| 1.1 Ensure ESXi is properly patched | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.1 Ensure NTP time synchronization is configured properly | AUDIT AND ACCOUNTABILITY |
| 2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3 Ensure Managed Object Browser (MOB) is disabled | ACCESS CONTROL, MEDIA PROTECTION |
| 2.5 Ensure SNMP is configured properly - 'community name private does not exist' | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Ensure SNMP is configured properly - 'community name public does not exist' | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Ensure dvfilter API is not configured if not used | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Ensure vSphere Authentication Proxy is used when adding hosts to Active Directory | ACCESS CONTROL |
| 3.2 Ensure persistent logging is configured for all ESXi hosts | AUDIT AND ACCOUNTABILITY |
| 3.3 Ensure remote logging is configured for ESXi hosts | AUDIT AND ACCOUNTABILITY |
| 4.2 Ensure passwords are required to be complex | IDENTIFICATION AND AUTHENTICATION |
| 4.3 Ensure the maximum failed login attempts is set to 5 | ACCESS CONTROL |
| 4.4 Ensure account lockout is set to 15 minutes | ACCESS CONTROL |
| 4.5 Ensure previous 5 passwords are prohibited | IDENTIFICATION AND AUTHENTICATION |
| 4.7 Ensure only authorized users and groups belong to the esxAdminsGroup group | ACCESS CONTROL |
| 4.8 Ensure the Exception Users list is properly configured | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1 Ensure the DCUI timeout is set to 600 seconds or less | ACCESS CONTROL |
| 5.2 Ensure the ESXi shell is disabled | CONFIGURATION MANAGEMENT |
| 5.3 Ensure SSH is disabled | CONFIGURATION MANAGEMENT |
| 5.4 Ensure CIM access is limited | CONFIGURATION MANAGEMENT |
| 5.5 Ensure Normal Lockdown mode is enabled | ACCESS CONTROL |
| 5.8 Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less | ACCESS CONTROL |
| 5.9 Ensure the shell services timeout is set to 1 hour or less | ACCESS CONTROL |
| 5.10 Ensure DCUI has a trusted users list for lockdown mode | ACCESS CONTROL |
| 6.1 Ensure bidirectional CHAP authentication for iSCSI traffic is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.3 Ensure storage area network (SAN) resources are segregated properly | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.1 Ensure the vSwitch Forged Transmits policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Ensure the vSwitch MAC Address Change policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure port groups are not configured to the value of the native VLAN | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.5 Ensure port groups are not configured to VLAN values reserved by upstream physical switches | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.6 Ensure port groups are not configured to VLAN 4095 and 0 except for Virtual Guest Tagging (VGT) | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.7 Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector | SYSTEM AND INFORMATION INTEGRITY |
| 7.8 Ensure port-level configuration overrides are disabled. | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.2.1 Ensure unnecessary floppy devices are disconnected | CONFIGURATION MANAGEMENT |
| 8.2.3 Ensure unnecessary parallel ports are disconnected | CONFIGURATION MANAGEMENT |
| 8.2.4 Ensure unnecessary serial ports are disconnected | CONFIGURATION MANAGEMENT |
| 8.2.5 Ensure unnecessary USB devices are disconnected | CONFIGURATION MANAGEMENT |
| 8.2.6 Ensure unauthorized modification and disconnection of devices is disabled | CONFIGURATION MANAGEMENT |
| 8.2.7 Ensure unauthorized connection of devices is disabled | CONFIGURATION MANAGEMENT |
| 8.2.8 Ensure PCI and PCIe device passthrough is disabled | CONFIGURATION MANAGEMENT |
| 8.3.1 Ensure unnecessary or superfluous functions inside VMs are disabled | CONFIGURATION MANAGEMENT |
| 8.3.2 Ensure use of the VM console is limited | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 8.3.3 Ensure secure protocols are used for virtual serial port access | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 8.3.4 Ensure standard processes are used for VM deployment | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 8.4.21 Ensure VM Console Copy operations are disabled | CONFIGURATION MANAGEMENT |
| 8.4.22 Ensure VM Console Drag and Drop operations is disabled | CONFIGURATION MANAGEMENT |
| 8.4.23 Ensure VM Console GUI Options is disabled | CONFIGURATION MANAGEMENT |
| 8.4.24 Ensure VM Console Paste operations are disabled | CONFIGURATION MANAGEMENT |
