You perform this procedure on the management domain vCenter Server to configure password policies, lockout policies, alarms, smart card configurations, proxy, CEIP, login banners, LDAP, and other configurations.

Procedure

  1. In a Web browser, log in to management domain vCenter Server by using the vSphere Client.

     Setting      Value
     URL          https://management-domain-vcenter-server-fqdn/ui
     User name    administrator@vsphere.local

  2. Configure the password policies.
    1. From the Home menu of the vSphere Client, click Administration.
    2. Under Single Sign-On, click Configuration.
    3. On the Local Accounts tab, under Password policy, click Edit.
    4. In the Edit password policies dialog box, configure the settings and click Save.

       Configuration ID              Setting              Value
       NIST80053-VI-VC-CFG-00421     Maximum lifetime     60

  3. Configure the lockout policies.
    1. On the Local Accounts tab, under Lockout Policy, click Edit.
    2. In the Edit lockout policies dialog box, configure the settings and click Save.

       Configuration ID              Setting                                    Value
       NIST80053-VI-VC-CFG-00436     Maximum number of failed login attempts    3
       NIST80053-VI-VC-CFG-00434     Time interval between failures             900 seconds
       NIST80053-VI-VC-CFG-00435     Unlock time                                0 seconds

  4. NIST80053-VI-VC-CFG-00442 Configure an alert if an error occurs with the ESXi remote syslog connection.
    1. In the Hosts and Clusters inventory, select the management domain vCenter Server.
    2. Click the Configure tab and select Alarm Definitions.
    3. Click Add to open the New alarm definition wizard.
    4. On the Name and targets page, enter the settings and click Next.

       Setting        Value
       Alarm name     esx.problem.vmsyslogd.remote.failure
       Target type    vCenter Server

    5. On the Alarm rule 1 page, under If, enter esx.problem.vmsyslogd.remote.failure as a trigger and press Enter.
    6. Configure the remaining settings for the alarm, click Next, and follow the prompts to finish the wizard.

       Setting                     Value
       Trigger the alarm and       Show as warning
       Send email notifications    Off
       Send SNMP traps             On
       Run script                  Off

  5. NIST80053-VI-VC-CFG-01219 Configure an alert to the appropriate personnel about SSO account actions.
    1. Click Add to open the New alarm definition wizard.
    2. On the Name and targets page, enter the settings and click Next.

       Setting        Value
       Alarm name     com.vmware.sso.PrincipalManagement
       Target type    vCenter Server

    3. On the Alarm rule 1 page, under If, enter com.vmware.sso.PrincipalManagement as a trigger and press Enter.
    4. Configure the remaining settings for the alarm, click Next, and follow the prompts to finish the wizard.

       Setting                     Value
       Trigger the alarm and       Show as warning
       Send email notifications    Off
       Send SNMP traps             On
       Run script                  Off

  6. NIST80053-VI-VC-CFG-00418 Configure a proxy for the download of the public Hardware Compatibility List.
    1. In the Hosts and Clusters inventory, select the management domain vCenter Server.
    2. Click the Configure tab and under vSAN, click Internet Connectivity.
    3. On the Internet connectivity page, click Edit.
    4. Select the Configure the Proxy Server if your system uses one check box.
    5. Enter the proxy server details and click Apply.
  7. NIST80053-VI-VC-CFG-01236 Remove the privilege to use the virtual machine console for the standard virtual machine user role.
    1. On the Home page of the vSphere Client, click Administration, and click Roles.
    2. From the Roles provider drop-down menu, select the management domain vCenter Server.
    3. Select the Virtual machine user (sample) role and click Edit role action.
    4. In the Edit Role dialog box, select the Virtual machine group and under Interaction, deselect the Console interaction check box.
    5. Click Next and click Finish.
  8. NIST80053-VI-VC-CFG-01209 Configure a login message.
    1. From the Home menu of the vSphere Client, click Administration.
    2. Under Single Sign-On, click Configuration.
    3. Click the Login Message tab and click Edit.
    4. In the Details of login message text box, enter This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials. and click Save.
  9. NIST80053-VI-VC-CFG-01212 Configure Mutual CHAP for vSAN iSCSI targets.
    1. In the Hosts and Clusters inventory, select the vSAN-enabled cluster.
    2. Click the Configure tab and under vSAN, click Services.
    3. In the vSAN iSCSI Target Service tile, click Enable.
    4. Enable the service from the toggle switch and, from the Authentication drop-down menu, select Mutual CHAP.
    5. Configure the incoming and outgoing users and secrets appropriately and click Apply.
  10. NIST80053-VI-VC-CFG-01213 Configure Key Encryption Keys (KEKs) to be reissued at 60-day intervals for the vSAN encrypted datastores.
    1. In the Hosts and Clusters inventory, select the vSAN-enabled cluster.
    2. Click the Configure tab and, under vSAN, click Services.
    3. In the Data services tile, click Edit.
    4. Turn on Data-in-transit encryption and enter a custom interval of 86400 minutes, which equals 60 days.
    5. Click Apply.
  11. Set SDDC Deployment Details on the vCenter Server instances.
    1. In the Global Inventory Lists inventory, click vCenter Servers.
    2. Click the vCenter Server object and click the Configure tab in the central pane.
    3. Under Settings, click Advanced Settings and click Edit settings.
    4. In the Edit advanced vCenter Server Settings dialog box, enter the settings and click Add.

       Setting    Value
       Name       config.SDDC.Deployed.ComplianceKit
       Value      VCF-NIST-800-53
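As an added example that is not part of the original procedure, the following read-only PowerCLI script audits a management domain vCenter Server against the values above (password and lockout policies, the two alarms with their SNMP action, the sample role's console privilege, and the SDDC marker) and lists every setting that deviates. It assumes PowerCLI and the VMware.vSphere.SsoAdmin module are installed; the cmdlet, parameter and property names used are assumptions taken from those modules, and the privilege ID for Console interaction is assumed to be VirtualMachine.Interact.ConsoleInteract.

```powershell
# Added audit example (not VMware documentation code). Assumes PowerCLI and the
# VMware.vSphere.SsoAdmin module; cmdlet and property names are assumed from them.
param(
    [Parameter(Mandatory)] [string] $VCenter,          # management-domain-vcenter-server-fqdn
    [Parameter(Mandatory)] [pscredential] $Credential  # administrator@vsphere.local
)
Import-Module VMware.PowerCLI, VMware.vSphere.SsoAdmin -ErrorAction Stop
$vi  = Connect-VIServer -Server $VCenter -Credential $Credential
$sso = Connect-SsoAdminServer -Server $VCenter -Credential $Credential -SkipCertificateCheck

$findings = [System.Collections.Generic.List[string]]::new()
function Check($id, $name, $actual, $expected) {
    # Record a finding when the live value differs from the procedure's value.
    if ("$actual" -ne "$expected") { $findings.Add("$id $name : expected '$expected', found '$actual'") }
}

# Step 2: password policy
$pw = Get-SsoPasswordPolicy -Server $sso
Check 'NIST80053-VI-VC-CFG-00421' 'Maximum lifetime' $pw.PasswordLifetimeDays 60

# Step 3: lockout policy
$lo = Get-SsoLockoutPolicy -Server $sso
Check 'NIST80053-VI-VC-CFG-00436' 'Maximum number of failed login attempts' $lo.MaxFailedAttempts 3
Check 'NIST80053-VI-VC-CFG-00434' 'Time interval between failures' $lo.FailedAttemptIntervalSec 900
Check 'NIST80053-VI-VC-CFG-00435' 'Unlock time' $lo.AutoUnlockIntervalSec 0

# Steps 4 and 5: alarm definitions must exist and send SNMP traps
foreach ($a in @(
    @{ Id = 'NIST80053-VI-VC-CFG-00442'; Name = 'esx.problem.vmsyslogd.remote.failure' },
    @{ Id = 'NIST80053-VI-VC-CFG-01219'; Name = 'com.vmware.sso.PrincipalManagement' })) {
    $alarm = Get-AlarmDefinition -Server $vi -Name $a.Name -ErrorAction SilentlyContinue
    Check $a.Id 'Alarm defined' ([bool]$alarm) $true
    if ($alarm) {
        $snmp = Get-AlarmAction -AlarmDefinition $alarm | Where-Object ActionType -eq 'SendSNMP'
        Check $a.Id 'Send SNMP traps' ([bool]$snmp) $true
    }
}

# Step 7: the sample VM user role must not carry Console interaction (assumed privilege ID)
$role = Get-VIRole -Server $vi -Name 'Virtual machine user (sample)' -ErrorAction SilentlyContinue
$console = $role.PrivilegeList | Where-Object { $_ -eq 'VirtualMachine.Interact.ConsoleInteract' }
Check 'NIST80053-VI-VC-CFG-01236' 'Console interaction removed' ([bool]$console) $false

# Step 11: SDDC deployment marker
$marker = Get-AdvancedSetting -Entity $vi -Name 'config.SDDC.Deployed.ComplianceKit' -ErrorAction SilentlyContinue
Check 'Step 11' 'config.SDDC.Deployed.ComplianceKit' $marker.Value 'VCF-NIST-800-53'

Disconnect-SsoAdminServer -Server $sso
Disconnect-VIServer -Server $vi -Confirm:$false
if ($findings.Count -eq 0) { 'All checked settings match the procedure.' } else { $findings }
```

The script only reads configuration; apply any corrections through the vSphere Client steps above so the change is recorded against the administrator account that made it.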