| V-258917 | | The vCenter Server must enable FIPS-validated cryptography. | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements.... |
| V-258905 | | The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ... |
| V-258906 | | The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before logon. | Display of the DOD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is cons... |
| V-258907 | | The vCenter Server must produce audit records containing information to establish what type of events occurred. | Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage ... |
| V-258908 | | vCenter Server plugins must be verified. | The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or ... |
| V-258909 | | The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-258910 | | The vCenter Server must require multifactor authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires ... |
| V-258911 | | The vCenter Server passwords must be at least 15 characters in length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-258912 | | The vCenter Server must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet ... |
| V-258913 | | The vCenter Server passwords must contain at least one uppercase character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258914 | | The vCenter Server passwords must contain at least one lowercase character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258915 | | The vCenter Server passwords must contain at least one numeric character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258916 | | The vCenter Server passwords must contain at least one special character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258918 | | The vCenter Server must enforce a 90-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords must be changed at specific intervals. One method of minimizing ... |
| V-258919 | | The vCenter Server must enable revocation checking for certificate-based authentication. | The system must establish the validity of the user-supplied identity certificate using Online Certificate Status Protocol (OCSP) and/or Certificate Re... |
| V-258920 | | The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-258921 | | The vCenter Server user roles must be verified. | Users and service accounts must only be assigned privileges they require. Least privilege requires that these privileges must only be assigned if need... |
| V-258922 | | The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC). | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-258923 | | The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accompl... |
| V-258924 | | The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ... |
| V-258925 | | The vCenter Server must be configured to send logs to a central log server. | vCenter must be configured to send near real-time log data to syslog collectors so information will be available to investigators in the case of a sec... |
| V-258926 | | The vCenter server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-258927 | | The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-258928 | | The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority. | Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD syst... |
| V-258929 | | The vCenter Server must enable data at rest encryption for vSAN. | Applications handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modificati... |
| V-258930 | | The vCenter Server must disable the Customer Experience Improvement Program (CEIP). | The VMware CEIP sends VMware anonymized system information that is used to improve the quality, reliability, and functionality of VMware products and ... |
| V-258931 | | The vCenter server must enforce SNMPv3 security features where SNMP is required. | SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol con... |
| V-258932 | | The vCenter server must disable SNMPv1/2 receivers. | SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol con... |
| V-258933 | | The vCenter Server must require an administrator to unlock an account locked due to excessive login failures. | By requiring that Single Sign-On (SSO) accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as b... |
| V-258934 | | The vCenter Server must disable the distributed virtual switch health check. | Network health check is disabled by default. Once enabled, the health check packets contain information on host#, vds#, and port#, which an attacker w... |
| V-258935 | | The vCenter Server must set the distributed port group Forged Transmits policy to "Reject". | If the virtual machine operating system changes the Media Access Control (MAC) address, the operating system can send frames with an impersonated sour... |
| V-258936 | | The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to "Reject". | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows i... |
| V-258937 | | The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject". | When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the port group have the potential of reading all packets acro... |
| V-258938 | | The vCenter Server must only send NetFlow traffic to authorized collectors. | The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain inf... |
| V-258939 | | The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN). | ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the ... |
| V-258940 | | The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized. | When a port group is set to VLAN Trunking, the vSwitch passes all network frames in the specified range to the attached virtual machines without modif... |
| V-258941 | | The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches. | Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Cat... |
| V-258942 | | The vCenter Server must configure the "vpxuser" auto-password to be changed every 30 days. | By default, vCenter will change the "vpxuser" password automatically every 30 days. Ensure this setting meets site policies. If it does not, configure... |
| V-258943 | | The vCenter Server must configure the "vpxuser" password to meet length policy. | The "vpxuser" password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. ... |
| V-258945 | | The vCenter Server must use unique service accounts when applications connect to vCenter. | To not violate nonrepudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they must us... |
| V-258946 | | The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic. | Virtual machines might share virtual switches and virtual local area networks (VLAN) with the IP-based storage configurations. IP-based storage inclu... |
| V-258947 | | The vCenter server must be configured to send events to a central log server. | vCenter server generates volumes of security-relevant application-level events. Examples include logins, system reconfigurations, system degradation w... |
| V-258948 | | The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server. | The vSAN Health Check is able to download the HCL from VMware to check compliance against the underlying vSAN Cluster hosts. To ensure the vCenter ser... |
| V-258949 | | The vCenter Server must configure the vSAN Datastore name to a unique name. | A vSAN Datastore name by default is "vsanDatastore". If more than one vSAN cluster is present in vCenter, both datastores will have the same name by d... |
| V-258950 | | The vCenter Server must disable Username/Password and Windows Integrated Authentication. | All forms of authentication other than Common Access Card (CAC) must be disabled. Password authentication can be temporarily reenabled for emergency a... |
| V-258951 | | The vCenter Server must restrict access to the default roles with cryptographic permissions. | In vSphere, the built-in "Administrator" role contains permission to perform cryptographic operations such as Key Management Server (KMS) functions an... |
| V-258952 | | The vCenter Server must restrict access to cryptographic permissions. | These permissions must be reserved for cryptographic administrators where virtual machine encryption and/or vSAN encryption is in use. Catastrophic da... |
| V-258953 | | The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets. | When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host,... |
| V-258954 | | The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s). | The KEK for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key... |
| V-258955 | | The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source. | LDAP is an industry standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over a Secu... |
| V-258956 | | The vCenter Server must limit membership to the "SystemConfiguration.BashShellAdministrators" Single Sign-On (SSO) group. | vCenter SSO integrates with PAM in the underlying Photon operating system so members of the "SystemConfiguration.BashShellAdministrators" SSO group ca... |
| V-258957 | | The vCenter Server must limit membership to the "TrustedAdmins" Single Sign-On (SSO) group. | The vSphere "TrustedAdmins" group grants additional rights to administer the vSphere Trust Authority feature. To force accountability and nonrepudiat... |
| V-258958 | | The vCenter server configuration must be backed up on a regular basis. | vCenter server is the control plane for the vSphere infrastructure and all the workloads it hosts. As such, vCenter is usually a highly critical syste... |
| V-258959 | | The vCenter server must have task and event retention set to at least 30 days. | vCenter tasks and events contain valuable historical actions, useful in troubleshooting availability issues and for incident forensics. While vCenter ... |
| V-258960 | | The vCenter server Native Key Provider must be backed up with a strong password. | The vCenter Native Key Provider feature was introduced in 7.0 U2 and acts as a key provider for encryption-based capabilities such as encrypted virtua... |
| V-258961 | | The vCenter server must require authentication for published content libraries. | In the vSphere Client, you can create a local or a subscribed content library. By using content libraries, you can store and manage content in one vCe... |
| V-258962 | | The vCenter server must enable the OVF security policy for content libraries. | In the vSphere Client, you can create a local or a subscribed content library. By using content libraries, you can store and manage content in one vCe... |
| V-258963 | | The vCenter Server must separate authentication and authorization for administrators. | Many organizations do both authentication and authorization using a centralized directory service such as Active Directory. Attackers who compromise a... |
| V-258965 | | The vCenter Server must remove unauthorized port mirroring sessions on distributed switches. | The vSphere Distributed Virtual Switch can enable port mirroring sessions allowing traffic to be mirrored from one source to a destination. If port mi... |
| V-258966 | | The vCenter Server must not override port group settings at the port level on distributed switches. | Port-level configuration overrides are disabled by default. Once enabled, this allows for different security settings to be set from what is establish... |
| V-258967 | | The vCenter Server must reset port configuration when virtual machines are disconnected. | Port-level configuration overrides are disabled by default. Once enabled, this allows for different security settings to be set from what is establish... |
| V-258968 | | The vCenter Server must disable Secure Shell (SSH) access. | vCenter Server is delivered as an appliance and is intended to be managed through the VAMI, vSphere Client, and APIs. SSH is a troubleshooting and... |
| V-258969 | | The vCenter Server must enable data in transit encryption for vSAN. | Transit encryption must be enabled to prevent unauthorized disclosure of information and to protect the confidentiality of organizational information. v... |
| V-265978 | | The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that explo... |
| V-265979 | | The vCenter Server must disable accounts used for Integrated Windows Authentication (IWA). | If not used for their intended purpose, default accounts must be disabled. vCenter ships with several default accounts, two of which are specific to I... |
| V-258944 | | The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery. | vCenter and the embedded Lifecycle Manager system must never have a direct route to the internet. Despite this, updates and patches sourced from VMwar... |
| V-258964 | | The vCenter Server must disable CDP/LLDP on distributed switches. | The vSphere Distributed Virtual Switch can participate in Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP), as a listener, adver... |