Information
All forms of authentication other than CAC must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts, but it must be disabled as soon as CAC authentication is functional.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere Client go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication. Next to 'Authentication methods', click 'Edit'. Click the 'Enable smart card authentication' radio button and click 'Save'.
To re-enable password authentication for troubleshooting purposes, run the following command on the vCenter server:
/opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local