STIGQter STIGQter: STIG Summary: VMware vSphere 6.5 ESXi Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The ESXi host must be configured to disable non-essential capabilities by disabling SSH.

DISA Rule

SV-207636r378841_rule

Vulnerability Number

V-207636

Group Title

SRG-OS-000095-VMM-000480

Rule Version

ESXI-65-000035

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit then select the SSH service and click the Stop button to stop the service. Use the pull-down menu to change the Startup policy to "Start and stop manually" and click OK.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostService

Check Contents

From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit and view the "SSH" service and verify it is stopped.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"}

If the ESXi SSH service is running, this is a finding.

Vulnerability Number

V-207636

Documentable

False

Rule Version

ESXI-65-000035

Severity Override Guidance

From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit and view the "SSH" service and verify it is stopped.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"}

If the ESXi SSH service is running, this is a finding.

Check Content Reference

M

Target Key

2925

Comments