| 1.1 Ensure ESXi is properly patched | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY | 
| 2.1 Ensure NTP time synchronization is configured properly | AUDIT AND ACCOUNTABILITY | 
| 2.3 Ensure Managed Object Browser (MOB) is disabled | ACCESS CONTROL, MEDIA PROTECTION | 
| 2.5 Ensure SNMP is configured properly - 'community name private does not exist' | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 2.5 Ensure SNMP is configured properly - 'community name public does not exist' | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 2.6 Ensure dvfilter API is not configured if not used | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 2.8 Ensure vSphere Authentication Proxy is used when adding hosts to Active Directory | ACCESS CONTROL | 
| 2.9 Ensure VDS health check is disabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY | 
| 3.2 Ensure persistent logging is configured for all ESXi hosts | AUDIT AND ACCOUNTABILITY | 
| 3.3 Ensure remote logging is configured for ESXi hosts | AUDIT AND ACCOUNTABILITY | 
| 4.2 Ensure passwords are required to be complex | IDENTIFICATION AND AUTHENTICATION | 
| 4.3 Ensure the maximum failed login attempts is set to 5 | ACCESS CONTROL | 
| 4.4 Ensure account lockout is set to 15 minutes | ACCESS CONTROL | 
| 4.5 Ensure Active Directory is used for local user authentication | ACCESS CONTROL | 
| 4.6 Ensure only authorized users and groups belong to the esxAdminsGroup group | ACCESS CONTROL | 
| 4.7 Ensure the Exception Users list is properly configured | ACCESS CONTROL, MEDIA PROTECTION | 
| 5.1 Ensure the DCUI timeout is set to 600 seconds or less | ACCESS CONTROL | 
| 5.3 Ensure the ESXi shell is disabled | CONFIGURATION MANAGEMENT | 
| 5.4 Ensure SSH is disabled | CONFIGURATION MANAGEMENT | 
| 5.5 Ensure CIM access is limited | CONFIGURATION MANAGEMENT | 
| 5.6 Ensure Lockdown mode is enabled | ACCESS CONTROL | 
| 5.8 Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less | ACCESS CONTROL | 
| 5.9 Ensure the shell services timeout is set to 1 hour or less | ACCESS CONTROL | 
| 5.10 Ensure DCUI has a trusted users list for lockdown mode | ACCESS CONTROL | 
| 6.1 Ensure bidirectional CHAP authentication for iSCSI traffic is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 6.2 Ensure the uniqueness of CHAP authentication secrets for iSCSI traffic | IDENTIFICATION AND AUTHENTICATION | 
| 6.3 Ensure storage area network (SAN) resources are segregated properly | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 7.1 Ensure the vSwitch Forged Transmits policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 7.2 Ensure the vSwitch MAC Address Change policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 7.4 Ensure port groups are not configured to the value of the native VLAN | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 7.5 Ensure port groups are not configured to VLAN values reserved by upstream physical switches | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 7.6 Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT) | SYSTEM AND INFORMATION INTEGRITY | 
| 7.7 Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector | SYSTEM AND INFORMATION INTEGRITY | 
| 7.8 Ensure port-level configuration overrides are disabled. | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 8.1.1 Ensure informational messages from the VM to the VMX file are limited | AUDIT AND ACCOUNTABILITY | 
| 8.2.1 Ensure unnecessary floppy devices are disconnected | CONFIGURATION MANAGEMENT | 
| 8.2.3 Ensure unnecessary parallel ports are disconnected | CONFIGURATION MANAGEMENT | 
| 8.2.4 Ensure unnecessary serial ports are disconnected | CONFIGURATION MANAGEMENT | 
| 8.2.5 Ensure unnecessary USB devices are disconnected | CONFIGURATION MANAGEMENT | 
| 8.2.6 Ensure unauthorized modification and disconnection of devices is disabled | CONFIGURATION MANAGEMENT | 
| 8.2.7 Ensure unauthorized connection of devices is disabled | CONFIGURATION MANAGEMENT | 
| 8.2.8 Ensure PCI and PCIe device passthrough is disabled | CONFIGURATION MANAGEMENT | 
| 8.3.1 Ensure unnecessary or superfluous functions inside VMs are disabled | CONFIGURATION MANAGEMENT | 
| 8.3.2 Ensure use of the VM console is limited | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION | 
| 8.3.3 Ensure secure protocols are used for virtual serial port access | CONFIGURATION MANAGEMENT, MAINTENANCE | 
| 8.3.4 Ensure standard processes are used for VM deployment | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION | 
| 8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION | 
| 8.4.21 Ensure VM Console Copy operations are disabled | CONFIGURATION MANAGEMENT | 
| 8.4.22 Ensure VM Console Drag and Drop operations is disabled | CONFIGURATION MANAGEMENT |