
vSphere Client plugins must be verified.


Overview

Finding ID: VCENTER-000029
Version: VCENTER-000029
Rule ID: VCENTER-000029_rule
IA Controls: (none listed)
Severity: Medium
Description
The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system.
STIG Date
VMware vCenter Server Security Technical Implementation Guide 2013-01-15

Details

Check Text (C-VCENTER-000029_chk)
Verify the vSphere Client used by administrators includes only authorized extensions from trusted sources:
From the vSphere Client, go to "Plug-ins >> Manage Plug-ins" and click the Installed Plug-ins tab. View the Installed/Available Plug-ins list and verify that all of them are identified as authorized VMware, 3rd party (Partner) and/or site-specific (locally developed and site) approved plug-ins.

If any Installed/Available plug-ins in the viewable list cannot be verified as vSphere Client plug-ins and/or authorized extensions from trusted sources, this is a finding.
Fix Text (F-VCENTER-000029_fix)
Disable/remove all listed plug-ins that cannot be verified as distributed from trusted sources:
From the vSphere Client, connect to the vCenter Server.
On the menu bar, go to "Plug-ins >> Manage Plug-ins".
Under Installed Plug-ins, right-click the plug-in of choice and select Disable.
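
The review in the Check Text can be supported by a script that lists the extensions registered with vCenter Server and compares them to the site's approved list. The following PowerCLI script is an added example, not part of the STIG. It assumes VMware PowerCLI with an existing Connect-VIServer session, and that the extensions registered in vCenter's ExtensionManager are the ones to review. The function name and the allowlist entries are hypothetical placeholders.

```powershell
# Added example: audit registered vCenter extensions against a site allowlist.
# Requires VMware PowerCLI and an existing Connect-VIServer session.

# Constructed placeholder entries: replace with the site's approved plug-ins.
$Approved = @(
    [pscustomobject]@{ Key = 'com.example.approved-plugin'; Company = 'Example Partner, Inc.' }
    [pscustomobject]@{ Key = 'local.site.inventory-tool';   Company = 'Site IT' }
)

# Hypothetical helper: classify each extension by key and publisher.
function Test-ExtensionAllowlist {
    param(
        [Parameter(Mandatory)] [object[]] $Extensions,
        [Parameter(Mandatory)] [object[]] $Allowlist
    )
    foreach ($ext in $Extensions) {
        # Exact, case-sensitive key match so look-alike keys are not accepted.
        $match = $Allowlist | Where-Object { $_.Key -ceq $ext.Key } | Select-Object -First 1
        $status = if (-not $match) {
            'NotOnAllowlist'
        } elseif ($match.Company -ne $ext.Company) {
            'CompanyMismatch'   # known key, unexpected publisher string
        } else {
            'Approved'
        }
        [pscustomobject]@{
            Key     = $ext.Key
            Label   = $ext.Description.Label
            Company = $ext.Company
            Version = $ext.Version
            Status  = $status
        }
    }
}

# ExtensionManager holds the extensions registered with this vCenter Server.
$em     = Get-View ExtensionManager
$report = Test-ExtensionAllowlist -Extensions $em.ExtensionList -Allowlist $Approved
$report | Sort-Object Status, Key | Format-Table -AutoSize

# Anything not 'Approved' needs manual verification per the Check Text.
$unverified = @($report | Where-Object Status -ne 'Approved')
if ($unverified.Count -gt 0) {
    Write-Warning "$($unverified.Count) extension(s) could not be matched to the allowlist."
}
```

A matching key and company string only identifies an extension; it does not prove where it came from, so the output supplements the Plug-in Manager review rather than replacing it.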