2.3 (L1) Host must enable Secure Boot enforcement

Information

Secure Boot is part of the UEFI firmware standard. With Secure Boot enforcement enabled, the host loads only UEFI drivers and applications that carry valid digital signatures. Enforcement requires support from the server's BIOS and the hypervisor boot loader, and mandates that all ESXi kernel modules, drivers, and VIBs be signed by VMware or a trusted partner subordinate.

Organizations should enable Secure Boot enforcement to enhance the security of their virtual environments. Requiring valid digital signatures for UEFI drivers and apps mitigates the risk of offline attacks, where an attacker could transfer the ESXi install drive to a non-Secure Boot host and boot it without detection. This control establishes a trusted boot process, reducing the risk of unauthorized access and maintaining the integrity of the ESXi host.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
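
Because the check is manual, the following added example (not part of the benchmark or the plugin) evaluates the "Require Secure Boot" field from the host's encryption settings. It assumes an ESXi release that provides `esxcli system settings encryption get`; the sample output blocks are constructed.

```shell
#!/bin/sh
# Added example: decide compliance from the "Require Secure Boot" field of
# `esxcli system settings encryption get` (assumed available on the host).

# Constructed sample outputs; values are invented for illustration.
SAMPLE_ENFORCED='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'
SAMPLE_NOT_ENFORCED='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

# Reads esxcli output on stdin.
# Prints a verdict and returns 0 (compliant), 1 (non-compliant), 2 (unknown).
check_secure_boot_enforcement() {
    value=$(awk -F': *' '
        {
            sub(/^[ \t]+/, "", $1)        # drop esxcli indentation
            gsub(/[ \t\r]+$/, "", $2)     # drop trailing whitespace / CR
        }
        # Exact field match so other "Require ..." lines are ignored.
        $1 == "Require Secure Boot" { print tolower($2); exit }
    ')
    case "$value" in
        true)
            echo "COMPLIANT: Secure Boot enforcement is required"
            return 0 ;;
        false)
            echo "NON-COMPLIANT: Secure Boot enforcement is not required"
            return 1 ;;
        *)
            # Field absent (older release, error text): do not assume a pass.
            echo "UNKNOWN: field not found, review manually"
            return 2 ;;
    esac
}

# On an ESXi host, evaluate the live setting; elsewhere, run the sample.
if command -v esxcli >/dev/null 2>&1; then
    esxcli system settings encryption get | check_secure_boot_enforcement
else
    printf '%s\n' "$SAMPLE_ENFORCED" | check_secure_boot_enforcement
fi
```

A missing field is reported as unknown rather than compliant, so a host that cannot report the setting still gets a manual review.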

Solution

Impact:

Failing to enable Secure Boot enforcement exposes the ESXi host to potential security breaches. Without this control, an attacker could compromise the ESXi host by booting its install drive on a non-Secure Boot host, bypassing ESXi's protections. This could lead to unauthorized access, data breaches, and compromise of the virtual environment's integrity. Enabling Secure Boot enforcement is crucial for maintaining a secure and trusted ESXi host, mitigating potential negative impacts, and safeguarding the virtual infrastructure.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: VMware

Control ID: 4737dd62abb03e829f178edb8e8ca9c0ca8e33fb279d189c28ccd826d5bb60b9