VCWN-06-000033 - A least-privileges assignment must be used for the vCenter Server database user.

Information

Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure correct permissions and roles for SQL:

Grant these privileges to a vCenter database administrator role used only for initial setup and periodic maintenance of the database:
Schema permissions ALTER, REFERENCES, and INSERT.
Permissions CREATE TABLE, VIEW, and CREATE PROCEDURES.

Grant these privileges to a vCenter database user role:
SELECT, INSERT, DELETE, UPDATE, and EXECUTE.
EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures.
SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables.

Grant the permissions VIEW SERVER STATE and VIEW ANY DEFINITIONS to the vCenter database user.

For more information, refer to the following website: http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.install.doc/GUID-36B92A8C-074A-4657-9938-62AB97225B91.html

See Also

http://iasecontent.disa.mil/stigs/zip/U_VMware_vSphere_6-0_vCenter_Server_for_Windows_V1R4_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Group-ID|V-64007, Rule-ID|SV-78497r2_rule, STIG-ID|VCWN-06-000033, Vuln-ID|V-64007

Plugin: VMware

Control ID: c780b4e59d87a0b7ef4c662af01dd03baafb50ed9b5135f149b506d3fe8711c2