STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:

The vCenter Server users must have the correct roles assigned.

DISA Rule

SV-243076r719471_rule

Vulnerability Number

V-243076

Group Title

SRG-APP-000211

Rule Version

VCTR-67-000005

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To update a user's or group's permissions to an existing role with reduced permissions:

From the vSphere Client, go to Administration >> Access Control >> Global Permissions.

Select the user or group, click "Edit", change the assigned role, and click "OK".

If permissions are assigned on a specific object, the role must be updated where it is assigned (for example, at the cluster level).

To create a new role with reduced permissions:

From the vSphere Client, go to Administration >> Access Control >> Roles.

Click the green plus sign, enter a name for the role, and select only the specific permissions required.

Users can then be assigned to the newly created role.

Check Contents

From the vSphere Client, go to Administration >> Access Control >> Roles.

View each role and verify the users and/or groups assigned to it.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto

The privileges required by each application service account and user should be documented, so that the privileges actually granted by each role can be compared against a known baseline.

If any user or service account has more privileges than required, this is a finding.
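The check above lists who holds which role, but the finding turns on privileges, not role names: a role's PrivilegeList is what the principal can actually do. The following PowerCLI script is an added example, not part of the STIG text, that automates both the check (compare every permission's effective privileges against a documented baseline) and the fix (build a reduced role from the baseline and move the principal onto it). It assumes an existing Connect-VIServer session; the baseline table, the principals in it, and the role name 'Backup-Snapshots-Only' are constructed for illustration. The privilege IDs used (System.Anonymous, System.View, System.Read, VirtualMachine.State.CreateSnapshot, VirtualMachine.State.RemoveSnapshot) are real vSphere privilege IDs, but which ones a given account needs is a site decision.

```powershell
# Added example (not from the STIG): flag principals whose effective vCenter
# privileges exceed what is documented, then remediate one finding.
# Assumes a live PowerCLI session (Connect-VIServer) already exists.

# Constructed baseline: principal -> privilege IDs it is documented as needing.
# In practice this comes from the site's privilege documentation.
$Baseline = @{
    'VSPHERE.LOCAL\svc-backup' = @('System.Anonymous', 'System.View', 'System.Read',
                                  'VirtualMachine.State.CreateSnapshot',
                                  'VirtualMachine.State.RemoveSnapshot')
    'CORP\vSphere-ReadOnly'    = @('System.Anonymous', 'System.View', 'System.Read')
}

# Resolve each role once. Get-VIRole exposes the privilege IDs a role grants
# in its PrivilegeList property.
$RolePrivileges = @{}
foreach ($role in Get-VIRole) {
    $RolePrivileges[$role.Name] = @($role.PrivilegeList)
}

# Walk every permission (global and object-level) and compute the excess
# privileges for each principal relative to the baseline.
$Findings = foreach ($perm in Get-VIPermission) {
    $granted = $RolePrivileges[$perm.Role]
    if ($Baseline.ContainsKey($perm.Principal)) {
        $excess = $granted | Where-Object { $Baseline[$perm.Principal] -notcontains $_ }
    } else {
        # An undocumented principal is itself a finding: nothing it holds is justified.
        $excess = $granted
    }
    if ($excess) {
        [pscustomobject]@{
            Principal  = $perm.Principal
            Role       = $perm.Role
            Entity     = $perm.Entity.Name
            Propagate  = $perm.Propagate
            IsGroup    = $perm.IsGroup
            Documented = $Baseline.ContainsKey($perm.Principal)
            Excess     = ($excess -join ', ')
        }
    }
}

# Any row here is a finding under VCTR-67-000005.
$Findings | Sort-Object Principal, Entity | Format-Table -AutoSize

# Remediation for a documented principal that was over-privileged: create a role
# containing only the documented privileges and reassign every permission the
# principal holds to it. The role name is hypothetical.
$principal = 'VSPHERE.LOCAL\svc-backup'
if ($Findings | Where-Object { $_.Principal -eq $principal -and $_.Documented }) {
    $reducedRole = New-VIRole -Name 'Backup-Snapshots-Only' `
        -Privilege (Get-VIPrivilege -Id $Baseline[$principal]) -Confirm:$false
    Get-VIPermission -Principal $principal |
        Set-VIPermission -Role $reducedRole -Confirm:$false
}
```

Two points a reviewer of the output should keep in mind. First, Get-VIPermission returns one row per assignment, so a principal granted at the cluster level and again at a folder appears twice and must be remediated at each object, which is why the remediation pipes every permission for the principal rather than editing a single row. Second, an undocumented principal is reported with all of its privileges as excess; that is deliberate, since the rule treats an undocumented account as holding more than its documented requirement of nothing.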

Vulnerability Number

V-243076

Documentable

False

Rule Version

VCTR-67-000005

Severity Override Guidance

From the vSphere Client, go to Administration >> Access Control >> Roles.

View each role and verify the users and/or groups assigned to it.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto

The privileges required by each application service account and user should be documented, so that the privileges actually granted by each role can be compared against a known baseline.

If any user or service account has more privileges than required, this is a finding.

Check Content Reference

M

Target Key

5399

Comments