STIGQter: STIG Summary: VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide

Version: 1
Release: 2
Benchmark Date: 24 Jan 2020

Checked  Name              Title
         SV-104545r1_rule  The vCenter Server for Windows must prohibit password reuse for a minimum of five generations.
         SV-104547r1_rule  The vCenter Server for Windows must not automatically refresh client sessions.
         SV-104551r1_rule  The vCenter Server for Windows must enforce a 60-day maximum password lifetime restriction.
         SV-104553r1_rule  The vCenter Server for Windows must terminate management sessions after 10 minutes of inactivity.
         SV-104555r1_rule  The vCenter Server for Windows users must have the correct roles assigned.
         SV-104557r1_rule  The vCenter Server for Windows must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC).
         SV-104559r1_rule  The vCenter Server for Windows must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.
         SV-104561r1_rule  The vCenter Server for Windows must use Active Directory authentication.
         SV-104563r1_rule  The vCenter Server for Windows must limit the use of the built-in SSO administrative account.
         SV-104565r1_rule  The vCenter Server for Windows must disable the distributed virtual switch health check.
         SV-104567r1_rule  The vCenter Server for Windows must set the distributed port group Forged Transmits policy to reject.
         SV-104569r1_rule  The vCenter Server for Windows must set the distributed port group MAC Address Change policy to reject.
         SV-104571r1_rule  The vCenter Server for Windows must set the distributed port group Promiscuous Mode policy to reject.
         SV-104573r1_rule  The vCenter Server for Windows must only send NetFlow traffic to authorized collectors.
         SV-104575r1_rule  The vCenter Server for Windows must not override port group settings at the port level on distributed switches.
         SV-104577r1_rule  The vCenter Server for Windows must configure all port groups to a value other than that of the native VLAN.
         SV-104579r1_rule  The vCenter Server for Windows must not configure port groups to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
         SV-104581r1_rule  The vCenter Server for Windows must not configure port groups to VLAN values reserved by upstream physical switches.
         SV-104583r1_rule  The vCenter Server for Windows must enable SSL for Network File Copy (NFC).
         SV-104585r1_rule  The vCenter Server for Windows services must be run using a service account instead of a built-in Windows account.
         SV-104587r1_rule  The vCenter Server for Windows must configure the vpxuser auto-password to be changed every 30 days.
         SV-104589r1_rule  The vCenter Server for Windows must configure the vpxuser password to meet the length policy.
         SV-104591r1_rule  The vCenter Server for Windows must disable the Managed Object Browser (MOB) except when it is required for troubleshooting or maintenance of managed objects.
         SV-104593r1_rule  The vCenter Server for Windows must minimize access to the vCenter server.
         SV-104595r1_rule  The vCenter Server for Windows Administrators must clean up log files after failed installations.
         SV-104597r1_rule  The vCenter Server for Windows must enable all tasks to be shown to Administrators in the Web Client.
         SV-104599r1_rule  The vCenter Server for Windows Administrator role must be secured and assigned to specific users other than a Windows Administrator.
         SV-104601r1_rule  The vCenter Server for Windows must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.
         SV-104603r1_rule  The vCenter Server for Windows must use a least-privileges assignment for the Update Manager database user.
         SV-104605r2_rule  The vCenter Server for Windows must use a least-privileges assignment for the vCenter Server database user.
         SV-104607r1_rule  The vCenter Server for Windows must use unique service accounts when applications connect to vCenter.
         SV-104609r1_rule  vCenter Server for Windows plugins must be verified.
         SV-104611r1_rule  The vCenter Server for Windows must produce audit records containing information to establish what type of events occurred.
         SV-104613r1_rule  The vCenter Server for Windows passwords must be at least 15 characters in length.
         SV-104615r1_rule  The vCenter Server for Windows passwords must contain at least one uppercase character.
         SV-104617r1_rule  The vCenter Server for Windows passwords must contain at least one lowercase character.
         SV-104619r1_rule  The vCenter Server for Windows passwords must contain at least one numeric character.
         SV-104621r1_rule  The vCenter Server for Windows passwords must contain at least one special character.
         SV-104623r1_rule  The vCenter Server for Windows must limit the maximum number of failed login attempts to three.
         SV-104625r1_rule  The vCenter Server for Windows must set the interval for counting failed login attempts to at least 15 minutes.
         SV-104627r1_rule  The vCenter Server for Windows must require an administrator to unlock an account locked due to excessive login failures.
         SV-104629r1_rule  The vCenter Server for Windows must alert administrators on permission creation operations.
         SV-104631r2_rule  The vCenter Server for Windows must alert administrators on permission deletion operations.
         SV-104633r1_rule  The vCenter Server for Windows must alert administrators on permission update operations.
         SV-104635r1_rule  The vCenter Server for Windows users must have the correct roles assigned.
         SV-104637r1_rule  The vCenter Server for Windows must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
         SV-104639r1_rule  The vCenter Server for Windows must enable the vSAN Health Check.
         SV-104641r1_rule  The vCenter Server for Windows must disable or restrict the connectivity between the vSAN Health Check and the public Hardware Compatibility List by use of an external proxy server.
         SV-104643r1_rule  The vCenter Server for Windows must configure the vSAN Datastore name to a unique name.
         SV-104645r1_rule  The vCenter Server for Windows users must have the correct roles assigned.
         SV-104647r1_rule  The vCenter Server for Windows must enable TLS 1.2 exclusively.
         SV-104649r1_rule  The vCenter Server for Windows reverse proxy must use DoD approved certificates.
         SV-104651r1_rule  The vCenter Server for Windows must enable certificate based authentication.
         SV-104653r1_rule  The vCenter Server for Windows must enable revocation checking for certificate based authentication.
         SV-104655r1_rule  The vCenter Server for Windows must disable password and Windows integrated authentication.
         SV-104657r1_rule  The vCenter Server for Windows must enable the login banner for the vSphere Web Client.
         SV-104659r1_rule  The vCenter Server for Windows must restrict access to the cryptographic role.
         SV-104661r1_rule  The vCenter Server for Windows must restrict access to cryptographic permissions.
         SV-104663r1_rule  The vCenter Server for Windows must have Mutual CHAP configured for vSAN iSCSI targets.
         SV-104665r1_rule  The vCenter Server for Windows must have new Key Encryption Keys (KEKs) re-issued at regular intervals for vSAN encrypted datastore(s).
         SV-104667r1_rule  The vCenter Server for Windows must disable the Customer Experience Improvement Program (CEIP).
         SV-104669r1_rule  The vCenter Server for Windows must use LDAPS when adding an SSO identity source.
         SV-104671r1_rule  The vCenter Server for Windows must use a limited privilege account when adding an LDAP identity source.
         SV-104675r1_rule  The vCenter Server for Windows must check the privilege re-assignment after restarts.
         SV-104683r1_rule  The vCenter Server for Windows must disable SNMPv1.
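The following is an added, read-only PowerCLI audit for the distributed switch, port group and vpxuser items in the summary above. It is example code written for this page; it is not STIGQter's code and not part of the DISA STIG. It assumes VMware PowerCLI (including the VMware.VimAutomation.Vds module) is loaded and that Connect-VIServer has already been run against the vCenter. The vCenter advanced setting names it reads (VirtualCenter.VimPasswordExpirationInDays, config.vpxd.hostPasswordLength, config.vpxd.enableDebugBrowse, config.nfc.useSSL), the expected values, the authorized NetFlow collector list and the reserved VLAN list are the script author's assumptions and should be confirmed against the STIG check text for each rule before the result is treated as a compliance answer.

```powershell
# Added audit example (not part of STIGQter or of the DISA STIG): read-only
# PowerCLI checks for a subset of the vCenter Server for Windows STIG rules.
# Assumptions: PowerCLI with VMware.VimAutomation.Vds is loaded, Connect-VIServer
# has already been run, and the setting names / expected values / site lists
# below are confirmed against the STIG check text before use.

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding {
    param([string]$Rule, [string]$Target, [string]$Detail)
    $findings.Add([pscustomobject]@{ Rule = $Rule; Target = $Target; Detail = $Detail })
}

# Site-specific lists (assumptions: replace with your own approved values).
$authorizedCollectors = @('192.0.2.50')            # NetFlow collectors approved for SV-104573r1_rule
$nativeVlan           = 1                           # native VLAN on the upstream switches
$reservedVlans        = @(1002..1005) + @(4094)     # IDs commonly reserved by upstream physical switches

# --- vCenter advanced settings (assumed names and expected values) ----------------
$vc = $global:DefaultVIServer
$advanced = @(
    @{ Rule = 'SV-104587r1_rule'; Name = 'VirtualCenter.VimPasswordExpirationInDays'; Ok = { param($v) [int]$v -le 30 }; Want = '30 or less' }
    @{ Rule = 'SV-104589r1_rule'; Name = 'config.vpxd.hostPasswordLength';            Ok = { param($v) [int]$v -ge 32 }; Want = '32 or more' }
    @{ Rule = 'SV-104591r1_rule'; Name = 'config.vpxd.enableDebugBrowse';             Ok = { param($v) $v -eq 'false' };  Want = 'false' }
    @{ Rule = 'SV-104583r1_rule'; Name = 'config.nfc.useSSL';                         Ok = { param($v) $v -eq 'true' };   Want = 'true' }
)
foreach ($item in $advanced) {
    $setting = Get-AdvancedSetting -Entity $vc -Name $item.Name -ErrorAction SilentlyContinue
    if (-not $setting) {
        Add-Finding $item.Rule "vCenter:$($item.Name)" "not set; expected $($item.Want) (verify whether the product default applies)"
    } elseif (-not (& $item.Ok "$($setting.Value)")) {
        Add-Finding $item.Rule "vCenter:$($item.Name)" "is '$($setting.Value)'; expected $($item.Want)"
    }
}

# --- Distributed switches and port groups ------------------------------------------
foreach ($vds in Get-VDSwitch) {
    $cfg = $vds.ExtensionData.Config

    # SV-104565r1_rule: both VDS health checks (VLAN/MTU and teaming) must be off.
    foreach ($hc in @($cfg.HealthCheckConfig)) {
        if ($hc -and $hc.Enable) { Add-Finding 'SV-104565r1_rule' $vds.Name "health check enabled: $($hc.GetType().Name)" }
    }

    # SV-104573r1_rule: NetFlow (IPFIX) may only be sent to an authorized collector.
    $collector = $cfg.IpfixConfig.CollectorIpAddress
    if ($collector -and ($authorizedCollectors -notcontains $collector)) {
        Add-Finding 'SV-104573r1_rule' $vds.Name "NetFlow collector $collector is not in the authorized list"
    }

    foreach ($pg in ($vds | Get-VDPortgroup | Where-Object { -not $_.IsUplink })) {
        $target = "$($vds.Name)/$($pg.Name)"

        # SV-104567 / SV-104569 / SV-104571: the three security policies must be Reject.
        $sec = $pg | Get-VDSecurityPolicy
        if ($sec.ForgedTransmits)  { Add-Finding 'SV-104567r1_rule' $target 'Forged Transmits is Accept' }
        if ($sec.MacChanges)       { Add-Finding 'SV-104569r1_rule' $target 'MAC Address Changes is Accept' }
        if ($sec.AllowPromiscuous) { Add-Finding 'SV-104571r1_rule' $target 'Promiscuous Mode is Accept' }

        # SV-104575r1_rule: no per-port overrides of the port group policy may be allowed.
        $policy = $pg.ExtensionData.Config.Policy
        $overrides = $policy | Get-Member -MemberType Property |
            Where-Object { $_.Name -like '*OverrideAllowed' -and $policy.($_.Name) } |
            ForEach-Object { $_.Name }
        if ($overrides) { Add-Finding 'SV-104575r1_rule' $target "port-level override allowed: $($overrides -join ', ')" }

        # SV-104577 / SV-104579 / SV-104581: VLAN checks, read from the vSphere API VLAN spec.
        $vlan = $pg.ExtensionData.Config.DefaultPortConfig.Vlan
        switch ($vlan.GetType().Name) {
            'VmwareDistributedVirtualSwitchVlanIdSpec' {
                if ($vlan.VlanId -eq $nativeVlan)          { Add-Finding 'SV-104577r1_rule' $target "port group uses the native VLAN ($nativeVlan)" }
                if ($reservedVlans -contains $vlan.VlanId) { Add-Finding 'SV-104581r1_rule' $target "VLAN $($vlan.VlanId) is in the reserved list" }
            }
            'VmwareDistributedVirtualSwitchTrunkVlanSpec' {
                # On a VDS, VGT is expressed as a trunk range rather than the literal VLAN 4095.
                $ranges = ($vlan.VlanId | ForEach-Object { "$($_.Start)-$($_.End)" }) -join ','
                Add-Finding 'SV-104579r1_rule' $target "VLAN trunking [$ranges]: confirm VGT is documented as required"
            }
        }
    }
}

# --- Report ---------------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'No findings for the checked rules.'
} else {
    $findings | Sort-Object Rule, Target | Format-Table -AutoSize
}
```

Run it from an existing PowerCLI session; it changes nothing. A port group flagged on the three security policy rules can be corrected with `Set-VDSecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false` on the port group's policy object, while the SSO password, lockout and identity-source rules in the summary are not exposed through these cmdlets and still need to be checked in the vSphere Web Client.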