VMware vSphere 6.7 Virtual Machine Security Technical Implementation Guide

Overview

Version	Date	Finding Count (24)			Downloads
1	2022-01-04 2021-04-16 2021-04-16	CAT I (High): 0	CAT II (Med): 15	CAT III (Low): 9	Excel	JSON	XML

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC I - Mission Critical Public)

Finding ID	Severity	Title	Description
V-239347	Medium	Unauthorized removal, connection and modification of devices must be prevented on the virtual machine.	In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings....
V-239344	Medium	Console connection sharing must be limited on the virtual machine.	By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window is notified about the new session. If an...
V-239345	Medium	Console access through the VNC protocol must be disabled on the virtual machine.	The VM console enables connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. This console is also available via the VNC protocol and...
V-239342	Medium	Unauthorized serial devices must be disconnected on the virtual machine.	Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and...
V-239343	Medium	Unauthorized USB devices must be disconnected on the virtual machine.	Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and...
V-239341	Medium	Unauthorized parallel devices must be disconnected on the virtual machine.	Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and...
V-239348	Medium	The virtual machine must not be able to obtain host information from the hypervisor.	If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this...
V-242469	Medium	Encryption must be enabled for vMotion on the virtual machine.	vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMotion network. As of vSphere 6.5 this transfer can be transparently...
V-239339	Medium	Unauthorized floppy devices must be disconnected on the virtual machine.	Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and...
V-239338	Medium	HGFS file transfers must be disabled on the virtual machine.	Setting isolation.tools.hgfsServerSet.disable to true disables registration of the guest's HGFS server with the host. APIs that use HGFS to transfer files to and from the guest operating system,...
V-239337	Medium	Independent, non-persistent disks must be not be used on the virtual machine.	The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard...
V-239336	Medium	Virtual disk erasure must be disabled on the virtual machine.	Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host...
V-239335	Medium	Virtual disk shrinking must be disabled on the virtual machine.	Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and...
V-239352	Medium	Use of the virtual machine console must be minimized.	The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and...
V-239353	Medium	The virtual machine guest operating system must be locked when the last console connection is closed.	When accessing the VM console the guest OS must be locked when the last console user disconnects, limiting the possibility of session hijacking. This setting only applies to Windows-based VMs with...
V-239346	Low	Informational messages from the virtual machine to the VMX file must be limited on the virtual machine.	The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the guest OS are capable of sending a large and continuous data stream to the...
V-239340	Low	Unauthorized CD/DVD devices must be disconnected on the virtual machine.	Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and...
V-239349	Low	Shared salt values must be disabled on the virtual machine.	When salting is enabled (Mem.ShareForceSalting=1 or 2) in order to share a page between two virtual machines both salt and the content of the page must be same. A salt value is a configurable...
V-239333	Low	Drag and drop operations must be disabled on the virtual machine.	Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or...
V-239332	Low	Copy operations must be disabled on the virtual machine.	Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or...
V-239351	Low	System administrators must use templates to deploy virtual machines whenever possible.	By capturing a hardened base operating system image (with no applications installed) in a template, ensure all virtual machines are created with a known baseline level of security. Then use this...
V-239350	Low	Access to virtual machines through the dvfilter network APIs must be controlled.	An attacker might compromise a VM by making use the dvFilter API. Configure only those VMs to use the API that need this access.
V-239334	Low	Paste operations must be disabled on the virtual machine.	Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or...
V-239354	Low	3D features on the virtual machine must be disabled when not required.	It is recommended that 3D acceleration be disabled on virtual machines that do not require 3D functionality, (e.g. most server workloads or desktops not using 3D applications).