STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 09 Mar 2021

The vCenter Server must enable revocation checking for certificate-based authentication.

DISA Rule

SV-243115r719588_rule

Vulnerability Number

V-243115

Group Title

SRG-APP-000516

Rule Version

VCTR-67-000060

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication.

Under Smart card authentication settings >> Certificate revocation, click the "Edit" button.

By default, the PSC uses the CRL referenced in the certificate to check its revocation status.

OCSP with CRL fallback is recommended, but this setting is site-specific and should be configured appropriately for the environment.

Check Contents

From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication.

Under Smart card authentication settings >> Certificate revocation, verify that "Revocation check" does not show as disabled.

If "Revocation check" shows as disabled, this is a finding.

Documentable

False

Severity Override Guidance

From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication.

Under Smart card authentication settings >> Certificate revocation, verify that "Revocation check" does not show as disabled.

If "Revocation check" shows as disabled, this is a finding.

Check Content Reference

M

Target Key

5399

Comments