Check: VCTR-67-000076
VMware vSphere 6.7 vCenter STIG: VCTR-67-000076 (in versions v1 r4 through v1 r1)
Title
The vCenter Server Administrator role must be secured and assigned to specific users other than a Windows Administrator. (Cat II impact)
Discussion
By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have them. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights on the local Windows server should be removed from users who are not vCenter administrators.
Check Content
Note: For vCenter Server Appliance, this is not applicable. If enhanced linked mode is used, local Windows authentication is not available to vCenter, and this is not applicable.
Under the Computer Management console for Windows, view the local Administrators group and verify that only vCenter administrators have access to the vCenter server. Other groups and users that are not vCenter administrators, such as Domain Admins, should be removed from the local Administrators group.
If there are any such groups or users present in the local Administrators group of the vCenter server, this is a finding.
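The check above can also be run from PowerShell on the Windows-based vCenter server. This is an added example, not part of the STIG text; the allow-list `$ApprovedAdmins`, its sample entries and the function name `Get-UnapprovedLocalAdmin` are assumptions to be replaced with the site's documented vCenter administrators.

```powershell
# Added example: audit the local Administrators group against an allow-list.
# $ApprovedAdmins is a hypothetical list; the entries below are constructed samples.
$ApprovedAdmins = @(
    'EXAMPLE\vcenter-admins',
    'EXAMPLE\svc-vcenter'
)

function Get-UnapprovedLocalAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Members,
        [Parameter(Mandatory)] [string[]] $Approved
    )
    # -notcontains compares case-insensitively, matching Windows account names.
    $Members | Where-Object { $Approved -notcontains $_.Name }
}

try {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup also works on localized Windows installations.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
}
catch {
    # Get-LocalGroupMember can fail when the group holds an orphaned SID.
    # In that case review the group in the Computer Management console.
    Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
    return
}

$findings = @(Get-UnapprovedLocalAdmin -Members $members -Approved $ApprovedAdmins)

if ($findings.Count -gt 0) {
    Write-Output 'FINDING: members present that are not approved vCenter administrators:'
    $findings |
        Select-Object Name, ObjectClass, PrincipalSource, SID |
        Format-Table -AutoSize
}
else {
    Write-Output 'Not a finding: only approved vCenter administrators are present.'
}
```

An approved domain group is matched by name only, so its own membership still has to be reviewed separately to confirm it is strictly controlled.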
Fix Text
Under the Computer Management console for Windows, view the local Administrators group and remove any users or groups that do not fit the criteria defined in the check content.
Additional Identifiers
Rule ID: SV-243131r879887_rule
Vulnerability ID: V-243131
Group Title: SRG-APP-000516
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |