VMware ESX 3 Virtual Center

The VMware ESX 3 Virtual Center Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R2

Published: 2016-05-03

Updated At: 2018-09-23 13:32:48

Findings

Rule | Version | Severity | Title | Description

SV-16724r1_rule | ESX0030 | MEDIUM | VMotion virtual switches are not configured with a dedicated physical network adapter. | The security issue with VMotion migrations is that the encapsulated files are transmitted in plaintext. Plaintext provides no confidentiality, and anyone with the proper access may view these files. To mitigate this risk, a dedicated VLAN will be used for

SV-16725r1_rule | ESX0040 | MEDIUM | There is no dedicated VLAN or network segment configured for virtual disk file transfers. | The transfer of virtual disk files and VMotion migrations to and from VMFS volumes is sent in plaintext. This type of traffic provides no confidentiality for the data. Due to this vulnerability, at a minimum, virtual disk file transfers and VMotion migrat

SV-16727r1_rule | ESX0060 | MEDIUM | iSCSI VLAN or network segment is not configured for iSCSI traffic. | Virtual machines may share virtual switches and VLANs with the iSCSI configuration. This type of configuration may expose iSCSI traffic to unauthorized virtual machine users. To restrict unauthorized users from viewing the iSCSI traffic, the iSCSI network

SV-16728r1_rule | ESX0070 | MEDIUM | CHAP authentication is not configured for iSCSI traffic. | iSCSI connections are able to be configured with Challenge Handshake Authentication Protocol (CHAP) authentication and IP security (IPSec) encryption. “ESX Server only supports one-way CHAP authentication for iSCSI. It does not support Kerberos, Secure

SV-16731r1_rule | ESX0100 | MEDIUM | Static discoveries are not configured for hardware iSCSI initiators. | ESX Server uses two types of methods to determine what storage resources are available for access by the iSCSI initiators on the network. These methods are dynamic discovery and static discovery. With dynamic discovery, the initiator discovers iSCSI targe

SV-16741r1_rule | ESX0130 | MEDIUM | The service console and virtual machines are not on dedicated VLANs or network segments. | Virtual machine traffic destined for a physical network should always be placed on a separate physical adapter from service console traffic. It is appropriate to use as many additional physical adapters as are necessary to support virtual machine networks

SV-16742r1_rule | ESX0140 | LOW | Notify Switches feature is not enabled to allow for notifications to be sent to physical switches. | One option in NIC Teaming is Notify Switches. Whenever a virtual NIC is connected to a virtual switch or whenever a virtual NIC’s traffic would be routed over a different physical NIC due to a failover event, a notification is sent. This notification is

SV-16745r1_rule | ESX0170 | MEDIUM | Virtual machines are connected to public virtual switches and are not documented. | Public virtual switches are bound to physical NICs providing virtual machines connectivity to the physical network, whereas connecting physical servers to the LAN usually requires a cable. Virtual network configuration is much easier since once a virtual

SV-16746r1_rule | ESX0180 | MEDIUM | Virtual switch port group is configured to VLAN 1. | The VLAN ID restricts port group traffic to a logical Ethernet segment within the physical network. Port groups may have a VLAN ID of 0 to 4095. VLAN ID values of 1 to 4094 place the virtual switch in VST mode. However VLAN 1 will not be enabled for port

SV-16747r1_rule | ESX0190 | MEDIUM | Virtual switch port group is configured to VLAN 1001 to 1024. | The VLAN ID restricts port group traffic to a logical Ethernet segment within the physical network. Port groups may have a VLAN ID of 0 to 4095. VLAN ID values of 1 to 4094 place the virtual switch in VST mode. However VLAN 1 will not be enabled for port

SV-16748r1_rule | ESX0200 | MEDIUM | Virtual switch port group is configured to VLAN 4095. | The VLAN ID restricts port group traffic to a logical Ethernet segment within the physical network. Port groups may have a VLAN ID of 0 to 4095. VLAN IDs that have VLAN ID 4095 are able to reach other port groups located on other VLANs. Basically, VLAN ID 40

SV-16749r1_rule | ESX0210 | MEDIUM | Port groups are not configured with a network label. | Port Groups define how virtual machine connections are made through the virtual switch. Port groups may be configured with bandwidth limitations and VLAN tagging policies for each member port. Multiple ports may be aggregated under port groups to provide

SV-16751r1_rule | ESX0230 | MEDIUM | Virtual switches are not labeled. | Virtual switches within the ESX Server require a field for the name of the switch. This label is important since it serves as a functional descriptor for the switch, just as physical switches require a hostname. Labeling virtual switches will indicate t

SV-16752r1_rule | ESX0240 | MEDIUM | Virtual switch labels begin with a number. | Virtual switches within the ESX Server require a field for the name of the switch. This label is important since it serves as a functional descriptor for the switch. The labels of the virtual switches will not contain a number as the first character, si

SV-16754r1_rule | ESX0250 | HIGH | The MAC Address Change Policy is set to “Accept” for virtual switches. | Each virtual NIC in a virtual machine has an initial MAC address assigned when the virtual adapter is created. Each virtual adapter also has an effective MAC address that filters out incoming network traffic with a destination MAC address different from

SV-16756r1_rule | ESX0260 | HIGH | Forged Transmits are set to “Accept” on virtual switches. | Each virtual NIC in a virtual machine has an initial MAC address assigned when the virtual adapter is created. Each virtual adapter also has an effective MAC address that filters out incoming network traffic with a destination MAC address different from t

SV-16757r1_rule | ESX0270 | HIGH | Promiscuous Mode is set to “Accept” on virtual switches. | ESX Server has the ability to run virtual and physical network adapters in promiscuous mode. Promiscuous mode may be enabled on public and private virtual switches. When promiscuous mode is enabled for a public virtual switch, all virtual machines connect

SV-16800r1_rule | ESX0600 | MEDIUM | VirtualCenter server is hosting other applications such as database servers, e-mail servers or clients, DHCP servers, web servers, etc. | VirtualCenter availability is critical since it controls and manages the entire virtual infrastructure. ESX Server will still function without VirtualCenter, however, management of the virtual machines is lost. VirtualCenter should be installed on a dedic

SV-16801r1_rule | ESX0610 | MEDIUM | Patches and security updates are not current on the VirtualCenter Server. | Organizations need to stay current with all applicable VirtualCenter Server software updates that are released from VMware. If updates and patches are not installed, then security vulnerabilities may be open. Open vulnerabilities may provide an access po

SV-16805r1_rule | ESX0650 | MEDIUM | VirtualCenter virtual machine is not configured in an ESX Server cluster with High Availability enabled. | If the ESX Server hosting the VirtualCenter virtual machine fails, the single point of central administration to the entire virtual infrastructure is gone. To mitigate this potential scenario, High Availability (HA) will be configured through VMware HA.

SV-16806r1_rule | ESX0660 | MEDIUM | VirtualCenter virtual machine does not have a CPU reservation. | Virtual machine settings affect the availability of the VirtualCenter virtual machine as well. If the virtual machine is not configured with resource reservations, there is no guarantee that the resources will be available. System AdministratorInformati

SV-16807r1_rule | ESX0670 | MEDIUM | VirtualCenter virtual machine does not have a memory reservation. | Virtual machine settings affect the availability of the VirtualCenter virtual machine as well. If the virtual machine is not configured with resource reservations, there is no guarantee that the resources will be available. System AdministratorInformati

SV-16808r1_rule | ESX0680 | LOW | VirtualCenter virtual machine CPU alarm is not configured. | To ensure that system administrators are notified if there is a resource problem on the VirtualCenter virtual machine, alarms should be configured to email the administrator. If alarms are not configured, system administrators will not be aware of any res

SV-16809r1_rule | ESX0690 | LOW | VirtualCenter virtual machine memory alarm is not configured. | To ensure that system administrators are notified if there is a resource problem on the VirtualCenter virtual machine, alarms should be configured to email the administrator. If alarms are not configured, system administrators will not be aware of any res

SV-16810r1_rule | ESX0700 | MEDIUM | Unauthorized users have access to the VirtualCenter virtual machine. | Virtual machines may be accessed by anyone with the proper permissions. If the VirtualCenter virtual machine is accessed by a normal virtual machine user, specific settings in the virtual infrastructure may be changed or modified. Modifications may inclu

SV-16811r1_rule | ESX0710 | MEDIUM | No dedicated VirtualCenter administrator created within the Windows Administrator Group on the Windows Server for managing the VirtualCenter environment. | By default, the local administrator or domain administrator is allowed to log on to VirtualCenter. These administrators are allowed since VirtualCenter requires a user with local administrator privileges to run. To limit the local administrative access, a

SV-16812r1_rule | ESX0720 | MEDIUM | No logon warning banner is configured for VirtualCenter users. | Once users are authenticated by VirtualCenter, users should be presented with a warning message. Presenting a warning message prior to user logon may assist the prosecution of trespassers on the computer system. Guidelines published by the US Department o

SV-16813r1_rule | ESX0730 | MEDIUM | VI Client sessions with VirtualCenter are unencrypted. | User sessions with VirtualCenter should be encrypted since transmitting data in plaintext may be viewed as it travels through the network. User sessions may be initiated from the VI client and VI Web Access. To encrypt session data, the sending component,

SV-16814r1_rule | ESX0740 | MEDIUM | VI Web Access sessions with VirtualCenter are unencrypted. | User sessions with VirtualCenter should be encrypted since transmitting data in plaintext may be viewed as it travels through the network. User sessions may be initiated from the VI client and VI Web Access. To encrypt session data, the sending component,

SV-16821r1_rule | ESX0810 | MEDIUM | VirtualCenter does not log user, group, permission or role changes. | VirtualCenter Servers not configured to log user, group, permission and role changes will not have the ability to review past system and user events. Recording these events is critical to establishing a recorded history of system events, enabling system

SV-16831r1_rule | ESX0940 | MEDIUM | Nonpersistent disk mode is set for virtual machines. | The security issue with nonpersistent disk mode is that attackers may undo or remove any traces that they were ever on the machine with a simple shutdown or reboot. Once the virtual machine has been shutdown, the vulnerability used to access the virtual m

SV-16834r1_rule | ESX0970 | MEDIUM | Clipboard capabilities (copy and paste) are enabled for virtual machines. | Several security issues arise with the clipboard. The first is that the system administrator might turn on the clipboard transfer and use it. However, deselecting the clipboard check box will not turn off the function, since a reboot is required. So, the

SV-16836r1_rule | ESX0980 | MEDIUM | VMware Tools drag and drop capabilities are enabled for virtual machines. | The drag and drop operation may be used to transfer files from the guest virtual machine to the computer connecting to the virtual machine via the VI Console. Files may be moved from the guest virtual machine to the VI Console computer through the drag a

SV-16837r1_rule | ESX0990 | MEDIUM | The VMware Tools setinfo variable is enabled for virtual machines. | The virtual machine operating system sends informational messages to the ESX Server host through VMware Tools. These messages are setinfo messages and typically contain name-value pairs that define virtual machine characteristics or identifiers that the E

SV-16838r1_rule | ESX1000 | LOW | Configuration tools are enabled for virtual machines. | There are other settings that should be specified in the configuration files for virtual machines. The connectable setting disables connecting and disconnecting removable devices from within the virtual machine. The diskShrink setting shrinks the virtual

SV-16839r1_rule | ESX1010 | MEDIUM | Virtual machines are not time synchronized with the ESX Server or an authoritative time server. | The accuracy of time within the virtualization environment is difficult due to the timer interrupt issue. Time drifts may be as dramatic as 5-10 minutes. Inaccurate time causes other inaccuracies within the virtualization environment, which may include ev

SV-16841r1_rule | ESX1030 | MEDIUM | Test and development virtual machines are not logically separated from production virtual machines. | Test and development can be defined by using the following definitions from the Enclave STIG. Testing is a process of technical investigation intended to reveal quality-related information about the product with respect to the context in which it is int

SV-16917r1_rule | ESX0869 | MEDIUM | VirtualCenter Server assets are not properly registered in VMS. | The Vulnerability Management System (VMS) was developed to interface with the DoD Enterprise tools to assist all DoD CC/S/As in the identification of security vulnerabilities and track the issues through the lifecycle of the vulnerabilities existence. To

SV-16926r1_rule | ESX0872 | MEDIUM | VirtualCenter Server assets are not configured with the correct posture in VMS. | Correctly configuring the VirtualCenter Server asset in VMS will ensure that the appropriate vulnerabilities are assigned to the asset. If the asset is not configured with the correct posture, vulnerabilities may be open on the asset. These open vulnerab

SV-18021r1_rule | ESX0725 | MEDIUM | VirtualCenter is not using DoD approved certificates. | User sessions with VirtualCenter should be encrypted since transmitting data in plaintext may be viewed as it travels through the network. User sessions may be initiated from the VI client and VI Web Access. To encrypt session data, the sending component,

SV-83303r1_rule | ESX0005 | HIGH | VMware ESX management software that is no longer supported by the vendor for security updates must not be installed on a system. | VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by VMware for security updates are not evaluated or updated for vulnerabilities leaving them open to potential attack. Organizations must tran