VMware ESXi Version 5 Virtual Machine Security Technical Implementation Guide


Overview

Date: 2017-07-11
Finding Count (51): CAT I (High): 4, CAT II (Med): 20, CAT III (Low): 27

STIG Description
The VMware ESXi Version 5 Virtual Machine Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-39442 High The system must control virtual machine access to host resources.
V-39448 High The system must disable virtual disk shrinking.
V-39449 High The system must disable virtual disk erasure.
V-39451 High The system must not use independent, non-persistent disks.
V-39489 Medium The system must disconnect unauthorized floppy devices.
V-39490 Medium The system must disconnect unauthorized IDE devices.
V-39508 Medium The system must control access to VMs through the VMsafe CPU/memory vmsafe.enable API.
V-39503 Medium The system must use secure protocols for virtual serial port access.
V-39499 Medium The system must prevent unauthorized removal, connection and modification of devices by setting the isolation.device.connectable.disable keyword to true.
V-39498 Medium The system must minimize use of the VM console.
V-39495 Medium The system must limit VM logging records.
V-39494 Medium The system must limit sharing of console connections.
V-39496 Medium The system must limit VM logging record contents.
V-39491 Medium The system must disconnect unauthorized parallel devices.
V-39501 Medium The system must not send host information to guests.
V-39493 Medium The system must disconnect unauthorized USB devices.
V-39492 Medium The system must disconnect unauthorized serial devices.
V-39500 Medium The system must prevent unauthorized removal, connection and modification of devices.
V-39507 Medium The system must control access to VMs through the VMsafe CPU/memory vmsafe.agentPort API.
V-39506 Medium The system must control access to VMs through VMsafe CPU/memory APIs.
V-39450 Medium The system must disable HGFS file transfers.
V-39453 Medium The system must disable VM logging, unless required.
V-39452 Medium The system must disable VM-to-VM communication through VMCI.
V-39454 Medium The system must disable VM Monitor Control during normal operation.
V-39488 Low The system must disable VIX messages from the VM.
V-39482 Low The unexposed feature keyword isolation.tools.unity.push.update.disable must be initialized to decrease the VM's potential attack vectors.
V-39483 Low The unexposed feature keyword isolation.tools.unity.taskbar.disable must be initialized to decrease the VM's potential attack vectors.
V-39480 Low The unexposed feature keyword isolation.tools.unity.disable must be initialized to decrease the VM's potential attack vectors.
V-39481 Low The unexposed feature keyword isolation.tools.unityInterlockOperation.disable must be initialized to decrease the VM's potential attack vectors.
V-39486 Low The unexposed feature keyword isolation.tools.vmxDnDVersionGet.disable must be initialized to decrease the VM's potential attack vectors.
V-39487 Low The unexposed feature keyword isolation.tools.guestDnDVersionSet.disable must be initialized to decrease the VM's potential attack vectors.
V-39484 Low The unexposed feature keyword isolation.tools.unityActive.disable must be initialized to decrease the VM's potential attack vectors.
V-39485 Low The unexposed feature keyword isolation.tools.unity.windowContents.disable must be initialized to decrease the VM's potential attack vectors.
V-39477 Low The unexposed feature keyword isolation.tools.dispTopoRequest.disable must be initialized to decrease the VM's potential attack vectors.
V-39461 Low The unexposed feature keyword isolation.tools.memSchedFakeSampleStats.disable must be initialized to decrease the VM's potential attack vectors.
V-39462 Low The unexposed feature keyword isolation.tools.ghi.protocolhandler.info.disable must be initialized to decrease the VM's potential attack vectors.
V-39463 Low The unexposed feature keyword isolation.ghi.host.shellAction.disable must be initialized to decrease the VM's potential attack vectors.
V-39446 Low The system must explicitly disable any GUI functionality for copy/paste operations.
V-39447 Low The system must explicitly disable paste operations.
V-39444 Low The system must explicitly disable copy operations.
V-39445 Low The system must explicitly disable drag and drop operations.
V-39443 Low The system must disable tools auto install.
V-39505 Low The system must control access to VMs through the dvfilter network APIs.
V-39504 Low The system must use templates to deploy VMs whenever possible.
V-39497 Low The system must limit informational messages from the VM to the VMX file.
V-39457 Low The unexposed feature keyword isolation.bios.bbs.disable must be initialized to decrease the VM's potential attack vectors.
V-39456 Low The unexposed feature keyword isolation.tools.ghi.autologon.disable must be initialized to decrease the VM's potential attack vectors.
V-39459 Low The unexposed feature keyword isolation.tools.ghi.launchmenu.change must be initialized to decrease the VM's potential attack vectors.
V-39458 Low The unexposed feature keyword isolation.tools.getCreds.disable must be initialized to decrease the VM's potential attack vectors.
V-39479 Low The unexposed feature keyword isolation.tools.ghi.trayicon.disable must be initialized to decrease the VM's potential attack vectors.
V-39478 Low The unexposed feature keyword isolation.tools.trashFolderState.disable must be initialized to decrease the VM's potential attack vectors.