2.3 Ensure Managed Object Browser (MOB) is disabled

Information

The Managed Object Browser (MOB) is a web-based server application that lets you examine objects that exist on the server side, explore the object model used by the VMkernel to manage the host, and change configurations. It is installed and started automatically when vCenter is installed.

Rationale:

The MOB is meant to be used primarily for debugging the vSphere SDK. Because there are no access controls, the MOB could also be used as a method to obtain information about a host being targeted for unauthorized access.

Solution

To disable the MOB, run the following ESXi shell command:

vim-cmd proxysvc/remove_service '/mob' 'httpsWithRedirect'

Additionally, the following PowerCLI command may be used:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -Value 'false'

Note: You cannot disable the MOB while a host is in lockdown mode.
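
An audit-then-remediate pass built on the PowerCLI command above, added here as an example (it is not taken from the benchmark or from VMware). It assumes an active Connect-VIServer session and reads each host's lockdown state from ExtensionData.Config.LockdownMode; the $Remediate switch and the Status labels are this example's own names.

```powershell
# Added example: report the MOB setting per host and, only when $Remediate is
# set, change it on hosts that are not in lockdown mode.
# Assumes an active Connect-VIServer session.
$Remediate   = $false   # leave $false for a read-only audit
$settingName = 'Config.HostAgent.plugins.solo.enableMob'

$report = foreach ($vmhost in Get-VMHost) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName -ErrorAction SilentlyContinue
    # HostConfigInfo.lockdownMode: lockdownDisabled, lockdownNormal or lockdownStrict
    $lockdown = "$($vmhost.ExtensionData.Config.LockdownMode)"

    $status = if (-not $setting) {
        'SettingUnavailable'          # host not responding, or setting not exposed
    } elseif ("$($setting.Value)" -eq 'false') {
        'Compliant'
    } elseif ($lockdown -in 'lockdownNormal', 'lockdownStrict') {
        'NonCompliant-InLockdown'     # cannot be changed until lockdown is lifted
    } else {
        'NonCompliant'
    }

    if ($Remediate -and $status -eq 'NonCompliant') {
        Set-AdvancedSetting -AdvancedSetting $setting -Value 'false' -Confirm:$false | Out-Null
        # Re-read the value instead of trusting the write
        $check  = Get-AdvancedSetting -Entity $vmhost -Name $settingName
        $status = if ("$($check.Value)" -eq 'false') { 'Remediated' } else { 'RemediationFailed' }
    }

    [pscustomobject]@{
        Host      = $vmhost.Name
        EnableMob = if ($setting) { $setting.Value } else { $null }
        Lockdown  = $lockdown
        Status    = $status
    }
}

$report | Sort-Object Status, Host | Format-Table -AutoSize
```

Hosts reported as NonCompliant-InLockdown are left untouched, in line with the note above, and need lockdown mode lifted before the setting can be changed.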

See Also

https://workbench.cisecurity.org/benchmarks/8020

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|9.4

Plugin: VMware

Control ID: e4c5f5ac89733f4c32475ac0dd0239c0294c7deb2df128afdf3a7e5b240505bd