1.1 (L1) Ensure ESXi is properly patched | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
2.1 (L1) Ensure NTP time synchronization is configured properly | AUDIT AND ACCOUNTABILITY |
2.2 (L1) Ensure the ESXi host firewall is configured to restrict access to services running on the host | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.3 (L1) Ensure Managed Object Browser (MOB) is disabled | ACCESS CONTROL, MEDIA PROTECTION |
2.6 (L1) Ensure dvfilter API is not configured if not used | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
2.8 (L1) Ensure vSphere Authentication Proxy is used when adding hosts to Active Directory | ACCESS CONTROL |
3.2 (L1) Ensure persistent logging is configured for all ESXi hosts | AUDIT AND ACCOUNTABILITY |
3.3 (L1) Ensure remote logging is configured for ESXi hosts | AUDIT AND ACCOUNTABILITY |
4.2 (L1) Ensure passwords are required to be complex | IDENTIFICATION AND AUTHENTICATION |
4.3 (L1) Ensure the maximum failed login attempts is set to 5 | ACCESS CONTROL |
4.4 (L1) Ensure account lockout is set to 15 minutes | ACCESS CONTROL |
4.5 (L1) Ensure previous 5 passwords are prohibited | IDENTIFICATION AND AUTHENTICATION |
4.7 (L1) Ensure only authorized users and groups belong to the esxAdminsGroup group | ACCESS CONTROL |
4.8 (L1) Ensure the Exception Users list is properly configured | ACCESS CONTROL, MEDIA PROTECTION |
5.1 (L1) Ensure the DCUI timeout is set to 600 seconds or less | ACCESS CONTROL |
5.2 (L1) Ensure the ESXi shell is disabled | CONFIGURATION MANAGEMENT |
5.3 (L1) Ensure SSH is disabled | CONFIGURATION MANAGEMENT |
5.4 (L1) Ensure CIM access is limited | CONFIGURATION MANAGEMENT |
5.5 (L1) Ensure Normal Lockdown mode is enabled | ACCESS CONTROL |
5.8 (L1) Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less | ACCESS CONTROL |
5.9 (L1) Ensure the shell services timeout is set to 1 hour or less | ACCESS CONTROL |
5.10 (L1) Ensure DCUI has a trusted users list for lockdown mode | ACCESS CONTROL |
6.1 (L1) Ensure bidirectional CHAP authentication for iSCSI traffic is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
6.3 (L1) Ensure storage area network (SAN) resources are segregated properly | SYSTEM AND COMMUNICATIONS PROTECTION |
7.1 (L1) Ensure the vSwitch Forged Transmits policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.2 (L1) Ensure the vSwitch MAC Address Change policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.3 (L1) Ensure the vSwitch Promiscuous Mode policy is set to reject | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.4 (L1) Ensure port groups are not configured to the value of the native VLAN | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.5 (L1) Ensure port groups are not configured to VLAN values reserved by upstream physical switches | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.6 (L1) Ensure port groups are not configured to VLAN 4095 and 0 except for Virtual Guest Tagging (VGT) | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.7 (L1) Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector | SYSTEM AND INFORMATION INTEGRITY |
7.8 (L1) Ensure port-level configuration overrides are disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
8.2.1 (L1) Ensure unnecessary floppy devices are disconnected | CONFIGURATION MANAGEMENT |
8.2.3 (L1) Ensure unnecessary parallel ports are disconnected | CONFIGURATION MANAGEMENT |
8.2.4 (L1) Ensure unnecessary serial ports are disconnected | CONFIGURATION MANAGEMENT |
8.2.5 (L1) Ensure unnecessary USB devices are disconnected | CONFIGURATION MANAGEMENT |
8.2.6 (L1) Ensure unauthorized modification and disconnection of devices is disabled | CONFIGURATION MANAGEMENT |
8.2.7 (L1) Ensure unauthorized connection of devices is disabled | CONFIGURATION MANAGEMENT |
8.2.8 (L1) Ensure PCI and PCIe device passthrough is disabled | CONFIGURATION MANAGEMENT |
8.3.1 (L1) Ensure unnecessary or superfluous functions inside VMs are disabled | CONFIGURATION MANAGEMENT |
8.3.2 (L1) Ensure use of the VM console is limited | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
8.3.3 (L1) Ensure secure protocols are used for virtual serial port access | CONFIGURATION MANAGEMENT, MAINTENANCE |
8.3.4 (L1) Ensure standard processes are used for VM deployment | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
8.4.1 (L1) Ensure access to VMs through the dvfilter network APIs is configured correctly | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
8.4.21 (L1) Ensure VM Console Copy operations are disabled | CONFIGURATION MANAGEMENT |
8.4.22 (L1) Ensure VM Console Drag and Drop operations are disabled | CONFIGURATION MANAGEMENT |
8.4.23 (L1) Ensure VM Console GUI Options are disabled | CONFIGURATION MANAGEMENT |
8.4.24 (L1) Ensure VM Console Paste operations are disabled | CONFIGURATION MANAGEMENT |
8.6.2 (L1) Ensure virtual disk shrinking is disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
8.6.3 (L1) Ensure virtual disk wiping is disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |