Details

NFC is the mechanism used to migrate or clone a VM between two ESXi hosts over the network. By default, NFC over SSL is enabled (i.e., ‘True’) within a vSphere cluster but the value of the setting is null. Clients check the value of the setting and default to not using SSL for performance reasons if the value is null. This behavior can be changed by ensuring the setting has been explicitly created and set to ‘True’. This will force clients to use SSL. Without this setting VM contents could potentially be sniffed if the management network is not adequately isolated and secured.

Solution

From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Click ‘Edit’ and edit the ‘config.nfc.useSSL’ value to ‘true’ or if the value does not exist create it by entering the values in the ‘Key’ and ‘Value’ fields and clicking ‘Add’.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:

If the setting already exists:
Get-AdvancedSetting -Entity -Name config.nfc.useSSL | Set-AdvancedSetting -Value true

If the setting does not exist:
New-AdvancedSetting -Entity -Name config.nfc.useSSL -Value true

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-5_Y21M10_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.

References

• 800-53|CM-6b.
• CAT|II
• CCI|CCI-000366
• Rule-ID|SV-216843r612237_rule
• STIG-ID|VCWN-65-000021
• STIG-Legacy|SV-104583
• STIG-Legacy|V-94753
• Vuln-ID|V-216843

Source

• Tenable.com/audits