STIG no unused ports on a distributed virtual port group.

Post date: Jul 17, 2015 8:15:30 PM

Rule Title: The system must ensure there are no unused ports on a distributed virtual port group.

STIG ID: ESXI5-VMNET-000020 Rule ID: SV-51235r2_rule Vuln ID: V-39377

Severity: CAT III

The number of ports available on a dvSwitch distributed port group must be adjusted to exactly match the number of virtual machine vNICs that need to be assigned to that dvPortgroup. Limiting the number of ports to just what is needed also limits the accidental or malicious potential to move a virtual machine to an unauthorized network. This is especially relevant if the management network is on a dvPortgroup, because it could help prevent putting a rogue virtual machine on this network.

As Virtual Network Adapters are connected to ports on a distributed virtual switch portgroup regardless if a VM is off or a template or if the network adapter is not connected to the VM. I decieded this would be a great place to look for getting an accurate count of ports required for a vdportgroup. This will apply the stig to all distributed virtual portgroup in a vCenter.


#Author: KnightUSN


$VDPGs = get-vdportgroup | ?{$_.IsUplink -eq $false}

ForEach($VDPG in $VDPGs){

$reqports = (Get-VDPort -ConnectedOnly -VDPortgroup $VDPG).count

$VDPG | Set-VDPortgroup -NumPorts $reqports