An error occurred:

VMware vSphere 8.0 vCenter STIG Version Comparison

VMware vSphere 8.0 vCenter Security Technical Implementation Guide

Comparison

There are 8 differences between versions v1 r1 (Oct. 31, 2023) (the "left" version) and v2 r2 (Jan. 30, 2025) (the "right" version).

Check VCSA-80-000009 was added to the benchmark in the "right" version.

This check's original form is available here.

Text Differences

Title

The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.

Check Content

From the vSphere Client, go to Developer Center >> API Explorer. Select "appliance" from the "Select API" drop down list then scroll down to the "tls/profiles/global" section. Expand the GET call and click Execute and review the response for the configured global TLS profile. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Invoke-GetTlsProfilesGlobal If the global TLS profile is not "NIST_2024", this is a finding.

Discussion

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. In vCenter 8 Update 3, Transport Layer Security (TLS) Profiles were introduced that allow users to manage and configure TLS parameters for the vCenter server. Several TLS profiles are available by default but not all may be suitable for high security environments.

Fix

From the vSphere Client, go to Developer Center >> API Explorer. Select "appliance" from the "Select API" drop down list then scroll down to the "tls/profiles/global" section. Expand the PUT call and enter the following in the value box: { "profile": "NIST_2024" } Click Execute and Continue to configure a new global TLS profile. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Invoke-SetProfilesGlobalAsync -TlsProfilesGlobalSetSpec (Initialize-TlsProfilesGlobalSetSpec -VarProfile NIST_2024) To monitor the status of the operation the task id from the command output can be used with the "Invoke-GetTask" command. For example: Invoke-GetTask -Task 66b247c2-fe02-4425-9338-1c88eb856138:com.vmware.appliance.tls.profiles.global