
vmware tools installation  Date: 2021-02-23
Introduction

vSphere 5.5 Security Hardening Guide
General Availability (GA) Release: 41577
Important Note: This is the GA Release of the 5.5 vSphere Hardening Guide.

Scope of Guide
This guide covers the following components of vSphere:
- Virtual Machines
- ESXi hosts
- Virtual Network
- vCenter Server plus its database and clients. Common vCenter and Windows specific guidance is here.
- vCenter Web Client
- vCenter SSO Server
- vCenter Virtual Appliance (VCSA) specific guidance
- vCenter Update Manager
Everything else is out of scope and hence NOT covered by the guide. This includes:
- vSphere Management Assistant (vMA)
- any other add-on component

Description of fields
Each guideline is uniquely identified by the concatenation of Product-Version-Component-ID. Some examples:
- vSphere-5.5-esxi-apply-patches
- vSphere-5.5-vm-prevent-device-interaction-edit
- vSphere-5.5-vnetwork-reject-mac-change-dvportgroup
- vSphere-5.5-vcenter-isolated-vum-proxy
When referring to guidelines within a single version, the Product-Version may be omitted and the component-ID used by itself, e.g. esxi-apply-patches.

The Risk Profile field indicates the relative increase in security provided by the guidelines. Some guidelines describe an issue with more than one defense, and these will be associated with more than one Risk Profile.
- Risk Profile 3: guidelines that should be implemented in all environments
- Risk Profile 2: guidelines that should be implemented for more sensitive environments, e.g. those handling more sensitive data, those subject to stricter compliance rules, etc.
- Risk Profile 1: guidelines that should only be implemented in the highest security environments, e.g. top-secret government or military, extremely sensitive data, etc.

Control Type indicates how the guideline is implemented:
- Parameter: A system-level parameter should be set to a particular value, either specified in the guideline or else site-specific
- Configuration: A certain hardware and/or software configuration or combination of settings should be used
- Operational: Indicates an ongoing check, either monitoring for certain actions or conditions, or else verifying the use of proper procedures

Assessment Procedure
Describes how to validate whether or not the guideline is being followed. The remediation procedure is generally not described, but in some cases the remediation steps are available in an external reference.

The following fields are filled in where applicable or determinate:
- Configuration Parameter
- Configuration File
- Desired Value
- Is Desired Value the Default
- Negative Functional Impact: This indicates if this guideline has any side effects that reduce or prevent normal functionality
- CLI Examples: Where possible, CLI commands for assessment and remediation are provided. The commands are provided for the vSphere CLI (vCLI), ESXi Shell, and PowerCLI. Reference to the API which relates to a guideline is also provided if possible.

Use of Host Profiles
For the ESXi guidelines, a special column indicates whether or not the guidelines can be configured using Host Profiles.

VM

Columns: ID, Product, Version, Component, Subcomponent, Title, Vulnerability Discussion, Risk Profile, Control Type, Assessment Procedure, Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default, vSphere API, ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation, PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference, Able to set using Host Profile

ID: control-resource-usage
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Resources
Title: Prevent virtual machines from taking over resources.
Vulnerability Discussion: By default, all virtual machines on an ESXi host share the resources equally. By using the resource management capabilities of ESXi, such as proper VM sizing of memory and CPU and the use of shares, you can control the server resources that a virtual machine consumes. You can use this mechanism to prevent a denial of service that causes one virtual machine to consume so much of the host's resources that other virtual machines on the same host cannot perform their intended functions.
Risk Profile: 1,2
Control Type: Operational
Assessment Procedure: Provision a VM with just enough resources (CPU & Memory) to do the job. Then use shares to guarantee resources to critical VMs. Grouping "like" virtual machines into resource pools and leaving shares set to default ensures that all virtual machines in the pool will receive approximately the same resource priority. A "noisy neighbor" will not be able to use more than any other virtual machine in the pool. Previously recommended use of Limits is discouraged in general due to operational impact on the overall environment. Limits should only be used in situations where the impact is fully understood.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: N/A
Change Type: N/A
Is desired value the default: N/A
vSphere API: N/A
ESXi Shell Command Assessment: N/A
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: N/A
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List all Resource shares on all VMs
  Get-VM | Get-VMResourceConfiguration
PowerCLI Command Remediation: N/A
Negative Functional Impact:
Reference:
Able to set using Host Profile: N/A

ID: disable-autoinstall
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Tools
Title: Disable tools auto install
Vulnerability Discussion: Tools auto install can initiate an automatic reboot; disabling this option will prevent tools from being installed automatically and prevent automatic machine reboots.
Risk Profile: 1,2
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.autoinstall.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.tools.autoInstall.disable
Desired Value: TRUE
Change Type: modify
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.autoInstall.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.autoInstall.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.autoInstall.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.autoInstall.disable" -value $true
Negative Functional Impact: This option disables tools auto install; all tools installs will have to be manually started.
Reference:
Able to set using Host Profile: N/A

ID: disable-console-copy
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Explicitly disable copy/paste operations
Vulnerability Discussion: Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that the option is missing or set to true
Configuration File: VMX
Configuration Parameter: isolation.tools.copy.disable
Desired Value: TRUE
Change Type: Add or Modify
Is desired value the default: YES
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.copy.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.copy.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.copy.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.copy.disable" -value $true
Negative Functional Impact: This is the default setting so functionality remains the same
Reference:
Able to set using Host Profile: N/A

ID: disable-console-dnd
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Explicitly disable copy/paste operations
Vulnerability Discussion: Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that the option is missing or set to true
Configuration File: VMX
Configuration Parameter: isolation.tools.dnd.disable
Desired Value: TRUE
Change Type: Add or Modify
Is desired value the default: YES
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i isolation.tools.dnd.disable [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.dnd.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.dnd.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.dnd.disable" -value $true
Negative Functional Impact:
Reference:
Able to set using Host Profile: N/A

ID: disable-console-gui-options
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Explicitly disable copy/paste operations
Vulnerability Discussion: Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that the option is missing or set to false
Configuration File: VMX
Configuration Parameter: isolation.tools.setGUIOptions.enable
Desired Value: FALSE
Change Type: Add or Modify
Is desired value the default: YES
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i isolation.tools.setGUIOptions.enable [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.setGUIOptions.enable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.setGUIOptions.enable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.setGUIOptions.enable" -value $false
Negative Functional Impact:
Reference:
Able to set using Host Profile: N/A

ID: disable-console-paste
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Explicitly disable copy/paste operations
Vulnerability Discussion: Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that the option is missing or set to true
Configuration File: VMX
Configuration Parameter: isolation.tools.paste.disable
Desired Value: TRUE
Change Type: Add or Modify
Is desired value the default: YES
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i isolation.tools.paste.disable [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.paste.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.paste.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.paste.disable" -value $true
Negative Functional Impact: This is the default setting so functionality remains the same
Reference:
Able to set using Host Profile: N/A

ID: disable-disk-shrinking-shrink
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Storage
Title: Disable virtual disk shrinking.
Vulnerability Discussion: Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes—that is, users and processes without root or administrator privileges—within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial of service. In most datacenter environments, disk shrinking is not done, so you should disable this feature by setting the parameters listed in Table 9. Repeated disk shrinking can make a virtual disk unavailable. Capability is available to nonadministrative users in the guest.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.diskShrink.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.tools.diskShrink.disable
Desired Value: TRUE
Change Type: Add
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.diskShrink.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.diskShrink.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.diskShrink.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.diskShrink.disable" -value $true
Negative Functional Impact: Inability to shrink virtual machine disks in the event that a datastore runs out of space.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.vm_admin.doc/GUID-685722FA-9009-439C-9142-18A9E7C592EA.html
Able to set using Host Profile: N/A

ID: disable-disk-shrinking-wiper
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Storage
Title: Disable virtual disk shrinking.
Vulnerability Discussion: Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes—that is, users and processes without root or administrator privileges—within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial of service. In most datacenter environments, disk shrinking is not done, so you should disable this feature by setting the parameters listed in Table 9. Repeated disk shrinking can make a virtual disk unavailable. Capability is available to nonadministrative users in the guest.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.diskWiper.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.tools.diskWiper.disable
Desired Value: TRUE
Change Type: Add
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.diskWiper.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.diskWiper.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.diskWiper.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.diskWiper.disable" -value $true
Negative Functional Impact: Inability to shrink virtual machine disks in the event that a datastore runs out of space.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.vm_admin.doc/GUID-685722FA-9009-439C-9142-18A9E7C592EA.html
Able to set using Host Profile: N/A

ID: disable-hgfs
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable HGFS file transfers
Vulnerability Discussion: Certain automated operations such as automated tools upgrades use a component in the hypervisor called "Host Guest File System", and an attacker could potentially use this to transfer files inside the guest OS.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.hgfsServerSet.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.tools.hgfsServerSet.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.hgfsServerSet.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.hgfsServerSet.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.hgfsServerSet.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.hgfsServerSet.disable" -value $true
Negative Functional Impact: This will cause the VMX process to not respond to commands from the tools process; this may have a negative impact on operations such as automated tools upgrades.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html and http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.vm_admin.doc/GUID-685722FA-9009-439C-9142-18A9E7C592EA.html
Able to set using Host Profile: N/A

ID: disable-independent-nonpersistent
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Storage
Title: Avoid using independent nonpersistent disks.
Vulnerability Discussion: The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode; additionally, make sure that activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked.
Risk Profile: 1,2
Control Type: Parameter
Assessment Procedure: If remote logging of events and activity is not configured for the guest, scsiX:Y.mode should be either:
  1. Not present (defaults to Persistent if blank)
  2. Explicitly set to Persistent
  3. Set to Independent-Persistent
  It should NOT be set to independent nonpersistent for these types of sensitive workloads.
Configuration File: VMX
Configuration Parameter: scsiX:Y.mode
Desired Value: 1. Not present (defaults to Persistent if blank) 2. Explicitly set to Persistent 3. Set to Independent-Persistent
Change Type: remove, modify
Is desired value the default:
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "^scsi[0-9]*:[0-9]*.mode" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment:
  1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE]VM/VM.vmx" VM.vmx
  2. grep -i "^scsi[0-9]*:[0-9]*.mode" [VMX]
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their disk types
  Get-VM | Get-HardDisk | Select Parent, Name, Filename, DiskType, Persistence
PowerCLI Command Remediation: # Alter the parameters for the following cmdlet to set the VM Disk Type:
  Get-VM | Get-HardDisk | Set-HardDisk
Negative Functional Impact: Won't be able to make use of nonpersistent mode, which allows rollback to a known state when rebooting the VM.
Reference:
Able to set using Host Profile: N/A

ID: disable-intervm-vmci
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Communication
Title: Disable VM-to-VM communication through VMCI.
Vulnerability Discussion: If the interface is not restricted, a VM can detect and be detected by all other VMs with the same option enabled within the same host. This might be the intended behavior, but custom-built software can have unexpected vulnerabilities that might potentially lead to an exploit. Additionally, it is possible for a VM to detect how many other VMs are within the same ESXi system by simply registering the VM. This information might also be used for a potentially malicious objective. By default, the setting is FALSE. The VM can be exposed to other VMs within the same system as long as there is at least one program connected to the VMCI socket interface. THIS CONTROL HAS NO EFFECT IN Version 5.1 AND GREATER. WHETHER SET TO ENABLED OR DISABLED, THE COMMUNICATION IS DISABLED.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that vmci0.unrestricted is set to FALSE
Configuration File: VMX
Configuration Parameter: vmci0.unrestricted
Desired Value: FALSE
Change Type: Modify
Is desired value the default: YES
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "vmci0.unrestricted" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo vmci0.unrestricted
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "vmci0.unrestricted" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "vmci0.unrestricted" -value $false
Negative Functional Impact: Virtual machines will be unable to communicate using VMCI technology.
Reference: doc reference for vmci obsoletion
Able to set using Host Profile: N/A

ID: disable-logging
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Tools
Title: Disable VM logging
Vulnerability Discussion: You can use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. You can ensure that new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. You should not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastore's being filled.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that logging is set to FALSE
Configuration File: VMX
Configuration Parameter: logging
Desired Value: FALSE
Change Type: Add
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "^logging" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: N/A
vCLI Command Remediation: N/A
PowerCLI Command Assessment: N/A
PowerCLI Command Remediation: N/A
Negative Functional Impact: VM logs unavailable for troubleshooting and support.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-D1CF72E8-BD73-4239-B40A-36BBD3482038.html and http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.vm_admin.doc/GUID-685722FA-9009-439C-9142-18A9E7C592EA.html
Able to set using Host Profile: N/A
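As an added example (not part of the hardening guide or of this page), a small Python checker that applies the VMX parameter guidelines above, from disable-autoinstall through disable-logging, to a .vmx file offline: keys are matched case-insensitively as the grep -i assessments do, an absent key is accepted only when the guide marks the desired value as the default, guidelines are filtered by the Risk Profile semantics from the Introduction, and the scsiX:Y.mode rule of disable-independent-nonpersistent is applied to every disk. The sample .vmx is constructed for the demonstration.

```python
"""Audit a .vmx file against the Virtual Machines parameter guidelines transcribed above.

Risk profile semantics follow the guide's Introduction: a guideline tagged "1,2,3"
applies to every environment, "1,2" to sensitive and highest-security ones, "1" only
to the highest-security profile.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Guideline:
    gid: str
    parameter: str       # VMX key; the guide checks it with grep -i, so matching is case-insensitive
    desired: str         # Desired Value column
    default_ok: bool     # "Is desired value the default" = YES: an absent key is compliant
    profiles: frozenset  # Risk Profile column


# Transcribed from the VM sheet above (parameter guidelines with a single VMX key only).
GUIDELINES = (
    Guideline("disable-autoinstall", "isolation.tools.autoInstall.disable", "TRUE", False, frozenset({1, 2})),
    Guideline("disable-console-copy", "isolation.tools.copy.disable", "TRUE", True, frozenset({1, 2, 3})),
    Guideline("disable-console-dnd", "isolation.tools.dnd.disable", "TRUE", True, frozenset({1, 2, 3})),
    Guideline("disable-console-gui-options", "isolation.tools.setGUIOptions.enable", "FALSE", True, frozenset({1, 2, 3})),
    Guideline("disable-console-paste", "isolation.tools.paste.disable", "TRUE", True, frozenset({1, 2, 3})),
    Guideline("disable-disk-shrinking-shrink", "isolation.tools.diskShrink.disable", "TRUE", False, frozenset({1, 2, 3})),
    Guideline("disable-disk-shrinking-wiper", "isolation.tools.diskWiper.disable", "TRUE", False, frozenset({1, 2, 3})),
    Guideline("disable-hgfs", "isolation.tools.hgfsServerSet.disable", "TRUE", False, frozenset({1})),
    Guideline("disable-intervm-vmci", "vmci0.unrestricted", "FALSE", True, frozenset({1, 2, 3})),
    Guideline("disable-logging", "logging", "FALSE", False, frozenset({1})),
    Guideline("disable-monitor-control", "isolation.monitor.control.disable", "TRUE", False, frozenset({1})),
)

# A .vmx file is a list of key = "value" lines; comment (#) and blank lines are skipped.
_VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?(.*?)"?\s*$')
_SCSI_MODE = re.compile(r"scsi\d+:\d+\.mode")


def parse_vmx(text):
    """Return {lower-cased key: value} for every setting line in a .vmx file."""
    settings = {}
    for line in text.splitlines():
        match = _VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def check_vmx(text, profile):
    """Evaluate every guideline that applies to `profile` (3, 2 or 1).

    Returns {guideline id: (compliant, observed value)}. An absent key counts as
    compliant only when the desired value is the documented default.
    """
    settings = parse_vmx(text)
    results = {}
    for g in GUIDELINES:
        if profile not in g.profiles:
            continue
        observed = settings.get(g.parameter.lower())
        if observed is None:
            results[g.gid] = (g.default_ok, "absent")
        else:
            results[g.gid] = (observed.upper() == g.desired, observed)
    # disable-independent-nonpersistent (profiles 1,2): no scsiX:Y.mode may be independent-nonpersistent.
    if profile in (1, 2):
        bad = sorted(k for k, v in settings.items()
                     if _SCSI_MODE.fullmatch(k) and v.lower() == "independent-nonpersistent")
        results["disable-independent-nonpersistent"] = (not bad, ", ".join(bad) or "none")
    return results


# Constructed sample .vmx for the demonstration, not taken from any real VM.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
# console isolation
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
isolation.tools.diskShrink.disable = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "web01.vmdk"
scsi0:0.mode = "independent-nonpersistent"
scsi0:1.mode = "persistent"
vmci0.unrestricted = "FALSE"
logging = "TRUE"
"""

if __name__ == "__main__":
    for gid, (ok, observed) in sorted(check_vmx(SAMPLE_VMX, profile=2).items()):
        print(f"{'PASS' if ok else 'FAIL'}  {gid:40} observed={observed}")
```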
ID: disable-monitor-control
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable VM Monitor Control
Vulnerability Discussion: When Virtual Machines are running on a hypervisor they are "aware" that they are running in a virtual environment, and this information is available to tools inside the guest OS. This can give attackers information about the platform that they are running on that they may not get from a normal physical server. This option completely disables all hooks for a virtual machine, and the guest OS will not be aware that it is running in a virtual environment at all.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.monitor.control.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.monitor.control.disable
Desired Value: TRUE
Change Type: Add or Modify
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.monitor.control.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.monitor.control.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.monitor.control.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.monitor.control.disable" -value $true
Negative Functional Impact: This configuration option may cause unexpected results; the virtual machine will be completely unaware that it is running in a virtualized setting. VMware tools will not install or function.
Reference:
Able to set using Host Profile: N/A

ID: disable-unexposed-features-autologon
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.ghi.autologon.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.tools.ghi.autologon.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.ghi.autologon.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.ghi.autologon.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.ghi.autologon.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.ghi.autologon.disable" -value $true
Negative Functional Impact:
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Able to set using Host Profile: N/A

ID: disable-unexposed-features-biosbbs
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.bios.bbs.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.bios.bbs.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.bios.bbs.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.bios.bbs.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.bios.bbs.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.bios.bbs.disable" -value $true
Negative Functional Impact:
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Able to set using Host Profile: N/A

ID: disable-unexposed-features-getcreds
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.getCreds.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.tools.getCreds.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.getCreds.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.getCreds.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.getCreds.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.getCreds.disable" -value $true
Negative Functional Impact:
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Able to set using Host Profile: N/A

ID: disable-unexposed-features-launchmenu
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.ghi.launchmenu.change is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.tools.ghi.launchmenu.change
Desired Value: TRUE
Change Type: Modify
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.ghi.launchmenu.change" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.ghi.launchmenu.change
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.ghi.launchmenu.change" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.ghi.launchmenu.change" -value $true
Negative Functional Impact:
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Able to set using Host Profile: N/A

ID: disable-unexposed-features-memsfss
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that don't apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.memSchedFakeSampleStats.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.tools.memSchedFakeSampleStats.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.memSchedFakeSampleStats.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.memSchedFakeSampleStats.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.memSchedFakeSampleStats.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.memSchedFakeSampleStats.disable" -value $true
Negative Functional Impact:
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Able to set using Host Profile: N/A

ID: disable-unexposed-features-protocolhandler
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.ghi.protocolhandler.info.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.tools.ghi.protocolhandler.info.disable
Desired Value: TRUE
Change Type: Add
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.ghi.protocolhandler.info.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.ghi.protocolhandler.info.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.ghi.protocolhandler.info.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.ghi.protocolhandler.info.disable" -value $true
Negative Functional Impact: Some automated tools and processes may cease to function
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Able to set using Host Profile: N/A

ID: disable-unexposed-features-shellaction
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.ghi.host.shellAction.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.ghi.host.shellAction.disable
Desired Value: TRUE
Change Type: Add
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.ghi.host.shellAction.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.ghi.host.shellAction.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.ghi.host.shellAction.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.ghi.host.shellAction.disable" -value $true
Negative Functional Impact: Some automated tools and processes may cease to function
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Able to set using Host Profile: N/A

ID: disable-unexposed-features-toporequest
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.dispTopoRequest.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.tools.dispTopoRequest.disable
Desired Value: TRUE
Change Type: Add
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.dispTopoRequest.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.dispTopoRequest.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.dispTopoRequest.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.dispTopoRequest.disable" -value $true
Negative Functional Impact: Some automated tools and processes may cease to function
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Able to set using Host Profile: N/A

ID: disable-unexposed-features-trashfolderstate
Product: vSphere
Version: 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.trashFolderState.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.tools.trashFolderState.disable
Desired Value: TRUE
Change Type: Add
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.trashFolderState.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.trashFolderState.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment: # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.tools.trashFolderState.disable" | Select Entity, Name, Value
PowerCLI Command Remediation: # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.tools.trashFolderState.disable" -value $true
Negative Functional Impact: Some automated tools and processes may cease to function
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
html","N/A""disable-unexposed-features-trayicon","vSphere",5.
5,"VirtualMachines","Monitor","Disablecertainunexposedfeatures.
","SomeVMXparametersdon'tapplyonvSpherebecauseVMwarevirtualmachinesworkonvSphereandhostedvirtualizationplatformssuchasWorkstationandFusion.
Explicitlydisablingthesefeaturesreducesthepotentialforvulnerabilitiesbecauseitreducesthenumberofwaysinwhichaguestcanaffectthehost.
",1,"Parameter","Checkvirtualmachineconfigurationsettingsandverifythatisolation.
tools.
ghi.
trayicon.
disableissettoTRUE","VMX","isolation.
tools.
ghi.
trayicon.
disable",TRUE,"Add","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionValue.
html","grep-i"isolation.
tools.
ghi.
trayicon.
disable"[VMX]","N/A","vmware-cmd--server[SERVER]--username[USERNAME]--password[PASSWORD]/vmfs/volumes/[DATASTORE]/[VM]/[VM].
vmxgetguestinfoisolation.
tools.
ghi.
trayicon.
disable","N/A","#ListtheVMsandtheircurrentsettingsGet-VM|Get-AdvancedSetting-Name"isolation.
tools.
ghi.
trayicon.
disable"|SelectEntity,Name,Value","#AddthesettingtoallVMsGet-VM|New-AdvancedSetting-Name"isolation.
tools.
ghi.
trayicon.
disable"-value$true","Someautomatedtoolsandprocessmayceasetofunction","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.
html","N/A""disable-unexposed-features-unity","vSphere",5.
5,"VirtualMachines","Monitor","Disablecertainunexposedfeatures.
","SomeVMXparametersdon'tapplyonvSpherebecauseVMwarevirtualmachinesworkonvSphereandhostedvirtualizationplatformssuchasWorkstationandFusion.
Explicitlydisablingthesefeaturesreducesthepotentialforvulnerabilitiesbecauseitreducesthenumberofwaysinwhichaguestcanaffectthehost.
",1,"Parameter","Checkvirtualmachineconfigurationsettingsandverifythatisolation.
tools.
unity.
disableissettoTRUE","VMX","isolation.
tools.
unity.
disable",TRUE,"Add","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionValue.
html","grep-i"isolation.
tools.
unity.
disable"[VMX]","N/A","vmware-cmd--server[SERVER]--username[USERNAME]--password[PASSWORD]/vmfs/volumes/[DATASTORE]/[VM]/[VM].
vmxgetguestinfoisolation.
tools.
unity.
disable","N/A","#ListtheVMsandtheircurrentsettingsGet-VM|Get-AdvancedSetting-Name"isolation.
tools.
unity.
disable"|SelectEntity,Name,Value","#AddthesettingtoallVMsGet-VM|New-AdvancedSetting-Name"isolation.
tools.
unity.
disable"-value$true","Someautomatedtoolsandprocessmayceasetofunction","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.
html","N/A""disable-unexposed-features-unity-interlock","vSphere",5.
5,"VirtualMachines","Monitor","Disablecertainunexposedfeatures.
","SomeVMXparametersdon'tapplyonvSpherebecauseVMwarevirtualmachinesworkonvSphereandhostedvirtualizationplatformssuchasWorkstationandFusion.
Explicitlydisablingthesefeaturesreducesthepotentialforvulnerabilitiesbecauseitreducesthenumberofwaysinwhichaguestcanaffectthehost.
",1,"Parameter","Checkvirtualmachineconfigurationsettingsandverifythatisolation.
tools.
unityInterlockOperation.
disableissettoTRUE","VMX","isolation.
tools.
unityInterlockOperation.
disable",TRUE,"Add","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionValue.
html","grep-i"isolation.
tools.
unityInterlockOperation.
disable"[VMX]","N/A","vmware-cmd--server[SERVER]--username[USERNAME]--password[PASSWORD]/vmfs/volumes/[DATASTORE]/[VM]/[VM].
vmxgetguestinfoisolation.
tools.
unityInterlockOperation.
disable","N/A","#ListtheVMsandtheircurrentsettingsGet-VM|Get-AdvancedSetting-Name"isolation.
tools.
unityInterlockOperation.
disable"|SelectEntity,Name,Value","#AddthesettingtoallVMsGet-VM|New-AdvancedSetting-Name"isolation.
tools.
unityInterlockOperation.
disable"-value$true","Someautomatedtoolsandprocessmayceasetofunction","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.
Guideline ID: disable-unexposed-features-unity-taskbar
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Description: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and on hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.unity.taskbar.disable is set to TRUE
Configuration Type: VMX
Parameter: isolation.tools.unity.taskbar.disable
Desired Value: TRUE
Action: Add
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "isolation.tools.unity.taskbar.disable" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.unity.taskbar.disable
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.unity.taskbar.disable" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.unity.taskbar.disable" -value $true
Negative Functional Impact: Some automated tools and processes may cease to function
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Host Profile: N/A

Guideline ID: disable-unexposed-features-unity-unityactive
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Description: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and on hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.unityActive.disable is set to TRUE
Configuration Type: VMX
Parameter: isolation.tools.unityActive.disable
Desired Value: TRUE
Action: Add
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "isolation.tools.unityActive.disable" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.unityActive.disable
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.unityActive.disable" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.unityActive.disable" -value $True
Negative Functional Impact: Some automated tools and processes may cease to function
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Host Profile: N/A

Guideline ID: disable-unexposed-features-unity-windowcontents
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Description: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and on hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.unity.windowContents.disable is set to TRUE
Configuration Type: VMX
Parameter: isolation.tools.unity.windowContents.disable
Desired Value: TRUE
Action: Add
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "isolation.tools.unity.windowContents.disable" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.unity.windowContents.disable
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.unity.windowContents.disable" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.unity.windowContents.disable" -value $True
Negative Functional Impact: Some automated tools and processes may cease to function
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Host Profile: N/A

Guideline ID: disable-unexposed-features-unitypush
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Description: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and on hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.unity.push.update.disable is set to TRUE
Configuration Type: VMX
Parameter: isolation.tools.unity.push.update.disable
Desired Value: TRUE
Action: Modify
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "isolation.tools.unity.push.update.disable" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.unity.push.update.disable
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.unity.push.update.disable" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.unity.push.update.disable" -value $true
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Host Profile: N/A

Guideline ID: disable-unexposed-features-versionget
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Description: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and on hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.vmxDnDVersionGet.disable is set to TRUE
Configuration Type: VMX
Parameter: isolation.tools.vmxDnDVersionGet.disable
Desired Value: TRUE
Action: Add
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "isolation.tools.vmxDnDVersionGet.disable" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.vmxDnDVersionGet.disable
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.vmxDnDVersionGet.disable" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.vmxDnDVersionGet.disable" -value $true
Negative Functional Impact: Some automated tools and processes may cease to function
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Host Profile: N/A

Guideline ID: disable-unexposed-features-versionset
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Monitor
Title: Disable certain unexposed features.
Description: Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and on hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.guestDnDVersionSet.disable is set to TRUE
Configuration Type: VMX
Parameter: isolation.tools.guestDnDVersionSet.disable
Desired Value: TRUE
Action: Add
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "isolation.tools.guestDnDVersionSet.disable" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.guestDnDVersionSet.disable
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.guestDnDVersionSet.disable" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.guestDnDVersionSet.disable" -value $true
Negative Functional Impact: Some automated tools and processes may cease to function
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html
Host Profile: N/A
Guideline ID: disable-unnecessary-functions
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Guest
Title: Disable unnecessary or superfluous functions inside VMs.
Description: By disabling unnecessary system components that are not needed to support the application or service running on the system, you reduce the number of parts that can be attacked. VMs often don't require as many services or functions as ordinary physical servers, so when virtualizing you should evaluate whether a particular service or function is truly needed. Any service running in a VM provides a potential avenue of attack.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Some of these steps include:
    1. Disable unused services in the operating system. For example, if the system runs a file server, make sure to turn off any Web services.
    2. Disconnect unused physical devices, such as CD/DVD drives, floppy drives, and USB adaptors. This is described in the "Removing Unnecessary Hardware Devices" section in the ESXi Configuration Guide.
    3. Turn off any screen savers. If using a Linux, BSD, or Solaris guest operating system, do not run the X Window system unless it is necessary.
Configuration Type / Parameter / Desired Value / Action / Is Desired Value the Default / Parameter Reference: N/A
ESXi Shell Assessment / Remediation: N/A
vCLI Assessment / Remediation: N/A
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6BFA8CA7-610F-4E6B-9FC6-D656917B7E7A.html
Host Profile: N/A
Guideline ID: disable-vix-messages
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Tools
Title: Disable VIX messages from the VM
Description: The VIX API is a library for writing scripts and programs to manipulate virtual machines. If you do not make use of custom VIX programming in your environment, then you should consider disabling certain features to reduce the potential for vulnerabilities. The ability to send messages from the VM to the host is one of these features. Note that disabling this feature does NOT adversely affect the functioning of VIX operations that originate outside the guest, so certain VMware and 3rd-party solutions that rely upon this capability should continue to work. This is a deprecated interface. Enabling this setting is for Profile 1 only, to ensure that any deprecated interface is turned off for audit purposes.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that isolation.tools.vixMessage.disable is set to TRUE
Configuration Type: VMX
Parameter: isolation.tools.vixMessage.disable
Desired Value: TRUE
Action: Add
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "isolation.tools.vixMessage.disable" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.vixMessage.disable
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.vixMessage.disable" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.vixMessage.disable" -value $true
Negative Functional Impact: Guest will no longer be able to send messages via the VIX API
Host Profile: N/A
disable"-value$true","GuestwillnolongerbeabletosendmessagesviaVIXAPI",,"N/A""disconnect-devices-floppy","vSphere",5.
5,"VirtualMachines","Device","Disconnectunauthorizeddevices","Ensurethatnodeviceisconnectedtoavirtualmachineifitisnotrequired.
Forexample,serialandparallelportsarerarelyusedforvirtualmachinesinadatacenterenvironment,andCD/DVDdrivesareusuallyconnectedonlytemporarilyduringsoftwareinstallation.
Forlesscommonlyuseddevicesthatarenotrequired,eithertheparametershouldnotbepresentoritsvaluemustbeFALSE.
NOTE:Theparameterslistedarenotsufficienttoensurethatadeviceisusable;otherrequiredparametersspecifyhoweachdeviceisinstantiated.
Anyenabledorconnecteddevicerepresentsapotentialattackchannel.
","1,2","Parameter","EnsurethatthefollowingparameterisNOTpresentorissettoFALSE,unlessFloppydrivesarerequired:floppyX.
present","VMX","floppyX.
present","notpresentorFALSE","remove,modify","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
vm.
device.
VirtualDevice.
html","grep-i"^floppy[0-9]*.
present"[VMX]","N/A","1.
vifs--server[SERVER]--username[USERNAME]--password[PASSWORD]-g"[DATASTORE]VM/VM.
vmx"VM.
vmx2.
grep-i"^floppy[0-9]*.
present"[VMX]","N/A","#CheckforFloppyDevicesattachedtoVMsGet-VM|Get-FloppyDrive|SelectParent,Name,ConnectionState","#RemoveallFloppydrivesattachedtoVMsGet-VM|Get-FloppyDrive|Remove-FloppyDrive","Virtualmachinewillneedtobepoweredofftoreversechangeifanyofthesedevicesareneededatalatertime.
","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-822B2ED3-D8D2-4F57-8335-CA46E915A729.
html","N/A""disconnect-devices-ide","vSphere",5.
5,"VirtualMachines","Device","Disconnectunauthorizeddevices","Ensurethatnodeviceisconnectedtoavirtualmachineifitisnotrequired.
Forexample,serialandparallelportsarerarelyusedforvirtualmachinesinadatacenterenvironment,andCD/DVDdrivesareusuallyconnectedonlytemporarilyduringsoftwareinstallation.
Forlesscommonlyuseddevicesthatarenotrequired,eithertheparametershouldnotbepresentoritsvaluemustbeFALSE.
NOTE:Theparameterslistedarenotsufficienttoensurethatadeviceisusable;otherrequiredparametersspecifyhoweachdeviceisinstantiated.
Anyenabledorconnecteddevicerepresentsapotentialattackchannel.
","1,2","Parameter","EnsurethatthefollowingparameterisNOTpresentorissettoFALSE,unlessCD-ROMisrequired:ideX:Y.
present","VMX","ideX:Y.
present","notpresentorFALSE","remove,modify","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
vm.
device.
VirtualDevice.
html","grep-i"^ide[0-9]*.
present"[VMX]","N/A","1.
vifs--server[SERVER]--username[USERNAME]--password[PASSWORD]-g"[DATASTORE]VM/VM.
vmx"VM.
vmx2.
grep-i"^ide[0-9]*.
present"[VMX]","N/A","#CheckforCD/DVDDrivesattachedtoVMsGet-VM|Get-CDDrive","#RemoveallCD/DVDDrivesattachedtoVMsGet-VM|Get-CDDrive|Remove-CDDrive","Virtualmachinewillneedtobepoweredofftoreversechangeifanyofthesedevicesareneededatalatertime.
","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-822B2ED3-D8D2-4F57-8335-CA46E915A729.
html","N/A""disconnect-devices-parallel","vSphere",5.
5,"VirtualMachines","Device","Disconnectunauthorizeddevices","Ensurethatnodeviceisconnectedtoavirtualmachineifitisnotrequired.
Forexample,serialandparallelportsarerarelyusedforvirtualmachinesinadatacenterenvironment,andCD/DVDdrivesareusuallyconnectedonlytemporarilyduringsoftwareinstallation.
Forlesscommonlyuseddevicesthatarenotrequired,eithertheparametershouldnotbepresentoritsvaluemustbeFALSE.
NOTE:Theparameterslistedarenotsufficienttoensurethatadeviceisusable;otherrequiredparametersspecifyhoweachdeviceisinstantiated.
Anyenabledorconnecteddevicerepresentsapotentialattackchannel.
","1,2","Parameter","EnsurethatthefollowingparameterisNOTpresentorissettoFALSE,unlessParallelportsarerequired:parallelX.
present","VMX","parallelX.
present","notpresentorFALSE","remove,modify","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
vm.
device.
VirtualDevice.
html","grep-i"^parallel[0-9]*.
present"[VMX]","N/A","1.
vifs--server[SERVER]--username[USERNAME]--password[PASSWORD]-g"[DATASTORE]VM/VM.
vmx"VM.
vmx2.
grep-i"^parallel[0-9]*.
present"[VMX]","N/A","#InthisExampleyouwillneedtoaddthefunctionsfromthispost:http://blogs.
vmware.
com/vipowershell/2012/05/working-with-vm-devices-in-powercli.
html#CheckforParallelportsattachedtoVMsGet-VM|Get-ParallelPort","#InthisExampleyouwillneedtoaddthefunctionsfromthispost:http://blogs.
vmware.
com/vipowershell/2012/05/working-with-vm-devices-in-powercli.
html#RemoveallParallelPortsattachedtoVMsGet-VM|Get-ParallelPort|Remove-ParallelPort","Virtualmachinewillneedtobepoweredofftoreversechangeifanyofthesedevicesareneededatalatertime.
","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-822B2ED3-D8D2-4F57-8335-CA46E915A729.
html","N/A""disconnect-devices-serial","vSphere",5.
5,"VirtualMachines","Device","Disconnectunauthorizeddevices","Ensurethatnodeviceisconnectedtoavirtualmachineifitisnotrequired.
Forexample,serialandparallelportsarerarelyusedforvirtualmachinesinadatacenterenvironment,andCD/DVDdrivesareusuallyconnectedonlytemporarilyduringsoftwareinstallation.
Forlesscommonlyuseddevicesthatarenotrequired,eithertheparametershouldnotbepresentoritsvaluemustbeFALSE.
NOTE:Theparameterslistedarenotsufficienttoensurethatadeviceisusable;otherrequiredparametersspecifyhoweachdeviceisinstantiated.
Anyenabledorconnecteddevicerepresentsapotentialattackchannel.
","1,2","Parameter","EnsurethatthefollowingparameterisNOTpresentorissettoFALSE,unlessSerialportsarerequired:serialX.
present","VMX","serialX.
present","notpresentorFALSE","remove,modify","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
vm.
device.
VirtualDevice.
html","grep-i"^serial[0-9]*.
present"[VMX]","N/A","1.
vifs--server[SERVER]--username[USERNAME]--password[PASSWORD]-g"[DATASTORE]VM/VM.
vmx"VM.
vmx2.
grep-i"^floppy[0-9]*.
present"[VMX]","N/A","#InthisExampleyouwillneedtoaddthefunctionsfromthispost:http://blogs.
vmware.
com/vipowershell/2012/05/working-with-vm-devices-in-powercli.
html#CheckforSerialportsattachedtoVMsGet-VM|Get-SerialPort","#InthisExampleyouwillneedtoaddthefunctionsfromthispost:http://blogs.
vmware.
com/vipowershell/2012/05/working-with-vm-devices-in-powercli.
html#RemoveallSerialPortsattachedtoVMsGet-VM|Get-SerialPort|Remove-SerialPort","Virtualmachinewillneedtobepoweredofftoreversechangeifanyofthesedevicesareneededatalatertime.
","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-822B2ED3-D8D2-4F57-8335-CA46E915A729.
html","N/A""disconnect-devices-usb","vSphere",5.
5,"VirtualMachines","Device","Disconnectunauthorizeddevices","Ensurethatnodeviceisconnectedtoavirtualmachineifitisnotrequired.
Forexample,serialandparallelportsarerarelyusedforvirtualmachinesinadatacenterenvironment,andCD/DVDdrivesareusuallyconnectedonlytemporarilyduringsoftwareinstallation.
Forlesscommonlyuseddevicesthatarenotrequired,eithertheparametershouldnotbepresentoritsvaluemustbeFALSE.
NOTE:Theparameterslistedarenotsufficienttoensurethatadeviceisusable;otherrequiredparametersspecifyhoweachdeviceisinstantiated.
Anyenabledorconnecteddevicerepresentsapotentialattackchannel.
","1,2","Parameter","EnsurethatthefollowingparameterisNOTpresentorissettoFALSE,unlessUSBcontrollersarerequired:usb.
present","VMX","usb.
present","notpresentorFALSE","remove,modify","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
vm.
device.
VirtualDevice.
html","grep-i"^usb[0-9]*.
present"[VMX]","N/A","1.
vifs--server[SERVER]--username[USERNAME]--password[PASSWORD]-g"[DATASTORE]VM/VM.
vmx"VM.
vmx2.
grep-i"^usb[0-9]*.
present"[VMX]","N/A","#CheckforUSBDevicesattachedtoVMsGet-VM|Get-USBDevice","#RemoveallUSBDevicesattachedtoVMsGet-VM|Get-USBDevice|Remove-USBDevice","Virtualmachinewillneedtobepoweredofftoreversechangeifanyofthesedevicesareneededatalatertime.
","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-822B2ED3-D8D2-4F57-8335-CA46E915A729.
Guideline ID: limit-console-connections-one
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Communication
Title: Limit sharing of console connections
Description: By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a non-administrator in the VM can connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a virtual machine. For example, if a jump box is being used for an open console session, and the admin loses connection to that box, then the console session remains open. Allowing two console sessions permits debugging via a shared session. For highest security, only one remote console session at a time should be allowed.
Risk Profile: 1,2
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that RemoteDisplay.maxConnections is set to 1
Configuration Type: VMX
Parameter: RemoteDisplay.maxConnections
Desired Value: 1
Action: modify
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "RemoteDisplay.maxConnections" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo RemoteDisplay.maxConnections
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "RemoteDisplay.maxConnections" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "RemoteDisplay.maxConnections" -value 1
Negative Functional Impact: Only one remote console connection to the VM will be permitted. Other attempts will be rejected until the first session disconnects.
Host Profile: N/A

Guideline ID: limit-console-connections-two
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Communication
Title: Limit sharing of console connections
Description: By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a non-administrator in the VM might connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a virtual machine. For example, if a jump box is being used for an open console session, and the admin loses connection to that box, then the console session remains open. Allowing two console sessions permits debugging via a shared session. For highest security, only one remote console session at a time should be allowed.
Risk Profile: 3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that RemoteDisplay.maxConnections is set to 2
Configuration Type: VMX
Parameter: RemoteDisplay.maxConnections
Desired Value: 2
Action: modify
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "RemoteDisplay.maxConnections" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo RemoteDisplay.maxConnections
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "RemoteDisplay.maxConnections" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "RemoteDisplay.maxConnections" -value 2
Negative Functional Impact: Only two remote console connections to the VM will be permitted. Other attempts will be rejected until one session disconnects. This still allows sharing but keeps the number of connections limited.
Host Profile: N/A
Guideline ID: limit-log-number
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Tools
Title: Limit VM logging
Description: You can use log settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. You can ensure that new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. You should not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastore being filled.
Risk Profile: 2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that log.keepOld is set to 10
Configuration Type: VMX
Parameter: log.keepOld
Desired Value: 10
Action: Add
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "log.keepOld" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo log.keepOld
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "log.keepOld" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "log.keepOld" -value "10"
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-F465D340-6556-49E8-B137-C0B4A060E83B.html
Host Profile: N/A

Guideline ID: limit-log-size
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Tools
Title: Limit VM logging
Description: You can use log settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. You can ensure that new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. You should not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastore being filled.
Risk Profile: 2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that log.rotateSize is set to 100000
Configuration Type: VMX
Parameter: log.rotateSize
Desired Value: 100000
Action: Add
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "log.rotateSize" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo log.rotateSize
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "log.rotateSize" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "log.rotateSize" -value "100000"
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-F465D340-6556-49E8-B137-C0B4A060E83B.html
Host Profile: N/A
Guideline ID: limit-setinfo-size
Product / Version: vSphere 5.5
Component: Virtual Machines
Subcomponent: Communication
Title: Limit informational messages from the VM to the VMX file.
Description: The configuration file containing these name-value pairs is limited to a size of 1MB. This 1MB capacity should be sufficient for most cases, but you can change this value if necessary. You might increase this value if large amounts of custom information are being stored in the configuration file. The default limit is 1MB; this limit is applied even when the sizeLimit parameter is not listed in the .vmx file. Uncontrolled size for the VMX file can lead to denial of service if the datastore is filled.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration settings and verify that tools.setInfo.sizeLimit is set to 1048576
Configuration Type: VMX
Parameter: tools.setInfo.sizeLimit
Desired Value: 1048576
Action: Add or Modify
Is Desired Value the Default: NO
Parameter Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Assessment: grep -i "tools.setInfo.sizeLimit" [VMX]
ESXi Shell Remediation: N/A
vCLI Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo tools.setInfo.sizeLimit
vCLI Remediation: N/A
PowerCLI Assessment: # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "tools.setInfo.sizeLimit" | Select Entity, Name, Value
PowerCLI Remediation: # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "tools.setInfo.sizeLimit" -value 1048576
Host Profile: N/A
sizeLimit"-value1048576",,,"N/A""minimize-console-use","vSphere",5.
5,"VirtualMachines","Guest","MinimizeuseoftheVMconsole.
","TheVMconsoleenablesyoutoconnecttotheconsoleofavirtualmachine,ineffectseeingwhatamonitoronaphysicalserverwouldshow.
TheVMconsolealsoprovidespowermanagementandremovabledeviceconnectivitycontrols,whichmightpotentiallyallowamalicioususertobringdownavirtualmachine.
","1,2,3","Operational","InsteadofVMconsole,usenativeremotemanagementservices,suchasterminalservicesandssh,tointeractwithvirtualmachines.
GrantVMconsoleaccessonlywhennecessary.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A",,"N/A",,,,"http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-1D0C095D-0552-42B5-8F01-60ECFFF15833.
htmlMoreinformationoncheckingforConsoleAccessinthevCentereventlogcanbefoundhere:http://pubs.
vmware.
com/vsphere-55/index.
jsptopic=%2Fcom.
vmware.
wssdk.
apiref.
doc%2Fvim.
event.
VmRemoteConsoleConnectedEvent.
htmlhttp://pubs.
vmware.
com/vsphere-55/index.
jsptopic=%2Fcom.
vmware.
wssdk.
apiref.
doc%2Fvim.
event.
VmRemoteConsoleDisconnectedEvent.
html","N/A""prevent-device-interaction-connect","vSphere",5.
5,"VirtualMachines","Device","Preventunauthorizedremoval,connectionandmodificationofdevices.
","Inavirtualmachine,usersandprocesseswithoutrootoradministratorprivilegescanconnectordisconnectdevices,suchasnetworkadaptorsandCD-ROMdrives,andcanmodifydevicesettings.
Usethevirtualmachinesettingseditororconfigurationeditortoremoveunneededorunusedhardwaredevices.
Ifyouwanttousethedeviceagain,youcanpreventauserorrunningprocessinthevirtualmachinefromconnecting,disconnecting,ormodifyingadevicefromwithintheguestoperatingsystem.
Bydefault,arogueuserwithnonadministratorprivilegesinavirtualmachinecan:-ConnectadisconnectedCD-ROMdriveandaccesssensitiveinformationonthemedialeftinthedrive-Disconnectanetworkadaptortoisolatethevirtualmachinefromitsnetwork,whichisadenialofservice-Modifysettingsonadevice","1,2,3","Parameter","Checkvirtualmachineconfigurationsettingsandverifythatisolation.
device.
connectable.
disableissettoTRUE","VMX","isolation.
device.
connectable.
disable",TRUE,"Modify","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionValue.
html","grep-i"isolation.
device.
connectable.
disable"[VMX]","N/A","vmware-cmd--server[SERVER]--username[USERNAME]--password[PASSWORD]/vmfs/volumes/[DATASTORE]/[VM]/[VM].
vmxgetguestinfoisolation.
device.
connectable.
disable","N/A","#ListtheVMsandtheircurrentsettingsGet-VM|Get-AdvancedSetting-Name"isolation.
device.
connectable.
disable"|SelectEntity,Name,Value","#AddthesettingtoallVMsGet-VM|New-AdvancedSetting-Name"isolation.
device.
connectable.
disable"-value$true","DeviceinteractionisblockedinsidetheguestOSusingVMwaretools","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-F88A5FED-552B-44F9-A168-C62D9306DBD6.
html","N/A""prevent-device-interaction-edit","vSphere",5.
5,"VirtualMachines","Device","Preventunauthorizedremoval,connectionandmodificationofdevices.
","Inavirtualmachine,usersandprocesseswithoutrootoradministratorprivilegescanconnectordisconnectdevices,suchasnetworkadaptorsandCD-ROMdrives,andcanmodifydevicesettings.
Usethevirtualmachinesettingseditororconfigurationeditortoremoveunneededorunusedhardwaredevices.
Ifyouwanttousethedeviceagain,youcanpreventauserorrunningprocessinthevirtualmachinefromconnecting,disconnecting,ormodifyingadevicefromwithintheguestoperatingsystem.
Bydefault,arogueuserwithnonadministratorprivilegesinavirtualmachinecan:-ConnectadisconnectedCD-ROMdriveandaccesssensitiveinformationonthemedialeftinthedrive-Disconnectanetworkadaptortoisolatethevirtualmachinefromitsnetwork,whichisadenialofservice-Modifysettingsonadevice","1,2,3","Parameter","Checkvirtualmachineconfigurationsettingsandverifythatisolation.
device.
edit.
disableissettoTRUE","VMX","isolation.
device.
edit.
disable",TRUE,"Modify","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionValue.
html","grep-i"isolation.
device.
edit.
disable"[VMX]","N/A","vmware-cmd--server[SERVER]--username[USERNAME]--password[PASSWORD]/vmfs/volumes/[DATASTORE]/[VM]/[VM].
vmxgetguestinfoisolation.
device.
edit.
disable","N/A","#ListtheVMsandtheircurrentsettingsGet-VM|Get-AdvancedSetting-Name"isolation.
device.
edit.
disable"|SelectEntity,Name,Value","#AddthesettingtoallVMsGet-VM|New-AdvancedSetting-Name"isolation.
device.
edit.
disable"-value$true","DeviceinteractionisblockedinsidetheguestOSusingVMwaretools","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-F88A5FED-552B-44F9-A168-C62D9306DBD6.
html","N/A""restrict-host-info","vSphere",5.
5,"VirtualMachines","Tools","Donotsendhostinformationtoguests.
","ByenablingaVMtogetdetailedinformationaboutthephysicalhost,anadversarycouldpotentiallyusethisinformationtoinformfurtherattacksonthehost.
IfsettoTRUEaVMcanobtaindetailedinformationaboutthephysicalhost.
ThedefaultvaluefortheparameterisFALSE.
ThissettingshouldnotbeTRUEunlessaparticularVMrequiresthisinformationforperformancemonitoring.
","1,2","Parameter","Checkvirtualmachineconfigurationsettingsandverifythattools.
guestlib.
enableHostInfoissettoFALSE","VMX","tools.
guestlib.
enableHostInfo",FALSE,"Modify","YES","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionValue.
html","grep-i"tools.
guestlib.
enableHostInfo"[VMX]","N/A","vmware-cmd--server[SERVER]--username[USERNAME]--password[PASSWORD]/vmfs/volumes/[DATASTORE]/[VM]/[VM].
vmxgetguestinfotools.
guestlib.
enableHostInfo","N/A","#ListtheVMsandtheircurrentsettingsGet-VM|Get-AdvancedSetting-Name"tools.
guestlib.
enableHostInfo"|SelectEntity,Name,Value","#AddthesettingtoallVMsGet-VM|New-AdvancedSetting-Name"tools.
guestlib.
enableHostInfo"-value$false","Unabletoretrieveperformanceinformationaboutthehostfrominsidetheguest,therearetimeswhenthiscanbeusefulfortroubleshooting.
","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-2CF880DA-2435-4201-9AFB-A16A11951A2D.
html","N/A""secure-guest-os","vSphere",5.
5,"VirtualMachines","Guest","Securevirtualmachinesasyouwouldsecurephysicalmachines.
","Akeytounderstandingthesecurityrequirementsofavirtualizedenvironmentistherecognitionthatavirtualmachineis,inmostrespects,theequivalentofaphysicalserver.
Therefore,itiscriticalthatyouemploythesamesecuritymeasuresinvirtualmachinesthatyouwouldforphysicalservers.
Theguestoperatingsystemthatrunsinthevirtualmachineissubjecttothesamesecurityrisksasaphysicalsystem.
","1,2,3","Operational","Ensurethatantivirus,antispyware,intrusiondetection,andotherprotectionareenabledforeveryvirtualmachineinyourvirtualinfrastructure.
Makesuretokeepallsecuritymeasuresup-to-date,includingapplyingappropriatepatches.
Itisespeciallyimportanttokeeptrackofupdatesfordormantvirtualmachinesthatarepoweredoff,becauseitcanbeeasytooverlookthem.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A",,,,"http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-CF45F448-2036-4BE3-8829-4A9335072349.
html","N/A""use-secure-serial-communication","vSphere",5.
5,"VirtualMachines","Guest","Usesecureprotocolsforvirtualserialportaccess.
","Serialportsareinterfacesforconnectingperipheralstothevirtualmachine.
Theyareoftenusedonphysicalsystemstoprovideadirect,low-levelconnectiontotheconsoleofaserver,andavirtualserialportallowsforthesameaccesstoavirtualmachine.
Serialportsallowforlow-levelaccess,whichoftendoesnothavestrongcontrolslikeloggingorprivileges.
","1,2,3","Operational","UseasecureprotocollikeTelnets(TelnetwithSSL)asopposedtoTelnettoaccessvirtualserialports.
",,"N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A",,,,"http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
vm_admin.
doc/GUID-462B8B04-29DF-406B-9585-12D2588A6A48.
html","N/A""use-vm-templates","vSphere",5.
5,"VirtualMachines","Guest","UsetemplatestodeployVMswheneverpossible.
","Bycapturingahardenedbaseoperatingsystemimage(withnoapplicationsinstalled)inatemplate,youcanensurethatallyourvirtualmachinesarecreatedwithaknownbaselinelevelofsecurity.
Youcanthenusethistemplatetocreateother,application-specifictemplates,oryoucanusetheapplicationtemplatetodeployvirtualmachines.
ManualinstallationoftheOSandapplicationsintoaVMintroducestheriskofmisconfigurationduetohumanorprocesserror.
","1,2,3","Operational","ProvidetemplatesforVMcreationthatcontainhardened,patched,andproperlyconfiguredOSdeployments.
Ifpossible,predeployapplicationsintemplatesaswell,althoughcareshouldbetakenthattheapplicationdoesn'tdependuponVM-specificinformationtobedeployed.
InvSphere,youcanconvertatemplatetoavirtualmachineandbackagainquickly,whichmakesupdatingtemplatesquiteeasy.
VMwareUpdateManageralsoprovidestheabilitytoautomaticallypatchtheoperatingsystemandcertainapplicationsinatemplate,therebyensuringthattheyremainuptodate.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A",,,,"http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-3399BC47-45E8-494B-9B57-E498DD294A47.
html","N/A""verify-network-filter","vSphere",5.
5,"VirtualMachines","Monitor","ControlaccesstoVMsthroughthedvfilternetworkAPIs.
","AnattackermightcompromiseaVMbymakingusethedvFilterAPI.
ConfigureonlythoseVMstousetheAPIthatneedthisaccess.
","1,2,3","Parameter","IfaVMisnotsupposedtobeprotectedbyaproductusingthedvfilterAPI,ensurethatthefollowingisnotpresentinitsVMXfile:ethernet0.
filter1.
name=dv-filter1where"ethernet0"isthenetworkadaptorinterfaceofthevirtualmachinethatistobeprotected,"filter1"isthenumberofthefilterthatisbeingused,and"dv-filter1"isthenameoftheparticulardatapathkernelmodulethatisprotectingtheVM.
IftheVMissupposedtobeprotected,ensurethatthenameofthedatapathkernelissetcorrectly.
","VMX","ethernetn.
filtern.
name=filtername","undefinedunlessusingdvfilter","modifyorremove","YES","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionValue.
html","grep-i"^ethernet[0-9]*.
filter[0-9]*.
name"[VMX]","N/A","1.
vifs--server[SERVER]--username[USERNAME]--password[PASSWORD]-g"[DATASTORE]VM/VM.
vmx"VM.
vmx2.
grep-i"^ethernet[0-9]*.
filter[0-9]*.
name"[VMX]","N/A","#ListtheVMsandtheircurrentsettingsGet-VM|Get-AdvancedSetting-Name"ethernetn.
filtern.
name*"|SelectEntity,Name,Value",,"incorrectlyconfiguringthisoptioncannegativelyimpactfunctionalityoftoolsthatusevmsafeAPI.
","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-CD0783C9-1734-4B9A-B821-ED17A77B0206.
html","N/A""verify-vmsafe-cpumem-agentaddress","vSphere",5.
5,"VirtualMachines","Monitor","ControlaccesstoVMsthroughVMsafeCPU/memoryAPIs.
","TheVMsafeCPU/memoryAPIallowsasecurityvirtualmachinetoinspectandmodifythecontentsofthememoryandCPUregistersonotherVMs,forthepurposeofdetectingandpreventingmalwareattacks.
However,anattackermightcompromisetheVMbymakinguseofthisintrospectionchannel;thereforeyoushouldmonitorforunauthorizedusageofthisAPI.
AVMmustbeconfiguredexplicitlytoacceptaccessbytheVMsafeCPU/memoryAPI.
Thisinvolvesthreeparameters:onetoenabletheAPI,onetosettheIPaddressusedbythesecurityvirtualapplianceontheintrospectionvSwitch,andonetosettheportnumberforthatIPaddress.
IftheVMisbeingprotectedbysuchaproduct,thenmakesurethelattertwoparametersaresetcorrectly.
ThisshouldbedoneonlyforspecificVMsforwhichyouwantthisprotection.
","1,2,3","Parameter","IftheVMisnotbeingprotectedbyaVMsafeCPU/memoryproduct,thenCheckvirtualmachineconfigurationsettingsandverifythatvmsafe.
agentAddressisnotpresent.
IfitisbeingprotectbyaVMsafeCPU/Memoryproduct,makesurethisissettothecorrectvalue","VMX","vmsafe.
agentAddress","notpresent,orsite-specific","modifyorremove","YES","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionValue.
html","grep-ivmsafe.
agentAddress[VMX]","N/A","vmware-cmd--server[SERVER]--username[USERNAME]--password[PASSWORD]/vmfs/volumes/[DATASTORE]/[VM]/[VM].
vmxgetguestinfovmsafe.
agentAddress","N/A","#ListtheVMsandtheircurrentsettingsGet-VM|Get-AdvancedSetting-Name"vmsafe.
agentAddress"|SelectEntity,Name,Value",,"incorrectlyconfiguringthisoptioncannegativelyimpactfunctionalityoftoolsthatusevmsafeAPI.
",,"N/A""verify-vmsafe-cpumem-agentport","vSphere",5.
5,"VirtualMachines","Monitor","ControlaccesstoVMsthroughVMsafeCPU/memoryAPIs.
","TheVMsafeCPU/memoryAPIallowsasecurityvirtualmachinetoinspectandmodifythecontentsofthememoryandCPUregistersonotherVMs,forthepurposeofdetectingandpreventingmalwareattacks.
However,anattackermightcompromisetheVMbymakinguseofthisintrospectionchannel;thereforeyoushouldmonitorforunauthorizedusageofthisAPI.
AVMmustbeconfiguredexplicitlytoacceptaccessbytheVMsafeCPU/memoryAPI.
Thisinvolvesthreeparameters:onetoenabletheAPI,onetosettheIPaddressusedbythesecurityvirtualapplianceontheintrospectionvSwitch,andonetosettheportnumberforthatIPaddress.
IftheVMisbeingprotectedbysuchaproduct,thenmakesurethelattertwoparametersaresetcorrectly.
ThisshouldbedoneonlyforspecificVMsforwhichyouwantthisprotection.
","1,2,3","Parameter","IftheVMisnotbeingprotectedbyaVMsafeCPU/memoryproduct,thenCheckvirtualmachineconfigurationsettingsandverifythatvmsafe.
agentPortisnotpresent.
IfitisbeingprotectbyaVMsafeCPU/Memoryproduct,makesurethisissettothecorrectvalue","VMX","vmsafe.
agentPort","notpresent,orsite-specific","modifyorremove","YES","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionValue.
html","grep-ivmsafe.
agentPort[VMX]","N/A","vmware-cmd--server[SERVER]--username[USERNAME]--password[PASSWORD]/vmfs/volumes/[DATASTORE]/[VM]/[VM].
vmxgetguestinfovmsafe.
agentPort","N/A","#ListtheVMsandtheircurrentsettingsGet-VM|Get-AdvancedSetting-Name"vmsafe.
agentPort"|SelectEntity,Name,Value",,"incorrectlyconfiguringthisoptioncannegativelyimpactfunctionalityoftoolsthatusevmsafeAPI.
",,"N/A""verify-vmsafe-cpumem-enable","vSphere",5.
5,"VirtualMachines","Monitor","ControlaccesstoVMsthroughVMsafeCPU/memoryAPIs.
","TheVMsafeCPU/memoryAPIallowsasecurityvirtualmachinetoinspectandmodifythecontentsofthememoryandCPUregistersonotherVMs,forthepurposeofdetectingandpreventingmalwareattacks.
However,anattackermightcompromisetheVMbymakinguseofthisintrospectionchannel;thereforeyoushouldmonitorforunauthorizedusageofthisAPI.
AVMmustbeconfiguredexplicitlytoacceptaccessbytheVMsafeCPU/memoryAPI.
Thisinvolvesthreeparameters:onetoenabletheAPI,onetosettheIPaddressusedbythesecurityvirtualapplianceontheintrospectionvSwitch,andonetosettheportnumberforthatIPaddress.
IftheVMisbeingprotectedbysuchaproduct,thenmakesurethelattertwoparametersaresetcorrectly.
ThisshouldbedoneonlyforspecificVMsforwhichyouwantthisprotection.
","1,2,3","Parameter","IftheVMisnotbeingprotectedbyaVMsafeCPU/memoryproduct,thenCheckvirtualmachineconfigurationsettingsandverifythatvmsafe.
enableiseithernotpresent,orsettoFALSE","VMX","vmsafe.
enable","FALSEornotpresent","modifyorremove","YES","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionValue.
html","grep-ivmsafe.
enable[VMX]","N/A","vmware-cmd--server[SERVER]--username[USERNAME]--password[PASSWORD]/vmfs/volumes/[DATASTORE]/[VM]/[VM].
vmxgetguestinfovmsafe.
enable","N/A","#ListtheVMsandtheircurrentsettingsGet-VM|Get-AdvancedSetting-Name"vmsafe.
enable"|SelectEntity,Name,Value",,"incorrectlyconfiguringthisoptioncannegativelyimpactfunctionalityoftoolsthatusevmsafeAPI.
",,"N/A""minimize-console-VNC-use","vSphere","5.
5","VirtualMachines","Monitor","ControlaccesstoVMconsoleviaVNCprotocol","TheVMconsoleenablesyoutoconnecttotheconsoleofavirtualmachine,ineffectseeingwhatamonitoronaphysicalserverwouldshow.
ThisconsoleisalsoavailabeviatheVNCprotocol.
SettingupthisaccessalsoinvolvessettingupfirewallrulesoneachESXiserverthevirtualmachinewillrunon.
","1,2,3","Parameter","InsteadofopeningupaccesstoaVNCsession,usenativeremotemanagementservices,suchasterminalservicesandssh,tointeractwithvirtualmachines.
GrantVNCaccessonlywhennecessary.
","VMX","RemoteDisplay.
vnc.
enabled","FALSEornotpresent","modifyorremove","YES","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionValue.
html","grep-i"RemoteDisplay.
vnc.
enabled"[VMX]","N/A","vmware-cmd--server[SERVER]--username[USERNAME]--password[PASSWORD]/vmfs/volumes/[DATASTORE]/[VM]/[VM].
vmxgetguestinfoRemoteDisplay.
vnc.
enabled","N/A","#ListtheVMsandtheircurrentsettingsGet-VM|Get-AdvancedSetting-Name"RemoteDisplay.
vnc.
enabled"|SelectEntity,Name,Value","#AddthesettingtoallVMsGet-VM|New-AdvancedSetting-Name"RemoteDisplay.
vnc.
enabled"-value$false","ConfiguringVMsettingsandopeningupthefirewallmeansmulitplestepstobeconfiguredandmonitored.
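Every VM guideline above (log.rotateSize, tools.setInfo.sizeLimit, isolation.device.connectable.disable, isolation.device.edit.disable, tools.guestlib.enableHostInfo, vmsafe.enable/agentAddress/agentPort, ethernetN.filterN.name and RemoteDisplay.vnc.enabled) reduces to reading a .vmx file and comparing keys, with the twist that some keys must be absent unless a security product is protecting that VM, and some have a safe default so absence also passes. The following script is an added example written for this page, not code from the VMware guide or from PowerCLI; it assumes only the standard `key = "value"` .vmx layout, the sample file is constructed, and the `dvfilter_protected` / `vmsafe_protected` switches are this example's own way of expressing the guide's "unless the VM is supposed to be protected" clauses.

```python
"""Audit a .vmx file against the virtual-machine parameter guidelines above.

Example code written for this page; not part of the VMware hardening guide.
The sample .vmx below is constructed, not taken from a real VM.
"""
import re
import sys

# Constructed sample .vmx: some guidelines met, some not, a dvfilter entry
# present and VNC left enabled, so that the checks have something to report.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
ethernet0.present = "TRUE"
ethernet0.filter1.name = "dv-filter1"
log.rotateSize = "100000"
isolation.device.connectable.disable = "TRUE"
RemoteDisplay.vnc.enabled = "true"
vmsafe.enable = "FALSE"
"""

# Parameters with a fixed desired value from the guidelines above.
#   equals          -> must be present and equal to the desired value
#   false_or_absent -> FALSE is the default, so absence also passes
FIXED = [
    ("log.rotateSize", "100000", "equals"),
    ("tools.setInfo.sizeLimit", "1048576", "equals"),
    ("isolation.device.connectable.disable", "TRUE", "equals"),
    ("isolation.device.edit.disable", "TRUE", "equals"),
    ("tools.guestlib.enableHostInfo", "FALSE", "false_or_absent"),
    ("RemoteDisplay.vnc.enabled", "FALSE", "false_or_absent"),
]

_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?(.*?)"?\s*$')
_DVFILTER = re.compile(r"^ethernet\d+\.filter\d+\.name$")


def parse_vmx(text):
    """Return {key: value} with keys lower-cased; VMX keys are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_vmx(settings, dvfilter_protected=False, vmsafe_protected=False):
    """Return a list of (parameter, actual_value, passed).

    The two flags say whether a dvfilter / VMsafe product is supposed to
    protect this VM: the related keys must be absent otherwise, and present
    (with site-specific values the script cannot judge) when it is.
    """
    get = lambda key: settings.get(key.lower())
    findings = []

    for param, desired, kind in FIXED:
        actual = get(param)
        if kind == "equals":
            ok = actual is not None and actual.lower() == desired.lower()
        else:
            ok = actual is None or actual.lower() == "false"
        findings.append((param, actual, ok))

    enable, addr, port = get("vmsafe.enable"), get("vmsafe.agentAddress"), get("vmsafe.agentPort")
    if vmsafe_protected:
        findings.append(("vmsafe.enable", enable, enable is not None and enable.lower() == "true"))
        findings.append(("vmsafe.agentAddress", addr, addr is not None))
        findings.append(("vmsafe.agentPort", port, port is not None))
    else:
        findings.append(("vmsafe.enable", enable, enable is None or enable.lower() == "false"))
        findings.append(("vmsafe.agentAddress", addr, addr is None))
        findings.append(("vmsafe.agentPort", port, port is None))

    # Any ethernetN.filterN.name key means a dvfilter datapath module is attached.
    filters = {k: v for k, v in settings.items() if _DVFILTER.match(k)}
    if dvfilter_protected:
        findings.append(("ethernetN.filterN.name", filters or None, bool(filters)))
    else:
        for key, value in sorted(filters.items()):
            findings.append((key, value, False))
    return findings


def failing(findings):
    """Parameters that did not meet the guideline."""
    return [param for param, _, ok in findings if not ok]


def remediation(findings):
    """.vmx lines to set (VM powered off) or keys to remove, one per failure."""
    desired = {param.lower(): value for param, value, _ in FIXED}
    lines = []
    for param, actual, ok in findings:
        if ok:
            continue
        if param.lower() in desired:
            lines.append('%s = "%s"' % (param, desired[param.lower()]))
        else:
            lines.append("# remove %s (currently %r)" % (param, actual))
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VMX
    results = audit_vmx(parse_vmx(text))
    for param, actual, ok in results:
        print("%-40s %-12s %s" % (param, actual, "ok" if ok else "FAIL"))
    print("\n".join(remediation(results)))
```

Run it as `python vmx_audit.py /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx` on a copy of the file. The remediation lines are what you would append to the .vmx with the VM powered off; on a live inventory use the guide's `New-AdvancedSetting` commands instead, which write the same keys through vCenter.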

ESXi guidelines. Fields: ID, Product, Version, Component, Subcomponent, Title, Vulnerability Discussion, Risk Profile, Control Type, Assessment Procedure, Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default, vSphere API, ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation, PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference, Able to set using Host Profile.

Guideline: apply-patches
Product/Version: vSphere 5.5
Component: ESXi
Subcomponent: Install
Title: Keep ESXi systems properly patched.
Vulnerability Discussion: By staying up to date on ESXi patches, vulnerabilities in the hypervisor can be mitigated. An educated attacker can exploit known vulnerabilities when attempting to attain access or elevate privileges on an ESXi host.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Employ a process to keep ESXi hosts up to date with patches in accordance with industry standards and internal guidelines. VMware Update Manager is an automated tool that can greatly assist with this. VMware also publishes advisories on security patches, and offers a way to subscribe to email alerts for them.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: N/A
Change Type: Update
Is desired value the default: N/A
vSphere API: N/A
ESXi Shell Command Assessment: # esxcli software profile get / # esxcli software vib get
ESXi Shell Command Remediation: # esxcli software profile update / # esxcli software vib update
vCLI Command Assessment: # esxcli software profile get / # esxcli software vib get
vCLI Command Remediation: # esxcli software profile update / # esxcli software vib update
PowerCLI Command Assessment: # VMware Update Manager PowerCLI cmdlets can be used to check this feature
PowerCLI Command Remediation: # VMware Update Manager PowerCLI cmdlets can be used to remediate this feature
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.update_manager.doc/GUID-EF6BEE4C-4583-4A8C-81B9-5B074CA2E272.html
Able to set using Host Profile: NO

Guideline: config-firewall-access
Product/Version: vSphere 5.5
Component: ESXi
Subcomponent: Communication
Title: Configure the ESXi host firewall to restrict access to services running on the host.
Vulnerability Discussion: Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: From the vSphere Web Client, select the host and go to "Manage" -> "Security Profile". In the "Firewall" section select "Edit...". For each enabled service (e.g. ssh, vSphere Web Access, http client) provide a range of allowed IP addresses.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: Site Specific
Change Type: Modify
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSystem.html
ESXi Shell Command Assessment:
  # List all services: ls /etc/init.d
  # Get service status: /etc/init.d/[SERVICE] status
  Note: these commands show which services are running, not who may reach them. The allowed-IP scope of each firewall ruleset is listed with "esxcli network firewall ruleset allowedip list", and narrowed with "esxcli network firewall ruleset set --ruleset-id [ID] --allowed-all false" followed by "esxcli network firewall ruleset allowedip add --ruleset-id [ID] --ip-address [CIDR]".
ESXi Shell Command Remediation: # /etc/init.d/[SERVICE] stop
vCLI Command Assessment: N/A
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List all services for a host
  Get-VMHost HOST1 | Get-VMHostService
  # List the services which are enabled and have rules defined for specific IP ranges to access the service
  Get-VMHost HOST1 | Get-VMHostFirewallException | Where {$_.Enabled -and (-not $_.ExtensionData.AllowedHosts.AllIP)}
  # List the services which are enabled and do not have rules defined for specific IP ranges to access the service
  Get-VMHost HOST1 | Get-VMHostFirewallException | Where {$_.Enabled -and ($_.ExtensionData.AllowedHosts.AllIP)}
PowerCLI Command Remediation: N/A
Negative Functional Impact: Only systems in the IP whitelist/ACL will be able to connect to services on the ESXi server.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-DD4322FF-3DC4-4716-8819-6688938F99D7.html
Able to set using Host Profile: YES

Guideline: config-ntp
Product/Version: vSphere 5.5
Component: ESXi
Subcomponent: Communication
Title: Configure NTP time synchronization.
Vulnerability Discussion: By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC), you can make it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: From the vSphere Web Client select the host, click "Manage" -> "Time Configuration" and click the "Edit..." button. Provide the name/IP of your NTP servers, start the NTP service and change the startup policy to "Start and stop with host". Notes: verify the NTP firewall ports are open. It is recommended to synchronize the ESXi clock with a time server that is located on the management network rather than directly with a time server on a public network. This time server can then synchronize with a public source through a strictly controlled network connection with a firewall.
Configuration File: /etc/ntp.conf
Configuration Parameter: N/A
Desired Value: Site Specific
Change Type: Modify
Is desired value the default: NO
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.DateTimeSystem.html
ESXi Shell Command Assessment: N/A
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: # vicfg-ntp --list
vCLI Command Remediation: # vicfg-ntp --add
PowerCLI Command Assessment:
  # List the NTP settings for all hosts
  Get-VMHost | Select Name, @{N="NTPSetting";E={$_ | Get-VMHostNtpServer}}
PowerCLI Command Remediation:
  # Set the NTP settings for all hosts
  $NTPServers = "pool.ntp.org", "pool2.ntp.org"
  Get-VMHost | Add-VmHostNtpServer $NTPServers
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-2553C86E-7981-4F79-B9FC-A6CECA52F6CC.html
Able to set using Host Profile: YES

Guideline: config-persistent-logs
Product/Version: vSphere 5.5
Component: ESXi
Subcomponent: Logging
Title: Configure persistent logging for all ESXi hosts.
Vulnerability Discussion: ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done only a single day's worth of logs is stored at any time; in addition, log files will be reinitialized upon each reboot. This presents a security risk as user activity logged on the host is only stored temporarily and will not persist across reboots. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Log on to the ESXi shell and run "ls -al /" to verify "/scratch" is not linked to "/tmp/scratch". If "/scratch" is linked to "/tmp/scratch", change it to a persistent datastore. First, identify the datastore path where you want to place scratch, then log in to the vSphere Web Client, navigate to the host and select "Manage" -> "Advanced System Settings", and enter "Syslog.global.LogDir" in the filter. Set "Syslog.global.LogDir" to the desired datastore path. Note: Syslog.global.LogDir must be set for each host. The host syslog parameters can also be configured via the vCLI or PowerCLI, or using an API client.
Configuration File: N/A
Configuration Parameter: Syslog.global.logDir
Desired Value: Site Specific
Change Type: Modify
Is desired value the default: When booting from a local disk, YES. When booting from USB/SD or when using Auto Deploy, NO.
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionManager.html
ESXi Shell Command Assessment: # esxcli system syslog config get
ESXi Shell Command Remediation: # esxcli system syslog config set --logdir=[PATH], then # esxcli system syslog reload to apply the change
vCLI Command Assessment: # esxcli system syslog config get
vCLI Command Remediation: # esxcli system syslog config set --logdir=[PATH], then # esxcli system syslog reload
PowerCLI Command Assessment:
  # List Syslog.global.logDir for each host
  Get-VMHost | Select Name, @{N="Syslog.global.logDir";E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logDir | Select -ExpandProperty Values}}
PowerCLI Command Remediation:
  # Set Syslog.global.logDir for each host
  Get-VMHost | Foreach {Set-VMHostAdvancedConfiguration -VMHost $_ -Name Syslog.global.logDir -Value "NewLocation"}
Reference: http://kb.vmware.com/kb/1033696 and http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html
Able to set using Host Profile: YES
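The assessment above combines two observations: where /scratch points (from "ls -al /") and what Syslog.global.logDir is set to ("[datastore] path"; an empty datastore name means a host-local path). The following script is an added example written for this page, not code from the VMware guide, that makes that decision for output collected from many hosts. The sample "ls -al /" listings are constructed, and the rule that anything under /vmfs/volumes/ is a persistent datastore while /tmp is the in-memory file system is this example's assumption.

```python
"""Decide whether an ESXi host's syslog location survives a reboot.

Example code written for this page, not part of the hardening guide. The
"ls -al /" samples below are constructed, not captured from a host.
"""
import re

# Constructed: /scratch on the ramdisk, the case the guideline warns about.
LS_ROOT_RAMDISK = """\
drwxr-xr-x    1 root     root           512 Jan  1 00:00 .
lrwxrwxrwx    1 root     root            49 Jan  1 00:00 bin -> /usr/lib/vmware/busybox/bin
lrwxrwxrwx    1 root     root            12 Jan  1 00:00 scratch -> /tmp/scratch
drwxrwxrwt    1 root     root           512 Jan  1 00:00 tmp
"""

# Constructed: /scratch pointing at a datastore's .locker directory.
LS_ROOT_DATASTORE = """\
drwxr-xr-x    1 root     root           512 Jan  1 00:00 .
lrwxrwxrwx    1 root     root            57 Jan  1 00:00 scratch -> /vmfs/volumes/52b3a1c0-1a2b3c4d-0000-000000000000/.locker
"""

_SYMLINK = re.compile(r"^l\S+\s.*?\s(\S+)\s->\s(\S+)\s*$")
_LOGDIR = re.compile(r"^\[(.*?)\]\s*(\S*)$")


def symlink_targets(ls_output):
    """Map symlink name -> target for every 'l...' entry in ls -al output."""
    targets = {}
    for line in ls_output.splitlines():
        m = _SYMLINK.match(line)
        if m:
            targets[m.group(1)] = m.group(2)
    return targets


def log_dir_is_persistent(log_dir, scratch_target):
    """Return (persistent, reason) for a Syslog.global.logDir value.

    Assumption (not stated by the guide): anything under /vmfs/volumes/ is a
    datastore and therefore persistent; /tmp is the in-memory file system.
    """
    m = _LOGDIR.match(log_dir.strip())
    if not m:
        return False, "unrecognised logDir value %r" % log_dir
    datastore, path = m.group(1).strip(), m.group(2)
    if datastore:
        return True, "logs written to datastore [%s]" % datastore
    if path.startswith("/scratch"):
        if scratch_target and scratch_target.startswith("/vmfs/volumes/"):
            return True, "/scratch resolves to %s" % scratch_target
        return False, "/scratch resolves to %s (ramdisk)" % (scratch_target or "unknown")
    if path.startswith("/vmfs/volumes/"):
        return True, "absolute datastore path %s" % path
    return False, "%s is not on a datastore" % path


def check_host(ls_output, log_dir):
    """Combine the two observations exactly as the assessment procedure does."""
    return log_dir_is_persistent(log_dir, symlink_targets(ls_output).get("scratch"))


def remediation_commands(log_dir):
    """ESXi shell commands that move logging to log_dir ("[datastore] path").

    esxcli takes a filesystem path, so the datastore name is mapped to its
    /vmfs/volumes/<name> symlink; the reload makes vmsyslogd pick it up.
    """
    m = _LOGDIR.match(log_dir.strip())
    if not m or not m.group(1).strip():
        raise ValueError("expected '[datastore] path', got %r" % log_dir)
    path = "/vmfs/volumes/%s/%s" % (m.group(1).strip(), m.group(2).lstrip("/"))
    return ["esxcli system syslog config set --logdir=%s" % path,
            "esxcli system syslog reload"]


if __name__ == "__main__":
    for listing, log_dir in ((LS_ROOT_RAMDISK, "[] /scratch/log"),
                             (LS_ROOT_DATASTORE, "[] /scratch/log"),
                             (LS_ROOT_RAMDISK, "[datastore1] /logs/esx01")):
        ok, why = check_host(listing, log_dir)
        print("%-28s %-4s %s" % (log_dir, "ok" if ok else "FAIL", why))
```

A host that fails here with the default "[] /scratch/log" is exactly the USB/SD or Auto Deploy case the guide calls out: the parameter looks untouched, yet the logs live on the ramdisk. Pair the check with a remote syslog target so that a reboot or a host compromise cannot erase the only copy.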
html","YES""config-snmp","vSphere",5.
5,"ESXI","Communication","EnsureproperSNMPconfiguration","IfSNMPisnotbeingused,itshouldremaindisabled.
Ifitisbeingused,thepropertrapdestinationshouldbeconfigured.
IfSNMPisnotproperlyconfigured,monitoringinformationcanbesenttoamalicioushostthatcanthenusethisinformationtoplananattack.
Note:ESXi5.
1andlatersupportsSNMPv3whichprovidesstrongersecuritythanSNMPv1orSNMPv2,includingkeyauthenticationandencryption.
","1,2,3","Parameter","FromtheESXiShellorvCLIrun"esxclisystemsnmpget"todetermineifSNMPisbeingused.
IfSNMPisnotbeingused,makesurethatitisdisabledbyrunning"esxclisystemsnmpset--enablefalse".
IfSNMPisbeingused,refertothevSphereMonitoringandPerformanceguide,chapter8forstepstoconfiguretherequiredparameters.
Notes:(1)SNMPmustbeconfiguredoneachESXihost.
(2)youcanalsosetSNMPsettingsusingHostProfiles.
","/etc/vmware/snmp.
xml","N/A","site-specific","Modify","N/A","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
host.
SnmpSystem.
html","#esxclisystemsnmpget","#ConfigureCommunityStringesxclisystemsnmpset--communities[COMMUNITY]#ConfigureSNMPTargetesxclisystemsnmpset--targets[TARGET]@[PORT]/[COMMUNITY]#EnableSNMPesxclisystemsnmpset--enabletrue","#esxclisystemsnmpget","#ConfigureCommunityStringesxclisystemsnmpset--communities[COMMUNITY]#ConfigureSNMPTargetesxclisystemsnmpset--targets[TARGET]@[PORT]/[COMMUNITY]#EnableSNMPesxclisystemsnmpset--enabletrue","#ListtheSNMPConfigurationofahost(singlehostconnectionrequired)Get-VMHost|Get-VMHostSnmp","#UpdatethehostSNMPConfiguration(singlehostconnectionrequired)Get-VmHostSNMP|Set-VMHostSNMP-Enabled:$true-ReadOnlyCommunity'secret'",,"http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
monitoring.
doc/GUID-8EF36D7D-59B6-4C74-B1AA-4A9D18AB6250.
html","YES""create-local-admin","vSphere",5.
5,"ESXi","Access","Createanon-rootuseraccountforlocaladminaccess","BydefaulteachESXihosthasasingle"root"adminaccountthatisusedforlocaladministrationandtoconnectthehosttovCenterServer.
Toavoidsharingacommonrootaccountitisrecommendedoneachhosttocreateatleastonenameduseraccountandassignitfulladminprivilegesandtousethisaccountinlieuofashared"root"account.
Setahighlycomplexpasswordforthe"root"accountandsecureitinasafelocation.
Limittheuseof"root"butdonotremovethe"root"account.
","1.
2.
3","Configuration","LocalESXiuseraccountscannotbecreatedusingthevSpherewebclient,youmustusethevSphereclient.
ConnectdirectlytotheESXihostusingthevSphereClient.
Loginasroot.
Selectthe"LocalUsers&Groups"tabandaddalocaluser,besuretograntshellaccesstothisuser.
Thenselectthe"Permissions"tabandassignthe"Administrator"roletotheuser.
RepeatthisforeachESXihosts.
Notes:(1)evenifyouaddyourESXihosttoanActiveDirectorydomainitisstillrecommendedtoaddatleastonelocaluseraccounttoensureadminscanstillloginintheeventthehosteverbecomesisolatedandunabletoaccessActiveDirectory.
(2)addinglocaluseraccountscanbeautomatedusingHostProfiles.
","N/A","N/A","N/A","N/A","NO","N/A","N/A","N/A","N/A","N/A","N/A",,,"http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
hostclient.
doc/GUID-670B9B8C-3810-4790-AC83-57142A9FE16F.
html","YES""disable-dcui","vSphere",5.
5,"ESXI","Console","DisableDCUItopreventlocaladministrativecontrol.
","TheDCUIallowsforlow-levelhostconfigurationsuchasconfiguringIPaddress,hostnameandrootpasswordaswellasdiagnosticcapabilitiessuchasenablingtheESXishell,viewinglogfiles,restartingagents,andresettingconfigurations.
ActionsperformedfromtheDCUIarenottrackedbyvCenterServer.
EvenifLockdownModeisenabled,userswhoaremembersoftheDCUI.
AccesslistcanperformadministrativetasksintheDCUIbypassingRBACandauditingcontrolsprovidedthroughvCenter.
DCUIaccesscanbedisabled.
DisablingitpreventsalllocalactivityandthusforcesactionstobeperformedinvCenterServerwheretheycanbecentrallyauditedandmonitored.
",1,"Parameter","FromthevSpherewebclientselectthehostandselect"Manage"->"SecurityProfile".
Scrolldownto"Services"andclick"Edit.
.
.
".
Select"DirectConsoleUI",click"Stop"andchangetheStartupPolicy"toStartandStopManually".
Note,considerusingLockdownmodetorestrictaccesstotheDCUIopposedtodisablingtheDCUI.
IftheDCUIisdisabledandthehostbecomesisolatedfromvCenteryoucouldbecomelockedout.
","N/A","N/A","Stopped","Modify","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
host.
ServiceSystem.
html","#chkconfig--listDCUI","#chkconfigDCUIoff","N/A","N/A","#ListDCUIsettingsforallhostsGet-VMHost|Get-VMHostService|Where{$_.
key-eq"DCUI"}","#SetDCUItostartmanuallyratherthanautomaticforallhostsGet-VMHost|Get-VMHostService|Where{$_.
key-eq"DCUI"}|Set-VMHostService-PolicyOff","DisablingtheDCUIcancreateapotential"lockout"situationshouldthehostbecomeisolatedfromvCenterServer.
Torecoverfroma"lockout"scenariorequiresre-installingESXi.
ConsiderleavingDCUIenabledandinsteadenablelockdownmodeandlimittheusersallowedtoaccesstheDCUIusingtheDCUI.
Accesslist.
","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-6779F098-48FE-4E22-B116-A8353D19FF56.
html","YES""disable-esxi-shell","vSphere",5.
5,"ESXI","Console","DisableESXiShellunlessneededfordiagnosticsortroubleshooting.
","ESXiShellisaninteractivecommandlineenvironmentavailablefromtheDCUIorremotelyviaSSH.
Accesstothismoderequirestherootpasswordoftheserver.
TheESXiShellcanbeturnedonandoffforindividualhosts.
ActivitiesperformedfromtheESXiShellbypassvCenterRBACandauditcontrols.
TheESXishellshouldonlybeturnedonwhenneededtotroubleshoot/resolveproblemsthatcannotbefixedthroughthevSphereclientorvCLI/PowerCLI.
","1,2,3","Parameter","FromtheDCUI:select"TroubleshootingOptions"fromthemainmenuandselect"EnableESXiShell".
FromthevSpherewebclientselectthehostandselect"Manage"->"SecurityProfile".
Scrolldownto"Services"andclick"Edit.
.
.
".
Select"ESXiShell",click"Stop"andchangetheStartupPolicy"toStartandStopManually".
.
Note:AhostwarningisdisplayedinthevSpherewebclientanytimetheESXiShellisenabledonahost.
IftheESXishelliseverenabledbesuretosettheESXiShellTimeOutandESXiShellInteractiveTimeOut.
","N/A","N/A","Stopped","Modify","YES","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
host.
ServiceSystem.
html","#chkconfig--listESXShell","#stopESXiShell:/etc/init.
d/ESXShellstop#disableESXiShell:chkconfigESXShelloff","N/A","N/A","#CheckifESXiShellisrunningandsettostartGet-VMHost|Get-VMHostService|Where{$_.
key-eq"TSM"}|SelectVMHost,Key,Label,Policy,Running,Required","#SetESXiShelltostartmanuallyratherthanautomaticforallhostsGet-VMHost|Get-VMHostService|Where{$_.
key-eq"TSM"}|Set-VMHostService-PolicyOff",,"http://kb.
vmware.
com/kb/2004746http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-B5144CE9-F8BB-494D-8F5D-0D5621D65DAE.
html","YES""disable-mob","vSphere",5.
5,"ESXI","Communication","DisableManagedObjectBrowser(MOB)","Themanagedobjectbrowser(MOB)providesawaytoexploretheobjectmodelusedbytheVMkerneltomanagethehost;itenablesconfigurationstobechangedaswell.
ThisinterfaceismeanttobeusedprimarilyfordebuggingthevSphereSDKbutbecausetherearenoaccesscontrolsitcouldalsobeusedasamethodobtaininformationaboutahostbeingtargetedforunauthorizedaccess.
","1,2,3","Parameter","TodetermineiftheMOBisenabledrunthefollowingcommandfromtheESXishell:"vim-cmdproxysvc/service_list".
TodisabletheMOBrun'vim-cmdproxysvc/remove_service"/mob""httpsWithRedirect"'.
Note:YoucannotdisabletheMOBwhileahostisinlockdownmode.
","N/A","N/A","RemoveService","Remove","NO","N/A","vim-cmdproxysvc/service_list","vim-cmdproxysvc/remove_service"/mob""httpsWithRedirect"","N/A","N/A","N/A","N/A","TheMOBwillnolongerbeavailablefordiagnostics.
Some3rdpartytoolsusethisinterfacetogatherinformation.
TestingshouldbedoneafterdisablingtheMOBtoverify3rdpartyapplicationsarestillfunctioningasexpected.
Tore-enabletheMOB:~#vim-cmdproxysvc/add_np_service"/mob"httpsWithRedirect/var/run/vmware/proxy-mob","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-0EF83EA7-277C-400B-B697-04BDC9173EA3.
Guideline ID: disable-ssh
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Console
Title: Disable SSH
Discussion: The ESXi Shell, when enabled, can be accessed directly from the host console through the DCUI or remotely using SSH. Remote access to the host should be limited to the vSphere Client, the remote command-line tools (vCLI/PowerCLI) and the published APIs. Under normal circumstances remote access to the host using SSH should be disabled.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: From the DCUI main menu select "Troubleshooting Options" -> "Disable ESXi SSH". From the vSphere Web Client select the host and select "Manage" -> "Security Profile". Scroll down to "Services" and click "Edit...". Select "SSH", click "Stop" and change the Startup Policy to "Start and Stop Manually". Notes: a host warning is displayed in the vSphere Web Client any time SSH is enabled on a host. If SSH is ever enabled, be sure to set the ESXiShellTimeOut and ESXiShellInteractiveTimeOut (see "set-shell-timeout" and "set-shell-interactive-timeout") so that an enabled service and idle sessions are terminated automatically.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: Stopped
Action: Modify
Desired Value Is Default: YES
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSystem.html
ESXi Shell Assessment: # chkconfig --list SSH
ESXi Shell Remediation:
# /etc/init.d/SSH stop
# chkconfig SSH off
vCLI Assessment: N/A
vCLI Remediation: N/A
PowerCLI Assessment:
# Check if SSH is running and set to start
Get-VMHost | Get-VMHostService | Where {$_.Key -eq "TSM-SSH"} | Select VMHost, Key, Label, Policy, Running, Required
PowerCLI Remediation:
# Set SSH to start manually rather than automatically for all hosts
Get-VMHost | Get-VMHostService | Where {$_.Key -eq "TSM-SSH"} | Set-VMHostService -Policy Off
(Set-VMHostService -Policy Off changes only the startup policy; an SSH service that is currently running must also be stopped, e.g. with Stop-VMHostService, for the assessment to show Running = False.)
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-12E27BF3-3769-4665-8769-DA76C2BC9FFE.html
Able to Set Using Host Profile: YES
Guideline ID: enable-ad-auth
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Access
Title: Use Active Directory for local user authentication.
Discussion: Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures that password complexity and reuse policies are enforced, and reduces the risk of security breaches and unauthorized access. Note: if the AD group "ESX Admins" (the default) is created, all users and groups that are members of this group will have full administrative access to all ESXi hosts in the domain. Refer to the "verify-admin-group" recommendation for more information.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: From the vSphere Web Client, select the host and go to "Manage" -> "Authentication Services" and click the "Join Domain" button. Provide the domain name along with the user credentials for an AD user that has the rights to join computers to the domain. Notes: (1) you can use Host Profiles to automate adding hosts to an AD domain. (2) Consider using the vSphere Authentication Proxy to avoid transmitting AD credentials over the network. Refer to the "enable-auth-proxy" recommendation for more information.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: N/A
Action: N/A
Desired Value Is Default: N/A
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.ActiveDirectoryAuthentication.html
ESXi Shell Assessment: TBD
ESXi Shell Remediation: TBD
vCLI Assessment: vicfg-authconfig --authscheme AD --currentdomain
vCLI Remediation: vicfg-authconfig --authscheme AD --joindomain <domain>
PowerCLI Assessment:
# Check each host and its domain membership status
Get-VMHost | Get-VMHostAuthentication | Select VmHost, Domain, DomainMembershipStatus
PowerCLI Remediation:
# Join the ESXi host to the domain
Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain domain.local -User Administrator -Password Passw0rd -JoinDomain
(Passing the join password on the command line leaves it in shell history and transcripts; prefer prompting for the credential, or the Authentication Proxy described in "enable-auth-proxy".)
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-28650C2C-93E3-4C00-B78A-7B785AA42D92.html
Able to Set Using Host Profile: YES
Guideline ID: enable-auth-proxy
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Communication
Title: When adding ESXi hosts to Active Directory, use the vSphere Authentication Proxy to protect passwords
Discussion: If you configure your hosts to join an Active Directory domain using Host Profiles, the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid saving Active Directory credentials in the Host Profile, and to avoid transmitting them over the network, use the vSphere Authentication Proxy.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Install and configure the Authentication Proxy. From the vSphere Web Client, navigate to "Host Profiles", select the host profile, then select "Manage" -> "Edit Host Profile". Expand "Security and Services" -> "Security Settings" -> "Authentication Configuration". Select "Active Directory configuration", set the "Join Domain Method" to "Use vSphere Authentication Proxy to add the host to domain" and provide the IP address of the Authentication Proxy.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: Site specific
Action: Modify
Desired Value Is Default: NO
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.ActiveDirectoryAuthentication.html
ESXi Shell Assessment: N/A
ESXi Shell Remediation: N/A
vCLI Assessment: # vicfg-authconfig --authscheme AD --currentdomain
vCLI Remediation: # vicfg-authconfig --authscheme AD --joindomain <domain>
PowerCLI Assessment:
# Check that the host profile uses the vSphere Authentication Proxy to add the host to the domain
Get-VMHost | Select Name, `
  @{N="HostProfile"; E={$_ | Get-VMHostProfile}}, `
  @{N="JoinADEnabled"; E={($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, `
  @{N="JoinDomainMethod"; E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).PolicyOption.Id}}
# Check each host and its domain membership status
Get-VMHost | Get-VMHostAuthentication | Select VmHost, Domain, DomainMembershipStatus
PowerCLI Remediation:
# Join the ESXi host to the domain
Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain domain.local -User Administrator -Password Passw0rd -JoinDomain
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-084B74BD-40A5-4A4B-A82C-0C9912D580DC.html
Able to Set Using Host Profile: YES
Guideline ID: enable-chap-auth
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Storage
Title: Enable bidirectional CHAP (also known as Mutual CHAP) authentication for iSCSI traffic.
Discussion: vSphere allows bidirectional authentication of both the iSCSI target and the host. Choosing not to enforce more stringent authentication can make sense if you create a dedicated network or VLAN to service all your iSCSI devices. If target and host are not both authenticated, a man-in-the-middle attacker can impersonate either side of the connection to steal data; bidirectional authentication mitigates this risk. If the iSCSI facility is isolated from general network traffic, it is less vulnerable to exploitation.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: In the vSphere Client navigate to the host and select "Configuration" -> "Storage Adapters" -> "iSCSI Initiator Properties" -> "CHAP". Verify that CHAP is enabled in both directions, "CHAP (Target Authenticates Host)" and "Mutual CHAP (Host Authenticates Target)", each with a "Name" and a "Secret" configured. One-way CHAP only authenticates the host to the target and does not meet this guideline.
Configuration File: N/A
Configuration Parameter: UseChap, Name, Secret
Desired Value: Site specific
Action: Modify
Desired Value Is Default: NO
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.InternetScsiHba.AuthenticationProperties.html
ESXi Shell Assessment: # esxcli iscsi adapter auth chap get --adapter=<vmhbaN> --direction=mutual
ESXi Shell Remediation: # esxcli iscsi adapter auth chap set --adapter=<vmhbaN> --direction=mutual --level=required --authname=<name> --secret=<secret>
vCLI Assessment: # esxcli iscsi adapter auth chap get --adapter=<vmhbaN> --direction=mutual
vCLI Remediation: # esxcli iscsi adapter auth chap set --adapter=<vmhbaN> --direction=mutual --level=required --authname=<name> --secret=<secret>
(Run "get" with --direction=uni as well to confirm the host-to-target direction; "get" does not print the secret itself.)
PowerCLI Assessment:
# List iSCSI initiators and the CHAP name, if defined
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName"; E={$_.AuthenticationProperties.ChapName}}
PowerCLI Remediation:
# Set the CHAP settings for the iSCSI adapter
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Set-VMHostHba  # Use the desired parameters here
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.storage.doc/GUID-AC65D747-728F-4109-96DD-49B433E2F266.html
Able to Set Using Host Profile: NO
Guideline ID: enable-host-profiles
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Logging
Title: Configure Host Profiles to monitor and alert on configuration changes
Discussion: Monitoring for configuration drift and unauthorized changes is critical to ensuring the security of an ESXi host. Host Profiles provide an automated method for checking host configurations against an established template and for providing notification if deviations are detected.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Configure a reference ESXi host with the desired configuration and use that host to create a Host Profile. Attach the Host Profile to other hosts with identical hardware configurations. Monitor host compliance with the Host Profile from the vSphere Client. Note: a separate Host Profile is needed for each hardware configuration.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: N/A
Action: N/A
Desired Value Is Default: NO
API Reference: http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc%2Fvim.profile.host.HostProfile.html
ESXi Shell Assessment: N/A
ESXi Shell Remediation: N/A
vCLI Assessment: N/A
vCLI Remediation: N/A
PowerCLI Assessment: (none listed)
PowerCLI Remediation: (none listed)
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.hostprofiles.doc/GUID-78BB234A-D735-4356-9CCF-19DD55DB8060.html
Able to Set Using Host Profile: NO
Guideline ID: enable-lockdown-mode
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Console
Title: Enable lockdown mode to restrict remote access.
Discussion: Enabling lockdown mode disables direct access to an ESXi host, requiring the host to be managed remotely from vCenter Server. This ensures that the roles and access controls implemented in vCenter are always enforced and that users cannot bypass them by logging in to a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced. Note: lockdown mode does not apply to users who log in using authorized keys. When an authorized key file is used for root authentication, root is not prevented from accessing the host with SSH even while the host is in lockdown mode (see "remove-authorized-keys"). Note also that users listed in the DCUI.Access list of each host are allowed to override lockdown mode and log in to the DCUI; by default "root" is the only user in the DCUI.Access list.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: From the DCUI: 1. Log in directly to the ESXi host. 2. Open the DCUI on the host. 3. Press F2 for Initial Setup. 4. Toggle the Configure Lockdown Mode setting. From the vSphere Web Client, select the host and then select "Manage" -> "Security Profile". Scroll down to "Lockdown Mode" and click "Edit...". Select the Enable Lockdown Mode checkbox. DO NOT combine with the "dcui-disable" guideline: if the DCUI is disabled and the host becomes isolated from vCenter, you could be locked out.
Configuration File: N/A
Configuration Parameter: vimsvc/auth/lockdown_is_enabled
Desired Value: Enabled
Action: Modify
Desired Value Is Default: NO
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.HostSystem.html
ESXi Shell Assessment:
# To check if lockdown mode is enabled:
vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
ESXi Shell Remediation:
# To disable lockdown mode:
vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
# To enable lockdown mode:
vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
vCLI Assessment: N/A
vCLI Remediation: N/A
PowerCLI Assessment:
# To check if lockdown mode is enabled
Get-VMHost | Select Name, @{N="Lockdown"; E={$_.ExtensionData.Config.AdminDisabled}}
PowerCLI Remediation:
# Enable lockdown mode for each host (EnterLockdownMode is a method of the HostSystem view object)
Get-VMHost | Foreach {$_.ExtensionData.EnterLockdownMode()}
Negative Functional Impact: Some operations, such as backup and troubleshooting, require direct access to the host. In these cases lockdown mode can be disabled temporarily for specific hosts as needed and re-enabled when the task is complete. Note: lockdown mode does not apply to users listed in the DCUI.Access list, which by default includes the root user.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-88B24613-E8F9-40D2-B838-225F5FF480FF.html and http://kb.vmware.com/kb/1008077
Able to Set Using Host Profile: NO
Guideline ID: enable-nfc-ssl
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Communication
Title: Enable SSL for Network File Copy (NFC)
Discussion: NFC (Network File Copy) is the mechanism used to migrate or clone a VM between two ESXi hosts over the network. By default SSL is used only for the authentication of the transfer, but it can also be enabled for the data transfer itself. Without this setting, VM contents could be sniffed if the management network is not adequately isolated and secured.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: In the vSphere Web Client, open the Advanced Settings of your vCenter Server. Check whether the "config.nfc.useSSL" key exists and, if so, verify that it is set to "true". If the key does not exist, add it to the list of keys with the value "true".
Configuration File: Windows = C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg; VCSA = /etc/vmware-vpx/vpxd.cfg
Configuration Parameter: config.nfc.useSSL
Desired Value: true
Action: Add
Desired Value Is Default: NO
API Reference: N/A
ESXi Shell Assessment: N/A
ESXi Shell Remediation: N/A
vCLI Assessment: N/A
vCLI Remediation: N/A
PowerCLI Assessment:
# Check that Network File Copy (NFC) uses SSL. OS administrator privileges on the vCenter server are needed for this to complete.
$vCenter = "MyvCenterFQDN"
[XML]$file = Get-Content "\\$vCenter\C$\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg"
# Compare against the literal value: a bare truthiness test would also accept "false", because any non-empty string is true in PowerShell
if ($file.config.nfc.useSSL -eq "true") {"SSL setting is compliant"} Else {"SSL setting is not set, not 'true', or unreadable"}
PowerCLI Remediation: N/A
Negative Functional Impact: Using SSL may reduce the performance of actions involving NFC, such as VM clone or migration. It has also not been extensively tested and may cause HA and other operations to fail in certain circumstances.
Reference: http://kb.vmware.com/kb/2010332
Able to Set Using Host Profile: NO
Guideline ID: enable-remote-dump
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Logging
Title: Configure a centralized location to collect ESXi host core dumps using the ESXi Dump Collector
Discussion: When a host crashes, analysis of the resulting core dump is essential to identifying the cause of the crash and a resolution. Installing a centralized dump collector helps ensure that core files are successfully saved and made available in the event that an ESXi host panics.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Step 1: Install and configure a dump collector (ESXi Dump Collector). Step 2: From the ESXi Shell or vCLI, enable remote dump collection for each host using the "esxcli system coredump network set" command.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: N/A
Action: Modify
Desired Value Is Default: NO
API Reference: N/A
ESXi Shell Assessment: esxcli system coredump network get
ESXi Shell Remediation:
# Configure the remote Dump Collector server
esxcli system coredump network set -v [VMK#] -i [DUMP_SERVER] -o [PORT]
# Enable the remote Dump Collector
esxcli system coredump network set -e true
vCLI Assessment: esxcli system coredump network get
vCLI Remediation:
# Configure the remote Dump Collector server
esxcli system coredump network set -v [VMK#] -i [DUMP_SERVER] -o [PORT]
# Enable the remote Dump Collector
esxcli system coredump network set -e true
PowerCLI Assessment:
Foreach ($VMHost in Get-VMHost) {
  $ESXCli = Get-EsxCli -VMHost $VMHost
  $ESXCli.system.coredump.network.get()
}
PowerCLI Remediation:
Foreach ($VMHost in Get-VMHost) {
  $ESXCli = Get-EsxCli -VMHost $VMHost
  $ESXCli.system.coredump.network.set($null, "[VMK#]", "[DUMP SERVER]", "[PORT]")
  $ESXCli.system.coredump.network.set($true)
}
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-64213886-7181-4767-9ED5-D8C989B9ECAE.html, http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-775F602C-7432-4259-B132-4EC1F38A7EE7.html and http://www.youtube.com/watch?v=veE6M7Na8-A
Able to Set Using Host Profile: YES
Guideline ID: enable-remote-syslog
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Logging
Title: Configure remote logging for ESXi hosts
Discussion: Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host you can monitor all hosts with a single tool, and you can do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record. To facilitate remote logging, VMware provides the vSphere Syslog Collector.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Step 1: Install/enable a syslog host (vSphere Syslog Collector recommended). Step 2: From the vSphere Web Client select the host, click "Manage" -> "Advanced System Settings" and enter "Syslog.global.logHost" in the filter. Set "Syslog.global.logHost" to the hostname of your syslog server. Note: when setting a remote log host it is also recommended to set "Syslog.global.logDirUnique" to true. The log host is given as a URL; where the collector supports it, prefer ssl://host:port over udp:// or tcp:// so that the "secure, centralized store" is not fed over a cleartext channel. You must configure the syslog settings for each host. The host syslog parameters can also be configured with the vCLI or PowerCLI, or using an API client.
Configuration File: N/A
Configuration Parameter: Syslog.global.logHost
Desired Value: Site specific
Action: Modify
Desired Value Is Default: NO
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionManager.html
ESXi Shell Assessment: # esxcli system syslog config get
ESXi Shell Remediation:
# esxcli system syslog config set --loghost=<syslog host URL>
# esxcli system syslog reload
vCLI Assessment: # esxcli system syslog config get
vCLI Remediation:
# esxcli system syslog config set --loghost=<syslog host URL>
# esxcli system syslog reload
PowerCLI Assessment:
# List Syslog.global.logHost for each host
Get-VMHost | Select Name, @{N="Syslog.global.logHost"; E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logHost | Select -ExpandProperty Values}}
PowerCLI Remediation:
# Set Syslog.global.logHost for each host
Get-VMHost | Foreach {Set-VMHostAdvancedConfiguration -VMHost $_ -Name Syslog.global.logHost -Value "NewLocation"}
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-775F602C-7432-4259-B132-4EC1F38A7EE7.html
Able to Set Using Host Profile: YES
Guideline ID: esxi-no-self-signed-certs
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Communication
Title: Do not use default self-signed certificates for ESXi communication.
Discussion: Using the default self-signed certificates leaves the SSL connection open to man-in-the-middle (MiTM) attacks, because clients have no trust anchor against which to validate the host. Replace the default self-signed certificates with certificates from a trusted CA, either commercial or organizational.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Connect to each ESX/ESXi host with a web browser at https://<host>/. View the details of the SSL certificate and determine whether it is issued by a trusted CA, either commercial or organizational. To change SSL certificates refer to KB http://kb.vmware.com/kb/2057340
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: N/A
Action: Configuration
Desired Value Is Default: NO
API Reference: N/A
ESXi Shell Assessment: N/A
ESXi Shell Remediation: N/A
vCLI Assessment: N/A
vCLI Remediation: N/A
PowerCLI Assessment:
function Test-WebServerSSL {
# Function original location: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=60
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
    [string]$URL,
    [Parameter(Position = 1)]
    [ValidateRange(1,65535)]
    [int]$Port = 443,
    [Parameter(Position = 2)]
    [Net.WebProxy]$Proxy,
    [Parameter(Position = 3)]
    [int]$Timeout = 15000,
    [switch]$UseUserContext
)
Add-Type @"
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
namespace PKI {
    namespace Web {
        public class WebSSL {
            public Uri OriginalURi;
            public Uri ReturnedURi;
            public X509Certificate2 Certificate;
            //public X500DistinguishedName Issuer;
            //public X500DistinguishedName Subject;
            public string Issuer;
            public string Subject;
            public string[] SubjectAlternativeNames;
            public bool CertificateIsValid;
            //public X509ChainStatus[] ErrorInformation;
            public string[] ErrorInformation;
            public HttpWebResponse Response;
        }
    }
}
"@
$ConnectString = "https://$url`:$port"
$WebRequest = [Net.WebRequest]::Create($ConnectString)
$WebRequest.Proxy = $Proxy
$WebRequest.Credentials = $null
$WebRequest.Timeout = $Timeout
$WebRequest.AllowAutoRedirect = $true
# Accept any certificate for the probe itself so the handshake completes; trust is evaluated separately below via X509Chain.
# Note that this callback is process-wide until it is reset at the end of the function.
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try {$Response = $WebRequest.GetResponse()}
catch {}
if ($WebRequest.ServicePoint.Certificate -ne $null) {
    $Cert = [Security.Cryptography.X509Certificates.X509Certificate2]$WebRequest.ServicePoint.Certificate.Handle
    try {$SAN = ($Cert.Extensions | Where-Object {$_.Oid.Value -eq "2.5.29.17"}).Format(0) -split ", "}
    catch {$SAN = $null}
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain -ArgumentList (!$UseUserContext)
    # Require the Server Authentication EKU (1.3.6.1.5.5.7.3.1) when building the chain
    [void]$chain.ChainPolicy.ApplicationPolicy.Add("1.3.6.1.5.5.7.3.1")
    $Status = $chain.Build($Cert)
    New-Object PKI.Web.WebSSL -Property @{
        OriginalUri = $ConnectString;
        ReturnedUri = $Response.ResponseUri;
        Certificate = $WebRequest.ServicePoint.Certificate;
        Issuer = $WebRequest.ServicePoint.Certificate.Issuer;
        Subject = $WebRequest.ServicePoint.Certificate.Subject;
        SubjectAlternativeNames = $SAN;
        CertificateIsValid = $Status;
        Response = $Response;
        ErrorInformation = $chain.ChainStatus | ForEach-Object {$_.Status}
    }
    $chain.Reset()
    [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
} else {
    [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    Write-Error $Error[0]
}
}
# Check host certificates
Get-VMHost | Foreach {Test-WebServerSSL -URL $_.Name | Select OriginalURi, CertificateIsValid, Issuer, @{N="Expires"; E={$_.Certificate.NotAfter}}, @{N="DaysTillExpire"; E={(New-TimeSpan -Start (Get-Date) -End ($_.Certificate.NotAfter)).Days}}}
# Check the vCenter certificate
Test-WebServerSSL -URL $DefaultVIServer | Select OriginalURi, CertificateIsValid, Issuer, @{N="Expires"; E={$_.Certificate.NotAfter}}, @{N="DaysTillExpire"; E={(New-TimeSpan -Start (Get-Date) -End ($_.Certificate.NotAfter)).Days}}
(CertificateIsValid reflects the chain as seen from the machine running the script: a certificate from an organizational CA shows as invalid until that CA is in the local trust store, and a self-signed default certificate never builds a valid chain.)
PowerCLI Remediation: N/A
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-AC7E6DD7-F984-4E0F-983A-463031BA5FE7.html
Able to Set Using Host Profile: NO
Guideline ID: limit-cim-access
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Console
Title: Do not provide administrator-level access (i.e. root) to CIM-based hardware monitoring tools or other third-party applications.
Discussion: The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. To ensure that the CIM interface remains secure, provide only the minimum access necessary to these applications. Do not provision CIM and other third-party tools to run as root or another administrator account; instead, use a dedicated service account with a limited privilege set. If CIM or other third-party tools are granted unneeded administrator-level access, they could become a backdoor and compromise the security of the host.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Create a limited-privilege service account for CIM and other third-party applications. This account should access the system via vCenter and needs only the "CIM Interaction" privilege. This enables the account to obtain a CIM ticket, which can then be used to perform both read and write CIM operations on the target host. If an account must connect to the host directly, it must be granted the full "Administrator" role on the host; this is not recommended unless required by the monitoring software in use.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: N/A
Action: N/A
Desired Value Is Default: N/A
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.LocalAccountManager.html
ESXi Shell Assessment: N/A
ESXi Shell Remediation: N/A
vCLI Assessment: N/A
vCLI Remediation: N/A
PowerCLI Assessment:
# List all user accounts on the host (a host-local connection is required)
Get-VMHostAccount
PowerCLI Remediation:
# Create a new host user account (a host-local connection is required)
New-VMHostAccount -Id ServiceUser -Password pass -UserAccount
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.cimsdk.smashpg.doc/03_CIM_SMASH_PG_Use_Cases.5.1.html and http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-645EBD81-CF86-44D7-BE77-224EF963D145.html
Able to Set Using Host Profile: NO
Guideline ID: mask-zone-san
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Storage
Title: Mask and zone SAN resources appropriately.
Discussion: Use zoning and LUN masking to segregate SAN activity. For example, zones defined for testing are managed independently within the SAN so they do not interfere with activity in the production zones. Similarly, you can set up different zones for different departments. Zoning must take into account any host groups that have been set up on the SAN device.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Zoning and masking capabilities for each SAN switch and disk array are vendor specific, as are the tools for managing LUN masking.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: N/A
Action: N/A
Desired Value Is Default: N/A
API Reference: N/A
ESXi Shell Assessment: N/A
ESXi Shell Remediation: N/A
vCLI Assessment: N/A
vCLI Remediation: N/A
PowerCLI Assessment: N/A
PowerCLI Remediation: N/A
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-BFE9046A-2278-4026-809A-ED8F9D8FDACE.html and http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.storage.doc/GUID-39A4551F-4B03-43A6-BEDF-FAB1528C070D.html
Able to Set Using Host Profile: NO
Guideline ID: remove-authorized-keys
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Console
Title: Remove keys from the SSH authorized_keys file.
Discussion: ESXi hosts ship with SSH, which can be enabled to allow remote access that authenticates with a key instead of a password. To enable password-free access, the remote user's public key is copied into the /etc/ssh/keys-root/authorized_keys file on the ESXi host. The presence of a public key in authorized_keys marks that user as trusted, meaning the holder of the matching private key is granted root access to the host without providing a password. Note: lockdown mode does not apply to root logins that use authorized keys. When an authorized key file is used for root authentication, root is not prevented from accessing the host with SSH even while the host is in lockdown mode, so a stray key silently undoes "enable-lockdown-mode".
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: For day-to-day operations disable SSH on your ESXi hosts. If SSH is enabled, even temporarily, monitor the contents of /etc/ssh/keys-root/authorized_keys to ensure no users are allowed to access the host without proper authentication. To check for SSH keys added to the authorized_keys file, log on to the ESXi Shell as root and verify that /etc/ssh/keys-root/authorized_keys is empty. If the file is not empty, remove any keys found in it.
Configuration File: /etc/ssh/keys-root/authorized_keys
Configuration Parameter: N/A
Desired Value: N/A
Action: N/A
Desired Value Is Default: YES
API Reference: N/A
ESXi Shell Assessment: N/A
ESXi Shell Remediation: N/A
vCLI Assessment: N/A
vCLI Remediation: N/A
PowerCLI Assessment: N/A
PowerCLI Remediation: N/A
Negative Functional Impact: Disabling SSH authorized_keys access may limit your ability to run commands remotely on a host without providing a valid login (e.g. it prevents unattended remote scripting).
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-ED477079-1E7E-4EBA-AAFE-019FB335DABC.html
Able to Set Using Host Profile: NO
Guideline ID: remove-revoked-certificates
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Communication
Title: Remove revoked SSL certificates from the ESXi server
Discussion: By default, ESXi hosts do not perform CRL checking, so revoked certificates must be checked for and removed manually. These are typically custom certificates issued by a corporate certificate authority or a third-party authority.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Use the script called out in "verify-ssl-certificates" in the vCenter Server section to assess whether there are revoked SSL certificates on your ESXi servers. If a revoked certificate is found, replace the SSL certificate with a valid one.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: N/A
Action: N/A
Desired Value Is Default: N/A
API Reference: N/A
ESXi Shell Assessment: N/A
ESXi Shell Remediation: N/A
vCLI Assessment: N/A
vCLI Remediation: N/A
PowerCLI Assessment: Use the script in the vCenter Server "verify-ssl-certificates" guideline to assess the status of installed certificates
PowerCLI Remediation: N/A
Negative Functional Impact: Use of a revoked certificate could leave your system open to attack.
Reference: (none listed)
Able to Set Using Host Profile: (not stated)
Guideline ID: set-dcui-access
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Console
Title: Set DCUI.Access to allow trusted users to override lockdown mode
Discussion: Lockdown mode disables direct host access, requiring that administrators manage hosts from vCenter Server. However, if a host becomes isolated from vCenter Server, the administrator is locked out and can no longer manage the host. To avoid being locked out of an ESXi host that is running in lockdown mode, set DCUI.Access to a list of highly trusted users who can override lockdown mode and access the DCUI. Because every user in this list bypasses lockdown mode entirely, treat membership as a privileged-access grant: keep the list minimal and review it as part of host compliance.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: From the vSphere Web Client, select the host and select "Manage" -> "Advanced System Settings". Type "DCUI.Access" in the filter. Set the "DCUI.Access" attribute to a comma-separated list of the users who are allowed to override lockdown mode. Notes: by default only the "root" user is a member of the DCUI.Access list. It is not recommended to remove root from the DCUI.Access list, as this revokes the root user's administrative privileges on the host.
Configuration File: N/A
Configuration Parameter: DCUI.Access
Desired Value: N/A or a list of authorized users
Action: Modify
Desired Value Is Default: NO
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionManager.html
ESXi Shell Assessment: vim-cmd hostsvc/advopt/view DCUI.Access
ESXi Shell Remediation: vim-cmd hostsvc/advopt/update DCUI.Access string [USERS]
vCLI Assessment: N/A
vCLI Remediation: N/A
PowerCLI Assessment: (none listed)
PowerCLI Remediation: (none listed)
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6779F098-48FE-4E22-B116-A8353D19FF56.html
Able to Set Using Host Profile: YES
Guideline ID: set-password-complexity
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Access
Title: Establish a password policy for password complexity.
Discussion: ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. It is important to use passwords that are not easily guessed and that are difficult for password-cracking tools to determine. Note: ESXi imposes no restrictions on the root password; password strength and complexity rules apply only to non-root users.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Edit the entry "password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4" in the /etc/pam.d/passwd file as outlined in the vSphere Security Guide, "Users and Permissions" chapter. N0 through N4 are the minimum lengths pam_passwdqc requires for passwords made of one, two, (N2) a passphrase, three and four character classes respectively; the value "disabled" forbids that category. Verify that the expected settings are configured in /etc/pam.d/passwd.
Configuration File: /etc/pam.d/passwd
Configuration Parameter: password requisite /lib/security/$ISA/pam_passwdqc.so
Desired Value: Site specific
Action: Modify
Desired Value Is Default: YES
API Reference: N/A
ESXi Shell Assessment: N/A
ESXi Shell Remediation: N/A
vCLI Assessment: N/A
vCLI Remediation: N/A
PowerCLI Assessment: N/A
PowerCLI Remediation: N/A
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-DC96FFDB-F5F2-43EC-8C73-05ACDAE6BE43.html
Able to Set Using Host Profile: NO
Guideline ID: set-shell-interactive-timeout
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Console
Title: Set a timeout to automatically terminate idle ESXi Shell and SSH sessions.
Discussion: If a user forgets to log out of an SSH session, the idle connection remains open indefinitely, increasing the potential for someone to gain privileged access to the host. The ESXiShellInteractiveTimeOut allows you to terminate idle shell sessions automatically.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: From the DCUI: select "Troubleshooting Options" -> "Modify ESXi Shell and SSH Timeouts". Modify the ESXi Shell Interactive Timeout to the desired value. Note: the ESXi Shell and SSH services must be disabled in order to modify the setting from the DCUI. From the vSphere Web Client, select the host, click "Manage" -> "Advanced System Settings" and type ESXiShellInteractiveTimeOut in the filter. Set the attribute to the desired value (in seconds). Note: a value of 0 disables the ESXiShellInteractiveTimeOut. It is recommended to set the ESXiShellTimeOut together with the ESXiShellInteractiveTimeOut.
Configuration File: N/A
Configuration Parameter: UserVars.ESXiShellInteractiveTimeOut
Desired Value: Site specific
Action: Modify
Desired Value Is Default: NO
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionManager.html
ESXi Shell Assessment: # esxcli --formatter=csv --format-param=fields="Path,IntValue" system settings advanced list | grep /UserVars/ESXiShellInteractiveTimeOut
ESXi Shell Remediation: # esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i <seconds>
vCLI Assessment: # esxcli --formatter=csv --format-param=fields="Path,IntValue" system settings advanced list | grep /UserVars/ESXiShellInteractiveTimeOut
vCLI Remediation: # esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i <seconds>
PowerCLI Assessment:
# List UserVars.ESXiShellInteractiveTimeOut for each host
Get-VMHost | Select Name, @{N="UserVars.ESXiShellInteractiveTimeOut"; E={$_ | Get-VMHostAdvancedConfiguration UserVars.ESXiShellInteractiveTimeOut | Select -ExpandProperty Values}}
PowerCLI Remediation:
# Set UserVars.ESXiShellInteractiveTimeOut to 900 on all hosts
Get-VMHost | Foreach {Set-VMHostAdvancedConfiguration -VMHost $_ -Name UserVars.ESXiShellInteractiveTimeOut -Value 900}
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-94F0C54F-05E3-4E16-8027-0280B9ED1009.html and http://kb.vmware.com/kb/2004746
Able to Set Using Host Profile: NO
Guideline ID: set-shell-timeout
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Console
Title: Set a timeout to limit how long the ESXi Shell and SSH services are allowed to run
Discussion: When the ESXi Shell or SSH services are enabled on a host they run indefinitely. To avoid leaving these services running, set the ESXiShellTimeOut. The ESXiShellTimeOut defines a window of time after which the ESXi Shell and SSH services are terminated automatically.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: From the DCUI: select "Troubleshooting Options" -> "Modify ESXi Shell and SSH Timeouts". Modify the ESXi Shell Timeout to the desired value. Note: the ESXi Shell and SSH services must be disabled in order to modify the setting from the DCUI. From the vSphere Web Client, select the host, click "Manage" -> "Advanced System Settings" and type ESXiShellTimeOut in the filter. Set the attribute to the desired value (in seconds). Note: a value of 0 disables the ESXiShellTimeOut. It is recommended to set the ESXiShellInteractiveTimeOut together with the ESXiShellTimeOut.
Configuration File: N/A
Configuration Parameter: UserVars.ESXiShellTimeOut
Desired Value: Site specific
Action: Modify
Desired Value Is Default: NO
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionManager.html
ESXi Shell Assessment: # esxcli --formatter=csv --format-param=fields="Path,IntValue" system settings advanced list | grep /UserVars/ESXiShellTimeOut
ESXi Shell Remediation: # esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i <seconds>
vCLI Assessment: # esxcli --formatter=csv --format-param=fields="Path,IntValue" system settings advanced list | grep /UserVars/ESXiShellTimeOut
vCLI Remediation: # esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i <seconds>
PowerCLI Assessment:
# List UserVars.ESXiShellTimeOut for each host
Get-VMHost | Select Name, @{N="UserVars.ESXiShellTimeOut"; E={$_ | Get-VMHostAdvancedConfiguration UserVars.ESXiShellTimeOut | Select -ExpandProperty Values}}
PowerCLI Remediation:
# Set UserVars.ESXiShellTimeOut to 900 on all hosts
Get-VMHost | Foreach {Set-VMHostAdvancedConfiguration -VMHost $_ -Name UserVars.ESXiShellTimeOut -Value 900}
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-94F0C54F-05E3-4E16-8027-0280B9ED1009.html and http://kb.vmware.com/kb/2004746
Able to Set Using Host Profile: NO
Guideline ID: unique-chap-secrets
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Storage
Title: Ensure uniqueness of CHAP authentication secrets.
Discussion: The mutual authentication secret for each host should be different and, if possible, the secret should also be different for each client authenticating to the server. This ensures that if a single host is compromised, an attacker cannot set up an arbitrary host and authenticate to the storage device. With a single shared secret, compromise of one host allows an attacker to authenticate to the storage device from anywhere.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: In the vSphere Web Client navigate to the host and select "Manage" -> "Storage Adapters" -> "iSCSI Initiator Properties" -> "Authentication" -> "Edit". Verify that a different authentication secret is configured for each ESXi host. Neither the client nor "esxcli iscsi adapter auth chap get" displays the secret itself, so uniqueness has to be verified against the record of issued secrets (your secret store or the storage array's initiator configuration), not from host output.
Configuration File: (none listed)
Configuration Parameter: Secret
Desired Value: Site dependent
Action: Modify
Desired Value Is Default: NO
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.InternetScsiHba.AuthenticationProperties.html
ESXi Shell Assessment: # esxcli iscsi adapter auth chap get
ESXi Shell Remediation: # esxcli iscsi adapter auth chap set   (Note: include --direction uni or --direction mutual as appropriate for the shell and vCLI commands.)
vCLI Assessment: # esxcli iscsi adapter auth chap get
vCLI Remediation: # esxcli iscsi adapter auth chap set
PowerCLI Assessment:
# List iSCSI initiators and the CHAP name, if defined
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName"; E={$_.AuthenticationProperties.ChapName}}
PowerCLI Remediation:
# Set the CHAP settings for the iSCSI adapter
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Set-VMHostHba  # Use the desired parameters here
Negative Functional Impact: (none listed)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.storage.doc/GUID-AC65D747-728F-4109-96DD-49B433E2F266.html and http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.storage.doc/GUID-2F1E64DB-20BB-4D18-A083-8E65FE380899.html
Able to Set Using Host Profile: NO
Guideline ID: verify-acceptance-level-accepted
Product: vSphere
Version: 5.5
Component: ESXi
Sub-Component: Install
Title: Verify Image Profile and VIB acceptance levels.
Discussion: Verify that the ESXi Image Profile allows only signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image Profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware; (2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware; (3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner; and (4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner. CommunitySupported VIBs are not supported and do not carry a digital signature. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed.
Risk Profile: 2
Control Type: Parameter
Assessment Procedure: STEP 1: Connect to each ESX/ESXi host using the ESXi Shell or vCLI and execute "esxcli software acceptance get" to verify that the host's acceptance level is set to either "VMwareCertified" or "VMwareAccepted". STEP 2: Connect to each ESX/ESXi host using the vCLI and execute "esxcli software vib list" and verify that the acceptance level of each installed VIB is "VMwareCertified" or "VMwareAccepted". The host acceptance level governs future installations; only the VIB list reveals packages already present below the desired level.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: VMwareCertified or VMwareAccepted
Action: Verify
Desired Value Is Default: NO
API Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.ImageConfigManager.html
ESXi Shell Assessment:
# esxcli software acceptance get
# esxcli software vib list
ESXi Shell Remediation: # esxcli software acceptance set --level=<level>
vCLI Assessment:
# esxcli software acceptance get
# esxcli software vib list
vCLI Remediation: # esxcli software acceptance set --level=<level>
PowerCLI Assessment:
# List the software acceptance level for each host
Foreach ($VMHost in Get-VMHost) {
  $ESXCli = Get-EsxCli -VMHost $VMHost
  $VMHost | Select Name, @{N="AcceptanceLevel"; E={$ESXCli.software.acceptance.get()}}
}
# List only the VIBs that are not at the "VMwareCertified" or "VMwareAccepted" acceptance level
Foreach ($VMHost in Get-VMHost) {
  $ESXCli = Get-EsxCli -VMHost $VMHost
  $ESXCli.software.vib.list() | Where {($_.AcceptanceLevel -ne "VMwareCertified") -and ($_.AcceptanceLevel -ne "VMwareAccepted")}
}
PowerCLI Remediation:
# Set the software acceptance level for each host
Foreach ($VMHost in Get-VMHost) {
  $ESXCli = Get-EsxCli -VMHost $VMHost
  $ESXCli.software.acceptance.Set("VMwareCertified")
}
Negative Functional Impact: Third-party VIBs tested by VMware partners are not allowed on the host. This could include some device drivers, CIM modules and other add-on software. Host customization using custom VIBs is not allowed.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.html and http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-751034F3-5337-4DB2-8272-8DAC0980EACA.html
Able to Set Using Host Profile: NO
html","NO""verify-acceptance-level-certified","vSphere",5.
5,"ESXI","Install","VerifyImageProfileandVIBAcceptanceLevels.
","VerifytheESXiImageProfiletoonlyallowsignedVIBs.
AnunsignedVIBrepresentsuntestedcodeinstalledonanESXihost.
TheESXiImageprofilesupportsfouracceptancelevels:(1)VMwareCertified-VIBscreated,testedandsignedbyVMware,(2)VMwareAccepted-VIBscreatedbyaVMwarepartnerbuttestedandsignedbyVMware,(3)PartnerSupported-VIBscreated,testedandsignedbyacertifiedVMwarepartner,and(4)CommunitySupported-VIBsthathavenotbeentestedbyVMwareoraVMwarepartner.
CommunitySupportedVIBsarenotsupportedanddonothaveadigitalsignature.
ToprotectthesecurityandintegrityofyourESXihostsdonotallowunsigned(CommunitySupported)VIBstobeinstalledonyourhosts.
",1,"Parameter","STEP1:ConnecttoeachESX/ESXihostusingtheESXiShellorvCLIandexecutethecommand"esxclisoftwareacceptanceget"toverifytheacceptancelevelforthehostissetto"VMwareCertified".
STEP2:ConnecttoeachESX/ESXihostusingthevCLIandexecutethecommand"esxclisoftwareviblist"andverifytheacceptancelevelforeachVIBissetto"VMwareCertified".
","N/A","N/A","VMwareCertified","Verify","NO","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
host.
ImageConfigManager.
html","#esxclisoftwareacceptanceget#esxclisoftwareviblist","#esxclisoftwareacceptanceset--level","#esxclisoftwareacceptanceget#esxclisoftwareviblist","#esxclisoftwareacceptanceset--level","#ListtheSoftwareAcceptanceLevelforeachhostForeach($VMHostinGet-VMHost){$ESXCli=Get-EsxCli-VMHost$VMHost$VMHost|SelectName,@{N="AcceptanceLevel";E={$ESXCli.
software.
acceptance.
get()}}}#Listonlythevibswhicharenotat"VMwareCertified"acceptancelevelForeach($VMHostinGet-VMHost){$ESXCli=Get-EsxCli-VMHost$VMHost$ESXCli.
software.
vib.
list()|Where{$_.
AcceptanceLevel-ne"VMwareCertified"}}","#SettheSoftwareAcceptanceLevelforeachhostForeach($VMHostinGet-VMHost){$ESXCli=Get-EsxCli-VMHost$VMHost$ESXCli.
software.
acceptance.
Set("VMwareCertified")}","NoVMwarepartnerVIBsareallowedonthehost,toincludenon-VMwarewrittendevicedrivers,CIMmodules,andotherthirdpartysoftware.
HostcustomizationusingcustomVIBsisnotallowed.
","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
install.
doc/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.
htmlhttp://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-751034F3-5337-4DB2-8272-8DAC0980EACA.
html","NO""verify-acceptance-level-supported","vSphere",5.
5,"ESXI","Install","VerifyImageProfileandVIBAcceptanceLevels.
","VerifytheESXiImageProfiletoonlyallowsignedVIBs.
AnunsignedVIBrepresentsuntestedcodeinstalledonanESXihost.
TheESXiImageprofilesupportsfouracceptancelevels:(1)VMwareCertified-VIBscreated,testedandsignedbyVMware,(2)VMwareAccepted-VIBscreatedbyaVMwarepartnerbuttestedandsignedbyVMware,(3)PartnerSupported-VIBscreated,testedandsignedbyacertifiedVMwarepartner,and(4)CommunitySupported-VIBsthathavenotbeentestedbyVMwareoraVMwarepartner.
CommunitySupportedVIBsarenotsupportedanddonothaveadigitalsignature.
ToprotectthesecurityandintegrityofyourESXihostsdonotallowunsigned(CommunitySupported)VIBstobeinstalledonyourhosts.
",3,"Parameter","STEP1:ConnecttoeachESX/ESXihostusingtheESXiShellorvCLIandexecutethecommand"esxclisoftwareacceptanceget"toverifytheacceptancelevelforthehostisateither"VMwareCertified","VMwareSupported",or"PartnerSupported".
STEP2:ConnecttoeachESX/ESXihostusingthevCLIandexecutethecommand"esxclisoftwareviblist"andverifytheacceptancelevelforeachVIBiseither"VMwareCertified","VMwareSupported",or"PartnerSupported"","N/A","N/A","VMwareCertifiedVMwareAcceptedPartnerSupported","Verify","YES","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
host.
ImageConfigManager.
html","#esxclisoftwareacceptanceget#esxclisoftwareviblist","#esxclisoftwareacceptanceset--level","#esxclisoftwareacceptanceget#esxclisoftwareviblist","#esxclisoftwareacceptanceset--level","#ListtheSoftwareAcceptanceLevelforeachhostForeach($VMHostinGet-VMHost){$ESXCli=Get-EsxCli-VMHost$VMHost$VMHost|SelectName,@{N="AcceptanceLevel";E={$ESXCli.
software.
acceptance.
get()}}}#Listonlythevibswhicharenotat"VMwareCertified"or"VMwareAccepted"or"PartnerSupported"acceptancelevelForeach($VMHostinGet-VMHost){$ESXCli=Get-EsxCli-VMHost$VMHost$ESXCli.
software.
vib.
list()|Where{($_.
AcceptanceLevel-ne"VMwareCertified")-and($_.
AcceptanceLevel-ne"VMwareAccepted")-and($_.
AcceptanceLevel-ne"PartnerSupported")}}","#SettheSoftwareAcceptanceLevelforeachhostForeach($VMHostinGet-VMHost){$ESXCli=Get-EsxCli-VMHost$VMHost$ESXCli.
software.
acceptance.
Set("VMwareCertified")}","HostcustomizationusingcustomVIBsisnotallowed.
","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
install.
doc/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.
htmlhttp://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-751034F3-5337-4DB2-8272-8DAC0980EACA.
html","NO""verify-admin-group","vSphere",5.
5,"ESXI","Access","VerifyActiveDirectorygroupmembershipforthe"ESXiAdmins"group.
","TheADgroupusedbyvSphereisdefinedbythe"esxAdminsGroup"attribute,bydefaultthisattributeissetto"ESXAdmins".
Allmembersofthe"ESXAdmins"grouparegrantedfulladministrativeaccesstoallESXihostsinthedomain.
MonitorADforthecreationofthisgroupandlimitmembershiptohighlytrustedusersandgroups.
","1,2,3","Configuration","FromActiveDirectorymonitorthemembershipofthegroupnamethatisdefinedbytheadvancedhostsetting:"Config.
HostAgent.
plugins.
hostsvc.
esxAdminsGroup"(defaultisESXAdmins.
Aswithanydefaultgroup,considerchangingthisnametoavoidpossibleexploits)andverifyonlyauthorizeduserandgroupaccountsaremembersofthisgroup.
IffulladminaccessfortheADESXadminsgroupisnotdesiredyoucandisablethisbehaviorusingtheadvancedhostsetting:"Config.
HostAgent.
plugins.
hostsvc.
esxAdminsGroupAutoAdd"","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A",,"http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
host.
AuthenticationManager.
html","NO""verify-config-files","vSphere",5.
5,"ESXI","Console","Verifycontentsofexposedconfigurationfiles","AlthoughmostconfigurationsonESXiarecontrolledviaanAPI,therearealimitedsetofconfigurationfilesthatareuseddirectlytogovernhostbehavior.
ThesespecificfilesareexposedviathevSphereHTTPS-basedfiletransferAPI.
Anychangestothesefilesshouldbecorrelatedwithanapprovedadministrativeaction,suchasanauthorizedconfigurationchange.
Tamperingwiththesefileshasthepotentialtoenableunauthorizedaccesstothehostconfigurationandvirtualmachines.
WARNING:donotattempttomonitorfilesthatareNOTexposedviathisfile-transferAPI,sincethiscanresultinadestabilizedsystem",1,"Operational","ESXiConfigurationfilescanbefoundbybrowsingtohttps:///host(notavailableifMOBisdisabled).
NOTE:notallthefileslistedaremodifiable.
ThefilescanalsoberetrievedusingthevCLIorPowerCLI.
Implementaproceduretotrackthefilesandtheircontentsovertimetoensurethattheyarenotimproperlymodified.
Besurenottomonitorlogfilesandotherfileswhosecontentisexpectedtochangeregularlyduetosystemactivity.
Also,accountforconfigurationfilechangesthatareduetodeliberateadministrativeactivity.
Itisrecommendedtokeepreoccurringbackupsofahostconfiguration.
Note:HostProfilesmayalsobeusedtotrackconfigurationchangesonthehost;howeverHostProfilesdonottrackallconfigurationchanges","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vcli.
examples.
doc/cli_manage_hosts.
4.
4.
html","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
hostprofiles.
doc/GUID-78BB234A-D735-4356-9CCF-19DD55DB8060.
htmlhttp://kb/vmware.
com/kb/2042141","NO""verify-dvfilter-bind","vSphere",5.
5,"ESXI","Communication","PreventunintendeduseofdvfilternetworkAPIs.
","IfyouarenotusingproductsthatmakeuseofthedvfilternetworkAPI(e.
g.
VMSafe),thehostshouldnotbeconfiguredtosendnetworkinformationtoaVM.
IftheAPIisenabled,anattackermightattempttoconnectaVMtoit,therebypotentiallyprovidingaccesstothenetworkofotherVMsonthehost.
IfyouareusingaproductthatmakesuseofthisAPIthenverifythatthehosthasbeenconfiguredcorrectly.
","1,2,3","Parameter","Ifadvfilter-basednetworksecurityapplianceisnotbeingusedonthehost,ensurethatthefollowingkernelparameterhasablankvalue:/Net/DVFilterBindIpAddress.
FromthevSpherewebclientselectthehostandclick"Manage"->"AdvancedSystemSettings".
Enter"Net.
DVFilterBindIpAddress"inthefilterandverify"Net.
DVFilterBindIpAddress"hasanemptyvalue.
Ifanapplianceisbeingused,thenmakesurethevalueofthisparameterissettotheproperIPaddress.
Note:thismustbedoneforeachESXihost.
","N/A","Net.
DVFilterBindIpAddress","empty","Modify","YES","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionManager.
html","#esxcli--formatter=csv--format-param=fields="Path,IntValue"systemsettingsadvancedlist|grep/Net/DVFilterBindIpAddress","#esxclisystemsettingsadvancedset-o/Net/DVFilterBindIpAddress-d","#esxcli--formatter=csv--format-param=fields="Path,IntValue"systemsettingsadvancedlist|grep/Net/DVFilterBindIpAddress","#esxclisystemsettingsadvancedset-o/Net/DVFilterBindIpAddress-d","#ListNet.
DVFilterBindIpAddressforeachhostGet-VMHost|SelectName,@{N="Net.
DVFilterBindIpAddress";E={$_|Get-VMHostAdvancedConfigurationNet.
DVFilterBindIpAddress|Select-ExpandPropertyValues}}","#SetRemoveNet.
DVFilterBindIpAddresstonullonallhostsGet-VMHostHOST1|Foreach{Set-VMHostAdvancedConfiguration-VMHost$_-NameNet.
DVFilterBindIpAddress-Value""}","Thiswillpreventadvfilter-basednetworksecurityappliancefromfunctioning","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
ext_solutions.
doc/GUID-6013E15D-92CE-4970-953C-ACCB36ADA8AD.
htmlhttp://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-CD0783C9-1734-4B9A-B821-ED17A77B0206.
html","NO""verify-install-media","vSphere",5.
5,"ESXI","Install","VerifytheintegrityoftheinstallationmediabeforeinstallingESXi","AlwayschecktheSHA1hashafterdownloadinganISO,offlinebundle,orpatchtoensureintegrityandauthenticityofthedownloadedfiles.
IfyouobtainphysicalmediafromVMwareandthesecuritysealisbroken,returnthesoftwaretoVMwareforareplacement.
","1,2,3","Operational","AfterdownloadingmediausetheMD5sumvaluetoverifytheintegrityofthedownload.
ComparetheMD5sumoutputwiththevaluepostedontheVMwarewebsite.
Notes:eachoperatingsystemwillhaveadifferentmethod/toolforcheckingMD5sumvalues.
Formicrosoftyoucandownloadanadd-onproductasidentifiedinhttp:/support.
microsoft.
com/kb/841290.
ForMacOSusethe"md5"command.
ForLinuxusethe"md5sum"command.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","#ChecktheSHA1hasofthedownloadwiththefollowingfunctionFunctionGet-SHA1{Param($Filename)begin{[Reflection.
Assembly]::LoadWithPartialName("System.
Security")|out-null$sha1=new-ObjectSystem.
Security.
Cryptography.
SHA1Managed}Process{$file=[System.
IO.
File]::Open($filename,"open","read")$filehash=$sha1.
ComputeHash($file)|Foreach{write-host-NoNewLine$_.
ToString("x2")}$file.
Dispose()}}Get-SHA1-Filename"C:\Sources\ESX5.
ISO"","N/A",,"http://kb.
vmware.
com/kb/1537","NO""verify-kernel-modules","vSphere",5.
5,"ESXI","Install","Verifynounauthorizedkernelmodulesareloadedonthehost.
","VMwareprovidesdigitalsignaturesforkernelmodules.
BydefaulttheESXihostdoesnotpermitloadingofkernelmodulesthatlackavaliddigitalsignature.
However,thisbehaviorcanbeoverriddenallowingunauthorizedkernelmodulestobeloaded.
UntestedormaliciouskernelmodulesloadedontheESXihostcanputthehostatriskforinstabilityand/orexploitation.
","1,2,3","Operational","EachESXihostshouldbemonitoredforunsignedkernelmodules.
TolistalltheloadedkernelmodulesfromtheESXiShellorvCLIrun:"esxclisystemmodulelist".
ForeachmoduleverifytheSignedStatusfieldcontainsatrustedvalue,forexample"VMwareSigned",byrunning"esxclisystemmoduleget-m".
SecurethehostbydisablingunsignedmodulesandremovingtheoffendingVIBsfromthehost.
Note:evacuateVMsandplacethehostintomaintenancemodebeforedisablingkernelmodules.
NotethereareknowndiscrepancieswithunsignedkernelmodulesinESXi5.
0u1and5.
1,seehttp://kb.
vmware.
com/kb/2042473.
","N/A","N/A","N/A",,"YES","N/A","#esxclisystemmodulesget-m","#esxclisystemmodulesset-efalse-m","#esxclisystemmodulesget-m","#esxclisystemmodulesset-efalse-m","#ListthesystemmodulesandSignatureInfoforeachhostForeach($VMHostinGet-VMHost){$ESXCli=Get-EsxCli-VMHost$VMHost$ESXCli.
system.
module.
list()|Foreach{$ESXCli.
system.
module.
get($_.
Name)|Select@{N="VMHost";E={$VMHost}},Module,License,Modulefile,Version,SignedStatus,SignatureDigest,SignatureFingerPrint}}","#Todisableamodule:$ESXCli=Get-EsxCli-VMHostMyHost$ESXCli.
system.
module.
set($false,$false,"MyModuleName")",,"http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-E9B71B85-FBA3-447C-8A60-DEE2AE1A405A.
htmlhttp://kb.
vmware.
com/kb/2042473","NO""vmdk-zero-out","vSphere",5.
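As an added example (not a script from the hardening guide), the following PowerCLI audit folds the three verify-acceptance-level-* checks (one allowed set of acceptance levels per Risk Profile) and the verify-kernel-modules check into one read-only report per host. It assumes an existing Connect-VIServer session; $RiskProfile, $TrustedSignedStatus and Get-HostTrustReport are this script's own names, and the report is built only from the esxcli calls the guide itself uses.

```powershell
# Added example, not part of the vSphere 5.5 Hardening Guide.
# Requires PowerCLI and an existing Connect-VIServer session.
param(
    # Hypothetical parameter: 1 = VMware Certified only, 2 = plus VMware Accepted,
    # 3 = plus Partner Supported (mirrors the three verify-acceptance-level-* guidelines)
    [ValidateSet(1, 2, 3)]
    [int]$RiskProfile = 3
)

# Acceptance levels as esxcli reports them (no spaces), per risk profile
$levelsByProfile = @{
    1 = @("VMwareCertified")
    2 = @("VMwareCertified", "VMwareAccepted")
    3 = @("VMwareCertified", "VMwareAccepted", "PartnerSupported")
}
$AllowedLevels = $levelsByProfile[$RiskProfile]

# Signed Status values treated as trusted; extend if your environment has others
$TrustedSignedStatus = @("VMware Signed")

function Get-HostTrustReport {
    param([Parameter(Mandatory)] $VMHost)

    $esxcli = Get-EsxCli -VMHost $VMHost

    # Host-wide acceptance level ("esxcli software acceptance get")
    $hostLevel = $esxcli.software.acceptance.get()

    # Installed VIBs whose acceptance level is outside the allowed set
    $badVibs = $esxcli.software.vib.list() |
        Where-Object { $AllowedLevels -notcontains $_.AcceptanceLevel }

    # Kernel modules whose Signed Status is not trusted. "get" is called per
    # module because "list" does not return signature information.
    $badModules = $esxcli.system.module.list() |
        ForEach-Object { $esxcli.system.module.get($_.Name) } |
        Where-Object { $TrustedSignedStatus -notcontains $_.SignedStatus }

    [pscustomobject]@{
        VMHost              = $VMHost.Name
        HostAcceptanceLevel = $hostLevel
        HostLevelCompliant  = ($AllowedLevels -contains $hostLevel)
        NonCompliantVibs    = @($badVibs | ForEach-Object { "$($_.Name) [$($_.AcceptanceLevel)]" })
        UntrustedModules    = @($badModules | ForEach-Object { "$($_.Module) [$($_.SignedStatus)]" })
    }
}

$report = Get-VMHost | ForEach-Object { Get-HostTrustReport -VMHost $_ }

# Summary table: one line per host
$report | Format-Table VMHost, HostAcceptanceLevel, HostLevelCompliant,
    @{N="BadVIBs";E={$_.NonCompliantVibs.Count}},
    @{N="UntrustedModules";E={$_.UntrustedModules.Count}} -AutoSize

# Detail for hosts with findings; these are the ones to investigate and,
# after evacuating VMs and entering maintenance mode, remediate
$report |
    Where-Object { -not $_.HostLevelCompliant -or $_.NonCompliantVibs.Count -or $_.UntrustedModules.Count } |
    ForEach-Object {
        "== $($_.VMHost) =="
        $_.NonCompliantVibs | ForEach-Object { "  VIB:    $_" }
        $_.UntrustedModules | ForEach-Object { "  Module: $_" }
    }
```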
5,"ESXi","Storage","ZerooutVMDKfilespriortodeletion","TohelppreventsensitivedatainVMDKfilesfrombeingreadoffthephysicaldiskafteritisdeleted,thevirtualdiskshouldbezeroedoutpriortodeletion.
ThiswillmakeitmoredifficultforsomeonetoreconstructthecontentsoftheVMDKfile.
TheCLIcommand'vmkfstools-writezeroes'canbeusedtowritezerostotheentirecontentsofaVMDKfilepriortoitsdeletion.
","1,2","Operational","WhendeletingaVMDKfilewithsensitivedata,shutdownorstopthevirtualmachine,andthenissuetheCLIcommand'vmkfstools-writezeroes'onthatfilepriortodeletingitfromthedatastore.
","N/A","N/A","N/A","N/A","N/A","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
VirtualDiskManager.
html","N/A","#vmkfstools-w","N/A","#vmkfstools-w",,,,"http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
storage.
doc/GUID-050C0FEE-2C75-4356-B9E0-CC802333FF41.
html","NO""vpxuser-password-age","vSphere",5.
5,"ESXI","Access","Ensurethatvpxuserauto-passwordchangemeetspolicy.
","Bydefault,thevpxuserpasswordwillbeautomaticallychangedbyvCenterevery30days.
Ensurethatthissettingmeetsyourpolicies;ifnot,configuretomeetpasswordagingpolicies.
NOTE:Itisveryimportantthatthepasswordagingpolicynotbeshorterthantheintervalthatissettoautomaticallychangethevpxuserpassword,toprecludethepossibilitythatvCentermightgetlockedoutofanESXihost.
Ifanattackerobtainsthevpxuserpassword,thepasswordcanbeusedonlyforalimitedamountoftime.
","1,2,3","Parameter","FromthevSpherewebclient,selectthevCenterServerandgoto"Manage"->"AdvancedSettings".
Enter"VimPasswordExpirationInDays"inthefilter.
Set"VirtualCenter.
VimPasswordExpirationInDays"tocomplywithyourrequirements.
Defaultis30days.
","OnWindows:C:\DocumentsandSettings\AllUsers\ApplicationData\VMware\VMwareVirtualCenter\vpxd.
cfgVCSA:/etc/vmware-vpx/vpxd.
cfg","VirtualCenter.
VimPasswordExpirationInDays","SiteSpecific","Modify","N/A","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionManager.
html","N/A","N/A","N/A","N/A","#ListthevCenterPasswordExpirationValueGet-AdvancedSetting-Entity$defaultVIServer-Name"VirtualCenter.
VimPasswordExpirationInDays"","#SetthevCenterPasswordExpirationValueto10Get-AdvancedSetting-Entity$defaultVIServer-Name"VirtualCenter.
VimPasswordExpirationInDays"|Set-AdvancedSetting-Value10",,"http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-96210743-0C17-4AE9-89FC-76778EC9D06E.
html","NO"vNetwork"ID","Product","Version","Component","Subcomponent","Title","VulnerabilityDiscussion","RiskProfile","ControlType","AssessmentProcedure","ConfigurationFile","ConfigurationParameter","DesiredValue","ChangeType","Isdesiredvaluethedefault","vSphereAPI","ESXiShellCommandAssessment","ESXiShellCommandRemediation","vCLICommandAssessment","vCLICommandRemediation","PowerCLICommandAssessment","PowerCLICommandRemediation","NegativeFunctionalImpact","Reference","AbletosetusingHostProfile""disable-dvportgroup-autoexpand","vSphere",5.
5,"vNetwork","VDS","VerifythattheautoexpandoptionforVDSdvPortgroupsisdisabled","Ifthe"no-unused-dvports"guidelineisfollowed,thereshouldbeonlytheamountofportsonaVDSthatareactuallyneeded.
TheAutoexpandfeatureonVDSdvPortgroupscanoverridethatlimit.
ThefeatureallowsdvPortgroupstoautomaticallyadd10vSphereDistributedSwitchportstoadvPortgroupthathasrunoutofavailableports.
Theriskisthatmaliciouslyorinadvertently,avirtualmachinethatisnotsupposedtobepartofthatportgroupisabletoaffectconfidentiality,integrityorauthenticityofdataofothervirtualmachinesonthatportgroup.
ToreducetheriskofinappropriatedvPortgroupaccess,theautoexpandoptiononVDSshouldbedisabled.
Bydefaulttheoptionisdisabled,butregularmonitoringshouldbeimplementedtoverifythishasnotbeenchanged.
","1,2","Configuration","ConnecttothevCenterServerusingtheWebClient.
VerifythatintheNetworking>(vDSname)>(dvPortgroupname)>Manage>EditSettings>General>"Portallocation"issetto"Fixed"andthe"NumberofPorts"isonlytheamountrequiredforlegitimatevirtualmachineconnectionstothatdvPortgroup.
","N/A","N/A","N/A","N/A","N/A","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
dvs.
DistributedVirtualPortgroup.
htmlhttp://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
alarm.
AlarmManager.
html","N/A","N/A","N/A","N/A","#CheckifautoexpandisenabledonvDSGet-VirtualPortGroup-Distributed|SelectName,@{N="AutoExpand";E={$_.
ExtensionData.
Config.
AutoExpand}}",,,"http://kb.
vmware.
com/kb/1022312","N/A""document-pvlans","vSphere",5.
5,"vNetwork","VDS","EnsurethatprivateVLANIDsforalldvSwitchesarefullydocumented","dvSwitchPrivateVLANs(PVLANs)requireprimaryandsecondaryVLANIDs.
TheseneedtocorrespondtotheIDsonexternalPVLAN-awareupstreamswitchesifany.
IfVLANIDsarenottrackedcompletely,mistakenre-useofIDscouldallowfortraffictobeallowedbetweeninappropriatephysicalandvirtualmachines.
Similarly,wrongormissingPVLANIDsmayleadtotrafficnotpassingbetweenappropriatephysicalandvirtualmachines.
","1,2,3","Operational","FromthevSphereClientlogintovCS.
Home>Inventory>Networking.
SelectdvSwitchandEditSettings.
OrfromthevSphereWebclientgotoNetworking>(vDSname)>(dvPortgroupname)>Manage>EditSettings>VLAN.
VerifyandrecordPVLANlabelsandIDs.
","N/A","N/A","N/A","N/A","N/A","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
dvs.
VMwareDistributedVirtualSwitch.
ConfigInfo.
html","N/A","N/A","N/A","N/A","#ListalldvSwitchesandtheirPortgroups,VLANTypeandIdsForeach($dPGin(Get-VirtualPortGroup-Distributed)){Switch((($dPG.
ExtensionData.
Config.
DefaultPortConfig.
Vlan).
GetType()).
Name){VMwareDistributedVirtualSwitchPvlanSpec{$Type="PrivateVLAN"$VLAN=$dPG.
ExtensionData.
Config.
DefaultPortConfig.
Vlan.
pVlanID}VMwareDistributedVirtualSwitchTrunkVlanSpec{$Type="VLANTrunk"$VLAN=($dPG.
ExtensionData.
Config.
DefaultPortConfig.
Vlan.
VlanID|SelectStart,End)}VMwareDistributedVirtualSwitchVlanIdSpec{$Type="VLAN"$VLAN=$dPG.
ExtensionData.
Config.
DefaultPortConfig.
Vlan.
vlanID}default{$Type=(($dPG.
ExtensionData.
Config.
DefaultPortConfig.
Vlan).
GetType()).
Name$VLAN="Unknown"}}$dpg|SelectvirtualSwitch,Name,@{N="Type";E={$Type}},@{N="VLanId";E={$VLAN}}}",,,"http://kb.
vmware.
com/KB/1010691","N/A""document-vlans","vSphere",5.
5,"vNetwork","vSwitch","EnsurethatallvSwitchandVLANSIDsarefullydocumented","IfyouareusingVLANtaggingonavSwitch,theseneedtocorrespondtotheIDsonexternalVLAN-awareupstreamswitchesifany.
IfVLANIDsarenottrackedcompletely,mistakenre-useofIDscouldallowfortraffictobeallowedbetweeninappropriatephysicalandvirtualmachines.
Similarly,wrongormissingVLANIDsmayleadtotrafficnotpassingbetweenappropriatephysicalandvirtualmachines.
","1,2,3","Operational","VerifybyusingthevSphereClienttoconnecttothevCenterServerandasadministrator:1.
Goto"Home>Inventory>HostsandClusters".
2.
SelecteachESXihostwithvirtualswitchesconnectedtoactiveVM'srequiringsecuring.
3.
Goto"Configuration>Network>vSwitch()>Properties>Ports>[PortgroupName]>VLANID"4.
VerifyandrecordVLANIDsinatrackingsystemapprovedbyyourorganizationorfollowingindustrybestpractices.
","N/A","N/A","N/A","N/A","N/A",,"#esxclinetworkvswitchstandardportgrouplist","N/A","#esxclinetworkvswitchstandardportgrouplist","N/A","#ListallvSwitches,theirPortgroupsandVLANIdsGet-VirtualPortGroup-Standard|SelectvirtualSwitch,Name,VlanID",,,,"N/A""document-vlans-vds","vSphere",5.
5,"vNetwork","VDS","EnsurethatVLANIDsforalldvPortgroupsarefullydocumented","IfyouareusingVLANtaggingonadvPortgrouptheseneedtocorrespondtotheIDsonexternalVLAN-awareupstreamswitchesifany.
IfVLANIDsarenottrackedcompletely,mistakenre-useofIDscouldallowfortraffictobeallowedbetweeninappropriatephysicalandvirtualmachines.
Similarly,wrongormissingVLANIDsmayleadtotrafficnotpassingbetweenappropriatephysicalandvirtualmachines.
","1,2,3","Operational","FromthevSphereClientlogintovCS.
Home>Inventory>Networking.
SelectdvSwitchanddvPortgroupand"EditSettings>Policies>VLAN>VLANID".
OrfromthevSphereWebclientgotoNetworking>(vDSname)>(dvPortgroupname)>Manage>EditSettings>VLAN.
VerifyandrecordVLANNamesandIDs.
","N/A","N/A","N/A","N/A","N/A","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
dvs.
VMwareDistributedVirtualSwitch.
VlanSpec.
html","N/A","N/A","N/A","N/A","#ListalldvSwitchesandtheirPortgroups,VLANTypeandIdsForeach($dPGin(Get-VirtualPortGroup-Distributed)){Switch((($dPG.
ExtensionData.
Config.
DefaultPortConfig.
Vlan).
GetType()).
Name){VMwareDistributedVirtualSwitchPvlanSpec{$Type="PrivateVLAN"$VLAN=$dPG.
ExtensionData.
Config.
DefaultPortConfig.
Vlan.
pVlanID}VMwareDistributedVirtualSwitchTrunkVlanSpec{$Type="VLANTrunk"$VLAN=($dPG.
ExtensionData.
Config.
DefaultPortConfig.
Vlan.
VlanID|SelectStart,End)}VMwareDistributedVirtualSwitchVlanIdSpec{$Type="VLAN"$VLAN=$dPG.
ExtensionData.
Config.
DefaultPortConfig.
Vlan.
vlanID}default{$Type=(($dPG.
ExtensionData.
Config.
DefaultPortConfig.
Vlan).
GetType()).
Name$VLAN="Unknown"}}$dpg|SelectvirtualSwitch,Name,@{N="Type";E={$Type}},@{N="VLanId";E={$VLAN}}}",,,,"N/A""enable-bpdu-filter","vSphere",5.
5,"vNetwork","Physical","EnableBPDUfilterontheESXihosttopreventbeinglockedoutofphysicalswitchportswithPortfastandBPDUGuardenabled","BPDUGuardandPortfastarecommonlyenabledonthephysicalswitchtowhichtheESXihostisdirectlyconnectedtoreducetheSTPconvergencedelay.
IfaBPDUpacketissentfromavirtualmachineontheESXihosttothephysicalswitchsoconfigured,acascadinglockoutofalltheuplinkinterfacesfromtheESXihostcanoccur.
Topreventthistypeoflockout,BPDUFiltercanbeenabledontheESXihosttodropanyBPDUpacketsbeingsenttothephysicalswitch.
ThecaveatisthatcertainSSLVPNwhichuseWindowsbridgingcapabilitycanlegitimatelygenerateBPDUpackets.
TheadministratorshouldverifythattherearenolegitimateBPDUpacketsgeneratedbyvirtualmachinesontheESXihostpriortoenablingBPDUFilter.
IfBPDUFilterisenabledinthissituation,enablingRejectForgedTransmitsonthevirtualswitchportgroupaddsprotectionagainstSpanningTreeloops.
","1,2,3","Configuration","VerifythattherearenovirtualmachinesrequiredtosendBPDUontheESXihost.
Thiswouldbevirtualmachineswithbridgingenabled,suchasvirtualnetworkdevicesandvirtualmachineswithbridgingVPNSSLsoftwareinstalled.
FromthevSphereClientorvSphereWebClient,selecttheESXihostininventoryandinAdvancedSettingssettheNetBlockGuestBPDUvalueto1.
Detailedstepsandanexplanationcanbefoundinthereferencelinkprovided.
",,"Net.
BlockGuestBPDU","1",,"no","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
wssdk.
apiref.
doc/vim.
option.
OptionManager.
html","esxclisystemsettingsadvancedlist-o/Net/BlockGuestBPDU","esxclisystemsettingsadvancedset-o/Net/BlockGuestBPDU-i0","esxclisystemsettingsadvancedlist-o/Net/BlockGuestBPDU","esxclisystemsettingsadvancedset-o/Net/BlockGuestBPDU-i0",,,,"http://kb.
vmware.
com/selfservice/microsites/search.
dolanguage=en_US&cmd=displayKC&externalId=2017193http://kb.
vmware.
com/selfservice/microsites/microsite.
docmd=displayKCPopup&docType=kc&externalId=2047822","N/A""enable-portfast","vSphere",5.
5,"vNetwork","Physical","EnsurethatphysicalswitchportsareconfiguredwithPortfastifspanningtreeisenabled.
","SinceVMwarevirtualswitchesdonotsupportSTP,theESXihost-connectedphysicalswitchportsmusthaveportfastconfiguredifspanningtreeisenabledtoavoidloopswithinthephysicalswitchnetwork.
Ifthesearenotset,potentialperformanceandconnectivityissuesmightarise.
","1,2,3","Operational","Logintothephysicalswitchandensurethatspanningtreeprotocolisdisabledand/orportfastisconfiguredforallphysicalportsconnectedtoESXihosts.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A",,,,,"N/A""isolate-mgmt-network-airgap","vSphere",5.
5,"vNetwork","Architecture","EnsurethatvSpheremanagementtrafficisonarestrictednetwork.
","ThevSpheremanagementnetworkprovidesaccesstothevSpheremanagementinterfaceofeachvSpherecomponent.
ServicesrunningonthemanagementinterfaceprovideanopportunityforanattackertogainprivilegedaccesstodataofthevirtualmachinesrunninginvSphere.
Remoteattackswouldprioritizegettingaccesstothisnetwork.
ExamplesofcomponentsthatshouldbeonanisolatedmanagementnetworkarevCenterServer,mangementconsolesofVMwaresolutions(vSpherewebclient,VUM,SSO,AutoDeploy,etc),managementconsolesofhardwareandsoftwarecomponentssuchasstorageandnetwork.
Also,managementconsolesofkeyinfrastructureserviceslikesyslog,NTP,ADandotherlegitimate3rdpartyproducts.
Thisisnotmeanttobeanexhaustivelist.
",1,"Configuration","ThevSpheremanagementportgroupshouldbeonamanagement-onlyvSpherestandardswitch(VSS)orvSphereDistributedSwitch(VDS).
DoingsoavoidsdependencyonVLANsforisolation,whichmightbeappropriateforcertainenvironments.
Checkthatthemanagement-onlyVSSorDVSdoesnotcontainanynon-managementportgroups.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A",,,"Atleastoneadditionalphysicalnetworkadaptormustbededicatedtomanagement(moreifnetworkadaptorteamingisused).
Thismightgreatlyincreasethecostofthephysicalnetworkinginfrastructurerequired.
Inresource-constrainedenvironments(suchasblades),thismightnotbepossibletoachieve.
","","N/A""isolate-mgmt-network-vlan","vSphere",5.
5,"vNetwork","Architecture","EnsurethatvSpheremanagementtrafficisonarestrictednetwork.
","ThevSpheremanagementnetworkprovidesaccesstothevSpheremanagementinterfaceoneachcomponent.
Servicesrunningonthemanagementinterfaceprovideanopportunityforanattackertogainprivilegedaccesstothesystems.
Anyremoteattackmostlikelywouldbeginwithgainingentrytothisnetwork.
","2,3","Configuration","ThevSpheremanagementportgroupshouldbeinadedicatedVLANonacommonvSwitch.
ThevSwitchcanbesharedwithproduction(virtualmachine)traffic,aslongasthevSpheremanagementportgroup'sVLANisnotusedbyproductionvirtualmachines.
Checkthatthenetworksegmentisnotrouted,exceptpossiblytonetworkswhereothermanagement-relatedentitiesarefound.
(Example:vSphereReplication)Inparticular,makesurethatproductionvirtualmachinetrafficcannotberoutedtothisnetwork.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A",,,,"vSphereReplicationreference:http://kb.
vmware.
com/selfservice/microsites/search.
dolanguage=en_US&cmd=displayKC&externalId=1009562","N/A""isolate-storage-network-airgap","vSphere",5.
5,"vNetwork","Architecture","EnsurethatIP-basedstoragetrafficisisolated.
","VirtualmachinesmightsharevirtualswitchesandVLANswiththeIP-basedstorageconfigurations.
IP-basedstorageincludesiSCSIandNFS.
ThistypeofconfigurationmightexposeIP-basedstoragetraffictounauthorizedvirtualmachineusers.
IP-basedstoragefrequentlyisnotencrypted.
Itcanbeviewedbyanyonewithaccesstothisnetwork.
TorestrictunauthorizedusersfromviewingtheIP-basedstoragetraffic,theIP-basedstoragenetworkshouldbelogicallyseparatedfromtheproductiontraffic.
ConfiguringtheIP-basedstorageadaptorsonseparateVLANsornetworksegmentsfromtheVMkernelmanagementandserviceconsolenetworkwilllimitunauthorizedusersfromviewingthetraffic.
",1,"Configuration","ThevSpherestoragetypeportgroupsshouldeachbeontheirownvSpherestandardswitch(VSS)orvSphereDistributedSwitch(VDS).
DoingsoavoidsdependencyonVLANsforisolation,whichmightbeappropriateforcertainenvironments.
Checkthatthestorage-onlyVSSorDVSdoesnotcontainanynon-storageportgroups.
Checkthatthephysicalnetworkisnotaccessedbyanyothernon-storageentity.
CheckthatthestorageportgroupvSwitchdoesnotcontainanynon-storageportgroups.
Checkthatthephysicalnetworkisnotaccessedbyanyothernon-storageentity.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A",,,"Atleastoneadditionalphysicalnetworkadaptormustbededicatedtomanagement(moreifnetworkadaptorteamingisused).
Thismightgreatlyincreasethecostofthephysicalnetworkinginfrastructurerequired.
Inresource-constrainedenvironments(suchasblades),thismightnotbepossibletoachieve.
",,"N/A""isolate-storage-network-vlan","vSphere",5.
5,"vNetwork","Architecture","EnsurethatIP-basedstoragetrafficisisolated.
","VirtualmachinesmightsharevirtualswitchesandVLANswiththeIP-basedstorageconfigurations.
IP-basedstorageincludesiSCSIandNFS.
ThistypeofconfigurationmightexposeIP-basedstoragetraffictounauthorizedvirtualmachineusers.
IP-basedstoragefrequentlyisnotencrypted.
Itcanbeviewedbyanyonewithaccesstothisnetwork.
TorestrictunauthorizedusersfromviewingtheIP-basedstoragetraffic,theIP-basedstoragenetworkshouldbelogicallyseparatedfromtheproductiontraffic.
ConfiguringtheIP-basedstorageadaptorsonseparateVLANsornetworksegmentsfromtheVMkernelmanagementandserviceconsolenetworkwilllimitunauthorizedusersfromviewingthetraffic.
","2,3","Configuration","StorageportgroupsshouldbeinadedicatedVLANonacommonvSwitch.
ThevSwitchcanbesharedwithproduction(virtualmachine)traffic,aslongasthestorageportgroup'sVLANisnotusedbyproductionvirtualmachines.
CheckforusageoftheVLANIDonnon-storageportgroups.
CheckthattheVLANisisolatedandnotroutedinthephysicalnetwork.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A",,,,,"N/A""isolate-vmotion-network-airgap","vSphere",5.
5,"vNetwork","Architecture","EnsurethatvMotiontrafficisisolated.
","ThesecurityissuewithvMotionmigrationsisthatinformationistransmittedinplaintext,andanyonewithaccesstothenetworkoverwhichthisinformationflowscanviewit.
PotentialattackerscaninterceptvMotiontraffictoobtainmemorycontentsofavirtualmachine.
TheymightalsopotentiallystageaMiTMattackinwhichthecontentsaremodifiedduringmigration.
EnsurethatvMotiontrafficisseparatefromproductiontrafficonanisolatednetwork.
Thisnetworkshouldbenonroutable(nolayer-3routerspanningthisandothernetworks),whichwillpreventanyoutsideaccesstothenetwork.
",1,"Configuration","ThevMotionportgroupshouldbeonavMotion-onlyvSphereStandardSwitch(VSS)orDistributedSwitch(VDS).
DoingsoavoidsdependencyonVLANsforisolation,whichmightbeappropriateforcertainenvironments.
CheckthatthevMotionportgroupvSwitchdoesnotcontainanynon-vMotionportgroups.
Checkthatthephysicalnetworkisnotaccessedbyanyothernon-vMotionentity.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A",,,"Atleastoneadditionalphysicalnetworkadaptormustbededicatedtomanagement(moreifnetworkadaptorteamingisused).
Thismightgreatlyincreasethecostofthephysicalnetworkinginfrastructurerequired.
Inresource-constrainedenvironments(suchasblades),thismightnotbepossibletoachieve.
",,"N/A""isolate-vmotion-network-vlan","vSphere",5.
Component: vNetwork
Subcomponent: Architecture
Title: Ensure that vMotion traffic is isolated.
Vulnerability Discussion: The security issue with vMotion migrations is that information is transmitted in plain text, and anyone with access to the network over which this information flows can view it. Potential attackers can intercept vMotion traffic to obtain memory contents of a virtual machine. They might also potentially stage a MiTM attack in which the contents are modified during migration. Ensure that vMotion traffic is separate from production traffic on an isolated network. This network should be non-routable (no layer-3 router spanning this and other networks), which will prevent any outside access to the network.
Risk Profile: 2,3
Control Type: Configuration
Assessment Procedure: The vMotion port group should be in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the vMotion port group's VLAN is not used by production virtual machines. Check for usage of the VLAN ID on non-vMotion port groups. Check that the VLAN is isolated and not routed in the physical network.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API, ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference: (empty)
Able to set using Host Profile: N/A

ID: label-portgroups
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: vSwitch
Title: Ensure that port groups are configured with a clear network label.
Vulnerability Discussion: A network label identifies each port group with a name. These names are important because they serve as a functional descriptor for the port group. Without these descriptions, identifying port groups and their functions becomes difficult as the network becomes more complex.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure:
  1. From the vSphere Client, check the names of the different port groups. To check the port group names in the vSphere Client, connect to the vCenter Server and navigate to Home > Inventory > Networking. You will be able to view all the different port groups and determine if the port group names are clearly labeled or might be renamed with a meaningful name.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.PortGroup.Specification.html
ESXi Shell Command Assessment: # esxcli network vswitch standard portgroup list
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: # esxcli network vswitch standard portgroup list
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List all Portgroups
  Get-VirtualPortGroup
PowerCLI Command Remediation, Negative Functional Impact, Reference: (empty)
Able to set using Host Profile: N/A

ID: label-vswitches
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VDS
Title: Ensure that all vSphere Distributed Switches have a clear network label.
Vulnerability Discussion: vSphere Distributed Switches within the ESXi Server require a field for the name of the switch. This label is important because it serves as a functional descriptor for the switch, just as physical switches require a hostname. Labeling dvSwitches will indicate the function or the IP subnet of the dvSwitches. For instance, labeling the virtual switch as "internal" or some variation will indicate that the dvSwitch is only for internal networking between a virtual machine's private virtual switch with no physical network adaptors bound to it. NOTE: This guideline is for dvSwitches only. Standard vSwitch labels cannot be changed.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: With the vSphere Client, connect to the vCenter Server and navigate to Home > Inventory > Networking. You will be able to view all of the dvSwitches in that vCenter and determine if the switches are clearly labeled.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.PortGroup.Specification.html
ESXi Shell Command Assessment: # esxcli network vswitch standard list
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: # esxcli network vswitch standard list
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List all vSwitches
  Get-VirtualSwitch
PowerCLI Command Remediation, Negative Functional Impact: (empty)
Reference: http://kb.vmware.com/kb/1020757
Able to set using Host Profile: N/A

ID: limit-administrator-scope
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: vSwitch
Title: Ensure that only authorized administrators have access to virtual networking components.
Vulnerability Discussion: This control mitigates the risk of misconfiguration, whether accidental or malicious, and enforces key security concepts of separation of duties and least privilege. It is important to leverage the role-based access controls within vSphere to ensure that only authorized administrators have access to the different virtual networking components. For example, VM administrators should have access only to port groups in which their VMs reside. Network administrators should have permissions to all virtual networking components but not have access to VMs. These controls will depend very much on the organization's policy on separation of duties, least privilege, and the responsibilities of the administrators within the organization.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Ensure that vSphere permissions to specific port groups are granted only to those individuals who need it.
  1. Log in to the vCenter Server using the vSphere Client as a user with full Administrator Role rights to the Inventory object you are checking.
  2. Select "[Inventory Object] > Permissions". Verify that the users assigned to this Inventory object have the appropriate Role.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.AuthorizationManager.html
ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference: (empty)
Able to set using Host Profile: N/A

ID: limit-network-healthcheck
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VDS
Title: Disable VDS network health check if you are not actively using it.
Vulnerability Discussion: Network Health Check is disabled by default. Once enabled, the health check packets contain information on host #, vds # and port #, which an attacker would find useful. It is recommended that network health check be used for troubleshooting, and turned off when troubleshooting is finished.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Using the vSphere Web Client, select each VDS and go to Manage > Settings > Health check. Verify that "VLAN and MTU Check" and "Teaming and Failover Check" are both disabled. Limit the use of this to when actively troubleshooting VLAN or MTU issues on a VDS.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc%2Fvim.DistributedVirtualSwitch.html
ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference: (empty)
Able to set using Host Profile: N/A

ID: no-native-vlan-1
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VLAN
Title: Ensure that port groups are not configured to the value of the native VLAN.
Vulnerability Discussion: ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up as belonging to the native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered as the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a "1"; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a "1" instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: If the default value of 1 for the native VLAN is being used, the ESXi Server virtual switch port groups should be configured with any value between 2 and 4094. Otherwise, ensure that the port group is not configured to use whatever value is set for the native VLAN.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.PortGroup.Specification.html
ESXi Shell Command Assessment: # esxcli network vswitch standard portgroup list
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: # esxcli network vswitch standard portgroup list
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List all vSwitches, their Portgroups and VLAN Ids
  Get-VirtualPortGroup -Standard | Select virtualSwitch, Name, VlanID
PowerCLI Command Remediation, Negative Functional Impact, Reference: (empty)
Able to set using Host Profile: N/A

ID: no-reserved-vlans
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VLAN
Title: Ensure that port groups are not configured to VLAN values reserved by upstream physical switches.
Vulnerability Discussion: Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001–1024 and 4094, while Nexus switches typically reserve 3968–4047 and 4094. Check with the documentation for your specific switch. Using a reserved VLAN might result in a denial of service on the network.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: The VLAN ID setting on all port groups should not be set to reserved values of the physical switch.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.PortGroup.Specification.html
ESXi Shell Command Assessment: # esxcli network vswitch standard portgroup list
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: # esxcli network vswitch standard portgroup list
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List all vSwitches, their Portgroups and VLAN Ids
  Get-VirtualPortGroup -Standard | Select virtualSwitch, Name, VlanID
PowerCLI Command Remediation, Negative Functional Impact, Reference: (empty)
Able to set using Host Profile: N/A

ID: no-unused-dvports
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VDS
Title: Ensure that there are no unused ports on a distributed virtual port group.
Vulnerability Discussion: The number of ports available on a vSphere Distributed Switch distributed port group can be adjusted to exactly match the number of virtual machine vNICs that need to be assigned to that dvPortgroup. Limiting the number of ports to just what is needed limits the potential for an administrator, either accidentally or maliciously, to move a virtual machine to an unauthorized network. This is especially relevant if the management network is on a dvPortgroup, because it could help prevent someone from putting a rogue virtual machine on this network.
Risk Profile: 1,2
Control Type: Configuration
Assessment Procedure: Connect to the vCenter Server with the vSphere Client (Home > Inventory > Networking view, find all dvSwitches) or the Web Client (Networking > vDS name > dvPortgroup name > Manage > Edit Settings > General) and verify that the total number of ports available is only the amount required for legitimate virtual machine connections to that dvPortgroup.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.dvs.DistributedVirtualPortgroup.html
ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # Check for the number of free ports on all VDS PortGroups
  Function Get-FreeVDSPort {
    Param (
      [parameter(Mandatory=$true, ValueFromPipeline=$true)]
      $VDSPG
    )
    Process {
      # vNIC device types whose backing can be a distributed port
      $nicTypes = "VirtualE1000", "VirtualE1000e", "VirtualPCNet32", "VirtualVmxnet", "VirtualVmxnet2", "VirtualVmxnet3"
      # Start with every port key of the dvPortgroup, then remove the ones a vNIC is using
      $ports = @{}
      $VDSPG.ExtensionData.PortKeys | Foreach { $ports.Add($_, $VDSPG.Name) }
      $VDSPG.ExtensionData.Vm | Foreach {
        $VMView = Get-View $_
        $nic = $VMView.Config.Hardware.Device | where { $nicTypes -contains $_.GetType().Name -and $_.Backing.GetType().Name -match "Distributed" }
        $nic | where { $_.Backing.Port.PortKey } | Foreach { $ports.Remove($_.Backing.Port.PortKey) }
      }
      # Whatever is left is unused port capacity
      ($ports.Keys).Count
    }
  }
  Get-VirtualPortGroup -Distributed | Select Name, @{N="NumFreePorts";E={Get-FreeVDSPort -VDSPG $_}}
PowerCLI Command Remediation: (empty)
Negative Functional Impact: The VDS or dvPortgroup on the VDS will not have any extra available port capacity.
Reference: (empty)
Able to set using Host Profile: N/A

ID: no-vgt-vlan-4095
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VLAN
Title: Ensure that port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT).
Vulnerability Discussion: When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal with them. VLAN 4095 should be used only if the guest has been specifically configured to manage VLAN tags itself. If VGT is enabled inappropriately, it might cause denial of service or allow a guest VM to interact with traffic on an unauthorized VLAN.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: The VLAN ID setting on all port groups should not be set to 4095 unless VGT is required.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.PortGroup.Specification.html
ESXi Shell Command Assessment: # esxcli network vswitch standard portgroup list
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: # esxcli network vswitch standard portgroup list
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List all vSwitches, their Portgroups and VLAN Ids
  Get-VirtualPortGroup -Standard | Select virtualSwitch, Name, VlanID
PowerCLI Command Remediation, Negative Functional Impact, Reference: (empty)
Able to set using Host Profile: N/A

ID: reject-forged-transmit
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: vSwitch
Title: Ensure that the "Forged Transmits" policy is set to reject.
Vulnerability Discussion: If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Forged transmits is set to accept by default. This means the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmits set to reject. Reject Forged Transmits can be set at the vSwitch and/or the Portgroup level. You can override switch-level settings at the Portgroup level.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server and, as administrator:
  1. Go to "Home > Inventory > Networking".
  2. Select "VM Network" for standard switches.
  3. Select Hosts and each Host that requires modification.
  4. Select each Portgroup connected to active VMs requiring securing.
  5. Go to tab "Summary > Edit Settings > Policies > Security".
  6. "Forged Transmits" = "Reject"
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.NetworkPolicy.SecurityPolicy.html
ESXi Shell Command Assessment: # esxcli network vswitch standard policy security get -v [VSWITCH]
ESXi Shell Command Remediation: # esxcli network vswitch standard policy security set -v vSwitch2 -f false
vCLI Command Assessment: # esxcli network vswitch standard policy security get -v [VSWITCH]
vCLI Command Remediation: # esxcli vswitch standard policy security set -v vSwitch2 -f false
PowerCLI Command Assessment:
  # List all vSwitches and their Security Settings
  Get-VirtualSwitch -Standard | Select VMHost, Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Spec.Policy.Security.MacChanges) {"Accept"} Else {"Reject"}}}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Spec.Policy.Security.PromiscuousMode) {"Accept"} Else {"Reject"}}}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Spec.Policy.Security.ForgedTransmits) {"Accept"} Else {"Reject"}}}
PowerCLI Command Remediation: (empty)
Negative Functional Impact: This will prevent VMs from changing their effective MAC address. This will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to.
Reference: (empty)
Able to set using Host Profile: N/A

ID: reject-forged-transmit-dvportgroup
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VDS
Title: Ensure that the "Forged Transmits" policy is set to reject.
Vulnerability Discussion: If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Forged transmits is set to accept by default. This means the dvPortgroup does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmits set to reject.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server and, as administrator:
  1. Go to "Home > Inventory > Networking".
  2. Select "DSwitch" for distributed port groups.
  3. Select each dvPortgroup connected to active VMs requiring securing.
  4. Go to tab "Summary > Edit Settings > Policies > Security".
  5. Set the Forged transmits value to "Reject".
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.dvs.VMwareDistributedVirtualSwitch.SecurityPolicy.html
ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List all dvPortGroups and their Security Settings
  Get-VirtualPortGroup -Distributed | Select Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value) {"Accept"} Else {"Reject"}}}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value) {"Accept"} Else {"Reject"}}}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value) {"Accept"} Else {"Reject"}}}
PowerCLI Command Remediation: (empty)
Negative Functional Impact: This will prevent VMs from changing their effective MAC address. This will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the dvPortgroups that these applications are connected to.
Reference: (empty)
Able to set using Host Profile: N/A

ID: reject-mac-change-dvportgroup
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VDS
Title: Ensure that the "MAC Address Change" policy is set to reject.
Vulnerability Discussion: If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the dvPortgroups that these applications are connected to.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server and, as administrator:
  1. Go to "Home > Inventory > Networking".
  2. Select "DSwitch" for distributed port groups.
  3. Select each dvPortgroup connected to active VMs requiring securing.
  4. Go to tab "Summary > Edit Settings > Policies > Security".
  5. "Mac Address Changes" = "Reject"
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.dvs.VMwareDistributedVirtualSwitch.SecurityPolicy.html
ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List all dvPortGroups and their Security Settings
  Get-VirtualPortGroup -Distributed | Select Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value) {"Accept"} Else {"Reject"}}}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value) {"Accept"} Else {"Reject"}}}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value) {"Accept"} Else {"Reject"}}}
PowerCLI Command Remediation: (empty)
Negative Functional Impact: This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the dvPortgroups that these applications are connected to.
Reference: (empty)
Able to set using Host Profile: N/A

ID: reject-mac-changes
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: vSwitch
Title: Ensure that the "MAC Address Change" policy is set to reject.
Vulnerability Discussion: If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to. Reject MAC Changes can be set at the vSwitch and/or the Portgroup level. You can override switch-level settings at the Portgroup level.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server and, as administrator:
  1. Go to "Home > Inventory > Networking".
  2. Select "VM Network" for standard switches.
  3. Select Hosts and each Host that requires modification.
  4. Select each Portgroup connected to active VMs requiring securing.
  5. Go to tab "Summary > Edit Settings > Policies > Security".
  6. "Mac Address Changes" = "Reject"
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.NetworkPolicy.SecurityPolicy.html
ESXi Shell Command Assessment: # esxcli network vswitch standard policy security get -v [VSWITCH]
ESXi Shell Command Remediation: # esxcli network vswitch standard policy security set -v vSwitch2 -m false
vCLI Command Assessment: # esxcli network vswitch standard policy security get -v [VSWITCH]
vCLI Command Remediation: # esxcli vswitch standard policy security set -v vSwitch2 -m false
PowerCLI Command Assessment:
  # List all vSwitches and their Security Settings
  Get-VirtualSwitch -Standard | Select VMHost, Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Spec.Policy.Security.MacChanges) {"Accept"} Else {"Reject"}}}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Spec.Policy.Security.PromiscuousMode) {"Accept"} Else {"Reject"}}}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Spec.Policy.Security.ForgedTransmits) {"Accept"} Else {"Reject"}}}
PowerCLI Command Remediation: (empty)
Negative Functional Impact: This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to.
Reference: (empty)
Able to set using Host Profile: N/A

ID: reject-promiscuous-mode
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: vSwitch
Title: Ensure that the "Promiscuous Mode" policy is set to reject.
Vulnerability Discussion: When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the Portgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that Portgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. However, there might be a legitimate reason to enable it for debugging, monitoring or troubleshooting reasons. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the Portgroups that these applications are connected to, in order to allow for full-time visibility to the traffic on that Portgroup. Promiscuous mode can be set at the vSwitch and/or the Portgroup level. You can override switch-level settings at the Portgroup level.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server and, as administrator:
  1. Go to "Home > Inventory > Networking".
  2. Select "VM Network" for standard switches.
  3. Select Hosts and each Host that requires modification.
  4. Select each Portgroup connected to active VMs requiring securing.
  5. Go to tab "Summary > Edit Settings > Policies > Security".
  6. "Promiscuous Mode" = "Reject"
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.NetworkPolicy.SecurityPolicy.html
ESXi Shell Command Assessment: # esxcli network vswitch standard policy security get -v [VSWITCH]
ESXi Shell Command Remediation: # esxcli network vswitch standard policy security set -v vSwitch2 -p false
vCLI Command Assessment: # esxcli network vswitch standard policy security get -v [VSWITCH]
vCLI Command Remediation: # esxcli vswitch standard policy security set -v vSwitch2 -p false
PowerCLI Command Assessment:
  # List all vSwitches and their Security Settings
  Get-VirtualSwitch -Standard | Select VMHost, Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Spec.Policy.Security.MacChanges) {"Accept"} Else {"Reject"}}}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Spec.Policy.Security.PromiscuousMode) {"Accept"} Else {"Reject"}}}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Spec.Policy.Security.ForgedTransmits) {"Accept"} Else {"Reject"}}}
PowerCLI Command Remediation: (empty)
Negative Functional Impact: Security devices that require the ability to see all packets on a vSwitch will not operate properly if the "Promiscuous Mode" parameter is set to "Reject."
Reference: (empty)
Able to set using Host Profile: N/A

ID: reject-promiscuous-mode-dvportgroup
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VDS
Title: Ensure that the "Promiscuous Mode" policy is set to reject.
Vulnerability Discussion: When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the dvPortgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. However, there might be a legitimate reason to enable it for debugging, monitoring or troubleshooting reasons. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that these applications are connected to, in order to allow for full-time visibility to the traffic on that dvPortgroup. Unlike standard vSwitches, dvSwitches only allow Promiscuous Mode at the dvPortgroup level.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server and, as administrator:
  1. Go to "Home > Inventory > Networking".
  2. Select "DSwitch" for distributed port groups.
  3. Select each dvPortgroup connected to active VMs requiring securing.
  4. Go to tab "Summary > Edit Settings > Policies > Security".
  5. "Promiscuous Mode" = "Reject"
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.dvs.VMwareDistributedVirtualSwitch.SecurityPolicy.html
ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List all dvPortGroups and their Security Settings
  Get-VirtualPortGroup -Distributed | Select Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value) {"Accept"} Else {"Reject"}}}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value) {"Accept"} Else {"Reject"}}}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value) {"Accept"} Else {"Reject"}}}
PowerCLI Command Remediation: (empty)
Negative Functional Impact: Security devices that require the ability to see all packets on a vSwitch will not operate properly if the "Promiscuous Mode" parameter is set to "Reject."
Reference: (empty)
Able to set using Host Profile: N/A

ID: restrict-mgmt-network-access-gateway
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: Architecture
Title: Strictly control access to the management network.
Vulnerability Discussion: The management network should be protected at the security level of the most secure virtual machine running on a host/cluster. If an attacker gains access to the management network, it provides the staging ground for further attack. No matter how the management network is restricted, there will always be a need for administrators to access this network to configure VMware vCenter Server and the VMware ESX/ESXi hosts. Instead of allowing client systems on this network, there are ways to enable access to management functionality in a strictly controlled manner.
Risk Profile: 1
Control Type: Configuration
Assessment Procedure: Configure a controlled gateway or other controlled method to access the management network. For example, require that administrators connect to it via a VPN, and allow access only by trusted administrators.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API, ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference: (empty)
Able to set using Host Profile: N/A

ID: restrict-mgmt-network-access-jumpbox
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: Architecture
Title: Strictly control access to the management network.
Vulnerability Discussion: The management network should be protected at the security level of the most secure virtual machine running on a host/cluster. If an attacker gains access to the management network, it provides the staging ground for further attack. No matter how the management network is restricted, there will always be a need for administrators to access this network to configure VMware vCenter Server and the VMware ESX/ESXi hosts. Instead of allowing client systems on this network, there are ways to enable access to management functionality in a strictly controlled manner.
Risk Profile: 2,3
Control Type: Configuration
Assessment Procedure: Configure jump boxes that run the vSphere Client and other management clients (e.g. vSphere Management Assistant). There are different industry-accepted ways to configure a jump box. The particular method should be chosen based upon a local risk assessment.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API, ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference: (empty)
Able to set using Host Profile: N/A

ID: restrict-netflow-usage
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VDS
Title: Ensure that VDS Netflow traffic is only being sent to authorized collector IPs.
Vulnerability Discussion: The vSphere VDS can export Netflow information about traffic crossing the VDS. Netflow exports are not encrypted and can contain information about the virtual network, making it easier for a MITM attack to be executed successfully. If Netflow export is required, verify that all VDS Netflow target IPs are correct.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: From the Web or vSphere Clients, verify that the Netflow IP destinations are correct. Edit the VDS properties and, in the Netflow tab, verify the Collector Settings > IP Address and Port.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc%2Fvim.DistributedVirtualSwitch.html
ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference: (empty)
Able to set using Host Profile: N/A

ID: restrict-port-level-overrides
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VDS
Title: Restrict port-level configuration overrides on VDS.
Vulnerability Discussion: Port-level configuration overrides are disabled by default. Once enabled, this allows for different security settings to be set from what is established at the Port-Group level. There are cases where particular VMs require unique configurations, but this should be monitored so it is only used when authorized. If overrides are not monitored, anyone who gains access to a VM with a less secure VDS configuration could surreptitiously exploit that broader access.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: From the Web or vSphere Clients, verify that the Port Mirror destination interfaces are correct. Edit the VDS properties and, in the Port Mirror tab, verify the Destination VLAN, Port or Uplink IDs.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc%2Fvim.DistributedVirtualSwitch.html
ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference: (empty)
Able to set using Host Profile: N/A

ID: restrict-portmirror-usage
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VDS
Title: Ensure that VDS Port Mirror traffic is only being sent to authorized collector ports or VLANs.
Vulnerability Discussion: The vSphere VDS can mirror traffic from one port to another in order to allow packet capture devices to collect specific traffic flows. Port mirroring will send a copy of all traffic specified in unencrypted format. This mirrored traffic contains the full data in the packets captured and can result in total compromise of that data if misdirected. If Port Mirroring is required, verify that all Port Mirror Destination VLAN, Port and Uplink IDs are correct.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: From the Web or vSphere Clients, verify that the Port Mirror destination interfaces are correct. Edit the VDS properties and, in the Port Mirror tab, verify the Destination VLAN, Port or Uplink IDs.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc%2Fvim.DistributedVirtualSwitch.html
ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact: (empty)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.networking.doc/GUID-CFFD9157-FC17-440D-BDB4-E16FD447A1BA.html
Able to set using Host Profile: N/A

ID: set-non-negotiate
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: Physical
Title: Ensure that the non-negotiate option is configured for trunk links between external physical switches and virtual switches in VLAN tagging (VST) mode.
Vulnerability Discussion: In order to communicate with virtual switches in VST mode, external switch ports must be configured as trunk ports. VST mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional. The auto or desirable physical switch settings do not work with the ESXi server because the physical switch communicates with the ESXi Server using DTP. The non-negotiate and on options unconditionally enable VLAN trunking on the physical switch and create a VLAN trunk link between the ESXi Server and the physical switch. The difference between the non-negotiate and on options is that on mode still sends out DTP frames, whereas the non-negotiate option does not. The non-negotiate option should be used for all VLAN trunks, to minimize unnecessary network traffic for virtual switches in VST mode.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Log in to the physical switch and ensure that DTP is not enabled on the physical switch ports connected to the ESXi Host.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API, ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact: (empty)
Reference: http://kb.vmware.com/kb/1004074
Able to set using Host Profile: N/A

ID: upstream-bpdu-stp
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: Physical
Title: Verify that for virtual machines that route or bridge traffic, spanning tree protocol is enabled and BPDU guard and Portfast are disabled on the upstream physical switch port.
Vulnerability Discussion: In the scenario where the ESXi host has a guest VM that is configured to perform a bridging function, the VM will generate BPDU frames and send them out to the VDS. The VDS then forwards the BPDU frames through the network adapter to the physical switch port. When the switch port configured with "BPDU guard" receives the BPDU frame, the switch disables the port and the VM loses connectivity. To avoid this network failure scenario while running a software-bridging function on an ESXi host, customers should disable the "portfast" and "BPDU guard" configuration on the port and run the spanning tree protocol.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Routinely check that for virtual machines that perform bridging or routing, the first upstream physical switch port is configured with BPDU Guard and Portfast disabled and Spanning Tree Protocol enabled.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API, ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A
Reference:
  http://www.vmware.com/files/pdf/techpaper/Whats-New-VMware-vSphere-51-Network-Technical-Whitepaper.pdf
  http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-C02EB0B6-2259-4F0A-9774-B325C6949970.html
Able to set using Host Profile: N/A

ID: verify-vlan-id
Product: vSphere
Version: 5.5
Component: vNetwork
Subcomponent: VLAN
Title: Ensure that all virtual switch VLANs are fully documented and have all required and only required VLANs.
Vulnerability Discussion: When defining a physical switch port for trunk mode, care must be taken to ensure that only specified VLANs are configured. It is considered best practice to restrict the trunk to only those VLANs required on the VLAN trunk link. The risk with not fully documenting all VLANs on the vSwitch is that it is possible that a physical trunk port might be configured without needed VLANs, or with unneeded VLANs, potentially enabling an administrator to either accidentally or maliciously connect a VM to an unauthorized VLAN.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Both standard and distributed vSwitch configurations can be viewed in the vSphere Web Client. Browse to a switch in the vSphere Web Client navigator. Click the Manage tab, and click Settings. Select each vSwitch, and for each port group on the vSwitch, verify and record the VLAN IDs used. For dvSwitches, go to Home > Inventory > Networking and, for each dvSwitch in the inventory and for each dvPortGroup in each dvSwitch, select Edit Settings > Policies > VLAN and verify and record the VLAN IDs. From the command line, for a standard vSwitch, "esxcfg-vswitch -l" will list all port groups and their VLAN association. Compare this list with the physical switch configuration.
Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default: N/A
vSphere API: http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.PortGroup.Specification.html
ESXi Shell Command Assessment: # esxcli network vswitch standard portgroup list
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: # esxcli network vswitch standard portgroup list
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List all vSwitches, their Portgroups and VLAN Ids
  Get-VirtualPortGroup -Standard | Select virtualSwitch, Name, VlanID
PowerCLI Command Remediation, Negative Functional Impact: (empty)
Reference:
  http://kb.vmware.com/KB/1008127
  http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-3887738A-3F3C-4438-B1E7-E35F2A38D94F.html
Able to set using Host Profile: N/A

ID: verify-vlan-trunk
Product: vSphere
Version: 5.5
5,"vNetwork","Physical","VerifythatVLANtrunklinksareconnectedonlytophysicalswitchportsthatfunctionastrunklinks.
","WhenconnectingavirtualswitchtoaVLANtrunkport,youmustbecarefultoproperlyconfigureboththevirtualswitchandthephysicalswitchattheuplinkport.
Ifthephysicalswitchisnotproperlyconfigured,frameswiththeVLAN802.
1qheaderisforwardedtoaswitchnotexpectingtheirarrival.
ThevSphereadministratorshouldalwaysensurethatvirtualswitchuplinks,actingasVLANtrunklinks,areconnectedonlytophysicalswitchportsthatfunctionastrunklinks.
Misconfigurationofthephysicalswitchportsmightleadtoundesirableperformance,includingframesbeingdroppedormisdirected.
","1,2,3","Operational","RoutinelycheckphysicalswitchportstoensurethattheyareproperlyconfiguredastrunkportsifconnectedtovirtualswitchVLANtrunkingports.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","http://pubs.
vmware.
com/vsphere-55/topic/com.
vmware.
vsphere.
security.
doc/GUID-3BB93F2C-3872-4F15-AEA9-90DEDB6EA145.
vCenter Server

Columns: ID, Product, Version, Component, Subcomponent, Title, Vulnerability Discussion, Risk Profile, Control Type, Assessment Procedure, Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default, vSphere API, ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation, PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference, Able to set using Host Profile

ID: apply-os-patches
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Host
Title: Keep vCenter Server system properly patched.
Vulnerability Discussion: By staying up to date on Windows patches, vulnerabilities in the OS can be mitigated. If an attacker can obtain access and elevate privileges on the host on which the vCenter Server system is running, the attacker can potentially take over the entire vSphere deployment.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Keep the host on which the vCenter Server system is running up to date with patches in accordance with industry-standard or internal guidelines.
Configuration File / Configuration Parameter / Desired Value / Change Type / Is desired value the default: N/A
vSphere API, ESXi Shell and vCLI commands: N/A
PowerCLI Command Assessment:
# List All Patches for your vCenter Server. Administrator Privileges will be needed on your
# vCenter server for this to complete
Get-WmiObject -ComputerName $DefaultVIServer Win32_QuickFixEngineering | select Description, HotfixID
PowerCLI Command Remediation / Negative Functional Impact: (none given)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-4F7BF744-6052-43F2-A62E-6B05C13E755B.html
Able to set using Host Profile: N/A
ID: block-unused-ports
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Communication
Title: Block access to ports not being used by vCenter.
Vulnerability Discussion: Blocking unneeded ports can help protect against general attacks on the Windows system. A local firewall on the Windows system of vCenter, or a network firewall, can be used to block access to ports not specifically being used by vCenter. Here is a partial list of examples of where ports might be blocked: (636/TCP) if the vCenter will not be part of a linked-mode vCenter group; (1521/TCP) if the vCenter DB is not Oracle.
Risk Profile: 1,2
Control Type: Configuration
Assessment Procedure: Verify that unused network protocol/port pairs are blocked to/from the vCenter Server. A list of ports used by vCenter can be found in this VMware Knowledge Base article: http://kb.vmware.com/kb/1012382. Make sure not to block any ports for functionality that is actually in use in your environment.
Configuration File / Configuration Parameter / Desired Value / Change Type / Is desired value the default: N/A
vSphere API, ESXi Shell, vCLI and PowerCLI commands: N/A
Negative Functional Impact: Any blocked ports will have to be unblocked for functionality relying on them to work.
Reference: http://kb.vmware.com/kb/1012382
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-ECEA77F5-D38E-4339-9B06-FF9B78E94B68.html
Able to set using Host Profile: N/A
ID: change-default-password
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: VCSA
Title: Change default VCSA password.
Vulnerability Discussion: During installation of the VCSA, the default password is not changed. This must be done manually.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Log in to the vCenter Server Appliance admin page and change the password for the root account.
Configuration and command fields: N/A
Reference: http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.vcenterhost.doc%2FGUID-1BB3D56C-F72A-4330-BA06-8F4505005A3B.html
Able to set using Host Profile: N/A
ID: check-privilege-reassignment
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Access
Title: Check for privilege re-assignment after vCenter Server restarts.
Vulnerability Discussion: During a restart of vCenter Server, if the user or user group that is assigned the Administrator role on the root folder could not be verified as a valid user/group during the restart, the user/group's permission as Administrator will be removed. In its place, vCenter Server grants the Administrator role to the local Windows administrators group, to act as a new vCenter Server administrator. Since it is not recommended to grant vCenter Server Administrator rights to Windows Administrators, this results in a situation that should be rectified by re-establishing a legitimate administrator account.
Risk Profile: 1,2
Control Type: Operational
Assessment Procedure: Any time that vCenter Server restarts, the log file should be scanned to ensure that no privileges were re-assigned. For the location of vCenter Server log files, please see this KB: http://kb.vmware.com/kb/1021804. In the Windows Application log, look for an entry like:
Log Name: Application
Source: VMware VirtualCenter Server
Date: M/DD/YYYY H:MM:SS PM
Event ID: 1000
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: [vCenter Server]
Description: Removing permission for entity "", group "DOMAIN\Account", role -1. Reason: User or group not found.
Configuration File / Configuration Parameter / Desired Value / Change Type / Is desired value the default: N/A
vSphere API, ESXi Shell and vCLI commands: N/A
PowerCLI Command Assessment:
# List all vCenter Application log entries for VMware VirtualCenter. OS Administrator Privileges will be needed on your server for this to complete.
Get-EventLog -ComputerName MyvCenter -LogName Application -Source "VMware VirtualCenter Server" -EntryType "Warning"
PowerCLI Command Remediation / Negative Functional Impact: (none given)
Reference: http://kb.vmware.com/kb/1021804
Able to set using Host Profile: N/A
ID: config-ntp
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Communication
Title: Configure NTP time synchronization.
Vulnerability Discussion: By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC), you can make it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate. In addition, incorrect time settings can introduce login issues with SSO, as all SSO components rely on coordinated time.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: On each Windows computer in the infrastructure, ensure that NTP settings are correct and in accordance with industry-standard guidelines, or internal guidelines where appropriate.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: Site Specific
Change Type: Modify
Is desired value the default: No
vSphere API, ESXi Shell, vCLI and PowerCLI commands: N/A
Negative Functional Impact: (none given)
Reference: Microsoft documentation for the version of Windows Server OS that you are using.
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-B77341E3-9D7D-48B6-A221-B782C21AF98E.html
Able to set using Host Profile: N/A
ID: disable-datastore-web
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Communication
Title: Disable datastore Web browser.
Vulnerability Discussion: The datastore Web browser enables you to view all the datastores associated with the vSphere deployment, including all folders and files contained in them, such as VM files. This is governed by the user's permissions on vCenter Server. In some cases, you might want to disable the datastore browser to eliminate the risk of having an open interface that is not being used.
Risk Profile: 1
Control Type: Parameter
Assessment Procedure: To verify the datastore browser is disabled, edit the vpxd.cfg file and ensure that the following element is set: false. This should be the only occurrence of this element, and it should be within the ... element in vpxd.cfg. Also verify there was a restart of the vCenter Service to make the config file change apply. This may restart other related VMware services.
Configuration File / Configuration Parameter / Desired Value / Change Type / Is desired value the default: N/A
vSphere API, ESXi Shell, vCLI and PowerCLI commands: N/A
Negative Functional Impact: You will no longer be able to browse and view datastore files using a Web browser connected to vCenter Server via either HTTP or HTTPS. Products depending on these services will be negatively impacted. Check with your 3rd party vendor and also consider implementing "restrict-datastore-access" in these cases. REST API commands relying on web access to the datastore of the vCenter Server will not work. NOTE: The datastore browser available on each ESXi host is unaffected by this setting; it can be disabled separately using a host-level setting.
Reference: (none given)
Able to set using Host Profile: N/A
ID: disable-mob
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Communication
Title: Disable managed object browser.
Vulnerability Discussion: The managed object browser provides a way to explore the object model used by vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging the vSphere SDK. This interface might potentially be used to perform malicious configuration changes or actions.
Risk Profile: 1,2
Control Type: Parameter
Assessment Procedure: Verify the managed object browser is disabled by viewing/editing the vpxd.cfg file, and checking that the following element is set: false. This should be the only occurrence of this element, and it should be within the ... element in vpxd.cfg.
Configuration File / Configuration Parameter / Desired Value / Change Type / Is desired value the default: N/A
vSphere API, ESXi Shell, vCLI and PowerCLI commands: N/A
Negative Functional Impact: The managed object browser will no longer be available for diagnostics.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-0EF83EA7-277C-400B-B697-04BDC9173EA3.html
Able to set using Host Profile: N/A
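Added example, not code from the VMware guide, serving both disable-datastore-web and disable-mob: the two assessment procedures above require a single occurrence of each element, placed under the vpxd element, with the value false. The element names enableHttpDatastoreAccess and enableDebugBrowse and the config/vpxd layout are taken from VMware's vpxd.cfg documentation rather than from the text above, which lost them in extraction; the default file path is assumed. The check runs on constructed fragments written to a temporary file.

```powershell
# Added example, not from the VMware guide. Checks vpxd.cfg for the two hardening elements of
# disable-datastore-web and disable-mob. The element names (enableHttpDatastoreAccess,
# enableDebugBrowse) and the <config><vpxd> layout come from VMware's vpxd.cfg documentation,
# not from the guideline text, which lost them in extraction. Exactly one occurrence is
# required, under <vpxd>, with the value false.

function Test-VpxdHardening {
    param(
        [Parameter(Mandatory = $true)] [string]$Path,
        [string[]]$Elements = @('enableDebugBrowse', 'enableHttpDatastoreAccess')
    )
    [xml]$cfg = Get-Content -Path $Path -Raw
    foreach ($name in $Elements) {
        $all    = @($cfg.SelectNodes("//$name"))             # every occurrence, anywhere in the file
        $inVpxd = @($cfg.SelectNodes("/config/vpxd/$name"))  # only the expected location
        $value  = $null
        if ($inVpxd.Count -ge 1) { $value = $inVpxd[0].InnerText.Trim() }
        if     ($all.Count -eq 0)    { $note = 'element missing; the feature is enabled by default' }
        elseif ($all.Count -gt 1)    { $note = 'duplicate elements; the effective value is ambiguous' }
        elseif ($inVpxd.Count -eq 0) { $note = 'element present but not under <config><vpxd>' }
        elseif ($value -ne 'false')  { $note = "value is '$value', expected 'false'" }
        else                         { $note = 'ok' }
        [pscustomobject]@{
            Element     = $name
            Occurrences = $all.Count
            Value       = $value
            Compliant   = ($note -eq 'ok')
            Note        = $note
        }
    }
}

# Constructed fragments; a real vpxd.cfg carries many more elements.
$Samples = @{
    'weak (elements absent)'   = '<config><vpxd><log><level>info</level></log></vpxd></config>'
    'hardened'                 = '<config><vpxd><enableDebugBrowse>false</enableDebugBrowse><enableHttpDatastoreAccess>false</enableHttpDatastoreAccess></vpxd></config>'
    'duplicate at wrong level' = '<config><enableDebugBrowse>false</enableDebugBrowse><vpxd><enableDebugBrowse>true</enableDebugBrowse><enableHttpDatastoreAccess>false</enableHttpDatastoreAccess></vpxd></config>'
}
$tmp = Join-Path $env:TEMP 'vpxd-sample.cfg'
foreach ($label in $Samples.Keys) {
    Set-Content -Path $tmp -Value $Samples[$label]
    "--- $label"
    Test-VpxdHardening -Path $tmp | Format-Table -AutoSize
}
Remove-Item -Path $tmp

# Live check on a Windows vCenter (default path assumed; verify it for your install):
# Test-VpxdHardening -Path 'C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg'
```

A non-compliant result still requires the vCenter Server service restart the guideline mentions before the setting takes effect, so treat the file check as necessary but not sufficient.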
ID: install-with-service-account
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Host
Title: Install vCenter Server using a service account instead of a built-in Windows account.
Vulnerability Discussion: You can use the Microsoft Windows built-in system account or a domain user account to run vCenter Server. The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system requires, which can contribute to security problems. With a domain user account, you can enable Windows authentication for SQL Server; it also allows more granular security and logging. The installing account only needs to be a member of the Administrators group, and have permission to act as part of the operating system and log on as a service. If you are using SQL Server for the vCenter database, you must configure the SQL Server database to allow the domain account access to SQL Server.
Risk Profile: 1,2
Control Type: Configuration
Assessment Procedure: Verify that vCenter Server was installed using a special-purpose user account on the Windows host with only a local administrator role. This account should have the "Act as part of the operating system" privilege, and write access to the local file system.
Configuration and command fields: N/A
Negative Functional Impact: (none given)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6C181D08-6650-4AD1-92D1-AAFDA3A3E38C.html
Able to set using Host Profile: N/A
ID: limit-user-login
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Host
Title: Avoid unneeded user login to vCenter Server system.
Vulnerability Discussion: After someone has logged in to the vCenter Server system, it becomes more difficult to prevent what they can do. In general, logging in to the vCenter Server system should be limited to very privileged administrators, and then only for the purpose of administering vCenter Server or the host OS. Anyone logged in to the vCenter Server can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes. They also have potential access to vCenter credentials, such as the SSL certificate.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Verify that policies are in place and enforced to restrict login to the vCenter system only to those personnel who have legitimate tasks to perform in it. Ensure that they log in only when necessary, and audit these events.
Configuration and command fields: N/A
Negative Functional Impact: (none given)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6C181D08-6650-4AD1-92D1-AAFDA3A3E38C.html
Able to set using Host Profile: N/A
ID: monitor-admin-assignment
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Access
Title: Monitor that vCenter Server administrative users have the correct Roles assigned.
Vulnerability Discussion: Monitor that administrative users are only assigned privileges they require. Least Privilege requires that these privileges should only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss. At an interval suitable to industry best practices or your organization's standards, verify in vCenter Server using the vSphere Client:
1. That a non-guest access role was created without these privileges.
2. That this role is assigned to users who need administrator privileges excluding those allowing file and program interaction within the guests.
Risk Profile: 1,2
Control Type: Operational
Assessment Procedure: Monitor that Roles are created in vCenter with the required granularity of privilege for your organization's administrator types, and that these roles are assigned to the correct users.
1. Log in to the vCenter Server System using the vSphere Client as a vCenter Server System Administrator.
2. Go to "Home > Administration > Roles" and verify that a Role exists for each of the administrator privilege sets your organization requires and allows.
3. Right click on each Role name and select "Edit". Verify that under "All Privileges > Virtual Machines" only required checkboxes are selected.
...
A list of vSphere 5.5 privileges is available at: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html
Configuration File / Configuration Parameter / Desired Value / Change Type / Is desired value the default: N/A
vSphere API, ESXi Shell and vCLI commands: N/A
PowerCLI Command Assessment:
# List all Roles and Accounts with access to the root Datacenters folder
Get-Folder Datacenters | Get-VIPermission
PowerCLI Command Remediation / Negative Functional Impact: (none given)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-93B962A7-93FA-4E96-B68F-AE66D3D6C663.html
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html
Able to set using Host Profile: N/A
ID: monitor-certificate-access
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Host
Title: Monitor access to SSL certificates.
Vulnerability Discussion: The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, the vCenter Server system administrator might need to access it for support purposes. The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password.
Risk Profile: 1,2
Control Type: Operational
Assessment Procedure: Use event log monitoring to alert on non-service-account access to the certificates directory.
Configuration and command fields: N/A
Reference: (none given)
Able to set using Host Profile: N/A
ID: no-self-signed-certs
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Communication
Title: Do not use default self-signed certificates.
Vulnerability Discussion: Use signed certificates if they are an operational requirement.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Ensure that any certificates presented by each vCenter component can be verified by a trusted certification authority.
Configuration File / Configuration Parameter / Desired Value / Change Type / Is desired value the default: N/A
vSphere API, ESXi Shell and vCLI commands: N/A
PowerCLI Command Assessment:
function Test-WebServerSSL {
    # Function original location: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=60
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
        [string]$URL,
        [Parameter(Position = 1)]
        [ValidateRange(1, 65535)]
        [int]$Port = 443,
        [Parameter(Position = 2)]
        [Net.WebProxy]$Proxy,
        [Parameter(Position = 3)]
        [int]$Timeout = 15000,
        [switch]$UseUserContext
    )
    # Result type returned for each probed server.
    Add-Type @"
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
namespace PKI {
    namespace Web {
        public class WebSSL {
            public Uri OriginalURi;
            public Uri ReturnedURi;
            public X509Certificate2 Certificate;
            //public X500DistinguishedName Issuer;
            //public X500DistinguishedName Subject;
            public string Issuer;
            public string Subject;
            public string[] SubjectAlternativeNames;
            public bool CertificateIsValid;
            //public X509ChainStatus[] ErrorInformation;
            public string[] ErrorInformation;
            public HttpWebResponse Response;
        }
    }
}
"@
    $ConnectString = "https://$url`:$port"
    $WebRequest = [Net.WebRequest]::Create($ConnectString)
    $WebRequest.Proxy = $Proxy
    $WebRequest.Credentials = $null
    $WebRequest.Timeout = $Timeout
    $WebRequest.AllowAutoRedirect = $true
    # Accept any certificate for the probe itself; validity is evaluated separately via X509Chain below.
    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    try {$Response = $WebRequest.GetResponse()}
    catch {}
    if ($WebRequest.ServicePoint.Certificate -ne $null) {
        $Cert = [Security.Cryptography.X509Certificates.X509Certificate2]$WebRequest.ServicePoint.Certificate.Handle
        # Subject Alternative Name extension (OID 2.5.29.17)
        try {$SAN = ($Cert.Extensions | Where-Object {$_.Oid.Value -eq "2.5.29.17"}).Format(0) -split ", "}
        catch {$SAN = $null}
        $chain = New-Object Security.Cryptography.X509Certificates.X509Chain -ArgumentList (!$UseUserContext)
        # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1)
        [void]$chain.ChainPolicy.ApplicationPolicy.Add("1.3.6.1.5.5.7.3.1")
        $Status = $chain.Build($Cert)
        New-Object PKI.Web.WebSSL -Property @{
            OriginalUri = $ConnectString;
            ReturnedUri = $Response.ResponseUri;
            Certificate = $WebRequest.ServicePoint.Certificate;
            Issuer = $WebRequest.ServicePoint.Certificate.Issuer;
            Subject = $WebRequest.ServicePoint.Certificate.Subject;
            SubjectAlternativeNames = $SAN;
            CertificateIsValid = $Status;
            Response = $Response;
            ErrorInformation = $chain.ChainStatus | ForEach-Object {$_.Status}
        }
        $chain.Reset()
        [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    } else {
        Write-Error $Error[0]
    }
}
# Check for Host Certificates
Foreach ($VMHost in Get-VMHost) {
    Test-WebServerSSL -URL $VMHost.Name | Select OriginalURi, CertificateIsValid, Issuer
}
# Check for vCenter Certificate
Test-WebServerSSL -URL $DefaultVIServer | Select OriginalURi, CertificateIsValid, Issuer
PowerCLI Command Remediation / Negative Functional Impact: (none given)
Reference: Cert replacement tool: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-1E444C85-D992-4BE3-8364-823EF4119296.html
Manual replacement: kb.vmware.com/kb/2058519.
Able to set using Host Profile: N/A
ID: remove-expired-certificates
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Host
Title: Remove expired certificates from vCenter Server.
Vulnerability Discussion: If expired certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Verify you have removed expired certificates from your vCenter Server.
Configuration and command fields: N/A
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-CD9A1235-73D6-4D6F-93B6-FBF9D62E4A91.html
Able to set using Host Profile: N/A
ID: remove-failed-install-logs
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Host
Title: Clean up log files after failed installations of vCenter Server.
Vulnerability Discussion: In certain cases, if the vCenter installation fails, a log file (with a name of the form "hs_err_pidXXXX") is created that contains the database password in plaintext. An attacker who breaks into the vCenter Server could potentially steal this password and access the vCenter Database.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: If at any time a vCenter Server installation fails, the log files of the form "hs_err_pid…" should be deleted securely before putting the host into production.
Configuration and command fields: N/A
Negative Functional Impact: (none given)
Reference: http://kb.vmware.com/kb/1021804
Able to set using Host Profile: N/A

ID: remove-revoked-certificates
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Host
Title: Remove revoked certificates from vCenter Server.
Vulnerability Discussion: If revoked certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Verify you have removed revoked certificates from your vCenter Server.
Configuration and command fields: N/A
Reference: (none given)
Able to set using Host Profile: N/A
ID: restrict-admin-privilege
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Access
Title: Secure the vSphere Administrator role and assign it to specific users.
Vulnerability Discussion: By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows administrator account and instead be given to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts.
Risk Profile: 3
Control Type: Operational
Assessment Procedure: Observe the assigned permissions in vSphere. Make sure that "Administrator" or any other account or group does not have any privileges except users created as follows:
1. Create an ordinary user account that will be used to manage vCenter (example: vi-admin).
2. Make sure the user does not belong to any local groups, such as administrator.
3. On the top-level hosts and clusters context, log on to vCenter as the Windows administrator; then grant the role of administrator (global vCenter administrator) to the account created in step 1.
4. Log out of vCenter and log in to vCenter with the account created in step 1; verify that the user is able to perform all tasks available to a vCenter administrator.
5. Remove the permissions in vCenter for the local administrator group.
Configuration File / Configuration Parameter / Desired Value / Change Type / Is desired value the default: N/A
vSphere API, ESXi Shell and vCLI commands: N/A
PowerCLI Command Assessment:
# List all Roles and Accounts with access to the root Datacenters folder
Get-Folder Datacenters | Get-VIPermission
PowerCLI Command Remediation / Negative Functional Impact: (none given)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-1F8C8AAC-3DB5-43F3-B8CE-925B7E6F58AA.html
Able to set using Host Profile: N/A
ID: restrict-admin-role
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Access
Title: Secure the vSphere Administrator role and assign it to specific users.
Vulnerability Discussion: By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows administrator account and instead be given to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts.
Risk Profile: 1,2
Control Type: Operational
Assessment Procedure: Observe the assigned permissions in vSphere. Make sure that "Administrator" or any other account or group does not have any privileges except users created as follows:
1. Create an ordinary user account that will be used to manage vCenter (example: vi-admin).
2. Make sure the user does not belong to any local groups, such as administrator.
3. On the top-level hosts and clusters context, log on to vCenter as the Windows administrator; then grant the role of administrator (global vCenter administrator) to the account created in step 1.
4. Log out of vCenter and log in to vCenter with the account created in step 1; verify that the user is able to perform all tasks available to a vCenter administrator.
5. Remove the permissions in vCenter for the local administrator group.
6. Protect the vi-admin account from regular usage and instead rely upon accounts tied to specific individuals. This should be done as follows:
   a. Logged in as vi-admin, grant full administrative rights to the minimum number of individuals required, typically senior IT staff.
   b. Log out as vi-admin, and then protect the password. There are numerous ways in which the password can be protected; for example, use a very strong password and then lock the printout in a safe, or employ a system by which two individuals each must type one half of a password, the other half of which is unknown to the other individual.
Configuration File / Configuration Parameter / Desired Value / Change Type / Is desired value the default: N/A
vSphere API, ESXi Shell and vCLI commands: N/A
PowerCLI Command Assessment:
# List all Roles and Accounts with access to the root Datacenters folder
Get-Folder Datacenters | Get-VIPermission
PowerCLI Command Remediation / Negative Functional Impact: (none given)
Reference: (none given)
Able to set using Host Profile: N/A
ID: restrict-certificate-access
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Host
Title: Restrict access to SSL certificates.
Vulnerability Discussion: The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password. By default, only the service user account and the vCenter Server administrators can access the directory that contains the SSL certificates. The service account user needs to access the directory regularly. The vCenter Server system administrator needs to access the certificates occasionally. The permissions should be checked on a regular basis to ensure they have not been changed to add unauthorized users.
Risk Profile: 1
Control Type: Configuration
Assessment Procedure: Check that the Windows file permissions on the SSL certificate directory files are set so that only the vCenter service account and authorized vCenter Server Administrators can access them. Verify that the directory and all files within are only accessible to the service user account and authorized vCenter Server administrators. The default location for vCenter is C:\ProgramData\VMware\VMware VirtualCenter\SSL, and for the Inventory Service SSL certificate it is C:\Program Files\VMware\Infrastructure\InventoryService\ssl.
Configuration and command fields: N/A
Negative Functional Impact: Supportability limitations: will prevent a complete support log from being collected when the vc-support script is issued. Will prevent the administrator from being able to change the vCenter database password.
Reference: (none given)
Able to set using Host Profile: N/A
ID: restrict-datastore-web
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Communication
Title: Restrict datastore browser.
Vulnerability Discussion: The datastore browser functionality, either through the Web browser or via the vSphere Client and the vSphere Web Client, allows users with proper permissions view/upload/download access to all the files on datastores associated with the vSphere deployment. Folders and files such as virtual disk files can contain sensitive data. This is governed by the user's permissions on vCenter Server. To prevent data from being accessed by the wrong users, verify that all users' permissions in vCenter only allow access to those datastore objects they are authorized to view.
Risk Profile: 2,3
Control Type: Parameter
Assessment Procedure: Log in to the vSphere Web Client as a user with rights to view user privileges. For each vCenter object, select the Manage > Permissions tab. For each user or group, verify that the corresponding role does not have the Datastore > Browse datastore privilege checked.
Configuration and command fields: N/A
Negative Functional Impact: (none given)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-3B78EEB3-23E2-4CEB-9FBD-E432B606011A.html
Able to set using Host Profile: N/A
ID: restrict-guest-control
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Access
Title: Restrict unauthorized vSphere users from being able to execute commands within the guest virtual machine.
Vulnerability Discussion: By default, the vCenter Server "Administrator" role allows users to interact with files and programs inside a virtual machine's guest operating system, which can lessen guest data confidentiality, availability or integrity. Least Privilege requires that this privilege should not be granted to any users who are not authorized. A non-guest access administrator role should be created with these privileges removed. This role would allow administrator privileges excluding those allowing file and program interaction within the guests.
Risk Profile: 1,2
Control Type: Operational
Assessment Procedure: Verify that there is a Role that will be used to manage vCenter without the Guest Access Control (example: "Administrator No Guest Access"), and that this role is assigned to administrators who should not have guest file and program interaction privileges.
1. Log in to the vCenter Server System using the vSphere Client as a vCenter Server System Administrator.
2. Go to "Home > Administration > Roles" and verify that a Role exists for administrators with Guest access removed.
3. Right click on the Role name and select "Edit". Verify that under "All Privileges > Virtual Machines" the "Guest Operations" checkbox is unchecked.
4. Verify that users requiring Administrator privileges without Guest access privileges are assigned to that role and not the default Administrator role.
Configuration File / Configuration Parameter / Desired Value / Change Type / Is desired value the default: N/A
vSphere API, ESXi Shell and vCLI commands: N/A
PowerCLI Command Assessment:
# List the existing roles
Get-VIRole
PowerCLI Command Remediation / Negative Functional Impact: (none given)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6C181D08-6650-4AD1-92D1-AAFDA3A3E38C.html
Able to set using Host Profile: N/A
ID: restrict-Linux-clients
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Client
Title: Restrict the use of Linux-based clients.
Vulnerability Discussion: Although SSL-based encryption is used to protect communication between client components and vCenter Server or ESXi, the Linux versions of these components do not perform certificate validation. Even if you have replaced the self-signed certificates on vCenter and ESXi with legitimate certificates signed by your local root certificate authority or a third party, communications with Linux clients are still vulnerable to MiTM attacks. With proper controls, this restriction can be relaxed if deemed appropriate. These controls include:
- Restriction of management network access only to authorized systems
- Use of firewalls to restrict access to vCenter only by authorized hosts
- Use of jump-box systems for exclusive access to vCenter
Options include: Instruct administrators, especially those who have high levels of privileges, not to use Linux-based clients when connecting to vCenter Server. Make use of a jump-box architecture so that the only Linux clients are those behind the jump box.
Risk Profile: 1,2
Control Type: Operational
Assessment Procedure: Verify that the operating system of the client you are connecting to vCenter or the ESXi host with is not Linux.
Configuration and command fields: N/A
Reference: (none given)
Able to set using Host Profile: N/A
ID: restrict-network-access
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Communication
Title: Restrict network access to vCenter Server system.
Vulnerability Discussion: Restrict access to only those essential components required to communicate with vCenter. Restricting access to only those essential components required to communicate with vCenter minimizes risk.
Risk Profile: 1,2
Control Type: Operational
Assessment Procedure: You should protect the vCenter Server by enabling the firewall on the Windows server that vCenter components are running on, or by using a network firewall to restrict traffic to those servers. This protection should include IP/port-based access restrictions, so that only necessary components can communicate with the vCenter Server system on required ports.
Configuration and command fields: N/A
Negative Functional Impact: Only systems in the IP whitelist/ACL will be able to connect to vCenter Server.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-16227288-E2D1-4759-9EF1-321CE634F2AB.html
Able to set using Host Profile: N/A
ID: restrict-vcs-db-user
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Database
Title: Use least privileges for the vCenter Server database user.
Vulnerability Discussion: vCenter requires only certain specific privileges on the database. Furthermore, certain privileges are required only for installation and upgrade, and can be removed during normal operation. These privileges should be added again if another upgrade must be performed. Least privilege mitigates attacks if the vCenter database account is compromised.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify that only the privileges needed for your current vCenter state, on either Oracle or Microsoft SQL Server, are assigned. These privileges are listed in the vSphere Upgrade Guide, "Preparing for Upgrade to vCenter Server" chapter. NOTE: This section indicates which privileges are needed for installation and upgrade, and which are needed just for ongoing operation.
Configuration and command fields: N/A
Negative Functional Impact: (none given)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6C181D08-6650-4AD1-92D1-AAFDA3A3E38C.html
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.upgrade.doc/GUID-093777CF-BB5A-4D23-A41D-5B791789E33C.html
http://pubs.vmware.com/vsphere-55/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-55-upgrade-guide.pdf
Able to set using Host Profile: N/A
ID: secure-vcenter-os
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Host
Title: Provide Windows system protection on the vCenter Server host.
Vulnerability Discussion: By providing OS-level protection, vulnerabilities in the OS can be mitigated. This protection includes antivirus, antimalware, and similar measures. If an attacker can obtain access and elevate privileges on the vCenter Server system, they can then take over the entire vSphere deployment.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Verify that Windows system protection is applied, such as antivirus, in accordance with industry-standard guidelines, or internal guidelines where appropriate. Verify that the protections applied do not interfere with vCenter Server function.
Configuration and command fields: N/A
Negative Functional Impact: (none given)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.vco_install_config.doc/GUID-569A7CD7-4E7C-422B-AAD6-D8E51C4A7444.html
Able to set using Host Profile: N/A
ID: secure-vco-file-access
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: VCO
Title: Restrict read access to VCO files with authentication data to administrators.
Vulnerability Discussion: vCenter Orchestrator installation directories on the vCenter Server contain authentication information for plugins. If compromised, these can be used in a spoofing attack to gain access to the plug-in functionality.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Log in to the vCenter Server host with administrator access and remove access for non-administrators to the vCenter Orchestrator files with authentication information.
1) Log in to the vCenter Server OS
2) Navigate to C:\Program Files\VMware\Infrastructure\Orchestrator
3) Right click on the 'app-server' folder and go to 'Properties'
4) Go to the 'Security' tab
5) Select the 'Users' group and click 'Edit'
6) A new window opens up; select the 'Users' group again and click 'Remove'
7) Click 'OK'
8) Click 'OK'
Configuration and command fields: N/A
Reference: http://kb.vmware.com/kb/2021259
Able to set using Host Profile: N/A
ID: thick-client-timeout
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Client
Title: Set a timeout for thick-client login without activity.
Vulnerability Discussion: You can set an inactivity timeout for the vSphere Client (thick client). This client-side setting can be changed by the user, so it must be set by default and re-audited. Closing sessions automatically reduces the potential for unauthorized access to vCenter, minimizing risk.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: On each Windows computer with the vSphere Client installed, either:
1. Verify that a timeout is set to the requirement of your organization or industry best practices. The login idle timeout is a parameter that can be set in vpxClient.exe.config. Add the following entry right above [closing element], where X is the number of minutes for the timeout value, and then save the file: X
OR
2. Verify that users are starting the vSphere Client executable with the timeout set as an execution flag. An example of this is: "vpxClient.exe -inactivityTimeout 5". The "5" stands for 5 minutes.
Configuration and command fields: N/A
Negative Functional Impact: The thick client will be logged out by the client at the specified time and the user will have to log in again.
Reference: (none given)
Able to set using Host Profile: N/A
ID: use-supported-system
Product/Version: vSphere 5.5
Component: vCenter
Subcomponent: Host
Title: Maintain supported operating system, database, and hardware for vCenter.
Vulnerability Discussion: vCenter Server resides on a Windows-based operating system and therefore requires a supported version of Windows. If vCenter is not running on a supported OS, it might not run properly. An attacker might be able to take advantage of this to perform a DoS attack or worse.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify that vCenter Server is running on a supported OS, hardware and database.
Configuration File / Configuration Parameter / Desired Value / Change Type / Is desired value the default: N/A
vSphere API, ESXi Shell and vCLI commands: N/A
PowerCLI Command Assessment:
# List the version of vCenter OS and Service Pack. OS Administrator Privileges will be needed on your server for this to complete
Get-WmiObject Win32_OperatingSystem -ComputerName $DefaultVIServer | select CSName, Caption, CSDVersion
PowerCLI Command Remediation / Negative Functional Impact: (none given)
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-4F7BF744-6052-43F2-A62E-6B05C13E755B.html
http://www.vmware.com/go/hcl
Able to set using Host Profile: N/A
com/go/hcl","N/A""verify-client-plugins","vSphere",5.
5,"vCenter","Client","VerifyvSphereWebClientplugins","vCenterServerincludesavSphereWebClientextensibilityframework,whichprovidestheabilitytoextendthevSphereWebClientwithmenuselectionsortoolbariconsthatprovideaccesstovCenterServeradd-oncomponentsorexternal,Web-basedfunctionality.
vSphereWebClientpluginsorextensionsrunatthesameprivilegelevelastheuserloggedin.
Amaliciousextensionmightmasqueradeassomethingusefulbutthendoharmfulthingssuchasstealingcredentialsormisconfiguringthesystem.
","1,2,3","Operational","MakesurethatthevSphereWebClientinstallationusedbyadministratorsincludesonlyauthorizedextensionsfromtrustedsources.
Youcanchecktoseewhichplug-insareactuallyinstalledforagivenvSphereClientbySelectingHome,clickSolutionsontheleft,andclickClientPlugins.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","#ListPluginsInstalled$ServiceInstance=get-viewServiceInstance$EM=Get-View$ServiceInstance.
Content.
ExtensionManager$EM.
ExtensionList|Select@{N="Name";E={$_.
Description.
Label}},Company,Version,@{N="Summary";E={$_.
Description.
Summary}}",,,,"N/A""Verify-RDP-encryption","vSphere",5.
5,"vCenter","Host","VerifyRDPencryptionlevels","WhenusingRDPtoconnecttoaWindowshost,thereareanumberofdifferentencryptionlevelsthatcanbeused.
Thedefaultsettingsof"ClientCompatible"maynotbestrongenough.
","1,2,3","Operational","OneachWindowscomputerintheinfrastructure,ensurethatRemoteDesktopHostConfigurationsettingsaresettoensurethehighestlevelofencryptioninaccordancewithindustry-standardguidelines,orinternalguidelineswhereappropriate.
","N/A","N/A","N/A",,"No"MicrosoftdocumentationfortheversionofWindowsServerOSthatyouareusing.
","verify-ssl-certificates","vSphere",5.
5,"vCenter","Client","AlwaysverifySSLcertificates.
","Withoutcertificateverification,theusercanbesubjecttoaMiTMattack,whichpotentiallymightenablecompromisethroughimpersonationwiththeuser'scredentialstothevCenterServersystem.
WhenconnectingtovCenterServerusingvSphereClient,theclientcheckstoseeifthecertificatebeingpresentedcanbeverifiedbyatrustedthirdparty.
Ifitcannotbe,theuserispresentedwithawarningandtheoptiontoignorethischeck.
Thiswarningshouldnotbeignored;ifanadministratorispresentedwiththiswarning,theyshouldinquirefurtheraboutitbeforeproceeding.
","1,2,3","Operational","InstructanyuserofvSphereClientstoneverignorecertificateverificationwarnings.
","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","functionTest-WebServerSSL{#Functionoriginallocation:http://en-us.
sysadmins.
lv/Lists/Posts/Post.
aspxList=332991f0-bfed-4143-9eea-f521167d287c&ID=60[CmdletBinding()]param([Parameter(Mandatory=$true,ValueFromPipeline=$true,Position=0)][string]$URL,[Parameter(Position=1)][ValidateRange(1,65535)][int]$Port=443,[Parameter(Position=2)][Net.
WebProxy]$Proxy,[Parameter(Position=3)][int]$Timeout=15000,[switch]$UseUserContext)Add-Type@"usingSystem;usingSystem.
Net;usingSystem.
Security.
Cryptography.
X509Certificates;namespacePKI{namespaceWeb{publicclassWebSSL{publicUriOriginalURi;publicUriReturnedURi;publicX509Certificate2Certificate;//publicX500DistinguishedNameIssuer;//publicX500DistinguishedNameSubject;publicstringIssuer;publicstringSubject;publicstring[]SubjectAlternativeNames;publicboolCertificateIsValid;//publicX509ChainStatus[]ErrorInformation;publicstring[]ErrorInformation;publicHttpWebResponseResponse;}}}"@$ConnectString="https://$url`:$port"$WebRequest=[Net.
WebRequest]::Create($ConnectString)$WebRequest.
Proxy=$Proxy$WebRequest.
Credentials=$null$WebRequest.
Timeout=$Timeout$WebRequest.
AllowAutoRedirect=$true[Net.
ServicePointManager]::ServerCertificateValidationCallback={$true}try{$Response=$WebRequest.
GetResponse()}catch{}if($WebRequest.
ServicePoint.
Certificate-ne$null){$Cert=[Security.
Cryptography.
X509Certificates.
X509Certificate2]$WebRequest.
ServicePoint.
Certificate.
Handletry{$SAN=($Cert.
Extensions|Where-Object{$_.
Oid.
Value-eq"2.
5.
29.
17"}).
Format(0)-split","}catch{$SAN=$null}$chain=New-ObjectSecurity.
Cryptography.
X509Certificates.
X509Chain-ArgumentList(!
$UseUserContext)[void]$chain.
ChainPolicy.
ApplicationPolicy.
Add("1.
3.
6.
1.
5.
5.
7.
3.
1")$Status=$chain.
Build($Cert)New-ObjectPKI.
Web.
WebSSL-Property@{OriginalUri=$ConnectString;ReturnedUri=$Response.
ResponseUri;Certificate=$WebRequest.
ServicePoint.
Certificate;Issuer=$WebRequest.
ServicePoint.
Certificate.
Issuer;Subject=$WebRequest.
ServicePoint.
Certificate.
Subject;SubjectAlternativeNames=$SAN;CertificateIsValid=$Status;Response=$Response;ErrorInformation=$chain.
ChainStatus|ForEach-Object{$_.
Status}}$chain.
Reset()[Net.
ServicePointManager]::ServerCertificateValidationCallback=$null}else{Write-Error$Error[0]}}#CheckforHostCertificatesForeach($VMHostinGet-VMHost){Test-WebServerSSL-URL$vmhost.
Name|SelectOriginalURi,CertificateIsValid,Issuer}#CheckforvCenterCertificateTest-WebServerSSL-URL$DefaultVIServer|SelectOriginalURi,CertificateIsValid,Issuer",,,,"N/A""use-service-accounts","vSphere","5.
5","vCenter","Host","UseuniqueserviceaccountswhenapplicationsconnecttovCenter","Inordertonotviolatenon-repudiation(ie:denytheauthenticityofwhoisconnectingtovCenter),whenapplicationsneedtoconnecttovCentertheyshoulduseuniqueserviceacccounts","1,2,3","Operational","ForeachapplicationconnectiontovCenter,assignauniqueserviceaccountthatcannotbeloggedintoviaashellandfollowstheguidelinesinvCenterServer-monitor-admin-assignmentforleastprivilegeuseofrolesandpermissions","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","UsingasingleaccountforallyourapplicationaccesstovCentermeansthatifoneofthoseapplicationsiscompromiseditwillbedifficulttoensurewhereanattackiscomingfrom.
Also,someapplicationsmayonlyneedalimitedsetofpermissionsandshouldnotbeover-provisionedwithpermissions.
Thislimitsattacksurface.
",,"N/A"VUM"ID","Product","Version","Component","Subcomponent","Title","VulnerabilityDiscussion","RiskProfile","ControlType","AssessmentProcedure","ConfigurationFile","ConfigurationParameter","DesiredValue","ChangeType","Isdesiredvaluethedefault","vSphereAPI","ESXiShellCommandAssessment","ESXiShellCommandRemediation","vCLICommandAssessment","vCLICommentRemediation","PowerCLICommandAssessment","PowerCLICommandRemediation","NegativeFunctionalImpact","Reference","AbletosetusingHostProfile""audit-vum-login","vSphere",5.
Component: vCenter
Subcomponent: VUM
Title: Audit user login to Update Manager system.
Vulnerability Discussion: After someone has logged into the Update Manager system, it becomes more difficult to prevent what they can do. In general, logging into the Update Manager system should be limited to very privileged administrators, and then only for the purpose of administering Update Manager or the host OS. Anyone logged into the Update Manager can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Ensure administrators log in only when necessary by auditing login events.

ID: isolate-vum-airgap
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: VUM
Title: Limit the connectivity between Update Manager and public patch repositories.
Vulnerability Discussion: In a typical deployment, Update Manager connects to public patch repositories on the Internet to download patches. This connection should be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat.
Risk Profile: 1
Control Type: Configuration
Assessment Procedure: Verify Update Manager is configured to use the Download Service. Verify that there are enforced policies in place to use physical media to transfer update files to the Update Manager server (air-gap model). Ensure that the Download Service is functioning and that the Update Manager server does not obtain patches directly from the Internet.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.update_manager.doc/GUID-1F5292F1-904D-4607-871A-AE426EF9BD3F.html

ID: isolate-vum-proxy
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: VUM
Title: Limit the connectivity between Update Manager and public patch repositories.
Vulnerability Discussion: In a typical deployment, Update Manager connects to public patch repositories on the Internet to download patches. This connection should be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat.
Risk Profile: 3
Control Type: Configuration
Assessment Procedure: Verify that there is a Web proxy between Update Manager and the Internet. Check the proxy settings for Update Manager to make sure they are correct. Proxy settings are given in the "Installing and Administering VMware vSphere Update Manager" guide.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.update_manager.doc/GUID-975192DB-B2A7-485A-9D11-0D9CD29F1D7F.html

ID: isolate-vum-webserver
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: VUM
Title: Limit the connectivity between Update Manager and public patch repositories.
Vulnerability Discussion: In a typical deployment, Update Manager connects to public patch repositories on the Internet to download patches. This connection should be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat.
Risk Profile: 2
Control Type: Configuration
Assessment Procedure: Verify Update Manager is configured to use the Download Service, and configure a Web server to transfer the files to the Update Manager server (semi-air-gap model). Ensure that the Download Service is functioning and that the Update Manager server does not obtain patches directly from the Internet.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.update_manager.doc/GUID-47CDC301-C46F-4191-AB99-D2859F3BA54B.html

ID: limit-vum-users
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: VUM
Title: Limit user login to Update Manager system.
Vulnerability Discussion: After someone has logged into the Update Manager system, it becomes more difficult to prevent what they can do. In general, logging into the Update Manager system should be limited to very privileged administrators, and then only for the purpose of administering Update Manager or the host OS. Anyone logged into the Update Manager can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Restrict login to the Update Manager to only those personnel who have legitimate tasks to perform with it.

ID: no-vum-self-management
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: VUM
Title: Do not configure Update Manager to manage its own VM or the VM of its vCenter Server.
Vulnerability Discussion: Although you can install both Update Manager and vCenter Server on VMs and place them on the same ESXi host, you should not configure Update Manager to manage the updates on those VMs. Upon scanning and remediation, the virtual machine on which Update Manager and vCenter Server are installed can reboot and the whole deployment will shut down.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify that Update Manager does not manage the patching of the VM on which it runs, nor the VM on which the associated vCenter Server runs.

ID: no-vum-self-signed-certs
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: VUM
Title: Do not use default self-signed certificates.
Vulnerability Discussion: The self-signed certificates that are automatically generated by Update Manager during the installation process are not signed by a commercial CA, and might not provide strong security. The use of default certificates leaves the SSL connection open to MiTM attacks. Replace the default self-signed certificates with those from a trusted certification authority to mitigate the potential for MiTM attacks.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify that self-signed certificates on Update Manager have been changed to certificates from a trusted certification authority. Use of the cert automation tool can assist in this process.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-0A562049-1A24-4CEE-BFBB-E4EB164DBC6F.html

ID: patch-vum-os
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: VUM
Title: Keep Update Manager system properly patched.
Vulnerability Discussion: By staying up to date on Windows patches, vulnerabilities in the OS can be mitigated. An attacker can compromise the patching process after obtaining access and elevating privileges on the Update Manager system.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Verify the Update Manager system is up to date with patches in accordance with industry-standard guidelines, or internal guidelines where appropriate.
PowerCLI Command Assessment:
    # List all patches for your VUM server. Administrator privileges will be needed on your
    # VUM server for this to complete.
    Get-WmiObject -ComputerName "VUMServerName" Win32_QuickFixEngineering | Select Description, HotfixID

ID: restrict-vum-db-user
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: VUM
Title: Use least privileges for the Update Manager database user.
Vulnerability Discussion: Update Manager requires certain privileges on its database user in order to install, and the installer automatically checks for these. These are documented in Installing and Administering VMware vSphere Update Manager. However, after installation, only a small number of privileges are required for operation. The privileges on the VUM database user can be reduced during normal operation. These privileges should be added again if an upgrade or uninstall must be performed. Least privilege mitigates attacks if the Update Manager database account is compromised.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify that only the following permissions are allowed to the VUM DB user after installation. For Oracle: after installation, only the following permissions are needed for normal operation: create session, create any table, drop any table. For SQL Server: after installation, the dba_owner role or sysadmin role can be removed from the MSDB database (it is still required, however, for the Update Manager database). Please check "Installing and Administering VMware vSphere Update Manager" for any updates to these configurations.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.update_manager.doc/GUID-B5FB88E4-5341-45D4-ADC3-173922247466.html

ID: secure-vum-os
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: VUM
Title: Provide Windows system protection on the Update Manager system.
Vulnerability Discussion: By providing OS-level protection, vulnerabilities in the OS can be mitigated. This protection includes antivirus, antimalware, and similar measures. If an attacker can obtain access and elevate privileges on the vCenter Server system, they can then take over the entire vSphere deployment.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Verify that Windows system protection is applied, such as antivirus, in accordance with industry-standard guidelines, or internal guidelines where appropriate. Verify that the protections applied do not interfere with Update Manager function.

SSO

ID: check-SSO-Password-expiration
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: SSO
Title: Check SSO passwords for expiration
Vulnerability Discussion: The default SSO password policy has a password lifetime of 90 days. After 90 days, the password is expired and the ability to log in is compromised. This applies to ALL SSO accounts, both Administrative and User (there is no separate policy for the two groups). Ensure the admin accounts are not about to expire.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: There is no current method for notification of password expiration. Record the date of expiration and reset the password before that date. In SSO 5.1, even the administrator cannot reset the password after it has expired. In SSO 5.5, users can reset an expired password if they know the old password.
Reference: Password Reset: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-26313CF2-7D66-4D05-90CE-3649A116DC88.html

ID: check-SSO-Password-policy
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: SSO
Title: Ensure SSO Password policy conforms to local policy
Vulnerability Discussion: The default SSO password policy has a password lifetime of 90 days. After 90 days, the password is expired and the ability to log in is compromised. This applies to ALL SSO accounts, both Administrative and User (there is no separate policy for the two groups). Ensure the policies in SSO match local policies for password management and complexity.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Log into vCenter as an SSO administrator (the default user is administrator@vsphere.local) and select Configuration. There you can edit the password and lockout policies.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-B9C4409A-B053-40C3-96DE-232BB99AAA35.html

ID: config-ntp
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: SSO
Title: Configure NTP time synchronization
Vulnerability Discussion: By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC), you can make it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate. In addition, incorrect time settings can introduce login issues with SSO, as all SSO components rely on coordinated time.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: If using a separate SSO server, ensure that NTP settings are correct and in accordance with industry-standard guidelines, or internal guidelines where appropriate.
Desired Value: Site Specific
Change Type: Modify
Is desired value the default: No
Reference: Microsoft documentation for the version of Windows Server OS that you are using.
           http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.upgrade.doc/GUID-9FD3A5E3-6C2D-4161-9270-4BF57FADCE6D.html

ID: no-SSO-self-signed-certs
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: SSO
Title: Do not use default self-signed certificates.
Vulnerability Discussion: Self-signed certificates are automatically generated by SSO during the installation process, are not signed by a commercial CA, and might not provide strong security. Replace default self-signed certificates with those from a trusted certification authority, either a commercial CA or an organizational CA. The use of default certificates leaves the SSL connection open to MiTM attacks. Changing the default certificates to trusted CA-signed certificates mitigates the potential for MiTM attacks.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify that self-signed certificates on SSO have been changed to certificates from a trusted certification authority.

ID: restrict-sso-db-user
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: SSO
Title: Use least privileges for the SSO database user.
Vulnerability Discussion: SSO requires certain privileges on its database user in order to install, and the installer automatically checks for these. These are documented in the VMware Update Manager Administration Guide. However, after installation, only a small number of privileges are required for operation. The privileges on the SSO database user can be reduced during normal operation. These privileges should be added again if an upgrade or uninstall must be performed. Least privilege mitigates attacks if the SSO database account is compromised. There is currently no way to restrict AD users from logging in, even if they can't do anything.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Verify that only the following permissions are allowed to the SSO DB user after installation. For Oracle: after installation, only the following permissions are needed for normal operation: create session, create any table, drop any table. For SQL Server: after installation, the dba_owner role or sysadmin role can be removed from the MSDB database (it is still required, however, for the SSO database). Please check the latest VMware SSO Administration Guide for any updates to these configurations.

ID: SSO-DB-password-recorded
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: SSO
Title: Ensure the SSO DB password is recorded and secured
Vulnerability Discussion: If the SSO DB password is not recorded during installation, the ability to recover the SSO database is compromised.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Ensure the SSO database password is recorded and stored in a secure location.

WebClient

ID: verify-ssl-certificates
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: WebClient
Title: Always verify SSL certificates.
Vulnerability Discussion: Without certificate verification, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system. When connecting to vCenter Server using the vSphere Web Client, the client checks to see if the certificate being presented can be verified by a trusted third party. If it cannot be, the user is presented with a warning and the option to ignore this check. This warning should not be ignored; if an administrator is presented with this warning, they should inquire further about it before proceeding.
Risk Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Instruct users of any of the vSphere clients to never ignore certificate verification warnings.
PowerCLI Command Assessment:
    function Test-WebServerSSL {
    # Function original location: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=60
    [CmdletBinding()]
        param(
            [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
            [string]$URL,
            [Parameter(Position = 1)]
            [ValidateRange(1,65535)]
            [int]$Port = 443,
            [Parameter(Position = 2)]
            [Net.WebProxy]$Proxy,
            [Parameter(Position = 3)]
            [int]$Timeout = 15000,
            [switch]$UseUserContext
        )
    # Result type returned by the function
    Add-Type @"
    using System;
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    namespace PKI {
        namespace Web {
            public class WebSSL {
                public Uri OriginalURi;
                public Uri ReturnedURi;
                public X509Certificate2 Certificate;
                //public X500DistinguishedName Issuer;
                //public X500DistinguishedName Subject;
                public string Issuer;
                public string Subject;
                public string[] SubjectAlternativeNames;
                public bool CertificateIsValid;
                //public X509ChainStatus[] ErrorInformation;
                public string[] ErrorInformation;
                public HttpWebResponse Response;
            }
        }
    }
    "@
        $ConnectString = "https://$url`:$port"
        $WebRequest = [Net.WebRequest]::Create($ConnectString)
        $WebRequest.Proxy = $Proxy
        $WebRequest.Credentials = $null
        $WebRequest.Timeout = $Timeout
        $WebRequest.AllowAutoRedirect = $true
        # Accept any certificate for the probe itself; the chain is validated explicitly below
        [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        try {$Response = $WebRequest.GetResponse()}
        catch {}
        if ($WebRequest.ServicePoint.Certificate -ne $null) {
            $Cert = [Security.Cryptography.X509Certificates.X509Certificate2]$WebRequest.ServicePoint.Certificate.Handle
            # 2.5.29.17 is the Subject Alternative Name extension
            try {$SAN = ($Cert.Extensions | Where-Object {$_.Oid.Value -eq "2.5.29.17"}).Format(0) -split ","}
            catch {$SAN = $null}
            $chain = New-Object Security.Cryptography.X509Certificates.X509Chain -ArgumentList (!$UseUserContext)
            # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU
            [void]$chain.ChainPolicy.ApplicationPolicy.Add("1.3.6.1.5.5.7.3.1")
            $Status = $chain.Build($Cert)
            New-Object PKI.Web.WebSSL -Property @{
                OriginalUri = $ConnectString;
                ReturnedUri = $Response.ResponseUri;
                Certificate = $WebRequest.ServicePoint.Certificate;
                Issuer = $WebRequest.ServicePoint.Certificate.Issuer;
                Subject = $WebRequest.ServicePoint.Certificate.Subject;
                SubjectAlternativeNames = $SAN;
                CertificateIsValid = $Status;
                Response = $Response;
                ErrorInformation = $chain.ChainStatus | ForEach-Object {$_.Status}
            }
            $chain.Reset()
            # Restore default certificate validation for the rest of the session
            [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
        } else {
            Write-Error $Error[0]
        }
    }
    # Check Host Certificates
    Foreach ($VMHost in Get-VMHost) {
        Test-WebServerSSL -URL $VMHost.Name | Select OriginalURi, CertificateIsValid, Issuer
    }
    # Check vCenter Certificate
    Test-WebServerSSL -URL $DefaultVIServer | Select OriginalURi, CertificateIsValid, Issuer

ID: web-client-timeout
Product: vSphere
Version: 5.5
Component: vCenter
Subcomponent: WebClient
Title: Set a timeout for web-client login without activity.
Vulnerability Discussion: The vSphere Web Client server administrator can set an inactivity timeout for the vSphere Web Client. Closing sessions automatically reduces the potential for unauthorized access to vCenter, minimizing risk. The default value is 120 minutes.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: On the computer where the vSphere Web Client is installed, locate the webclient.properties file. The location of this file depends on the operating system on which the vSphere Web Client is installed. Consult the VMware documentation for more information; see the Reference field for a link. Edit the file to include the line session.timeout = value, where value is the timeout value in minutes. To set the client to never time out, specify a negative or 0 value for the timeout. For example, to set the timeout value to 60 minutes, include the line session.timeout = 60. The default setting is 120. Restart the vSphere Web Client service. On Windows operating systems, restart the VMware vSphere Web Client service. On the vCenter Server Appliance, restart the vsphere-client service.
Configuration File: webclient.properties
Configuration Parameter: session.timeout
Negative Functional Impact: The Web Client will be logged out by the client at the specified time and the user will have to log in again.
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.vcenterhost.doc/GUID-975412DE-CDCB-49A1-8E2A-0965325D33A5.html
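An added compliance check for the web-client-timeout setting (example code, not from the hardening guide): it parses the lines of a webclient.properties file, applies the guide's 120-minute default when no session.timeout line is present, flags a 0 or negative value as "never times out", and compares the result with a site policy maximum. The 30-minute policy value is an assumption and the sample file content is constructed; on a real server feed it the output of Get-Content on the webclient.properties path for your OS.

```powershell
# Added example, not part of the vSphere 5.5 Hardening Guide: audit the
# session.timeout setting of a vSphere Web Client webclient.properties file.
# The 30-minute policy maximum is an assumed site policy.
function Test-WebClientSessionTimeout {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyCollection()]
        [string[]]$PropertiesLines,
        [int]$MaxAllowedMinutes = 30
    )
    # Per the guide, the default is 120 minutes when no session.timeout line exists.
    $timeout = 120
    $found   = $false
    foreach ($line in $PropertiesLines) {
        $trimmed = $line.Trim()
        # Blank lines and '#' comments are ignored; a commented-out setting does not count.
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        if ($trimmed -match '^session\.timeout\s*=\s*(-?\d+)\s*$') {
            $timeout = [int]$Matches[1]   # last occurrence wins, as in Java .properties files
            $found   = $true
        }
    }
    # Per the guide, a negative or 0 value means the client never times out.
    if ($timeout -le 0) {
        $verdict = "FAIL: session.timeout=$timeout disables the inactivity timeout"
    } elseif ($timeout -gt $MaxAllowedMinutes) {
        $verdict = "FAIL: session.timeout=$timeout exceeds the policy maximum of $MaxAllowedMinutes minutes"
    } else {
        $verdict = "PASS: session.timeout=$timeout minutes"
    }
    $setting = if ($found) { "session.timeout = $timeout" } else { '(absent, default 120 applies)' }
    [pscustomobject]@{
        Setting   = $setting
        Compliant = $verdict.StartsWith('PASS')
        Verdict   = $verdict
    }
}

# Constructed sample content standing in for Get-Content <webclient.properties>.
# Note the commented-out line: it must not be mistaken for the active setting.
$sample = @(
    '# webclient.properties (constructed sample)',
    '#session.timeout = 0',
    'session.timeout = 180'
)
Test-WebClientSessionTimeout -PropertiesLines $sample -MaxAllowedMinutes 30
```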
VCSA

ID: change-default-password
Product: vSphere
Version: 5.5
Component: VCSA
Subcomponent: Access
Title: Change default VCSA password
Vulnerability Discussion: During installation of the VCSA, the default password is not changed. This must be done manually.
Risk Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: Log into the vCenter Server Appliance admin page and change the password for the root account.
Reference: http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.vcenterhost.doc%2FGUID-1BB3D56C-F72A-4330-BA06-8F4505005A3B.html

ID: config-ntp
Product: vSphere
Version: 5.5
Component: VCSA
Subcomponent: Communication
Title: Configure NTP time synchronization
Vulnerability Discussion: By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC), you can make it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate. In addition, incorrect time settings can introduce login issues with SSO, as all SSO components rely on coordinated time.
Risk Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Set NTP settings according to the VMware documentation.
Desired Value: Site Specific
Change Type: Modify
Is desired value the default: No
Reference: http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-FE79F045-BEB0-4FE5-B19D-4F4B3BE4663D.html

ID: restrict-network-access
Product: vSphere
Version: 5.5
Component: VCSA
Subcomponent: Communication
Title: Restrict network access to the vCenter Server Appliance system.
Vulnerability Discussion: Restrict access to only those essential components required to communicate with vCenter. Blocking access by unnecessary systems reduces the potential for general attacks on the operating system. Restricting access to only those essential components required to communicate with vCenter minimizes risk.
Risk Profile: 1,2
Control Type: Operational
Assessment Procedure: You should protect the vCenter Server Appliance by incorporating the settings called out in the referenced KB article. The result will be firewall settings that are compliant with the DISA STIG.
Negative Functional Impact: Only systems in the IP whitelist/ACL will be able to connect to vCenter Server.
Reference: http://kb.vmware.com/kb/2047585
