| V-259137 | | The vCenter VAMI service must limit the number of allowed simultaneous session requests. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-259138 | | The vCenter VAMI service must use cryptography to protect the integrity of remote sessions. | Data exchanged between the user and the web server can range from static display data to credentials used to log in the hosted application. Even when ... |
| V-259139 | | The vCenter VAMI service must generate information to monitor remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-259140 | | The vCenter VAMI service must produce log records containing sufficient information to establish what type of events occurred. | Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events ... |
| V-259141 | | The vCenter VAMI service log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the tr... |
| V-259142 | | The vCenter VAMI service must off-load log records onto a different system or media from the system being logged. | Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate ... |
| V-259143 | | The vCenter VAMI service must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type". | Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more function... |
| V-259144 | | The vCenter VAMI service must have resource mappings set to disable the serving of certain file types. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client... |
| V-259145 | | The vCenter VAMI service must have Web Distributed Authoring (WebDAV) disabled. | A web server can be installed with functionality that, by its nature, is not secure. WebDAV is an extension to the HTTP protocol that, when developed,... |
| V-259146 | | The vCenter VAMI service must protect system resources and privileged operations from hosted applications. | Most of the attention to denial-of-service (DoS) attacks focuses on ensuring that systems and applications are not victims of these attacks. However, ... |
| V-259147 | | The vCenter VAMI service must restrict access to the web server's private key. | The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt commun... |
| V-259149 | | The vCenter VAMI service must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. | In UNIX and related computer operating systems, a file descriptor is an indicator used to access a file or other input/output resource, such as a pipe... |
| V-259150 | | The vCenter VAMI service must set the encoding for all text mime types to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-259151 | | The vCenter VAMI service must disable directory listing. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content d... |
| V-259152 | | The vCenter VAMI service must not be configured to use the "mod_status" module. | Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of ... |
| V-259153 | | The vCenter VAMI service must have debug logging disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-259154 | | The vCenter VAMI service must enable honoring the SSL cipher order. | During a Transport Layer Security (TLS) session negotiation, when choosing a cipher during a handshake, normally the client's preference is used. This... |
| V-259155 | | The vCenter VAMI service must disable client initiated TLS renegotiation. | All versions of the Secure Sockets Layer (SSL) and TLS protocols (up to and including TLS 1.2) are vulnerable to a man-in-the-middle attack (CVE-2009-... |
| V-259156 | | The vCenter VAMI service must be configured to hide the server type and version in client responses. | Web servers will often display error messages to client users, displaying enough information to aid in the debugging of the error. The information giv... |
| V-259157 | | The vCenter VAMI service must implement HTTP Strict Transport Security (HSTS). | HSTS instructs web browsers to only use secure connections for all future requests when communicating with a website. Doing so helps prevent SSL proto... |
| V-259158 | | The vCenter VAMI service must implement prevent rendering inside a frame or iframe on another site. | Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a b... |
| V-259159 | | The vCenter VAMI service must protect against MIME sniffing. | MIME sniffing was, and still is, a technique used by some web browsers to examine the content of a particular asset. This is done for the purpose of d... |
| V-259160 | | The vCenter VAMI service must enable Content Security Policy. | A Content Security Policy (CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browse... |
| V-259148 | | The vCenter VAMI service must enable FIPS mode. | Encryption is only as good as the encryption modules used. Unapproved cryptographic module algorithms cannot be verified and cannot be relied on to pr... |
