The vCenter Server must disable accounts used for Integrated Windows Authentication (IWA).
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-265979 | SRG-APP-000516 | VCSA-80-000305 | SV-265979r1003616_rule | 2025-06-09 | 2 |
Description
If not used for their intended purpose, default accounts must be disabled. vCenter ships with several default accounts, two of which are specific to IWA and SASL/Kerberos authentication. If other methods of authentication are used, these accounts are not needed and must be disabled.
ℹ️ Check
If IWA is used for vCenter authentication, this is not applicable.
From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Users.
Change the domain to "vsphere.local" and review the "K/M" and "krbtgt/VSPHERE.LOCAL" accounts.
If the "K/M" and "krbtgt/VSPHERE.LOCAL" accounts are not disabled, this is a finding.
✔️ Fix
From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Users.
Select the "K/M" or "krbtgt/VSPHERE.LOCAL" and click "More" then select "Disable".
Click "Ok" to disable the user account.