SV-239258r674703_rule
V-239258
SRG-OS-000027-VMM-000080
ESXI-67-000001
CAT II
10
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile.
Click "Edit" in "Lockdown Mode" and enable ("Normal" or "Strict").
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$level = "lockdownNormal"   # or "lockdownStrict"
$vmhost = Get-VMHost -Name "<hostname>" | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
$lockdown.ChangeLockdownMode($level)
Note: In Strict Lockdown Mode, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Client is no longer available, the ESXi host becomes inaccessible.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile.
Scroll down to "Lockdown Mode" and verify it is enabled ("Normal" or "Strict").
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}}
If Lockdown Mode is disabled, this is a finding.
For environments that do not use vCenter Server to manage ESXi, this is Not Applicable.
V-239258
False
ESXI-67-000001
M
5326