VMware vSphere 8.0 vCenter Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000516
Group -
The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
The VMware CEIP sends VMware anonymized system information that is used to improve the quality, reliability, and functionality of VMware products and services. For confidentiality purposes, this fe...Rule Medium Severity -
SRG-APP-000575
Group -
SRG-APP-000575
Group -
The vCenter server must disable SNMPv1/2 receivers.
SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were...Rule Medium Severity -
SRG-APP-000345
Group -
The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
By requiring that Single Sign-On (SSO) accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlo...Rule Medium Severity -
SRG-APP-000516
Group -
The vCenter Server must disable the distributed virtual switch health check.
Network health check is disabled by default. Once enabled, the health check packets contain information on host#, vds#, and port#, which an attacker would find useful. It is recommended that networ...Rule Medium Severity -
SRG-APP-000516
Group -
SRG-APP-000516
Group -
The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to "Reject".
If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in ...Rule Medium Severity -
SRG-APP-000516
Group -
The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject".
When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the port group have the potential of reading all packets across that network, meaning only the virtual machi...Rule Medium Severity -
SRG-APP-000516
Group -
The vCenter Server must only send NetFlow traffic to authorized collectors.
The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network, making it e...Rule Medium Severity -
SRG-APP-000516
Group -
The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).
ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will en...Rule Medium Severity -
SRG-APP-000516
Group -
The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
When a port group is set to VLAN Trunking, the vSwitch passes all network frames in the specified range to the attached virtual machines without modifying the virtual local area network (VLAN) tags...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.