Ensure access to VMs through the dvfilter network APIs is configured correctly
Details: A VM must be configured explicitly to accept access by the dvfilter network API. Only VMs that need to...

Ensure account lockout is set to 15 minutes
Details: An account is automatically locked after the maximum number of failed consecutive login attempts is reached. The account should...

Ensure Active Directory is used for local user authentication
Details: ESXi can be configured to use a directory service such as Active Directory to manage users and groups. It...

Ensure bidirectional CHAP authentication for iSCSI traffic is enabled
Details: vSphere allows for the use of bidirectional authentication of both the iSCSI target and host. Bidirectional Challenge-Handshake Authentication Protocol...

Ensure CIM access is limited
Details: The Common Information Model (CIM) system provides an interface that enables hardware-level management from remote applications using a set...

Ensure DCUI has a trusted users list for lockdown mode
Details: Lockdown mode disables direct host access, requiring admins to manage hosts from vCenter. Set DCUI.Access to a list of...

Ensure dvfilter API is not configured if not used
Details: The dvfilter network API is used by some products (e.g., VMSafe). If it is not in use, it should...

Ensure ESXi is properly patched
Details: VMware Update Manager is a tool used to automate patch management for vSphere hosts and virtual machines. Creating a...

Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less
Details: The ESXiShellInteractiveTimeOut allows you to automatically terminate idle ESXi shell and SSH sessions. The permitted idle time should be...

Ensure informational messages from the VM to the VMX file are limited
Details: Limit informational messages from the virtual machine (VM) to the virtual machine extensions (VMX) file to avoid filling the...