| V-256319 | | The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ... |
| V-256320 | | The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before login. | Display of the DOD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is cons... |
| V-256321 | | The vCenter Server must produce audit records containing information to establish what type of events occurred. | Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage ... |
| V-256322 | | vCenter Server plugins must be verified. | The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or ... |
| V-256323 | | The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-256324 | | The vCenter Server must require multifactor authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires ... |
| V-256325 | | The vCenter Server passwords must be at least 15 characters in length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-256326 | | The vCenter Server must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet... |
| V-256327 | | The vCenter Server passwords must contain at least one uppercase character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-256328 | | The vCenter Server passwords must contain at least one lowercase character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-256329 | | The vCenter Server passwords must contain at least one numeric character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-256330 | | The vCenter Server passwords must contain at least one special character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-256332 | | The vCenter Server must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords must be changed at specific intervals. One method of minimizing... |
| V-256333 | | The vCenter Server must enable revocation checking for certificate-based authentication. | The system must establish the validity of the user-supplied identity certificate using Online Certificate Status Protocol (OCSP) and/or Certificate Re... |
| V-256334 | | The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-256335 | | The vCenter Server users must have the correct roles assigned. | Users and service accounts must only be assigned privileges they require. Least privilege requires that these privileges must only be assigned if need... |
| V-256336 | | The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC). | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-256337 | | The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accompl... |
| V-256338 | | The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ... |
| V-256339 | | The vCenter Server must be configured to send logs to a central log server. | vCenter must be configured to send near real-time log data to syslog collectors so information will be available to investigators in the case of a sec... |
| V-256340 | | vCenter must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-256341 | | The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-256342 | | The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority. | Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD syst... |
| V-256343 | | The vCenter Server must disable the Customer Experience Improvement Program (CEIP). | The VMware CEIP sends VMware anonymized system information that is used to improve the quality, reliability, and functionality of VMware products and ... |
| V-256344 | | The vCenter server must enforce SNMPv3 security features where SNMP is required. | SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol con... |
| V-256345 | | The vCenter server must disable SNMPv1/2 receivers. | SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol con... |
| V-256346 | | The vCenter Server must require an administrator to unlock an account locked due to excessive login failures. | By requiring that Single Sign-On (SSO) accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as b... |
| V-256348 | | The vCenter Server must set the distributed port group Forged Transmits policy to "Reject". | If the virtual machine operating system changes the Media Access Control (MAC) address, the operating system can send frames with an impersonated sour... |
| V-256349 | | The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to "Reject". | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows i... |
| V-256350 | | The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject". | When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the port group have the potential of reading all packets acro... |
| V-256351 | | The vCenter Server must only send NetFlow traffic to authorized collectors. | The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain inf... |
| V-256352 | | The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN). | ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the ... |
| V-256353 | | The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized. | When a port group is set to VLAN Trunking, the vSwitch passes all network frames in the specified range to the attached virtual machines without modif... |
| V-256354 | | The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches. | Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Cat... |
| V-256355 | | The vCenter Server must configure the "vpxuser" auto-password to be changed every 30 days. | By default, vCenter will change the "vpxuser" password automatically every 30 days. Ensure this setting meets site policies. If it does not, configure... |
| V-256356 | | The vCenter Server must configure the "vpxuser" password to meet length policy. | The "vpxuser" password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. ... |
| V-256357 | | The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery. | vCenter and the embedded Lifecycle Manager system must never have a direct route to the internet. Despite this, updates and patches sourced from VMwar... |
| V-256358 | | The vCenter Server must use unique service accounts when applications connect to vCenter. | To not violate nonrepudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they must us... |
| V-256359 | | The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic. | Virtual machines might share virtual switches and virtual local area networks (VLAN) with the IP-based storage configurations. IP-based storage incl... |
| V-256360 | | The vCenter server must be configured to send events to a central log server. | vCenter server generates volumes of security-relevant application-level events. Examples include logins, system reconfigurations, system degradation w... |
| V-256361 | | The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server. | The vSAN Health Check is able to download the HCL from VMware to check compliance against the underlying vSAN Cluster hosts. To ensure the vCenter ser... |
| V-256362 | | The vCenter Server must configure the vSAN Datastore name to a unique name. | A vSAN Datastore name by default is "vsanDatastore". If more than one vSAN cluster is present in vCenter, both datastores will have the same name by d... |
| V-256364 | | The vCenter Server must restrict access to the default roles with cryptographic permissions. | In vSphere, a number of default roles contain permission to perform cryptographic operations such as Key Management Server (KMS) functions and encrypt... |
| V-256365 | | The vCenter Server must restrict access to cryptographic permissions. | These permissions must be reserved for cryptographic administrators where virtual machine encryption and/or vSAN encryption is in use. Catastrophic da... |
| V-256366 | | The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets. | When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host,... |
| V-256367 | | The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s). | The KEK for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key... |
| V-256368 | | The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source. | LDAP is an industry standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over a Secu... |
| V-256369 | | The vCenter Server must use a limited privilege account when adding a Lightweight Directory Access Protocol (LDAP) identity source. | When adding an LDAP identity source to vSphere Single Sign-On (SSO), the account used to bind to Active Directory must be minimally privileged. This a... |
| V-256370 | | The vCenter Server must limit membership to the "SystemConfiguration.BashShellAdministrators" Single Sign-On (SSO) group. | vCenter SSO integrates with PAM in the underlying Photon operating system so members of the "SystemConfiguration.BashShellAdministrators" SSO group ca... |
| V-256371 | | The vCenter Server must limit membership to the "TrustedAdmins" Single Sign-On (SSO) group. | The vSphere "TrustedAdmins" group grants additional rights to administer the vSphere Trust Authority feature. To force accountability and nonrepudiat... |
| V-256372 | | The vCenter server configuration must be backed up on a regular basis. | vCenter server is the control plane for the vSphere infrastructure and all the workloads it hosts. As such, vCenter is usually a highly critical syste... |
| V-256373 | | vCenter task and event retention must be set to at least 30 days. | vCenter tasks and events contain valuable historical actions, useful in troubleshooting availability issues and for incident forensics. While vCenter ... |
| V-256374 | | vCenter Native Key Providers must be backed up with a strong password. | The vCenter Native Key Provider feature was introduced in U2 and acts as a key provider for encryption-based capabilities, such as encrypted virtual m... |
| V-256347 | | The vCenter Server must disable the distributed virtual switch health check. | Network health check is disabled by default. Once enabled, the health check packets contain information on host#, vds#, and port#, which an attacker w... |
| V-256363 | | The vCenter Server must disable Username/Password and Windows Integrated Authentication. | All forms of authentication other than Common Access Card (CAC) must be disabled. Password authentication can be temporarily reenabled for emergency a... |
| V-256318 | | The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that explo... |
| V-256331 | | The vCenter Server must enable FIPS-validated cryptography. | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements.... |