ESXI-67-000062 – The ESXi host must prevent unintended use of the dvFilter network APIs. Details If the organization is not using products that use the dvFilter network API, the host should not be configured...
ESXI-67-000063 – For the ESXi host, all port groups must be configured to a value other than that of the native VLAN. Details ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have...
ESXI-67-000064 – For the ESXi host, all port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required – VGT is required. Details When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes...
ESXI-67-000065 – For the ESXi host, all port groups must not be configured to VLAN values reserved by upstream physical switches. Details Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For...
ESXI-67-000066 – For physical switch ports connected to the ESXi host, the non-negotiate option must be configured for trunk links between external physical switches and virtual switches in Virtual Switch Tagging (VST) mode. Details To communicate with virtual switches in VST mode, external switch ports must be configured as trunk ports. VST mode...
ESXI-67-000067 – All ESXi host-connected physical switch ports must be configured with spanning tree disabled. Details Since VMware virtual switches do not support STP, the ESXi host-connected physical switch ports must have portfast configured if...
ESXI-67-000068 – All ESXi host-connected virtual switch VLANs must be fully documented and have only the required VLANs. Details When defining a physical switch port for trunk mode, only specified VLANs must be configured on the VLAN trunk...
ESXI-67-000070 – The ESXi host must not provide root/administrator-level access to CIM-based hardware monitoring tools or other third-party applications. Details The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs....
ESXI-67-000071 – The SA must verify the integrity of the installation media before installing ESXi. Details Always check the SHA1 or MD5 hash after downloading an ISO, offline bundle, or patch to ensure integrity and...
ESXI-67-000072 – The ESXi host must have all security patches and updates installed. Details Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. NOTE: Nessus has not performed...