VCSA-70-000270 - The vCenter Server must set the distributed port group Promiscuous Mode policy to 'Reject' - Reject.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the port group have the potential of reading all packets across that network, meaning only the virtual machines connected to that port group.

Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, go to 'Networking'.

Select a distributed switch and then select a port group.

Select Configure >> Settings >> Policies.

Click 'Edit'.

Click the 'Security' tab.

Set 'Promiscuous Mode' to 'Reject'.

Click 'OK'.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000366, Rule-ID|SV-256350r885661_rule, STIG-ID|VCSA-70-000270, Vuln-ID|V-256350

Plugin: VMware

Control ID: 6f921dd2f6c0bc171658c694a17b93411bff13934cbe2fa3e9f03b217e6eefa6