VMware vSphere 8.0 vCenter Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000516

    Group
  • SRG-APP-000516

    Group
  • The vCenter Server must reset port configuration when virtual machines are disconnected.

    Port-level configuration overrides are disabled by default. Once enabled, this allows for different security settings to be set from what is established at the Port Group level. If overrides are no...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • The vCenter Server must disable Secure Shell (SSH) access.

    vCenter Server is delivered as an appliance, and intended to be managed through the VAMI, vSphere Client, and APIs. SSH is a troubleshooting and support tool and should only be enabled when necessa...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before logon.

    Display of the DOD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive ...
    Rule Medium Severity
  • The vCenter Server must require multifactor authentication.

    Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentica...
    Rule Medium Severity
  • The vCenter Server must prohibit password reuse for a minimum of five generations.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords must be...
    Rule Medium Severity
  • The vCenter Server passwords must contain at least one numeric character.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • The vCenter Server must enable FIPS-validated cryptography.

    FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. In vSphere 6.7 and later, ESXi and vCenter Se...
    Rule High Severity
  • The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity.

    Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...
    Rule Medium Severity
  • The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).

    DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing exc...
    Rule Medium Severity
  • The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.

    By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the a...
    Rule Medium Severity
  • The vCenter server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.

    It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impe...
    Rule Medium Severity
  • The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.

    Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient secur...
    Rule Medium Severity
  • The vCenter server must enforce SNMPv3 security features where SNMP is required.

    SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were...
    Rule Medium Severity
  • The vCenter Server must set the distributed port group Forged Transmits policy to "Reject".

    If the virtual machine operating system changes the Media Access Control (MAC) address, the operating system can send frames with an impersonated source MAC address at any time. This allows an oper...
    Rule Medium Severity
  • The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject".

    When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the port group have the potential of reading all packets across that network, meaning only the virtual machi...
    Rule Medium Severity
  • The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.

    When a port group is set to VLAN Trunking, the vSwitch passes all network frames in the specified range to the attached virtual machines without modifying the virtual local area network (VLAN) tags...
    Rule Medium Severity
  • The vCenter Server must configure the "vpxuser" auto-password to be changed every 30 days.

    By default, vCenter will change the "vpxuser" password automatically every 30 days. Ensure this setting meets site policies. If it does not, configure it to meet password aging policies. Note: It ...
    Rule Medium Severity
  • The vCenter Server must use unique service accounts when applications connect to vCenter.

    To preserve nonrepudiation (i.e., to prevent anyone from denying the authenticity of who is connecting to vCenter), applications that need to connect to vCenter must each use a unique service account.
    Rule Medium Severity
  • The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.

    Virtual machines might share virtual switches and virtual local area networks (VLAN) with the IP-based storage configurations. IP-based storage includes vSAN, Internet Small Computer System Interf...
    Rule Medium Severity
  • The vCenter Server must restrict access to the default roles with cryptographic permissions.

    In vSphere, the built-in "Administrator" role contains permission to perform cryptographic operations such as Key Management Server (KMS) functions and encrypting and decrypting virtual machine dis...
    Rule Medium Severity
  • The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source.

    LDAP is an industry standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over a Secure Sockets Layer (SSL)/Transport Layer Security...
    Rule Medium Severity
  • The vCenter Server must limit membership to the "SystemConfiguration.BashShellAdministrators" Single Sign-On (SSO) group.

    vCenter SSO integrates with PAM in the underlying Photon operating system so members of the "SystemConfiguration.BashShellAdministrators" SSO group can log on to the operating system without needin...
    Rule Medium Severity
  • The vCenter server configuration must be backed up on a regular basis.

    vCenter server is the control plane for the vSphere infrastructure and all the workloads it hosts. As such, vCenter is usually a highly critical system in its own right. Backups of vCenter can now ...
    Rule Medium Severity
  • The vCenter server must require authentication for published content libraries.

    In the vSphere Client, you can create a local or a subscribed content library. By using content libraries, you can store and manage content in one vCenter Server instance. Alternatively, you can di...
    Rule Medium Severity
  • The vCenter Server must not override port group settings at the port level on distributed switches.

    Port-level configuration overrides are disabled by default. Once enabled, this allows for different security settings to be set from what is established at the Port Group level. If overrides are no...
    Rule Medium Severity
  • The vCenter Server must enable data in transit encryption for vSAN.

    Transit encryption must be enabled to prevent unauthorized disclosure of information and to protect the confidentiality of organizational information. vSAN data-in-transit encryption has the followin...
    Rule Medium Severity
