STIGQter: STIG Summary: VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

The vCenter Server for Windows must use a least-privileges assignment for the vCenter Server database user.

DISA Rule

SV-216855r612237_rule

Vulnerability Number

V-216855

Group Title

SRG-APP-000516

Rule Version

VCWN-65-000033

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure correct permissions and roles for SQL:

Grant these privileges to a vCenter database administrator role used only for initial setup and periodic maintenance of the database:
Schema permissions ALTER, REFERENCES, and INSERT.
Permissions CREATE TABLE, ALTER TABLE, VIEW, and CREATE PROCEDURES.

Grant these privileges to a vCenter database user role:
SELECT, INSERT, DELETE, UPDATE, and EXECUTE.
EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures.
SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables.

Grant the permissions VIEW SERVER STATE and VIEW ANY DEFINITIONS to the vCenter database user.

Check Contents

Verify only the following permissions are allowed on the vCenter database for the following roles and users.

vCenter database administrator role used only for initial setup and periodic maintenance of the database:
Schema permissions ALTER, REFERENCES, and INSERT.
Permissions CREATE TABLE, ALTER TABLE, VIEW, and CREATE PROCEDURES.

vCenter database user role:
SELECT, INSERT, DELETE, UPDATE, and EXECUTE.
EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures.
SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables.

vCenter database user:
VIEW SERVER STATE and VIEW ANY DEFINITIONS.

Equivalent permissions must be set for Non-MS databases.

If the above database permissions are not set correctly, this is a finding.
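The Fix Recommendation and the Check Contents above as one T-SQL script, added here as an example and not the STIG's or VMware's own script. Assumed names: database VCDB, schema VMW, an existing SQL login vpxuser that vCenter connects with, and roles VC_ADMIN_ROLE and VC_USER_ROLE; the final query lists the explicit permissions held in VCDB so the result can be compared against the Check Contents list.

```sql
-- Added example (not the STIG's or VMware's own script). Assumed names:
-- database VCDB, schema VMW, login/user vpxuser (the account vCenter uses),
-- roles VC_ADMIN_ROLE and VC_USER_ROLE. Run as a sysadmin on the SQL Server.
USE VCDB;
GO
CREATE ROLE VC_ADMIN_ROLE;   -- setup/maintenance only, not used by vCenter at runtime
CREATE ROLE VC_USER_ROLE;    -- the role vCenter's service account runs under
CREATE USER vpxuser FOR LOGIN vpxuser;
ALTER ROLE VC_USER_ROLE ADD MEMBER vpxuser;
GO
-- Administrator role: schema-scoped ALTER/REFERENCES/INSERT plus the DDL permissions.
GRANT ALTER, REFERENCES, INSERT ON SCHEMA::VMW TO VC_ADMIN_ROLE;
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO VC_ADMIN_ROLE;
-- User role: DML and EXECUTE on the vCenter schema only, no DDL.
GRANT SELECT, INSERT, DELETE, UPDATE, EXECUTE ON SCHEMA::VMW TO VC_USER_ROLE;
GO
-- Server-level permissions go to the login (T-SQL name is VIEW ANY DEFINITION, singular).
USE master;
GO
GRANT VIEW SERVER STATE TO vpxuser;
GRANT VIEW ANY DEFINITION TO vpxuser;
GO
-- SQL Agent job objects live in msdb: grant exactly the listed procedures and tables.
USE msdb;
GO
CREATE USER vpxuser FOR LOGIN vpxuser;
GRANT SELECT ON dbo.syscategories TO vpxuser;
GRANT SELECT ON dbo.sysjobsteps TO vpxuser;
GRANT SELECT ON dbo.sysjobs_view TO vpxuser;
GRANT SELECT ON dbo.sysjobs TO vpxuser;
GRANT EXECUTE ON dbo.sp_add_job TO vpxuser;
GRANT EXECUTE ON dbo.sp_delete_job TO vpxuser;
GRANT EXECUTE ON dbo.sp_add_jobstep TO vpxuser;
GRANT EXECUTE ON dbo.sp_update_job TO vpxuser;
GRANT EXECUTE ON dbo.sp_add_jobserver TO vpxuser;
GRANT EXECUTE ON dbo.sp_add_jobschedule TO vpxuser;
GRANT EXECUTE ON dbo.sp_add_category TO vpxuser;
GO
-- Check: list every explicit permission the roles and user hold in VCDB.
-- Any row beyond the Check Contents list (e.g. CONTROL on the database) is a finding.
USE VCDB;
GO
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE pe.class_desc WHEN 'SCHEMA' THEN SCHEMA_NAME(pe.major_id)
                          WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_NAME(pe.major_id) END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN ('VC_ADMIN_ROLE', 'VC_USER_ROLE', 'vpxuser')
ORDER BY pr.name, pe.class_desc, pe.permission_name;
```

The query reports explicit grants only; fixed-role membership such as db_owner must be checked separately (sys.database_role_members), since it would also exceed the permitted set.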

Vulnerability Number

V-216855

Documentable

False

Rule Version

VCWN-65-000033

Severity Override Guidance

Check Content Reference

M

Target Key

4030

Comments