Detections
Analytics
VCSA-80-000283 - The vCenter Server must disable Username/Password and Windows Integrated Authentication.
Information
All forms of authentication other than Common Access Card (CAC) must be disabled. Password authentication can be temporarily reenabled for emergency access to the local Single Sign-On (SSO) accounts or Active Directory user/pass accounts, but it must be disabled as soon as CAC authentication is functional.NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.Next to "Authentication method", click "Edit".
Select to radio button to "Enable smart card authentication".
Click "Save".
To re-enable password authentication for troubleshooting purposes, run the following command on the vCenter Server Appliance:
# /opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y25M07_STIG.zip
Item Details
Audit Name: DISA VMware vSphere 8.0 vCenter STIG v2r3
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-258950r961863_rule, STIG-ID|VCSA-80-000283, Vuln-ID|V-258950
Plugin: VMware
Control ID: 800e402078d07517000349ec22ae7f434828561a11ea68e4175e70e1b7159616