U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

ESXi 5 vCenter Server STIG Version 2 Release 1 Checklist Details (Checklist Revisions)

Supporting Resources:


Target CPE Name
VMware VCenter Server 5.0 cpe:/a:vmware:vcenter_server:5.0 (View CVEs)

Checklist Highlights

Checklist Name:
ESXi 5 vCenter Server STIG
Checklist ID:
Version 2 Release 1
Review Status:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:

Checklist Summary:

This VMware ESXi Version 5 vCenter Server (ESXi 5 vCenter) Technology Overview, along with the ESXi 5 vCenter STIG, provides the technical security policies, requirements, and implementation details for applying security concepts to the vCenter Server. The VMware vSphere 5 Security Hardening Guide contains product-specific, best-practices requirements for VMware ESXi 5 vCenter Server. This hardening guide describes the ESXi 5 built-in security features, and the measures to safeguard ESXi 5 from attack. This hardening guide may be used to secure the vSphere 5 environment for VMware vCenter Server 5 and VMware ESXi 5. This guide was used as input into this STIG. The Windows Server 2008 R2 Security Technical Implementation Guide contains product-specific requirements for Windows Server 2008 R2, which is used as the base operating system to support the VMware vCenter Server, VMware vSphere Update Manager, and the VMware vSphere Update Manager Download Server. This STIG may be used as a guide for enhancing the base operating system security configuration of the Windows 2008 R2 Server hosting VMware vSphere applications. The VMware vCenter Server Security Technical Implementation Guide may be used as a guide for enhancing the security configuration of the vCenter Server system, including the vSphere Update Manager. This Overview is for ESXi 5 vCenter Server. The ESXi 5 vCenter STIG assumes familiarity with some common vSphere 5 concepts and terminology. Some of these concepts and terms are defined and explained in this document in order to facilitate uniform interpretation of the requirements. Important info about the files included in the STIG.zip file. The following files are included in this STIG. The file names listed below are generic; the actual file names will be specific to the technology and checklist release. STIG_Overview.doc or .pdf. This file will contain the overview and background information, as well as screen captures, network diagrams, and other important information that could not be stored in the XML file. manual-STIG.zip - This file will contain the appropriate files listed below. The manual-STIG files are for manually viewing the STIG in a browser or a utility such as STIG Viewer. The manual-STIG.zip files must be extracted to the same directory for use. manual-xccdf.xml This is the STIG XML file that contains the manual check procedures. STIG_unclass.xsl This is the transformation file that will allow the XML to be presented in a "human friendly" format. DoD-DISA-logos-as-JPEG.jpg - Contains logos used by STIG_unclass.xsl.

Checklist Role:

  • Virtualization Server

Known Issues:

Not provided.

Target Audience:

The security requirements contained within this STIG are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System Administrators (SAs) with configuring and maintaining security controls in a VMware vSphere environment centrally managed by a vCenter Server. This document is not a guide to Windows system administration.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoD Directive (DoDD) 8500.1 and 8500.2


Comments or proposed revisions to this document should be sent via email to disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.


Not provided.

Product Support:

Comments or proposed revisions to this document should be sent via e-mail to disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Point of Contact:



Not provided.


Not provided.

Change History:

Version 1, Release 5 - 25 April 2014
Version 1, Release 4 - 24 January 2014
Version 1, Release 3 - 30 September 2013
Version 1, Release 2 - 26 September 2013
Version 1, Release 1 - 17 July 2013
Version 1, Release 6 - 26 January 2015
4/28/2016 - Version 1, Release 7
moved to FINAL - 6/7/2016
Updated URL to reflect change to the DISA website - http --> https
Updated URLs - 6/14/19
sunset per DISA - 10/29/2021


URL Description


Reference URL Description

NIST checklist record last modified on 10/29/2021