

Ensure DISA Certificate Compliance using VCM

Today I show you how to ensure you comply with the DISA mandate to have DoD certificates on each Microsoft Windows machine, using VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops).

For this example, the DISA STIG for Windows 8 / 8.1, Version 1 Release 6, released on 25 Jul 2014, is used.

Below are the DISA requirements for certificates:

  • WN08-PK-000001 – The DoD Root Certificate must be installed into the Trusted Root Store
  • WN08-PK-000002 – The External CA Root Certificate must be installed into the Trusted Root Store
  • WN08-PK-000003 – The DoD Interoperability Root CA 1 to DoD Root CA 2 cross certificate must be installed into the Untrusted Certificates Store
  • WN08-PK-000004 – The US DoD CCEB Interoperability Root CA 1 to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store

So, basically, these requirements want you to follow the steps below manually to ensure the entries exist:

  1. Navigate to the Certificate Stores on EACH Local Machine
  2. Check that the DISA certificates with the particular thumbprints, Issued To and Issued By values exist
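The same two-step check, scripted for a single machine, as an added example that is not part of the original post or of VCM. The thumbprints are placeholders, since the post does not list them (take the real values from the STIG check text), and the Issued To / Issued By patterns are assumptions based on the requirement names above.

```powershell
# Added example: per-machine equivalent of the manual check for the four
# WN08-PK-00000x requirements. Thumbprints are PLACEHOLDERS; copy the real
# values from the STIG check text. Subject/Issuer patterns are assumptions.
$Requirements = @(
    @{ Id = 'WN08-PK-000001'; Store = 'Root'          # Trusted Root store
       Thumbprint = '<DOD-ROOT-CA-THUMBPRINT>'
       IssuedTo = '*DoD Root CA*';  IssuedBy = '*DoD Root CA*' }
    @{ Id = 'WN08-PK-000002'; Store = 'Root'
       Thumbprint = '<EXTERNAL-CA-ROOT-THUMBPRINT>'
       IssuedTo = '*ECA Root CA*';  IssuedBy = '*ECA Root CA*' }
    @{ Id = 'WN08-PK-000003'; Store = 'Disallowed'    # "Untrusted Certificates"
       Thumbprint = '<INTEROP-ROOT-CA1-TO-DOD-ROOT-CA2-THUMBPRINT>'
       IssuedTo = '*DoD Root CA 2*'
       IssuedBy = '*DoD Interoperability Root CA 1*' }
    @{ Id = 'WN08-PK-000004'; Store = 'Disallowed'
       Thumbprint = '<CCEB-INTEROP-ROOT-CA1-TO-DOD-ROOT-CA2-THUMBPRINT>'
       IssuedTo = '*DoD Root CA 2*'
       IssuedBy = '*US DoD CCEB Interoperability Root CA 1*' }
)

function Test-DisaCertificateRequirement {
    param([hashtable]$Req)
    $storePath = "Cert:\LocalMachine\$($Req.Store)"
    # The thumbprint is the authoritative match (-eq is case-insensitive in
    # PowerShell); Issued To / Issued By catch a certificate that carries the
    # listed thumbprint but not the names the STIG expects.
    $cert = Get-ChildItem -Path $storePath |
        Where-Object { $_.Thumbprint -eq $Req.Thumbprint } |
        Select-Object -First 1
    $status = if (-not $cert) {
                  'NonCompliant: certificate not found in store'
              } elseif ($cert.Subject -notlike $Req.IssuedTo -or
                        $cert.Issuer  -notlike $Req.IssuedBy) {
                  'NonCompliant: thumbprint present but names differ from STIG'
              } else {
                  'Compliant'
              }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Requirement = $Req.Id
        Store       = $Req.Store
        Thumbprint  = $Req.Thumbprint
        Status      = $status
    }
}

# One row per requirement; pipe to Export-Csv to build the report for the
# infrastructure manager.
$Requirements | ForEach-Object { Test-DisaCertificateRequirement $_ } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each machine; VCM performs this same check centrally across the managed estate, which is the point of the rest of the post.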

Having to manually check each machine for this can be a nightmare. But wait, here is VCM!

You can navigate to the VCM console and check whether those thumbprints exist, along with the other details:

[Screenshots: VCM certificate store view showing the certificates for WN08-PK-000001, WN08-PK-000002, WN08-PK-000003 and WN08-PK-000004]

But wait, I promised you no manual intervention, right? Correct, so you can create four compliance rules, one for each certificate requirement, using the UI-based rule creation wizard (a matter of a few clicks):

Here is how the rules show up:

[Screenshot: DISA Certificate Requirement Rules]

Now, run the compliance rules on your VCM-managed Windows infrastructure and, boom, it shows your compliant and non-compliant machines!

[Screenshot: Certificate Check Results]

Now send that report to your infrastructure manager and get the certificates deployed! Isn’t that easy?

Keep in mind that VCM manages not only virtual environments but physical ones as well. It is the market leader in Configuration Audit, Change Detection, Patch Management and COMPLIANCE content.

Let me know if you would like to see more quick peeks like this, and I won’t disappoint you!

Come, join the journey to Start Green Stay Green!

Thanks and regards,
Pravin Goyal
RHCE | HP-UX CSA | VCP | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | CWSP | Mobility+


About Pravin Goyal

Pravin Goyal is an information security and regulatory compliance expert in CMBU. He delivers and also leads various security projects such as security and compliance policies for PCI DSS 3.1, HIPAA, IRS, DISA, CIS, vSphere hardening guides and NSX hardening guides. He loves to keep abreast of the latest developments in the field and find compelling ideas to bring additional business and profitability to VMware. Additionally, he believes in collaborating across BUs and companies to deliver customer-facing solutions. Of late, he has authored the CIS Docker 1.6 and CIS Docker 1.11.0 Security Configuration Benchmarks and the NSX-v 6.1 hardening guide, and is a co-author of the vSphere hardening guide. He is leading the STIG compliance project from CMBU. https://www.linkedin.com/in/pravin-goyal-b7299b33