Check: VCTR-67-000026
VMware vSphere 6.7 vCenter STIG: VCTR-67-000026 (in versions v1 r4 through v1 r1)
Title
The vCenter Server must check the privilege reassignment after restarts. (Cat II impact)
Discussion
Check for privilege reassignment when restarting vCenter Server. If the user or user group that is assigned the Administrator role on the root folder cannot be verified as a valid user or group during a restart, the role is removed from that user or group. In its place, vCenter Server grants the Administrator role to the vCenter Single Sign-On account administrator@vsphere.local. This account can then act as the Administrator. Reestablish a named Administrator account and assign the Administrator role to that account to avoid using the anonymous administrator@vsphere.local account.
Check Content
Note: For vCenter Server Appliance, this is not applicable.

After the Windows server hosting the vCenter Server has been rebooted, a vCenter Server user or member of the user group granted the Administrator role must log in and verify the role permissions remain intact. If the user and/or user group granted vCenter Administrator role permissions cannot be verified as intact, this is a finding.
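One way to make the post-reboot verification repeatable is to compare the root-folder Administrator assignments against a site baseline. This is an added example, not part of the STIG; the function name, the principal names, the `'Admin'` role name and the `DOMAIN\user` form of the SSO account are assumptions to adjust per site.

```powershell
# Added example: compare root-folder Administrator assignments with a site baseline.
# Input objects need Principal and Role properties. On a live Windows-hosted vCenter
# they could come from PowerCLI (assumption: PowerCLI is installed and connected):
#   $perms = Get-VIPermission -Entity (Get-Folder -NoRecursion)

function Test-RootAdminAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Permission,         # current root-folder permissions
        [Parameter(Mandatory)] [string[]] $ExpectedPrincipal,  # site baseline (hypothetical names)
        [string] $FallbackPrincipal = 'VSPHERE.LOCAL\Administrator',  # assumed SSO account form
        [string] $AdminRole = 'Admin'                          # assumed role name as reported
    )
    # Principals that currently hold the Administrator role on the root folder.
    $admins = @($Permission | Where-Object { $_.Role -eq $AdminRole } |
                ForEach-Object { $_.Principal })

    # Baseline principals that lost the role (the condition the check calls a finding).
    $missing = @($ExpectedPrincipal | Where-Object { $admins -notcontains $_ })

    # Administrators that are neither in the baseline nor the SSO fallback account.
    $unexpected = @($admins | Where-Object {
        ($ExpectedPrincipal -notcontains $_) -and ($_ -ne $FallbackPrincipal) })

    # True when the SSO account holds the role without being part of the baseline,
    # which is the reassignment the Discussion describes.
    $fallback = ($admins -contains $FallbackPrincipal) -and
                ($ExpectedPrincipal -notcontains $FallbackPrincipal)

    [pscustomobject]@{
        Finding          = ($missing.Count -gt 0)
        Missing          = $missing
        FallbackSsoAdmin = $fallback
        Unexpected       = $unexpected
    }
}

# Constructed sample: state after a restart in which the named group could not be verified.
$afterRestart = @(
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\Administrator'; Role = 'Admin' }
    [pscustomobject]@{ Principal = 'EXAMPLE\svc-backup';          Role = 'ReadOnly' }
)
Test-RootAdminAssignment -Permission $afterRestart -ExpectedPrincipal 'EXAMPLE\vCenter-Admins'
```

Capturing the baseline before the reboot and running the comparison afterwards gives a record that the named Administrator assignment is intact, or shows which principal must be restored under the Fix Text.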
Fix Text
As the SSO Administrator, log in to the vCenter Server and restore a legitimate Administrator account per site-specific user/group/role requirements.
Additional Identifiers
Rule ID: SV-243092r879887_rule
Vulnerability ID: V-243092
Group Title: SRG-APP-000516
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |