The vCenter Server must separate authentication and authorization for administrators.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258963	VCSA-80-000298	SV-258963r934547_rule		Medium

Description
Many organizations do both authentication and authorization using a centralized directory service such as Active Directory. Attackers who compromise an identity source can often add themselves to authorization groups, and simply log into systems they should not otherwise have access to. Additionally, reliance on central identity systems means that the administrators of those systems are potentially infrastructure administrators, too, as they can add themselves to infrastructure access groups at will. The use of local SSO groups for authorization helps prevent this avenue of attack by allowing the centralized identity source to still authenticate users but moving authorization into vCenter itself.

Description

Many organizations do both authentication and authorization using a centralized directory service such as Active Directory. Attackers who compromise an identity source can often add themselves to authorization groups, and simply log into systems they should not otherwise have access to. Additionally, reliance on central identity systems means that the administrators of those systems are potentially infrastructure administrators, too, as they can add themselves to infrastructure access groups at will. The use of local SSO groups for authorization helps prevent this avenue of attack by allowing the centralized identity source to still authenticate users but moving authorization into vCenter itself.

STIG	Date
VMware vSphere 8.0 vCenter Security Technical Implementation Guide	2023-10-11

Details

Check Text ( C-62703r934545_chk )
From the vSphere Client, go to Administration >> Access Control >> Roles. View the Administrator role and any other role providing administrative access to vCenter to verify the users and/or groups assigned to it by clicking on "Usage". or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VIPermission \| Sort Role \| Select Role,Principal,Entity,Propagate,IsGroup \| FT -Auto If any user or group is directly assigned a role with administrative access to vCenter that is from an identity provider, this is a finding. Note: Users and/or groups assigned to roles should be from the "VSPHERE.LOCAL" identity source.

Check Text ( C-62703r934545_chk )

From the vSphere Client, go to Administration >> Access Control >> Roles.

View the Administrator role and any other role providing administrative access to vCenter to verify the users and/or groups assigned to it by clicking on "Usage".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto

If any user or group is directly assigned a role with administrative access to vCenter that is from an identity provider, this is a finding.

Note: Users and/or groups assigned to roles should be from the "VSPHERE.LOCAL" identity source.

Fix Text (F-62612r934546_fix)
To add groups from an identity provider to the local SSO Administrators group, as an example, do the following: From the vSphere Client, go to Administration >> Single Sign On >> Groups. Select the Administrators group and click "Edit". In the "Add Members" section, select the identity source and type the name of the target user/group in the search bar. Select the target user/group to add them and click "Save". Note: A new SSO group or groups can be created as needed and used to provide authorization to vCenter. To remove identity provider users/groups from a role, do the following: From the vSphere Client, go to Administration >> Access Control >> Global Permissions. Select the offending user/group and click "Delete". Note: If permissions are assigned on a specific object, then the role must be updated where it is assigned (for example, at the cluster level).

Fix Text (F-62612r934546_fix)

To add groups from an identity provider to the local SSO Administrators group, as an example, do the following:

From the vSphere Client, go to Administration >> Single Sign On >> Groups.

Select the Administrators group and click "Edit".

In the "Add Members" section, select the identity source and type the name of the target user/group in the search bar.

Select the target user/group to add them and click "Save".

Note: A new SSO group or groups can be created as needed and used to provide authorization to vCenter.

To remove identity provider users/groups from a role, do the following:

From the vSphere Client, go to Administration >> Access Control >> Global Permissions.

Select the offending user/group and click "Delete".

Note: If permissions are assigned on a specific object, then the role must be updated where it is assigned (for example, at the cluster level).