VCENTER-000019 - Access to SSL certificates must be restricted.

Information

The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password. By default, only the service user account and the vCenter Server administrators can access the directory containing the SSL certificates. The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, when collecting data for support purposes, the vCenter Server system administrator might need to access it. The permissions should be checked on a regular basis to ensure they have not been changed to add unauthorized users.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Ensure the Windows file permission on the SSL certificate directory files are set so only the vCenter service account and authorized vCenter Server Administrators can access them. Ensure the directory and all files within are only accessible to the service user (System) and authorized vCenter Server administrators. The location by default for vCenter this is C:\ProgramData\VMware\VMware VirtualCenter\SSL and for the Inventory Service SSL certificate is C:\Program Files\VMware\Infrastructure\Inventory Service\ssl.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_vCenter_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Group-ID|V-39557, Rule-ID|SV-250738r799904_rule, STIG-ID|VCENTER-000019, STIG-Legacy|SV-51415, STIG-Legacy|V-39557, Vuln-ID|V-250738

Plugin: VMware

Control ID: 4f48c20db13f8d95a2db1571eac7881bff78b8875f85c4c4ba0d5b41d48c6b69