The vCenter Server must use unique service accounts when applications connect to vCenter.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258945 | VCSA-80-000278 | SV-258945r934493_rule | CCI-000366 | medium |
| Description | ||||
| To not violate nonrepudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they must use unique service accounts. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Security Technical Implementation Guide | 2023-10-11 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-258945r934493_chk)
Verify each external application that connects to vCenter has a unique service account dedicated to that application.
For example, there should be separate accounts for Log Insight, Operations Manager, or anything else that requires an account to access vCenter.
If any application shares a service account that is used to connect to vCenter, this is a finding.
Fix Text (F-62594r934492_fix)
For applications sharing service accounts, create a new service account to assign to the application so that no application shares a service account with another.
When standing up a new application that requires access to vCenter, always create a new service account prior to installation and grant only the permissions needed for that application.