Information
Least privilege limits the damage an attacker can do if the vCenter database account is compromised. vCenter requires only a specific set of privileges on its database. Privileges that are needed only for installation and upgrade must be removed for normal operation and reinstated only when a future upgrade must be performed.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Configure the correct permissions and roles in SQL Server:
Grant these privileges to a vCenter database administrator role used only for initial setup and periodic maintenance of the database:
Schema permissions ALTER, REFERENCES, and INSERT.
Permissions CREATE TABLE, ALTER TABLE, VIEW, and CREATE PROCEDURES.
Grant these privileges to a vCenter database user role:
SELECT, INSERT, DELETE, UPDATE, and EXECUTE.
EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures.
SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables.
Grant the server-level permissions VIEW SERVER STATE and VIEW ANY DEFINITION to the vCenter database user.
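The following T-SQL is an added example of applying the split above (it is not part of the benchmark or of VMware's own scripts); the database name VCDB, the login vpxuser and the role names VC_ADMIN_ROLE and VC_USER_ROLE are assumed, and ALTER ROLE ... ADD MEMBER assumes SQL Server 2012 or later.

```sql
-- Assumed names (not from the benchmark): VCDB, vpxuser, VC_ADMIN_ROLE, VC_USER_ROLE.
USE VCDB;
GO
CREATE ROLE VC_ADMIN_ROLE;
CREATE ROLE VC_USER_ROLE;
GO
-- Administrator role: held only during installation, upgrade and maintenance.
GRANT ALTER, REFERENCES, INSERT ON SCHEMA::dbo TO VC_ADMIN_ROLE;
-- ALTER on the schema is what allows ALTER TABLE on objects in dbo.
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO VC_ADMIN_ROLE;
-- Runtime role: data access and procedure execution only.
GRANT SELECT, INSERT, DELETE, UPDATE, EXECUTE ON SCHEMA::dbo TO VC_USER_ROLE;
GO
-- The vCenter user is a permanent member of the runtime role only.
CREATE USER vpxuser FOR LOGIN vpxuser;
ALTER ROLE VC_USER_ROLE ADD MEMBER vpxuser;
-- Before an upgrade:  ALTER ROLE VC_ADMIN_ROLE ADD MEMBER vpxuser;
-- After the upgrade:  ALTER ROLE VC_ADMIN_ROLE DROP MEMBER vpxuser;
GO
-- SQL Agent job procedures and tables live in msdb, so those grants go there.
USE msdb;
GO
CREATE USER vpxuser FOR LOGIN vpxuser;
GRANT EXECUTE ON dbo.sp_add_job         TO vpxuser;
GRANT EXECUTE ON dbo.sp_delete_job      TO vpxuser;
GRANT EXECUTE ON dbo.sp_add_jobstep     TO vpxuser;
GRANT EXECUTE ON dbo.sp_update_job      TO vpxuser;
GRANT EXECUTE ON dbo.sp_add_jobserver   TO vpxuser;
GRANT EXECUTE ON dbo.sp_add_jobschedule TO vpxuser;
GRANT EXECUTE ON dbo.sp_add_category    TO vpxuser;
GRANT SELECT ON dbo.syscategories TO vpxuser;
GRANT SELECT ON dbo.sysjobsteps   TO vpxuser;
GRANT SELECT ON dbo.sysjobs_view  TO vpxuser;
GRANT SELECT ON dbo.sysjobs       TO vpxuser;
GO
-- Server-level permissions are granted to the login, in master.
USE master;
GO
GRANT VIEW SERVER STATE TO vpxuser;
GRANT VIEW ANY DEFINITION TO vpxuser;
GO
-- Verification for normal operation: the runtime user must hold no
-- ALTER/CREATE rights on dbo and must not be a member of VC_ADMIN_ROLE.
USE VCDB;
GO
EXECUTE AS USER = 'vpxuser';
SELECT permission_name FROM fn_my_permissions('dbo', 'SCHEMA') ORDER BY permission_name;
REVERT;
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members drm
JOIN sys.database_principals r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = drm.member_principal_id
WHERE m.name = 'vpxuser';
```

The two verification queries at the end are what an auditor would run to confirm the finding: the schema permission list for vpxuser should contain only SELECT, INSERT, DELETE, UPDATE and EXECUTE, and the role membership list should show VC_USER_ROLE only.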