Guideline ID : ESXi.remove-revoked-certificates
Vulnerability Discussion : By default, ESXi hosts do not perform CRL checking, so revoked certificates are not detected automatically; they must be checked for and removed manually. These are typically custom-generated certificates issued by a corporate certificate authority or a third-party authority.
Risk Profile : 1, 2, 3
Description : Leaving expired or revoked certificates, or leaving vCenter Server installation logs from a failed installation, on your vCenter Server system can compromise your environment.
Removing expired or revoked certificates is required for the following reasons.
…
Guideline ID : ESXi.mask-zone-san
Vulnerability Discussion : Use zoning and LUN masking to segregate SAN activity. For example, zones defined for testing are managed independently within the SAN so that they do not interfere with activity in the production zones. Similarly, you can set up separate zones for different departments. Zoning must take into account any host groups that have been set up on the SAN device.
Risk Profile : 1, 2, 3
Description : Mask and zone SAN resources appropriately.
Zoning provides access control in the SAN topology. Zoning defines which HBAs can connect to which targets. When …
Guideline ID : ESXi.create-local-admin
Vulnerability Discussion : By default, each ESXi host has a single “root” administrative account that is used for local administration and for connecting the host to vCenter Server. To avoid sharing a common root account, create at least one named user account on each host, assign it full administrative privileges, and use that account instead of the shared “root” account. Set a highly complex password for the “root” account and store it in a secure location. Limit the use of “root”, but do not remove the “root” account.
Risk …
A Risk Profile is a way to categorize the security level a guideline applies to. Some security guidelines are rated “1”, others “2” or “3”, depending on how sensitive an environment must be before the control is required.
Example: Configuring users is something you do for all Risk Profiles. Risk Profile “3” guidelines are those based on common sense and industry-standard IT operations practice.
Here is the detailed categorization for each Risk Profile.
Risk Profile 1: Security guidelines that apply only in the highest-security environments, e.g. top-secret government or military systems, extremely sensitive data, …