| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239304 | ESXI-67-000049 | SV-239304r674841_rule | | Medium |

| Description |
|---|
| The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network. |

| STIG | Date |
|---|---|
| VMware vSphere 6.7 ESXi Security Technical Implementation Guide | 2021-03-17 |

| Check Text (C-42537r674839_chk) |
|---|
| Verify the Management VMkernel port group is on a dedicated VLAN, which can be on a common standard or distributed virtual switch as long as the Management VLAN is not shared by any other function and is not accessible to anything other than management-related functions such as vCenter. The check for this will be unique per environment. From the vSphere Client, select the ESXi host and go to Configure >> Networking. Review the VLAN associated with the Management VMkernel and verify it is dedicated for that purpose and is logically separated from other functions. If the network segment is accessible, except to networks where other management-related entities such as vCenter are located, this is a finding. |
| Fix Text (F-42496r674840_fix) |
|---|
| From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select the Management VMkernel and click "Edit". On the Port properties tab, uncheck everything but "Management". On the IP Settings tab, enter the appropriate IP address and subnet information and click "OK". To set the appropriate VLAN ID, go to Configure >> Networking >> Virtual switches. Select the Management portgroup and click "Edit". On the Properties tab, enter the appropriate VLAN ID and click "OK". |