VCENTER-000031 - The vCenter Administrator role must be secured by assignment to specific users authorized as vCenter Administrators.

Information

By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and be assigned to a special-purpose local vCenter Administrator account. This account should be used to create individual user accounts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Log into the Windows server as the Windows administrative user and create an ordinary user account that will be used to manage vCenter Server (example user: vAdmin).

Ensure the ordinary user account (created above) does not belong to any local groups (example group: administrators).

As the Windows administrative user, log into the vCenter Server (using the vSphere Client). Grant the role of administrator (global vCenter Server administrator) to the ordinary user account (created above).

Log into the vCenter Server (using the vSphere Client) with the ordinary user account (created above) and verify that the user is able to perform all vCenter Server administrative tasks.

As the Windows administrative user, log into the vCenter Server (using the vSphere Client). Delete the local administrator group from the permissions tab in the vSphere Client. Close the vSphere Client connection and attempt to reconnect to the Windows server as the Windows administrative user. The connection should now fail due to lack of administrator access/permissions.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_vCenter_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|I, CCI|CCI-000366, Group-ID|V-39566, Rule-ID|SV-250746r799928_rule, STIG-ID|VCENTER-000031, STIG-Legacy|SV-51424, STIG-Legacy|V-39566, Vuln-ID|V-250746

Plugin: VMware

Control ID: 6065a1ae1f7d6153ea113d5761f68010e3cd91f380c0c8f1f15b63d6564c8124