7.8 (L1) Ensure port-level configuration overrides are disabled.

Information

Port-level configuration overrides are disabled by default. Once enabled, they allow per-port security settings that ignore what is set at the port group level.

There are cases where unique configurations are needed, but this should be monitored so it is only used when authorized. If overrides are not monitored, anyone who gains access to a VM with a less secure VDS configuration could quietly exploit the broader access.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Using the vSphere Web Client,

- Go to the Networking section of vCenter
- After expanding each individual switch, perform the following for each port group.
- Go to Configure then expand Settings
- Click on Properties then click on Edit
- Select Advanced then under Override port policies set each to Disabled
- Click OK
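The steps above are applied one port group at a time in the Web Client. As an added PowerCLI audit (not part of this audit item or the CIS benchmark text), the following reports every distributed port group whose policy still permits a per-port override, so the environment can be checked in one pass before and after remediation. It assumes an open Connect-VIServer session and the DVPortgroupPolicy / VMwareDVSPortgroupPolicy property names from the vSphere API.

```powershell
# Added example: list distributed port groups that still allow port-level overrides.
# Assumes a PowerCLI session already opened with Connect-VIServer.
# Flag names are the vSphere API DVPortgroupPolicy / VMwareDVSPortgroupPolicy booleans;
# the compliant state for each of them is False.
$overrideFlags = @(
    'VlanOverrideAllowed',
    'UplinkTeamingOverrideAllowed',
    'SecurityPolicyOverrideAllowed',
    'IpfixOverrideAllowed',
    'BlockOverrideAllowed',
    'ShapingOverrideAllowed',
    'VendorConfigOverrideAllowed',
    'TrafficFilterOverrideAllowed',
    'NetworkResourcePoolOverrideAllowed',
    'LivePortMovingAllowed'
)

function Get-PortgroupOverrideReport {
    foreach ($pg in Get-VDPortgroup) {
        # ExtensionData exposes the raw API object behind the PowerCLI wrapper.
        $policy = $pg.ExtensionData.Config.Policy
        foreach ($flag in $overrideFlags) {
            # Not every flag exists on every vSphere version; skip ones this policy object lacks.
            if ($null -eq $policy.PSObject.Properties[$flag]) { continue }
            if ($policy.$flag) {
                [pscustomobject]@{
                    Switch    = $pg.VDSwitch.Name
                    Portgroup = $pg.Name
                    Override  = $flag
                    Allowed   = $true
                }
            }
        }
    }
}

$findings = Get-PortgroupOverrideReport
if ($findings) {
    # Each row is one port group / override pair that still needs to be set to Disabled.
    $findings | Sort-Object Switch, Portgroup, Override | Format-Table -AutoSize
} else {
    Write-Host 'All distributed port groups have port-level overrides disabled.'
}
```

Uplink port groups are included in the output; review those rows against your switch design rather than assuming they are findings.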

See Also

https://workbench.cisecurity.org/benchmarks/15334

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.2, CSCv7|12.4

Plugin: VMware

Control ID: 119698a7d458b6157734e76835742a0593fa438f55f87a081d2909ecc62c5a87