| Recommendation | Control family |
|---|---|
| 1.1 Keep ESXi system properly patched | SYSTEM AND INFORMATION INTEGRITY |
| 1.2 Verify Image Profile and VIB Acceptance Levels | SYSTEM AND SERVICES ACQUISITION |
| 1.3 Verify no unauthorized kernel modules are loaded on the host | SYSTEM AND SERVICES ACQUISITION |
| 2.1 Configure NTP time synchronization | AUDIT AND ACCOUNTABILITY |
| 2.2 Configure the ESXi host firewall to restrict access to services running on the host | ACCESS CONTROL |
| 2.3 Disable Managed Object Browser (MOB) | ACCESS CONTROL, MEDIA PROTECTION |
| 2.4 Do not use default self-signed certificates for ESXi communication | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Ensure proper SNMP configuration - 'community name private does not exist' | IDENTIFICATION AND AUTHENTICATION |
| 2.5 Ensure proper SNMP configuration - 'community name public does not exist' | IDENTIFICATION AND AUTHENTICATION |
| 2.6 Prevent unintended use of dvfilter network APIs | ACCESS CONTROL |
| 2.7 Remove expired or revoked SSL certificates from the ESXi server | CONFIGURATION MANAGEMENT |
| 3.1 Configure a centralized location to collect ESXi host core dumps | CONFIGURATION MANAGEMENT |
| 3.2 Configure persistent logging for all ESXi hosts | AUDIT AND ACCOUNTABILITY |
| 3.3 Configure remote logging for ESXi hosts | AUDIT AND ACCOUNTABILITY |
| 4.1 Create a non-root user account for local admin access | CONFIGURATION MANAGEMENT |
| 4.2 Establish a password policy for password complexity | IDENTIFICATION AND AUTHENTICATION |
| 4.3 Use Active Directory for local user authentication - Enabled = 'true' | IDENTIFICATION AND AUTHENTICATION |
| 4.3 Use Active Directory for local user authentication - Review Domain | IDENTIFICATION AND AUTHENTICATION |
| 4.4 Verify Active Directory group membership for the 'ESX Admins' group | ACCESS CONTROL |
| 5.2 Disable ESXi Shell unless needed for diagnostics or troubleshooting | CONFIGURATION MANAGEMENT |
| 5.3 Disable SSH | CONFIGURATION MANAGEMENT |
| 5.4 Limit CIM Access | CONFIGURATION MANAGEMENT |
| 5.5 Enable lockdown mode to restrict remote access | CONFIGURATION MANAGEMENT |
| 5.7 Set a timeout to automatically terminate idle ESXi Shell and SSH sessions | ACCESS CONTROL |
| 5.8 Set a timeout for Shell Services | ACCESS CONTROL |
| 5.9 Set DCUI.Access to allow trusted users to override lockdown mode | ACCESS CONTROL |
| 6.1 Enable bidirectional CHAP authentication for iSCSI traffic | IDENTIFICATION AND AUTHENTICATION |
| 6.2 Ensure uniqueness of CHAP authentication secrets | IDENTIFICATION AND AUTHENTICATION |
| 6.3 Mask and zone SAN resources appropriately | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.1 Ensure that the vSwitch Forged Transmits policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Ensure that the vSwitch MAC Address Change policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3 Ensure that the vSwitch Promiscuous Mode policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure that port groups are not configured to the value of the native VLAN | SYSTEM AND INFORMATION INTEGRITY |
| 7.5 Ensure that port groups are not configured to VLAN values reserved by upstream physical switches | SECURITY ASSESSMENT AND AUTHORIZATION |
| 7.6 Ensure that port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT) | CONFIGURATION MANAGEMENT |
| 8.1.1 Limit informational messages from the VM to the VMX file | AUDIT AND ACCOUNTABILITY |
| 8.2.6 Prevent unauthorized removal and modification of devices | ACCESS CONTROL |
| 8.2.7 Prevent unauthorized connection of devices | ACCESS CONTROL |
| 8.3.1 Disable unnecessary or superfluous functions inside VMs | CONFIGURATION MANAGEMENT |
| 8.3.2 Minimize use of the VM console | CONFIGURATION MANAGEMENT |
| 8.3.3 Use secure protocols for virtual serial port access | CONFIGURATION MANAGEMENT |
| 8.3.4 Use templates to deploy VMs whenever possible | CONFIGURATION MANAGEMENT |
| 8.4.1 Control access to VMs through the dvfilter network APIs | ACCESS CONTROL |
| 8.4.2 Control VMsafe Agent Address | SYSTEM AND INFORMATION INTEGRITY |
| 8.4.3 Control VMsafe Agent Port | SYSTEM AND INFORMATION INTEGRITY |
| 8.4.4 Control VMsafe Agent Configuration | SYSTEM AND INFORMATION INTEGRITY |
| 8.4.24 Disable VM Console Copy operations | CONFIGURATION MANAGEMENT |
| 8.4.25 Disable VM Console Drag and Drop operations | CONFIGURATION MANAGEMENT |
| 8.4.26 Disable VM Console GUI Options | CONFIGURATION MANAGEMENT |
| 8.4.27 Disable VM Console Paste operations | CONFIGURATION MANAGEMENT |