ESXI5-VMNET-000016 – The system must ensure the virtual switch MAC Address Change policy is set to reject. Details: If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC...
ESXI5-VMNET-000001 – All dvPortgroup VLAN IDs must be fully documented. Details: If using VLAN tagging on a dvPortgroup, tags must correspond to the IDs on external VLAN-aware upstream switches if...
ESXI5-VMNET-000017 – The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode. Details: In order to communicate with virtual switches in VST mode, external switch ports must be configured as trunk ports....
ESXI5-VMNET-000002 – All dvSwitch Private VLAN IDs must be fully documented. Details: dvSwitch Private VLANs (PVLANs) require primary and secondary VLAN IDs. The IDs must correspond to the IDs on external...
ESXI5-VMNET-000003 – All virtual switches must have a clear network label. Details: Network labels must identify each port group with a name. These names are important because they serve as a...
ESXI5-VMNET-000004 – Virtual switch VLANs must be fully documented and have only the required VLANs. Details: When defining a physical switch port for trunk mode, only specified VLANs must be configured on the VLAN trunk...
ESXI5-VMNET-000005 – All vSwitch and VLAN IDs must be fully documented – ‘vSwitch labels’. Details: VLAN tagging used on a vSwitch must correspond to the IDs on external VLAN-aware upstream switches, if any. If...
ESXI5-VMNET-000006 – All IP-based storage traffic must be isolated to a management-only network using a dedicated, physical network adaptor. Details: Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS....
ESXI5-VMNET-000007 – Only authorized administrators must have access to virtual networking components. Details: This control mitigates the risk of misconfiguration, whether accidental or malicious, and enforces key security concepts of separation of...
ESXI5-VMNET-000008 – All physical switch ports must be configured with spanning tree disabled. Details: Due to the integration of the ESXi Server into the physical network, the physical network (switch) adaptors must have...