| V-94617 | Medium | Unauthorized parallel devices must be disconnected on the virtual machine. | Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and... |
| V-94613 | Medium | Unauthorized floppy devices must be disconnected on the virtual machine. | Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and... |
| V-94651 | Medium | Encryption must be enabled for vMotion on the virtual machine. | vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMotion network. As of vSphere 6.5 this transfer can be transparently... |
| V-94619 | Medium | Unauthorized serial devices must be disconnected on the virtual machine. | Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and... |
| V-94639 | Medium | Use of the virtual machine console must be minimized. | The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and... |
| V-94631 | Medium | The virtual machine must not be able to obtain host information from the hypervisor. | If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this... |
| V-94577 | Medium | HGFS file transfers must be disabled on the virtual machine. | Setting isolation.tools.hgfsServerSet.disable to true disables registration of the guest's HGFS server with the host. APIs that use HGFS to transfer files to and from the guest operating system,... |
| V-94575 | Medium | Independent, non-persistent disks must be not be used on the virtual machine. | The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard... |
| V-94573 | Medium | Virtual disk erasure must be disabled on the virtual machine. | Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host... |
| V-94571 | Medium | Virtual disk shrinking must be disabled on the virtual machine. | Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and... |
| V-94647 | Medium | The virtual machine guest operating system must be locked when the last console connection is closed. | When accessing the VM console the guest OS must be locked when the last console user disconnects, limiting the possibility of session hijacking. This setting only applies to Windows-based VMs with... |
| V-94629 | Medium | Unauthorized removal, connection and modification of devices must be prevented on the virtual machine. | In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings.... |
| V-94625 | Medium | Console access through the VNC protocol must be disabled on the virtual machine. | The VM console enables you to connect to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. This console is also available via the VNC protocol and... |
| V-94623 | Medium | Console connection sharing must be limited on the virtual machine. | By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If... |
| V-94621 | Medium | Unauthorized USB devices must be disconnected on the virtual machine. | Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and... |
| V-94565 | Low | Drag and drop operations must be disabled on the virtual machine. | Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
| V-94567 | Low | GUI functionality for copy/paste operations must be disabled on the virtual machine. | Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
| V-94563 | Low | Copy operations must be disabled on the virtual machine. | Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
| V-94569 | Low | Paste operations must be disabled on the virtual machine. | Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
| V-94605 | Low | The unexposed feature keyword isolation.tools.unityActive.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94615 | Low | Unauthorized CD/DVD devices must be disconnected on the virtual machine. | Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and... |
| V-94599 | Low | The unexposed feature keyword isolation.tools.unityInterlockOperation.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94611 | Low | The unexposed feature keyword isolation.tools.guestDnDVersionSet.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94595 | Low | The unexposed feature keyword isolation.tools.ghi.trayicon.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94597 | Low | The unexposed feature keyword isolation.tools.unity.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94593 | Low | The unexposed feature keyword isolation.ghi.host.shellAction.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94635 | Low | Access to virtual machines through the dvfilter network APIs must be controlled. | An attacker might compromise a VM by making use the dvFilter API. Configure only those VMs to use the API that need this access. |
| V-94637 | Low | System administrators must use templates to deploy virtual machines whenever possible. | By capturing a hardened base operating system image (with no applications installed) in a template, ensure all virtual machines are created with a known baseline level of security. Then use this... |
| V-94633 | Low | Shared salt values must be disabled on the virtual machine. | When salting is enabled (Mem.ShareForceSalting=1 or 2) in order to share a page between two virtual machines both salt and the content of the page must be same. A salt value is a configurable... |
| V-94579 | Low | The unexposed feature keyword isolation.tools.ghi.autologon.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94601 | Low | The unexposed feature keyword isolation.tools.unity.push.update.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94603 | Low | The unexposed feature keyword isolation.tools.unity.taskbar.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94649 | Low | 3D features on the virtual machine must be disabled when not required. | It is recommended that 3D acceleration be disabled on virtual machines that do not require 3D functionality, (e.g. most server workloads or desktops not using 3D applications). |
| V-94583 | Low | The unexposed feature keyword isolation.tools.memSchedFakeSampleStats.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94581 | Low | The unexposed feature keyword isolation.tools.ghi.launchmenu.change must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94585 | Low | The unexposed feature keyword isolation.tools.ghi.protocolhandler.info.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94609 | Low | The unexposed feature keyword isolation.tools.vmxDnDVersionGet.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94607 | Low | The unexposed feature keyword isolation.tools.unity.windowContents.disable must be set on the virtual machine. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
| V-94627 | Low | Informational messages from the virtual machine to the VMX file must be limited on the virtual machine. | The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the guest OS are capable of sending a large and continuous data stream to the... |
