Information
Ensure that the Promiscuous Mode policy is set to reject.
When promiscuous mode is enabled for a dvPortgroup, every virtual machine connected to that dvPortgroup can potentially read all packets crossing that network. The exposure is limited to the virtual machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. However, there might be a legitimate reason to enable it for debugging, monitoring or troubleshooting. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that these applications are connected to, in order to allow full-time visibility of the traffic on that dvPortgroup. Unlike standard vSwitches, dvSwitches only allow Promiscuous Mode at the dvPortgroup level.
http://pubs.vmware.com/vsphere-65/topic/com.vmware.vsphere.security.doc/GUID-C590B7D3-4E28-4F2B-8A59-4CDB9C6F2DAA.html
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere Web Client, for each portgroup within each distributed switch, go to "Manage" -> "Settings" -> "Policies" and click "Edit". Go to "Security" and set the "Promiscuous Mode" policy to "Reject".
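
Because this check is not performed automatically, the following added example (not part of the benchmark or of VMware's documentation) shows one way to audit the setting across all dvPortgroups while accounting for the approved exceptions described above. It assumes VMware PowerCLI, whose `Get-VDSecurityPolicy` output is assumed to expose `VDPortgroup` and `AllowPromiscuous`; the function name, portgroup names and exception list are hypothetical, and the sample objects are constructed so the logic can be run without a vCenter connection.

```powershell
# Added example: flag dvPortgroups whose Promiscuous Mode policy is not "Reject",
# separating approved exceptions (e.g. security monitoring portgroups) from findings.
function Find-PromiscuousPortgroup {
    [CmdletBinding()]
    param(
        # Policy objects exposing VDPortgroup and AllowPromiscuous
        # (assumed shape of Get-VDSecurityPolicy output).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Policy,

        # Hypothetical list of dvPortgroups approved to run in promiscuous mode.
        [string[]]$ApprovedException = @()
    )
    process {
        # Compliant portgroups (policy = Reject) produce no output.
        if (-not $Policy.AllowPromiscuous) { return }

        # Accept either a portgroup object (with .Name) or a plain string name.
        $pg   = $Policy.VDPortgroup
        $name = if ($pg.Name) { $pg.Name } else { [string]$pg }

        [pscustomobject]@{
            Portgroup = $name
            Finding   = if ($ApprovedException -contains $name) {
                            'ApprovedException'
                        } else {
                            'NonCompliant'
                        }
        }
    }
}

# Constructed sample data standing in for live policy objects.
$sample = @(
    [pscustomobject]@{ VDPortgroup = 'dvPG-Prod';    AllowPromiscuous = $false }
    [pscustomobject]@{ VDPortgroup = 'dvPG-IDS-Tap'; AllowPromiscuous = $true  }
    [pscustomobject]@{ VDPortgroup = 'dvPG-Test';    AllowPromiscuous = $true  }
)
$sample | Find-PromiscuousPortgroup -ApprovedException 'dvPG-IDS-Tap'

# Against a live vCenter (after Connect-VIServer), feed real policies instead:
#   Get-VDPortgroup | Get-VDSecurityPolicy |
#       Find-PromiscuousPortgroup -ApprovedException 'dvPG-IDS-Tap'
# To set a non-compliant portgroup back to Reject:
#   Get-VDPortgroup -Name '<name>' | Get-VDSecurityPolicy |
#       Set-VDSecurityPolicy -AllowPromiscuous $false
```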