UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vSphere 7.0 ESXi Security Technical Implementation Guide


Overview

Date Finding Count (75)
2023-06-21 CAT I (High): 4 CAT II (Med): 65 CAT III (Low): 6
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-256428 High The ESXi host must have all security patches and updates installed.
V-256421 High All port groups on standard switches must be configured to reject guest Media Access Control (MAC) address changes.
V-256410 High The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance levels must be verified.
V-256429 High The ESXi host must exclusively enable Transport Layer Security (TLS) 1.2 for all endpoints.
V-256381 Medium The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).
V-256380 Medium The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.
V-256383 Medium The ESXi host SSH daemon must be configured with the DOD logon banner.
V-256382 Medium The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).
V-256385 Medium The ESXi host Secure Shell (SSH) daemon must ignore ".rhosts" files.
V-256384 Medium The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
V-256386 Medium The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication.
V-256389 Medium The ESXi host Secure Shell (SSH) daemon must perform strict mode checking of home directory configuration files.
V-256388 Medium The ESXi host Secure Shell (SSH) daemon must not permit user environment settings.
V-256442 Medium The ESXi host rhttpproxy daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
V-256443 Medium The ESXi host must be configured with an appropriate maximum password age.
V-256440 Medium The ESXi host must configure a session timeout for the vSphere API.
V-256441 Medium The ESXi Host Client must be configured with a session timeout.
V-256446 Medium The ESXi host must require TPM-based configuration encryption.
V-256447 Medium The ESXi host must implement Secure Boot enforcement.
V-256444 Medium The ESXi host must not be configured to override virtual machine (VM) configurations.
V-256445 Medium The ESXi host must not be configured to override virtual machine (VM) logger settings.
V-256448 Medium The ESXi Common Information Model (CIM) service must be disabled.
V-256449 Medium The ESXi host SSH daemon must be configured to only use FIPS 140-2 validated ciphers.
V-256406 Medium The ESXi host must terminate shell services after 10 minutes.
V-256407 Medium The ESXi host must log out of the console UI after two minutes.
V-256404 Medium Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
V-256405 Medium The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes.
V-256424 Medium All port groups on standard switches must be configured to a value other than that of the native virtual local area network (VLAN).
V-256379 Medium The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
V-256400 Medium The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).
V-256401 Medium The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.
V-256375 Medium Access to the ESXi host must be limited by enabling lockdown mode.
V-256376 Medium The ESXi host must verify the DCUI.Access list.
V-256377 Medium The ESXi host must verify the exception users list for lockdown mode.
V-256408 Medium The ESXi host must enable a persistent log location for all locally stored logs.
V-256409 Medium The ESXi host must configure NTP time synchronization.
V-256420 Medium All port groups on standard switches must be configured to reject forged transmits.
V-256398 Medium The ESXi host must prohibit the reuse of passwords within five iterations.
V-256396 Medium The ESXi host must produce audit records containing information to establish what type of events occurred.
V-256397 Medium The ESXi host must be configured with a sufficiently complex password policy.
V-256392 Medium The ESXi host Secure Shell (SSH) daemon must be configured to not allow X11 forwarding.
V-256393 Medium The ESXi host Secure Shell (SSH) daemon must not permit tunnels.
V-256390 Medium The ESXi host Secure Shell (SSH) daemon must not allow compression or must only allow compression after successful authentication.
V-256419 Medium The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
V-256418 Medium The ESXi host must configure the firewall to block network traffic by default.
V-256399 Medium The ESXi host must disable the Managed Object Browser (MOB).
V-256423 Medium Use of the dvFilter network application programming interfaces (APIs) must be restricted.
V-256403 Medium ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
V-256422 Medium All port groups on standard switches must be configured to reject guest promiscuous mode requests.
V-256411 Medium The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
V-256413 Medium The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
V-256412 Medium The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
V-256415 Medium The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic.
V-256414 Medium Simple Network Management Protocol (SNMP) must be configured properly on the ESXi host.
V-256417 Medium The ESXi host must configure the firewall to restrict access to services running on the host.
V-256425 Medium All port groups on standard switches must not be configured to virtual local area network (VLAN) 4095 unless Virtual Guest Tagging (VGT) is required.
V-256433 Medium The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities.
V-256432 Medium The ESXi host must not suppress warnings that the local or remote shell sessions are enabled.
V-256431 Medium The ESXi host must use DOD-approved certificates.
V-256430 Medium The ESXi host must enable Secure Boot.
V-256437 Medium The ESXi host must enable strict x509 verification for SSL syslog endpoints.
V-256436 Medium The ESXi host must enable audit logging.
V-256435 Medium The ESXi host OpenSLP service must be disabled.
V-256434 Medium The ESXi host Secure Shell (SSH) daemon must disable port forwarding.
V-256439 Medium The ESXi host must enable volatile key destruction.
V-256438 Medium The ESXi host must verify certificates for SSL syslog endpoints.
V-256427 Medium The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications.
V-256378 Medium Remote logging for ESXi hosts must be configured.
V-256426 Medium All port groups on standard switches must not be configured to virtual local area network (VLAN) values reserved by upstream physical switches.
V-256387 Low The ESXi host Secure Shell (SSH) daemon must not allow authentication using an empty password.
V-256402 Low The ESXi host must use Active Directory for local user authentication.
V-256416 Low The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing.
V-256394 Low The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions.
V-256395 Low The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions.
V-256391 Low The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports.