Check: VMCH-70-000022
VMware vSphere 7.0 Virtual Machine STIG:
VMCH-70-000022
(in versions v1 r3 through v1 r1)
Title
The virtual machine (VM) guest operating system must be locked when the last console connection is closed. (Cat II impact)
Discussion
When accessing the VM console, the guest operating system must be locked when the last console user disconnects, limiting the possibility of session hijacking. This setting only applies to Windows-based VMs with VMware tools installed.
Check Content
From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "tools.guest.desktop.autolock" value and verify it is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guest.desktop.autolock If the virtual machine advanced setting "tools.guest.desktop.autolock" does not exist or is not set to "true", this is a finding. If the VM is not Windows-based, this is not a finding.
Fix Text
From the vSphere Client, select the Virtual Machine, right-click and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find or create the "tools.guest.desktop.autolock" value and set it to "true". Note: The VM must be powered off to modify the advanced settings through the vSphere Client. It is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. In this case, the modified settings will not take effect until a cold boot of the VM. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name tools.guest.desktop.autolock -Value true If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Set-AdvancedSetting -Value true
Additional Identifiers
Rule ID: SV-256470r886453_rule
Vulnerability ID: V-256470
Group Title: SRG-OS-000480-VMM-002000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |