Ensure access to VMs through the dvfilter network APIs is configured correctly
Details: A VM must be configured explicitly to accept access by the dvfilter network API. Only VMs that need to...

Ensure account lockout is set to 15 minutes
Details: An account is automatically locked after the maximum number of failed consecutive login attempts is reached. The account should...

Ensure bidirectional CHAP authentication for iSCSI traffic is enabled
Details: vSphere allows for the use of bidirectional authentication of both the iSCSI target and host. Bidirectional Challenge-Handshake Authentication Protocol...

Ensure CIM access is limited
Details: The Common Information Model (CIM) system provides an interface that enables hardware-level management from remote applications using a set...

Ensure DCUI has a trusted users list for lockdown mode
Details: Lockdown mode disables direct host access, requiring admins to manage hosts from vCenter. Set DCUI.Access to a list of...

Ensure dvfilter API is not configured if not used
Details: The dvfilter network API is used by some products (e.g., VMSafe). If it is not in use, it should...

Ensure ESXi is properly patched
Details: VMware Lifecycle Manager is a tool which may be utilized to automate patch management for vSphere hosts and virtual...

Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less
Details: The ESXiShellInteractiveTimeOut allows you to automatically terminate idle ESXi shell and SSH sessions. The permitted idle time should be...

Ensure informational messages from the VM to the VMX file are limited
Details: Limit informational messages from the virtual machine (VM) to the virtual machine extensions (VMX) file to avoid filling the...

Ensure Managed Object Browser (MOB) is disabled
Details: The Managed Object Browser (MOB) is a web-based server application that lets you examine objects that exist on the...