Almost all CIS tests are automated with SmartProfiler for VMware CIS Assessment.
Detailed reporting includes information about each CIS test and step-by-step recommendations to fix the issues.
In addition to the CIS tests, SmartProfiler for VMware ESXi CIS Assessment includes other tests. We offer 193 tests that cover every facet of VMware ESXi.
SmartProfiler for VMware ESXi supports the latest ESXi version, 8.0, and checks for misconfiguration across your VMware infrastructure. The report highlights the impact of each issue and recommendations to fix it.
SmartProfiler for VMware ESXi CIS Assessment can be used by system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate VMware ESXi 8. The SmartProfiler automated tool for VMware ESXi is designed to perform a complete assessment.
The Center for Internet Security is a nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia from around the world. To develop standards and best practices, including CIS benchmarks, controls, and hardened images, they follow a consensus decision-making model. SmartProfiler is designed to support CIS Standards designed for Microsoft 365 and Azure Assessments.
SmartProfiler for VMware ESXi CIS Assessment requires a connection to the VMware host and must be able to read the data for all tests.
SmartProfiler needs access to the VMware ESXi host in order to connect and execute all tests. When registering the VMware ESXi host, you need to provide its host name or IP address.
VMware CLI modules are already included in the product, so installing them is not necessary before running the assessment. Before beginning the assessment, the product automatically imports the necessary VMware CLI PowerShell modules.
SmartProfiler is a read-only product, and no write operation is ever made to the target while it is being assessed.
SmartProfiler for Microsoft 365 CIS Assessment is simple to use and executes in four steps.
It depends on the number of virtual machine resources on the VMware host. It typically takes 1-2 hours to perform a CIS Assessment.
SmartProfiler for Azure CIS Assessment is a read-only product.
Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.
SmartProfiler is designed to support multiple VMware ESXi hosts. You can add an unlimited number of VMware ESXi hosts to the tool. However, each VMware ESXi host requires a license before the assessment can be done.
Here is the list of tests included with SmartProfiler for VMware ESXi CIS Assessment. SmartProfiler offers additional tests which are not included in the CIS v1.1.0 list for VMware ESXi.
Category | CISWB | Test |
Hardware | CIS v1.1.0 | Host hardware must have auditable authentic and up to date system & device firmware |
Hardware | CIS v1.1.0 | Host hardware must enable UEFI Secure Boot |
Hardware | CIS v1.1.0 | Host hardware must enable Intel TXT if available |
Hardware | CIS v1.1.0 | Host hardware must enable and configure a TPM 2.0 |
Hardware | CIS v1.1.0 | Host integrated hardware management controller must be secure |
Hardware | CIS v1.1.0 | Host integrated hardware management controller must enable time synchronization |
Hardware | CIS v1.1.0 | Host integrated hardware management controller must enable remote logging of events |
Hardware | CIS v1.1.0 | Host integrated hardware management controller must secure authentication |
Hardware | CIS v1.1.0 | Host hardware must enable AMD SEV-ES if available |
Hardware | CIS v1.1.0 | Host hardware must enable Intel SGX if available |
Hardware | CIS v1.1.0 | Host hardware must secure unused external hardware ports |
Hardware | CIS v1.1.0 | Host integrated hardware management controller must deactivate internal networking |
Base | CIS v1.1.0 | Host must run software that has not reached End of General Support status |
Base | CIS v1.1.0 | Host must have all software updates installed |
Base | CIS v1.1.0 | Host must enable Secure Boot enforcement |
Base | CIS v1.1.0 | Host image profile acceptance level must be PartnerSupported or higher |
Base | CIS v1.1.0 | Host must only run binaries delivered via signed VIB |
Base | CIS v1.1.0 | Host must have reliable time synchronization sources |
Base | CIS v1.1.0 | Host must have time synchronization services enabled and running |
Base | CIS v1.1.0 | Host must require TPM-based configuration encryption |
Base | CIS v1.1.0 | Host must not suppress warnings about unmitigated hyperthreading vulnerabilities |
Base | CIS v1.1.0 | Host must restrict inter-VM transparent page sharing |
Base | CIS v1.1.0 | Host must use sufficient entropy for cryptographic operations |
Base | CIS v1.1.0 | Host must enable volatile key destruction |
Management | CIS v1.1.0 | Host should deactivate SSH |
Management | CIS v1.1.0 | Host must deactivate the ESXi shell |
Management | CIS v1.1.0 | Host must deactivate the ESXi Managed Object Browser (MOB) |
Management | CIS v1.1.0 | Host must deactivate SLP |
Management | CIS v1.1.0 | Host must deactivate CIM |
Management | CIS v1.1.0 | Host should deactivate SNMP |
Management | CIS v1.1.0 | Host must automatically terminate idle DCUI sessions |
Management | CIS v1.1.0 | Host must automatically terminate idle shells |
Management | CIS v1.1.0 | Host must automatically deactivate shell services |
Management | CIS v1.1.0 | Host must not suppress warnings that the shell is enabled |
Management | CIS v1.1.0 | Host must enforce password complexity |
Management | CIS v1.1.0 | Host must lock an account after a specified number of failed login attempts |
Management | CIS v1.1.0 | Host must unlock accounts after a specified timeout period |
Management | CIS v1.1.0 | Host must configure the password history setting to restrict the reuse of passwords |
Management | CIS v1.1.0 | Host must be configured with an appropriate maximum password age |
Management | CIS v1.1.0 | Host must configure a session timeout for the API |
Management | CIS v1.1.0 | Host must automatically terminate idle host client sessions |
Management | CIS v1.1.0 | Host must have an accurate DCUI.Access list |
Management | CIS v1.1.0 | Host must have an accurate Exception Users list |
Management | CIS v1.1.0 | Host must enable normal lockdown mode |
Management | CIS v1.1.0 | Host should enable strict lockdown mode |
Management | CIS v1.1.0 | Host must deny shell access for the dcui account |
Management | CIS v1.1.0 | Host must deny shell access for the vpxuser account |
Management | CIS v1.1.0 | Host must display a login banner for the DCUI and Host Client |
Management | CIS v1.1.0 | Host must display a login banner for SSH connections |
Management | CIS v1.1.0 | Host must enable the highest version of TLS supported |
Logging | CIS v1.1.0 | Host must configure a persistent log location for all locally stored system logs |
Logging | CIS v1.1.0 | Host must transmit system logs to a remote log collector |
Logging | CIS v1.1.0 | Host must log sufficient information for events |
Logging | CIS v1.1.0 | Host must set the logging informational level to info |
Logging | CIS v1.1.0 | Host must deactivate log filtering |
Logging | CIS v1.1.0 | Host must enable audit record logging |
Logging | CIS v1.1.0 | Host must configure a persistent log location for all locally stored audit records |
Logging | CIS v1.1.0 | Host must store one week of audit records |
Logging | CIS v1.1.0 | Host must transmit audit records to a remote log collector |
Logging | CIS v1.1.0 | Host must verify certificates for TLS remote logging endpoints |
Logging | CIS v1.1.0 | Host must use strict x509 verification for TLS-enabled remote logging endpoints |
Network | CIS v1.1.0 | Host firewall must only allow traffic from authorized networks |
Network | CIS v1.1.0 | Host must block network traffic by default |
Network | CIS v1.1.0 | Host must restrict use of the dvFilter network API |
Network | CIS v1.1.0 | Host must filter Bridge Protocol Data Unit (BPDU) packets |
Network | CIS v1.1.0 | Host should deactivate virtual hardware management network interfaces |
Network | CIS v1.1.0 | Host should reject forged transmits on standard virtual switches and port groups |
Network | CIS v1.1.0 | Host should reject MAC address changes on standard virtual switches and port groups |
Network | CIS v1.1.0 | Host should reject promiscuous mode requests on standard virtual switches and port groups |
Network | CIS v1.1.0 | Host must restrict access to a default or native VLAN on standard virtual switches |
Network | CIS v1.1.0 | Host must restrict the use of Virtual Guest Tagging (VGT) on standard virtual switches |
Network | CIS v1.1.0 | Host must isolate management communications |
Features - CIM | CIS v1.1.0 | Host CIM services if enabled must limit access |
Features - Core Storage | CIS v1.1.0 | Host must isolate storage communications |
Features - Core Storage | CIS v1.1.0 | Host must ensure all datastores have unique names |
Features - iSCSI | CIS v1.1.0 | Host iSCSI client if enabled must employ bidirectional/mutual CHAP authentication |
Features - iSCSI | CIS v1.1.0 | Host iSCSI client if enabled must employ unique CHAP authentication secrets |
Features - SNMP | CIS v1.1.0 | Host SNMP services if enabled must limit access |
Features - SSH | CIS v1.1.0 | Host SSH daemon if enabled must use FIPS 140-2/140-3 validated ciphers |
Features - SSH | CIS v1.1.0 | Host SSH daemon if enabled must use FIPS 140-2/140-3 validated cryptographic modules |
Features - SSH | CIS v1.1.0 | Host SSH daemon if enabled must not allow use of gateway ports |
Features - SSH | CIS v1.1.0 | Host SSH daemon if enabled must set a timeout count on idle sessions |
Features - SSH | CIS v1.1.0 | Host SSH daemon if enabled must set a timeout interval on idle sessions |
Features - SSH | CIS v1.1.0 | Host SSH daemon if enabled must display the system login banner before granting access |
Features - SSH | CIS v1.1.0 | Host SSH daemon if enabled must ignore .rhosts files |
Features - SSH | CIS v1.1.0 | Host SSH daemon if enabled must disable stream local forwarding |
Features - SSH | CIS v1.1.0 | Host SSH daemon if enabled must disable TCP forwarding |
Features - SSH | CIS v1.1.0 | Host SSH daemon if enabled must not permit tunnels |
Features - SSH | CIS v1.1.0 | Host SSH daemon if enabled must not permit user environment settings |
Virtual Machine | CIS v1.1.0 | Virtual machines must enable Secure Boot |
Virtual Machine | CIS v1.1.0 | Virtual machines must require encryption for vMotion |
Virtual Machine | CIS v1.1.0 | Virtual machines must require encryption for Fault Tolerance |
Virtual Machine | CIS v1.1.0 | Virtual machines should deactivate 3D graphics features when not required |
Virtual Machine | CIS v1.1.0 | Virtual machines must be configured to lock when the last console connection is closed |
Virtual Machine | CIS v1.1.0 | Virtual machines must limit console sharing |
Virtual Machine | CIS v1.1.0 | Virtual machines must limit PCI/PCIe device passthrough functionality |
Virtual Machine | CIS v1.1.0 | Virtual machines must prevent unauthorized modification of devices |
Virtual Machine | CIS v1.1.0 | Virtual machines must remove unnecessary audio devices |
Virtual Machine | CIS v1.1.0 | Virtual machines must remove unnecessary AHCI devices |
Virtual Machine | CIS v1.1.0 | Virtual machines must remove unnecessary USB/XHCI devices |
Virtual Machine | CIS v1.1.0 | Virtual machines must remove unnecessary serial port devices |
Virtual Machine | CIS v1.1.0 | Virtual machines must remove unnecessary parallel port devices |
Virtual Machine | CIS v1.1.0 | Virtual machines must remove unnecessary CD/DVD devices |
Virtual Machine | CIS v1.1.0 | Virtual machines must remove unnecessary floppy devices |
Virtual Machine | CIS v1.1.0 | Virtual machines must deactivate console drag and drop operations |
Virtual Machine | CIS v1.1.0 | Virtual machines must deactivate console copy operations |
Virtual Machine | CIS v1.1.0 | Virtual machines must deactivate console paste operations |
Virtual Machine | CIS v1.1.0 | Virtual machines must limit access through the dvFilter network API |
Virtual Machine | CIS v1.1.0 | Virtual machines must deactivate virtual disk shrinking operations |
Virtual Machine | CIS v1.1.0 | Virtual machines must deactivate virtual disk wiping operations |
Virtual Machine | CIS v1.1.0 | Virtual machines must restrict sharing of memory pages with other VMs |
Virtual Machine | CIS v1.1.0 | Virtual machines must not be able to obtain host information from the hypervisor |
Virtual Machine | CIS v1.1.0 | Virtual machines must enable diagnostic logging |
Virtual Machine | CIS v1.1.0 | Virtual machines must limit the number of retained diagnostic logs |
Virtual Machine | CIS v1.1.0 | Virtual machines must limit the size of diagnostic logs |
Virtual Machine | CIS v1.1.0 | Virtual machines must limit informational messages from the virtual machine to the VMX file |
Virtual Machine | CIS v1.1.0 | Virtual machines should have virtual machine hardware version 19 or newer |
VMware Tools | CIS v1.1.0 | VMware Tools must be a version that has not reached End of General Support status |
VMware Tools | CIS v1.1.0 | VMware Tools must have all software updates installed |
VMware Tools | CIS v1.1.0 | VMware Tools should configure automatic upgrades as appropriate for the environment |
VMware Tools | CIS v1.1.0 | VMware Tools on deployed virtual machines must prevent being recustomized |
VMware Tools | CIS v1.1.0 | VMware Tools must limit the automatic addition of features |
VMware Tools | CIS v1.1.0 | VMware Tools must limit the automatic removal of features |
VMware Tools | CIS v1.1.0 | VMware Tools must deactivate GlobalConf unless required |
VMware Tools | CIS v1.1.0 | VMware Tools must deactivate ContainerInfo unless required |
VMware Tools | CIS v1.1.0 | VMware Tools must deactivate Appinfo information gathering unless required |
VMware Tools | CIS v1.1.0 | VMware Tools must deactivate Guest Store Upgrade operations unless required |
VMware Tools | CIS v1.1.0 | VMware Tools must deactivate Service Discovery unless required |
VMware Tools | CIS v1.1.0 | VMware Tools must limit the use of MSI transforms when reconfiguring VMware Tools |
VMware Tools | CIS v1.1.0 | VMware Tools must enable VMware Tools logging |
VMware Tools | CIS v1.1.0 | VMware Tools must send VMware Tools logs to the system log service |
VMware Tools | CIS v1.1.0 | VMware Tools must deactivate Guest Operations unless required |
The tests below, as recommended by VMware experts globally, are not included in the VMware ESXi CIS Version 1.1.0 test list. We recommend executing them as part of a VMware ESXi security and compliance assessment.
Instead of manually gathering data, which could take a significant amount of time, SmartProfiler for VMware ESXi CIS Assessment has automated all the tests to ensure that the assessment is completed in a matter of hours.
If you’re really looking for an Active Directory security assessment tool, download SmartProfiler and perform an assessment. This will assist you in identifying security, health, and configuration problems.
The health and misconfiguration assessment feature of SmartProfiler can be very useful in demonstrating that your environment does not use Microsoft’s suggested settings.
The best feature of SmartProfiler is that it can perform the assessment without a Global Admin account and without needing the registration of an Azure AD application. Because it only required a Global Reader Account, we were able to use the tool effectively for our clients and clients could allow us to conduct the assessment!
SmartProfiler's advanced assessment parameters really give you insights about your Active Directory environment and make sure every risk is mitigated.
Copyright © DynamicPacks Technologies