VCENTER-000020 - The system must restrict unauthorized vSphere users from being able to execute commands within the guest virtual machine.

Information

By default, vCenter Server 'Administrator' role allows users to interact with files and programs inside a virtual machine's guest operating system. Least Privilege requires that this privilege should not be granted to any users who are not authorized, to reduce risk of Guest confidentiality, availability, or integrity loss. To prevent such loss, a non-guest access role must be created without these privileges. This role is for users who need administrator privileges excluding those allowing file and program interaction within the guests.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Create a role to manage vCenter without the Guest Access Control (example 'Administrator No Guest Access'), and that this role is assigned to administrators who should not have Guest file and program interaction privileges.

Log into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator.
Go to 'Home>> Administration>> Roles' and verify a role exists for administrators with Guest access removed.
Right click on the role name and select 'Edit'. Verify under 'All Privileges>> Virtual Machines' the 'Guest Operations' checkbox is unchecked.
Create account(s) requiring administrator privileges without Guest access privileges.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_vCenter_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Group-ID|V-39558, Rule-ID|SV-250739r799907_rule, STIG-ID|VCENTER-000020, STIG-Legacy|SV-51416, STIG-Legacy|V-39558, Vuln-ID|V-250739

Plugin: VMware

Control ID: f530ece65e957a45553c155e488d4a7a263e0b028074b81cf1f4bb26baf29824