1.1 Ensure ESXi is properly patched | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
2.1 Ensure NTP time synchronization is configured properly | AUDIT AND ACCOUNTABILITY |
2.3 Ensure Managed Object Browser (MOB) is disabled | ACCESS CONTROL, MEDIA PROTECTION |
2.5 Ensure SNMP is configured properly - 'community name private does not exist' | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
2.5 Ensure SNMP is configured properly - 'community name public does not exist' | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
2.6 Ensure dvfilter API is not configured if not used | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
2.8 Ensure vSphere Authentication Proxy is used when adding hosts to Active Directory | ACCESS CONTROL |
2.9 Ensure VDS health check is disabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
3.2 Ensure persistent logging is configured for all ESXi hosts | AUDIT AND ACCOUNTABILITY |
3.3 Ensure remote logging is configured for ESXi hosts | AUDIT AND ACCOUNTABILITY |
4.2 Ensure passwords are required to be complex | IDENTIFICATION AND AUTHENTICATION |
4.3 Ensure the maximum failed login attempts is set to 5 | ACCESS CONTROL |
4.4 Ensure account lockout is set to 15 minutes | ACCESS CONTROL |
4.5 Ensure Active Directory is used for local user authentication | ACCESS CONTROL |
4.6 Ensure only authorized users and groups belong to the esxAdminsGroup group | ACCESS CONTROL |
4.7 Ensure the Exception Users list is properly configured | ACCESS CONTROL, MEDIA PROTECTION |
5.1 Ensure the DCUI timeout is set to 600 seconds or less | ACCESS CONTROL |
5.3 Ensure the ESXi shell is disabled | CONFIGURATION MANAGEMENT |
5.4 Ensure SSH is disabled | CONFIGURATION MANAGEMENT |
5.5 Ensure CIM access is limited | CONFIGURATION MANAGEMENT |
5.6 Ensure Lockdown mode is enabled | ACCESS CONTROL |
5.8 Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less | ACCESS CONTROL |
5.9 Ensure the shell services timeout is set to 1 hour or less | ACCESS CONTROL |
5.10 Ensure DCUI has a trusted users list for lockdown mode | ACCESS CONTROL |
6.1 Ensure bidirectional CHAP authentication for iSCSI traffic is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
6.2 Ensure the uniqueness of CHAP authentication secrets for iSCSI traffic | IDENTIFICATION AND AUTHENTICATION |
6.3 Ensure storage area network (SAN) resources are segregated properly | SYSTEM AND COMMUNICATIONS PROTECTION |
7.1 Ensure the vSwitch Forged Transmits policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.2 Ensure the vSwitch MAC Address Change policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.4 Ensure port groups are not configured to the value of the native VLAN | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.5 Ensure port groups are not configured to VLAN values reserved by upstream physical switches | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.6 Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT) | SYSTEM AND INFORMATION INTEGRITY |
7.7 Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector | SYSTEM AND INFORMATION INTEGRITY |
7.8 Ensure port-level configuration overrides are disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
8.1.1 Ensure informational messages from the VM to the VMX file are limited | AUDIT AND ACCOUNTABILITY |
8.2.1 Ensure unnecessary floppy devices are disconnected | CONFIGURATION MANAGEMENT |
8.2.3 Ensure unnecessary parallel ports are disconnected | CONFIGURATION MANAGEMENT |
8.2.4 Ensure unnecessary serial ports are disconnected | CONFIGURATION MANAGEMENT |
8.2.5 Ensure unnecessary USB devices are disconnected | CONFIGURATION MANAGEMENT |
8.2.6 Ensure unauthorized modification and disconnection of devices is disabled | CONFIGURATION MANAGEMENT |
8.2.7 Ensure unauthorized connection of devices is disabled | CONFIGURATION MANAGEMENT |
8.2.8 Ensure PCI and PCIe device passthrough is disabled | CONFIGURATION MANAGEMENT |
8.3.1 Ensure unnecessary or superfluous functions inside VMs are disabled | CONFIGURATION MANAGEMENT |
8.3.2 Ensure use of the VM console is limited | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
8.3.3 Ensure secure protocols are used for virtual serial port access | CONFIGURATION MANAGEMENT, MAINTENANCE |
8.3.4 Ensure standard processes are used for VM deployment | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
8.4.21 Ensure VM Console Copy operations are disabled | CONFIGURATION MANAGEMENT |
8.4.22 Ensure VM Console Drag and Drop operations are disabled | CONFIGURATION MANAGEMENT |