On April 23, 2020, the Defense Information Systems Agency (DISA) made available the third update to the VMware vSphere 6.5 STIGs, originally released in 2019. VMware vSphere 6.5 STIG Version 1, Release 4 includes minor updates to both the ESXi and the vCenter Server STIGs.
Per the revision history provided in the updated STIG download, the following changes were made:
VMware vSphere 6.5 ESXi STIG
- V-100543 – Reinstated requirement
  - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
- V-94481 – Removed deprecated setting
  - The ESXi host must enable TLS 1.2 exclusively for the SFCB service.
- V-94483 – Removed deprecated setting
  - The ESXi host must exclusively enable TLS 1.2 for the ioFilter, vSANVP, and reverse proxy services.
- V-94507, V-94509, V-94511, V-94529, V-94531, V-94533, V-94535, V-94543, V-94545, V-94547, V-94549 – Removed duplicates
  - The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using the vSphere Authentication Proxy.
VMware vSphere 6.5 vCenter Server STIG
- V-94839 – Altered check/fix
  - The vCenter Server for Windows must use LDAPS when adding an SSO identity source.
- V-94841 – Altered check/fix
  - The vCenter Server for Windows must use a limited privilege account when adding an LDAP identity source.
- V-94757 – Altered check/fix
  - The vCenter Server for Windows must configure the vpxuser auto-password to be changed every 30 days.
You can download the updated STIG from DISA’s public STIG site: DISA Virtualization STIG Downloads.
Updated vRealize Operations alert content downloads are available from the Downloads page.