| 1.1 Keep ESXi system properly patched | |
| 1.2 Verify Image Profile and VIB Acceptance Levels | |
| 1.3 Verify no unauthorized kernel modules are loaded on the host | |
| 1.4 Ensure that the Forged Transmits policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5 Ensure that VDS Netflow traffic is only being sent to authorized collector IP Addresses | |
| 1.6 Restrict port-level configuration overrides on vDS | |
| 2.1 Configure NTP time synchronization | AUDIT AND ACCOUNTABILITY |
| 2.2 Configure the ESXi host firewall to restrict access to services running on the host | ACCESS CONTROL |
| 2.3 Disable Managed Object Browser (MOB) | |
| 2.4 Do not use default self-signed certificates for ESXi communication | |
| 2.6 Ensure proper SNMP configuration- 'community name private does not exist' | IDENTIFICATION AND AUTHENTICATION |
| 2.6 Ensure proper SNMP configuration- 'community name public does not exist' | IDENTIFICATION AND AUTHENTICATION |
| 2.7 Prevent unintended use of dvfilter network APIs | ACCESS CONTROL |
| 2.8 When adding ESXi hosts to Active Directory use the vSphere Authentication Proxy to protect passwords | |
| 3.1 Configure a centralized location to collect ESXi host core dumps | |
| 3.2 Configure Host Profiles to monitor and alert on configuration changes | |
| 3.3 Configure persistent logging for all ESXi host | AUDIT AND ACCOUNTABILITY |
| 3.4 Configure remote logging for ESXi hosts | AUDIT AND ACCOUNTABILITY |
| 4.1 Create a non-root user account for local admin access | |
| 4.2 Ensure the vpxuser account's password is automatically changed every 10 or fewer days | IDENTIFICATION AND AUTHENTICATION |
| 4.3 Establish a password policy for password complexity | IDENTIFICATION AND AUTHENTICATION |
| 4.4 Use Active Directory for local user authentication - Enabled = 'true' | IDENTIFICATION AND AUTHENTICATION |
| 4.4 Use Active Directory for local user authentication - Review Domain | IDENTIFICATION AND AUTHENTICATION |
| 4.5 Verify Active Directory group membership for the 'ESX Admins' group | ACCESS CONTROL |
| 5.2 Disable ESXi Shell unless needed for diagnostics or troubleshooting | CONFIGURATION MANAGEMENT |
| 5.3 Disable SSH | CONFIGURATION MANAGEMENT |
| 5.4 Enable lockdown mode to restrict remote access | |
| 5.5 Remove keys from SSH authorized_keys file | |
| 5.6 Set a timeout to automatically terminate idle ESXi Shell and SSH sessions | ACCESS CONTROL |
| 5.8 Set DCUI.Access to allow trusted users to override lockdown mode | ACCESS CONTROL |
| 6.1 Enable bidirectional CHAP authentication for iSCSI traffic | IDENTIFICATION AND AUTHENTICATION |
| 6.2 Ensure uniqueness of CHAP authentication secrets | |
| 7.1.1 Disable VDS network healthcheck if not used | |
| 7.1.2 Ensure that the MAC Address Change policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.1.3 Ensure that the Promiscuous Mode policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.1.4 Ensure that there are no unused ports on a distributed virtual port group | |
| 7.1.5 Ensure that VDS Port Mirror traffic is only being sent to authorized collector ports or VLANs | |
| 7.1.6 Verify that the autoexpand option for VDS dvPortgroups is disabled | |
| 7.2.1 Ensure that port groups are not configured to the value of the native VLAN | |
| 7.2.2 Ensure that port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT) | CONFIGURATION MANAGEMENT |
| 7.2.3 Ensure that port groups are not configured to VLAN values reserved by upstream physical switches | |
| 7.3.1 Ensure that the vSwitch Forged Transmits policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3.2 Ensure that the vSwitch MAC Address Change policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3.3 Ensure that the vSwitch Promiscuous Mode policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1.1 Disable VM communication through VMCI | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1.2 Limit informational messages from the VM to the VMX file | AUDIT AND ACCOUNTABILITY |
| 8.1.3 Limit sharing of console connections | ACCESS CONTROL |
| 8.2.1 Disconnect unauthorized devices - Floppy Devices | MEDIA PROTECTION |
| 8.2.2 Disconnect unauthorized devices - CD/DVD Devices | |
| 8.2.3 Disconnect unauthorized devices - Parallel Devices | CONFIGURATION MANAGEMENT |
