VMware vSphere 6.7 ESXi Security Technical Implementation Guide

Overview

Date: 2022-01-05
Finding Count (73): CAT I (High): 6, CAT II (Med): 49, CAT III (Low): 18
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-239271 High The ESXi host SSH daemon must not allow authentication using an empty password.
V-239314 High The virtual switch MAC Address Change policy must be set to reject on the ESXi host.
V-239326 High The ESXi host must exclusively enable TLS 1.2 for all endpoints.
V-239302 High The ESXi Image Profile and vSphere Installation Bundle (VIB) Acceptance Levels must be verified.
V-239324 High The SA must verify the integrity of the installation media before installing ESXi.
V-239325 High The ESXi host must have all security patches and updates installed.
V-239276 Medium The ESXi host SSH daemon must not allow compression or must only allow compression after successful authentication.
V-239258 Medium Access to the ESXi host must be limited by enabling Lockdown Mode.
V-239278 Medium The ESXi host SSH daemon must be configured to not allow X11 forwarding.
V-239300 Medium The ESXi host must enable a persistent log location for all locally stored logs.
V-239291 Medium The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.
V-239272 Medium The ESXi host SSH daemon must not permit user environment settings.
V-239275 Medium The ESXi host SSH daemon must perform strict mode checking of home directory configuration files.
V-239315 Medium The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host.
V-239262 Medium The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
V-239279 Medium The ESXi host SSH daemon must not accept environment variables from the client.
V-239283 Medium The ESXi host SSH daemon must limit connections to a single session.
V-239317 Medium For the ESXi host, all port groups must be configured to a value other than that of the native VLAN.
V-239316 Medium The ESXi host must prevent unintended use of the dvFilter network APIs.
V-239287 Medium The ESXi host must prohibit the reuse of passwords within five iterations.
V-239286 Medium The ESXi host must enforce password complexity by requiring that at least one uppercase character be used.
V-239313 Medium The virtual switch Forged Transmits policy must be set to reject on the ESXi host.
V-239265 Medium The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.
V-239269 Medium The ESXi host SSH daemon must not allow host-based authentication.
V-239267 Medium The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.
V-239266 Medium The ESXi host SSH daemon must be configured with the DoD logon banner.
V-239319 Medium For the ESXi host, all port groups must not be configured to VLAN values reserved by upstream physical switches.
V-239263 Medium The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out.
V-239268 Medium The ESXi host SSH daemon must ignore .rhosts files.
V-239329 Medium The ESXi host must not suppress warnings that the local or remote shell sessions are enabled.
V-239284 Medium The ESXi host must remove keys from the SSH authorized_keys file.
V-239298 Medium The ESXi host must log out of the console UI after two minutes.
V-239293 Medium ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
V-239290 Medium The ESXi host must be configured to disable nonessential capabilities by disabling SSH.
V-239288 Medium The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-239289 Medium The ESXi host must disable the Managed Object Browser (MOB).
V-239264 Medium The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the DCUI.
V-239296 Medium The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes.
V-239310 Medium The ESXi host must configure the firewall to restrict access to services running on the host.
V-239311 Medium The ESXi host must configure the firewall to block network traffic by default.
V-239327 Medium The ESXi host must enable Secure Boot.
V-239280 Medium The ESXi host SSH daemon must not permit tunnels.
V-239307 Medium SNMP must be configured properly on the ESXi host.
V-239261 Medium Remote logging for ESXi hosts must be configured.
V-239297 Medium The ESXi host must terminate shell services after 10 minutes.
V-239318 Medium For the ESXi host, all port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
V-239303 Medium The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
V-239301 Medium The ESXi host must configure NTP time synchronization.
V-239328 Medium The ESXi host must use DoD-approved certificates.
V-239331 Medium The ESXi host SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
V-239304 Medium The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
V-239305 Medium The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
V-239320 Medium For physical switch ports connected to the ESXi host, the non-negotiate option must be configured for trunk links between external physical switches and virtual switches in Virtual Switch Tagging (VST) mode.
V-239322 Medium All ESXi host-connected virtual switch VLANs must be fully documented and have only the required VLANs.
V-239323 Medium The ESXi host must not provide root/administrator-level access to CIM-based hardware monitoring tools or other third-party applications.
V-239270 Low The ESXi host SSH daemon must not permit root logins.
V-239299 Low The ESXi host must enable kernel core dumps.
V-239259 Low The ESXi host must verify the DCUI.Access list.
V-239295 Low The ESXi host must use multifactor authentication for local DCUI access to privileged accounts.
V-239273 Low The ESXi host SSH daemon must not permit GSSAPI authentication.
V-239277 Low The ESXi host SSH daemon must be configured to not allow gateway ports.
V-239282 Low The ESXi host SSH daemon must set a timeout interval on idle sessions.
V-239274 Low The ESXi host SSH daemon must not permit Kerberos authentication.
V-239294 Low Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
V-239281 Low The ESXi host SSH daemon must set a timeout count on idle sessions.
V-239312 Low The ESXi host must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
V-239260 Low The ESXi host must verify the exception users list for Lockdown Mode.
V-239285 Low The ESXi host must produce audit records containing information to establish what type of events occurred.
V-239306 Low The ESXi host must protect the confidentiality and integrity of transmitted information by using different TCP/IP stacks where possible.
V-239292 Low The ESXi host must use Active Directory for local user authentication.
V-239308 Low The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic.
V-239309 Low The ESXi host must disable Inter-VM transparent page sharing.
V-239321 Low All ESXi host-connected physical switch ports must be configured with spanning tree disabled.