vSphere Control Set

The vSphere control set is available separately for version 7 and for versions 6.5/6.7.

vSphere version 7 (vCenter Server, ESXi and Virtual Machine)
  • The SSH service is running
  • The SSH service policy is On
  • The SLP service is running
  • The SLP service policy is On
  • The SFCBD Watch dog service is running
  • The SFCBD Watch dog service policy is On
  • The time after which a locked account is automatically unlocked is not meeting the criteria
  • The count of failed login attempts before which the account gets locked out exceeds the maximum permissible value
  • The Password reuse history configured for ESXi Shell and SSH sessions is lesser than acceptable level
  • Password policy is not established for password complexity
  • Local user authentication is not configured with LDAP
  • Warning for potential hyperthreading security vulnerability is suppressed
  • The idle connections to DCUI to terminate left over login session is not set to desired value
  • Managed Object Browser (MOB) is enabled
  • SNMP service is running
  • Connections allowed only from authorized infrastructure and administration workstations
  • Bidirectional CHAP is not enabled, authentication for iSCSI traffic
  • Access is not set for trusted users to override lockdown mode
  • The lockdown mode to restrict access to ESXi is not set to normal
  • The log level is not set to info
  • Persistent logging is not configured for all ESXi host
  • Remote logging is not configured for ESXi hosts
  • BPDU filter on the ESXi host to prevent being locked out of physical switch ports with Portfast and BPDU Guard is not enabled
  • Users and processes without privileges can make use of dvfilter network APIs
  • Forged Transmits policy is not set to reject
  • Promiscuous Mode policy is not set to reject
  • Policy is not set to reject MAC address changes
  • ESXi Shell service is running
  • The shell interactive timeout is not set as per the acceptable level
  • The shell timeout is not set as per the acceptable level
  • Timeout is not set to limit the duration of ESXi Shell and SSH services session
  • Timeout is not configured for idle ESXi Shell and SSH sessions
  • Warning for support and troubleshooting interfaces is suppressed
  • NTP Server for time synchronization not configured
  • Disable deprecated SSL or TLS protocols
  • The default setting for intra-VM TPS is not correct
  • Image Profile and VIB Acceptance Levels are none of VMware Certified, VMware Accepted or Partner Supported
  • Only run trusted binaries delivered via VIB
  • The Domain name is not set
  • The Domain membership status is not set
  • Copy/paste operations are enabled
  • Copy/paste operations are enabled
  • Virtual disk shrinking is enabled
  • Disable 3D features on Server and desktop virtual machines
  • The number of console connections is not set as per the acceptable limit
  • Informational messages from the VM to the VMX file are not limited
  • The number of retained VM diagnostic logs is larger than acceptable level
  • The configured log size is lesser than acceptable level
  • Guests can receive host information
  • Inter VM Transparent Page Sharing is Enabled
  • Access to VMs are not controlled through dvfilter network APIs
  • PCI pass through device is configured on the virtual machine
  • The configured vMotion encryption is not set to required
  • The console session is not locked
  • Floppy drive connected
  • Parallel port connected
  • Serial port connected
  • Secure boot is not enabled for guest Operating System Environment (OS)
  • The virtual machine hardware version not as per the recommended version
  • VM Virtual Disk not encrypted
  • The vSphere SSO lockout policy max attempts configured is greater than acceptable level
  • The vSphere SSO lockout policy unlock time configured is lesser than acceptable level
  • The Datacenter CLI is not disabled
  • File-Based Backup and Recovery is not Configured
  • Firewall is not configured
  • Remote logging is not enabled
  • Configure vCenter Server timekeeping

vSphere version 6.5/6.7 (ESXi and Virtual Machine)
  • PCI pass through device is configured on the virtual machine
  • Inter VM Transparent Page Sharing is Enabled
  • Independent nonpersistent disks are being used
  • Guests can receive host information
  • Virtual disk shrinking is enabled
  • Copy/paste operations are enabled
  • Access to VMs are not controlled through dvfilter network APIs
  • Informational messages from the VM to the VMX file are not limited
  • Access to VM console is not controlled via VNC protocol
  • Copy/paste operations are enabled
  • Virtual disk shrinking is enabled
  • Disable 3D features on Server and desktop virtual machines
  • Disable all but VGA mode on specific virtual machines
  • Unity window contents is enabled
  • Unity Interlock is enabled
  • Unity taskbar feature is enabled
  • Unity feature is enabled
  • Autologon feature is enabled
  • Memsfss feature is enabled
  • Copy/paste operations are enabled
  • HGFS file transfers are enabled
  • Tray icon feature is enabled
  • Versionset feature is enabled
  • Shellaction is enabled
  • Unity push feature is enabled
  • version get feature is enabled
  • Copy/paste operations are enabled
  • Unity feature is enabled
  • Protocolhandler feature is enabled
  • Floppy drive connected
  • Parallel port connected
  • Serial port connected
  • Local user authentication is not configured with LDAP
  • Bidirectional CHAP is not enabled, authentication for iSCSI traffic
  • Users and processes without privileges can make use of dvfilter network APIs
  • This symptom verifies that sshd service is stopped.
  • SNMP service is running
  • Managed Object Browser (MOB) is enabled
  • This symptom is to check Configuration of the ESXi host firewall to restrict access to services running on the host.
  • Firewall is not configured to restrict few or all services running on ESXi host
  • Forged Transmits policy is not set to reject
  • Policy is not set to reject MAC address changes
  • Promiscuous Mode policy is not set to reject
  • The count of failed login attempts before which the account gets locked out exceeds the maximum permissible value
  • The time after which a locked account is automatically unlocked is not meeting the criteria
  • BPDU filter on the ESXi host to prevent being locked out of physical switch ports with Portfast and BPDU Guard is not enabled
  • The idle connections to DCUI to terminate left over login session is not set to desired value
  • Password policy is not established for password complexity
  • Timeout configured for idle ESXi Shell and SSH sessions is greater than acceptable level
  • Timeout is not configured for idle ESXi Shell and SSH sessions
  • Timeout for ESXi Shell and SSH services is set for more than 15 minutes
  • Timeout is not set to limit the duration of ESXi Shell and SSH services session
  • The default setting for intra-VM TPS is not correct
  • Access is not set for trusted users to override lockdown mode
  • NTP Daemon policy is not enabled
  • This symptom verifies that the SSH service startup policy is compliant
  • NTP Server property is not configured
  • NTP Daemon service is not running
  • Persistent logging is not configured for all ESXi host
  • Remote logging is not configured for ESXi hosts