Verify that the rules necessary to enforce approved authorizations for logical access to information and system resources, using identity-based, role-based, and/or attribute-based security policies, are configured and enabled, and that the respective "Applied to" category is configured where appropriate. Log into the vSphere Web Client with credentials authorized for administration and navigate to Networking and Security >> Firewall >> Configuration tab >> General. Expand the rule sections as necessary to view the rules. If there are no rules configured to enforce authorizations, this is a finding.
Log into the vSphere Web Client with credentials authorized for administration and navigate to Networking and Security >> Firewall (left side menu) >> Configuration tab >> General. Configure the rules necessary to enforce approved authorizations for logical access to information and system resources, using identity-based, role-based, and/or attribute-based security policies. Ensure the rules are enabled, and configure the respective "Applied to" category where appropriate.
Verify that no unwanted services are enabled. Log into the vSphere Web Client with credentials authorized for administration and navigate to Networking and Security >> Firewall (left side menu) >> Configuration >> Partner Security Services. Verify that any unwanted services are disabled. If a service that should not be enabled is enabled, this is a finding.
Set unwanted Partner Security Services to the disabled state. Log into the vSphere Web Client with credentials authorized for administration and navigate to Networking and Security >> Firewall (left side menu) >> Configuration >> Partner Security Services. Select the partner security service, hover over the "No." column, click the pencil icon, and disable it.
Review the configuration and vendor documentation of the ALG application to determine the minimum ports, protocols, and services required for its operation. Log into the vSphere Web Client with credentials authorized for administration and navigate to Networking and Security >> Firewall (left side menu) >> Configuration >> General. Verify that the NSX Distributed Firewall policy restricts the use of ports, protocols, and/or services in accordance with the Ports, Protocols, and Services Management (PPSM) and IAVM requirements. If ports, protocols, and/or services are not disabled or restricted as required by the PPSM, this is a finding.
Disable ports, protocols, and/or services not required for operation of the ALG application. Log into the vSphere Web Client with credentials authorized for administration and navigate to Networking and Security >> Firewall (left side menu) >> Configuration >> General. Click the green check in the number column to disable an individual distributed firewall rule, then click "Publish Changes". Once the configuration is saved successfully, verify that the check is greyed out.
Verify the deny-by-default policy. Log into the vCenter web interface with credentials authorized for administration and navigate to Networking and Security >> Firewall. Under Configuration, expand "Default Section Layer 3". If the action for the "Default Rule" is "Allow", this is a finding.
Configure the "Default Rule" to deny by default with the "Block" action. Log into the vCenter web interface with credentials authorized for administration and navigate to Networking and Security >> Firewall. Under Configuration, expand "Default Section Layer 3". Expand the Action for the rule named "Default Rule", change the action to "Block", select "OK", then select "Publish Changes".
Verify that vSphere Web Client sessions terminate after 10 minutes of idle time, requiring the user to log in again to resume using the client. The timeout value is set in the webclient.properties file. On the system where vCenter is installed, locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client. Find the "session.timeout =" line in the webclient.properties file. If the session timeout is not set to "10" in the webclient.properties file, or the line is commented out, this is a finding.
Change the timeout value by editing the webclient.properties file. On the system where vCenter is installed, locate the webclient.properties file. Windows: C:\ProgramData\VMware\vCenter Server\cfg\vsphere-client. Edit the file to include the line "session.timeout = 10", where "10" is the timeout value in minutes. Uncomment the line if necessary. After editing the file, the vSphere Web Client service must be restarted for the change to take effect.
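The check and fix above come down to one line in a Java-style properties file, and the common ways to get it wrong are a commented-out line, a stale duplicate, or a different value. The following is an added example (not part of the STIG or of VMware's tooling) that resolves the effective session.timeout the way a .properties reader does and rewrites the file content so exactly one active entry remains. The sample file content is constructed; the path to webclient.properties is whatever the STIG text gives for your platform.

```python
"""Check and remediate session.timeout in a vSphere Web Client
webclient.properties file, treating commented lines as inactive."""
import re

# Constructed sample: a commented-out default followed by an explicit setting.
SAMPLE_PROPERTIES = """# vSphere Web Client configuration
#session.timeout = 120
refresh.rate = 60
session.timeout = 10
"""

# Active (uncommented) "session.timeout = <value>" line; whitespace around
# '=' is optional in .properties files, so it is optional here too.
_TIMEOUT_RE = re.compile(r"^\s*session\.timeout\s*=\s*(\S+)\s*$")


def get_session_timeout(text):
    """Return the effective session.timeout in minutes, or None if it is
    unset, commented out, or not an integer. Lines starting with '#' or '!'
    are comments; when duplicates exist the last active entry wins, which is
    how Java .properties files resolve them."""
    value = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = _TIMEOUT_RE.match(line)
        if m:
            try:
                value = int(m.group(1))
            except ValueError:
                value = None
    return value


def check_timeout(text, required=10):
    """STIG check: True only when an active session.timeout equals `required`."""
    return get_session_timeout(text) == required


def set_timeout(text, minutes=10):
    """Remediation: return the file content with exactly one active
    'session.timeout = <minutes>' line. Commented lines are left alone as
    documentation; extra active duplicates are dropped so the effective
    value cannot be overridden further down the file."""
    out = []
    replaced = False
    for line in text.splitlines():
        if _TIMEOUT_RE.match(line):
            if not replaced:
                out.append(f"session.timeout = {minutes}")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"session.timeout = {minutes}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("effective timeout:", get_session_timeout(SAMPLE_PROPERTIES))
    print("compliant:", check_timeout(SAMPLE_PROPERTIES))
    print(set_timeout("#session.timeout = 120\nsession.timeout = 120\n"))
```

Run it against the real file by reading it into `text`, then write `set_timeout(text)` back and restart the vSphere Web Client service as the fix text requires; a check that only greps for the literal string would pass on a commented-out line, which this one does not.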
Log into the vSphere Web Client with credentials authorized for administration, select the ESXi host, click "Manage" >> "Advanced System Settings", and enter "Syslog.global.logHost" in the filter. Verify that "Syslog.global.logHost" is set to the hostname of the site's remote syslog server. If this setting does not specify the appropriate remote syslog server on each ESXi host, this is a finding.
Log into the vSphere Web Client with credentials authorized for administration, select the ESXi host, click "Manage" >> "Advanced System Settings", and enter "Syslog.global.logHost" in the filter. Set "Syslog.global.logHost" to the hostname of the site's remote syslog server. Repeat for each ESXi host so that every host forwards its logs to a remote syslog server.
Verify that each rule in the NSX Firewall has been configured to "Log". Log into the vSphere Web Client with credentials authorized for administration and navigate to Networking and Security >> Firewall to display the list of firewall rules deployed across the NSX environment. Click the dropdown arrow to expand each firewall rule section. For each rule, select the pencil icon in the "Action" column and confirm that the "Log" option is selected. If the "Log" option has not been enabled for all rules, this is a finding.
Log into the vSphere Web Client with credentials authorized for administration and navigate to Networking and Security >> Firewall to display the list of firewall rules deployed across the NSX environment. Click the dropdown arrow to expand each firewall rule section. For each rule, select the pencil icon in the "Action" column and select the radio button next to the "Log" option to turn on logging for that rule. Publish the changes when finished.
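Clicking through every rule section is error-prone on a large policy, and three of the checks on this page (rules still enabled for the PPSM review, the Default Rule set to "Block", and "Log" enabled on every rule) can be read off one export of the Distributed Firewall configuration. The following is an added example (not part of the STIG or of VMware's tooling) that audits such an export. The XML below is constructed and modelled on what NSX-v 6.x returns from GET /api/4.0/firewall/globalroot-0/config; the element and attribute names, the mapping of the UI action "Block" to "deny" in the API, and the `fetch_config` helper are assumptions to confirm against your NSX Manager.

```python
"""Audit an NSX-v Distributed Firewall configuration export: the Default
Rule must block, every rule must log, and the enabled rules are listed
as input to the PPSM review."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the XML that NSX-v 6.x returns from
# GET /api/4.0/firewall/globalroot-0/config. Element and attribute names
# are an assumption from that API; confirm them against your NSX Manager.
SAMPLE_CONFIG = """<firewallConfiguration timestamp="1500000000000">
  <contextId>globalroot-0</contextId>
  <layer3Sections>
    <section id="1010" name="App Tier" type="LAYER3">
      <rule id="1011" disabled="false" logged="true">
        <name>Web to App</name>
        <action>allow</action>
      </rule>
      <rule id="1012" disabled="false" logged="false">
        <name>Legacy telnet</name>
        <action>allow</action>
      </rule>
      <rule id="1013" disabled="true" logged="true">
        <name>Temporary debug</name>
        <action>allow</action>
      </rule>
    </section>
    <section id="1004" name="Default Section Layer3" type="LAYER3">
      <rule id="1003" disabled="false" logged="false">
        <name>Default Rule</name>
        <action>allow</action>
      </rule>
    </section>
  </layer3Sections>
</firewallConfiguration>
"""

# UI "Block" is exposed as "deny" and UI "Reject" as "reject" in the API
# (assumption from the NSX-v API); both satisfy a deny-by-default check.
BLOCKING_ACTIONS = {"deny", "reject"}


def fetch_config(nsx_manager, username, password):
    """Hypothetical helper: pull the live DFW configuration from NSX Manager
    over HTTP basic auth, as the NSX-v API uses. Not exercised offline."""
    url = f"https://{nsx_manager}/api/4.0/firewall/globalroot-0/config"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def parse_rules(xml_text):
    """Return one dict per Layer 3 rule, in the order the policy evaluates them."""
    root = ET.fromstring(xml_text)
    rules = []
    for section in root.findall("./layer3Sections/section"):
        for rule in section.findall("rule"):
            rules.append({
                "section": section.get("name", ""),
                "id": rule.get("id"),
                "name": rule.findtext("name", default=""),
                "action": rule.findtext("action", default="").lower(),
                "disabled": rule.get("disabled", "false").lower() == "true",
                "logged": rule.get("logged", "false").lower() == "true",
            })
    return rules


def audit(xml_text):
    """Return the rule IDs that fail each check. The Default Rule is taken
    as the last Layer 3 rule in the policy, which is more robust than
    matching it by name."""
    rules = parse_rules(xml_text)
    findings = {"default_rule_not_block": [], "not_logged": [], "enabled_rules": []}
    if rules and rules[-1]["action"] not in BLOCKING_ACTIONS:
        findings["default_rule_not_block"].append(rules[-1]["id"])
    for r in rules:
        if not r["logged"]:
            findings["not_logged"].append(r["id"])
        if not r["disabled"]:
            findings["enabled_rules"].append(r["id"])
    return findings


def is_compliant(findings):
    """True when the default rule blocks and every rule logs. The enabled
    rule list is informational: it is what the PPSM review must justify."""
    return not findings["default_rule_not_block"] and not findings["not_logged"]


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for check, ids in result.items():
        print(f"{check}: {', '.join(ids) or 'none'}")
    print("compliant" if is_compliant(result) else "FINDING")
```

On the constructed sample this reports the Default Rule (1003) as allowing, two rules without logging, and three enabled rules for the PPSM review. Disabled rules are still checked for logging, since re-enabling one later should not silently create a gap.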
Verify that the "SpoofGuard" Default Policy is "Enabled" and that the "firewall" service is "Enabled" on all hosts. Log into the vSphere Web Client with credentials authorized for administration and navigate to Networking and Security >> select the "SpoofGuard" tab on the left side menu. Verify that the Default Policy for "All Networks Operation Mode" is set to "Enabled". Next, select the "Installation" tab on the left side menu and verify that "firewall" is "Enabled". If the "SpoofGuard" Default Policy is not "Enabled", or the "firewall" service is not "Enabled" on all hosts, this is a finding.
Set the "SpoofGuard" Default Policy to "Enabled" and the "firewall" service to "Enabled" on all hosts. Log into the vSphere Web Client with credentials authorized for administration and navigate to Networking and Security >> select the "SpoofGuard" tab on the left side menu. Set the Default Policy for "All Networks Operation Mode" to "Enabled". Next, select the "Installation" tab on the left side menu, select Firewall, and set it to "Enabled".