Title

The NSX vCenter must be configured to use an authentication server to provide automated support for account management functions to centrally control the authentication process for the purpose of granting administrative access. (Cat I impact)

Discussion

Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations and privilege levels. NSX Manager must be configured to automatically provide account management functions, and these functions must immediately enforce the organization's current account policy. All accounts used for access to the NSX components are privileged or system-level accounts. Therefore, if account management functions are not automatically enforced, an attacker could gain privileged access to a vital element of the network security architecture. With the exception of the account of last resort, all accounts must be created and managed on the site's authentication server (e.g., RADIUS, LDAP, or Active Directory). This requirement is applicable to account management functions provided by the network device.

Check Content

Verify the Windows server hosting vCenter is joined to the domain and access to the server and vCenter is done using Active Directory accounts. If the vCenter server is not joined to an Active Directory domain, this is a finding. If Active Directory-based accounts are not used for daily operations of the vCenter server, this is a finding. If Active Directory is not used in the environment, this is not applicable.

Fix Text

If the server hosting vCenter is not joined to the domain, follow the OS-specific procedures to join it to Active Directory. If local accounts are used for normal operations, Active Directory accounts should be created and used.

Additional Identifiers

Rule ID: SV-83765r1_rule

Vulnerability ID: V-69161

Group Title: SRG-APP-000023-NDM-000205

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.