, this is a finding.

Fix: F-69961r1_fix

From the vSphere Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions >> Right click in the empty space and select New Alarm. On the General tab provide an alarm name and description, Select vCenter for alarm type and "Monitor for specific events occurring on this object", check "Enable this alarm". On the Triggers tab click Add three triggers and in the event column enter "vim.event.PermissionAddedEvent", "vim.event.PermissionRemovedEvent", and "vim.event.PermissionUpdatedEvent" for the three triggers and click OK.

b

The system must alert administrators on permission deletion operations.

SI-6 - Medium - CCI-001294 - V-64033 - SV-78523r1_rule

RMF Control

SI-6

Severity

M

CCI

CCI-001294

Version

VCWN-06-000049

Vuln IDs

V-64033

Rule IDs

SV-78523r1_rule

If personnel are not notified of permission events, they will not be aware of possible unsecure situations.

Checks: C-64785r1_chk

From the vSphere Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions. Verify there is an alarm created to alert on permission deletions. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionRemovedEvent"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert on permission deletion events, this is a finding.

Fix: F-69963r1_fix

From the vSphere Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions >> Right click in the empty space and select New Alarm. On the General tab provide an alarm name and description, Select vCenter for alarm type and "Monitor for specific events occurring on this object", check "Enable this alarm". On the Triggers tab click Add three triggers and in the event column enter "vim.event.PermissionAddedEvent", "vim.event.PermissionRemovedEvent", and "vim.event.PermissionUpdatedEvent" for the three triggers and click OK.

b

The system must alert administrators on permission update operations.

SI-6 - Medium - CCI-001294 - V-64035 - SV-78525r1_rule

RMF Control

SI-6

Severity

M

CCI

CCI-001294

Version

VCWN-06-000050

Vuln IDs

V-64035

Rule IDs

SV-78525r1_rule

If personnel are not notified of permission events, they will not be aware of possible unsecure situations.

Checks: C-64787r1_chk

From the vSphere Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions. Verify there is an alarm created to alert on permission changes. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionUpdatedEvent"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert on permission update events, this is a finding.

Fix: F-69965r1_fix

From the vSphere Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions >> Right click in the empty space and select New Alarm. On the General tab provide an alarm name and description, Select vCenter for alarm type and "Monitor for specific events occurring on this object", check "Enable this alarm". On the Triggers tab click Add three triggers and in the event column enter "vim.event.PermissionAddedEvent", "vim.event.PermissionRemovedEvent", and "vim.event.PermissionUpdatedEvent" for the three triggers and click OK.

b

The vCenter Server users must have the correct roles assigned.

SC-3 - Medium - CCI-001084 - V-64037 - SV-78527r1_rule

RMF Control

SC-3

Severity

M

CCI

CCI-001084

Version

VCWN-06-100005

Vuln IDs

V-64037

Rule IDs

SV-78527r1_rule

Users and service accounts must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.

Checks: C-64789r1_chk

From the vSphere Web Client go to Administration >> Access Control >> Roles. View each role and verify the users and/or groups assigned to it. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto Application service account and user required privileges should be documented. If any user or service account has more privileges than required, this is a finding.

Fix: F-69967r1_fix

To create a new role with specific permissions do the following: From the vSphere Web Client go to Administration >> Access Control >> Roles. Click the green plus sign and enter a name for the role and select only the specific permissions required. Users can then be assigned to the newly created role.

Content changes 1

Checks: C-63901r2_chk

Fix: F-69067r2_fix

Generate Mitigation Statement:

Checks: C-64689r1_chk

Fix: F-69871r1_fix

Generate Mitigation Statement:

Checks: C-64695r1_chk

Fix: F-69873r3_fix

Generate Mitigation Statement:

Checks: C-64697r1_chk

Fix: F-69875r1_fix

Generate Mitigation Statement:

Checks: C-64699r1_chk

Fix: F-69877r1_fix

Generate Mitigation Statement:

Checks: C-64701r1_chk

Fix: F-69879r2_fix

Generate Mitigation Statement:

Checks: C-64703r1_chk

Fix: F-69881r1_fix

Generate Mitigation Statement:

Checks: C-64705r1_chk

Fix: F-69883r1_fix

Generate Mitigation Statement:

Checks: C-64711r1_chk

Fix: F-69889r1_fix

Generate Mitigation Statement:

Checks: C-64713r1_chk

Fix: F-69891r1_fix

Generate Mitigation Statement:

Checks: C-64715r3_chk

Fix: F-69893r3_fix

Generate Mitigation Statement:

Checks: C-64717r1_chk

Fix: F-69895r1_fix

Generate Mitigation Statement:

Checks: C-64719r1_chk

Fix: F-69897r1_fix

Generate Mitigation Statement:

Checks: C-64721r1_chk

Fix: F-69899r1_fix

Generate Mitigation Statement:

Checks: C-64723r1_chk

Fix: F-69901r1_fix

Generate Mitigation Statement:

Checks: C-64725r1_chk

Fix: F-69903r1_fix

Generate Mitigation Statement:

Checks: C-64727r1_chk

Fix: F-69905r1_fix

Generate Mitigation Statement:

Checks: C-64729r1_chk

Fix: F-69907r1_fix

Generate Mitigation Statement:

Checks: C-64731r1_chk

Fix: F-69909r1_fix

Generate Mitigation Statement:

Checks: C-64733r1_chk

Fix: F-69911r1_fix

Generate Mitigation Statement:

Checks: C-64735r1_chk

Fix: F-69913r1_fix

Generate Mitigation Statement:

Checks: C-64737r1_chk

Fix: F-69915r1_fix

Generate Mitigation Statement:

Checks: C-64739r2_chk

Fix: F-69917r1_fix

Generate Mitigation Statement:

Checks: C-64741r1_chk

Fix: F-69919r1_fix

Generate Mitigation Statement:

Checks: C-64743r1_chk

Fix: F-69921r1_fix

Generate Mitigation Statement:

Checks: C-64745r1_chk

Fix: F-69923r1_fix

Generate Mitigation Statement:

Checks: C-64747r1_chk