In vSphere 6.7, the built-in "Administrator" role contains permission to perform cryptographic operations such as KMS functions and encrypting and decrypting virtual machine disks. The vCenter Server must restrict access to the cryptographic role.
Separation of duties dictates that full vCenter. The vCenter Server Administrator role must be secured and assigned to specific users other than a Windows Administrator. By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. If more than one vSAN cluster is present in vCenter, both datastores will have the same name by default, potentially leading to confusion and.
The vCenter Server must configure the vSAN Datastore name to a unique name. A vSAN Datastore name by default is "vsanDatastore". To ensure the vCenter server is not directly. The vSAN Health Check is able to download the hardware compatibility list from VMware to check compliance against the underlying vSAN Cluster hosts. The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server. The use of a DoD certificate on the vCenter reverse proxy assures clients. The default self-signed, VMCA-issued vCenter reverse proxy certificate must be replaced with a DoD-approved certificate. The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority. TLS 1.2 should be enabled on all interfaces and TLS 1.1 and 1.0 disabled where supported.
TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. The vCenter Server must enable TLS 1.2 exclusively. The system must establish the validity of the user-supplied identity certificate using OCSP and/or CRL revocation checking. The vCenter Server must enable revocation checking for certificate-based authentication. This capability must be enabled and properly configured. The vSphere Client is capable of CAC authentication. The vCenter Server must enable certificate-based authentication. The required legal notice must be configured for the vCenter Web Client. The vCenter Server must enable the login banner for vSphere Client.
Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts but it must be disabled as. The vCenter Server must disable Password and Windows integrated authentication. All forms of authentication other than CAC must be disabled. Including VMware Tools. Findings (MAC III - Administrative Sensitive) Finding ID It enables installation of vCenter Server on Windows (Requires a 64-bit capable server).
Installer for VMware vCenter Server, VMware Platform Services Controller, VMware vSphere Update Manager, Update Manager Download Service (UMDS) and other vCenter Server-related modules. Use this package to update from any released VMware vCenter Server Appliance 6.7 to VMware vCenter Server 6.7U3q Appliance. It includes the UI and CLI installer for install/upgrade/migration for VMware vCenter Server Appliance, VMware Platform Services Controller, VMware vSphere Update Manager and Update Manager Download Service (UMDS).
VMware vSphere Hypervisor (ESXi) Offline Bundle
VMware vSphere Hypervisor (ESXi ISO) image (Includes VMware Tools)
VMware vCenter Server Appliance Update Bundle
VMware vCenter Server and modules for Windows