STIGQter: STIG Summary: VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The vCenter Server for Windows must not override port group settings at the port level on distributed switches.

DISA Rule

SV-216839r612237_rule

Vulnerability Number

V-216839

Group Title

SRG-APP-000516

Rule Version

VCWN-65-000017

Severity

CAT III

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Properties. Click "Edit" and change all Override port policies to disabled.

From a PowerCLI command prompt while connected to the vCenter server run the following commands:
$pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.configversion = $pg.Config.ConfigVersion
$spec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
$spec.Policy.VlanOverrideAllowed = $False
$spec.Policy.UplinkTeamingOverrideAllowed = $False
$spec.Policy.SecurityPolicyOverrideAllowed = $False
$spec.Policy.IpfixOverrideAllowed = $False
$spec.Policy.BlockOverrideAllowed = $False
$spec.Policy.ShapingOverrideAllowed = $False
$spec.Policy.VendorConfigOverrideAllowed = $False
$spec.Policy.TrafficFilterOverrideAllowed = $False
$spec.Policy.PortConfigResetAtDisconnect = $True
$pg.ReconfigureDVPortgroup_Task($spec)
}

Check Contents

From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Properties.

View the Properties pane and verify all Override port policies are set to disabled.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup | Get-View |
Select Name,
@{N="VlanOverrideAllowed";E={$_.Config.Policy.VlanOverrideAllowed}},
@{N="UplinkTeamingOverrideAllowed";E={$_.Config.Policy.UplinkTeamingOverrideAllowed}},
@{N="SecurityPolicyOverrideAllowed";E={$_.Config.Policy.SecurityPolicyOverrideAllowed}},
@{N="IpfixOverrideAllowed";E={$_.Config.Policy.IpfixOverrideAllowed}},
@{N="BlockOverrideAllowed";E={$_.Config.Policy.BlockOverrideAllowed}},
@{N="ShapingOverrideAllowed";E={$_.Config.Policy.ShapingOverrideAllowed}},
@{N="VendorConfigOverrideAllowed";E={$_.Config.Policy.VendorConfigOverrideAllowed}},
@{N="TrafficFilterOverrideAllowed";E={$_.Config.Policy.TrafficFilterOverrideAllowed}},
@{N="PortConfigResetAtDisconnect";E={$_.Config.Policy.PortConfigResetAtDisconnect}} | Sort Name

Note: This was broken up into multiple lines for readability. Either paste as is into a PowerShell script or combine into one line and run.

This does not apply to the reset port configuration on disconnect policy.

If any port level overrides are enabled and not documented, this is a finding.

Vulnerability Number

V-216839

Documentable

False

Rule Version

VCWN-65-000017

Severity Override Guidance

Check Content Reference

Target Key

4030

The vCenter Server for Windows must not override port group settings at the port level on distributed switches.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments