Ensure Lockdown mode is enabled: Enabling lockdown mode disables direct local access to an ESXi host, requiring the host be managed remotely from vCenter...

Ensure Managed Object Browser (MOB) is disabled: The Managed Object Browser (MOB) is a web-based server application that lets you examine objects that exist on the...

Ensure NTP time synchronization is configured properly: Network Time Protocol (NTP) synchronization should be configured correctly and enabled on each VMware ESXi host to ensure accurate...

Ensure only authorized users and groups belong to the esxAdminsGroup group: The AD group used by vSphere is defined by the esxAdminsGroup attribute. By default, this attribute is set to...

Ensure passwords are required to be complex: ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. You can change the required length and character...

Ensure PCI and PCIe device passthrough is disabled: Using the VMware DirectPath I/O feature to pass through a PCI or PCIe device to a virtual machine can...

Ensure persistent logging is configured for all ESXi hosts: ESXi can be configured to store log files on an in-memory file system. This occurs when the host's Syslog.global.LogDir...

Ensure port groups are not configured to the value of the native VLAN: ESXi does not use the concept of native VLAN, so do not configure port groups to use the native...

Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT): Port groups should not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT). When a port group...

Ensure port groups are not configured to VLAN values reserved by upstream physical switches: Ensure that port groups are not configured to VLAN values reserved by upstream physical switches. Certain physical switches reserve...