| V-256375 | | Access to the ESXi host must be limited by enabling lockdown mode. | Enabling lockdown mode disables direct access to an ESXi host, requiring the host to be managed remotely from vCenter Server. This is done to ensure t... |
| V-256376 | | The ESXi host must verify the DCUI.Access list. | Lockdown mode disables direct host access, requiring that administrators manage hosts from vCenter Server. However, if a host becomes isolated from vC... |
| V-256377 | | The ESXi host must verify the exception users list for lockdown mode. | While a host is in lockdown mode (strict or normal), only users on the "Exception Users" list are allowed access. These users do not lose their permis... |
| V-256378 | | Remote logging for ESXi hosts must be configured. | Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, it can more ... |
| V-256379 | | The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user. | By limiting the number of failed logon attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is redu... |
| V-256380 | | The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out. | By enforcing a reasonable unlock timeout after multiple failed logon attempts, the risk of unauthorized access via user password guessing, otherwise k... |
| V-256381 | | The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI). | Failure to display the DOD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.... |
| V-256382 | | The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH). | Failure to display the DOD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.... |
| V-256383 | | The ESXi host SSH daemon must be configured with the DOD logon banner. | The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, syste... |
| V-256384 | | The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions. | OpenSSH on the ESXi host ships with a FIPS 140-2 validated cryptographic module that is enabled by default. For backward compatibility reasons, this c... |
| V-256385 | | The ESXi host Secure Shell (SSH) daemon must ignore ".rhosts" files. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH can emulate the behavior of the obso... |
| V-256386 | | The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH's cryptographic host-based authentic... |
| V-256388 | | The ESXi host Secure Shell (SSH) daemon must not permit user environment settings. | SSH environment options potentially allow users to bypass access restriction in some configurations. Users must not be able to present environment opt... |
| V-256389 | | The ESXi host Secure Shell (SSH) daemon must perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log on the system as another user.... |
| V-256390 | | The ESXi host Secure Shell (SSH) daemon must not allow compression or must only allow compression after successful authentication. | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the ... |
| V-256392 | | The ESXi host Secure Shell (SSH) daemon must be configured to not allow X11 forwarding. | X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH conne... |
| V-256393 | | The ESXi host Secure Shell (SSH) daemon must not permit tunnels. | OpenSSH has the ability to create network tunnels (layer 2 and layer 3) over an SSH connection. This function can provide similar convenience to a vir... |
| V-256396 | | The ESXi host must produce audit records containing information to establish what type of events occurred. | Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage ... |
| V-256397 | | The ESXi host must be configured with a sufficiently complex password policy. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the a... |
| V-256398 | | The ESXi host must prohibit the reuse of passwords within five iterations. | If a user or root used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it w... |
| V-256399 | | The ESXi host must disable the Managed Object Browser (MOB). | The MOB provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed. This interface is... |
| V-256400 | | The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH). | The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi shell provides temporary access to comman... |
| V-256401 | | The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting. | The ESXi Shell is an interactive command line environment available locally from the Direct Console User Interface (DCUI) or remotely via SSH. Activit... |
| V-256403 | | ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory. | If a host is configured to join an Active Directory domain using Host Profiles and/or Auto Deploy, the Active Directory credentials are saved in the p... |
| V-256404 | | Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory. | When adding ESXi hosts to Active Directory, all user/group accounts assigned to the Active Directory group "ESX Admins" will have full administrativ... |
| V-256405 | | The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes. | If a user forgets to log out of their local or remote ESXi Shell session, the idle connection will remain open indefinitely and increase the likelihoo... |
| V-256406 | | The ESXi host must terminate shell services after 10 minutes. | When the ESXi Shell or Secure Shell (SSH) services are enabled on a host, they will run indefinitely. To avoid having these services left running, set... |
| V-256407 | | The ESXi host must log out of the console UI after two minutes. | When the Direct Console User Interface (DCUI) is enabled and logged in, it should be automatically logged out if left logged on to avoid access by una... |
| V-256408 | | The ESXi host must enable a persistent log location for all locally stored logs. | ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". W... |
| V-256409 | | The ESXi host must configure NTP time synchronization. | To ensure the accuracy of the system clock, it must be synchronized with an authoritative time source within DOD. Many system functions, including tim... |
| V-256411 | | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic. | While encrypted vMotion is available, vMotion traffic should still be sequestered from other traffic to further protect it from attack. This network m... |
| V-256412 | | The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic. | The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface pro... |
| V-256413 | | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic. | Virtual machines (VMs) might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes vSAN, iSCSI, and NFS... |
| V-256414 | | Simple Network Management Protocol (SNMP) must be configured properly on the ESXi host. | If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly confi... |
| V-256415 | | The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic. | When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host,... |
| V-256417 | | The ESXi host must configure the firewall to restrict access to services running on the host. | Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring t... |
| V-256418 | | The ESXi host must configure the firewall to block network traffic by default. | In addition to service-specific firewall rules, ESXi has a default firewall rule policy to allow or deny incoming and outgoing traffic. Reduce the ris... |
| V-256419 | | The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled. | BPDU Guard and Portfast are commonly enabled on the physical switch to which the ESXi host is directly connected to reduce the Spanning Tree Protocol ... |
| V-256420 | | All port groups on standard switches must be configured to reject forged transmits. | If the virtual machine (VM) operating system changes the Media Access Control (MAC) address, the operating system can send frames with an impersonated... |
| V-256422 | | All port groups on standard switches must be configured to reject guest promiscuous mode requests. | When promiscuous mode is enabled for a virtual switch, all virtual machines (VMs) connected to the Portgroup have the potential to read all packets ac... |
| V-256423 | | Use of the dvFilter network application programming interfaces (APIs) must be restricted. | If the organization is not using products that use the dvfilter network API, the host should not be configured to send network information to a virtua... |
| V-256424 | | All port groups on standard switches must be configured to a value other than that of the native virtual local area network (VLAN). | ESXi does not use the concept of native VLAN. Frames with a VLAN specified in the port group will have a tag, but frames with VLAN not specified in th... |
| V-256425 | | All port groups on standard switches must not be configured to virtual local area network (VLAN) 4095 unless Virtual Guest Tagging (VGT) is required. | When a port group is set to VLAN 4095, the vSwitch passes all network frames to the attached virtual machines (VMs) without modifying the VLAN tags. I... |
| V-256426 | | All port groups on standard switches must not be configured to virtual local area network (VLAN) values reserved by upstream physical switches. | Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Cat... |
| V-256427 | | The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications. | The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard application programming int... |
| V-256430 | | The ESXi host must enable Secure Boot. | Secure Boot is part of the Unified Extensible Firmware Interface (UEFI) firmware standard. With UEFI Secure Boot enabled, a host refuses to load any U... |
| V-256431 | | The ESXi host must use DOD-approved certificates. | The default self-signed host certificate issued by the VMware Certificate Authority (VMCA) must be replaced with a DOD-approved certificate when the h... |
| V-256432 | | The ESXi host must not suppress warnings that the local or remote shell sessions are enabled. | Warnings that local or remote shell sessions are enabled alert administrators to activity they may not be aware of and need to investigate.... |
| V-256433 | | The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities. | The L1 Terminal Fault (L1TF) CPU vulnerabilities published in 2018 have patches and mitigations available in vSphere. However, there are performance i... |
| V-256434 | | The ESXi host Secure Shell (SSH) daemon must disable port forwarding. | While enabling Transmission Control Protocol (TCP) tunnels is a valuable function of sshd, this feature is not appropriate for use on the ESXi hypervi... |
| V-256435 | | The ESXi host OpenSLP service must be disabled. | OpenSLP implements the Service Location Protocol to help CIM clients discover CIM servers over TCP 427. This service is not widely needed and has had ... |
| V-256436 | | The ESXi host must enable audit logging. | ESXi offers both local and remote audit recordkeeping to meet the requirements of the NIAP Virtualization Protection Profile and Server Virtualization... |
| V-256437 | | The ESXi host must enable strict x509 verification for SSL syslog endpoints. | When sending syslog data to a remote host via SSL, the ESXi host is presented with the endpoint's SSL server certificate. In addition to trust verific... |
| V-256438 | | The ESXi host must verify certificates for SSL syslog endpoints. | When sending syslog data to a remote host, ESXi can be configured to use any combination of TCP, UDP and SSL transports. When using SSL, the server ce... |
| V-256439 | | The ESXi host must enable volatile key destruction. | By default, pages allocated for virtual machines (VMs), userspace applications, and kernel threads are zeroed out at allocation time. ESXi will always... |
| V-256440 | | The ESXi host must configure a session timeout for the vSphere API. | The vSphere API (VIM) allows for remote, programmatic administration of the ESXi host. Authenticated API sessions are no different from a risk perspec... |
| V-256441 | | The ESXi Host Client must be configured with a session timeout. | The ESXi Host Client is the UI served up by the host itself, outside of vCenter. It is accessed by browsing to "https://<ESX FQDN>/ui". ESXi is not us... |
| V-256442 | | The ESXi host rhttpproxy daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions. | ESXi runs a reverse proxy service called rhttpproxy that front ends internal services and application programming interfaces (APIs) over one HTTPS por... |
| V-256443 | | The ESXi host must be configured with an appropriate maximum password age. | The older an ESXi local account password is, the larger the opportunity window is for attackers to guess, crack or reuse a previously cracked password... |
| V-256444 | | The ESXi host must not be configured to override virtual machine (VM) configurations. | Each VM on an ESXi host runs in its own "vmx" process. Upon creation, a vmx process will look in two locations for configuration items, the ESXi host ... |
| V-256445 | | The ESXi host must not be configured to override virtual machine (VM) logger settings. | Each VM on an ESXi host runs in its own "vmx" process. Upon creation, a vmx process will look in two locations for configuration items, the ESXi host ... |
| V-256446 | | The ESXi host must require TPM-based configuration encryption. | An ESXi host's configuration consists of configuration files for each service that runs on the host. The configuration files typically reside in the /... |
| V-256447 | | The ESXi host must implement Secure Boot enforcement. | Secure Boot is part of the UEFI firmware standard. With UEFI Secure Boot enabled, a host refuses to load any UEFI driver or app unless the operating s... |
| V-256448 | | The ESXi Common Information Model (CIM) service must be disabled. | The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard application programming int... |
| V-256449 | | The ESXi host SSH daemon must be configured to only use FIPS 140-2 validated ciphers. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. ESXi must implement cryptographic modules a... |
| V-256387 | | The ESXi host Secure Shell (SSH) daemon must not allow authentication using an empty password. | Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misc... |
| V-256391 | | The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports. | SSH Transmission Control Protocol (TCP) connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This functi... |
| V-256394 | | The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions. | Setting a timeout ensures that a user login will be terminated as soon as the "ClientAliveCountMax" is reached.... |
| V-256395 | | The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions. | Automatically logging out idle users guards against compromises via hijacked administrative sessions.... |
| V-256402 | | The ESXi host must use Active Directory for local user authentication. | Join ESXi hosts to an Active Directory domain to eliminate the need to create and maintain multiple local user accounts. Using Active Directory for us... |
| V-256416 | | The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing. | Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try to det... |
| V-256410 | | The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance levels must be verified. | Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile su... |
| V-256421 | | All port groups on standard switches must be configured to reject guest Media Access Control (MAC) address changes. | If the virtual machine (VM) operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This all... |
| V-256428 | | The ESXi host must have all security patches and updates installed. | Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities.... |
| V-256429 | | The ESXi host must exclusively enable Transport Layer Security (TLS) 1.2 for all endpoints. | TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 should be enabled on all interfaces and SSLv3, ... |