UCF STIG Viewer Logo

The vCenter Server for Windows must disable the distributed virtual switch health check.


Overview

Finding ID Version Rule ID IA Controls Severity
V-94735 VCWN-65-000012 SV-104565r1_rule Low
Description
Network Healthcheck is disabled by default. Once enabled, the healthcheck packets contain information on host#, vds#, port#, which an attacker would find useful. It is recommended that network healthcheck be used for troubleshooting, and turned off when troubleshooting is finished.
STIG Date
VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide 2020-03-27

Details

Check Text ( C-93925r1_chk )
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> Health Check. View the health check pane and verify both checks are disabled.

or

From a PowerCLI command prompt while connected to the vCenter server run the following commands:
$vds = Get-VDSwitch
$vds.ExtensionData.Config.HealthCheckConfig

If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding.
Fix Text (F-100853r1_fix)
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> Health Check. Click the "Edit" button and disable both health checks.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}