Check: VCTR-67-000078
VMware vSphere 6.7 vCenter STIG:
VCTR-67-000078
(in versions v1 r4 through v1 r1)
Title
The vCenter Server must disable Password and Windows integrated authentication. (Cat II impact)
Discussion
All forms of authentication other than CAC must be disabled. Password authentication can be temporarily reenabled for emergency access to the local SSO domain accounts, but it must be disabled as soon as CAC authentication is functional.
Check Content
Note: For vCenter Server Appliance, this is not applicable. From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication. If "Smart card authentication" is not enabled and "Password and windows session authentication" is not disabled, this is a finding.
Fix Text
From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication. Next to "Authentication methods", click "Edit". Click the "Enable smart card authentication" radio button and click "Save". To reenable password authentication for troubleshooting purposes, run the following command on the vCenter server: C:\Program Files\VMware\VCenter server\VMware Identity Services\sso-config.bat -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local
Additional Identifiers
Rule ID: SV-243133r879887_rule
Vulnerability ID: V-243133
Group Title: SRG-APP-000516
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |