VMware vCenter Server Version 5 STIG
VMware vCenter Server Version 5 Security Technical Implementation Guide. Version v2 r1, released Oct. 27, 2021.
VCENTER-000021: The use of Linux-based clients must be restricted.
Verify all client operating systems connecting to the vCenter Server are not Linux. If any client operating system connecting to the vCenter Server is Linux-based, this is a finding.
Discussion
Although SSL-based encryption is used to protect communication between client components and vCenter Server or ESXi, the Linux versions of these components do not perform certificate validation. Even if the self-signed certificates are replaced on vCenter and ESXi with legitimate certificates signed by the local root certificate authority or a third party, communications with Linux clients are still vulnerable to MiTM attacks.
Fix
Replace all Linux-based clients connecting to the vCenter Server with non-Linux-based clients.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
VCENTER-000018: The vCenter Administrator role must be secured and assigned to specific users other than a Windows Administrator.
Check the permissions assigned in vSphere. Verify that a non-Windows administrative user account is used to manage vCenter. Ensure the user does not belong to any local groups, such as administrator. If a Windows administrative account is used to manage vCenter, this is a finding. If the account used to manage vCenter belongs to a local Windows or administrative group, this is a finding.
Discussion
By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows administrator account and instead be given to a special-purpose local vCenter Administrator account. This account should be used to create individual user accounts.
Fix
Ensure that "Administrator" and any other account or group have no privileges except the user created as follows: Create an ordinary user account that will be used to manage vCenter (example: vi-admin). Make sure the user does not belong to any local groups, such as administrator. On the top-level hosts and clusters context, log on to vCenter as the Windows administrator; then grant the role of administrator (global vCenter administrator) to the created account. Log out of vCenter and log in with the created account. Verify the user is able to perform all tasks available to a vCenter administrator. Remove the permissions in vCenter for the local administrator group.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000023: A least-privileges assignment must be used for the vCenter Server database user.
Verify only the runtime privileges needed for the current vCenter state, on either Oracle or Microsoft SQL Server, are assigned. Verify that the following permissions are granted to the vCenter user in the vCenter database:
GRANT ALTER ON SCHEMA :: <schema> to <user>;
GRANT REFERENCES ON SCHEMA :: <schema> to <user>;
GRANT INSERT ON SCHEMA :: <schema> to <user>;
GRANT CREATE TABLE to <user>;
GRANT CREATE VIEW to <user>;
GRANT CREATE Procedure to <user>;
For SQL, verify that the following permissions are granted to the user in the MSDB database. Note that the msdb database is used by SQL Server Agent for scheduling alerts and jobs.
GRANT SELECT on msdb.dbo.syscategories to <user>;
GRANT SELECT on msdb.dbo.sysjobsteps to <user>;
GRANT SELECT ON msdb.dbo.sysjobs to <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_job TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_delete_job TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_update_job TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_category TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO <user>;
For Oracle, verify that the following permissions (or DBA role) are granted to the user:
grant connect to <user>
grant resource to <user>
grant create view to <user>
grant create materialized view to <user>
grant execute on dbms_job to <user>
grant execute on dbms_lock to <user>
grant unlimited tablespace to <user>
If the runtime privileges are not configured per the above guidelines, this is a finding.
Discussion
Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.
Fix
Set the runtime privileges needed for the current vCenter state, on either Oracle or Microsoft SQL Server, as noted below. Grant the following permissions to the vCenter user in the vCenter database:
GRANT ALTER ON SCHEMA :: <schema> to <user>;
GRANT REFERENCES ON SCHEMA :: <schema> to <user>;
GRANT INSERT ON SCHEMA :: <schema> to <user>;
GRANT CREATE TABLE to <user>;
GRANT CREATE VIEW to <user>;
GRANT CREATE Procedure to <user>;
Grant the following permissions to the user in the MSDB database. Note that the msdb database is used by SQL Server Agent for scheduling alerts and jobs.
GRANT SELECT on msdb.dbo.syscategories to <user>;
GRANT SELECT on msdb.dbo.sysjobsteps to <user>;
GRANT SELECT ON msdb.dbo.sysjobs to <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_job TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_delete_job TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_update_job TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_category TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO <user>;
For Oracle, either assign the DBA role or grant the following permissions to the user:
grant connect to <user>
grant resource to <user>
grant create view to <user>
grant create materialized view to <user>
grant execute on dbms_job to <user>
grant execute on dbms_lock to <user>
grant unlimited tablespace to <user>
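Checking the SQL Server side of the check above by script, as an added example that is not part of this STIG or of VMware's tooling: it reads the vCenter user's grants from the catalog views and diffs them against the runtime set listed above, and also lists database role memberships, since installation-time roles should be gone at runtime. The instance, database, schema and user names are placeholders for the site's values, and Windows authentication to the instance is assumed.

```powershell
# Added example (not from the STIG or VMware): compare the SQL Server grants actually held
# by the vCenter database user with the runtime set in VCENTER-000023 and report deviations.
# Placeholders: instance, database, schema and user names below are the site's own values.
param(
    [string]$Instance = 'localhost',   # placeholder SQL Server instance
    [string]$VcdbName = 'VCDB',        # placeholder vCenter database name
    [string]$Schema   = 'dbo',         # placeholder for <schema>
    [string]$DbUser   = 'vpxuser'      # placeholder for <user>
)

# Runtime permissions from the STIG as "<permission>|<target>"; an empty target means a
# database-level grant such as CREATE TABLE.
$Expected = @{}
$Expected[$VcdbName] = @(
    "ALTER|SCHEMA::$Schema", "REFERENCES|SCHEMA::$Schema", "INSERT|SCHEMA::$Schema",
    'CREATE TABLE|', 'CREATE VIEW|', 'CREATE PROCEDURE|'
)
$Expected['msdb'] = @(
    'SELECT|dbo.syscategories', 'SELECT|dbo.sysjobsteps', 'SELECT|dbo.sysjobs',
    'EXECUTE|dbo.sp_add_job', 'EXECUTE|dbo.sp_delete_job', 'EXECUTE|dbo.sp_add_jobstep',
    'EXECUTE|dbo.sp_update_job', 'EXECUTE|dbo.sp_add_category',
    'EXECUTE|dbo.sp_add_jobserver', 'EXECUTE|dbo.sp_add_jobschedule'
)

# Reads the GRANTed permissions of $User in $Database from the catalog views, plus the
# database roles the user belongs to. CONNECT is implicit for every database user and is
# skipped; permission_name is RTRIMmed because the view returns it space-padded.
function Get-DbUserPrivileges([string]$Database, [string]$User) {
    $query = @"
SELECT RTRIM(p.permission_name) AS permission_name,
       CASE p.class_desc
            WHEN 'SCHEMA' THEN 'SCHEMA::' + SCHEMA_NAME(p.major_id)
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id)
            ELSE '' END AS target
FROM sys.database_permissions p
JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
WHERE u.name = @user AND p.state IN ('G', 'W') AND p.permission_name <> 'CONNECT';
SELECT r.name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = @user;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=$Database;Integrated Security=True")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@user', $User)
    $ds = New-Object System.Data.DataSet
    [void](New-Object System.Data.SqlClient.SqlDataAdapter($cmd)).Fill($ds)   # opens/closes the connection
    [pscustomobject]@{
        Permissions = @($ds.Tables[0].Rows | ForEach-Object { "$($_.permission_name)|$($_.target)" })
        Roles       = @($ds.Tables[1].Rows | ForEach-Object { $_.name })
    }
}

# Diff actual against expected per database. Missing grants break vCenter; extra grants and
# leftover db_owner membership are the least-privilege deviations the STIG is about.
$finding = $false
foreach ($db in $Expected.Keys) {
    $actual  = Get-DbUserPrivileges -Database $db -User $DbUser
    $missing = @($Expected[$db] | Where-Object { $actual.Permissions -notcontains $_ })
    $extra   = @($actual.Permissions | Where-Object { $Expected[$db] -notcontains $_ })
    Write-Host "[$db] user $DbUser"
    $missing      | ForEach-Object { Write-Host "  MISSING runtime grant: $_" }
    $extra        | ForEach-Object { Write-Host "  EXTRA grant beyond runtime set: $_" }
    $actual.Roles | ForEach-Object { Write-Host "  role membership (review): $_" }
    if ($missing -or $extra -or ($actual.Roles -contains 'db_owner')) { $finding = $true }
}
if ($finding) { Write-Host 'FINDING: runtime privileges deviate from VCENTER-000023' }
else          { Write-Host 'OK: runtime privileges match VCENTER-000023' }
```

The Oracle variant is not covered; there the equivalent catalog views are DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TAB_PRIVS for the vCenter user.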
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000020: The system must restrict unauthorized vSphere users from being able to execute commands within the guest virtual machine.
Check that a role is used to manage the vCenter Server without the Guest Access Control (example "Administrator No Guest Access"), and that this role is assigned to administrators who should not have Guest file and program interaction privileges. Log into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. Go to "Home>> Administration>> Roles" and verify that a role exists for administrators with Guest access removed. Right click on the role name and select "Edit". Verify under "All Privileges>> Virtual Machines" the "Guest Operations" checkbox is unchecked. Verify users requiring Administrator privileges without Guest access privileges are assigned to that role and not the default Administrator role. Ask the SA for a list of users that require administrator privileges without Guest access privileges and verify their role assignments. If users requiring administrator privileges without Guest access privileges are assigned to the default Administrator role, this is a finding.
Discussion
By default, vCenter Server "Administrator" role allows users to interact with files and programs inside a virtual machine's guest operating system. Least Privilege requires that this privilege should not be granted to any users who are not authorized, to reduce risk of Guest confidentiality, availability, or integrity loss. To prevent such loss, a non-guest access role must be created without these privileges. This role is for users who need administrator privileges excluding those allowing file and program interaction within the guests.
Fix
Create a role to manage vCenter without the Guest Access Control (example "Administrator No Guest Access"), and ensure that this role is assigned to administrators who should not have Guest file and program interaction privileges. Log into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. Go to "Home>> Administration>> Roles" and verify a role exists for administrators with Guest access removed. Right click on the role name and select "Edit". Verify under "All Privileges>> Virtual Machines" the "Guest Operations" checkbox is unchecked. Create account(s) requiring administrator privileges without Guest access privileges and assign them to that role.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000029: vSphere Client plugins must be verified.
Verify the vSphere Client used by administrators includes only authorized extensions from trusted sources: From the vSphere Client, "Plug-ins>> Manage Plug-ins" and click the Installed Plug-ins tab. View the Installed/Available Plug-ins list and verify they are all identified as authorized VMware, 3rd party (Partner) and/or site-specific (locally developed and site) approved plug-ins. If any Installed/Available plug-ins in the viewable list cannot be verified as vSphere Client plug-ins and/or authorized extensions from trusted sources, this is a finding.
Discussion
The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system.
Fix
Disable/remove all listed plug-ins that cannot be verified as distributed from trusted sources: From the vSphere client, connect to the vCenter server. On the menu bar, go to "Plug-ins >> Manage Plug-ins". Under Installed Plug-ins, right-click the plug-in of choice and select Disable.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000099: The version of vCenter running on the server must be a supported version.
vCenter v5 is no longer supported by the vendor. If the server is running vCenter v5, this is a finding.
Discussion
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Fix
Upgrade to a supported version.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
VCENTER-000008: The vCenter Server must be installed using a service account instead of a built-in Windows account.
Verify vCenter Server was installed using a special-purpose user account on the Windows host with a local-only administrator role. This account should have the "Act as part of the operating system" privilege, and write access to the local file system with a local-only administrator role. If the vCenter Server was not installed with a special-purpose, local-only administrator role with the "Act as part of the operating system" privilege, this is a finding.
Discussion
The Microsoft Windows built-in system account or a user account can be used to run vCenter Server. With a user account, the Windows authentication for SQL Server can be enabled; it also provides more security. The user account must be an administrator on the local machine. In the installation wizard, specify the account name as DomainName\Username. If using SQL Server for the vCenter database, the SQL Server database must be configured to allow the domain account access to SQL Server. The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system requires, which can contribute to security problems. A local user, administrative level account with limited permissions and rights must be set up for the vCenter Server system.
Fix
Re-install the vCenter Server with a special-purpose, local-only administrator role with the "Act as part of the operating system" privilege.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
VCENTER-000009: The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.
Check the following conditions: The Update Manager must be configured to use the Update Manager Download Server. The use of physical media to transfer update files to the Update Manager server (air-gap model example: a separate Update Manager Download Server which may source vendor patches externally via the Internet versus an internal, organization-defined source) must be enforced with site policies. If any of the above conditions is not met, this is a finding.
Discussion
The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet. The Update Manager requires access to patch information to function properly. UMDS must be installed on a separate system that has Internet access to download upgrades, patch binaries, and patch metadata, and then export the downloads to a portable media drive so that they become accessible to the Update Manager server.
Fix
Configure the Update Manager Server to use a separate Update Manager Download Server; the use of physical media to transfer updated files to the Update Manager server (air-gap model) must be enforced and documented with organization policies. Configure the Update Manager Download Server and enable the Download Service. Patches must not be directly accessible to the Update Manager Server application from the Internet.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
VCENTER-000005: Privilege re-assignment must be checked after the vCenter Server restarts.
After the Windows server hosting the vCenter Server has been rebooted, a vCenter Server user or member of the user group granted the administrator role must log in and verify the role permissions remain intact. If the user and/or user group granted vCenter administrator role permissions cannot be verified intact, this is a finding.
Discussion
During a restart of vCenter Server, if the user or user group that is assigned Administrator role on the root folder could not be verified as a valid user/group during the restart, the user/group's permission as Administrator will be removed. In its place, vCenter Server defaults the Administrator role to the local Windows administrators group, to act as a new vCenter Server Administrator. This default administrative assignment must be rectified by re-establishing a legitimate vCenter Server account with an Administrator role.
Fix
As a Windows Administrator, log in to the vCenter Server and restore a legitimate administrator account per site-specific user/group/role requirements.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000016: Log files must be cleaned up after failed installations of the vCenter Server.
If at any time a vCenter Server installation fails, log files of the form "hs_err_pid..." must be identified on the Windows host and deleted securely before putting the host into production. Determine if a site policy exists for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of the form "hs_err_pid". If a file name of the form "hs_err_pid" is found, this is a finding. If a site policy does not exist and/or is not followed, this is a finding.
Discussion
If the vCenter installation fails, a log file (with a name of the form "hs_err_pidXXXX") is created that contains the database password in plain text. An attacker who breaks into the vCenter Server could potentially steal this password and access the vCenter Database.
Fix
Develop a site policy for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of the form "hs_err_pid" and remove them.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000013: Access to SSL certificates must be monitored.
Ask the SA if event log monitoring is used to alert on non-service account access to the certificates directory. If event log monitoring is not used, this is a finding.
Discussion
The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, the vCenter Server system administrator might need to access it for support purposes. The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password.
Fix
Set up Windows event log monitoring to alert on non-service account access to the certificates directory.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000034: The Update Manager must not directly connect to public patch repositories on the Internet.
Verify the Update Manager download source is not the Internet. To verify download settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, verify "Direct connection to Internet" is not selected. If "Direct connection to Internet" is configured, this is a finding.
Discussion
In a typical deployment, the Update Manager connects to public patch repositories on the Internet to download patches. Any channel to the Internet represents a threat. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet.
Fix
To configure a Web server or local disk repository as a download source (i.e., "Direct connection to Internet" must not be selected as the source), from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, select Use a shared repository. Enter the <site-specific> path or the URL to the shared repository. Click Validate URL to validate the path. Click Apply.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000003: The VMware Update Manager must not be configured to manage its own VM or the VM of its vCenter Server.
Ask the SA if software and system security patches are installed and up-to-date for all ESXi hypervisors/VMs, including the vCenter Server (vCS) and the VMware Update Manager (vUM), if they are also installed as VMs rather than as physical machines. If the vUM's hypervisor host/VM patch, update, and remediation procedure does not include its own hypervisor/VM or that of the vCS (if installed as VMs), this check is not a finding. If the vUM's hypervisor host/VM patch, update, and remediation process also includes its own hypervisor host/VM and/or the vCS's hypervisor host/VM, this is a finding.
Discussion
The VMware Update Manager (vUM) and vCenter Server (vCS) can be installed as VMs on an ESXi hypervisor host. For all ESXi hypervisors and VMs, including those of the vCS and the vUM, software and system security patches must be installed and up-to-date. If the vUM hypervisor/VM or the vCS hypervisor/VM reboots while undergoing remediation, the remediation process is halted. Note that where the vCS hypervisor/VM reboots, the worst case is a temporary, unplanned vCS outage.
Fix
Determine if both the VMware Update Manager (vUM) and vCenter Server (vCS) are installed as physical or virtual machines. No fix is required for vCS/vUM if the vCS and vUM are both installed as physical machines. If the vCS and vUM are installed as virtual machines, they must both be managed either manually or by a secondary installation of vCS and the vUM. All remaining organization hypervisor hosts/VMs must be configured to receive software and security patch updates, via the vUM, on an organization-defined, regularly scheduled basis.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000033: The Update Manager Download Server must be isolated from direct connection to Internet public patch repositories by a proxy server.
If the Update Manager Download Server does not connect to the Internet to source vendor patches, this check is not applicable. Verify there is a Web proxy between Update Manager Download Server and the Internet. Check the proxy settings for the Update Manager Download Server to ensure correct configuration. To verify proxy settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Proxy Settings pane, select properties and view the proxy information. If a web proxy between Update Manager Download Server and the Internet is not configured, this is a finding.
Discussion
In a typical deployment, the Update Manager Download Server connects to public patch repositories on the Internet to download patches. This connection must be restricted as much as possible to prevent access from the outside to the Update Manager Download Server. Any direct channel to the Internet represents a threat.
Fix
If the Update Manager Download Server does not connect to the Internet to source vendor patches, no fix is required. To configure proxy settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Proxy Settings pane, select Use proxy and change the proxy information. Optional: If the proxy requires authentication, select Proxy requires authentication and provide a user name and password. Optional: Click Test Connection at any time to test whether a connection to the Internet through the proxy is possible. Click Apply.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000012: The vCenter Server administrative users must have the correct roles assigned.
Check that roles are created in vCenter with the required granularity of privilege for the organization's administrator types, and that these roles are assigned to the correct, site-specific users: Log into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. Go to "Home>> Administration>> Roles" and verify that a role exists for each of the administrator privilege sets the organization requires and allows. Right click on each Role name and select "Edit". Verify under "All Privileges>> Virtual Machines" that only site-specific, required checkboxes are selected. If the organization does not require roles for administrator privilege sets, this is a finding. If a role does not exist for each of the organization-required, administrator privilege sets, this is a finding.
Discussion
Administrative users must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.
Fix
Create roles in vCenter with the required granularity of privilege for the organization's administrator types, and ensure that these roles are assigned to the correct, site-specific users. As a vCenter Server administrator, log into the vCenter Server with the vSphere Client. Go to "Home>> Administration>> Roles" and create a role for each of the administrator privilege sets the organization requires and allows. Right click on each role name and select "Edit". Verify under "All Privileges>> Virtual Machines" that only site-specific, required checkboxes are selected.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000031: The vCenter Administrator role must be secured by assignment to specific users authorized as vCenter Administrators.
Connect to the vCenter Server via the vSphere Client. Highlight the data center name and navigate to the Permissions tab. Observe the list of users and/or groups. If any local administrator group permissions appear in the displayed list, this is a finding. If a vCenter Administrator account (must be an ordinary user assigned the administrator role) does not appear in the displayed list, this is a finding. If a vCenter Administrator account (must be an ordinary user assigned the administrator role) does appear in the displayed list, this is not a finding.
Discussion
By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and be assigned to a special-purpose local vCenter Administrator account. This account should be used to create individual user accounts.
Fix
Log into the Windows server as the Windows administrative user and create an ordinary user account that will be used to manage vCenter Server (example user: vAdmin). Ensure the ordinary user account (created above) does not belong to any local groups (example group: administrators). As the Windows administrative user, log into the vCenter Server (using the vSphere Client). Grant the role of administrator (global vCenter Server administrator) to the ordinary user account (created above). Log into the vCenter Server (using the vSphere Client) with the ordinary user account (created above) and verify that the user is able to perform all vCenter Server administrative tasks. As the Windows administrative user, log into the vCenter Server (using the vSphere Client). Delete the local administrator group from the permissions tab in the vSphere Client. Close the vSphere Client connection and attempt to reconnect to the Windows server as the Windows administrative user. The connection should now fail due to lack of administrator access/permissions.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
VCENTER-000017: Revoked certificates must be removed from the vCenter Server.
To check the status of SSL certificates on vCenter Server, open the vSphere Client and connect to the vCenter Server and log in. In the Security Warning dialog, click View Certificate and check the Valid from mm/dd/yy to mm/dd/yy field for the expiry information. Click OK. If unable to determine the certificate status from the certificate details, ask the SA if there is a site procedure to ensure the monitoring and removal of revoked certificates from the vCenter Server Windows host. Use this procedure to check the vCenter Server/host for the presence of revoked certificates. If a procedure does not exist and/or revoked certificates are found, this is a finding.
Discussion
If revoked certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.
Fix
If a site procedure to ensure the monitoring and removal of revoked certificates from the vCenter Server Windows host does not exist, create one. Check the vCenter Server/host for the presence of revoked certificates. Remove all revoked certificates.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000022: Network access to the vCenter Server system must be restricted.
The vCenter Server must be protected by a network and/or local firewall on the vCenter Server Windows system. This protection must include IP-based access restrictions, enabling only necessary components to communicate with the vCenter Server system. If the vCenter Server Windows system is not protected by a network and/or local firewall, this is a finding.
Discussion
Restrict access to only those essential components required to communicate with vCenter. Blocking access by unnecessary systems reduces the potential for general attacks on the operating system and minimizes risk.
Fix
The vCenter Server Windows system must be protected by utilizing a network and/or local firewall. Install the vCenter Server Windows system behind the firewall and/or install a firewall application on the Windows system. Firewall protections must include IP-based access restrictions, enabling only necessary components to communicate with the vCenter Server system.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
VCENTER-000027: The system must set a timeout for all thick-client logins without activity.
On each Windows computer with the vSphere Client installed, verify that a 15 minute (maximum) timeout is set by one of the following methods.
In the VpxClient.exe.config file: Locate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the <cmdlineFallback>... </cmdlineFallback> section, verify the setting <inactivityTimeout>X</inactivityTimeout>, where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server.
As an execution flag when the vSphere Client executable is started: Locate the vSphere Client executable icon on the desktop, right click, and select Properties. Verify the presence of "-inactivityTimeout 15" in the command.
If either of the above methods is invoked and the timeout interval exceeds 15 minutes, this is a finding.
Discussion
An inactivity timeout must be set for the vSphere Client (Thick Client). This client-side setting can be changed by users, so this must be set by default and re-audited. Automatic session termination minimizes risk and reduces the potential for unauthorized access to vCenter.
Fix
On each Windows computer with the vSphere Client installed:
Set a 15 minute (maximum) timeout in the VpxClient.exe.config file: Locate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the <cmdlineFallback>... </cmdlineFallback> section, modify the <inactivityTimeout>X</inactivityTimeout> where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server. Exit, saving the file.
Set a 15 minute (maximum) timeout execution flag when starting the vSphere Client executable: Locate the vSphere Client executable icon on the desktop, right click, and select Properties. Add "-inactivityTimeout X", where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server.
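Auditing both methods on a workstation by script, as an added example that is not part of this STIG or of VMware's tooling: it locates every VpxClient.exe.config, reads the <inactivityTimeout> element inside <cmdlineFallback>, and inspects shortcuts to VpxClient.exe for the -inactivityTimeout flag. It assumes, from the section name, that the config value is the fallback when a shortcut passes no flag; the search roots are assumptions that can be widened.

```powershell
# Added example (not from the STIG or VMware): audit vSphere Client (VpxClient.exe) inactivity
# timeouts against the 15-minute maximum of VCENTER-000027.
# Assumptions: the config lives under a Program Files tree; shortcuts live on the desktops and
# Start Menus; a shortcut without the flag falls back to the config value (<cmdlineFallback>).
$MaxMinutes  = 15
$ConfigRoots = @(${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$LnkRoots    = @([Environment]::GetFolderPath('Desktop'),
                 [Environment]::GetFolderPath('CommonDesktopDirectory'),
                 [Environment]::GetFolderPath('Programs'),
                 [Environment]::GetFolderPath('CommonPrograms'))

# Returns the minutes in <cmdlineFallback><inactivityTimeout> of a VpxClient.exe.config,
# or $null when the element is missing or not numeric (= no timeout configured there).
function Get-ConfigTimeout([string]$Path) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $node = $xml.SelectSingleNode('//cmdlineFallback/inactivityTimeout')
    $minutes = 0
    if ($node -and [int]::TryParse($node.InnerText.Trim(), [ref]$minutes)) { return $minutes }
    return $null
}

# Returns the "-inactivityTimeout N" value from a shortcut's arguments, -1 when the shortcut
# points at VpxClient.exe but carries no flag, or $null when it is not a vSphere Client shortcut.
function Get-ShortcutTimeout([string]$LnkPath) {
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($LnkPath)
    if ($lnk.TargetPath -notmatch '(?i)VpxClient\.exe$') { return $null }
    if ($lnk.Arguments -match '(?i)-inactivityTimeout\s+(\d+)') { return [int]$Matches[1] }
    return -1
}

$findings = @()
$configs  = @(Get-ChildItem -Path $ConfigRoots -Recurse -Filter 'VpxClient.exe.config' -ErrorAction SilentlyContinue)
if (-not $configs) {
    Write-Host 'VpxClient.exe.config not found: the vSphere Client does not appear to be installed here'
    return
}

# Method 1: the config file. Every copy found must carry a timeout of at most $MaxMinutes.
$configOk = $true
foreach ($cfg in $configs) {
    $t = Get-ConfigTimeout $cfg.FullName
    if ($null -eq $t) {
        $findings += "$($cfg.FullName): no <inactivityTimeout> inside <cmdlineFallback>"; $configOk = $false
    } elseif ($t -gt $MaxMinutes) {
        $findings += "$($cfg.FullName): inactivityTimeout $t exceeds $MaxMinutes minutes"; $configOk = $false
    }
}

# Method 2: the execution flag on shortcuts. A flag above the maximum is a finding; a missing
# flag is only acceptable when the config fallback is compliant.
foreach ($lnk in Get-ChildItem -Path $LnkRoots -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue) {
    $t = Get-ShortcutTimeout $lnk.FullName
    if ($null -eq $t) { continue }
    if ($t -gt $MaxMinutes) {
        $findings += "$($lnk.FullName): -inactivityTimeout $t exceeds $MaxMinutes minutes"
    } elseif ($t -lt 0 -and -not $configOk) {
        $findings += "$($lnk.FullName): no -inactivityTimeout flag and the config fallback is not compliant"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
else           { Write-Host "OK: every vSphere Client timeout found is set and within $MaxMinutes minutes" }
```

Because the setting is client-side and user-editable, the script is meant to be re-run periodically, which is the re-audit the Discussion calls for.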
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000024: A least-privileges assignment must be used for the Update Manager database user.
Verify only the following permissions are allowed to the VUM DB user after installation.
For Oracle DB normal operation, only the following permissions are required: CREATE SESSION, CREATE ANY TABLE, DROP ANY TABLE.
For SQL Server DB normal operation, the db_owner role or sysadmin role can be removed from the MSDB database. The db_owner role or sysadmin role is still required for the Update Manager database.
Note: While this guidance is current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.
If the above vendor database-dependent permissions are not strictly adhered to, this is a finding.
Discussion
Least-privileges mitigates attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.
Fix
For Oracle DB normal runtime operation, set the following permissions: CREATE SESSION, CREATE ANY TABLE, DROP ANY TABLE.
For SQL Server DB normal runtime operation, remove the db_owner role or sysadmin role from the MSDB database. The db_owner role or sysadmin role is still required for the Update Manager database.
Note: While this guidance is current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.
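For the SQL Server case, the role memberships the check and fix describe can be read directly from the catalog views. The PowerShell below is an added example, not STIG or VMware code; the instance, login and database names are placeholders, it uses the caller's Windows credentials, and it resolves membership through the login SID so it works even when the database user is named differently from the login.

```powershell
# Added example (not STIG text): report the Update Manager (VUM) login's role memberships
# on SQL Server. Instance, login and database names are placeholders. The caller needs
# read access to msdb and to the VUM database.
function Get-VumDbRoleStatus {
    param(
        [string]$SqlInstance = 'VCDB01\VIM_SQLEXP',   # placeholder instance
        [string]$VumLogin    = 'vumuser',              # placeholder login
        [string]$VumDatabase = 'VUM'                   # placeholder database
    )
    # The database name is spliced into the query text, so only allow a plain identifier
    if ($VumDatabase -notmatch '^[A-Za-z0-9_]+$') { throw "Unexpected database name: $VumDatabase" }

    $query = @"
SELECT
  ISNULL(IS_SRVROLEMEMBER('sysadmin', @login), 0) AS IsSysadmin,
  (SELECT COUNT(*)
     FROM msdb.sys.database_role_members drm
     JOIN msdb.sys.database_principals r ON r.principal_id = drm.role_principal_id
     JOIN msdb.sys.database_principals m ON m.principal_id = drm.member_principal_id
     JOIN sys.server_principals sp       ON sp.sid = m.sid
    WHERE r.name = 'db_owner' AND sp.name = @login) AS MsdbDbOwner,
  (SELECT COUNT(*)
     FROM [$VumDatabase].sys.database_role_members drm
     JOIN [$VumDatabase].sys.database_principals r ON r.principal_id = drm.role_principal_id
     JOIN [$VumDatabase].sys.database_principals m ON m.principal_id = drm.member_principal_id
     JOIN sys.server_principals sp                 ON sp.sid = m.sid
    WHERE r.name = 'db_owner' AND sp.name = @login) AS VumDbOwner
"@

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlInstance;Database=msdb;Integrated Security=True"
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@login', $VumLogin)
    $conn.Open()
    try {
        $rdr = $cmd.ExecuteReader()
        [void]$rdr.Read()
        $isSysadmin  = ([int]$rdr['IsSysadmin']  -eq 1)
        $msdbDbOwner = ([int]$rdr['MsdbDbOwner'] -gt 0)
        $vumDbOwner  = ([int]$rdr['VumDbOwner']  -gt 0)
        $rdr.Close()
    } finally { $conn.Close() }

    # Expected after installation: db_owner on the VUM database only,
    # no sysadmin membership and no db_owner membership in msdb.
    New-Object PSObject -Property @{
        Login       = $VumLogin
        IsSysadmin  = $isSysadmin
        MsdbDbOwner = $msdbDbOwner
        VumDbOwner  = $vumDbOwner
        Finding     = ($isSysadmin -or $msdbDbOwner -or -not $vumDbOwner)
    }
}

Get-VumDbRoleStatus | Format-List
```

When Finding is true because of msdb membership, the remediation in the Fix is `EXEC msdb..sp_droprolemember 'db_owner', '<user>'` (or `ALTER ROLE db_owner DROP MEMBER [<user>]` on SQL Server 2012 and later), run in msdb, not in the VUM database. For Oracle the equivalent check is `SELECT privilege FROM dba_sys_privs WHERE grantee = '<VUM USER>'`, whose result set should contain only CREATE SESSION, CREATE ANY TABLE and DROP ANY TABLE.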
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000019: Access to SSL certificates must be restricted.
Check that the Windows file permissions on the SSL certificate directory and its files are set so that only the vCenter service account and authorized vCenter Server Administrators can access them. Verify the directory and all files within are accessible only to the service user (System) and authorized vCenter Server administrators. By default, the vCenter location is C:\ProgramData\VMware\VMware VirtualCenter\SSL and the Inventory Service SSL certificate location is C:\Program Files\VMware\Infrastructure\Inventory Service\ssl. If the SSL certificate directory/files are not set so that only the vCenter service account and authorized vCenter Server Administrators can access them, this is a finding.
Discussion
The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password. By default, only the service user account and the vCenter Server administrators can access the directory containing the SSL certificates. The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, when collecting data for support purposes, the vCenter Server system administrator might need to access it. The permissions should be checked on a regular basis to ensure they have not been changed to add unauthorized users.
Fix
Ensure the Windows file permissions on the SSL certificate directory and its files are set so that only the vCenter service account and authorized vCenter Server Administrators can access them. Ensure the directory and all files within are accessible only to the service user (System) and authorized vCenter Server administrators. By default, the vCenter location is C:\ProgramData\VMware\VMware VirtualCenter\SSL and the Inventory Service SSL certificate location is C:\Program Files\VMware\Infrastructure\Inventory Service\ssl.
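The "checked on a regular basis" requirement from the Discussion is easiest to meet with a script that diffs the ACLs against an allow-list. This PowerShell is an added example, not STIG or VMware code; the allowed identities are assumptions (replace BUILTIN\Administrators with the site's authorized vCenter administrator group, and add the service account if vCenter does not run as Local System).

```powershell
# Added example (not STIG text): audit the vCenter and Inventory Service SSL directories
# and tighten them to the service account plus an authorized admin group.
$SslDirs = @(
    'C:\ProgramData\VMware\VMware VirtualCenter\SSL',
    'C:\Program Files\VMware\Infrastructure\Inventory Service\ssl'
)
$AllowedIdentities = @(
    'NT AUTHORITY\SYSTEM',     # service account when vCenter runs as Local System
    'BUILTIN\Administrators'   # placeholder: replace with the authorized vCenter admin group
)

function Get-SslAclFindings {
    param([string[]]$Paths = $SslDirs, [string[]]$Allowed = $AllowedIdentities)
    foreach ($dir in $Paths) {
        if (-not (Test-Path -Path $dir)) { Write-Warning "Missing: $dir"; continue }
        # The directory itself plus every file beneath it
        $items = @(Get-Item -Path $dir) +
                 @(Get-ChildItem -Path $dir -Recurse | Where-Object { -not $_.PSIsContainer })
        foreach ($item in $items) {
            $acl = Get-Acl -Path $item.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $id = $ace.IdentityReference.Value
                if ($Allowed -notcontains $id) {
                    New-Object PSObject -Property @{
                        Path      = $item.FullName
                        Identity  = $id
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                        Status    = 'FINDING'
                    }
                }
            }
        }
    }
}

function Set-SslAclRestricted {
    param([string]$Path, [string[]]$Allowed = $AllowedIdentities)
    # 1) stop inheriting from the parent and drop the inherited ACEs
    & icacls $Path /inheritance:r /T /C | Out-Null
    # 2) grant full control to the allowed identities, propagating to files and subfolders
    foreach ($id in $Allowed) { & icacls $Path /grant "${id}:(OI)(CI)F" /T /C | Out-Null }
    # 3) remove any explicit ACE that remains for other identities
    Get-SslAclFindings -Paths @($Path) -Allowed $Allowed |
        Select-Object -ExpandProperty Identity -Unique |
        ForEach-Object { & icacls $Path /remove:g "$_" /T /C | Out-Null }
}

# Report only; run Set-SslAclRestricted per directory after confirming the group names
Get-SslAclFindings | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Run the audit from a scheduled task and alert on any non-empty output; because the Fix removes inheritance, an administrator adding a group at the parent folder level no longer silently widens access to the certificate files.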
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000015: Expired certificates must be removed from the vCenter Server.
To check the status of SSL certificates on vCenter Server, open the vSphere Client and connect to the vCenter Server and log in. In the Security Warning dialog, click View Certificate and check the Valid from mm/dd/yy to mm/dd/yy field for the expiry information. Click OK. If unable to determine the certificate status from the certificate details, ask the SA if there is a site procedure to ensure the monitoring and removal of expired certificates from the vCenter Server Windows host. Use this procedure to check the vCenter Server/host for the presence of expired certificates. If a procedure does not exist and/or expired certificates are found, this is a finding.
Discussion
If expired certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which might enable compromise through impersonation with the user's credentials to the vCenter Server system.
Fix
If a site procedure to ensure the monitoring and removal of expired certificates from the vCenter Server Windows host does not exist, create one. Check the vCenter Server/host for the presence of expired certificates. Remove all expired certificates.
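A site procedure for this item needs something repeatable to run; the PowerShell below is an added example rather than STIG or VMware code. It assumes the default install paths, that the certificate file in each SSL directory is named rui.crt, and a 30-day warning window, and it also walks the Windows LocalMachine stores because replaced vCenter certificates often linger there.

```powershell
# Added example (not STIG text): report expired or soon-to-expire certificates in the
# vCenter SSL directory files and in the Windows LocalMachine certificate stores.
# Assumed: default install paths, the rui.crt file name, and a 30-day warning window.
$CertFiles = @(
    'C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt',
    'C:\Program Files\VMware\Infrastructure\Inventory Service\ssl\rui.crt'
)

function Get-CertificateStatus {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Source,
        [int]$WarnDays = 30
    )
    $now = Get-Date
    $state = if ($Cert.NotAfter -lt $now) { 'EXPIRED: FINDING' }
             elseif ($Cert.NotAfter -lt $now.AddDays($WarnDays)) { "Expires within $WarnDays days" }
             else { 'OK' }
    New-Object PSObject -Property @{
        Source     = $Source
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Status     = $state
    }
}

function Get-VcenterCertificateReport {
    param([string[]]$Files = $CertFiles, [int]$WarnDays = 30)
    foreach ($f in $Files) {
        if (-not (Test-Path -Path $f)) { Write-Warning "Not found: $f"; continue }
        # The X509Certificate2 file constructor accepts PEM (Base64) as well as DER
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $f
        Get-CertificateStatus -Cert $cert -Source $f -WarnDays $WarnDays
    }
    # The machine stores can hold stale copies of replaced vCenter certificates
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object { Get-CertificateStatus -Cert $_ -Source $_.PSParentPath -WarnDays $WarnDays }
}

Get-VcenterCertificateReport |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table Source, Subject, NotAfter, Status -AutoSize
```

An expired store entry can be removed with `Get-ChildItem Cert:\LocalMachine\My\<thumbprint> | Remove-Item` once nothing references it; an expired rui.crt is replaced by issuing a new certificate, not deleted, so that the vCenter services keep a valid identity.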
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
VCENTER-000007: The managed object browser must be disabled, at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.
The Managed Object Browser (MOB) was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is a full-access interface to the inventory objects, allowing attackers to determine the inventory path of an infrastructure's managed entities. Check the operational status of the MOB: determine the location of the vpxd.cfg file on the vCenter Server's Windows OS host. Edit the file and locate the <vpxd> ... </vpxd> element. Ensure the following element is set: <enableDebugBrowse>false</enableDebugBrowse>. If the MOB is currently enabled, ask the SA if it is being used for object maintenance. If the enableDebugBrowse element is enabled (set to true) and object maintenance is not being performed, this is a finding. If the enableDebugBrowse element is enabled (set to true) and object maintenance is being performed, this is not a finding.
Discussion
The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and might potentially be used to perform malicious configuration changes or actions.
Fix
If the managed object browser is enabled and required for object maintenance, no fix is immediately required. Disable the managed object browser: determine the location of the vpxd.cfg file on the Windows host. Edit the file and locate the <vpxd> ... </vpxd> element. Ensure the following element is set: <enableDebugBrowse>false</enableDebugBrowse>. Restart the vCenter Service to ensure the configuration file change(s) are in effect.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
VCENTER-000006: The Web datastore browser must be disabled, unless required for normal day-to-day operations.
If the Web datastore browser is required for normal, daily operational tasks, this check is not applicable. Verify the Web datastore browser is disabled: determine the location of the vpxd.cfg file on the vCenter Server's Windows OS host. Edit the file and locate the <vpxd> ... </vpxd> element. Ensure the following element is set: <enableHttpDatastoreAccess>false</enableHttpDatastoreAccess>. If the Web datastore browser is not disabled, this is a finding.
Discussion
The Web datastore browser enables viewing of all the datastores associated with the vSphere deployment, including all folders and files, such as VM files. This functionality is controlled by the organization-specific user permissions on vCenter Server.
Fix
If the Web datastore browser is enabled and required for normal, daily operational tasks, no fix is required. Disable the Web datastore browser: determine the location of the vpxd.cfg file on the Windows host. Edit the file and locate the <vpxd> ... </vpxd> element. Ensure the following element is set: <enableHttpDatastoreAccess>false</enableHttpDatastoreAccess>. Restart the vCenter Service to ensure the config file change(s) are in effect.
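Both this item and the managed object browser item above turn on the same edit of vpxd.cfg, so one script covers both checks and fixes. The PowerShell below is an added example, not STIG or VMware code; it assumes the default vpxd.cfg location on a Windows vCenter 5 host and that the vCenter Server service is registered as vpxd.

```powershell
# Added example (not STIG text): audit and correct the two vpxd.cfg switches, treating an
# absent element as a finding because the check requires it to be explicitly set to false.
# Assumed: default vpxd.cfg path and the service name vpxd.
$VpxdCfg       = 'C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg'
$RequiredFalse = @('enableDebugBrowse', 'enableHttpDatastoreAccess')

function Test-VpxdSettings {
    param([string]$Path = $VpxdCfg)
    if (-not (Test-Path -Path $Path)) { throw "vpxd.cfg not found at $Path" }
    [xml]$cfg = Get-Content -Path $Path
    foreach ($name in $RequiredFalse) {
        $node  = $cfg.SelectSingleNode("//vpxd/$name")
        $value = if ($null -eq $node) { '(absent)' } else { $node.InnerText.Trim().ToLower() }
        New-Object PSObject -Property @{
            Setting = $name
            Value   = $value
            Status  = if ($value -eq 'false') { 'OK' } else { 'FINDING' }
        }
    }
}

function Set-VpxdSettingsFalse {
    param([string]$Path = $VpxdCfg, [switch]$RestartService)
    [xml]$cfg = Get-Content -Path $Path
    $vpxd = $cfg.SelectSingleNode('//vpxd')
    if ($null -eq $vpxd) { throw "No <vpxd> element in $Path" }
    foreach ($name in $RequiredFalse) {
        $node = $vpxd.SelectSingleNode($name)
        if ($null -eq $node) { $node = $vpxd.AppendChild($cfg.CreateElement($name)) }
        $node.InnerText = 'false'
    }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force     # keep the pre-change file
    $cfg.Save((Resolve-Path -Path $Path).Path)                 # Save needs an absolute path
    # The setting is read at service start, so the change is not live until vpxd restarts
    if ($RestartService) { Restart-Service -Name vpxd }
}

Test-VpxdSettings | Format-Table Setting, Value, Status -AutoSize
# Remediate during a maintenance window: Set-VpxdSettingsFalse -RestartService
```

Because the MOB item allows a temporary exception while object maintenance is in progress, keep the audit output with the change record so the exception and the later re-disable are both visible; the restart is left behind a switch because it interrupts every vSphere Client session.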
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None