Check: VCENTER-000027
VMware vCenter Server Version 5 STIG: VCENTER-000027 (in versions v2 r1 through v1 r7)
Title
The system must set a timeout for all thick-client logins without activity. (Cat II impact)
Discussion
An inactivity timeout must be set for the vSphere Client (Thick Client). This client-side setting can be changed by users, so this must be set by default and re-audited. Automatic session termination minimizes risk and reduces the potential for unauthorized access to vCenter.
Check Content
On each Windows computer with the vSphere Client installed, verify:

A 15-minute (maximum) timeout is set in the VpxClient.exe.config file: Locate the VpxClient.exe.config file using the Windows OS search facility. Next, right-click VpxClient.exe.config and edit the file using an editor, such as Notepad. In the <cmdlineFallback>...</cmdlineFallback> section, verify the setting <inactivityTimeout>X</inactivityTimeout>, where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server.

Verify the timeout execution flag that the vSphere Client executable is started with: Locate the vSphere Client executable icon on the desktop, right-click, and select Properties. Verify the presence of "-inactivityTimeout 15" in the command.

If either of the above methods is invoked and the timeout interval exceeds 15 minutes, this is a finding.
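One way to automate both parts of this check, as an added PowerShell example that is not part of the STIG. The caller supplies the file paths; the sample config's `<configuration>` root, the desktop shortcut locations and the status names (`NotSet`, `Review`, `Finding`, `Compliant`) are assumptions of this example.

```powershell
# Added audit sketch for VCENTER-000027; not part of the STIG text.
$MaxMinutes = 15   # maximum allowed by the check

function Get-TimeoutStatus {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return 'NotSet' }  # this method is not in use
    $n = 0
    $null = [int]::TryParse($Value.Trim(), [ref]$n)   # $n stays 0 if parsing fails
    if ($n -lt 1)           { return 'Review' }   # non-numeric or non-positive: inspect by hand
    if ($n -gt $MaxMinutes) { return 'Finding' }  # exceeds 15 minutes
    return 'Compliant'
}

function Test-ConfigTimeout {
    param([Parameter(Mandatory)][string]$ConfigPath)
    $xml   = [xml](Get-Content -LiteralPath $ConfigPath -Raw)
    $node  = $xml.SelectSingleNode('//cmdlineFallback/inactivityTimeout')
    $value = if ($node) { $node.InnerText } else { $null }
    [pscustomobject]@{ Source = $ConfigPath; Value = $value; Status = Get-TimeoutStatus $value }
}

function Test-ShortcutTimeout {
    param([Parameter(Mandatory)][string]$ShortcutPath)
    # Read the shortcut's command-line arguments through the Windows Script Host COM object
    $lnk   = (New-Object -ComObject WScript.Shell).CreateShortcut($ShortcutPath)
    $value = if ($lnk.Arguments -match '-inactivityTimeout\s+(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{ Source = $ShortcutPath; Value = $value; Status = Get-TimeoutStatus $value }
}

# Constructed sample config: only the two element names come from the STIG;
# the <configuration> root and the value 30 are made up for the demonstration.
$sample = Join-Path $env:TEMP 'VpxClient.exe.config.sample'
@'
<configuration>
  <cmdlineFallback>
    <inactivityTimeout>30</inactivityTimeout>
  </cmdlineFallback>
</configuration>
'@ | Set-Content -LiteralPath $sample
Test-ConfigTimeout -ConfigPath $sample

# Desktop shortcuts that launch VpxClient.exe (the desktop locations are an assumption)
Get-ChildItem "$env:PUBLIC\Desktop", "$env:USERPROFILE\Desktop" -Filter *.lnk -ErrorAction SilentlyContinue |
    Where-Object { (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath -like '*VpxClient.exe' } |
    ForEach-Object { Test-ShortcutTimeout -ShortcutPath $_.FullName }
```

Because the Discussion notes that users can change this client-side setting, the script is suited to a scheduled re-audit on each workstation, with the real config path passed to `Test-ConfigTimeout`.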
Fix Text
On each Windows computer with the vSphere Client installed:

Set a 15-minute (maximum) timeout in the VpxClient.exe.config file: Locate the VpxClient.exe.config file using the Windows OS search facility. Next, right-click VpxClient.exe.config and edit the file using an editor, such as Notepad. In the <cmdlineFallback>...</cmdlineFallback> section, modify the <inactivityTimeout>X</inactivityTimeout> setting, where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server. Exit, saving the file.

Set a 15-minute (maximum) timeout execution flag when starting the vSphere Client executable: Locate the vSphere Client executable icon on the desktop, right-click, and select Properties. Add "-inactivityTimeout X", where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server.
Additional Identifiers
Rule ID: SV-250744r799922_rule
Vulnerability ID: V-250744
Group Title: SRG-APP-000516
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |