Details
An inactivity timeout must be set for the vSphere Client (Thick Client). This client-side setting can be changed by users, so this must be set by default and re-audited. Automatic session termination minimizes risk and reduces the potential for unauthorized access to vCenter.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
On each Windows computer with the vSphere Client installed:
Set a 15 minute (maximum) timeout in the VpxClient.exe.config file:
Locate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the
Set a 15 minute (maximum) timeout execution flag when starting the vSphere Client executable:
Locate the vSphere Client executable icon on the desktop, right click, and select properties. Add ‘-inactivityTimeout X’, where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server.
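Because the setting lives on each client machine and can be changed by users, a repeatable audit is more useful than a one-time edit. The PowerShell below is an added example for that purpose; it is not part of the Nessus plugin or of VMware's own tooling. It checks both places the procedure names: the VpxClient.exe.config file and the -inactivityTimeout argument on shortcuts that launch the client. The config key name `inactivityTimeout` under `<appSettings>` is an assumption (the page does not state it), so confirm it against the STIG text before relying on the result; the sample config written to the temp folder is constructed only to exercise the check offline.

```powershell
# Added example: audit the vSphere (thick) Client inactivity timeout on a Windows host.
# Not from the Nessus plugin or VMware. The <appSettings> key name "inactivityTimeout"
# is an ASSUMED name; confirm it against the STIG before using the result.

$MaxMinutes = 15   # maximum permitted by the control

function Test-VpxClientConfigTimeout {
    param([Parameter(Mandatory)][string]$ConfigPath)
    $result = [ordered]@{ Source = $ConfigPath; Minutes = $null; Compliant = $false; Reason = '' }
    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        $result.Reason = 'file not found'; return [pscustomobject]$result
    }
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    # ASSUMED key name; adjust if the deployed config uses a different one
    $node = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq 'inactivityTimeout' }
    if (-not $node) {
        $result.Reason = 'no inactivityTimeout entry'; return [pscustomobject]$result
    }
    $minutes = 0
    if (-not [int]::TryParse($node.value, [ref]$minutes) -or $minutes -lt 1 -or $minutes -gt $MaxMinutes) {
        $result.Minutes = $node.value; $result.Reason = "value must be 1..$MaxMinutes"
        return [pscustomobject]$result
    }
    $result.Minutes = $minutes; $result.Compliant = $true; $result.Reason = 'ok'
    [pscustomobject]$result
}

function Test-VpxClientShortcutTimeout {
    param([Parameter(Mandatory)][string]$ShortcutPath)
    $result = [ordered]@{ Source = $ShortcutPath; Minutes = $null; Compliant = $false; Reason = '' }
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($ShortcutPath)
    # The procedure adds "-inactivityTimeout X" to the shortcut's arguments
    if ($lnk.Arguments -match '(?i)-inactivityTimeout\s+(\d+)') {
        $result.Minutes = [int]$Matches[1]
        $result.Compliant = ($result.Minutes -ge 1 -and $result.Minutes -le $MaxMinutes)
        $result.Reason = if ($result.Compliant) { 'ok' } else { "value must be 1..$MaxMinutes" }
    } else {
        $result.Reason = 'no -inactivityTimeout argument'
    }
    [pscustomobject]$result
}

# --- Constructed sample (not a real VpxClient.exe.config) so the check runs offline ---
$sample = Join-Path $env:TEMP 'VpxClient.exe.config'
@'
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="inactivityTimeout" value="15" />
  </appSettings>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8
Test-VpxClientConfigTimeout -ConfigPath $sample   # expected: Compliant = True, Minutes = 15

# --- Sweep an installed client: every config file and every shortcut launching VpxClient.exe ---
Get-ChildItem -Path $env:ProgramFiles, ${env:ProgramFiles(x86)} -Recurse -Filter 'VpxClient.exe.config' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-VpxClientConfigTimeout -ConfigPath $_.FullName }
Get-ChildItem -Path "$env:Public\Desktop", "$env:USERPROFILE\Desktop" -Filter '*.lnk' -ErrorAction SilentlyContinue |
    Where-Object { (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath -like '*VpxClient.exe' } |
    ForEach-Object { Test-VpxClientShortcutTimeout -ShortcutPath $_.FullName }
```

The two checks are reported separately on purpose: the control accepts either method, so a host is compliant when at least one of them passes, and a shortcut with a larger value or no argument at all falls back to whatever the config file says. Running the sweep from a scheduled task and collecting the objects gives the re-audit the Details paragraph calls for.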
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: VMware.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Group-ID|V-39563
- Rule-ID|SV-250744r799922_rule
- STIG-ID|VCENTER-000027
- STIG-Legacy|SV-51421
- STIG-Legacy|V-39563
- Vuln-ID|V-250744