7.8 Ensure port-level configuration overrides are disabled.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Port-level configuration overrides are disabled by default. Once enabled, individual ports can be given their own settings (for example a different security policy) that ignore what is configured at the port group level.

Rationale:

There are cases where unique per-port configurations are needed, but these should be monitored so that overrides are only used when authorized. If overrides are not monitored, anyone who gains access to a VM attached to a port with a less secure VDS configuration could quietly exploit that broader access.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Using the vSphere Web Client,

Go to the Networking section of vCenter

Expand each distributed switch, then perform the following for each port group:

Go to Configure then expand Settings.

Click on Properties then click on Edit.

Select Advanced, then under Override port policies set each policy to Disabled.

Click OK.
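The client steps above have to be repeated for every port group on every switch, so a scripted check is the practical way to verify compliance across a vCenter. The following PowerCLI script is an added example and is not code from the CIS benchmark or from the Nessus audit. It assumes VMware PowerCLI is installed and a session already exists via Connect-VIServer. The flag names it inspects are the override switches exposed on the vSphere API object VMwareDVSPortgroupPolicy (reachable in PowerCLI through a port group's ExtensionData.Config.Policy); each one corresponds to a row under "Override port policies" in the client. The function and variable names are the example's own.

```powershell
# Added example (not from the CIS benchmark or the Nessus audit).
# Assumes: VMware PowerCLI and an active Connect-VIServer session.

# Override switches on VMwareDVSPortgroupPolicy. "Live port moving" and
# "Configure reset at disconnect" live in the same panel but are not
# overrides, so they are deliberately left out and left unchanged below.
$overrideProperties = @(
    'BlockOverrideAllowed',
    'ShapingOverrideAllowed',
    'VendorConfigOverrideAllowed',
    'NetworkResourcePoolOverrideAllowed',
    'TrafficFilterOverrideAllowed',
    'VlanOverrideAllowed',
    'UplinkTeamingOverrideAllowed',
    'SecurityPolicyOverrideAllowed',
    'IpfixOverrideAllowed',
    'MacManagementOverrideAllowed'   # only present on newer vSphere releases
)

function Get-VDPortgroupOverrideStatus {
    # Audit: one object per distributed port group, listing any override
    # that is still enabled. Compliant means no override is enabled.
    Get-VDPortgroup | ForEach-Object {
        $policy = $_.ExtensionData.Config.Policy
        $enabled = foreach ($name in $overrideProperties) {
            $prop = $policy.PSObject.Properties[$name]
            # Skip flags that this vSphere version does not expose.
            if ($null -ne $prop -and $prop.Value -eq $true) { $name }
        }
        [pscustomobject]@{
            VDSwitch         = $_.VDSwitch.Name
            Portgroup        = $_.Name
            EnabledOverrides = @($enabled)
            Compliant        = (@($enabled).Count -eq 0)
        }
    }
}

function Disable-VDPortgroupOverrides {
    # Remediation for a single port group: reuse the current policy object,
    # flip every override flag to false, and push it back with the current
    # ConfigVersion so a concurrent change is not silently overwritten.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)

    $pg = Get-VDPortgroup -Name $Name
    $policy = $pg.ExtensionData.Config.Policy
    foreach ($prop in $overrideProperties) {
        if ($null -ne $policy.PSObject.Properties[$prop]) {
            $policy.$prop = $false
        }
    }
    $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $spec.ConfigVersion = $pg.ExtensionData.Config.ConfigVersion
    $spec.Policy = $policy
    if ($PSCmdlet.ShouldProcess($Name, 'Disable port-level overrides')) {
        $pg.ExtensionData.ReconfigureDVPortgroup($spec)
    }
}

# Audit everything and show only the non-compliant port groups.
Get-VDPortgroupOverrideStatus |
    Where-Object { -not $_.Compliant } |
    Format-Table VDSwitch, Portgroup, @{ N = 'EnabledOverrides'; E = { $_.EnabledOverrides -join ', ' } }

# Remediate one port group; -WhatIf previews the change without applying it.
# Disable-VDPortgroupOverrides -Name 'PG-Prod-Web' -WhatIf
```

Run the audit first and review the output with the network owners: a port group that legitimately needs a per-port override (the "authorized" case in the rationale) should be documented as an exception rather than blindly reset. The remediation function is scoped to one named port group and honours -WhatIf so it can be dry-run before any change is pushed to vCenter.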

See Also

https://workbench.cisecurity.org/files/3473