| ESXI-65-000001 - The ESXi host must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode. | ACCESS CONTROL |
| ESXI-65-000002 - The ESXi host must verify the DCUI.Access list. | CONFIGURATION MANAGEMENT |
| ESXI-65-000003 - The ESXi host must verify the exception users list for lockdown mode. | CONFIGURATION MANAGEMENT |
| ESXI-65-000004 - Remote logging for ESXi hosts must be configured. | ACCESS CONTROL |
| ESXI-65-000005 - The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user. | ACCESS CONTROL |
| ESXI-65-000006 - The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out. | ACCESS CONTROL |
| ESXI-65-000007 - The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | ACCESS CONTROL |
| ESXI-65-000008 - The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | ACCESS CONTROL |
| ESXI-65-000030 - The ESXi host must produce audit records containing information to establish what type of events occurred. | AUDIT AND ACCOUNTABILITY |
| ESXI-65-000031 - The ESXi host must enforce password complexity by requiring that at least one upper-case character be used. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-65-000034 - The ESXi host must disable the Managed Object Browser (MOB). | CONFIGURATION MANAGEMENT |
| ESXI-65-000035 - The ESXi host must be configured to disable non-essential capabilities by disabling SSH. | CONFIGURATION MANAGEMENT |
| ESXI-65-000036 - The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting. | CONFIGURATION MANAGEMENT |
| ESXI-65-000037 - The ESXi host must use Active Directory for local user authentication. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-65-000038 - The ESXi host must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-65-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-65-000040 - The ESXi host must use multifactor authentication for local access to privileged accounts. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-65-000041 - The ESXi host must set a timeout to automatically disable idle sessions after 10 minutes. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-65-000042 - The ESXi host must terminate shell services after 10 minutes. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-65-000043 - The ESXi host must logout of the console UI after 10 minutes. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-65-000045 - The ESXi host must enable a persistent log location for all locally stored logs. | AUDIT AND ACCOUNTABILITY |
| ESXI-65-000046 - The ESXi host must configure NTP time synchronization. | AUDIT AND ACCOUNTABILITY |
| ESXI-65-000048 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-65-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-65-000050 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-65-000052 - The ESXi host must protect the confidentiality and integrity of transmitted information by utilizing different TCP/IP stacks where possible. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-65-000053 - SNMP must be configured properly on the ESXi host. | CONFIGURATION MANAGEMENT |
| ESXI-65-000054 - The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic. | CONFIGURATION MANAGEMENT |
| ESXI-65-000055 - The ESXi host must disable Inter-VM transparent page sharing. | CONFIGURATION MANAGEMENT |
| ESXI-65-000057 - The ESXi host must configure the firewall to block network traffic by default - incoming | CONFIGURATION MANAGEMENT |
| ESXI-65-000057 - The ESXi host must configure the firewall to block network traffic by default - outgoing | CONFIGURATION MANAGEMENT |
| ESXI-65-000058 - The ESXi host must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled. | CONFIGURATION MANAGEMENT |
| ESXI-65-000059 - The virtual switch Forged Transmits policy must be set to reject on the ESXi host. | CONFIGURATION MANAGEMENT |
| ESXI-65-000060 - The virtual switch MAC Address Change policy must be set to reject on the ESXi host. | CONFIGURATION MANAGEMENT |
| ESXI-65-000061 - The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host. | CONFIGURATION MANAGEMENT |
| ESXI-65-000062 - The ESXi host must prevent unintended use of the dvFilter network APIs. | CONFIGURATION MANAGEMENT |
| ESXI-65-000063 - For the ESXi host all port groups must be configured to a value other than that of the native VLAN. | CONFIGURATION MANAGEMENT |
| ESXI-65-000064 - For the ESXi host all port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required. | CONFIGURATION MANAGEMENT |
| ESXI-65-000065 - For the ESXi host all port groups must not be configured to VLAN values reserved by upstream physical switches. | CONFIGURATION MANAGEMENT |
| ESXI-65-000066 - For physical switch ports connected to the ESXi host, the non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode. | CONFIGURATION MANAGEMENT |
| ESXI-65-000067 - All ESXi host-connected physical switch ports must be configured with spanning tree disabled. | CONFIGURATION MANAGEMENT |
| ESXI-65-000068 - All ESXi host-connected virtual switch VLANs must be fully documented and have only the required VLANs. | CONFIGURATION MANAGEMENT |
| ESXI-65-000070 - The ESXi host must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications. | CONFIGURATION MANAGEMENT |
| ESXI-65-000071 - The ESXi host must verify the integrity of the installation media before installing ESXi. | CONFIGURATION MANAGEMENT |
| ESXI-65-000072 - The ESXi host must have all security patches and updates installed. | CONFIGURATION MANAGEMENT |
| ESXI-65-000999 - The version of ESXi running on the system must be a supported version. | CONFIGURATION MANAGEMENT |
| ESXI-65-100037 - The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using Active Directory for local user authentication. | IDENTIFICATION AND AUTHENTICATION |
