| 1.1 Keep ESXi system properly patched | CIS VMware ESXi 5.5 v1.2.0 Level 1 | VMware | |
| 1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 1.2 (L1) Host hardware must enable UEFI Secure Boot | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | SYSTEM AND SERVICES ACQUISITION |
| 1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 1.3 Ensure Password Complexity is set to 3 | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | IDENTIFICATION AND AUTHENTICATION |
| 1.3 Verify no unauthorized kernel modules are loaded on the host | CIS VMware ESXi 5.5 v1.2.0 Level 1 | VMware | |
| 1.3.1 Ensure 'Minimum Password Complexity' is enabled | CIS Palo Alto Firewall 10 v1.3.0 L1 | Palo_Alto | IDENTIFICATION AND AUTHENTICATION |
| 1.3.1 Ensure 'Minimum Password Complexity' is enabled | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | IDENTIFICATION AND AUTHENTICATION |
| 1.5 (L1) Host integrated hardware management controller must be secure | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 2.1 Configure NTP time synchronization | CIS VMware ESXi 5.5 v1.2.0 Level 1 | VMware | AUDIT AND ACCOUNTABILITY |
| 2.2 Configure the ESXi host firewall to restrict access to services running on the host | CIS VMware ESXi 5.5 v1.2.0 Level 1 | VMware | ACCESS CONTROL |
| 2.3 Disable Managed Object Browser (MOB) | CIS VMware ESXi 5.5 v1.2.0 Level 1 | VMware | |
| 2.4 Do not use default self-signed certificates for ESXi communication | CIS VMware ESXi 5.5 v1.2.0 Level 1 | VMware | |
| 2.6 (L1) Host must have reliable time synchronization sources | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | AUDIT AND ACCOUNTABILITY |
| 3.7 (L1) Host must automatically terminate idle DCUI sessions | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | ACCESS CONTROL |
| 3.12 (L1) Host must lock an account after a specified number of failed login attempts | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | ACCESS CONTROL |
| 4.3 (L1) Host must log sufficient information for events | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | AUDIT AND ACCOUNTABILITY |
| 4.9 (L1) Host must transmit audit records to a remote log collector | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | AUDIT AND ACCOUNTABILITY |
| 5.2 (L1) Host must block network traffic by default | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.4 Ensure all WildFire session information settings are enabled | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.7 (L1) Host should reject MAC address changes on standard virtual switches and port groups | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7 Choosing Wildfire public cloud region | CIS Palo Alto Firewall 11 v1.2.0 L2 | Palo_Alto | CONFIGURATION MANAGEMENT |
| 5.8 Ensure that 'Inline Cloud Analysis' on Wildfire profiles is enabled | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.1 Enable bidirectional CHAP authentication for iSCSI traffic. | CIS VMware ESXi 5.5 v1.2.0 Level 1 | VMware | IDENTIFICATION AND AUTHENTICATION |
| 6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.4 Zero out VMDK files prior to deletion | CIS VMware ESXi 5.5 v1.2.0 Level 2 | VMware | CONFIGURATION MANAGEMENT |
| 6.5.5 (L1) Host SSH daemon, if enabled, must set a timeout count on idle sessions | CIS VMware ESXi 8.0 v1.2.0 L1 Unix | Unix | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 6.5.6 (L1) Host SSH daemon, if enabled, must set a timeout interval on idle sessions | CIS VMware ESXi 8.0 v1.2.0 L1 Unix | Unix | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 6.5.12 (L1) Host SSH daemon, if enabled, must not permit user environment settings | CIS VMware ESXi 8.0 v1.2.0 L1 Unix | Unix | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 6.6 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | RISK ASSESSMENT |
| 6.20 Ensure that 'Wildfire Inline ML Action' on antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3' | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.21 Ensure that 'Wildfire Inline ML' on antivirus profiles are set to enable for all file types | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.25 Ensure that 'DNS Policies' is configured on Anti-Spyware profiles if 'DNS Security' license is available | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | ACCESS CONTROL, MEDIA PROTECTION |
| 7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | ACCESS CONTROL, MEDIA PROTECTION |
| 7.11 (L1) Virtual machines must remove unnecessary AHCI devices | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | CONFIGURATION MANAGEMENT |
| 7.18 (L1) Virtual machines must deactivate console copy operations | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | CONFIGURATION MANAGEMENT |
| 7.20 (L1) Virtual machines must limit access through the "dvfilter" network API | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 7.21 (L1) Virtual machines must deactivate virtual disk shrinking operations | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 7.22 (L1) Virtual machines must deactivate virtual disk wiping operations | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 7.26 (L1) Virtual machines must limit the number of retained diagnostic logs | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | AUDIT AND ACCOUNTABILITY |
| 7.28 (L1) Virtual machines must limit informational messages from the virtual machine to the VMX file | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | AUDIT AND ACCOUNTABILITY |
| 8.2.1 Disconnect unauthorized devices - Floppy Devices | CIS VMware ESXi 5.5 v1.2.0 Level 2 | VMware | MEDIA PROTECTION |
| 8.2.5 Disconnect unauthorized devices - USB Devices | CIS VMware ESXi 5.5 v1.2.0 Level 2 | VMware | MEDIA PROTECTION |
| 8.2.7 Prevent unauthorized connection of devices. | CIS VMware ESXi 5.5 v1.2.0 Level 1 | VMware | ACCESS CONTROL |
| 8.4.7 Disable Guest Host Interaction Protocol Handler | CIS VMware ESXi 5.5 v1.2.0 Level 2 | VMware | CONFIGURATION MANAGEMENT |
| 8.4.24 Disable VM Console Copy operations | CIS VMware ESXi 5.5 v1.2.0 Level 1 | VMware | CONFIGURATION MANAGEMENT |
| 8.5 (L1) VMware Tools must limit the automatic addition of features | CIS VMware ESXi 8.0 v1.2.0 L1 VMware | VMware | CONFIGURATION MANAGEMENT |
| 18.10.57.3.2.1 (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.57.3.2.1 (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' | CIS Microsoft Windows Server 2019 Stand-alone v3.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |