Performance Best Practices For VMware Vsphere 6.7 VMware ESXi 6.7

Guideline ID
ESXi.apply-patches
ESXi.audit-exception-users
ESXi.Audit-SSH-Disable
ESXi.config-ntp
ESXi.config-persistent-logs
ESXi.config-snmp
ESXi.disable-mob
ESXi.enable-ad-auth
ESXi.enable-auth-proxy
ESXi.enable-chap-auth
ESXi.enable-normal-lockdown-mode
ESXi.enable-remote-syslog
ESXi.enable-strict-lockdown-mode
ESXi.firewall-restrict-access
ESXi.set-account-auto-unlock-time
ESXi.set-account-lockout
ESXi.set-dcui-access
ESXi.set-dcui-timeout
ESXi.set-password-policies
ESXi.set-shell-interactive-timeout
ESXi.set-shell-timeout
ESXi.TransparentPageSharing-intra-enabled
ESXi.verify-acceptance-level-supported
VM.disable-console-copy
VM.disable-console-paste
VM.disable-disk-shrinking-shrink
VM.disable-disk-shrinking-wiper
VM.disable-independent-nonpersistent
VM.disable-non-essential-3D-features
VM.disconnect-devices-floppy
VM.disconnect-devices-parallel
VM.disconnect-devices-serial
VM.Enable-VGA-Only-Mode
VM.limit-setinfo-size
VM.minimize-console-VNC-use
VM.restrict-host-info
VM.TransparentPageSharing-inter-VM-Enabled
VM.verify-network-filter
VM.verify-PCI-Passthrough
vNetwork.enable-bpdu-filter
vNetwork.limit-network-healthcheck
vNetwork.reject-forged-transmit-dvportgroup
vNetwork.reject-forged-transmit-StandardSwitch
vNetwork.reject-mac-changes-dvportgroup
vNetwork.reject-mac-changes-StandardSwitch
vNetwork.reject-promiscuous-mode-dvportgroup
vNetwork.reject-promiscuous-mode-StandardSwitch
vNetwork.restrict-netflow-usage
vNetwork.restrict-port-level-overrides
vNetwork.verify-dvfilter-bind
Description
Keep ESXi system properly patched
Audit the list of users who are on the Exception Users List and whether the have administrator
privleges
Ensure that the SSH default disablement has not been changed
Configure NTP time synchronization
Configure persistent logging for all ESXi host
Ensure proper SNMP configuration
Disable Managed Object Browser (MOB)
Use Active Directory for local user authentication

When adding ESXi hosts to Active Directory use the vSphere Authentication Proxy to protect
passwords
Enable bidirectional CHAP, also known as Mutual CHAP, authentication for iSCSI traffic
Enable Normal Lockdown Mode to restrict access
Configure remote logging for ESXi hosts

Enable Strict lockdown mode to restrict access
Configure the ESXi host firewall to restrict access to services running on the host
Set the time after which a locked account is automatically unlocked
Set the count of maximum failed login attempts before the account is locked out
Set DCUI.Access to allow trusted users to override lockdown mode

Audit DCUI timeout value
Establish a password policy for password complexity
Set a timeout to automatically terminate idle ESXi Shell and SSH sessions
Set a timeout to limit how long the ESXi Shell and SSH services are allowed to run
Ensure default setting for intra-VM TPS is correct
Verify Image Profile and VIB Acceptance Levels
Explicitly disable copy/paste operations
Explicitly disable copy/paste operations

Disable virtual disk shrinking
Disable virtual disk shrinking
Avoid using independent nonpersistent disks
Disable 3D features on Server and desktop virtual machines
Disconnect unauthorized devices

Disable all but VGA mode on specific virtual machines
Limit informational messages from the VM to the VMX file
Control access to VM console via VNC protocol
Do not send host information to guests

Check for enablement of salted VM's that are sharing memory pages
Control access to VMs through the dvfilter network APIs
Audit all uses of PCI or PCIe passthrough functionality

Enable BPDU filter on the ESXi host to prevent being locked out of physical switch ports with
Portfast and BPDU Guard enabled
Enable VDS network healthcheck only if you need it
Ensure that the “Forged Transmits” policy is set to reject
Ensure that the “Forged Transmits” policy is set to reject

Ensure that the “MAC Address Changes” policy is set to reject
Ensure that the “MAC Address Changes” policy is set to reject
Ensure that the “Promiscuous Mode” policy is set to reject
Ensure that the “Promiscuous Mode” policy is set to reject

Ensure that VDS Netflow traffic is only being sent to authorized collector IPs
Restrict port-level configuration overrides on VDS
Audit use of dvfilter network APIs

Vulnerability Discussion
By staying up to date on ESXi patches, vulnerabilities in the hypervisor can be mitigated. An

educated attacker can exploit known vulnerabilities when attempting to attain access or elevate
privileges on an ESXi host.
In vSphere 6.0 and later, you can add users to the Exception Users list from the vSphere Web
Client. These users do not lose their permissions when the host enters lockdown mode. Usually
you may want to add service accounts such as a backup agent to the Exception Users list. Verify
that the list of users who are exempted from losing permissions is legitimate and as needed per
your enviornment. Users who do not require special permissions should not be exempted from
lockdown mode.
SSH is disabled by default on ESXi. The use of SSH to an ESXi host should be limited in scope and
use. SSH enablement is controlled via the SSH service. This service is stopped by default.
By ensuring that all systems use the same relative time source (including the relevant localization
offset), and that the relative time source can be correlated to an agreed-upon time standard (such
as Coordinated Universal Time—UTC), you can make it simpler to track and correlate an intruder’s
actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect
and correlate log files to detect attacks, and can make auditing inaccurate.
ESXi can be configured to store log files on an in-memory file system. This occurs when the host's
"/scratch" directory is linked to "/tmp/scratch". When this is done only a single day's worth of logs
are stored at any time. In addition log files will be reinitialized upon each reboot. This presents a
security risk as user activity logged on the host is only stored temporarily and will not persistent
across reboots. This can also complicate auditing and make it harder to monitor events and
diagnose issues. ESXi host logging should always be configured to a persistent datastore.
If SNMP is not being used, it should remain disabled. If it is being used, the proper trap destination
should be configured. If SNMP is not properly configured, monitoring information can be sent to a
malicious host that can then use this information to plan an attack. Note: ESXi 5.1 and later
supports SNMPv3 which provides stronger security than SNMPv1 or SNMPv2, including key
authentication and encryption. Deciding what version of SNMP to use (v1, v2 or v3) is a site
specific setting.
The managed object browser (MOB) provides a way to explore the object model used by the
VMkernel to manage the host; it enables configurations to be changed as well. This interface is
meant to be used primarily for debugging the vSphere SDK. In Sphere 6.x this is disabled by
default. This guideline is here to remind you to audit your ESXi servers to ensure someone hasn't
turned on the MOB.
Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain
multiple local user accounts. Using AD for user authentication simplifies the ESXi host
configuration, ensures password complexity and reuse policies are enforced and reduces the risk of
security breaches and unauthorized access. Note: if the AD group "ESX Admins" (default) exists
then all users and groups that are assigned as members to this group will have full administrative
access to all ESXi hosts the domain.
If you configure your host to join an Active Directory domain using Host Profiles the Active
Directory credentials are saved in the host profile and are transmitted over the network. To avoid
having to save Active Directory credentials in the Host Profile and to avoid transmitting Active
Directory credentials over the network use the vSphere Authentication Proxy.
vSphere allows for the use of bidirectional authentication of both the iSCSI target and host.
Choosing not to enforce more stringent authentication can make sense if you create a dedicated
network or VLAN to service all your iSCSI devices. By not authenticating both the iSCSI target and
host, there is a potential for a MiTM attack in which an attacker might impersonate either side of
the connection to steal data. Bidirectional authentication can mitigate this risk. If the iSCSI facility is
isolated from general network traffic, it is less vulnerable to exploitation.
Enabling lockdown mode disables direct access to an ESXi host requiring the host be managed
remotely from vCenter Server. This is done to ensure the roles and access controls implemented in
vCenter are always enforced and users cannot bypass them by logging into a host directly. By
forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining
elevated privileges or performing tasks that are not properly audited is greatly reduced. Note:
Lockdown mode does not apply to users who log in using authorized keys. When you use an
authorized key file for root user authentication, root users are not prevented from accessing a host
with SSH even when the host is in lockdown mode.
Note that users listed in the DCUI.Access list for each host are allowed to override lockdown mode
and login to the DCUI.
By default the "root" user is the only user listed in the DCUI.Access list.
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering
host log files onto a central host you can more easily monitor all hosts with a single tool. You can
also do aggregate analysis and searching to look for such things as coordinated attacks on multiple
hosts. Logging to a secure, centralized log server helps prevent log tampering and also provides a
long-term audit record. To facilitate remote logging VMware provides the vSphere Syslog Collector.
Enabling lockdown mode disables direct access to an ESXi host requiring the host be managed
remotely from vCenter Server.
This is done to ensure the roles and access controls implemented in vCenter are always enforced
and users cannot bypass them by logging into a host directly. By forcing all interaction to occur
through vCenter Server, the risk of someone inadvertently attaining elevated privileges or
performing tasks that are not properly audited is greatly reduced.
Strict lockdown mode stops the DCUI service. However, the ESXi Shell and SSH services are
independent of lockdown mode. For lockdown mode to be an effective security measure, ensure
that the ESXi Shell and SSH services are also disabled. Those services are disabled by default.
When a host is in lockdown mode, users on the Exception Users list can access the host from the
ESXi Shell and through SSH if they have the Administrator role on the host and if these services are
enabled. This access is possible even in strict lockdown mode. Leaving the ESXi Shell service and
the SSH service disabled is the most secure option.
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and
unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from
authorized networks. This guideline is focused specifically on two types of access. SSH (which is
disabled by default) and vSphere Web Access running on Port 80.
Modification of firewall rules for any other service may have a negative impact on the overall
operation. Best practices state that ESXi and vCenter should be running in a separate network.
This guideline will show how to limit access to the SSH and Web server to IP address ranges to
further limit the scope of vulnerability.
Multiple account login failures for the same account could possibly be a threat vector trying to
brute force the system or cause denial of service. Such attempts to brute force the system should
be limited by locking out the account after reaching a threshold.
In case, you would want to auto unlock the account, i.e. unlock the account without administrative
action, set the time for which the account remains locked. Setting a high duration for which
account remains locked would deter and serverly slow down the brute force method of logging in.
Multiple account login failures for the same account could possibly be a threat vector trying to
brute force the system or cause denial of service. Such attempts to brute force the system should
be limited by locking out the account after reaching a threshold.
Lockdown mode disables direct host access requiring that admins manage hosts from vCenter
Server. However, if a host becomes isolated from vCenter Server, the admin is locked out and can
no longer manage the host. If you are using normal lockdown mode, you can avoid becoming
locked out of an ESXi host that is running in lockdown mode, by setting DCUI.Access to a list of
highly trusted users who can override lockdown mode and access the DCUI. The DCUI is not
running in strict lockdown mode.
DCUI is used for directly logging into ESXi host and carrying out host management tasks. The idle
connections to DCUI must be terminated to avoid any unintended usage of the DCUI originating
from a left over login session.
ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. It is important to
use passwords that are not easily guessed and that are difficult for password generators to
determine. Password strength and complexity rules apply to all ESXi users, including root. They do
not apply to Active Directory users when the ESX host is joined to a domain. Those password
policies are enforced by AD.
If a user forgets to log out of their SSH session, the idle connection will remains open indefinitely,
increasing the potential for someone to gain privileged access to the host. The
ESXiShellInteractiveTimeOut allows you to automatically terminate idle shell sessions.
When the ESXi Shell or SSH services are enabled on a host they will run indefinitely. To avoid
having these services left running set the ESXiShellTimeOut. The ESXiShellTimeOut defines a
window of time after which the ESXi Shell and SSH services will automatically be terminated.
Acknowledgement of the recent academic research that leverages Transparent Page Sharing (TPS)
to gain unauthorized access to data under certain highly controlled conditions and documents
VMware’s precautionary measure of restricting TPS to individual virtual machines by default in
upcoming ESXi releases. At this time, VMware believes that the published information disclosure
due to TPS between virtual machines is impractical in a real world deployment.
VMs that do not have the sched.mem.pshare.salt option set cannot share memory with any other
VMs.
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code
installed on an ESXi host. The ESXi Image profile supports four acceptance levels:
(1) VMwareCertified - VIBs created, tested and signed by VMware
(2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware,
(3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner
(4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner.
Community Supported VIBs are not supported and do not have a digital signature. To protect the
security and integrity of your ESXi hosts do not allow unsigned (CommunitySupported) VIBs to be
installed on your hosts.
Copy and paste operations are disabled by default. However, if you explicitly disable this feature
audit controls can check that this setting is correct.
Copy and paste operations are disabled by default, however, if you explicitly disable this feature,
audit controls can check that this setting is correct.
Shrinking a virtual disk reclaims unused space in it. The shrinking process itself, which takes place
on the host, reduces the size of the disk's files by the amount of disk space reclaimed in the wipe
process. If there is empty space in the disk, this process reduces the amount of space the virtual
disk occupies on the host drive. Normal users and processes—that is, users and processes without
root or administrator privileges—within virtual machines have the capability to invoke this
procedure. A non-root user cannot wipe the parts of the virtual disk that require root-level
permissions. However, if this is done repeatedly, the virtual disk can become unavailable while this
shrinking is being performed, effectively causing a denial of service. In most datacenter
environments, disk shrinking is not done, so you should disable this feature. Repeated disk
shrinking can make a virtual disk unavailable. Limited capability is available to non-administrative
users in the guest.
Shrinking a virtual disk reclaims unused space in it. VMware Tools reclaims all unused portions of
disk partitions (such as deleted files) and prepares them for shrinking. Wiping takes place in the
guest operating system. If there is empty space in the disk, this process reduces the amount of
space the virtual disk occupies on the host drive. Normal users and processes—that is, users and
processes without root or administrator privileges—within virtual machines have the capability to
invoke this procedure. A non-root user cannot wipe the parts of the virtual disk that require root-
level permissions. However, if this is done repeatedly, the virtual disk can become unavailable
while this shrinking is being performed, effectively causing a denial of service. In most datacenter
environments, disk shrinking is not done, so you should disable this feature. Repeated disk
shrinking can make a virtual disk unavailable. Limited capability is available to non-administrative
users in the guest.
The security issue with nonpersistent disk mode is that successful attackers, with a simple
shutdown or reboot, might undo or remove any traces that they were ever on the machine. To
safeguard against this risk, production virtual machines should be set to use persistent disk mode;
additionally, make sure that activity within the VM is logged remotely on a separate server, such as
a syslog server or equivalent Windows-based event collector. Without a persistent record of
activity on a VM, administrators might never know whether they have been attacked or hacked.
It is suggested that 3D be disabled on virtual machines that do not require 3D functionality, (e.g.
server or desktops not using 3D applications).
Ensure that no device is connected to a virtual machine if it is not required. For example, serial and
parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives
are usually connected only temporarily during software installation. For less commonly used
devices that are not required, either the parameter should not be present or its value must be
FALSE. NOTE: The parameters listed are not sufficient to ensure that a device is usable; other
required parameters specify how each device is instantiated. Any enabled or connected device
represents a potential attack channel.
When setting is set to FALSE, functionality is disabled, however the device may still show up
withing the guest operation system.
Many Server-class virtual machines need only a standard VGA console (typically a Unix/Linux
server system). Enabling this setting removes additional unnecessary (for a server workload)
functionality beyond disabling 3D.
The configuration file containing these name-value pairs is limited to a size of 1MB. This 1MB
capacity should be sufficient for most cases, but you can change this value if necessary. You might
increase this value if large amounts of custom information are being stored in the configuration
file. The default limit is 1MB;this limit is applied even when the sizeLimit parameter is not listed in
the .vmx file. Uncontrolled size for the VMX file can lead to denial of service if the datastore is
filled.
The VM console enables you to connect to the console of a virtual machine, in effect seeing what a
monitor on a physical server would show. This console is also availabe via the VNC protocol. Setting
up this access also involves setting up firewall rules on each ESXi server the virtual machine will run
on.
By enabling a VM to get detailed information about the physical host, an adversary could
potentially use this information to inform further attacks on the host.
If set to True a VM can obtain detailed information about the physical host. *The default value for
the parameter is False but is displayed as Null. Setting to False is purely for audit purposes.*
This setting should not be TRUE unless a particular VM requires this information for performance
monitoring.
When salting is enabled (Mem.ShareForceSalting=1 or 2) in order to share a page between two
virtual machines both salt and the content of the page must be same. A salt value is a configurable
vmx option for each virtual machine. You can manually specify the salt values in the virtual
machine's vmx file with the new vmx option sched.mem.pshare.salt. If this option is not present in
the virtual machine's vmx file, then the value of vc.uuid vmx option is taken as the default value.
Since the vc.uuid is unique to each virtual machine, by default TPS happens only among the pages
belonging to a particular virtual machine (Intra-VM).
If a group of virtual machines are considered trustworthy, it is possible to share pages among them
by setting a common salt value for all those virtual machines (inter-VM).
Default value is null. When this happens the VM has a random salt value generated.
An attacker might compromise a VM by making use the dvFilter API. Configure only those VMs to
use the API that need this access.
This setting is considered an "Audit Only" guideline. If there is a value present, the admin should
check it to ensure it is correct.
Using the VMware DirectPath I/O feature to pass through a PCI or PCIe device to a virtual machine
results in a potential security vulnerability. The vulnerability can be triggered by buggy or
malicious code running in privileged mode in the guest OS, such as a device driver. Industry-
standard hardware and firmware does not currently have sufficient error containment support to
make it possible for ESXi to close the vulnerability fully.
There can be a valid business reason for a VM to have this configured. This is an audit-only
guideline. You should be aware of what virtual machines are configured with direct passthrough of
PCI and PCIe devices and ensure that their guest OS is monitored carefully for malicious or buggy
drivers that could crash the host.
BPDU Guard and Portfast are commonly enabled on the physical switch to which the ESXi host is
directly connected to reduce the STP convergence delay.
If a BPDU packet is sent from a virtual machine on the ESXi host to the physical switch so
configured, a cascading lockout of all the uplink interfaces from the ESXi host can occur.
To prevent this type of lockout, BPDU Filter can be enabled on the ESXi host to drop any BPDU
packets being sent to the physical switch.
The caveat is that certain SSL VPN which use Windows bridging capability can legitimately generate
BPDU packets. The administrator should verify that there are no legitimate BPDU packets
generated by virtual machines on the ESXi host prior to enabling BPDU Filter.
If BPDU Filter is enabled in this situation, enabling Reject Forged Transmits on the virtual switch
port group adds protection against Spanning Tree loops.
In the 6.7 SCG this was changed to a site specific setting to be more in line with the guidelines
intent. You need to be using BPDU in guest and have BPDU configured on a hardware switch.
Network Healthcheck is disabled by default. Once enabled, the healthcheck packets contain
information on host#, vds# port#, which an attacker would find useful. It is recommended that
network healthcheck be used for troubleshooting, and turned off when troubleshooting is
finished.
If the virtual machine operating system changes the MAC address, the operating system can send
frames with an impersonated source MAC address at any time. This allows an operating system to
stage malicious attacks on the devices in a network by impersonating a network adaptor
authorized by the receiving network.
When the Forged transmits option is set to Accept, ESXi does not compare source and effective
MAC addresses.
To protect against MAC impersonation, you can set the Forged transmits option to Reject. If you
do, the host compares the source MAC address being transmitted by the guest operating system
with the effective MAC address for its virtual machine adapter to see if they match. If the
addresses do not match, the ESXi host drops the packet.
If the virtual machine operating system changes the MAC address, the operating system can send
frames with an impersonated source MAC address at any time. This allows an operating system to
stage malicious attacks on the devices in a network by impersonating a network adaptor
authorized by the receiving network.
Forged transmissions is set to Accept by default.
This means the virtual switch does not compare the source and effective MAC addresses.
To protect against MAC address impersonation, all virtual switches should have forged
transmissions set to Reject. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup
level. You can override switch level settings at the Portgroup level.
If the virtual machine operating system changes the MAC address, it can send frames with an
impersonated source MAC address at any time. This allows it to stage malicious attacks on the
devices in a network by impersonating a network adaptor authorized by the receiving network.
This will prevent VMs from changing their effective MAC address. It will affect applications that
require this functionality. An example of an application like this is Microsoft Clustering, which
requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will
operate. This will also affect applications that require a specific MAC address for licensing. An
exception should be made for the dvPortgroups that these applications are connected to.
If the virtual machine operating system changes the MAC address, it can send frames with an
impersonated source MAC address at any time. This allows it to stage malicious attacks on the
devices in a network by impersonating a network adaptor authorized by the receiving network.
exception should be made for the port groups that these applications are connected to. Reject
MAC Changes can be set at the vSwitch and/or the Portgroup level. You can override switch level
settings at the Portgroup level.
When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the
dvPortgroup have the potential of reading all packets across that network, meaning only the virtual
machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXI
Server, and this is the recommended setting. However, there might be a legitimate reason to
enable it for debugging, monitoring or troubleshooting reasons. Security devices might require the
ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that
these applications are connected to, in order to allow for full-time visibility to the traffic on that
dvPortgroup. Unlike standard vSwitches, dvSwitches only allow Promiscuous Mode at the
dvPortgroup level
When promiscuous mode is enabled for a virtual switch all virtual machines connected to the
Portgroup have the potential of reading all packets across that network, meaning only the virtual
machines connected to that Portgroup. Promiscuous mode is disabled by default on the ESXI
Server, and this is the recommended setting. However, there might be a legitimate reason to
enable it for debugging, monitoring or troubleshooting reasons. Security devices might require the
ability to see all packets on a vSwitch. An exception should be made for the Portgroups that these
applications are connected to, in order to allow for full-time visibility to the traffic on that
Portgroup. Promiscous mode can be set at the vSwitch and/or the Portgroup level. You can
override switch level settings at the Portgroup level.
The vSphere VDS can export Netflow information about traffic crossing the VDS. Netflow exports
are not encrypted and can contain information about the virtual network making it easier for a
MITM attack to be executed successfully. If Netflow export is required, verify that all VDS Netflow
target IP's are correct.
Port-level configuration overrides are disabled by default. Once enabled, this allows for different
security settings to be set from what is established at the Port-Group level. There are cases where
particular VM's require unique configurations, but this should be monitored so it is only used when
authorized. If overrides are not monitored, anyone who gains access to a VM with a less secure
VDS configuration could surreptiously exploit that broader access.
If you are not using a product such as VMware NSX that make use of the dvfilter network API, the
host should not be configured to send network information to a IP Address. If the API is enabled
and the system running at the IP address referenced is compromised then there is potential for
that system to provide unauthorized access to the network of other VMs on the host. If you are
using a product that makes use of this API then verify that the host has been configured correctly.
Configuration Parameter
NA
N/A
N/A
Syslog.global.logDir
N/A
Config.HostAgent.plugins.solo.enableMob
N/A
N/A
Use Chap, Name, Secret
vimsvc/auth/lockdown_is_enabled
Syslog.global.logHost
vimsvc/auth/lockdown_is_enabled
N/A
Security.AccountUnlockTime
Security.AccountLockFailures
DCUI.Access
UserVars.DcuiTimeOut
Security.PasswordQualityControl
UserVars.ESXiShellInteractiveTimeOut
UserVars.ESXiShellTimeOut
Mem.ShareForceSalting
N/A
isolation.tools.copy.disable
isolation.tools.paste.disable
isolation.tools.diskShrink.disable
isolation.tools.diskWiper.disable
scsiX:Y.mode
mks.enable3d
floppyX.present
parallelX.present
serialX.present
svga.vgaOnly
tools.setInfo.sizeLimit
RemoteDisplay.vnc.enabled
tools.guestlib.enableHostInfo
sched.mem.pshare.salt
ethernetX.filterX.name = filtername
pciPassthru*.present
Net.BlockGuestBPDU
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Net.DVFilterBindIpAddress
Desired Value
NA
Site-specific
False
Site Specific
Site Specific
site-specific
False
Site Specific
Site Specific
Site Specific
Enabled
Site Specific
Enabled
Site Specific
900
List of authorized users

600
Site specific
900
900
VMware Certified, VMware Accepted or Partner Supported
TRUE
TRUE
TRUE
TRUE
One of the following: * Not present (defaults to Persistent if blank) * Explicitly set to Persistent *Se
FALSE
not present or FALSE

TRUE
1048576
FALSE
FALSE
Site-Specific
Null unless using dvfilter
FALSE
1
Disabled
Reject
Reject
Reject
Reject
Reject
Reject
Site-Specific
Disabled
Null
Default Value Is desired value the default? Action Type
NA Yes Update
Null No Audit Only
Stopped No Audit Only

Null No Modify
[] /scratch/log No Modify
Disabled No Modify
false Yes Audit Only
Local Authentication No Add

Disabled No Add or Modify
No Authentication No Add
Disabled No Modify
Null No Add
Disabled No Modify
Connections are allowed from any IP address No Modify
120 No Modify
10 No Modify
root No Add
600 Yes Audit Only
"retry=3 min=disabled,disabled,disabled,7,7" No Audit Only
0 No Modify
0 No Modify
2 Yes Audit Only
Partner Supported No Audit Only
TRUE Yes Add
TRUE Yes Add

FALSE No Add
FALSE No Add
Persistent No Add
FALSE Yes Add
FALSE No
FALSE No
No
FALSE No Add or Modify
1048576 Yes Add
FALSE Yes Audit Only

Null No Remove, Modify
Null No Audit Only

0 No Modify
Disabled Yes Audit Only
Reject Yes Audit Only
Accept No Modify

Null No Add
Disabled Yes Audit Only
Null Yes Audit Only

Assessment using Web Client
From the vSphere web client select the host and click "Summary". Expand "Configuration" and
verify "ESX/ESXi Version" and "Image Profile" strings. Those strings would tell you the current
image version of the host. Ensure that the image version is the latest one given by VMware.
From the vSphere web client, select host and click on "Configure" -> "Settings" -> "System" ->
"Security Profile". Scroll down until "Lockdown Mode". Verify that the list of "Exception Users" is
legitimate.
In the vSphere Web Client, select the host in the vCenter inventory. Select Configure. In the System
Section, select Security Profile and click Edit. Check that the SSH service is reported as Stopped.
From the vSphere web client select the host and click "Configure" -> "Time Configuration" and click
the "Edit..." button. Provide the name/IP of your NTP servers, start the NTP service and change the
startup policy to "Start and stop with host". Notes: verify the NTP firewall ports are open. It is
recommended to synchronize the ESXi clock with a time server that is located on the management
network rather than directly with a time server on a public network. This time server can then
synchronize with a public source through a strictly controlled network connection with a firewall.
From the vSphere web client select the host and click "Configure" -> "Settings" -> "Advanced
System settings". Look for "Syslog.global.logDir" parameter name and ensure that it is not set to "[]
/scratch/log" or is not blank.
From the vSphere web client select the host and click "Configure" -> "Settings" -> "Security
Profile". Look for "SNMP Server" under "Services" section. Its status should be "Stopped" until and
unless you are using snmp in your enviornment.
Open the Web Client, Select the settings for the host, Select "Advanced System Settings" and
search for "Config.HostAgent.plugins.solo.enableMob". Ensure the value is False (default in 6.0 and
later).
From the vSphere Web Client, select the host and go to "Configure" -> "Authentication Services".
Verify that "Domain" and "Trusted Domain Controller" settings under "Domain Settings" section
are configured as appropriate.
There is no way to audit this using web client if you manually chose to join the host to a domain.
If you chose to join the host to domain by attaching a host profile, you can verify that the host
profile has been configured to use proxy server for joining the host to domains by follow below
steps:
Go to "Home" and click on "Host Profiles" under "Monitoring" section. Choose the appropriate
host profile and expand "Security and Services" -> "Authentication Configuration" -> "Active
Directory Configuration". Verify that the "JoinDomain Method" setting is configured to "Use
vSphere Authentication Proxy to add the host to Domain".
From the vSphere web client, select a host and click on "Configure" -> "Storage" -> "Storage
Adapters".
For EACH iSCSI Adapter, scroll for "Authentication" section under "Adapter Details" section ->
"Properties" tab. The "Method" parameter should be set to "Use bidirectional CHAP".
"Security Profile".
Scroll down until "Lockdown Mode". Verify that "Lockdown Mode" parameter is set to
"Enabled (Normal)".
From the vSphere Web Client select the host, click "Configure" -> "Advanced Sytem Settings", and
enter "Syslog.global.logHost" in the filter. Check whether a syslog host is set.

From the vSphere Web Client, select the host and click on "Configure" -> "Settings" -> "System" ->
"Security Profile".
Scroll down to "Lockdown Mode".; Verify that "Lockdown Mode" parameter is set to "Enabled
(Strict)".
From the vSphere web client, select the host and click "Configure" -> "Settings" -> "System" ->
"Security Profile".
Verify that for enabled services, both incoming and outgoing connections, a proper network/IP
Range is selected (the 3rd column should not be "All").
From the vSphere Web Client select the host, click "Configure" -> "Settings" -> "System" ->
"Advanced Sytem Settings". Enter "Security.AccountUnlockTime" in the filter. Verify that the value
for this parameter is set to 900.
"Advanced Sytem Settings". Enter "Security.AccountLockFailures" in the filter. Verify that the value
for this parameter is set to 3.
"Advanced Sytem Settings". Enter "DCUI.Access" in the filter. Verify that the list of users is
legitimate. It should ideally contain root and any other local users who are authorized to override
lockdown mode.
"Advanced Sytem Settings". Enter "UserVars.DcuiTimeOut" in the filter. Verify that the value for
this parameter is set to 600.
From vSphere web client, select host and then click "Configure" -> "Settings" -> "System" ->
"Advanced System settings". Filter for Security.PasswordQualityControl to see the configured value.
It should be set as default value or more restrictive.
"Advanced System settings". Filter for UserVars.ESXiShellInteractiveTimeOut to see the configured
value. It should be set to desired value or more restrictive.
"Advanced System settings". Filter for UserVars.ESXiShellTimeOut to see the configured value. It
should be set to desired value or more restrictive.
From the vSphere Web Client, select a host and then click "Configure" -> "Settings" -> "System" ->
"Advanced System settings". Filter for Mem.ShareForceSalting. Verify that it is set to 2.
From vSphere web client, select host and then click "Configure" -> "System" -> "Security Profile".
Scroll down until you see "Host Image Profile Acceptance Level". Verify that the "Acceptance Level"
parameter is set to "VMware Accepted", "VMware Certified" or "Partner Supported".
From the vSphere web client, select each VM and click "Configure" -> "Settings" -> "VM Options".
Expand "Advanced Settings". Scroll the list of "Configuration Parameters" and ensure that the
desired configuration parameter is present with the desired value.
Ensure that the following parameter is NOT present or is set to FALSE, unless Floppy drives are
required: floppyX.present
Ensure that the following parameter is NOT present or is set to FALSE, unless Parallel ports are
required: parallelX.present
Ensure that the following parameter is NOT present or is set to FALSE, unless Serial ports are
required: serialX.present
From the vSphere Web Client, select each VM and click "Configure" -> "Settings" -> "VM Options".
If there is a non-null value and that value is common to more than one virtual machine, those
virtual machines have inter-VM TPS enabled.
If a VM is not supposed to be protected by a product using the dvfilter API, ensure that the
following is not present in its VMX file: ethernet0.filter1.name = dv-filter1where “ethernet0” is the
network adaptor interface of the virtual machine that is to be protected, “filter1” is the number of
the filter that is being used, and “dv-filter1” is the name of the particular data path kernel module
that is protecting the VM. If the VM is supposed to be protected, ensure that the name of the data
path kernel is set correctly.
From the vSphere Web Client, select each VM and click "Configure" -> "Settings" -> "VM Options".
From vSphere Web Client, select the host and then click "Configure" -> "Settings" -> "System" ->
"Advanced System settings". Filter for Net.BlockGuestBPDU to see the configured value. It should
be set to the desired value.
From the vSphere Web Client, select each VDS and go to "Configure" -> "Settings" -> Health
check". Verify that "VLAN and MTU Check" and "Teaming and Failover Check" are both "Disabled".
From vSphere web client, for each portgroup within each distributed switch go to "Configure" ->
"Settings" -> "Policies".
Verify that "Forged transmits" policy is set to "Reject".
From the vSphere Web Client select the host and click "Configure" -> "Networking" -> "Virtual
Switches". For each virtual switch and for each port group within that virtual switch, click edit. Go
to "Security" and verify that "Forged Transmits" is set to "Reject".
"Settings" -> "Policies". Verify that "MAC address changes" policy is set to "Reject".
From the vSphere web client select the host and click "Configure" -> "Networking" -> "Virtual
to "Security" and verify that "MAC address changes" is set to "Reject".
"Settings" -> "Policies". Verify that "Promiscuous Mode" policy is set to "Reject".
to "Security" and verify that "Promiscuous Mode" is set to "Reject".
From vSphere Web Client, for each distributed switch go to "Configure" -> "Settings" -> "NetFlow".
Verify that "Collector IP address" and "Collector port" are legitimate.
From vSphere Web Client, for each portgroup within each distributed switch go to "Configure" ->
"Settings" -> "Properties". Verify that all "Override port policies" are "Disabled".
From vSphere web client, select a host and click "Configure" -> "Settings" -> "System" ->
"Advanced System settings". Filter for Net.DVFilterBindIpAddress to see the configured value. It
should be set to the desired value or to the IP address of the appropriate VM using dvfilter
network APIs.
Negative Functional Impact
None
None
The default setting is Stopped

None
None
None
None. This is disabled by default.
None
None
None
There are some operations, such as backup and troubleshooting, that require direct access to the
host. In these cases Lockdown Mode can be disabled on a temporary basis for specific hosts as
needed, and then re-enabled when the task is completed.
Note: Lockdown mode does not apply to users listed in the DCUI.Access list, which by default
includes the root user.
Previous versions of the SCG classified this as a "Risk Profile 2 or 3" setting. In the 6.7 SCG the
"strict" lockdown mode guideline was the only setting set to "1" which prompted the removal of
Risk Profiles all together. This in no means lessens the discussion of "Risk". Most customers should
enable at least Normal Lockdown Mode. Those customers that should enable Strict Lockdown
Mode need to make that judgement based on their current risk factors as there are serious caveats
as called out at the begining of the Negative Functional Impact statement.
None
In strict lockdown mode, introduced in vSphere 6.0, the DCUI service is stopped. If the connection
to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes
unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If
you cannot restore the connection to the vCenter Server system, you have to reinstall the host.
Previous versions of the SCG classified this as a "Risk Profile 1" setting. In the 6.7 SCG this was the
only setting set to "1" which prompted the removal of Risk Profiles all together. This in no means
lessens the discussion of "Risk". Most customers should enable at least Normal Lockdown Mode.
Those customers that should enable Strict Lockdown Mode need to make that judgement based
on their current risk factors as there are serious caveats as called out at the begining of the
Negative Functional Impact statement.
Only systems in the IP whitelist/ACL will be able to connect to services on the ESXi server
None
The account would be locked out and would require administrative action to unlock the account or
an elapse time for the account to automatically unlock.
None
None
None
None
None
Host customization using custom unsigned VIBs is not allowed.
This is the default setting so functionality remains the same
None
Inability to shrink virtual machine disks in the event that a datastore runs out of space.
Inability to shrink virtual machine disks in the event that a datastore runs out of space.
Won’t be able to make use of nonpersistent mode, which allows rollback to a known state when
rebooting the VM.
Configuring this setting to false will not allow 3D functionality to run in the virtual machine. Use of
this setting on desktop systems that require 3D is not recommended.
Virtual machine will need to be powered off to reverse change if any of these devices are needed
at a later time.
at a later time.
at a later time.
Configuring this setting to True will not allow any advanced graphics functions to work. Only
character-cell console mode will be available. Use of this setting renders mks.enable3d moot. The
mks.enable3d has no effect.
**Note** this setting should only be applied to those virtual machines for which a virtualized
video card is not needed.
None
None
Unable to retrieve performance information about the host from inside the guest, there are times
when this can be useful for troubleshooting.
Running with Inter-VM page sharing should only be done between virtual machines that are trust-
worthy.
incorrectly configuring this option can negatively impact functionality of tools that use dvFilter
API's.
A buggy or malicious driver in the guest OS could cause a fault with the physical host resulting in a
host crash
None
None
This will prevent VMs from changing their effective MAC address. This will affect applications that
require this functionality.
An example of an application like this is Microsoft Clustering, which requires systems to effectively
share a MAC address.
This will also affect how a layer 2 bridge will operate. This will also affect applications that require a
specific MAC address for licensing. An exception should be made for the dvPortgroups that these
applications are connected to.
This will prevent VMs from changing their effective MAC address. This will affect applications that
operate.
This will also affect applications that require a specific MAC address for licensing. An exception
should be made for the port groups that these applications are connected to.
exception should be made for the dvPortgroups that these applications are connected to.
exception should be made for the port groups that these applications are connected to.
Security devices that require the ability to see all packets on a vSwitch will not operate properly if
the “Promiscuous Mode” parameter is set to “Reject.”
Security devices that require the ability to see all packets on a vSwitch will not operate properly if
the “Promiscuous Mode” policy is set to “Reject".
None
Specific port level overrides would be denied.
This will prevent a dvfilter-based network security appliance from functioning

Remediation using Web Client
Employ a process to keep ESXi hosts up to date with patches in accordance with industry-standards
and internal guidelines. VMware Update Manager is an automated tool that can greatly assist with
this. VMware also publishes Advisories on security patches, and offers a way to subscribe to email
alerts for them.
https://www.vmware.com/support/policies/security_response
"Security Profile". Scroll down until "Lockdown Mode". Click "Edit" and then click on
"Exception Users". Add or delete users as per your site requirements.
In the vSphere Web Client, select the host in the vCenter inventory. Select Configure. In the System
Section, select Security Profile and click Edit. Check that the SSH service is reported as Stopped. If
it is not, press the Stop button and ensure the Startup Policy is set to "Start and Stop Manually"
In the vSphere Web Client, select the host in the vCenter inventory. Select Configure -> Settings. In
the System Section, select Time Configuration and click Edit. Select "Use Network Time Protocol
(Enable NTP client), set the NTP service startup policy, enter the IP addresses of the NTP servers to
synchronize with, and click Start or Restart.
1. Identify the datastore path where you want to place scratch, then login to the vSphere Web
Client.
2. Navigating to the host and select "Configure" and select "Advanced System Settings" in the
System panel.
3. Enter "Syslog.global.LogDir" in the filter.
Set the "Syslog.global.LogDir" to the desired datastore path.

Note: the Syslog.global.LogDir must be set for each host
You do not configure the SNMP agent with the vSphere Web Client. Use esxcli, PowerCLI, or the
vSphere Web Services SDK.
Open the Web Client, Select the settings for the host, Select "Advanced System Settings" and
search for "Config.HostAgent.plugins.solo.enableMob" and set the value to False if it isn't currently
False.
From the vSphere Web Client, select the host and go to "Configure" -> "Authentication Services"
and click the "Join Domain" button. Provide the domain name along with the user credentials for
an AD user that has the rights to join computers to the domain. Notes:
(1) you can use Host Profiles to automate adding hosts to an AD domain.
(2) Consider using the vSphere Authentication proxy to avoid transmitting AD credentials over the
network. Refer to the "enable-auth-proxy" recommendation for more information.
You can do it in two ways - either from Web Client directly or via Host Profiles. For web client,
select the host and click on "Configure" -> "Settings" -> "Authentication Services". Click on "Join
Domain" and then select "Using Proxy Server" radio button. Provide proxy server IP address.
Using Host profile method,

Install and configure the Authentication proxy. From the vSphere web client, navigate to "Host
Profiles", select the host profile, select "Configure" -> "Edit Host profile". Expand "Security and
Services" -> "Security Settings" -> "Authentication Configuration". Select "Active Directory
configuration". Set the "Join Domain Method" to "Use vSphere Authentication Proxy to add the
host do domain" and provide the IP address of the authentication proxy.
From the vSphere web client, select a host and click on "Configure" -> "Storage" -> "Storage
Adapters"
For EACH iSCSI Adapter, scroll for "Authentication" section under "Adapter Details" section ->
"Properties" tab. Click "Edit" and configure bidirectional chap authentication.
"Security Profile".
Scroll down until "Lockdown Mode". Click "Edit" and then choose "Normal".
Step 1: Install/Enable a syslog host (vSphere Syslog Collector recommended).

Step 2: From the vSphere Web Client select the host and click "Configure" -> "Advanced Sytem
Settings", and enter "Syslog.global.logHost" in the filter. Set the "Syslog.global.logHost" to the
hostname of your syslog server.
Note: when setting a remote log host it is also recommended to set the
"Syslog.global.logDirUnique" to true. You must configure the syslog settings for each host. The host
syslog parameters can also be configured the vCLI or PowerCLI, or using an API client.
"Security Profile".
Scroll down to "Lockdown Mode". Click "Edit" and then choose "Strict".
From the vSphere web client, select the host and click "Configure" -> "Settings" -> "System" ->
"Security Profile".
For each enabled services for both incoming and outgoing connections set a proper network/IP
Range after deselecting "Allow connections from any IP address" checkbox.
"Advanced Sytem Settings". Enter "Security.AccountUnlockTime" in the filter. Click edit and set the
value for this parameter to 900.
"Advanced Sytem Settings". Enter "Security.AccountLockFailures" in the filter. Click edit and set the
value for this parameter to 3.
"Advanced Sytem Settings". Enter "DCUI.Access" in the filter. Enter comma separated user
accounts who are authorized to access DCUI even in case of lockdown mode.
Caution: Do not remove root user.

"Advanced Sytem Settings". Enter "UserVars.DcuiTimeOut" in the filter. Click edit and set the value
for this parameter to 600 or more restrictive.
"Advanced System settings". Filter for Security.PasswordQualityControl to see the configured value.
Set it to the default value or more restrictive.
"Advanced System settings". Filter for UserVars.ESXiShellInteractiveTimeOut to see the configured
value. Click edit and set it to the desired value or more restrictive.
"Advanced System settings". Filter for UserVars.ESXiShellTimeOut to see the configured value. Click
edit and set it to the desired value or more restrictive.
From vSphere Web Client, select a host and then click "Configure" -> "Settings" -> "System" ->
"Advanced System settings". Filter for Mem.ShareForceSalting. Click edit and set it to 2.
From vSphere web client, select host and then click "Configure" -> "System" -> "Security Profile".
Scroll down until you see "Host Image Profile Acceptance Level". Click "Edit" and set the
"Acceptance Level" parameter to the desired value. The Default value is "Partner Supported"
which will work with Secure Boot for ESXi 6.5 or greater.
Click "Edit". Go to "VM Options" tab and expand "Advanced". Click on "Edit Configuration". Click
on "Add Row" and then add the desired configuration parameter with the desired value.
Click "Edit".
Go to "VM Options" tab and expand "Advanced".
Click on "Edit Configuration".
Click on "Add Row" and then edit the desired configuration parameter with the desired value.
From the vSphere Web Client, select each VM and click "Configure" -> "Settings" -> "Virtual
Hardware" -> Remove the PCI/PCIe passthrough device.
From vSphere Web cClient, select the host and then click "Configure" -> "Settings" -> "System" ->
"Advanced System settings". Filter for Net.BlockGuestBPDU to see the configured value. Click edit
and set it to the desired value.
From the vSphere Web Client, select each VDS and go to "Configure" -> "Settings" -> Health
check". Click "Edit" and set "VLAN and MTU Check" and "Teaming and Failover Check" to
"Disabled".
"Settings" -> "Policies" and click "Edit". Go to "Security" and set the "Forged transmits" policy to
"Reject".
to "Security" and set the "Forged Transmits" to "Reject".
"Settings" -> "Policies" and click "Edit". Go to "Security" and set the "MAC address changes" policy
to "Reject".
From the vSphere web client select the host and click "Configure" -> "Networking" -> "Virtual
to "Security" and set the "MAC address changes" to "Reject".
"Settings" -> "Policies" and click "Edit". Go to "Security" and set the "Promiscuous Mode" policy to
"Reject".
Switches". For each virtual switch and for each port group within that virtual switch, click Edit. Go
to "Security" and set the "Promiscuous Mode" to "Reject".
From vSphere Web Client, for each distributed switch go to "Configure" -> "Settings" -> "NetFlow".
Click "Edit" and set the "Collector IP address" and "Collector port" as appropriate.
"Settings" -> "Properties". Click "Edit" and go to "Advanced". Disable all "Override port policies".
"Advanced System settings". Filter for Net.DVFilterBindIpAddress to see the configured value. Click
edit and set it to the desired value or to the IP address of the appropriate VM using dvfilter
network APIs.
vSphere API
https://code.vmware.com/apis/358/vsphere#/doc/vim.host.PatchManager.Status.html
https://code.vmware.com/apis/358/vsphere#/doc/vim.host.DateTimeSystem.html
https://code.vmware.com/apis/196/vsphere#/doc/vim.option.OptionManager.html
https://code.vmware.com/apis/358/vsphere#/doc/vim.host.SnmpSystem.html
N/A
https://code.vmware.com/apis/358/vsphere#/doc/vim.host.ActiveDirectoryAuthentication.html
https://code.vmware.com/apis/358/vsphere#/doc/vim.host.ActiveDirectoryAuthentication.html
https://code.vmware.com/apis/358/vsphere#/doc/vim.host.InternetScsiHba.AuthenticationProperti
https://code.vmware.com/apis/196/vsphere#/doc/vim.HostSystem.html
https://code.vmware.com/apis/196/vsphere#/doc/vim.HostSystem.html
https://code.vmware.com/apis/358/vsphere#/doc/vim.host.ServiceSystem.html
N/A
https://code.vmware.com/apis/358/vsphere#/doc/vim.host.ImageConfigManager.AcceptanceLevel.
https://code.vmware.com/apis/358/vsphere#/doc/vim.option.OptionValue.html
https://code.vmware.com/apis/358/vsphere#/doc/vim.vm.device.VirtualDevice.html
https://code.vmware.com/apis/358/vsphere#/doc/vim.DistributedVirtualSwitch.HealthCheckConfig
https://code.vmware.com/apis/358/vsphere#/doc/vim.dvs.DistributedVirtualPortgroup.PortgroupPo
https://code.vmware.com/apis/358/vsphere#/doc/vim.host.NetworkPolicy.SecurityPolicy.html
https://code.vmware.com/apis/358/vsphere#/doc/vim.host.NetworkPolicy.SecurityPolicy.html
https://code.vmware.com/apis/358/vsphere#/doc/vim.host.VirtualSwitch.Config.html
https://code.vmware.com/apis/196/vsphere#/doc/vim.DistributedVirtualSwitch.html
https://code.vmware.com/apis/196/vsphere#/doc/vim.DistributedVirtualSwitch.html
ESXi Shell Command Assessment
# esxcli software profile get / # esxcli software vib get

N/A
# esxcli system syslog config get
# esxcli system snmp get
vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.solo.enableMob
TBD
N/A
# esxcli iscsi adapter auth chap get
# To check if Lockdown mode is enabled:

#Note: This will not differentiate between Normal and Strict.
#If either are enabled the result will be "true"
vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
# esxcli system syslog config get

# To check if Lockdown mode is enabled:
#Note: This will not differentiate between Normal and Strict.
#If either are enabled the result will be "true"
vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
vim-cmd hostsvc/advopt/view DCUI.Access

N/A
# esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep

/UserVars/ESXiShellInteractiveTimeOut

/UserVars/ESXiShellTimeOut
# esxcli software acceptance get

# esxcli software vib list
grep -i "isolation.tools.copy.disable" [VMX]
grep -i isolation.tools.paste.disable [VMX]

grep -i "isolation.tools.diskShrink.disable" [VMX]
grep -i "isolation.tools.diskWiper.disable" [VMX]
grep -i "^scsi[0-9]*:[0-9]*.mode" [VMX]
grep -I mks.enable3d [VMX]
grep -i "^floppy[0-9]*.present" [VMX]

grep -i "^parallel[0-9]*.present" [VMX]
grep -i "^serial[0-9]*.present" [VMX]
grep -i "svga.vgaonly" [VMX]
grep -i "tools.setInfo.sizeLimit" [VMX}
grep -i "RemoteDisplay.vnc.enabled" [VMX]
grep -i "tools.guestlib.enableHostInfo" [VMX]

grep -i "sched.mem.pshare.salt" [VMX]
grep -i "^ethernet[0-9]*.filter[0-9]*.name" [VMX]
grep -i "pciPassthru*.present" [VMX]

esxcli system settings advanced list -o /Net/BlockGuestBPDU
N/A
N/A
# esxcli network vswitch standard policy security get -v [VSWITCH]

N/A
N/A

N/A
N/A

/Net/DVFilterBindIpAddress
ESXi Shell Command Remediation
# esxcli software profile update / # esxcli software vib update

N/A
# esxcli system syslog config set --logDir
# Configure Community String

esxcli system snmp set --communities [COMMUNITY]
# Configure SNMP Targetesxcli system snmp set --targets [TARGET]@[PORT]/
[COMMUNITY]
# Enable SNMPesxcli system snmp set --enable true
vim-cmd hostsvc/advopt/update Config.HostAgent.plugins.solo.enableMob bool true
TBD
N/A
# esxcli iscsi adapter auth chap set
# To disable Lockdown mode:

vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
#Enabling strict lockdown mode is not supported by vim-cmd.

# To enable Normal Lockdown mode:
vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
# esxcli system syslog config set loghost

# esxcli system syslog reload
# To disable Lockdown mode:
vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
#Enabling strict lockdown mode is not supported by vim-cmd.

# To enable Normal Lockdown mode:
vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
vim-cmd hostsvc/advopt/update DCUI.Access string [USERS]

N/A
# esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i
# esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i
# esxcli software acceptance set --level
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
esxcli system settings advanced set -o /Net/BlockGuestBPDU -i 0
N/A
N/A
# esxcli network vswitch standard policy security set -v vSwitch2 -f false

N/A
# esxcli network vswitch standard policy security set -v vSwitch2 -m false
N/A
# esxcli network vswitch standard policy security set -v vSwitch2 -p false

N/A
N/A
# esxcli system settings advanced set -o /Net/DVFilterBindIpAddress -d

vCLI Command Assessment
# esxcli <conn_options> software profile get / # esxcli <conn_options> software vib get
# vicfg-ntp <conn_options> --list
# esxcli <conn_options> system syslog config get
# esxcli <conn_options> system snmp get
N/A
vicfg-authconfig <conn_options> --authscheme AD --currentdomain

# vicfg-authconfig <conn_options> --authscheme AD --currentdomain
# esxcli <conn_options> iscsi adapter auth chap get
# esxcli <conn_options> system syslog config get

N/A
N/A
N/A

/UserVars/ESXiShellInteractiveTimeOut

/UserVars/ESXiShellTimeOut
# esxcli <connection_options> software acceptance get

# esxcli software vib list
vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/

[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.copy.disable

[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.paste.disable
[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.diskWiper.disable

[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.diskWiper.disable
1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE]

VM/VM.vmx" VM.vmx 2. grep -i "^scsi[0-9]*:[0-9]*.mode" [VMX]

[DATASTORE]/[VM]/[VM].vmx getguestinfo mks.enable3d

VM/VM.vmx" VM.vmx 2. grep -i "^floppy[0-9]*.present" [VMX]
VM/VM.vmx" VM.vmx 2. grep -i "^parallel[0-9]*.present" [VMX]

VM/VM.vmx" VM.vmx 2. grep -i "^floppy[0-9]*.present" [VMX]

[DATASTORE]/[VM]/[VM].vmx getguestinfo svga.vgaOnly

[DATASTORE]/[VM]/[VM].vmx getguestinfo tools.setInfo.sizeLimit

[DATASTORE]/[VM]/[VM].vmx getguestinfo RemoteDisplay.vnc.enabled

[DATASTORE]/[VM]/[VM].vmx getguestinfo tools.guestlib.enableHostInfo
[DATASTORE]/[VM]/[VM].vmx getguestinfo sched.mem.pshare.salt

VM/VM.vmx" VM.vmx 2. grep -i "^ethernet[0-9]*.filter[0-9]*.name" [VMX]

[DATASTORE]/[VM]/[VM].vmx getguestinfo pciPassthru*.present
esxcli <conn_options> system settings advanced list -o /Net/BlockGuestBPDU
N/A
N/A
# esxcli <conn_options> network vswitch standard policy security get -v [VSWITCH]

N/A
N/A

N/A
N/A
# esxcli <conn_options> --formatter=csv --format-param=fields="Path,Int Value" system settings

advanced list | grep /Net/DVFilterBindIpAddress
vCLI Command Remediation
# esxcli conn_options software profile update / # esxcli conn_options software vib update
# vicfg-ntp conn_options --add IP
# esxcli conn_options system syslog config set --logDir
# Configure Community String

esxcli conn_options system snmp set --communities [COMMUNITY]
# Configure SNMP Target
esxcli conn_options system snmp set --targets [TARGET]@[PORT]/[COMMUNITY]
# Enable SNMP
esxcli conn_options system snmp set --enable true
N/A
vicfg-authconfig conn_options ad_conn_options --authscheme AD --joindomain domain_FQDN

# vicfg-authconfig conn_options ad_conn_options --authscheme AD --joindomain domain_FQDN
# esxcli iscsi conn_options adapter auth chap set
# esxcli conn_options system syslog config set loghost

# esxcli system syslog reload
N/A
N/A
N/A
# esxcli conn_options system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i
# esxcli conn_options system settings advanced set -o /UserVars/ESXiShellTimeOut -i
# esxcli <connection_options> software acceptance set --level
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
esxcli conn_options system settings advanced set -o /Net/BlockGuestBPDU -i 0
N/A
N/A
# esxcli conn_options vswitch standard policy security set -v vSwitch2 -f false

N/A
# esxcli conn_options vswitch standard policy security set -v vSwitch2 -m false
N/A
# esxcli conn_options vswitch standard policy security set -v vSwitch2 -p false

N/A
N/A
# esxcli conn_options system settings advanced set -o /Net/DVFilterBindIpAddress -d

PowerCLI Command Assessment
# VMware Update Manager PowerCLI Cmdlets can be used to check this feature. See sample
scripts here for PowerCLI 11:
https://code.vmware.com/docs/7335/powercli-11-0-0-user-s-guide?h=powercli
%2011#/doc/GUID-BCD266EC-2A66-4F35-8E2E-0138C10D7007.html
foreach ($esxihost in $esxihosts)
{
Write-Host "Host is: " $esxihost
Write-host "Exception Users from vCenter"
$myhost = Get-VMHost $esxihost | Get-View
$lockdown = Get-View $myhost.ConfigManager.HostAccessManager
$LDusers = $lockdown.QueryLockdownExceptions()
Write-host $LDusers
# Connect to each ESXi host in the cluster to retrieve the list of local users.
Write-Host "Lockdown user: " $LDuser
Write-host "Connecting to: " $esxihost
Connect-VIServer -Server $esxihost -user $esxusername -Password $esxpassword
#Loop through the list of Exception Users and check to see if they have accounts on
#the ESXi server and if that account in an administrator account.
foreach ($LDuser in $LDusers)
{
Write-host "Get-vmhostaccount"
$hostaccountname = get-vmhostaccount -ErrorAction SilentlyContinue $LDuser
write-host "Check to see if user exists"
if ($hostaccountname.Name)
Write-Host $hostaccountname.Name
{
Write-Host "Get-VIPermission"
$isadmin = Get-VIPermission -Principal $LDuser -ErrorAction SilentlyContinue | Where
{$_.Role –eq “Admin”}
Write-host "Admin Role: " $isadmin.Role
if ($isadmin.Role -eq "Admin") {Write-Host $LDuser is an "Exception User with Admin
accounts on " $esxihost}
}
Disconnect-VIServer -Server $global:DefaultVIServer -Force -Confirm:$false
}
}
#Check to see if the SSH Server Is running

foreach ($VMhost in (Get-VMHost))
{
$ServiceList = Get-VMHostService -VMhost $VMhost
$SSHservice = $ServiceList | Where-Object {$_.Key -eq "TSM-SSH"}
If ($SSHservice.Running -eq $true) {Write-Output "SSH Server on host $VMhost is running"}
else {Write-Output "SSH Server on host $VMhost is Stopped"}
}
# List the NTP Settings for all hosts
Get-VMHost | Select Name, @{N="NTPSetting";E={$_ | Get-VMHostNtpServer}}
# List Syslog.global.logDir for each host

Get-VMHost | Select Name, @{N="Syslog.global.logDir";E={$_ | Get-
VMHostAdvancedConfiguration Syslog.global.logDir | Select -ExpandProperty Values}}
# List the SNMP Configuration of a host (single host connection required)

Get-VMHost | Get-VMHostSnmp
Get-VMHost <host> | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob
# Check each host and their domain membership status

Get-VMHost | Get-VMHostAuthentication | Select VmHost, Domain, DomainMembershipStatus
# Check the host profile is using vSphere Authentication proxy to add the host to the domain
Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, `
@{N="JoinADEnabled";E={($_ | Get-
VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, `
@{N="JoinDomainMethod";E={(($_ | Get-
VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select
-ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}# Check
each host and their domain membership statusGet-VMHost | Get-VMHostAuthentication | Select
VmHost, Domain, DomainMembershipStatus
# List Iscsi Initiator and CHAP Name if defined

Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType,
@{N="CHAPName";E={$_.AuthenticationProperties.ChapName}}
# To check if Lockdown mode is enabled

Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.adminDisabled}}
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost

# To check if Lockdown mode is enabled
Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.adminDisabled}}
#To display the mode

$esxihosts = get-vmhost
{
Write-Host "——————————–"
$lockdown.UpdateViewData()
$lockdownstatus = $lockdown.LockdownMode
Write-Host "Lockdown mode on $esxihost is set to $lockdownstatus"
Write-Host "——————————–"
}
# List the services which are enabled and have rules defined for specific IP ranges to access the
service
Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -and (-not
$_.ExtensionData.AllowedHosts.AllIP)}
# List the services which are enabled and do not have rules defined for specific IP ranges to access
the service
Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -and
($_.ExtensionData.AllowedHosts.AllIP)}
Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime
Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures
Get-VMHost | Get-AdvancedSetting -Name DCUI.Access

Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut
Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting
# List the Software AcceptanceLevel for each host

Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $VMHost | Select
Name, @{N="AcceptanceLevel";E={$ESXCli.software.acceptance.get()}}}
# List only the vibs which are not at "VMwareCertified" or "VMwareAccepted" or
"PartnerSupported" acceptance level
Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.software.vib.list() | Where { ($_.AcceptanceLevel -ne "VMwareCertified") -and
($_.AcceptanceLevel -ne "VMwareAccepted") -and ($_.AcceptanceLevel -ne "PartnerSupported") }}
# List the VMs and their current settings

Get-VM | Get-AdvancedSetting -Name "isolation.tools.copy.disable" | where {$_.value -eq "false"}
| Select Entity, Name, Value

Get-VM | Get-AdvancedSetting -Name "isolation.tools.paste.disable" | where {$_.value –eq
“false”} | Select Entity, Name, Value
Get-VM | Get-AdvancedSetting -Name "isolation.tools.diskShrink.disable" | where {$_.value –eq

Get-VM | Get-AdvancedSetting -Name "isolation.tools.diskWiper.disable" | where {$_.value –eq
#List the VM's and their disk types

Get-VM | Get-HardDisk | where {$_.Persistence –ne “Persistent”} | Select Parent, Name, Filename,
DiskType, Persistence

Get-VM | Get-AdvancedSetting -Name "mks.enable3d"| Select Entity, Name, Value
# Check for Floppy Devices attached to VMs

Get-VM | Get-FloppyDrive | Select Parent, Name, ConnectionState
# In this Example you will need to add the functions from this post:
http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html
# Check for Parallel ports attached to VMs
Get-VM | Get-ParallelPort
# Check for Serial ports attached to VMs
Get-VM | Get-SerialPort

Get-VM | Get-AdvancedSetting -Name "svga.vgaOnly " | Select Entity, Name, Value

Get-VM | Get-AdvancedSetting -Name "tools.setInfo.sizeLimit" | where {$_.Value –gt “1048576”} |
Select Entity, Name, Value

Get-VM | Get-AdvancedSetting -Name "RemoteDisplay.vnc.enabled" | where {$_.Value –eq
“True”} | Select Entity, Name, Value

Get-VM | Get-AdvancedSetting -Name "tools.guestlib.enableHostInfo"| where {$_.Value –eq
“True”} | Select Entity, Name, Value
Get-VM | Get-AdvancedSetting -Name "Mem.ShareForceSalting" | where {$_.Value –eq “1”} |
Select Entity, Name, Value

Get-VM | Get-AdvancedSetting -Name "ethernet*.filter*.name*" | Select Entity, Name, Value

Get-VM | Get-AdvancedSetting -Name "pciPassthru*.present" | Select Entity, Name, Value
Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU
$vds = Get-VDSwitch
$vds.ExtensionData.Config.HealthCheckConfig
Get-VDSwitch | Get-VDSecurityPolicy
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy
Get-VirtualSwitch | Get-SecurityPolicy
Get-VirtualPortGroup | Get-SecurityPolicy
Get-VDPortgroup | Get-VDSecurityPolicy
Get-VDPortgroup | Get-VDSecurityPolicy
Get-VDPortgroup | Select Name, VirtualSwitch,
@{Name="NetflowEnabled";Expression={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.V
alue}} | Where-Object {$_.NetflowEnabled -eq "True"}
Get-VDPortgroup | Get-VDPortgroupOverridePolicy
Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress

PowerCLI Command Remediation
# VMware Update Manager PowerCLI Cmdlets can be used to check this feature. See sample
scripts here for PowerCLI 11:
https://code.vmware.com/docs/7335/powercli-11-0-0-user-s-guide?h=powercli
%2011#/doc/GUID-BCD266EC-2A66-4F35-8E2E-0138C10D7007.html
# Set the NTP Settings for all hosts
$NTPServers = "pool.ntp.org", "pool2.ntp.org"Get-VMHost | Add-VmHostNtpServer $NTPServers
# Set Syslog.global.logDir for each host

Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name
Syslog.global.logDir -Value "NewLocation" }
# Update the host SNMP Configuration (single host connection required)

Get-VmHostSNMP | Set-VMHostSNMP -Enabled:$true -ReadOnlyCommunity 'secret'
Get-VMHost <host> | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob |Set-

AdvancedSetting -value "false"
# Join the ESXI Host to the Domain

Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain $domain -User
$username -Password $password -JoinDomain
# Join the ESXI Host to the Domain
Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain
domain.local -User Administrator -Password Passw0rd -JoinDomain
# Set the Chap settings for the Iscsi Adapter

Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Set-VMHostHba # Use desired
parameters here
# Enable lockdown mode for each host

Get-VMHost | Foreach { $_.EnterLockdownMode() }
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value

"<insert syslog server hostname>"
#Run this at the vCenter level or against an individual host
#Create HostLockdownMode object
$level = New-Object VMware.Vim.HostLockdownMode
#Populate with level of lockdown:(lockdownDisabled,lockdownNormal,lockdownStrict)
$level = "lockdownStrict"
$esxihosts = get-vmhost
{
Write-Host "——————————–"
Write-Host "Setting Lockdown mode to " $level
$lockdown.ChangeLockdownMode($level)
$lockdown.UpdateViewData()
$lockdownstatus = $lockdown.LockdownMode
Write-Host "Lockdown mode on $esxihost is set to $lockdownstatus"
Write-Host "——————————–"
}
Please see documentation for the following cmdlets.
Get-VMHostFirewallException
Set-VMHostFirewallException
Get-VMHostFirewallDefaultPolicy
Set-VMHostFirewallDefaultPolicy
Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting

-Value 900
Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting

-Value 3
Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | Set-AdvancedSetting -Value "root"

Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value
600
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting

-Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-

AdvancedSetting -Value 900
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting

-Value 900
Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2
# Set the Software AcceptanceLevel for each host

Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.software.acceptance.Set("VMwareCertified")}
# Add the setting to all VMs

Get-VM | New-AdvancedSetting -Name "isolation.tools.copy.disable" -value $true

Get-VM | New-AdvancedSetting -Name "isolation.tools.paste.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.diskShrink.disable" -value $true

Get-VM | New-AdvancedSetting -Name "isolation.tools.diskWiper.disable" -value $true
#Alter the parameters for the following cmdlet to set the VM Disk Type:
Get-VM | Get-HardDisk | Set-HardDisk

Get-VM | New-AdvancedSetting -Name "mks.enable3d" -value $false
# Remove all Floppy drives attached to VMs

Get-VM | Get-FloppyDrive | Remove-FloppyDrive
# Remove all Parallel Ports attached to VMs
Get-VM | Get-ParallelPort | Remove-ParallelPort
# Remove all Serial Ports attached to VMs
Get-VM | Get-SerialPort | Remove-SerialPort

Get-VM | New-AdvancedSetting -Name "svga.vgaOnly" -value $true

Get-VM | New-AdvancedSetting -Name "tools.setInfo.sizeLimit" -value 1048576

Get-VM | New-AdvancedSetting -Name "RemoteDisplay.vnc.enabled" -value $false

Get-VM | New-AdvancedSetting -Name "tools.guestlib.enableHostInfo" -value $false
$ vmsaltvalue = "<some unique value>"
Get-VM | New-AdvancedSetting -Name "sched.mem.pshare.salt" -value $vmsaltvalue

Get-VM | New-AdvancedSetting -Name "pciPassthru*.present" -value ""
Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1
Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable

-notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object
Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object
Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}
Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy

-ForgedTransmits $false
Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false
Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true

Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false
Get-VDPortgroup | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false
Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false
Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $true
Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false
Get-VDPortgroup | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false
Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false
Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true

# Disable Netfow for a VDPortgroup
$DPortgroup = <name of portgroup>
Get-VDPortgroup $DPortGroup | Disable-PGNetflow
#Function for Disable-PGNetflow

#From: http://www.virtu-al.net/2013/07/23/disabling-netflow-with-powercli/
Function Disable-PGNetflow {
[CmdletBinding()]
Param (
[Parameter(ValueFromPipeline=$true)]
$DVPG
)
Process {
Foreach ($PG in $DVPG) {
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.configversion = $PG.Extensiondata.Config.ConfigVersion
$spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
$spec.defaultPortConfig.ipfixEnabled.inherited = $false
$spec.defaultPortConfig.ipfixEnabled.value = $false
$PGView = Get-View -Id $PG.Id

$PGView.ReconfigureDVPortgroup_Task($spec)
}
}
}
# Disable Netfow for a VDPortgroup

#Get-VDPortgroup DPortGroup | Disable-PGNetflow
Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting

-Value ""
Able to set using Host Profile
NO
N/A
N/A
YES
YES
YES
YES
YES
YES
NO
YES
YES
N/A
YES
YES
YES
YES
YES
YES
NO
NO
YES
YES
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
NO
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
NO
Reference
https://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.update_manager.doc/GUID-
D53B8D36-A8D7-4B3B-895C-929267508026.html
https://www.vmware.com/support/policies/security_response
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-6CD8C2E3-
7925-4706-8271-F42F2BCFF95D.html
http://blogs.vmware.com/vsphere/2015/03/vsphere-6-0-lockdown-mode-exception-users.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-2553C86E-
7981-4F79-B9FC-A6CECA52F6CC.html
http://kb.vmware.com/kb/1033696
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-
9F67DB52-F469-451F-B6C8-DAE8D95976E7.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.monitoring.doc/GUID-
8EF36D7D-59B6-4C74-B1AA-4A9D18AB6250.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-4309DE28-
AFB6-4B2D-A8EA-A38D36A8C6E6.html
SNMP V3 configuration - http://pubs.vmware.com/vsphere-

67/topic/com.vmware.vsphere.monitoring.doc/GUID-2E4B0F2A-11D8-4649-AC6C-
99F89CE93026.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-0EF83EA7-
277C-400B-B697-04BDC9173EA3.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-4FD32125-
4955-439D-B39F-C654CCB207DC.html
http://pubs.vmware.com/vsphere-67/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc
%2FGUID-084B74BD-40A5-4A4B-A82C-0C9912D580DC.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.storage.doc/GUID-AC65D747-
728F-4109-96DD-49B433E2F266.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-DFC745FB-
CDD6-4828-8948-4D0E0561EEF8.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-88B24613-
E8F9-40D2-B838-225F5FF480FF.htmlhttp://kb.vmware.com/kb/1008077
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vcli.examples.doc/GUID-7391AF2D-
BD74-4ED8-B649-DBB31EB3CB21.html
E8F9-40D2-B838-225F5FF480FF.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-8912DD42-
C6EA-4299-9B10-5F3AEA52C605.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-DC96FFDB-
F5F2-43EC-8C73-05ACDAE6BE43.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-6779F098-
48FE-4E22-B116-A8353D19FF56.html
E8F9-40D2-B838-225F5FF480FF.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-94F0C54F-
05E3-4E16-8027-0280B9ED1009.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-B314F79B-
2BDD-4D68-8096-F009B87ACB33.html
https://kb.vmware.com/kb/2080735
http//pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.install.doc/GUID-56600593-EC2E-
4125-B1A0-065BDD16CF2D.html
http//pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-751034F3-
5337-4DB2-8272-8DAC0980EACA.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-367D02C1-
B71F-4AC3-AA05-85033136A667.html
B71F-4AC3-AA05-85033136A667.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-9610FE65-
3A78-4982-8C28-5B34FEB264B6.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-9610FE65-
3A78-4982-8C28-5B34FEB264B6.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-1E583D6D-
77C7-402E-9907-80B7F478D3FC.html
0F77-4D96-B273-A30F256B29D4.html
0F77-4D96-B273-A30F256B29D4.html
0F77-4D96-B273-A30F256B29D4.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-91BF834E-
CB92-4014-8CF7-29CE40F3E8A3.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-2CF880DA-
2435-4201-9AFB-A16A11951A2D.html
https://www.vmware.com/pdf/vmware-tools-101-standalone-user-guide.pdf
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-CD0783C9-
1734-4B9A-B821-ED17A77B0206.htmlUpdated reference URL
http://pubs.vmware.com/vsphere-67/topic/com.vmware.powercli.ug.doc/GUID-0E922C7E-67DF-
4A05-B4C0-013FC4EC60F4.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-FA661AE0-
C0B5-4522-951D-A3790DBE70B4.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-C590B7D3-
4E28-4F2B-8A59-4CDB9C6F2DAA.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.networking.doc/GUID-
4A6C1E1C-8577-4AE6-8459-EEB942779A82.html
891147DD-3E2E-45A1-9B50-7717C3443DD7.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-7DC6486F-
5400-44DF-8A62-6273798A2F80.html
891147DD-3E2E-45A1-9B50-7717C3443DD7.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-942BD3AA-
731B-4A05-8196-66F2B4BF1ACB.html
http://pubs.vmware.com/vsphere-67
Update Reference and API URLs
/topic/com.vmware.vsphere.security.doc/GUID-92F3AB1F-B4C5-4F25-A010-8820D7250350.html
C0B5-4522-951D-A3790DBE70B4.html
55FCEC92-74B9-4E5F-ACC0-4EA1C36F397A.html
C0B5-4522-951D-A3790DBE70B4.html
DDF5CD98-454A-471D-9053-03ABB8FE86D1.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.security.doc/GUID-CD0783C9-
1734-4B9A-B821-ED17A77B0206.html
http://pubs.vmware.com/vsphere-67/topic/com.vmware.vsphere.ext_solutions.doc/GUID-
6013E15D-92CE-4970-953C-ACCB36ADA8AD.html
DISA STIG ID Hardening
ESXI-06-000072 1
ESXI-06-000003 0
ESXI-06-000035 0
ESXI-06-000046,ESXI-06-100046 0
ESXI-06-000045 0
ESXI-06-000053 0
ESXI-06-000034 0
ESXI-06-000037,ESXI-06-100037,ESXI-06-200037,ESXI-06-300037 0
ESXI-06-000038,ESXI-06-100038,ESXI-06-200038,ESXI-06-300038 0
ESXI-06-000054 0
ESXI-06-000001,ESXI-06-100001 0
ESXI-06-000004,ESXI-06-100004,ESXI-06-200004,ESXI-06-300004,ESXI-06-400004,ESXI-06-500004 0
ESXI-06-000001,ESXI-06-100001 0
ESXI-06-000006 0
ESXI-06-000005 0
ESXI-06-000002 0
ESXI-06-000043 0
ESXI-06-000031,ESXI-06-100031,ESXI-06-200031,ESXI-06-300031,ESXI-06-400031,ESXI-06-500031,E 0
ESXI-06-000041,ESXI-06-100041 0
ESXI-06-000042,ESXI-06-100042 0
ESXI-06-000055 0
ESXI-06-000047,ESXI-06-100047 0
VMCH-06-000001 0
VMCH-06-000004 0
VMCH-06-000005 1
VMCH-06-000006 1
VMCH-06-000007 0
VMCH-06-000028 0
VMCH-06-000030 0
VMCH-06-000031 0
VMCH-06-000036 0
VMCH-06-000034 0
VMCH-06-000039 0
VMCH-06-000040 0
VMCH-06-000041 0
0
ESXI-06-000058 0
VCWN-06-000012 0
VCWN-06-000013 0
ESXI-06-000059 1
VCWN-06-000014 0
ESXI-06-000060 1
VCWN-06-000015 0
ESXI-06-000061 0
VCWN-06-000016 0
VCWN-06-000017 0
ESXI-06-000062 0
Site Specific Setting Audit Setting
0 0
1 0
0 1
1 0
1 0
1 0
0 1
1 0
1 0
1 0
1 0
1 0
1 0
1 0
1 1
1 1
1 0
1 1
1 0
1 0
1 1
0 1
1 1
0 1
0 1
0 0
0 0
0 1
1 1
0 1
1 1
1 1
1 1
0 1
0 1
1 1
1 1
1 1
1 1
1 0
0 1
0 1
0 0
0 1
0 0
0 1
0 1
1 1
0 1
0 1

Performance Best Practices For VMware Vsphere 6.7 VMware ESXi 6.7

Uploaded by

Copyright:

Available Formats

Performance Best Practices For VMware Vsphere 6.7 VMware ESXi 6.7

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Performance Best Practices For VMware Vsphere 6.7 VMware ESXi 6.7

Uploaded by

Copyright:

Available Formats

Guideline ID

Keep ESXi system properly patched

Configure persistent logging for all ESXi host

Ensure proper SNMP configuration

Disable Managed Object Browser (MOB)

Use Active Directory for local user authentication

Enable Normal Lockdown Mode to restrict access

Configure remote logging for ESXi hosts

Set the time after which a locked account is automatically unlocked

Set DCUI.Access to allow trusted users to override lockdown mode

Establish a password policy for password complexity

Ensure default setting for intra-VM TPS is correct

Verify Image Profile and VIB Acceptance Levels

Explicitly disable copy/paste operations

Explicitly disable copy/paste operations

Disable virtual disk shrinking

Avoid using independent nonpersistent disks

Disable 3D features on Server and desktop virtual machines

Disconnect unauthorized devices

Disconnect unauthorized devices

Disable all but VGA mode on specific virtual machines

Limit informational messages from the VM to the VMX file

Control access to VM console via VNC protocol

Do not send host information to guests

Control access to VMs through the dvfilter network APIs

Audit all uses of PCI or PCIe passthrough functionality

Enable VDS network healthcheck only if you need it

Ensure that the “Forged Transmits” policy is set to reject

Ensure that the “Forged Transmits” policy is set to reject

Ensure that the “MAC Address Changes” policy is set to reject

Ensure that the “Promiscuous Mode” policy is set to reject

Ensure that the “Promiscuous Mode” policy is set to reject

Restrict port-level configuration overrides on VDS

Audit use of dvfilter network APIs

By staying up to date on ESXi patches, vulnerabilities in the hypervisor can be mitigated. An

Forged transmissions is set to Accept by default.

Use Chap, Name, Secret

List of authorized users

VMware Certified, VMware Accepted or Partner Supported

not present or FALSE

not present or FALSE

Null unless using dvfilter

Null No Audit Only

Stopped No Audit Only

false Yes Audit Only

Local Authentication No Add

Connections are allowed from any IP address No Modify

"retry=3 min=disabled,disabled,disabled,7,7" No Audit Only

2 Yes Audit Only

Partner Supported No Audit Only

TRUE Yes Add

TRUE Yes Add

FALSE Yes Add

FALSE No Add or Modify

1048576 Yes Add

FALSE Yes Audit Only

FALSE Yes Audit Only

Null No Audit Only

Step 1: Install/Enable a syslog host (vSphere Syslog Collector recommended).

grep -i "^scsi[0-9]:[0-9].mode" [VMX]

grep -i "^ethernet[0-9].filter[0-9].name" [VMX]