Security Best Practices for Securing vCenter Server

You must follow multiple best practices at all times when you operate your vCenter Server instances.
Each entry below gives the best practice, its identifier (VMW-VC-nnnnn), and a description.
Assign correct roles to vCenter Server users.
VMW-VC-00415
Assign users and service accounts only the privileges they need. Under the least privilege principle, a privilege is granted only when a task requires it, which limits the loss of confidentiality, integrity, or availability that a compromised or misused account can cause.
Use unique service accounts for applications that connect to vCenter Server.
VMW-VC-00401
Create a separate service account for each application that connects to vCenter Server, and grant it only the permissions that application needs to run. Per-application accounts keep activity attributable in the audit trail, and a compromised application does not inherit the rights of every other integration sharing the account.
vCenter Server must restrict access to cryptographic permissions.
VMW-VC-01211
Reserve these permissions for cryptographic administrators when VM or vSAN encryption is in use. Poorly administered cryptography can cause catastrophic data loss, for example when keys are lost or a key provider is misconfigured. Only the Administrator role and any site-specific cryptographic administrator group should hold the following privileges:
  • Cryptographic Operations privileges
  • Global.Diagnostics
  • Host.Inventory.Add host to cluster
  • Host.Inventory.Add standalone host
  • Host.Local operations.Manage user groups
The vCenter Server must use LDAPS when adding an SSO identity source.
VMW-VC-01229
To protect the confidentiality and integrity of LDAP communications, including the bind credentials, configure secure LDAP (LDAPS) explicitly when adding an LDAP identity source in vSphere SSO: use ldaps:// URLs for the primary and secondary servers and supply the LDAP server's SSL certificate. When the identity source is configured this way, vCenter Server enforces secure LDAP and validates the server against the supplied certificate.
The vCenter Server must implement Active Directory authentication.
VMW-VC-01228
The vCenter Server must ensure that users authenticate with an individual authenticator before using a group authenticator. Using Active Directory for authentication provides more robust account management capabilities, such as centrally enforced password, lockout, and account lifecycle policies.
Back up the vCenter Native Key Provider with a strong password.
VMW-VC-01239
The vCenter Native Key Provider acts as a key provider for encryption-based capabilities, such as encrypted virtual machines, without requiring an external KMS. When you activate this feature, you must back it up, which produces a PKCS#12 file. If you do not supply a password during the backup, anyone who obtains the file can restore the key provider and use it against the environment, so protect the backup with a strong password and store it separately from vCenter Server.
Restrict access to the cryptographic role.
VMW-VC-01210
The built-in Administrator role holds the privileges to perform cryptographic operations, such as Key Management Server (KMS) functions and encrypting and decrypting virtual machine disks. Reserve this role for cryptographic administrators where virtual machine or vSAN encryption is required. Assign all other vSphere administrators, who do not need cryptographic operations, the No cryptography administrator role, which carries the same administrative privileges minus the cryptographic ones.
The vCenter Server Machine SSL certificate must be issued by an appropriate certificate authority.
VMW-VC-01205
The default VMCA-issued Machine SSL certificate, which fronts the vCenter reverse proxy, must be replaced with a certificate issued by an approved certificate authority (or VMCA must be made a subordinate CA of that authority). An approved certificate on the reverse proxy and other services lets clients verify that the service they are connecting to is legitimate and trusted, and lets them reject an impersonating endpoint.
Ensure that port mirroring is used legitimately.
VMW-VC-01248
The vSphere Distributed Switch (VDS) can mirror traffic from one port to another, which lets the destination observe and capture that traffic. Create port mirroring sessions only for a legitimate purpose, such as troubleshooting or an approved network monitoring tool, restrict who can configure them, and periodically review the configured sessions and remove any that are no longer needed.
Install security patches and updates for vCenter Server.
VMW-VC-01253
Install all security patches and updates on vCenter Server instances as soon as possible. An attacker can exploit known vulnerabilities to gain access or elevate privileges. Mitigate the risk of breaches by updating vCenter Server instances first and then updating ESXi hosts; this is the supported order, because vCenter Server must be at least as new as the hosts it manages.
Configure Key Encryption Keys (KEKs) to be re-issued at regular intervals for the vSAN encrypted datastores.
VMW-VC-01213
Establish a procedure to perform a shallow rekey of all vSAN encrypted datastores at regular, site-defined intervals agreed between the system administrator (SA) and the information system security officer (ISSO). A shallow rekey replaces the KEK only and does not re-encrypt the stored data; a deep rekey also generates new data encryption keys and re-encrypts the data, at a much higher I/O cost. If vSAN encryption is not in use, this item is not applicable.
At a minimum, vCenter must provide an immediate, real-time alert to the system administrator (SA) and information system security officer (ISSO) of all audit failure events requiring real-time alerts.
VMW-VC-01254
Configure the central logging server that receives vCenter Server logs to alert the SA and ISSO immediately on any event the authorizing official (AO) has defined as requiring a real-time alert. Absence of such alerting is a finding; if the AO has defined no such events, it is not a finding.
Remove unnecessary virtual hardware devices from the VM.
VMW-VC-01257
Ensure that no device is connected to a virtual machine unless it is required. For example, serial and parallel ports are rarely used by virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. USB devices, sound cards, and other unnecessary hardware may be introduced by migrations from VMware Workstation or Fusion, or through other tools. Any enabled or connected device is a potential attack channel, either through vulnerable device drivers or because it provides a way to introduce software into, or exfiltrate data from, a protected environment.
Note: Removing the CD-ROM device may impact VMware Tools installation and maintenance.
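The following is an added example, not code from this page or from VMware, that audits VM hardware against the rule above. It runs on constructed device lists shaped like pyVmomi's vm.config.hardware.device entries: type_name is the short class name (type(dev).__name__.rsplit(".", 1)[-1]), and connected / start_connected come from dev.connectable where the device has a connectable backing. The class names below are the assumed pyVmomi spellings; the sample inventory is constructed, not captured from a real vCenter.

```python
"""Flag virtual hardware that should be removed or disconnected."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Devices a datacenter VM almost never needs: recommend removal.
# Class names are assumed pyVmomi spellings (vim.vm.device.*).
REMOVE = {
    "VirtualSerialPort", "VirtualParallelPort", "VirtualFloppy",
    "VirtualUSBController", "VirtualUSBXHCIController", "VirtualUSB",
    "VirtualEnsoniq1371", "VirtualHdAudioCard", "VirtualSoundBlaster16",
}
# Keep the device (VMware Tools installation needs it) but it must not stay connected.
DISCONNECT = {"VirtualCdrom"}


@dataclass
class Device:
    type_name: str
    label: str                          # deviceInfo.label
    connected: Optional[bool] = None    # connectable.connected; None if not connectable
    start_connected: Optional[bool] = None  # connectable.startConnected


def audit_vm(vm_name: str, devices: List[Device]) -> List[Tuple[str, str, str, str]]:
    """Return (vm, device label, action, reason) for each offending device."""
    findings = []
    for dev in devices:
        if dev.type_name in REMOVE:
            findings.append((vm_name, dev.label, "remove",
                             f"{dev.type_name} is unnecessary attack surface"))
        elif dev.type_name in DISCONNECT:
            # A disconnected CD/DVD drive is acceptable; a connected one, or one
            # that reconnects at power on, is not.
            if dev.connected:
                findings.append((vm_name, dev.label, "disconnect", "CD/DVD is connected"))
            elif dev.start_connected:
                findings.append((vm_name, dev.label, "disconnect",
                                 "CD/DVD reconnects at power on"))
    return findings


def audit_inventory(inventory: Dict[str, List[Device]]):
    return [f for vm, devs in inventory.items() for f in audit_vm(vm, devs)]


# Constructed sample inventory (not from a real vCenter).
SAMPLE_INVENTORY = {
    "web-01": [
        Device("VirtualVmxnet3", "Network adapter 1", True, True),
        Device("VirtualDisk", "Hard disk 1"),
        Device("VirtualCdrom", "CD/DVD drive 1", False, False),  # present, disconnected: fine
    ],
    "legacy-app": [
        Device("VirtualSerialPort", "Serial port 1", True, True),
        Device("VirtualUSBController", "USB controller"),
        Device("VirtualHdAudioCard", "Sound card"),
        Device("VirtualCdrom", "CD/DVD drive 1", True, True),    # ISO left mounted after install
    ],
}

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(finding)
```

To run it against a live inventory, build the Device list from each vm.config.hardware.device, using getattr(dev, "connectable", None) for the two connection flags; the CD/DVD drive is reported for disconnection rather than removal so that VMware Tools maintenance still works.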
Run a vCenter Server version that has not reached End of General Support.
VMW-VC-01256
Ensure that the deployed vCenter Server version has not reached End of General Support status; versions past that date no longer receive security patches, so every vulnerability disclosed after it remains exploitable.
vCenter must separate authentication and authorization for administrators.
VMW-VC-01261
Many organizations do both authentication and authorization using a centralized directory service such as Active Directory. Attackers who compromise an identity source can often add themselves to authorization groups, and simply log into systems they should not otherwise have access to. Additionally, reliance on central identity systems means that the administrators of those systems are potentially infrastructure administrators, too, as they can add themselves to infrastructure access groups at will.
Using local SSO groups (in the vsphere.local domain by default) for authorization blocks this avenue of attack: the centralized identity source still authenticates users, but authorization moves into vCenter itself. Assign vCenter permissions to local SSO groups and add directory users to those groups, rather than granting permissions directly to directory groups.
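The following is an added example, not code from this page or from VMware, that serves three of the items above: least-privilege assignment of cryptographic privileges (VMW-VC-01211, VMW-VC-01210) and keeping authorization on local SSO groups (VMW-VC-01261). It runs on constructed data shaped like pyVmomi's content.authorizationManager.roleList and RetrieveAllPermissions() results, so it works offline; swap in the live objects to audit a real vCenter. The privilege IDs (Cryptographer.*, Global.Diagnostics, Host.Inventory.AddHostToCluster, Host.Inventory.AddStandaloneHost, Host.Local.ManageUserGroups) and the API role names "Admin" and "NoCryptoAdmin" are the assumed API spellings of the UI names used on this page.

```python
"""Audit vCenter permissions for crypto-privilege sprawl and directory-based authorization."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Non-Cryptographer.* privileges the guide reserves for cryptographic administrators
# (assumed API spellings of the UI names).
CRYPTO_SENSITIVE = {
    "Global.Diagnostics",
    "Host.Inventory.AddHostToCluster",
    "Host.Inventory.AddStandaloneHost",
    "Host.Local.ManageUserGroups",
}


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset  # privilege IDs, e.g. "Cryptographer.Access"


@dataclass(frozen=True)
class Permission:
    principal: str   # "DOMAIN\\name", as pyVmomi reports it
    is_group: bool
    role: str
    entity: str      # inventory path the permission is set on
    propagate: bool


def is_crypto_sensitive(privilege: str) -> bool:
    return privilege.startswith("Cryptographer.") or privilege in CRYPTO_SENSITIVE


def crypto_roles(roles: Iterable[Role]) -> Dict[str, List[str]]:
    """Map role name -> sorted crypto-sensitive privileges it carries (empty roles omitted)."""
    out = {}
    for role in roles:
        hits = sorted(p for p in role.privileges if is_crypto_sensitive(p))
        if hits:
            out[role.name] = hits
    return out


def crypto_violations(roles, permissions, allowed_principals) -> List[Tuple[str, str, str]]:
    """Permissions that hand crypto-sensitive privileges to a principal outside the
    approved set (the Administrators group plus the site cryptographic group)."""
    sensitive = crypto_roles(roles)
    allowed = {p.upper() for p in allowed_principals}
    return [(perm.principal, perm.role, perm.entity)
            for perm in permissions
            if perm.role in sensitive and perm.principal.upper() not in allowed]


def external_authorization(permissions, local_domain="VSPHERE.LOCAL") -> List[Tuple[str, str]]:
    """Permissions granted directly to a directory principal (e.g. an AD group)
    instead of to a local SSO group, re-coupling authorization to the identity source."""
    prefix = local_domain.upper() + "\\"
    return [(perm.principal, perm.role) for perm in permissions
            if not perm.principal.upper().startswith(prefix)]


# Constructed sample data (not exported from a real vCenter).
SAMPLE_ROLES = [
    Role("Admin", frozenset({"System.View", "Cryptographer.Access", "Cryptographer.Encrypt",
                             "Global.Diagnostics", "Host.Inventory.AddHostToCluster",
                             "Host.Inventory.AddStandaloneHost", "Host.Local.ManageUserGroups"})),
    Role("NoCryptoAdmin", frozenset({"System.View", "Host.Config.Patch",
                                     "VirtualMachine.Interact.PowerOn"})),
    Role("BackupAppliance", frozenset({"System.View", "Cryptographer.Access",
                                       "VirtualMachine.Provisioning.DiskRandomAccess"})),
]
SAMPLE_PERMISSIONS = [
    Permission("VSPHERE.LOCAL\\Administrators", True, "Admin", "/", True),
    Permission("VSPHERE.LOCAL\\CryptoAdmins", True, "Admin", "/", True),
    Permission("VSPHERE.LOCAL\\vSphereOps", True, "NoCryptoAdmin", "/", True),
    Permission("VSPHERE.LOCAL\\svc-backup", False, "BackupAppliance", "/DC1", True),  # crypto privilege on a service account
    Permission("CORP\\vSphere-Admins", True, "Admin", "/", True),                     # AD group holds Administrator directly
]
ALLOWED_CRYPTO_PRINCIPALS = ["VSPHERE.LOCAL\\Administrators", "VSPHERE.LOCAL\\CryptoAdmins"]


def run_audit(roles=SAMPLE_ROLES, permissions=SAMPLE_PERMISSIONS,
              allowed=ALLOWED_CRYPTO_PRINCIPALS) -> Dict[str, list]:
    return {
        "crypto_violations": crypto_violations(roles, permissions, allowed),
        "external_authorization": external_authorization(permissions),
    }


if __name__ == "__main__":
    for check, hits in run_audit().items():
        print(check)
        for hit in hits:
            print("  ", hit)
```

A hit in crypto_violations is not automatically wrong (a backup product may genuinely need Cryptographer.Access for encrypted VMs), but it must then be placed in the approved cryptographic group or formally accepted rather than left as an unreviewed grant. A hit in external_authorization is the pattern VMW-VC-01261 warns about: move the grant to a vsphere.local group and nest the directory group or users inside it.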
The vCenter Server must configure the firewall to only allow traffic from authorized networks.
VMW-VC-01276
Configure the vCenter Server appliance firewall so that incoming network traffic is blocked unless a rule explicitly allows it: permit only the authorized management networks and finish the ordered rule list with a rule that rejects all other sources. This reduces the attack surface and helps prevent unauthorized access to the system. Note that outgoing (egress) traffic and related or established connections are not blocked, so vCenter Server can still communicate with systems where it initiates the connection; use perimeter firewalls to curtail those connections.
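The following is an added example, not code from this page or from VMware, that lints and simulates an ordered inbound rule set before it is applied. The rule dictionaries mimic the fields of the appliance REST API (/api/appliance/networking/firewall/inbound: address, prefix, policy, interface_name); that field shape, first-match evaluation, and the assumption that a source matching no rule is accepted are assumptions, not statements from the page. The rule sets are constructed samples.

```python
"""Lint and simulate an ordered vCenter appliance inbound firewall rule set."""
import ipaddress
from typing import Dict, List


def _network(rule: Dict) -> ipaddress._BaseNetwork:
    return ipaddress.ip_network(f"{rule['address']}/{rule['prefix']}", strict=False)


def evaluate(rules: List[Dict], source_ip: str) -> str:
    """First matching rule wins. A source matching no rule is ACCEPTed
    (assumed appliance default when the list has no catch-all)."""
    ip = ipaddress.ip_address(source_ip)
    for rule in rules:
        net = _network(rule)
        if ip.version == net.version and ip in net:
            return rule["policy"]
    return "ACCEPT"


def lint(rules: List[Dict]) -> List[str]:
    """Problems to fix before applying the rule set."""
    problems = []
    if not rules or rules[-1]["policy"] not in ("REJECT", "IGNORE") \
            or _network(rules[-1]).prefixlen != 0:
        problems.append("no final catch-all REJECT rule: unlisted sources are accepted")
    elif not any(_network(r).version == 6 for r in rules):
        problems.append("catch-all covers IPv4 only; add ::/0 if IPv6 is enabled on the appliance")
    seen = []  # (index, network) of earlier rules
    for i, rule in enumerate(rules):
        net = _network(rule)
        for j, earlier in seen:
            if earlier.version == net.version and net.subnet_of(earlier):
                problems.append(f"rule {i} ({net} {rule['policy']}) never matches: "
                                f"shadowed by rule {j} ({earlier} {rules[j]['policy']})")
                break
        seen.append((i, net))
    return problems


# Constructed sample rule sets (addresses are placeholders).
GOOD_RULES = [
    {"address": "10.10.0.0", "prefix": 24, "policy": "ACCEPT", "interface_name": "*"},  # admin jump hosts
    {"address": "10.20.5.0", "prefix": 24, "policy": "ACCEPT", "interface_name": "*"},  # ESXi management
    {"address": "0.0.0.0",   "prefix": 0,  "policy": "REJECT", "interface_name": "*"},  # everything else (v4)
    {"address": "::",        "prefix": 0,  "policy": "REJECT", "interface_name": "*"},  # everything else (v6)
]
BAD_RULES = [
    {"address": "10.0.0.0",  "prefix": 8,  "policy": "REJECT", "interface_name": "*"},  # broad reject first
    {"address": "10.10.0.0", "prefix": 24, "policy": "ACCEPT", "interface_name": "*"},  # shadowed: admins locked out
]

if __name__ == "__main__":
    for name, rules in (("GOOD_RULES", GOOD_RULES), ("BAD_RULES", BAD_RULES)):
        print(name, lint(rules) or "ok")
        for src in ("10.10.0.5", "192.168.1.1", "2001:db8::1"):
            print("  ", src, "->", evaluate(rules, src))
```

Because the rule list is ordered and applied as a whole, lint it first, then confirm with evaluate() that the address you are administering from is still accepted before pushing the set; a shadowed ACCEPT or a missing catch-all is easy to miss in the VAMI table and locks you out or leaves the appliance open, respectively.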