
Ensure that there are no unused ports on a distributed virtual port group

Details

Ensure that there are no unused ports on a distributed virtual port group.

Rationale

The number of ports on a dvSwitch distributed port group (dvPortgroup) can be adjusted to exactly match the number of virtual machine vNICs that need to be assigned to it. Limiting the port count to just what is needed limits the potential for an administrator, either accidentally or maliciously, to move a virtual machine onto an unauthorized network. This is especially relevant if the management network is on a dvPortgroup, because it helps prevent someone from placing a rogue virtual machine on that network.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

1. Connect to the vCenter Server with the vSphere Client (Home > Inventory >
Networking view, find all dvSwitches) or the vSphere Web Client (Networking > vDS name >
dvPortgroup name > Manage > Edit Settings > General).
2. On each dvPortgroup, set the number of ports to exactly the number of legitimate
virtual machine vNIC connections that port group must carry.
3. Keep the port group on static port binding with a fixed port allocation (auto-expand
disabled): with elastic allocation vCenter adds ports on demand, so a tight port count
does not block a new connection. Ephemeral binding has no fixed port count, so this
control cannot be enforced on ephemeral port groups.

Impact

The VDS or dvPortgroup on the VDS will not have any spare port capacity, so attaching an additional vNIC to the port group first requires an administrator to raise its port count.
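Since Nessus does not perform this check, the following PowerCLI script is an added example of how to audit and remediate it across every dvPortgroup in a vCenter inventory; it is not part of the CIS benchmark or of Tenable's audit content. It assumes VMware PowerCLI is loaded and that Connect-VIServer has already been run against the vCenter Server. The property and method names it relies on (NumPorts, PortBinding, VDSwitch, ConnectedEntity, ExtensionData.Config.AutoExpand, DVPortgroupConfigSpec, ReconfigureDVPortgroup) are PowerCLI and vSphere API names; the two function names are this example's own. The compliance test is stricter than the benchmark text alone: a port group only passes if it uses static binding, has auto-expand disabled, and has no more ports than connected entities, because any of those three gaps lets a new vNIC be attached without touching the port count.

```powershell
# Added example (not CIS benchmark or Tenable code). Requires PowerCLI and an
# existing Connect-VIServer session to vCenter. Function names are hypothetical.

function Get-DvPortgroupPortAudit {
    [CmdletBinding()]
    param(
        # Name (or wildcard) of the dvSwitches to audit; default is every VDS in the inventory.
        [string]$VDSwitchName = '*'
    )

    foreach ($pg in (Get-VDSwitch -Name $VDSwitchName | Get-VDPortgroup)) {
        # Uplink port groups hold physical NICs, not VM vNICs, so the control does not apply to them.
        if ($pg.ExtensionData.Config.Uplink) { continue }

        # Count ports that actually have an entity (VM vNIC, VMkernel port, ...) attached.
        $connected = @(Get-VDPort -VDPortgroup $pg | Where-Object { $null -ne $_.ConnectedEntity }).Count

        # With auto-expand on (the default for static binding since vSphere 5.0) vCenter grows
        # the port pool on demand, so a tight NumPorts alone does not stop a rogue vNIC.
        $autoExpand = [bool]$pg.ExtensionData.Config.AutoExpand

        # Ephemeral binding allocates ports only while a VM is powered on, so NumPorts is
        # meaningless there; the control is only enforceable with static binding.
        $isStatic = ($pg.PortBinding -eq 'Static')

        [pscustomobject]@{
            VDSwitch    = $pg.VDSwitch.Name
            Portgroup   = $pg.Name
            PortBinding = $pg.PortBinding
            NumPorts    = $pg.NumPorts
            Connected   = $connected
            Unused      = $pg.NumPorts - $connected
            AutoExpand  = $autoExpand
            Compliant   = $isStatic -and (-not $autoExpand) -and ($pg.NumPorts -eq $connected)
        }
    }
}

function Set-DvPortgroupPortsToConnected {
    # Remediation: shrink NumPorts to the connected count and switch off auto-expand in a
    # single reconfigure call. Supports -WhatIf / -Confirm so it can be dry-run first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Audit
    )
    process {
        # Nothing to do for compliant port groups; ephemeral/dynamic binding is out of scope.
        if ($Audit.Compliant -or $Audit.PortBinding -ne 'Static') { return }

        $vds = Get-VDSwitch -Name $Audit.VDSwitch
        $pg  = Get-VDPortgroup -VDSwitch $vds -Name $Audit.Portgroup

        $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
        $spec.ConfigVersion = $pg.ExtensionData.Config.ConfigVersion  # vCenter rejects the update without it
        $spec.NumPorts      = $Audit.Connected
        $spec.AutoExpand    = $false

        $action = "Set NumPorts=$($Audit.Connected) (was $($Audit.NumPorts)), AutoExpand=false"
        if ($PSCmdlet.ShouldProcess("$($Audit.VDSwitch)/$($Audit.Portgroup)", $action)) {
            $pg.ExtensionData.ReconfigureDVPortgroup($spec)
        }
    }
}

# Usage: report first, then remediate only after reviewing the output (drop -WhatIf to apply).
$audit = Get-DvPortgroupPortAudit
$audit | Format-Table VDSwitch, Portgroup, PortBinding, NumPorts, Connected, Unused, AutoExpand, Compliant -AutoSize
$audit | Where-Object { -not $_.Compliant } | Set-DvPortgroupPortsToConnected -WhatIf
```

Run the audit on its own first: a port group whose Connected count is lower than the number of VMs you expect on it usually means powered-off VMs (their ports are still allocated under static binding, so they count) or VMs attached to a different port group than intended, and both are worth understanding before the port count is cut down.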

Supportive Information

This control applies to the following type of system: VMware.

Updated on July 16, 2022