| ESXI-06-000001 - The VMM must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode. | ACCESS CONTROL |
| ESXI-06-000002 - The system must verify the DCUI.Access list. | CONFIGURATION MANAGEMENT |
| ESXI-06-000003 - The system must verify the exception users list for lockdown mode. | CONFIGURATION MANAGEMENT |
| ESXI-06-000004 - Remote logging for ESXi hosts must be configured. | ACCESS CONTROL |
| ESXI-06-000005 - The system must enforce the limit of three consecutive invalid logon attempts by a user. | ACCESS CONTROL |
| ESXI-06-000006 - The system must enforce the unlock timeout of 15 minutes after a user account is locked out. | ACCESS CONTROL |
| ESXI-06-000007 - The system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | ACCESS CONTROL |
| ESXI-06-000008 - The SSH daemon must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | ACCESS CONTROL |
| ESXI-06-000030 - The system must produce audit records containing information to establish what type of events occurred. | AUDIT AND ACCOUNTABILITY |
| ESXI-06-000031 - The VMM must enforce password complexity by requiring that at least one upper-case character be used. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000034 - The system must disable the Managed Object Browser (MOB). | CONFIGURATION MANAGEMENT |
| ESXI-06-000035 - The VMM must be configured to disable non-essential capabilities by disabling SSH. | CONFIGURATION MANAGEMENT |
| ESXI-06-000036 - The system must disable ESXi Shell unless needed for diagnostics or troubleshooting. | CONFIGURATION MANAGEMENT |
| ESXI-06-000037 - The system must use Active Directory for local user authentication. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000038 - The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000039 - Active Directory ESX Admin group membership must not be used. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000040 - The system must use multifactor authentication for local access to privileged accounts. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000041 - The system must set a timeout to automatically disable idle sessions after a predetermined period. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-000042 - The system must terminate shell services after a predetermined period. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-000043 - The system must logout of the console UI after a predetermined period. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-000045 - The system must enable a persistent log location for all locally stored logs. | AUDIT AND ACCOUNTABILITY |
| ESXI-06-000046 - The system must configure NTP time synchronization. | AUDIT AND ACCOUNTABILITY |
| ESXI-06-000048 - The system must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-000049 - The system must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-000050 - The system must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-000051 - The system must protect the confidentiality and integrity of transmitted information. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-000052 - The system must protect the confidentiality and integrity of transmitted information by utilizing different TCP/IP stacks where possible. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-000053 - SNMP must be configured properly. | CONFIGURATION MANAGEMENT |
| ESXI-06-000054 - The system must enable bidirectional CHAP authentication for iSCSI traffic. | CONFIGURATION MANAGEMENT |
| ESXI-06-000055 - The system must disable Inter-VM transparent page sharing. | CONFIGURATION MANAGEMENT |
| ESXI-06-000057 - The system must configure the firewall to block network traffic by default - Incoming | CONFIGURATION MANAGEMENT |
| ESXI-06-000057 - The system must configure the firewall to block network traffic by default - Outgoing | CONFIGURATION MANAGEMENT |
| ESXI-06-000058 - The system must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled. | CONFIGURATION MANAGEMENT |
| ESXI-06-000059 - The virtual switch Forged Transmits policy must be set to reject. | CONFIGURATION MANAGEMENT |
| ESXI-06-000060 - The virtual switch MAC Address Change policy must be set to reject. | CONFIGURATION MANAGEMENT |
| ESXI-06-000061 - The virtual switch Promiscuous Mode policy must be set to reject. | CONFIGURATION MANAGEMENT |
| ESXI-06-000062 - The system must prevent unintended use of the dvFilter network APIs. | CONFIGURATION MANAGEMENT |
| ESXI-06-000063 - All port groups must be configured to a value other than that of the native VLAN. | CONFIGURATION MANAGEMENT |
| ESXI-06-000064 - All port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required. | CONFIGURATION MANAGEMENT |
| ESXI-06-000065 - All port groups must not be configured to VLAN values reserved by upstream physical switches. | CONFIGURATION MANAGEMENT |
| ESXI-06-000066 - The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode. | CONFIGURATION MANAGEMENT |
| ESXI-06-000067 - All physical switch ports must be configured with spanning tree disabled. | CONFIGURATION MANAGEMENT |
| ESXI-06-000068 - Virtual switch VLANs must be fully documented and have only the required VLANs. | CONFIGURATION MANAGEMENT |
| ESXI-06-000070 - The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications. | CONFIGURATION MANAGEMENT |
| ESXI-06-000071 - The system must verify the integrity of the installation media before installing ESXi. | CONFIGURATION MANAGEMENT |
| ESXI-06-000072 - The system must have all security patches and updates installed. | CONFIGURATION MANAGEMENT |
| ESXI-06-000073 - The system must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic. | CONFIGURATION MANAGEMENT |
| ESXI-06-000074 - The system must enable the VSAN Health Check. | CONFIGURATION MANAGEMENT |
| ESXI-06-000075 - The connectivity between VSAN Health Check and public Hardware Compatibility List must be disabled or restricted by use of an external proxy server. | CONFIGURATION MANAGEMENT |
| ESXI-06-000076 - The system must configure the VSAN Datastore name to a unique name. | CONFIGURATION MANAGEMENT |
