STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 09 Mar 2021:

The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an SSO identity source.

DISA Rule

SV-243123r719612_rule

Vulnerability Number

V-243123

Group Title

SRG-APP-000516

Rule Version

VCTR-67-000068

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the vSphere Client, go to Administration >> Single Sign-On >> Configuration.

Click the "Identity Sources" tab.

For each identity source of type "Active Directory" where LDAPS is not configured, highlight the item and click "Edit".

Ensure the primary and secondary server URLs, if specified, are configured for "ldaps://".

At the bottom, click "Browse", select the AD LDAP server certificate previously exported to the local computer, click "Open", and then click "Save" to complete the modifications.

Note: With LDAPS, the server URL must name either a specific domain controller, with that controller's own certificate uploaded, or the domain alias, with a certificate that is valid for the hostname in that URL. A certificate issued only to an individual domain controller will not validate a URL that uses the domain alias, and the LDAPS bind will fail.

Check Contents

From the vSphere Client, go to Administration >> Single Sign-On >> Configuration.

Click the "Identity Sources" tab.

For each identity source of type "Active Directory", if the "Server URL" does not indicate "ldaps://", this is a finding.
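The check above is a manual inspection in the vSphere Client. The following is an added example, not part of the STIG or of any VMware tool, that automates the same two tests over an exported list of identity sources: every primary and secondary server URL of an Active Directory source must use the ldaps:// scheme, and the hostname in each URL must be covered by the certificate that was uploaded for it (the caveat in the fix note). The record layout (name, type, primary_url, secondary_url, cert_sans) and the sample data are constructed for this example and are not a vCenter API; hostname_matches is a simplified RFC 6125 match (exact name or one left-most wildcard label). live_ldaps_check is an optional network probe and is not exercised offline.

```python
"""Audit vCenter SSO Active Directory identity sources for LDAPS (VCTR-67-000068).

Added example, not part of the STIG or of any VMware tool. It assumes the
identity-source list has already been transcribed into dicts with the fields
shown in SAMPLE_SOURCES (constructed data); the field names are an assumption.
"""
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample: what an auditor might record from
# Administration >> Single Sign-On >> Configuration >> Identity Sources.
SAMPLE_SOURCES = [
    {"name": "corp.example.com", "type": "Active Directory",
     "primary_url": "ldaps://dc01.corp.example.com:636",
     "secondary_url": "ldaps://dc02.corp.example.com:636",
     "cert_sans": ["dc01.corp.example.com", "dc02.corp.example.com"]},
    {"name": "lab.example.com", "type": "Active Directory",
     "primary_url": "ldap://dc01.lab.example.com:389",   # plaintext LDAP: finding
     "secondary_url": "",
     "cert_sans": []},
    {"name": "ad.example.com", "type": "Active Directory",
     # Domain alias in the URL, but the uploaded certificate is only valid for
     # one specific domain controller: the caveat in the STIG fix note.
     "primary_url": "ldaps://ad.example.com",
     "secondary_url": "",
     "cert_sans": ["dc01.ad.example.com"]},
    {"name": "localos", "type": "Local OS",          # not an AD source: skipped
     "primary_url": "", "secondary_url": "", "cert_sans": []},
]


def hostname_matches(host, san):
    """Simplified RFC 6125 match: exact name, or a single left-most wildcard label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        h_labels, s_labels = host.split("."), san.split(".")
        return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]
    return host == san


def audit_source(src):
    """Return a list of finding strings for one identity source (empty = compliant)."""
    findings = []
    if src["type"] != "Active Directory":
        return findings  # the check applies only to Active Directory (LDAP) sources
    for field in ("primary_url", "secondary_url"):
        url = src.get(field, "")
        if not url:
            continue  # the secondary server is optional
        parsed = urlparse(url)
        if parsed.scheme.lower() != "ldaps":
            findings.append(f"{src['name']}: {field} {url!r} does not use ldaps://")
            continue
        host = parsed.hostname or ""
        if not any(hostname_matches(host, san) for san in src.get("cert_sans", [])):
            findings.append(
                f"{src['name']}: {field} host {host!r} is not covered by the "
                f"configured certificate (SANs: {src.get('cert_sans')})")
    return findings


def audit(sources):
    """Audit every identity source; returns {name: [findings]} for non-compliant ones."""
    result = {}
    for src in sources:
        findings = audit_source(src)
        if findings:
            result[src["name"]] = findings
    return result


def live_ldaps_check(host, cafile, port=636, timeout=5.0):
    """Optional live probe (not run offline): complete a TLS handshake with the
    domain controller, verifying the chain against cafile and the hostname against
    the certificate, which is what vCenter must succeed at when it binds over LDAPS."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SOURCES).items():
        for finding in findings:
            print("FINDING:", finding)
```

Running the block reports the lab source (plaintext ldap://) and the ad source (alias URL not covered by a per-controller certificate) as findings; the corp source, whose certificate SANs cover both configured controllers, passes. Point live_ldaps_check at a real controller and the exported CA file to confirm the handshake before saving the identity source.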

Documentable

False

Severity Override Guidance

From the vSphere Client, go to Administration >> Single Sign-On >> Configuration.

Click the "Identity Sources" tab.

For each identity source of type "Active Directory", if the "Server URL" does not indicate "ldaps://", this is a finding.

Check Content Reference

M

Target Key

5399

Comments