| 1.1 Keep ESXi system properly patched | |
| 1.2 Verify Image Profile and VIB Acceptance Levels | |
| 1.3 Verify no unauthorized kernel modules are loaded on the host | |
| 2.1 Configure NTP time synchronization | AUDIT AND ACCOUNTABILITY |
| 2.2 Configure the ESXi host firewall to restrict access to services running on the host | ACCESS CONTROL |
| 2.3 Disable Managed Object Browser (MOB) | |
| 2.4 Do not use default self-signed certificates for ESXi communication | |
| 2.5 Ensure proper SNMP configuration - 'community name private does not exist' | IDENTIFICATION AND AUTHENTICATION |
| 2.5 Ensure proper SNMP configuration - 'community name public does not exist' | IDENTIFICATION AND AUTHENTICATION |
| 2.6 Prevent unintended use of dvfilter network APIs | ACCESS CONTROL |
| 2.7 Remove expired or revoked SSL certificates from the ESXi server | |
| 3.1 Configure a centralized location to collect ESXi host core dumps | |
| 3.2 Configure persistent logging for all ESXi host | AUDIT AND ACCOUNTABILITY |
| 3.3 Configure remote logging for ESXi hosts | AUDIT AND ACCOUNTABILITY |
| 4.1 Create a non-root user account for local admin access | |
| 4.2 Establish a password policy for password complexity | IDENTIFICATION AND AUTHENTICATION |
| 4.3 Use Active Directory for local user authentication - Enabled = 'true' | IDENTIFICATION AND AUTHENTICATION |
| 4.3 Use Active Directory for local user authentication - Review Domain | IDENTIFICATION AND AUTHENTICATION |
| 4.4 Verify Active Directory group membership for the 'ESX Admins' group | ACCESS CONTROL |
| 5.2 Disable ESXi Shell unless needed for diagnostics or troubleshooting | CONFIGURATION MANAGEMENT |
| 5.3 Disable SSH | CONFIGURATION MANAGEMENT |
| 5.4 Limit CIM Access | |
| 5.5 Enable lockdown mode to restrict remote access | |
| 5.7 Set a timeout to automatically terminate idle ESXi Shell and SSH sessions | ACCESS CONTROL |
| 5.8 Set a timeout for Shell Services | ACCESS CONTROL |
| 5.9 Set DCUI.Access to allow trusted users to override lockdown mode | ACCESS CONTROL |
| 6.1 Enable bidirectional CHAP authentication for iSCSI traffic. | IDENTIFICATION AND AUTHENTICATION |
| 6.2 Ensure uniqueness of CHAP authentication secrets | |
| 6.3 Mask and zone SAN resources appropriately | |
| 7.1 Ensure that the vSwitch Forged Transmits policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Ensure that the vSwitch MAC Address Change policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3 Ensure that the vSwitch Promiscuous Mode policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure that port groups are not configured to the value of the native VLAN | |
| 7.5 Ensure that port groups are not configured to VLAN values reserved by upstream physical switches | |
| 7.6 Ensure that port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT) | CONFIGURATION MANAGEMENT |
| 8.1.1 Limit informational messages from the VM to the VMX file | AUDIT AND ACCOUNTABILITY |
| 8.2.6 Prevent unauthorized removal and modification of devices. | ACCESS CONTROL |
| 8.2.7 Prevent unauthorized connection of devices. | ACCESS CONTROL |
| 8.3.1 Disable unnecessary or superfluous functions inside VMs | |
| 8.3.2 Minimize use of the VM console | |
| 8.3.3 Use secure protocols for virtual serial port access | |
| 8.3.4 Use templates to deploy VMs whenever possible | |
| 8.4.1 Control access to VMs through the dvfilter network APIs | ACCESS CONTROL |
| 8.4.2 Control VMsafe Agent Address | SYSTEM AND INFORMATION INTEGRITY |
| 8.4.3 Control VMsafe Agent Port | SYSTEM AND INFORMATION INTEGRITY |
| 8.4.4 Control VMsafe Agent Configuration | SYSTEM AND INFORMATION INTEGRITY |
| 8.4.24 Disable VM Console Copy operations | CONFIGURATION MANAGEMENT |
| 8.4.25 Disable VM Console Drag and Drop operations | CONFIGURATION MANAGEMENT |
| 8.4.26 Disable VM Console GUI Options | CONFIGURATION MANAGEMENT |
| 8.4.27 Disable VM Console Paste operations | CONFIGURATION MANAGEMENT |
