| VCTR-67-000001 - The vCenter Server must prohibit password reuse for a minimum of five generations. | IDENTIFICATION AND AUTHENTICATION |
| VCTR-67-000002 - The vCenter Server must not automatically refresh client sessions. | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCTR-67-000003 - The vCenter Server must enforce a 60-day maximum password lifetime restriction. | IDENTIFICATION AND AUTHENTICATION |
| VCTR-67-000004 - The vCenter Server must terminate management sessions after 10 minutes of inactivity. | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCTR-67-000005 - The vCenter Server users must have the correct roles assigned. | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCTR-67-000007 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC). | CONFIGURATION MANAGEMENT |
| VCTR-67-000008 - The vCenter Server must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events. | AUDIT AND ACCOUNTABILITY |
| VCTR-67-000009 - The vCenter Server must implement Active Directory authentication. | IDENTIFICATION AND AUTHENTICATION |
| VCTR-67-000010 - The vCenter Server must limit the use of the built-in SSO administrative account. | IDENTIFICATION AND AUTHENTICATION |
| VCTR-67-000012 - The vCenter Server must disable the distributed virtual switch health check. | CONFIGURATION MANAGEMENT |
| VCTR-67-000013 - The vCenter Server must set the distributed port group Forged Transmits policy to reject. | CONFIGURATION MANAGEMENT |
| VCTR-67-000014 - The vCenter Server must set the distributed port group MAC Address Change policy to reject. | CONFIGURATION MANAGEMENT |
| VCTR-67-000015 - The vCenter Server must set the distributed port group Promiscuous Mode policy to reject. | CONFIGURATION MANAGEMENT |
| VCTR-67-000016 - The vCenter Server must only send NetFlow traffic to authorized collectors. | CONFIGURATION MANAGEMENT |
| VCTR-67-000018 - The vCenter Server must configure all port groups to a value other than that of the native VLAN. | CONFIGURATION MANAGEMENT |
| VCTR-67-000019 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized. | CONFIGURATION MANAGEMENT |
| VCTR-67-000020 - The vCenter Server must not configure all port groups to VLAN values reserved by upstream physical switches. | CONFIGURATION MANAGEMENT |
| VCTR-67-000023 - The vCenter Server must configure the vpxuser auto-password to be changed every 30 days. | CONFIGURATION MANAGEMENT |
| VCTR-67-000024 - The vCenter Server must configure the vpxuser password meets length policy. | CONFIGURATION MANAGEMENT |
| VCTR-67-000025 - The vCenter Server must disable the managed object browser (MOB) at all times when not required for troubleshooting or maintenance of managed objects. | CONFIGURATION MANAGEMENT |
| VCTR-67-000026 - The vCenter Server must check the privilege reassignment after restarts. | CONFIGURATION MANAGEMENT |
| VCTR-67-000029 - The vCenter Server must enable all tasks to be shown to Administrators in the Web Client. | CONFIGURATION MANAGEMENT |
| VCTR-67-000031 - The vCenter Server must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server. | CONFIGURATION MANAGEMENT |
| VCTR-67-000033 - The vCenter Server must use a least-privileges assignment for the vCenter Server database user. | CONFIGURATION MANAGEMENT |
| VCTR-67-000034 - The vCenter Server must use unique service accounts when applications connect to vCenter. | CONFIGURATION MANAGEMENT |
| VCTR-67-000035 - vCenter Server plugins must be verified. | CONFIGURATION MANAGEMENT |
| VCTR-67-000036 - The vCenter Server must produce audit records containing information to establish what type of events occurred. | SYSTEM AND INFORMATION INTEGRITY |
| VCTR-67-000039 - The vCenter Server passwords must be at least 15 characters in length. | IDENTIFICATION AND AUTHENTICATION |
| VCTR-67-000040 - The vCenter Server passwords must contain at least one uppercase character. | IDENTIFICATION AND AUTHENTICATION |
| VCTR-67-000041 - The vCenter Server passwords must contain at least one lowercase character. | IDENTIFICATION AND AUTHENTICATION |
| VCTR-67-000042 - The vCenter Server passwords must contain at least one numeric character. | IDENTIFICATION AND AUTHENTICATION |
| VCTR-67-000043 - The vCenter Server passwords must contain at least one special character. | IDENTIFICATION AND AUTHENTICATION |
| VCTR-67-000045 - The vCenter Server must limit the maximum number of failed login attempts to three. | ACCESS CONTROL |
| VCTR-67-000046 - The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes. | ACCESS CONTROL |
| VCTR-67-000047 - The vCenter Server must require an administrator to unlock an account locked due to excessive login failures. | ACCESS CONTROL |
| VCTR-67-000051 - The vCenter Server users must have the correct roles assigned. | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCTR-67-000052 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic. | CONFIGURATION MANAGEMENT |
| VCTR-67-000054 - The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server. | CONFIGURATION MANAGEMENT |
| VCTR-67-000055 - The vCenter Server must configure the vSAN Datastore name to a unique name. | CONFIGURATION MANAGEMENT |
| VCTR-67-000057 - The vCenter Server must enable TLS 1.2 exclusively. | CONFIGURATION MANAGEMENT |
| VCTR-67-000058 - The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority. | CONFIGURATION MANAGEMENT |
| VCTR-67-000059 - The vCenter Server must enable certificate based authentication. | CONFIGURATION MANAGEMENT |
| VCTR-67-000060 - The vCenter Server must enable revocation checking for certificate-based authentication. | CONFIGURATION MANAGEMENT |
| VCTR-67-000061 - The vCenter Server must disable Password and Windows integrated authentication. | CONFIGURATION MANAGEMENT |
| VCTR-67-000062 - The vCenter Server must enable the login banner for vSphere Client. | CONFIGURATION MANAGEMENT |
| VCTR-67-000063 - The vCenter Server must restrict access to the cryptographic role. | CONFIGURATION MANAGEMENT |
| VCTR-67-000064 - The vCenter Server must restrict access to cryptographic permissions. | CONFIGURATION MANAGEMENT |
| VCTR-67-000065 - The vCenter Server must have Mutual CHAP configured for vSAN iSCSI targets. | CONFIGURATION MANAGEMENT |
| VCTR-67-000066 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s). | CONFIGURATION MANAGEMENT |
| VCTR-67-000067 - The vCenter Server must disable the Customer Experience Improvement Program (CEIP). | CONFIGURATION MANAGEMENT |
