From VMware vSphere vCenter Server Version 6 Security Technical Implementation Guide
Part of SRG-APP-000516
Associated with: CCI-000366
Port-level configuration overrides are disabled by default. Once enabled, this allows for different security settings to be set from what is established at the Port-Group level. There are cases where particular VMs require unique configurations, but this should be monitored so it is only used when authorized. If overrides are not monitored, anyone who gains access to a VM with a less secure VDS configuration could surreptitiously exploit that broader access.
From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Properties. View the Properties pane and verify all Override port policies are set to disabled. or From a PowerCLI command prompt while connected to the vCenter server run the following command: Get-VDPortgroup | Get-View | Select Name, @{N="VlanOverrideAllowed";E={$_.Config.Policy.VlanOverrideAllowed}}, @{N="UplinkTeamingOverrideAllowed";E={$_.Config.Policy.UplinkTeamingOverrideAllowed}}, @{N="SecurityPolicyOverrideAllowed";E={$_.Config.Policy.SecurityPolicyOverrideAllowed}}, @{N="IpfixOverrideAllowed";E={$_.Config.Policy.IpfixOverrideAllowed}}, @{N="BlockOverrideAllowed";E={$_.Config.Policy.BlockOverrideAllowed}}, @{N="ShapingOverrideAllowed";E={$_.Config.Policy.ShapingOverrideAllowed}}, @{N="VendorConfigOverrideAllowed";E={$_.Config.Policy.VendorConfigOverrideAllowed}}, @{N="TrafficFilterOverrideAllowed";E={$_.Config.Policy.TrafficFilterOverrideAllowed}}, @{N="PortConfigResetAtDisconnect";E={$_.Config.Policy.PortConfigResetAtDisconnect}} | Sort Name Note: This was broken up into multiple lines for readability. Either paste as is into a PowerShell script or combine into one line and run. This does not apply to the reset port configuration on disconnect policy. If any port level overrides are enabled and not documented, this is a finding.
From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Properties. Click Edit and change all Override port policies to disabled. From a PowerCLI command prompt while connected to the vCenter server run the following commands: $pgs = Get-VDPortgroup | Get-View ForEach($pg in $pgs){ $spec = New-Object VMware.Vim.DVPortgroupConfigSpec $spec.configversion = $pg.Config.ConfigVersion $spec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy $spec.Policy.VlanOverrideAllowed = $False $spec.Policy.UplinkTeamingOverrideAllowed = $False $spec.Policy.SecurityPolicyOverrideAllowed = $False $spec.Policy.IpfixOverrideAllowed = $False $spec.Policy.BlockOverrideAllowed = $False $spec.Policy.ShapingOverrideAllowed = $False $spec.Policy.VendorConfigOverrideAllowed = $False $spec.Policy.TrafficFilterOverrideAllowed = $False $spec.Policy.PortConfigResetAtDisconnect = $True $pg.ReconfigureDVPortgroup_Task($spec) }
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer