VCTR-67-000061 - The vCenter Server must disable Password and Windows integrated authentication.

Information

All forms of authentication other than CAC must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts but it must be disable as soon as CAC authentication is functional.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication. Next to 'Authentication methods', click 'Edit'. Click the 'Enable smart card authentication' radio button and click 'Save'.

To re-enable password authentication for troubleshooting purposes, run the following command on the vCenter server:

/opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-243116r879887_rule, STIG-ID|VCTR-67-000061, Vuln-ID|V-243116

Plugin: VMware

Control ID: 2e2bd4ed3b3df542e03c129d3680183f99f2cf0c199766fb612c04ec2fef6a7e