Check: ESXI-67-000040
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000040
(in versions v1 r3 through v1 r2)
Title
The ESXi host must use multifactor authentication for local DCUI access to privileged accounts. (Cat III impact)
Discussion
To ensure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Note: This feature requires an existing PKI and AD integration.
Satisfies: SRG-OS-000107-VMM-000530, SRG-OS-000376-VMM-001520, SRG-OS-000377-VMM-001530, SRG-OS-000403-VMM-001640
Check Content
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Authentication Services and view the Smart Card Authentication status. If "Smart Card Mode" is "Disabled", this is a finding. For environments that do not have PKI or AD available, this is Not Applicable.
Fix Text
The following are prerequisites to configuration of smart card authentication for the ESXi DCUI:
- Active Directory domain that supports smart card authentication, smart card readers, and smart cards;
- ESXi joined to an Active Directory domain; and
- Trusted certificates for root and intermediary certificate authorities.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Authentication Services, click "Edit", and check the "Enable Smart Card Authentication" checkbox. At the "Certificates" tab, click the green plus sign to import trusted certificate authority certificates and click "OK".
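A PowerCLI script that applies the Check Content above to every host in a vCenter (reporting Open, Not a Finding, or Not Applicable) and, with -Remediate, performs the Fix Text steps through the vSphere API. This is an added example, not part of the STIG or of VMware's tooling; it assumes VMware PowerCLI is installed, and the vCenter name and CA certificate path are placeholders.

```powershell
# Added example: audit and optionally remediate ESXI-67-000040 with PowerCLI.
# Assumptions: PowerCLI is installed; $VIServer and $TrustedCaPem are placeholders.
param(
    [string]$VIServer     = 'vcenter.example.com',  # placeholder vCenter name
    [string]$TrustedCaPem = '.\root-ca.pem',         # placeholder PEM-encoded CA cert
    [switch]$Remediate
)

Connect-VIServer -Server $VIServer | Out-Null

foreach ($vmhost in Get-VMHost) {
    # Smart card settings live on the host's Active Directory authentication store,
    # reached through the host's AuthenticationManager.
    $authMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.AuthenticationManager
    $adAuth  = $authMgr.SupportedStore | ForEach-Object { Get-View -Id $_ } |
               Where-Object { $_ -is [VMware.Vim.HostActiveDirectoryAuthentication] }
    $info = $adAuth.Info   # HostActiveDirectoryInfo

    if (-not $info.Enabled -or [string]::IsNullOrEmpty($info.JoinedDomain)) {
        # Check Content: without AD integration the requirement is Not Applicable.
        # Still reported, because it cannot be remediated by this script.
        $status = 'Not Applicable (host not joined to Active Directory)'
    }
    elseif ($info.SmartCardAuthenticationEnabled) {
        $status = 'Not a Finding'
    }
    else {
        $status = 'Open'
        if ($Remediate) {
            # Fix Text: import the trusted CA certificate, then enable smart card mode.
            $pem = Get-Content -Path $TrustedCaPem -Raw
            $adAuth.InstallSmartCardTrustAnchor($pem)
            $adAuth.EnableSmartCardAuthentication()
            $status = 'Remediated (confirm under Configure >> System >> Authentication Services)'
        }
    }

    [pscustomobject]@{
        Host         = $vmhost.Name
        JoinedDomain = $info.JoinedDomain
        SmartCard    = $info.SmartCardAuthenticationEnabled
        Status       = $status
    }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run without -Remediate first to get a read-only report; the remediation branch changes DCUI login behaviour, so have the smart card readers and AD prerequisites in place before enabling it.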
Additional Identifiers
Rule ID: SV-239295r854592_rule
Vulnerability ID: V-239295
Group Title: SRG-OS-000107-VMM-000530
CCIs
Number | Definition
---|---
CCI-000767 | The information system implements multifactor authentication for local access to privileged accounts.
CCI-001953 | The information system accepts Personal Identity Verification (PIV) credentials.
CCI-001954 | The information system electronically verifies Personal Identity Verification (PIV) credentials.
CCI-002470 | The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.