You perform the procedure on all vCenter Server instances to configure password policies, lockout policies, alarms, proxy, login banners, LDAP, and other configurations.

Procedure

  1. In a Web browser, log in to vCenter Server by using the vSphere Client.

    Setting      Value
    URL          https://management-domain-vcenter-server-fqdn/ui
    User name    [email protected]

  2. Configure the password policies.
    1. From the Home menu of the vSphere Client, click Administration.
    2. Under Single Sign-On, click Configuration.
    3. On the Local accounts tab, under Password policy, click Edit.
    4. In the Edit password policies dialog box, configure the settings and click Save.

      Configuration ID   Setting            Value
      VMW-VC-00421       Maximum lifetime   60 days
      VMW-VC-00410       Minimum length     15 characters

  3. Configure the lockout policies.
    1. On the Local accounts tab, under Lockout policy, click Edit.
    2. In the Edit lockout policies dialog box, configure the settings and click Save.

      Configuration ID   Setting                                   Value
      VMW-VC-00436       Maximum number of failed login attempts   3
      VMW-VC-00434       Time interval between failures            900 seconds
      VMW-VC-00435       Unlock time                               0 seconds (accounts stay locked until an administrator unlocks them)

  4. VMW-VC-01219 Configure an alert for the appropriate personnel about SSO account actions
    1. In the Hosts and Clusters inventory, select the vCenter Server that you configure.
    2. Click the Configure tab and, under Security, select Alarm definitions.
    3. Click Add.

      The New alarm definition wizard opens.

    4. On the Name and targets page, enter the settings and click Next.

      Setting       Value
      Alarm name    SSO account actions - com.vmware.sso.PrincipalManagement
      Target type   vCenter Server

    5. On the Alarm rule 1 page, under If, enter com.vmware.sso.PrincipalManagement as a trigger and press Enter.
    6. Configure the remaining settings for the alarm, click Next, and follow the prompts to finish the wizard.

      Setting                    Value
      Trigger the alarm and      Show as warning
      Send email notifications   Off
      Send SNMP traps            On
      Run script                 Off

  5. VMW-VC-00418 Configure a proxy for the download of the public Hardware Compatibility List.
    1. In the Hosts and Clusters inventory, select the vCenter Server that you configure.
    2. Click the Configure tab and under vSAN, click Internet connectivity.
    3. On the Internet connectivity page, click Edit.
    4. Select the Configure the proxy server if your system uses one check box.
    5. Enter the proxy server details and click Apply.
  6. VMW-VC-01236 Remove the privilege to use the virtual machine console for the standard virtual machine user role.
    1. On the Home page of the vSphere Client, click Administration, and then click Roles.
    2. From the Roles provider drop-down menu, select the vCenter Server that you configure.
    3. Select the Virtual machine user (sample) role and click Edit role action.
    4. In the Edit role dialog box, select the Virtual machine group and under Interaction, deselect the Console interaction check box.
    5. Click Next and click Finish.
  7. VMW-VC-01209 Configure a login message.
    1. From the Home menu of the vSphere Client, click Administration.
    2. Navigate to Single Sign-On > Configuration.
    3. Click the Login message tab and click Edit.
    4. Activate the Show login message toggle.
    5. In the Login message text box, enter the login message.
    6. Activate the Consent checkbox toggle.
    7. In the Details of login message text box, enter the site-specific banner text and click Save.
  8. VMW-VC-01212 Configure Mutual CHAP for vSAN iSCSI targets.
    1. In the Hosts and Clusters inventory, select the vSAN-enabled cluster.
    2. Click the Configure tab and under vSAN, click Services.
    3. In the vSAN iSCSI target service tile, click Enable.
    4. Activate the service from the toggle switch.
    5. From the Authentication drop-down menu, select Mutual CHAP.
    6. Configure the incoming and outgoing users and secrets appropriately and click Apply.
  9. VMW-VC-01238 Deactivate SNMPv1/2 receivers.
    1. In the Hosts and Clusters inventory, select the vCenter Server that you configure.
    2. Click the Configure tab and, under Settings, click General.
    3. On the vCenter Server settings page, click Edit.
    4. In the Edit vCenter general settings dialog box, click SNMP receivers.
    5. Deactivate all active receivers and click Save.
  10. Set the SDDC deployment details on the vCenter Server instances.
    1. In the Global Inventory Lists view, click vCenter Servers.
    2. Click the vCenter Server object and click the Configure tab in the central pane.
    3. Under Settings, click Advanced settings and click Edit settings.
    4. In the Edit advanced vCenter Server settings dialog box, enter the settings and click Add.

    Setting   Value
    Name      config.SDDC.Deployed.ComplianceKit
    Value     VCF-NIST-800-53

  11. VMW-VC-00422 vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.
    1. From the Home menu of the vSphere Client, click Administration.
    2. Under Deployment, click Client configuration.
    3. Click Edit, for Session timeout enter 10 minutes, and click Save.
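Because the procedure above has to be repeated on every vCenter Server instance, the click-through is easy to get wrong on one of them. The following PowerCLI script is an added audit example; it is not part of the original procedure or of the VCF compliance kit. It checks the settings that are reachable through PowerCLI and reports PASS/FAIL per Configuration ID. Assumptions: VMware.PowerCLI and the community VMware.vSphere.SsoAdmin module are installed; the property names on the objects returned by Get-SsoPasswordPolicy and Get-SsoLockoutPolicy are as used here; the server name, credential and script file name are placeholders supplied by the caller. The alarm check serialises the alarm expression tree and searches it for the event ID, because expressions created in the wizard can be nested several levels deep.

```powershell
<# Added audit script (example, not from the original page). Checks the vCenter
   hardening steps that PowerCLI can see; assumptions are listed in the lead-in. #>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Server,             # e.g. management-domain-vcenter-server-fqdn
    [Parameter(Mandatory)] [pscredential] $Credential    # SSO administrator credential
)

Import-Module VMware.PowerCLI, VMware.vSphere.SsoAdmin -ErrorAction Stop
$vc  = Connect-VIServer -Server $Server -Credential $Credential -ErrorAction Stop
$sso = Connect-SsoAdminServer -Server $Server -User $Credential.UserName `
           -Password $Credential.GetNetworkCredential().Password -SkipCertificateCheck

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string] $Id, [string] $Expected, [bool] $Pass, $Actual) {
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $findings.Add([pscustomobject]@{ Id = $Id; Expected = $Expected; Status = $status; Actual = "$Actual" })
}

# Steps 2 and 3: SSO password and lockout policy (VMW-VC-00421, -00410, -00436, -00434, -00435).
# Property names below are assumed from the SsoAdmin module's output objects.
$pw = Get-SsoPasswordPolicy
Add-Finding 'VMW-VC-00421' 'Maximum lifetime 1..60 days'     ($pw.PasswordLifetimeDays -in 1..60)    $pw.PasswordLifetimeDays
Add-Finding 'VMW-VC-00410' 'Minimum length >= 15'            ($pw.MinLength -ge 15)                  $pw.MinLength
$lo = Get-SsoLockoutPolicy
Add-Finding 'VMW-VC-00436' 'Failed attempts <= 3'            ($lo.MaxFailedAttempts -le 3)           $lo.MaxFailedAttempts
Add-Finding 'VMW-VC-00434' 'Failure interval >= 900 s'       ($lo.FailedAttemptIntervalSec -ge 900)  $lo.FailedAttemptIntervalSec
Add-Finding 'VMW-VC-00435' 'Unlock time 0 s (manual unlock)' ($lo.AutoUnlockIntervalSec -eq 0)       $lo.AutoUnlockIntervalSec

# Step 4 (VMW-VC-01219): an event alarm on com.vmware.sso.PrincipalManagement that sends an SNMP trap.
$ssoAlarm = Get-AlarmDefinition -Server $vc | Where-Object {
    ($_.ExtensionData.Info.Expression | ConvertTo-Json -Depth 8) -match 'com\.vmware\.sso\.PrincipalManagement'
} | Select-Object -First 1
$snmpAction = if ($ssoAlarm) { Get-AlarmAction -AlarmDefinition $ssoAlarm | Where-Object ActionType -eq 'SendSNMP' }
Add-Finding 'VMW-VC-01219' 'PrincipalManagement alarm with SNMP trap action' ([bool]$ssoAlarm -and [bool]$snmpAction) $ssoAlarm.Name

# Step 6 (VMW-VC-01236): the sample VM user role must not carry the console-interaction privilege.
$role    = Get-VIRole -Server $vc -Name 'Virtual machine user (sample)' -ErrorAction SilentlyContinue
$console = 'VirtualMachine.Interact.ConsoleInteract'
Add-Finding 'VMW-VC-01236' "Role lacks $console" ($null -ne $role -and $role.PrivilegeList -notcontains $console) ($role.PrivilegeList -contains $console)

# Step 9 (VMW-VC-01238): no SNMP v1/v2c trap receivers enabled on vCenter (snmp.receiver.N.enabled).
$receivers = Get-AdvancedSetting -Entity $vc -Name 'snmp.receiver.*.enabled'
$enabled   = @($receivers | Where-Object { [System.Convert]::ToBoolean($_.Value) })
Add-Finding 'VMW-VC-01238' 'All snmp.receiver.N.enabled = false' ($enabled.Count -eq 0) ($enabled.Name -join ',')

# Step 10: compliance-kit marker written as an advanced setting.
$kit = Get-AdvancedSetting -Entity $vc -Name 'config.SDDC.Deployed.ComplianceKit' -ErrorAction SilentlyContinue
Add-Finding 'SDDC' 'config.SDDC.Deployed.ComplianceKit = VCF-NIST-800-53' ($kit.Value -eq 'VCF-NIST-800-53') $kit.Value

# Step 11 (VMW-VC-00422) is not exposed through PowerCLI; verify it on the appliance shell with
#   grep -E '^session\.timeout' /etc/vmware/vsphere-ui/webclient.properties   (expect: session.timeout = 10)
# Steps 5, 7 and 8 (HCL proxy, login banner, vSAN iSCSI mutual CHAP) remain manual checks in this script.

$findings | Format-Table -AutoSize
Disconnect-SsoAdminServer -Server $sso -ErrorAction SilentlyContinue
Disconnect-VIServer -Server $vc -Confirm:$false
if ($findings.Status -contains 'FAIL') { exit 1 }
```

Run it once per vCenter Server instance, for example `.\Audit-VcConfig.ps1 -Server management-domain-vcenter-server-fqdn -Credential (Get-Credential)`; the non-zero exit code on any FAIL lets a pipeline flag an instance where a step was skipped. Remediation of the SSO values can be scripted with the matching Set-SsoPasswordPolicy and Set-SsoLockoutPolicy cmdlets, the privilege with Set-VIRole -RemovePrivilege, and the SNMP receivers with Set-AdvancedSetting, but applying them is deliberately left out of an audit script so that an unexpected value is reviewed before it is changed.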