Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The vCenter Server must disable the distributed virtual switch health check.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-243081 | VCTR-67-000012 | SV-243081r719486_rule | Medium |
| Description |
|---|
| Network Healthcheck is disabled by default. Once enabled, the healthcheck packets contain information on host#, vds#, and port#, which an attacker would find useful. It is recommended that network healthcheck be used for troubleshooting and turned off when troubleshooting is finished. |
| STIG | Date |
|---|---|
| VMware vSphere 6.7 vCenter Security Technical Implementation Guide | 2021-04-16 |
Details
| Check Text ( C-46356r719484_chk ) |
|---|
| From the vSphere Client, go to Networking >> select a distributed switch >> Configure >> Settings >> Health Check. View the health check pane and verify that the "VLAN and MTU" and "Teaming and failover" checks are disabled. or From a PowerCLI command prompt while connected to the vCenter server, run the following commands: $vds = Get-VDSwitch $vds.ExtensionData.Config.HealthCheckConfig If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding. |
| Fix Text (F-46313r719485_fix) |
|---|
| From the vSphere Client, go to Networking >> select a distributed switch >> Configure >> Settings >> Health Check. Click the edit button and disable the "VLAN and MTU" and "Teaming and failover" checks. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))} |