UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ESXi host firewall must be configured to restrict access to services running on the host.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-OS-99999-ESXI5-000134 SRG-OS-99999-ESXI5-000134 SRG-OS-99999-ESXI5-000134_rule High
Description
Unrestricted access to services running on an ESXi host can exposes a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from authorized networks only.
STIG Date
VMware ESXi v5 Security Technical Implementation Guide 2013-01-15

Details

Check Text ( C-SRG-OS-99999-ESXI5-000134_chk )
From the vSphere client, select the host, then select "Configuration >> Security Profile". In the "Firewall" section select "Properties".

For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", and verify "Only allow connections from the following networks" is selected and a range of authorized IP addresses is listed.

If any enabled service's firewall entry is not configured for "Only allow connections from the following networks" with a range of authorized IP addresses listed, this is a finding.
Fix Text (F-SRG-OS-99999-ESXI5-000134_fix)
For each host, from the vSphere client, select the host and go to "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", select "Only allow connections from the following networks", and provide a range of authorized IP addresses.