{
"stig": {
"date": "2021-09-22",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-237065": {
"checkid": "C-40284r640030_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.copy.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.copy.disable\n\nIf the virtual machine advanced setting isolation.tools.copy.disable does not exist or is not set to true, this is a finding.",
"description": "Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.",
"fixid": "F-40247r640031_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.copy.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen. \n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.copy.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.copy.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237065",
"ruleID": "SV-237065r640032_rule",
"severity": "low",
"title": "Copy operations must be disabled on the virtual machine.",
"version": "VMCH-65-000001"
},
"V-237066": {
"checkid": "C-40285r640033_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.dnd.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.dnd.disable\n\nIf the virtual machine advanced setting isolation.tools.dnd.disable does not exist or is not set to true, this is a finding.",
"description": "Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.",
"fixid": "F-40248r640034_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.dnd.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.dnd.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237066",
"ruleID": "SV-237066r640035_rule",
"severity": "low",
"title": "Drag and drop operations must be disabled on the virtual machine.",
"version": "VMCH-65-000002"
},
"V-237067": {
"checkid": "C-40286r640036_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.setGUIOptions.enable value is set to false.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.setGUIOptions.enable\n\nIf the virtual machine advanced setting isolation.tools.setGUIOptions.enable does not exist or is not set to false, this is a finding.",
"description": "Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.",
"fixid": "F-40249r640037_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.setGUIOptions.enable value and set it to false. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.setGUIOptions.enable -Value false\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.setGUIOptions.enable | Set-AdvancedSetting -Value false",
"iacontrols": null,
"id": "V-237067",
"ruleID": "SV-237067r640038_rule",
"severity": "low",
"title": "GUI functionality for copy/paste operations must be disabled on the virtual machine.",
"version": "VMCH-65-000003"
},
"V-237068": {
"checkid": "C-40287r640039_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.paste.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.paste.disable\n\nIf the virtual machine advanced setting isolation.tools.paste.disable does not exist or is not set to true, this is a finding.",
"description": "Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.",
"fixid": "F-40250r640040_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.paste.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.paste.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.paste.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237068",
"ruleID": "SV-237068r640041_rule",
"severity": "low",
"title": "Paste operations must be disabled on the virtual machine.",
"version": "VMCH-65-000004"
},
"V-237069": {
"checkid": "C-40288r640042_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.diskShrink.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable\n\nIf the virtual machine advanced setting isolation.tools.diskShrink.disable does not exist or is not set to true, this is a finding.",
"description": "Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes - that is, users and processes without root or administrator privileges - within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial-of-service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to shrink is available to non-administrative users operating within the VM's guest OS.",
"fixid": "F-40251r640043_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.diskShrink.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.diskShrink.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237069",
"ruleID": "SV-237069r640044_rule",
"severity": "medium",
"title": "Virtual disk shrinking must be disabled on the virtual machine.",
"version": "VMCH-65-000005"
},
"V-237070": {
"checkid": "C-40289r640045_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.diskWiper.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable\n\nIf the virtual machine advanced setting isolation.tools.diskWiper.disable does not exist or is not set to true, this is a finding.",
"description": "Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes - that is, users and processes without root or administrator privileges - within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial-of-service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to wipe (erase) is available to non-administrative users operating within the VM's guest OS.",
"fixid": "F-40252r640046_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.diskWiper.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.diskWiper.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237070",
"ruleID": "SV-237070r640047_rule",
"severity": "medium",
"title": "Virtual disk erasure must be disabled on the virtual machine.",
"version": "VMCH-65-000006"
},
"V-237071": {
"checkid": "C-40290r640048_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings. Review the attached hard disks and verify they are not configured as independent nonpersistent disks.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-HardDisk | Select Parent, Name, Filename, DiskType, Persistence | FT -AutoSize\n\nIf the virtual machine has attached disks that are in independent nonpersistent mode and are not documented, this is a finding.",
"description": "The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode; additionally, make sure that activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked.\n\nThere can be valid use cases for these types of disks, such as an application presentation solution where read-only disks are desired, and such cases should be identified and documented.",
"fixid": "F-40253r640049_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings. Select the target hard disk and change the mode to persistent or uncheck Independent.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-HardDisk | Set-HardDisk -Persistence IndependentPersistent\n\nor\n\nGet-VM \"VM Name\" | Get-HardDisk | Set-HardDisk -Persistence Persistent",
"iacontrols": null,
"id": "V-237071",
"ruleID": "SV-237071r640050_rule",
"severity": "medium",
"title": "Independent, non-persistent disks must not be used on the virtual machine.",
"version": "VMCH-65-000007"
},
"V-237072": {
"checkid": "C-40291r640051_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.hgfsServerSet.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable\n\nIf the virtual machine advanced setting isolation.tools.hgfsServerSet.disable does not exist or is not set to true, this is a finding.",
"description": "Setting isolation.tools.hgfsServerSet.disable to true disables registration of the guest's HGFS server with the host. APIs that use HGFS to transfer files to and from the guest operating system, such as some VIX commands, will not function. An attacker could potentially use this to transfer files inside the guest OS.",
"fixid": "F-40254r640052_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.hgfsServerSet.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237072",
"ruleID": "SV-237072r640053_rule",
"severity": "medium",
"title": "HGFS file transfers must be disabled on the virtual machine.",
"version": "VMCH-65-000008"
},
"V-237073": {
"checkid": "C-40292r640054_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.ghi.autologon.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.ghi.autologon.disable\n\nIf the virtual machine advanced setting isolation.tools.ghi.autologon.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40255r640055_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.ghi.autologon.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.ghi.autologon.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.ghi.autologon.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237073",
"ruleID": "SV-237073r640056_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.ghi.autologon.disable must be set on the virtual machine.",
"version": "VMCH-65-000009"
},
"V-237074": {
"checkid": "C-40293r640057_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.ghi.launchmenu.change value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.ghi.launchmenu.change\n\nIf the virtual machine advanced setting isolation.tools.ghi.launchmenu.change does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40256r640058_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.ghi.launchmenu.change value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.ghi.launchmenu.change -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.ghi.launchmenu.change | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237074",
"ruleID": "SV-237074r640059_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.ghi.launchmenu.change must be set on the virtual machine.",
"version": "VMCH-65-000012"
},
"V-237075": {
"checkid": "C-40294r640060_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.memSchedFakeSampleStats.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.memSchedFakeSampleStats.disable\n\nIf the virtual machine advanced setting isolation.tools.memSchedFakeSampleStats.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40257r640061_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.memSchedFakeSampleStats.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.memSchedFakeSampleStats.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.memSchedFakeSampleStats.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237075",
"ruleID": "SV-237075r640062_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.memSchedFakeSampleStats.disable must be set on the virtual machine.",
"version": "VMCH-65-000013"
},
"V-237076": {
"checkid": "C-40295r640063_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.ghi.protocolhandler.info.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.ghi.protocolhandler.info.disable\n\nIf the virtual machine advanced setting isolation.tools.ghi.protocolhandler.info.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40258r640064_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.ghi.protocolhandler.info.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.ghi.protocolhandler.info.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.ghi.protocolhandler.info.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237076",
"ruleID": "SV-237076r640065_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.ghi.protocolhandler.info.disable must be set on the virtual machine.",
"version": "VMCH-65-000014"
},
"V-237077": {
"checkid": "C-40296r640066_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.ghi.host.shellAction.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.ghi.host.shellAction.disable\n\nIf the virtual machine advanced setting isolation.ghi.host.shellAction.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40259r640067_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.ghi.host.shellAction.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.ghi.host.shellAction.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.ghi.host.shellAction.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237077",
"ruleID": "SV-237077r640068_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.ghi.host.shellAction.disable must be set on the virtual machine.",
"version": "VMCH-65-000015"
},
"V-237078": {
"checkid": "C-40297r640069_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.ghi.trayicon.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.ghi.trayicon.disable\n\nIf the virtual machine advanced setting isolation.tools.ghi.trayicon.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40260r640070_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.ghi.trayicon.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.ghi.trayicon.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.ghi.trayicon.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237078",
"ruleID": "SV-237078r640071_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.ghi.trayicon.disable must be set on the virtual machine.",
"version": "VMCH-65-000018"
},
"V-237079": {
"checkid": "C-40298r640072_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.unity.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unity.disable\n\nIf the virtual machine advanced setting isolation.tools.unity.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40261r640073_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.unity.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.unity.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unity.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237079",
"ruleID": "SV-237079r640074_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.unity.disable must be set on the virtual machine.",
"version": "VMCH-65-000019"
},
"V-237080": {
"checkid": "C-40299r640075_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.unityInterlockOperation.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unityInterlockOperation.disable\n\nIf the virtual machine advanced setting isolation.tools.unityInterlockOperation.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40262r640076_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.unityInterlockOperation.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.unityInterlockOperation.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unityInterlockOperation.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237080",
"ruleID": "SV-237080r640077_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.unityInterlockOperation.disable must be set on the virtual machine.",
"version": "VMCH-65-000020"
},
"V-237081": {
"checkid": "C-40300r640078_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.unity.push.update.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unity.push.update.disable\n\nIf the virtual machine advanced setting isolation.tools.unity.push.update.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40263r640079_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.unity.push.update.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.unity.push.update.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unity.push.update.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237081",
"ruleID": "SV-237081r640080_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.unity.push.update.disable must be set on the virtual machine.",
"version": "VMCH-65-000021"
},
"V-237082": {
"checkid": "C-40301r640081_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.unity.taskbar.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unity.taskbar.disable\n\nIf the virtual machine advanced setting isolation.tools.unity.taskbar.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40264r640082_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.unity.taskbar.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.unity.taskbar.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unity.taskbar.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237082",
"ruleID": "SV-237082r640083_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.unity.taskbar.disable must be set on the virtual machine.",
"version": "VMCH-65-000022"
},
"V-237083": {
"checkid": "C-40302r640084_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.unityActive.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unityActive.disable\n\nIf the virtual machine advanced setting isolation.tools.unityActive.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40265r640085_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.unityActive.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.unityActive.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unityActive.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237083",
"ruleID": "SV-237083r640086_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.unityActive.disable must be set on the virtual machine.",
"version": "VMCH-65-000023"
},
"V-237084": {
"checkid": "C-40303r640087_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.unity.windowContents.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unity.windowContents.disable\n\nIf the virtual machine advanced setting isolation.tools.unity.windowContents.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40266r640088_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.unity.windowContents.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.unity.windowContents.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.unity.windowContents.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237084",
"ruleID": "SV-237084r640089_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.unity.windowContents.disable must be set on the virtual machine.",
"version": "VMCH-65-000024"
},
"V-237085": {
"checkid": "C-40304r640090_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.vmxDnDVersionGet.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.vmxDnDVersionGet.disable\n\nIf the virtual machine advanced setting isolation.tools.vmxDnDVersionGet.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40267r640091_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.vmxDnDVersionGet.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.vmxDnDVersionGet.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.vmxDnDVersionGet.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237085",
"ruleID": "SV-237085r640092_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.vmxDnDVersionGet.disable must be set on the virtual machine.",
"version": "VMCH-65-000025"
},
"V-237086": {
"checkid": "C-40305r640093_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.tools.guestDnDVersionSet.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.guestDnDVersionSet.disable\n\nIf the virtual machine advanced setting isolation.tools.guestDnDVersionSet.disable does not exist or is not set to true, this is a finding.",
"description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
"fixid": "F-40268r640094_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.guestDnDVersionSet.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.tools.guestDnDVersionSet.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.tools.guestDnDVersionSet.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237086",
"ruleID": "SV-237086r640095_rule",
"severity": "low",
"title": "The unexposed feature keyword isolation.tools.guestDnDVersionSet.disable must be set on the virtual machine.",
"version": "VMCH-65-000026"
},
"V-237087": {
"checkid": "C-40306r640096_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings. Review the VM's hardware and verify no floppy device is connected.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM | Get-FloppyDrive | Select Parent, Name, ConnectionState\n\nIf a virtual machine has a floppy drive connected, this is a finding.",
"description": "Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.",
"fixid": "F-40269r640097_fix",
"fixtext": "If the floppy drive is required to be present, then from the vSphere Client right-click the Virtual Machine and go to Edit Settings, make sure the drive is not connected and will not \"Connect at power on\".\n\nIf the floppy drive is not required, then from the vSphere Client power off the virtual machine, right-click the Virtual Machine and go to Edit Settings, select the floppy drive and click the circle-x to remove then OK.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-FloppyDrive | Remove-FloppyDrive",
"iacontrols": null,
"id": "V-237087",
"ruleID": "SV-237087r640098_rule",
"severity": "medium",
"title": "Unauthorized floppy devices must be disconnected on the virtual machine.",
"version": "VMCH-65-000028"
},
"V-237088": {
"checkid": "C-40307r640099_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings. Review the VM's hardware and verify no CD/DVD drives are connected.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent,Name\n\nIf a virtual machine has a CD/DVD drive connected other than temporarily, this is a finding.",
"description": "Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.",
"fixid": "F-40270r640100_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings. Select the CD/DVD drive and uncheck \"Connected\" and \"Connect at power on\" and remove any attached ISOs.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-CDDrive | Set-CDDrive -NoMedia",
"iacontrols": null,
"id": "V-237088",
"ruleID": "SV-237088r640101_rule",
"severity": "low",
"title": "Unauthorized CD/DVD devices must be disconnected on the virtual machine.",
"version": "VMCH-65-000029"
},
"V-237089": {
"checkid": "C-40308r640102_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings. Review the VM's hardware and verify no parallel devices exist.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match \"parallel\"}\n\nIf a virtual machine has a parallel device present, this is a finding.",
"description": "Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.",
"fixid": "F-40271r640103_fix",
"fixtext": "The VM must be powered off in order to remove a parallel device.\n\nFrom the vSphere Web Client right-click the Virtual Machine and go to Edit Settings. Select the parallel device and click the circle-x to remove then OK.",
"iacontrols": null,
"id": "V-237089",
"ruleID": "SV-237089r640104_rule",
"severity": "medium",
"title": "Unauthorized parallel devices must be disconnected on the virtual machine.",
"version": "VMCH-65-000030"
},
"V-237090": {
"checkid": "C-40309r640105_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings. Review the VM's hardware and verify no serial devices exist.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match \"serial\"}\n\nIf a virtual machine has a serial device present, this is a finding.",
"description": "Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.",
"fixid": "F-40272r640106_fix",
"fixtext": "The VM must be powered off in order to remove a serial device.\n\nFrom the vSphere Web Client right-click the Virtual Machine and go to Edit Settings. Select the serial device and click the circle-x to remove then OK.",
"iacontrols": null,
"id": "V-237090",
"ruleID": "SV-237090r640107_rule",
"severity": "medium",
"title": "Unauthorized serial devices must be disconnected on the virtual machine.",
"version": "VMCH-65-000031"
},
"V-237091": {
"checkid": "C-40310r640108_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings. Review the VM's hardware and verify no USB devices exist.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands:\n\nGet-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match \"usb\"}\nGet-VM | Get-UsbDevice\n\nIf a virtual machine has any USB devices or USB controllers present, this is a finding.\n\nIf USB smart card readers are used to pass smart cards through the VM console to a VM, then the use of a USB controller and USB devices for that purpose is not a finding.",
"description": "Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.",
"fixid": "F-40273r640109_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings. Select the USB controller and click the circle-x to remove then OK.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-USBDevice | Remove-USBDevice\n\nNote: This PowerCLI command removes only the connected USB devices; it does not remove the USB controller itself.",
"iacontrols": null,
"id": "V-237091",
"ruleID": "SV-237091r640110_rule",
"severity": "medium",
"title": "Unauthorized USB devices must be disconnected on the virtual machine.",
"version": "VMCH-65-000032"
},
"V-237092": {
"checkid": "C-40311r640111_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the RemoteDisplay.maxConnections value is set to 1.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name RemoteDisplay.maxConnections\n\nIf the virtual machine advanced setting RemoteDisplay.maxConnections does not exist or is not set to 1, this is a finding.",
"description": "By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a non-administrator in the VM might connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a virtual machine. For example, if a jump box is being used for an open console session and the admin loses connection to that box, then the console session remains open. Allowing two console sessions permits debugging via a shared session. For highest security, only one remote console session at a time should be allowed.",
"fixid": "F-40274r640112_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the RemoteDisplay.maxConnections value and set it to 1. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name RemoteDisplay.maxConnections -Value 1\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Set-AdvancedSetting -Value 1",
"iacontrols": null,
"id": "V-237092",
"ruleID": "SV-237092r640113_rule",
"severity": "medium",
"title": "Console connection sharing must be limited on the virtual machine.",
"version": "VMCH-65-000033"
},
"V-237093": {
"checkid": "C-40312r640114_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the RemoteDisplay.vnc.enabled value is set to false.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name RemoteDisplay.vnc.enabled\n\nIf the virtual machine advanced setting RemoteDisplay.vnc.enabled does not exist or is not set to false, this is a finding.",
"description": "The VM console enables you to connect to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. This console is also available via the VNC protocol and should be disabled.",
"fixid": "F-40275r640115_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the RemoteDisplay.vnc.enabled value and set it to false. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name RemoteDisplay.vnc.enabled -Value false\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name RemoteDisplay.vnc.enabled | Set-AdvancedSetting -Value false",
"iacontrols": null,
"id": "V-237093",
"ruleID": "SV-237093r640116_rule",
"severity": "medium",
"title": "Console access through the VNC protocol must be disabled on the virtual machine.",
"version": "VMCH-65-000034"
},
"V-237094": {
"checkid": "C-40313r640117_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the tools.setinfo.sizeLimit value is set to 1048576.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name tools.setinfo.sizeLimit\n\nIf the virtual machine advanced setting tools.setinfo.sizeLimit does not exist or is not set to 1048576, this is a finding.",
"description": "The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the guest OS are capable of sending a large and continuous data stream to the host. This 1MB capacity should be sufficient for most cases, but this value can change if necessary. The value can be increased if large amounts of custom information are being stored in the configuration file. The default limit is 1MB.",
"fixid": "F-40276r640118_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the tools.setinfo.sizeLimit value and set it to 1048576. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name tools.setinfo.sizeLimit -Value 1048576\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Set-AdvancedSetting -Value 1048576",
"iacontrols": null,
"id": "V-237094",
"ruleID": "SV-237094r640119_rule",
"severity": "low",
"title": "Informational messages from the virtual machine to the VMX file must be limited on the virtual machine.",
"version": "VMCH-65-000036"
},
"V-237095": {
"checkid": "C-40314r640120_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.device.connectable.disable value is set to true.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.device.connectable.disable\n\nIf the virtual machine advanced setting isolation.device.connectable.disable does not exist or is not set to true, this is a finding.",
"description": "In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. If a device might be needed again, you can instead prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying it from within the guest operating system. By default, a rogue user with nonadministrator privileges in a virtual machine can: \n1. Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive\n2. Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service\n3. Modify settings on a device",
"fixid": "F-40277r640121_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.device.connectable.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name isolation.device.connectable.disable -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name isolation.device.connectable.disable | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237095",
"ruleID": "SV-237095r640122_rule",
"severity": "medium",
"title": "Unauthorized removal, connection and modification of devices must be prevented on the virtual machine.",
"version": "VMCH-65-000037"
},
"V-237096": {
"checkid": "C-40315r640123_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the tools.guestlib.enableHostInfo value is set to false.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo\n\nIf the virtual machine advanced setting tools.guestlib.enableHostInfo does not exist or is not set to false, this is a finding.",
"description": "If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this information for performance monitoring. An adversary potentially can use this information to inform further attacks on the host.",
"fixid": "F-40278r640124_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the tools.guestlib.enableHostInfo value and set it to false. If the setting does not exist, add the Name and Value setting at the bottom of screen.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name tools.guestlib.enableHostInfo -Value false\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Set-AdvancedSetting -Value false",
"iacontrols": null,
"id": "V-237096",
"ruleID": "SV-237096r640125_rule",
"severity": "medium",
"title": "The virtual machine must not be able to obtain host information from the hypervisor.",
"version": "VMCH-65-000039"
},
"V-237097": {
"checkid": "C-40316r640126_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the sched.mem.pshare.salt setting does not exist.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name sched.mem.pshare.salt\n\nIf the virtual machine advanced setting sched.mem.pshare.salt exists, this is a finding.",
"description": "When salting is enabled (Mem.ShareForceSalting=1 or 2), in order to share a page between two virtual machines both the salt and the content of the page must be the same. A salt value is a configurable advanced option for each virtual machine. You can manually specify the salt values in the virtual machine's advanced settings with the new option sched.mem.pshare.salt. If this option is not present in the virtual machine's advanced settings, then the value of the vc.uuid option is taken as the default value. Since the vc.uuid is unique to each virtual machine, by default TPS happens only among the pages belonging to a particular virtual machine (Intra-VM).",
"fixid": "F-40279r640127_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Delete the sched.mem.pshare.salt setting.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name sched.mem.pshare.salt | Remove-AdvancedSetting",
"iacontrols": null,
"id": "V-237097",
"ruleID": "SV-237097r640128_rule",
"severity": "low",
"title": "Shared salt values must be disabled on the virtual machine.",
"version": "VMCH-65-000040"
},
"V-237098": {
"checkid": "C-40317r640129_chk",
"checktext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Look for settings with the format ethernet*.filter*.name.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name \"ethernet*.filter*.name*\"\n\nIf the virtual machine advanced setting ethernet*.filter*.name exists and dvfilters are not in use, this is a finding.\n\nIf the virtual machine advanced setting ethernet*.filter*.name exists and the value is not valid, this is a finding.",
"description": "An attacker might compromise a VM by making use of the dvFilter API. Configure only those VMs that need this access to use the API.",
"fixid": "F-40280r640130_fix",
"fixtext": "From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Look for settings with the format ethernet*.filter*.name. Ensure only required VMs use this setting.\n\nNote: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name ethernetX.filterY.name | Remove-AdvancedSetting\n\nNote: Change the X and Y values to match the specific setting in your environment.",
"iacontrols": null,
"id": "V-237098",
"ruleID": "SV-237098r640131_rule",
"severity": "low",
"title": "Access to virtual machines through the dvfilter network APIs must be controlled.",
"version": "VMCH-65-000041"
},
"V-237099": {
"checkid": "C-40318r640132_chk",
"checktext": "Ask the SA if hardened, patched templates are used for VM creation, properly configured OS deployments, including applications both dependent and non-dependent on VM-specific configurations.\n\nIf hardened, patched templates are not used for VM creation, this is a finding.",
"description": "By capturing a hardened base operating system image (with no applications installed) in a template, you can ensure that all virtual machines are created with a known baseline level of security. Then use this template to create other, application-specific templates, or use the application template to deploy virtual machines. Manual installation of the OS and applications into a VM introduces the risk of misconfiguration due to human or process error.",
"fixid": "F-40281r640133_fix",
"fixtext": "Create hardened virtual machine templates to use for OS deployments.",
"iacontrols": null,
"id": "V-237099",
"ruleID": "SV-237099r640134_rule",
"severity": "low",
"title": "System administrators must use templates to deploy virtual machines whenever possible.",
"version": "VMCH-65-000042"
},
"V-237100": {
"checkid": "C-40319r640135_chk",
"checktext": "Remote management services, such as terminal services and SSH, must be used to interact with virtual machines. VM console access should only be granted when remote management services are unavailable or insufficient to perform necessary management tasks.\n\nAsk the SA if a VM console is used to perform VM management tasks, other than for troubleshooting VM issues. \n\nIf a VM console is used to perform VM management tasks, other than for troubleshooting VM issues, this is a finding. \n\nIf SSH and/or terminal management services are exclusively used to perform management tasks, this is not a finding.",
"description": "The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and removable device connectivity controls, which might potentially allow a malicious user to bring down a virtual machine. In addition, it also has a performance impact on the service console, especially if many VM console sessions are open simultaneously.",
"fixid": "F-40282r640136_fix",
"fixtext": "Develop a policy prohibiting the use of a VM console for performing management services. This policy should include procedures for the use of SSH and Terminal Management services for VM management. Where SSH and Terminal Management services prove insufficient to troubleshoot a VM, access to the VM console may be temporarily granted.",
"iacontrols": null,
"id": "V-237100",
"ruleID": "SV-237100r640137_rule",
"severity": "medium",
"title": "Use of the virtual machine console must be minimized.",
"version": "VMCH-65-000043"
},
"V-237101": {
"checkid": "C-40320r640138_chk",
"checktext": "From the vSphere Web Client select the Virtual Machine, right click and go to Edit Settings >> VM Options Tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find the \"tools.guest.desktop.autolock\" value and verify that it is set to \"true\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name tools.guest.desktop.autolock\n\nIf the virtual machine advanced setting \"tools.guest.desktop.autolock\" does not exist or is not set to \"true\", this is a finding.\n\nIf the VM is not Windows-based, this is not a finding.",
"description": "When accessing the VM console, the guest OS must be locked when the last console user disconnects, limiting the possibility of session hijacking. This setting only applies to Windows-based VMs with VMware tools installed.",
"fixid": "F-40283r640139_fix",
"fixtext": "From the vSphere Client select the Virtual Machine, right click and go to Edit Settings >> VM Options Tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find or create the \"tools.guest.desktop.autolock\" value and set it to \"true\".\n\nNote: The VM must be powered off to modify the advanced settings through the vSphere Web Client. It is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. In this case the modified settings will not take effect until a cold boot of the VM.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name tools.guest.desktop.autolock -Value true\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Set-AdvancedSetting -Value true",
"iacontrols": null,
"id": "V-237101",
"ruleID": "SV-237101r640140_rule",
"severity": "medium",
"title": "The virtual machine guest operating system must be locked when the last console connection is closed.",
"version": "VMCH-65-000047"
},
"V-237102": {
"checkid": "C-40321r640141_chk",
"checktext": "From the vSphere Web Client select the Virtual Machine, right click and go to Edit Settings >> VM Options Tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find the \"mks.enable3d\" value and verify it is set to \"false\".\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name mks.enable3d\n\nIf the virtual machine advanced setting \"mks.enable3d\" does not exist or is not set to \"false\", this is a finding.\n\nIf a virtual machine requires 3D features, this is not a finding.",
"description": "It is recommended that 3D acceleration be disabled on virtual machines that do not require 3D functionality (e.g., most server workloads or desktops not using 3D applications).",
"fixid": "F-40284r640142_fix",
"fixtext": "From the vSphere Client select the Virtual Machine, right click and go to Edit Settings >> VM Options Tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find the \"mks.enable3d\" value and set it to \"false\".\n\nNote: The VM must be powered off to modify the advanced settings through the vSphere Web Client. It is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. In this case the modified settings will not take effect until a cold boot of the VM.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nIf the setting does not exist, run:\n\nGet-VM \"VM Name\" | New-AdvancedSetting -Name mks.enable3d -Value false\n\nIf the setting exists, run:\n\nGet-VM \"VM Name\" | Get-AdvancedSetting -Name mks.enable3d | Set-AdvancedSetting -Value false",
"iacontrols": null,
"id": "V-237102",
"ruleID": "SV-237102r640143_rule",
"severity": "low",
"title": "3D features on the virtual machine must be disabled when not required.",
"version": "VMCH-65-000048"
},
"V-237103": {
"checkid": "C-40322r802904_chk",
"checktext": "Note: If the system does not have vCenter installed and utilizes vMotion, then this is Not Applicable.\n\nFrom the vSphere Web Client, select the Virtual Machine, right-click and go to Edit Settings >> VM Options Tab >> Encryption >> Encrypted vMotion.\n\nor\n\nFrom a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:\n\nGet-VM | Where {($_.ExtensionData.Config.MigrateEncryption -ne \"opportunistic\") -and ($_.ExtensionData.Config.MigrateEncryption -ne \"required\")}\n\nIf the setting does not have a value of \"Opportunistic\" or \"Required\", this is a finding.",
"description": "vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMotion network. As of vSphere 6.5 this transfer can be transparently encrypted using 256-bit AES-GCM with negligible performance impact. vSphere 6.5 enables encrypted vMotion by default as 'Opportunistic', meaning that encrypted channels are used where supported but the operation will continue in plain text where encryption is not supported. For example, when vMotioning between two 6.5 hosts encryption will always be utilized, but since 6.0 and earlier releases do not support this feature, a vMotion from a 6.5 host to a 6.0 host would be allowed but would not be encrypted. If this setting is set to 'Required' then vMotions to unsupported hosts will fail. This setting must be set to 'Opportunistic' or 'Required'.",
"fixid": "F-40285r717087_fix",
"fixtext": "From the vSphere Client select the Virtual Machine, right click and go to Edit Settings >> VM Options Tab >> Encryption >> Encrypted vMotion. Set the value to \"Opportunistic\" or \"Required\".",
"iacontrols": null,
"id": "V-237103",
"ruleID": "SV-237103r802905_rule",
"severity": "medium",
"title": "Encryption must be enabled for vMotion on the virtual machine.",
"version": "VMCH-65-000049"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-237065": "true",
"V-237066": "true",
"V-237067": "true",
"V-237068": "true",
"V-237069": "true",
"V-237070": "true",
"V-237071": "true",
"V-237072": "true",
"V-237073": "true",
"V-237074": "true",
"V-237075": "true",
"V-237076": "true",
"V-237077": "true",
"V-237078": "true",
"V-237079": "true",
"V-237080": "true",
"V-237081": "true",
"V-237082": "true",
"V-237083": "true",
"V-237084": "true",
"V-237085": "true",
"V-237086": "true",
"V-237087": "true",
"V-237088": "true",
"V-237089": "true",
"V-237090": "true",
"V-237091": "true",
"V-237092": "true",
"V-237093": "true",
"V-237094": "true",
"V-237095": "true",
"V-237096": "true",
"V-237097": "true",
"V-237098": "true",
"V-237099": "true",
"V-237100": "true",
"V-237101": "true",
"V-237102": "true",
"V-237103": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-237065": "true",
"V-237066": "true",
"V-237067": "true",
"V-237068": "true",
"V-237069": "true",
"V-237070": "true",
"V-237071": "true",
"V-237072": "true",
"V-237073": "true",
"V-237074": "true",
"V-237075": "true",
"V-237076": "true",
"V-237077": "true",
"V-237078": "true",
"V-237079": "true",
"V-237080": "true",
"V-237081": "true",
"V-237082": "true",
"V-237083": "true",
"V-237084": "true",
"V-237085": "true",
"V-237086": "true",
"V-237087": "true",
"V-237088": "true",
"V-237089": "true",
"V-237090": "true",
"V-237091": "true",
"V-237092": "true",
"V-237093": "true",
"V-237094": "true",
"V-237095": "true",
"V-237096": "true",
"V-237097": "true",
"V-237098": "true",
"V-237099": "true",
"V-237100": "true",
"V-237101": "true",
"V-237102": "true",
"V-237103": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-237065": "true",
"V-237066": "true",
"V-237067": "true",
"V-237068": "true",
"V-237069": "true",
"V-237070": "true",
"V-237071": "true",
"V-237072": "true",
"V-237073": "true",
"V-237074": "true",
"V-237075": "true",
"V-237076": "true",
"V-237077": "true",
"V-237078": "true",
"V-237079": "true",
"V-237080": "true",
"V-237081": "true",
"V-237082": "true",
"V-237083": "true",
"V-237084": "true",
"V-237085": "true",
"V-237086": "true",
"V-237087": "true",
"V-237088": "true",
"V-237089": "true",
"V-237090": "true",
"V-237091": "true",
"V-237092": "true",
"V-237093": "true",
"V-237094": "true",
"V-237095": "true",
"V-237096": "true",
"V-237097": "true",
"V-237098": "true",
"V-237099": "true",
"V-237100": "true",
"V-237101": "true",
"V-237102": "true",
"V-237103": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-237065": "true",
"V-237066": "true",
"V-237067": "true",
"V-237068": "true",
"V-237069": "true",
"V-237070": "true",
"V-237071": "true",
"V-237072": "true",
"V-237073": "true",
"V-237074": "true",
"V-237075": "true",
"V-237076": "true",
"V-237077": "true",
"V-237078": "true",
"V-237079": "true",
"V-237080": "true",
"V-237081": "true",
"V-237082": "true",
"V-237083": "true",
"V-237084": "true",
"V-237085": "true",
"V-237086": "true",
"V-237087": "true",
"V-237088": "true",
"V-237089": "true",
"V-237090": "true",
"V-237091": "true",
"V-237092": "true",
"V-237093": "true",
"V-237094": "true",
"V-237095": "true",
"V-237096": "true",
"V-237097": "true",
"V-237098": "true",
"V-237099": "true",
"V-237100": "true",
"V-237101": "true",
"V-237102": "true",
"V-237103": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-237065": "true",
"V-237066": "true",
"V-237067": "true",
"V-237068": "true",
"V-237069": "true",
"V-237070": "true",
"V-237071": "true",
"V-237072": "true",
"V-237073": "true",
"V-237074": "true",
"V-237075": "true",
"V-237076": "true",
"V-237077": "true",
"V-237078": "true",
"V-237079": "true",
"V-237080": "true",
"V-237081": "true",
"V-237082": "true",
"V-237083": "true",
"V-237084": "true",
"V-237085": "true",
"V-237086": "true",
"V-237087": "true",
"V-237088": "true",
"V-237089": "true",
"V-237090": "true",
"V-237091": "true",
"V-237092": "true",
"V-237093": "true",
"V-237094": "true",
"V-237095": "true",
"V-237096": "true",
"V-237097": "true",
"V-237098": "true",
"V-237099": "true",
"V-237100": "true",
"V-237101": "true",
"V-237102": "true",
"V-237103": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-237065": "true",
"V-237066": "true",
"V-237067": "true",
"V-237068": "true",
"V-237069": "true",
"V-237070": "true",
"V-237071": "true",
"V-237072": "true",
"V-237073": "true",
"V-237074": "true",
"V-237075": "true",
"V-237076": "true",
"V-237077": "true",
"V-237078": "true",
"V-237079": "true",
"V-237080": "true",
"V-237081": "true",
"V-237082": "true",
"V-237083": "true",
"V-237084": "true",
"V-237085": "true",
"V-237086": "true",
"V-237087": "true",
"V-237088": "true",
"V-237089": "true",
"V-237090": "true",
"V-237091": "true",
"V-237092": "true",
"V-237093": "true",
"V-237094": "true",
"V-237095": "true",
"V-237096": "true",
"V-237097": "true",
"V-237098": "true",
"V-237099": "true",
"V-237100": "true",
"V-237101": "true",
"V-237102": "true",
"V-237103": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-237065": "true",
"V-237066": "true",
"V-237067": "true",
"V-237068": "true",
"V-237069": "true",
"V-237070": "true",
"V-237071": "true",
"V-237072": "true",
"V-237073": "true",
"V-237074": "true",
"V-237075": "true",
"V-237076": "true",
"V-237077": "true",
"V-237078": "true",
"V-237079": "true",
"V-237080": "true",
"V-237081": "true",
"V-237082": "true",
"V-237083": "true",
"V-237084": "true",
"V-237085": "true",
"V-237086": "true",
"V-237087": "true",
"V-237088": "true",
"V-237089": "true",
"V-237090": "true",
"V-237091": "true",
"V-237092": "true",
"V-237093": "true",
"V-237094": "true",
"V-237095": "true",
"V-237096": "true",
"V-237097": "true",
"V-237098": "true",
"V-237099": "true",
"V-237100": "true",
"V-237101": "true",
"V-237102": "true",
"V-237103": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-237065": "true",
"V-237066": "true",
"V-237067": "true",
"V-237068": "true",
"V-237069": "true",
"V-237070": "true",
"V-237071": "true",
"V-237072": "true",
"V-237073": "true",
"V-237074": "true",
"V-237075": "true",
"V-237076": "true",
"V-237077": "true",
"V-237078": "true",
"V-237079": "true",
"V-237080": "true",
"V-237081": "true",
"V-237082": "true",
"V-237083": "true",
"V-237084": "true",
"V-237085": "true",
"V-237086": "true",
"V-237087": "true",
"V-237088": "true",
"V-237089": "true",
"V-237090": "true",
"V-237091": "true",
"V-237092": "true",
"V-237093": "true",
"V-237094": "true",
"V-237095": "true",
"V-237096": "true",
"V-237097": "true",
"V-237098": "true",
"V-237099": "true",
"V-237100": "true",
"V-237101": "true",
"V-237102": "true",
"V-237103": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-237065": "true",
"V-237066": "true",
"V-237067": "true",
"V-237068": "true",
"V-237069": "true",
"V-237070": "true",
"V-237071": "true",
"V-237072": "true",
"V-237073": "true",
"V-237074": "true",
"V-237075": "true",
"V-237076": "true",
"V-237077": "true",
"V-237078": "true",
"V-237079": "true",
"V-237080": "true",
"V-237081": "true",
"V-237082": "true",
"V-237083": "true",
"V-237084": "true",
"V-237085": "true",
"V-237086": "true",
"V-237087": "true",
"V-237088": "true",
"V-237089": "true",
"V-237090": "true",
"V-237091": "true",
"V-237092": "true",
"V-237093": "true",
"V-237094": "true",
"V-237095": "true",
"V-237096": "true",
"V-237097": "true",
"V-237098": "true",
"V-237099": "true",
"V-237100": "true",
"V-237101": "true",
"V-237102": "true",
"V-237103": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "vmware_vsphere_6.5_virtual_machine",
"title": "VMware vSphere 6.5 Virtual Machine Security Technical Implementation Guide",
"version": "2"
}
}