DISA STIG VMware vSphere vCenter 6.5 v2r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: DISA STIG VMware vSphere vCenter 6.5 v2r2

Updated: 12/6/2023

Authority: DISA STIG

Plugin: VMware

Revision: 1.4

Estimated Item Count: 65

File Details

Filename: DISA_STIG_VMware_vSphere_vCenter_6.5_v2r2.audit

Size: 108 kB

MD5: 21ea124eea274356b23553a21c8fcb55
SHA256: ae60524590b58647dcb4cd3f6dea3fd28dbab8c1b6d575f6dc7ca893141086a5

Audit Items

Description | Categories
VCWN-65-000001 - The vCenter Server for Windows must prohibit password reuse for a minimum of five generations.
VCWN-65-000002 - The vCenter Server for Windows must not automatically refresh client sessions.
VCWN-65-000003 - The vCenter Server for Windows must enforce a 60-day maximum password lifetime restriction.
VCWN-65-000004 - The vCenter Server for Windows must terminate management sessions after 10 minutes of inactivity.
VCWN-65-000005 - The vCenter Server for Windows users must have the correct roles assigned.
VCWN-65-000007 - The vCenter Server for Windows must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC).
VCWN-65-000008 - The vCenter Server for Windows must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.
VCWN-65-000009 - The vCenter Server for Windows must use Active Directory authentication.
VCWN-65-000010 - The vCenter Server for Windows must limit the use of the built-in SSO administrative account.
VCWN-65-000012 - The vCenter Server for Windows must disable the distributed virtual switch health check.
VCWN-65-000013 - The vCenter Server for Windows must set the distributed port group Forged Transmits policy to reject.
VCWN-65-000014 - The vCenter Server for Windows must set the distributed port group MAC Address Change policy to reject.
VCWN-65-000015 - The vCenter Server for Windows must set the distributed port group Promiscuous Mode policy to reject.
VCWN-65-000016 - The vCenter Server for Windows must only send NetFlow traffic to authorized collectors.
VCWN-65-000017 - The vCenter Server for Windows must not override port group settings at the port level on distributed switches.
VCWN-65-000018 - The vCenter Server for Windows must configure all port groups to a value other than that of the native VLAN.
VCWN-65-000019 - The vCenter Server for Windows must configure all port groups to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
VCWN-65-000020 - The vCenter Server for Windows must not configure all port groups to VLAN values reserved by upstream physical switches.
VCWN-65-000021 - The vCenter Server for Windows must enable SSL for Network File Copy (NFC). | SYSTEM AND COMMUNICATIONS PROTECTION

VCWN-65-000022 - The vCenter Server for Windows services must be run using a service account instead of a built-in Windows account.
VCWN-65-000023 - The vCenter Server for Windows must configure the vpxuser auto-password to be changed every 30 days. | IDENTIFICATION AND AUTHENTICATION

VCWN-65-000024 - The vCenter Server for Windows must ensure the vpxuser password meets the length policy. | IDENTIFICATION AND AUTHENTICATION

VCWN-65-000025 - The vCenter Server for Windows must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.
VCWN-65-000026 - The vCenter Server for Windows must check the privilege re-assignment after restarts.
VCWN-65-000027 - The vCenter Server for Windows must minimize access to the vCenter server.
VCWN-65-000028 - The vCenter Server for Windows Administrators must clean up log files after failed installations.
VCWN-65-000029 - The vCenter Server for Windows must enable all tasks to be shown to Administrators in the Web Client.
VCWN-65-000030 - The vCenter Server for Windows Administrator role must be secured and assigned to specific users other than a Windows Administrator.
VCWN-65-000031 - The vCenter Server for Windows must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.
VCWN-65-000032 - The vCenter Server for Windows must use a least-privileges assignment for the Update Manager database user.
VCWN-65-000033 - The vCenter Server for Windows must use a least-privileges assignment for the vCenter Server database user.
VCWN-65-000034 - The vCenter Server for Windows must use unique service accounts when applications connect to vCenter.
VCWN-65-000035 - vCenter Server for Windows plugins must be verified.
VCWN-65-000036 - The vCenter Server for Windows must produce audit records containing information to establish what type of events occurred. | AUDIT AND ACCOUNTABILITY

VCWN-65-000039 - The vCenter Server for Windows passwords must be at least 15 characters in length.
VCWN-65-000040 - The vCenter Server for Windows passwords must contain at least one uppercase character.
VCWN-65-000041 - The vCenter Server for Windows passwords must contain at least one lowercase character.
VCWN-65-000042 - The vCenter Server for Windows passwords must contain at least one numeric character.
VCWN-65-000043 - The vCenter Server for Windows passwords must contain at least one special character.
VCWN-65-000045 - The vCenter Server for Windows must limit the maximum number of failed login attempts to three.
VCWN-65-000046 - The vCenter Server for Windows must set the interval for counting failed login attempts to at least 15 minutes.
VCWN-65-000047 - The vCenter Server for Windows must require an administrator to unlock an account locked due to excessive login failures.
VCWN-65-000048 - The vCenter Server for Windows must alert administrators on permission creation operations.
VCWN-65-000049 - The vCenter Server for Windows must alert administrators on permission deletion operations.
VCWN-65-000050 - The vCenter Server for Windows must alert administrators on permission update operations.
VCWN-65-000051 - The vCenter Server for Windows users must have the correct roles assigned.
VCWN-65-000052 - The vCenter Server for Windows must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
VCWN-65-000053 - The vCenter Server for Windows must enable the vSAN Health Check.
VCWN-65-000054 - The vCenter Server for Windows must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
VCWN-65-000055 - The vCenter Server for Windows must configure the vSAN Datastore name to a unique name.