SV-207602r378532_rule
V-207602
SRG-OS-000027-VMM-000080
ESXI-65-000001
CAT II
10
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Click edit on "Lockdown Mode" and set to Enabled (Normal or Strict).
or
From a PowerCLI command prompt while connected to the ESXi host run the following commands:
$level = "lockdownNormal"   # use "lockdownStrict" instead for strict lockdown mode
$vmhost = Get-VMHost -Name <hostname> | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
$lockdown.ChangeLockdownMode($level)
Note: In strict lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes inaccessible.
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Scroll down to "Lockdown Mode" and verify it is set to Enabled (Normal or Strict).
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}}
If Lockdown Mode is disabled, this is a finding.
For environments that do not use vCenter Server to manage ESXi, this is not applicable.
V-207602
False
ESXI-65-000001
M
2925