DISA STIG VMware vSphere vCenter 6.5 v2r2

Audit Details

Name: DISA STIG VMware vSphere vCenter 6.5 v2r2

Updated: 4/25/2022

Authority: DISA STIG

Plugin: VMware

Revision: 1.2

Estimated Item Count: 65

File Details

Filename: DISA_STIG_VMware_vSphere_vCenter_6.5_v2r2.audit

Size: 117 kB

MD5: 814f3932b1f3917c1ee0641674b8e065
SHA256: 9257029a394e0a305896be72714a0e245ab11cb8e9c3472738d6ddb2b4e94f8f

Audit Items

DescriptionCategories
VCWN-65-000001 - The vCenter Server for Windows must prohibit password reuse for a minimum of five generations.

IDENTIFICATION AND AUTHENTICATION

VCWN-65-000002 - The vCenter Server for Windows must not automatically refresh client sessions.

SYSTEM AND COMMUNICATIONS PROTECTION

VCWN-65-000003 - The vCenter Server for Windows must enforce a 60-day maximum password lifetime restriction.

IDENTIFICATION AND AUTHENTICATION

VCWN-65-000004 - The vCenter Server for Windows must terminate management sessions after 10 minutes of inactivity.

SYSTEM AND COMMUNICATIONS PROTECTION

VCWN-65-000005 - The vCenter Server for Windows users must have the correct roles assigned.

SYSTEM AND COMMUNICATIONS PROTECTION

VCWN-65-000007 - The vCenter Server for Windows must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC).

CONFIGURATION MANAGEMENT

VCWN-65-000008 - The vCenter Server for Windows must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.

AUDIT AND ACCOUNTABILITY

VCWN-65-000009 - The vCenter Server for Windows must use Active Directory authentication.

IDENTIFICATION AND AUTHENTICATION

VCWN-65-000010 - The vCenter Server for Windows must limit the use of the built-in SSO administrative account.

IDENTIFICATION AND AUTHENTICATION

VCWN-65-000012 - The vCenter Server for Windows must disable the distributed virtual switch health check.

CONFIGURATION MANAGEMENT

VCWN-65-000013 - The vCenter Server for Windows must set the distributed port group Forged Transmits policy to reject.

CONFIGURATION MANAGEMENT

VCWN-65-000014 - The vCenter Server for Windows must set the distributed port group MAC Address Change policy to reject.

CONFIGURATION MANAGEMENT

VCWN-65-000015 - The vCenter Server for Windows must set the distributed port group Promiscuous Mode policy to reject.

CONFIGURATION MANAGEMENT

VCWN-65-000016 - The vCenter Server for Windows must only send NetFlow traffic to authorized collectors.

CONFIGURATION MANAGEMENT

VCWN-65-000017 - The vCenter Server for Windows must not override port group settings at the port level on distributed switches.

CONFIGURATION MANAGEMENT

VCWN-65-000018 - The vCenter Server for Windows must configure all port groups to a value other than that of the native VLAN.

CONFIGURATION MANAGEMENT

VCWN-65-000019 - The vCenter Server for Windows must configure all port groups to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.

CONFIGURATION MANAGEMENT

VCWN-65-000020 - The vCenter Server for Windows must not configure all port groups to VLAN values reserved by upstream physical switches.

CONFIGURATION MANAGEMENT

VCWN-65-000021 - The vCenter Server for Windows must enable SSL for Network File Copy (NFC).

CONFIGURATION MANAGEMENT

VCWN-65-000022 - The vCenter Server for Windows services must be ran using a service account instead of a built-in Windows account.

CONFIGURATION MANAGEMENT

VCWN-65-000023 - The vCenter Server for Windows must configure the vpxuser auto-password to be changed every 30 days.

CONFIGURATION MANAGEMENT

VCWN-65-000024 - The vCenter Server for Windows must configure the vpxuser password meets length policy.

CONFIGURATION MANAGEMENT

VCWN-65-000025 - The vCenter Server for Windows must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.

CONFIGURATION MANAGEMENT

VCWN-65-000026 - The vCenter Server for Windows must check the privilege re-assignment after restarts.

CONFIGURATION MANAGEMENT

VCWN-65-000027 - The vCenter Server for Windows must minimize access to the vCenter server.

CONFIGURATION MANAGEMENT

VCWN-65-000028 - The vCenter Server for Windows Administrators must clean up log files after failed installations.

CONFIGURATION MANAGEMENT

VCWN-65-000029 - The vCenter Server for Windows must enable all tasks to be shown to Administrators in the Web Client.

CONFIGURATION MANAGEMENT

VCWN-65-000030 - The vCenter Server for Windows Administrator role must be secured and assigned to specific users other than a Windows Administrator.

CONFIGURATION MANAGEMENT

VCWN-65-000031 - The vCenter Server for Windows must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.

CONFIGURATION MANAGEMENT

VCWN-65-000032 - The vCenter Server for Windows must use a least-privileges assignment for the Update Manager database user.

CONFIGURATION MANAGEMENT

VCWN-65-000033 - The vCenter Server for Windows must use a least-privileges assignment for the vCenter Server database user.

CONFIGURATION MANAGEMENT

VCWN-65-000034 - The vCenter Server for Windows must use unique service accounts when applications connect to vCenter.

CONFIGURATION MANAGEMENT

VCWN-65-000035 - vCenter Server for Windows plugins must be verified.

CONFIGURATION MANAGEMENT

VCWN-65-000036 - The vCenter Server for Windows must produce audit records containing information to establish what type of events occurred.

SYSTEM AND INFORMATION INTEGRITY

VCWN-65-000039 - The vCenter Server for Windows passwords must be at least 15 characters in length.

IDENTIFICATION AND AUTHENTICATION

VCWN-65-000040 - The vCenter Server for Windows passwords must contain at least one uppercase character.

IDENTIFICATION AND AUTHENTICATION

VCWN-65-000041 - The vCenter Server for Windows passwords must contain at least one lowercase character.

IDENTIFICATION AND AUTHENTICATION

VCWN-65-000042 - The vCenter Server for Windows passwords must contain at least one numeric character.

IDENTIFICATION AND AUTHENTICATION

VCWN-65-000043 - The vCenter Server for Windows passwords must contain at least one special character.

IDENTIFICATION AND AUTHENTICATION

VCWN-65-000045 - The vCenter Server for Windows must limit the maximum number of failed login attempts to three.

ACCESS CONTROL

VCWN-65-000046 - The vCenter Server for Windows must set the interval for counting failed login attempts to at least 15 minutes.

ACCESS CONTROL

VCWN-65-000047 - The vCenter Server for Windows must require an administrator to unlock an account locked due to excessive login failures.

ACCESS CONTROL

VCWN-65-000048 - The vCenter Server for Windows must alert administrators on permission creation operations.

SYSTEM AND INFORMATION INTEGRITY

VCWN-65-000049 - The vCenter Server for Windows must alert administrators on permission deletion operations.

SYSTEM AND INFORMATION INTEGRITY

VCWN-65-000050 - The vCenter Server for Windows must alert administrators on permission update operations.

SYSTEM AND INFORMATION INTEGRITY

VCWN-65-000051 - The vCenter Server for Windows users must have the correct roles assigned.

SYSTEM AND COMMUNICATIONS PROTECTION

VCWN-65-000052 - The vCenter Server for Windows must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.

CONFIGURATION MANAGEMENT

VCWN-65-000053 - The vCenter Server for Windows must enable the vSAN Health Check.

CONFIGURATION MANAGEMENT

VCWN-65-000054 - The vCenter Server for Windows must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.

CONFIGURATION MANAGEMENT

VCWN-65-000055 - The vCenter Server for Windows must configure the vSAN Datastore name to a unique name.

CONFIGURATION MANAGEMENT