STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-258966

CAT II (Medium)

The vCenter Server must not override port group settings at the port level on distributed switches.

Rule ID

SV-258966r961863_rule

STIG

VMware vSphere 8.0 vCenter Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000366

Discussion

Port-level configuration overrides are disabled by default. Once enabled, they allow security settings on an individual port to differ from those established at the port group level. If overrides are not monitored, anyone who gains access to a VM with a less secure VDS configuration could exploit that broader access. If particular VMs require unique configurations, create a separate port group with the required configuration instead of overriding port group settings.

Check Content

If distributed switches are not used, this is not applicable.

From the vSphere Client, go to "Networking".

Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Properties.

Review the "Override port policies".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

(Get-VDPortgroup).ExtensionData.Config.Policy

If there are any distributed port groups that allow overridden port policies, this is a finding.

Note: This does not apply to the "Block Ports" or "Configure reset at disconnect" policies.
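The following PowerCLI audit script is an added example, not part of the STIG text: it generalizes the check command above by inspecting every *OverrideAllowed property on each distributed port group's policy and reporting which ones are enabled, skipping the two policies the rule exempts. It assumes PowerCLI is loaded and Connect-VIServer has already been run against the vCenter server.

```powershell
# Added audit example (not DISA's text). Flags each distributed port group that
# allows any port-level override other than "Block Ports" and
# "Configure reset at disconnect", which V-258966 does not apply to.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
$exempt = @('BlockOverrideAllowed', 'PortConfigResetAtDisconnect')

$results = foreach ($pg in Get-VDPortgroup) {
    $policy = $pg.ExtensionData.Config.Policy

    # Every *OverrideAllowed property set to $true, minus the exempted ones.
    $overrides = $policy.PSObject.Properties |
        Where-Object {
            $_.Name -like '*OverrideAllowed' -and
            $_.Name -notin $exempt -and
            $_.Value -eq $true
        } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        VDSwitch  = $pg.VDSwitch.Name
        PortGroup = $pg.Name
        Finding   = [bool]$overrides
        Overrides = ($overrides -join ', ')
    }
}

# Findings first, then compliant port groups.
$results | Sort-Object Finding -Descending | Format-Table -AutoSize

if ($results | Where-Object Finding) {
    Write-Warning 'V-258966: one or more distributed port groups allow port-level overrides.'
}
```

Any row with Finding set to True is a finding under this rule; the Overrides column names the policies that need to be disabled.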

Fix Text

From the vSphere Client, go to "Networking".

Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Properties.

Click "Edit".

Select advanced and update all port policies besides "Block Ports" to "disabled" and click "OK".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

$pgs = Get-VDPortgroup | Get-View
ForEach ($pg in $pgs) {
    # Build a reconfigure spec tied to the port group's current config version,
    # so the task fails safely if the object was changed concurrently.
    $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $spec.ConfigVersion = $pg.Config.ConfigVersion
    $spec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
    # Disable every port-level override except "Block Ports", which the rule exempts.
    $spec.Policy.VlanOverrideAllowed = $False
    $spec.Policy.UplinkTeamingOverrideAllowed = $False
    $spec.Policy.SecurityPolicyOverrideAllowed = $False
    $spec.Policy.IpfixOverrideAllowed = $False
    $spec.Policy.BlockOverrideAllowed = $True
    $spec.Policy.ShapingOverrideAllowed = $False
    $spec.Policy.VendorConfigOverrideAllowed = $False
    $spec.Policy.TrafficFilterOverrideAllowed = $False
    # Apply the policy to the port group.
    $pg.ReconfigureDVPortgroup_Task($spec)
}