VMware vSphere 7.0 Virtual Machine STIG Version Comparison
VMware vSphere 7.0 Virtual Machine Security Technical Implementation Guide
Comparison
There are 3 differences between versions v1 r1 (March 7, 2023) (the "left" version) and v1 r3 (Jan. 24, 2024) (the "right" version).
Check VMCH-70-000023 was changed between these two versions. Green, underlined text was added; red, struck-out text was removed.
Text Differences
Title
All 3D features on the virtual machine (VM) must be disabled when not required.
Check Content
Left version (v1 r1):
From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "mks.enable3d" value and verify it is set to "false".
or
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:
Get-VM "VM Name" | Get-AdvancedSetting -Name mks.enable3d
If the virtual machine advanced setting "mks.enable3d" does not exist or is not set to "false", this is a finding. If a virtual machine requires 3D features, this is not a finding.

Right version (v1 r3):
For each virtual machine do the following: From the vSphere Client, right-click the virtual machine and go to Edit Settings. Expand "Video card" and verify the "Enable 3D Support" checkbox is unchecked.
or
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:
Get-VM "VM Name" | Get-AdvancedSetting -Name mks.enable3d
If the virtual machine advanced setting "mks.enable3d" exists and is not set to "false", this is a finding. If the virtual machine advanced setting "mks.enable3d" does not exist, this is not a finding.
Discussion
For performance reasons, it is recommended that 3D acceleration be disabled on virtual machines that do not require 3D functionality (e.g., most server workloads or desktops not using 3D applications).
Fix
Left version (v1 r1):
From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "mks.enable3d" value and set it to "false".
Note: The VM must be powered off to modify the advanced settings through the vSphere Client. It is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. In this case, the modified settings will not take effect until a cold boot of the VM.
or
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below.
If the setting does not exist, run:
Get-VM "VM Name" | New-AdvancedSetting -Name mks.enable3d -Value false
If the setting exists, run:
Get-VM "VM Name" | Get-AdvancedSetting -Name mks.enable3d | Set-AdvancedSetting -Value false

Right version (v1 r3):
For each virtual machine do the following: From the vSphere Client, right-click the virtual machine and go to "Edit Settings". Expand "Video card" and uncheck the "Enable 3D Support" checkbox. Click "OK".
or
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as noted below.
If the setting does not exist, run:
Get-VM "VM Name" | New-AdvancedSetting -Name mks.enable3d -Value false
If the setting exists, run:
Get-VM "VM Name" | Get-AdvancedSetting -Name mks.enable3d | Set-AdvancedSetting -Value false
Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.
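
The Check Content carries two different finding rules for "mks.enable3d": one treats a missing setting as a finding, the other treats only an existing value other than "false" as a finding. The following PowerCLI sketch is an added example, not part of the STIG text; it evaluates every VM against both rules so the VMs whose status differs between them stand out. It assumes an existing Connect-VIServer session; the function name Get-Enable3dStatus and the output column names are hypothetical.

```powershell
# Added example: read-only audit of mks.enable3d for VMCH-70-000023.
# Uses only Get-VM and Get-AdvancedSetting; nothing is modified.

function Get-Enable3dStatus {
    param(
        [Parameter(Mandatory)] $VM   # a VM object returned by Get-VM
    )

    # Returns nothing when the advanced setting is not defined on the VM.
    $setting = Get-AdvancedSetting -Entity $VM -Name 'mks.enable3d'
    $exists  = $null -ne $setting
    $isFalse = $exists -and ("$($setting.Value)" -ieq 'false')

    [pscustomobject]@{
        VM            = $VM.Name
        # Per the Fix text, a value changed on a powered-on VM is not
        # effective until a cold start, so the power state is reported too.
        PowerState    = $VM.PowerState
        Value         = if ($exists) { $setting.Value } else { '<not set>' }
        # Rule 1: setting does not exist OR is not "false" -> finding.
        # (That wording also exempts VMs that require 3D features, which
        # has to be decided by hand; this script cannot know it.)
        StrictFinding = -not $isFalse
        # Rule 2: setting exists AND is not "false" -> finding;
        # a missing setting is not a finding.
        NarrowFinding = $exists -and -not $isFalse
    }
}

$report = Get-VM | ForEach-Object { Get-Enable3dStatus -VM $_ }

# VMs that are a finding under both rules come first, then those that
# are a finding only because the setting is absent.
$report |
    Sort-Object NarrowFinding, StrictFinding -Descending |
    Format-Table -AutoSize

# VMs whose result depends on which rule is applied.
$report | Where-Object { $_.StrictFinding -ne $_.NarrowFinding } |
    Select-Object VM, Value
```

VMs listed by the last pipeline are exactly those where the setting is absent, which is the case the two wordings score differently.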