STIGQter: STIG Summary: VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

The vCenter Server for Windows must disable the managed object browser at all times when it is not required for troubleshooting or maintenance of managed objects.

DISA Rule

SV-216847r612237_rule

Vulnerability Number

V-216847

Group Title

SRG-APP-000516

Rule Version

VCWN-65-000025

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

If the managed object browser is enabled and required for object maintenance, no fix is immediately required.

Disable the managed object browser:
Determine the location of the vpxd.cfg file on the Windows host.
Edit the file and locate the <vpxd> ... </vpxd> element.
Ensure the following element is set: <enableDebugBrowse>false</enableDebugBrowse>

Restart the vCenter Service so that the configuration file change(s) take effect.

Check Contents

The Managed Object Browser (MOB) was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is a full-access interface to inventory objects, so it allows an attacker to determine the inventory path of an infrastructure's managed entities.

Check the operational status of the MOB:
Determine the location of the vpxd.cfg file on the vCenter Server's Windows OS host.
Edit the file and locate the <vpxd> ... </vpxd> element.
Ensure the following element is set: <enableDebugBrowse>false</enableDebugBrowse>

If the MOB is currently enabled, ask the SA if it is being used for object maintenance.

If the "enableDebugBrowse" element is enabled (set to true), and object maintenance is not being performed, this is a finding.
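The check and fix above both come down to one element in vpxd.cfg. The script below, an added example that is not part of the STIG or of VMware's tooling, audits that element in a constructed vpxd.cfg fragment and produces the remediated XML; the path of the real file and the handling of an absent element (treated here as needing manual review) are assumptions.

```python
"""Audit and remediate <enableDebugBrowse> under <vpxd> in a vpxd.cfg file."""
import xml.etree.ElementTree as ET

# Constructed fragment of vpxd.cfg for demonstration (not a real file dump);
# the real file has many more elements under <config>, and its location on the
# Windows host must be determined by the administrator.
SAMPLE_VPXD_CFG = """<config>
  <vpxd>
    <enableDebugBrowse>true</enableDebugBrowse>
  </vpxd>
</config>
"""


def _find_vpxd(root: ET.Element):
    """Return the <vpxd> element, whether it is the root or a descendant."""
    return root if root.tag == "vpxd" else root.find(".//vpxd")


def mob_status(cfg_text: str) -> str:
    """Classify the MOB setting: 'finding', 'compliant' or 'unset'.

    'unset' (element absent or empty) is an assumption of this example: the
    STIG expects the element to be present and false, so flag it for review.
    """
    vpxd = _find_vpxd(ET.fromstring(cfg_text))
    if vpxd is None:
        return "unset"
    el = vpxd.find("enableDebugBrowse")
    if el is None or el.text is None or not el.text.strip():
        return "unset"
    return "compliant" if el.text.strip().lower() == "false" else "finding"


def disable_mob(cfg_text: str) -> str:
    """Return cfg_text with <enableDebugBrowse>false</enableDebugBrowse> set.

    Note: ElementTree drops comments and the XML declaration, so when editing
    a real vpxd.cfg, apply the change to the original file and then restart
    the vCenter Service as the fix recommendation requires.
    """
    root = ET.fromstring(cfg_text)
    vpxd = _find_vpxd(root)
    if vpxd is None:
        vpxd = ET.SubElement(root, "vpxd")
    el = vpxd.find("enableDebugBrowse")
    if el is None:
        el = ET.SubElement(vpxd, "enableDebugBrowse")
    el.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(mob_status(SAMPLE_VPXD_CFG))               # finding
    print(mob_status(disable_mob(SAMPLE_VPXD_CFG)))  # compliant
```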

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4030

Comments