Ensure Normal Lockdown mode is enabled
Details: Enabling lockdown mode disables direct local access to an ESXi host, requiring the host be managed remotely from vCenter...

Ensure NTP time synchronization is configured properly
Details: Network Time Protocol (NTP) synchronization should be configured correctly and enabled on each VMware ESXi host to ensure accurate...

Ensure only authorized users and groups belong to the esxAdminsGroup group
Details: The AD group used by vSphere is defined by the esxAdminsGroup attribute. By default, this attribute is set to...

Ensure passwords are required to be complex
Details: ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. Options include setting minimum password length, requiring password...

Ensure PCI and PCIe device passthrough is disabled
Details: Using the VMware DirectPath I/O feature to pass through a PCI or PCIe device to a virtual machine can...

Ensure persistent logging is configured for all ESXi hosts
Details: ESXi can be configured to store log files on an in-memory file system. This occurs when the host’s Syslog.global.LogDir...

Ensure port groups are not configured to the value of the native VLAN
Details: ESXi does not use the concept of native VLAN, so do not configure port groups to use the native...

Ensure port groups are not configured to VLAN 4095 and 0 except for Virtual Guest Tagging (VGT)
Details: Port groups should not be configured to VLAN 4095 or 0 except for Virtual Guest Tagging (VGT). When a...

Ensure port groups are not configured to VLAN values reserved by upstream physical switches
Details: Ensure that port groups are not configured to VLAN values reserved by upstream physical switches. Certain physical switches reserve...

Ensure port-level configuration overrides are disabled
Details: Port-level configuration overrides are disabled by default. Once enabled, it allows for different security settings to be applied, ignoring what...