V-68721 | High | VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by the vendor for security updates must not be installed on a system. | VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by VMware for security updates are not evaluated or updated for vulnerabilities... |
V-15903 | Medium | Virtual machines are removed from the site without approval documentation. | From a theft perspective, virtual machines are easy to copy and move to a person’s USB drive, portable hard drive, etc. An insider could potentially move the organization’s entire data center on... |
V-15881 | Medium | VirtualCenter logs are reviewed daily. | VirtualCenter logs must be reviewed; otherwise suspicious activity, problems, attacks, or system warnings will go undetected. These logs provide visibility into the activities and events of the... |
V-15882 | Medium | There is no up-to-date documentation of the virtualization infrastructure. | With the creation of virtual machines, the actual virtual network topology becomes increasingly complex. The topology changes when a virtual machine is created, added to a virtual switch or port... |
V-15841 | Medium | ESX Server log files are not reviewed daily. | Logs form a recorded history or audit trail of the ESX Server system events, making it easier for system administrators to track down intermittent problems, review past events, and piece together... |
V-15825 | Medium | A third party firewall is configured on ESX Server. | Third party software and services should not be installed in the service console. The service console is not intended to support the operation of additional software or services beyond what is... |
V-15877 | Medium | VirtualCenter Server groups are not reviewed monthly. | Reviewing the VirtualCenter groups will ensure that no unauthorized users have been granted access to objects. |
V-15879 | Medium | There is no VirtualCenter baseline configuration document for users, groups, permissions, and roles. | When pairing users or groups with permissions to an object, a role is defined for users and groups. There are two default roles defined in VirtualCenter called System roles and Sample roles.... |
V-15878 | Medium | No documented configuration management process exists for VirtualCenter changes. | VirtualCenter objects might have multiple permissions for users and/or groups. Permissions are applied hierarchically downward on these objects. For each permission the administrator must decide... |
V-15902 | Medium | Virtual machines moved to removable media are not documented. | From a theft perspective, virtual machines are easy to copy and move to a person’s USB drive, portable hard drive, etc. An insider could potentially move the organization’s entire data center on... |
V-15833 | Medium | Hash signatures for the /etc files are not reviewed monthly. | Several files within ESX Server should be checked for file system integrity periodically. These files have been deemed critical by VMware in maintaining file system integrity. System... |
V-15853 | Medium | Disaster recovery plan does not include ESX Servers, VirtualCenter servers, virtual machines, and necessary peripherals associated with the system. | Disaster and recovery plans should be drafted and exercised in accordance with the MAC level of the system/Enclave as defined by the DoDI 8500.2. Disaster plans provide for the resumption of... |
V-15892 | Low | VI Console is used to administer virtual machines. | The VI Console allows a user to connect to the console of a virtual machine, similar to seeing what a physical server monitor would show. However, the VI Console also provides power management and... |
V-16851 | Low | ESX administrators have not received proper training to administer the ESX Server. | Different roles require different types of training. A skilled staff is one of the critical components to the security of an organization. The ESX Server is complex and has many components that... |
V-15919 | Low | Virtual machine requirements are not documented before creating a virtual machine. | Guest operating systems may require different resources depending on the server function. A database or email server will require more resources than a basic Windows Domain Controller. Therefore,... |
V-15889 | Low | The VMware-converter utility is not used for VMDK imports or exports. | There will be situations that require the import or export of VMDK files on the VMFS partition. Importing and exporting disk files can also be done through the Virtual Infrastructure Client or... |
V-15845 | Low | The IAO/SA does not subscribe to vendor security patches and update notifications. | Organizations need to stay current with all applicable ESX Server software updates that are released from VMware. In order to be aware of updates as they are released, virtualization server... |
V-15900 | Low | No policy exists to restrict copying and sharing virtual machines over networks and removable media. | As virtual machines replace real hardware they can undermine the security architecture of many organizations which often assume predictable and controlled change in the number of hosts, host... |
V-15875 | Low | Users assigned to VirtualCenter groups are not documented. | Ensuring privileged group membership is controlled requires updates to group documentation, and periodic reviews to determine that unauthorized users are not members. If an unauthorized user is... |
V-15876 | Low | Users in the VirtualCenter Server Windows Administrators group are not documented. | Users who are members of the Windows administrators group on the VirtualCenter server are granted the same access rights as any user assigned to the VirtualCenter administrator role. These users... |
V-15898 | Low | The IAO/SA does not document and approve virtual machine renames. | It may become necessary to rename a virtual machine at some point during the course of testing to production. To rename a virtual machine, the virtual machine must be powered down before... |
V-15905 | Low | Virtual machine rollbacks are performed when the virtual machine is connected to the network. | Virtual machines may be rolled back to a previous state. Rolling back a virtual machine can re-expose patched vulnerabilities, re-enable previously disabled accounts or passwords, remove log files... |
V-15891 | Low | No policy exists to assign virtual machines to personnel. | In traditional computing environments, servers were usually assigned to various personnel for administration. For instance, the data server is administered by the database administrator; the... |
V-15851 | Low | There are no procedures for the backup and recovery of the ESX Server, management servers, and virtual machines. | Backup and recovery procedures are critical to the availability and protection of the virtual infrastructure. Availability of the system will be hindered if the system is compromised, shutdown, or... |