STIGQter: STIG Summary: VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The vCenter Server for Windows must restrict access to cryptographic permissions.

DISA Rule

SV-216883r612237_rule

Vulnerability Number

V-216883

Group Title

SRG-APP-000516

Rule Version

VCWN-65-000064

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

From the vSphere Web Client go to Administration >> Access Control >> Roles

Highlight each role and click the pencil button if it is enabled. Remove the following permissions from any group other than Administrator and any site-specific cryptographic group(s):

Cryptographic Operations privileges
Global.Diagnostics
Host.Inventory.Add host to cluster
Host.Inventory.Add standalone host
Host.Local operations.Manage user groups

Check Contents

From the vSphere Web Client go to Administration >> Access Control >> Roles

Highlight each role and click the pencil button if it is enabled. Verify that only the "Administrator" and any site-specific cryptographic group(s) have the following permissions:

Cryptographic Operations privileges
Global.Diagnostics
Host.Inventory.Add host to cluster
Host.Inventory.Add standalone host
Host.Local operations.Manage user groups

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:
$roles = Get-VIRole
ForEach($role in $roles){
$privileges = $role.PrivilegeList
If($privileges -match "Crypto*" -or $privileges -match "Global.Diagnostics" -or $privileges -match "Host.Inventory.Add*" -or $privileges -match "Host.Local operations.Manage user groups"){
Write-Host "$role has Cryptographic privileges"
}
}

If any role other than "Administrator" or any site-specific group(s) have any of these permissions, this is a finding.

Vulnerability Number

V-216883

Documentable

False

Rule Version

VCWN-65-000064

Severity Override Guidance

From the vSphere Web Client go to Administration >> Access Control >> Roles

Highlight each role and click the pencil button if it is enabled. Verify that only the "Administrator" and any site-specific cryptographic group(s) have the following permissions:

Cryptographic Operations privileges
Global.Diagnostics
Host.Inventory.Add host to cluster
Host.Inventory.Add standalone host
Host.Local operations.Manage user groups

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:
$roles = Get-VIRole
ForEach($role in $roles){
$privileges = $role.PrivilegeList
If($privileges -match "Crypto*" -or $privileges -match "Global.Diagnostics" -or $privileges -match "Host.Inventory.Add*" -or $privileges -match "Host.Local operations.Manage user groups"){
Write-Host "$role has Cryptographic privileges"
}
}

If any role other than "Administrator" or any site-specific group(s) have any of these permissions, this is a finding.

Check Content Reference

M

Target Key

4030

Comments