VCSA-70-000283 - The vCenter Server must disable Username/Password and Windows Integrated Authentication.

Information

All forms of authentication other than Common Access Card (CAC) must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local Single Sign-On (SSO) accounts or to Active Directory username/password accounts, but it must be disabled again as soon as CAC authentication is functional.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.

Next to 'Authentication method', click 'Edit'.

Select the radio button to 'Enable smart card authentication'.

Click 'Save'.

To re-enable password authentication for troubleshooting purposes, run the following command on the vCenter Server Appliance. Note that it turns password authentication on and, for the vsphere.local tenant, turns smart card (certificate), Windows Integrated and RSA SecurID authentication off, so smart card authentication must be enabled again from the vSphere Client once troubleshooting is complete:

# /opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local
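Since Nessus does not perform this check, the following shell script is an added example (not part of the STIG, the Nessus plugin, or VMware's own tooling) of how an administrator could evaluate the control from the appliance. It queries the tenant policy with sso-config.sh -get_authn_policy, which is the read counterpart of the -set_authn_policy command above, and flags a finding if either PasswordAuth or WindowsAuth is still enabled. The policy text embedded in the script is a constructed sample, and the exact key names printed by sso-config.sh (PasswordAuth, WindowsAuth, CertAuthn, SecurIDAuthn) are assumed and should be confirmed against real output before relying on the parser.

```sh
#!/bin/sh
# Added example for VCSA-70-000283 (not from the STIG, Tenable or VMware).
# Evaluates whether password and Windows Integrated Authentication are
# disabled for the SSO tenant, using the output of sso-config.sh.

SSO_CONFIG=/opt/vmware/bin/sso-config.sh
TENANT=vsphere.local

# CONSTRUCTED sample of a non-compliant policy: password and Windows auth on.
# Key names are assumed to match what "sso-config.sh -get_authn_policy" prints.
SAMPLE_NONCOMPLIANT='AuthnPolicy for tenant: vsphere.local
PasswordAuth: true
WindowsAuth: true
CertAuthn: false
SecurIDAuthn: false'

# CONSTRUCTED sample of a compliant, smart-card-only policy.
SAMPLE_COMPLIANT='AuthnPolicy for tenant: vsphere.local
PasswordAuth: false
WindowsAuth: false
CertAuthn: true
SecurIDAuthn: false'

# policy_value <policy-text> <key>
# Prints the lower-cased value of the "<key>: <value>" line, or "unknown"
# when the key is absent, so a missing field is never treated as compliant.
policy_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == (tolower(key) ":") { print tolower($2); found = 1; exit }
        END { if (!found) print "unknown" }'
}

# evaluate_policy <policy-text>
# Prints "compliant" (exit 0) only when both PasswordAuth and WindowsAuth are
# explicitly false; anything else, including an unreadable field, is a
# "finding" (exit 1), matching the STIG's rule that only CAC may remain.
evaluate_policy() {
    pwd_auth=$(policy_value "$1" PasswordAuth)
    win_auth=$(policy_value "$1" WindowsAuth)
    if [ "$pwd_auth" = "false" ] && [ "$win_auth" = "false" ]; then
        echo compliant
        return 0
    fi
    echo finding
    return 1
}

# check_live
# On a vCenter Server Appliance, reads the real tenant policy; anywhere else
# falls back to the constructed sample so the script still runs offline.
check_live() {
    if [ -x "$SSO_CONFIG" ]; then
        evaluate_policy "$("$SSO_CONFIG" -get_authn_policy -t "$TENANT" 2>/dev/null)"
    else
        echo "sso-config.sh not found; evaluating constructed sample" >&2
        evaluate_policy "$SAMPLE_NONCOMPLIANT"
    fi
}

# Remediation is done in the vSphere Client as described above. The
# equivalent CLI form (assumption: it mirrors the page's command with the
# flags flipped, and the trusted CA certificates are already configured or
# supplied with -cacerts) would be:
#   "$SSO_CONFIG" -set_authn_policy -pwdAuthn false -winAuthn false \
#       -certAuthn true -securIDAuthn false -t "$TENANT"
# Run it only after verifying that smart card logins already succeed.

check_live
```

Run the script as root on the appliance; a non-zero exit status means the tenant still accepts a username/password or Windows session and the control is not met. The parser deliberately reports "unknown" values as a finding rather than silently passing when the output format differs from the assumed sample.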

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Rule-ID|SV-256363r885700_rule, STIG-ID|VCSA-70-000283, Vuln-ID|V-256363

Plugin: VMware

Control ID: 2ca070df9a7d8e2abbadbb597aa416be72e2d6e192b7dff75a9f31d49a75ca0f