VCSA-80-000270 The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject".

Information

When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the port group have the potential of reading all packets across that network, meaning only the virtual machines connected to that port group.

Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, go to "Networking".

Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies.

Click "Edit".

Click the "Security" tab.

Set "Promiscuous Mode" to "Reject".

Click "OK".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y24M08_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-258937r961863_rule, STIG-ID|VCSA-80-000270, Vuln-ID|V-258937

Plugin: VMware

Control ID: f07ec201ebdfaf82f3991798b1eb49ce14a95e8295f6e1ec2e9b9da28bcb5012