ESXI-65-000028 – The ESXi host SSH daemon must limit connections to a single session. Details: The SSH protocol has the ability to provide multiple sessions over a single connection without reauthentication. A compromised client...
ESXI-65-000013 – The ESXi host SSH daemon must not allow host-based authentication. Details: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts....
ESXI-65-000029 – The ESXi host must remove keys from the SSH authorized_keys file. Details: ESXi hosts come with SSH which can be enabled to allow remote access without requiring user authentication. To enable...
ESXI-65-000014 – The ESXi host SSH daemon must not permit root logins. Details: Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct...
ESXI-65-000015 – The ESXi host SSH daemon must not allow authentication using an empty password. Details: Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password,...
ESXI-65-000016 – The ESXi host SSH daemon must not permit user environment settings. Details: SSH environment options potentially allow users to bypass access restriction in some configurations. Users must not be able to...
ESXI-65-000017 – The ESXi host SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. Details: DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. Solution: From an SSH session connected...
ESXI-65-000018 – The ESXi host SSH daemon must not permit GSSAPI authentication. Details: GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s...
ESXI-65-000019 – The ESXi host SSH daemon must not permit Kerberos authentication. Details: Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides...
ESXI-65-000020 – The ESXi host SSH daemon must perform strict mode checking of home directory configuration files. Details: If other users have access to modify user-specific SSH configuration files, they may be able to log into the...