STIGQter: STIG Summary: VMware vCenter Server Version 5 Security Technical Implementation Guide

Version: 1

Release: 7

Benchmark Date: 22 Apr 2016

SV-51402r2_rule: The VMware Update Manager must not be configured to manage its own VM or the VM of its vCenter Server.
SV-51403r2_rule: Privilege re-assignment must be checked after the vCenter Server restarts.
SV-51404r2_rule: The Web datastore browser must be disabled, unless required for normal day-to-day operations.
SV-51405r1_rule: The managed object browser must be disabled, at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.
SV-51406r1_rule: The vCenter Server must be installed using a service account instead of a built-in Windows account.
SV-51407r1_rule: The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.
SV-51408r1_rule: The vCenter Server administrative users must have the correct roles assigned.
SV-51409r1_rule: Access to SSL certificates must be monitored.
SV-51411r1_rule: Expired certificates must be removed from the vCenter Server.
SV-51412r1_rule: Log files must be cleaned up after failed installations of the vCenter Server.
SV-51413r1_rule: Revoked certificates must be removed from the vCenter Server.
SV-51414r1_rule: The vCenter Administrator role must be secured and assigned to specific users other than a Windows Administrator.
SV-51415r1_rule: Access to SSL certificates must be restricted.
SV-51416r1_rule: The system must restrict unauthorized vSphere users from being able to execute commands within the guest virtual machine.
SV-51417r1_rule: The use of Linux-based clients must be restricted.
SV-51418r1_rule: Network access to the vCenter Server system must be restricted.
SV-51419r1_rule: A least-privileges assignment must be used for the vCenter Server database user.
SV-51420r2_rule: A least-privileges assignment must be used for the Update Manager database user.
SV-51421r1_rule: The system must set a timeout for all thick-client logins without activity.
SV-51422r1_rule: vSphere Client plugins must be verified.
SV-51424r2_rule: The vCenter Administrator role must be secured by assignment to specific users authorized as vCenter Administrators.
SV-51426r1_rule: The Update Manager Download Server must be isolated from direct connection to Internet public patch repositories by a proxy server.
SV-51427r1_rule: The Update Manager must not directly connect to public patch repositories on the Internet.