STIGQter: STIG Summary: VMware vSphere 6.7 ESXi Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:

The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.

DISA Rule

SV-239304r674841_rule

Vulnerability Number

V-239304

Group Title

SRG-OS-000423-VMM-001700

Rule Version

ESXI-67-000049

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters.

Select the Management VMkernel and click "Edit".

On the Port properties tab, uncheck every service except "Management".

On the IP Settings tab, enter the appropriate IP address and subnet information and click "OK".

To set the appropriate VLAN ID, go to Configure >> Networking >> Virtual switches.

Select the Management portgroup and click "Edit".

On the properties tab, enter the appropriate VLAN ID and click "OK".

Check Contents

Verify the Management VMkernel port group is on a dedicated VLAN, which can be on a common standard or distributed virtual switch as long as the Management VLAN is not shared by any other function and is not accessible to anything other than management-related functions such as vCenter.

The check for this will be unique per environment.

From the vSphere Client, select the ESXi host and go to Configure >> Networking.

Review the VLAN associated with the Management VMkernel and verify it is dedicated for that purpose and is logically separated from other functions.

If the Management network segment is reachable from anywhere other than the networks where management-related entities such as vCenter are located, this is a finding.
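The Check and Fix steps above are vSphere Client click paths. The following PowerCLI script is an added example, not part of the STIG or of STIGQter's output, that performs the same check and remediation from the command line. It assumes the VMware.PowerCLI module is installed and that Connect-VIServer has already been run against vCenter; the host name, management VLAN ID and the $Remediate flag are placeholders chosen for this example. It goes slightly beyond the STIG text by also comparing the Management port group's VLAN against every other standard port group on the host, so that a VLAN shared with vMotion, vSAN or VM traffic is reported as a finding.

```powershell
# Added example (not from the STIG): audit and remediate ESXI-67-000049 with PowerCLI.
# Assumes: VMware.PowerCLI is installed and Connect-VIServer has already been run.
$HostName  = 'esxi01.example.com'   # assumption: replace with the target ESXi host
$MgmtVlan  = 100                    # assumption: the VLAN reserved for management traffic
$Remediate = $false                 # assumption: set to $true to apply the Fix section

$vmhost = Get-VMHost -Name $HostName

# --- Check ----------------------------------------------------------------
# A VMkernel adapter that carries Management traffic must carry nothing else,
# and the VLAN of its port group must not be reused by any other port group.
$allPg   = Get-VirtualPortGroup -VMHost $vmhost -Standard
$vmks    = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel
$mgmtVmk = $vmks | Where-Object { $_.ManagementTrafficEnabled }

$findings = @()
foreach ($vmk in $mgmtVmk) {
    # Services other than Management enabled on the same VMkernel adapter
    if ($vmk.VMotionEnabled -or $vmk.FaultToleranceLoggingEnabled -or $vmk.VsanTrafficEnabled) {
        $findings += "$($vmk.Name): Management shares the adapter with vMotion/FT/vSAN traffic"
    }

    $pg = $allPg | Where-Object { $_.Name -eq $vmk.PortGroupName }
    if (-not $pg) {
        # Port group lives on a distributed switch; its VLAN must be checked with Get-VDPortgroup
        $findings += "$($vmk.Name): port group '$($vmk.PortGroupName)' is not a standard port group; verify its VLAN on the distributed switch"
        continue
    }

    # Any other standard port group on this host tagged with the same VLAN
    $shared = $allPg | Where-Object { $_.Name -ne $pg.Name -and $_.VLanId -eq $pg.VLanId }
    foreach ($s in $shared) {
        $findings += "$($vmk.Name): VLAN $($pg.VLanId) is also used by port group '$($s.Name)'"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "$HostName`: Management VMkernel is alone on its adapter and VLAN" }

# --- Fix ------------------------------------------------------------------
# Mirrors the vSphere Client steps: leave only "Management" enabled on the
# VMkernel adapter, then tag its standard port group with the management VLAN.
if ($Remediate) {
    foreach ($vmk in $mgmtVmk) {
        Set-VMHostNetworkAdapter -VirtualNic $vmk `
            -ManagementTrafficEnabled:$true `
            -VMotionEnabled:$false `
            -FaultToleranceLoggingEnabled:$false `
            -VsanTrafficEnabled:$false `
            -Confirm:$false | Out-Null

        $pg = $allPg | Where-Object { $_.Name -eq $vmk.PortGroupName }
        if ($pg) {
            Set-VirtualPortGroup -VirtualPortGroup $pg -VLanId $MgmtVlan -Confirm:$false | Out-Null
        }
    }
}
```

The script only sees the host's own virtual switch configuration. The second half of the check, that the Management VLAN is not reachable from anything other than management-related networks such as the one hosting vCenter, is a property of the physical switches and firewalls and still has to be verified there; as the STIG says, that part is unique to each environment.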

Documentable

False

Check Content Reference

M

Target Key

5326

Comments