The vCenter Server must separate authentication and authorization for administrators.
An XCCDF Rule
Description
<VulnDiscussion>Many organizations do both authentication and authorization using a centralized directory service such as Active Directory. Attackers who compromise an identity source can often add themselves to authorization groups, and simply log into systems they should not otherwise have access to. Additionally, reliance on central identity systems means that the administrators of those systems are potentially infrastructure administrators, too, as they can add themselves to infrastructure access groups at will. The use of local SSO groups for authorization helps prevent this avenue of attack by allowing the centralized identity source to still authenticate users but moving authorization into vCenter itself.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-258963r961863_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
To add groups from an identity provider to the local SSO Administrators group, as an example, do the following:
From the vSphere Client, go to Administration >> Single Sign On >> Groups.
Select the Administrators group and click "Edit".