The vCenter Server must disable Username/Password and Windows Integrated Authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-256363 | VCSA-70-000283 | SV-256363r885700_rule | CCI-000366 | low |

Description
All forms of authentication other than Common Access Card (CAC) must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local Single Sign-On (SSO) accounts or Active Directory user/pass accounts, but it must be disabled as soon as CAC authentication is functional.

| STIG | Date |
| --- | --- |
| VMware vSphere 7.0 vCenter Security Technical Implementation Guide | 2023-12-21 |
Related Frameworks
4 paths across 3 frameworks

NIST 800-53 (1 mapping)
CM-6
1.00
- DISA · V1R3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (2 mappings)
3.4.1
1.00
- DISA · V1R3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.4.2
1.00
- DISA · V1R3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping)
CCI-000366
1.00
- DISA · V1R3 · disa_xccdf · related
Details
Check Text (C-256363r885700_chk)
If a federated identity provider is configured and used for an identity source, this is not applicable.
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.
Under "Authentication method", examine the allowed methods.
If "Smart card authentication" is not enabled and "Password and windows session authentication" is not disabled, this is a finding.
Fix Text (F-59981r885699_fix)
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.
Next to "Authentication method", click "Edit".
Select the radio button to "Enable smart card authentication".
Click "Save".
To re-enable password authentication for troubleshooting purposes, run the following command on the vCenter Server Appliance:
# /opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local
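The check above is performed in the vSphere Client, which does not scale across many appliances. The following script is an added example, not part of the STIG or of VMware's tooling: it evaluates the SSO authentication policy of a tenant from the command line and reports a finding when anything other than smart card (certificate) authentication is enabled, which is the Description's requirement that all non-CAC methods be disabled. It is written to consume the output of `sso-config.sh -get_authn_policy -t vsphere.local` (the read-only counterpart of the `-set_authn_policy` command shown above); the key/value line format it parses is an assumption for this example, and the two policy outputs embedded below are constructed, not captured from a real appliance.

```shell
#!/bin/sh
# Added example: evaluate a vCenter SSO authentication policy against VCSA-70-000283.
# On an appliance you would feed it live output, e.g.
#   evaluate_policy "$(/opt/vmware/bin/sso-config.sh -get_authn_policy -t vsphere.local)"
# The "Key : value" line format below is an ASSUMPTION used for this example;
# adjust policy_value() to match the real output of your sso-config.sh version.

# Constructed sample: only smart card (certificate) authentication enabled -> compliant.
SAMPLE_COMPLIANT='AuthnPolicy for tenant vsphere.local
PasswordAuthEnabled : false
WindowsAuthEnabled : false
CertAuthEnabled : true
SecurIDAuthEnabled : false'

# Constructed sample: the state left behind by the troubleshooting command above -> finding.
SAMPLE_FINDING='AuthnPolicy for tenant vsphere.local
PasswordAuthEnabled : true
WindowsAuthEnabled : false
CertAuthEnabled : false
SecurIDAuthEnabled : false'

# policy_value <policy-output> <key>
# Prints the lower-cased value of <key> (true/false), or "unknown" if the key is absent.
policy_value() {
  printf '%s\n' "$1" | awk -v key="$2" -F'[ \t]*:[ \t]*' '
    $1 == key { print tolower($2); found = 1 }
    END { if (!found) print "unknown" }'
}

# evaluate_policy <policy-output>
# Prints "compliant" or "finding:<reasons>" and returns 0 / 1 accordingly.
# A missing key is treated as non-compliant so that a parse mismatch can never pass silently.
evaluate_policy() {
  cert_auth=$(policy_value "$1" CertAuthEnabled)
  pwd_auth=$(policy_value "$1" PasswordAuthEnabled)
  win_auth=$(policy_value "$1" WindowsAuthEnabled)
  reasons=""
  [ "$cert_auth" = "true" ]  || reasons="$reasons smart-card-auth-not-enabled"
  [ "$pwd_auth" = "false" ]  || reasons="$reasons password-auth-not-disabled"
  [ "$win_auth" = "false" ]  || reasons="$reasons windows-session-auth-not-disabled"
  if [ -z "$reasons" ]; then
    echo "compliant"
    return 0
  fi
  echo "finding:$reasons"
  return 1
}

# Stand-alone demonstration on the constructed samples.
echo "compliant sample -> $(evaluate_policy "$SAMPLE_COMPLIANT")"
echo "finding sample   -> $(evaluate_policy "$SAMPLE_FINDING")"
```

Because the function returns a non-zero status on a finding, it can be dropped into a fleet audit loop (one SSH session per appliance, exit status collected) and re-run after the emergency password-authentication window to confirm the policy was restored.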