ESXI5-VMNET-000007 - Only authorized administrators must have access to virtual networking components.

Information

This control mitigates the risk of misconfiguration, whether accidental or malicious, and enforces key security concepts of separation of duties and least privilege. It is important to leverage the role-based access controls within vSphere to ensure that only authorized administrators have access to the different virtual networking components. For example, VM administrators should have access only to port groups in which their VMs reside. Network administrators should have permissions to all virtual networking components but not have access to VMs. These controls will depend very much on the organization's policy on separation of duties, least privilege, and the responsibilities of the administrators within the organization.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

vSphere permissions to specific port groups must be granted only to individuals who need it. From the vSphere Client/vCenter as a user with full Administrator Role rights to the Inventory object to be checked:
(1) Select '[Inventory Object]>> Permissions'. Assign users with the appropriate Role to the all Inventory object(s).

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Group-ID|V-39364, Rule-ID|SV-250549r798646_rule, STIG-ID|ESXI5-VMNET-000007, STIG-Legacy|SV-51222, STIG-Legacy|V-39364, Vuln-ID|V-250549

Plugin: VMware

Control ID: e7b500e258055a6f91c88243d92a6a8f761f4fc2323f58a84ea2cb34d1a1b014