Quick Start Guide: ESXi Assessment using GUI (Windows)

Owned by Allan Cornwell
Last updated: Dec 19, 2023
3 min read

Overview

This guide will walk through conducting an ESXi version 6.7 or 7.0 Benchmark assessment using the CIS-CAT Pro Assessor v4 GUI (Windows only). Assessor utilizes components of VMware PowerCLI to validate settings and gather information during the scan.

For more information on this process, please refer to the Configuration Guide:
https://ciscat-assessor.docs.cisecurity.org/en/latest/Configuration%20Guide/#vmware-esxi-assessment

Requirements

  • An ESXi 6.7 or 7.0 host reachable on port 443 along with administrative or root credentials.

  • PowerShell installed on the Windows system running Assessor
    (included by default in Windows 7 SP1 / Windows Server 2008 R2 and later):
    https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.2

  • The PowerShell VMware.VimAutomation.Core module contained in VMware PowerCLI.

    • Open an administrative PowerShell prompt and enter:
      Install-Module -Name VMware.PowerCLI

    • Verify the installation succeeded with:
      Get-Module VMware.* -listAvailable
      Included in the output list should be the required VMware.VimAutomation.Core module:

Implementation Steps

1

Verify PowerCLI is installed before running CIS-CAT Pro Assessor v4 (see above).

2

Launch Assessor-GUI.exe as Administrator (right-click -> ā€œRun as administratorā€).

3

Select the ā€œAdvancedā€ ā†’ ā€œAdd Remote or Local Target Systemā€ option:

Ā 

4

In the following screen, enter the required prompts.

  • Fill in the ā€œTarget System Nameā€ (cannot start with a number, contain spaces or special characters). This entry does not need to match the ESXi hostname and is used for reporting only.

  • Set the ā€œTarget System Typeā€ to ā€œLocalā€

This choice may be counterintuitive (as the target ESXi host is not local),
but is required as the assessment itself is carried out via PowerShell from the local host.

  • Under ā€œBenchmarksā€, choose the applicable Benchmark (either ESXi 6.7 or 7.0)
    as well as your desired Profile level (L1 or L2), then select ā€œAddā€.

5

You will be prompted for a connection string to your ESXi host.

Enter your ESXi username (such as root), followed by / and the password, and finally the connection IP or hostname after the @ character. Example:
root/mysecurepassword@192.168.41.60

Select ā€œOKā€œ followed by ā€œSaveā€ in the bottom right to proceed to the next screen.

6

Review your settings and choose ā€œNextā€ (no connection test is necessary for this assessment).

7

Under ā€œReport Output Optionsā€, select your desired reporting formats (HTML is recommended) and choose ā€œNextā€ to launch the ESXi assessment.

CLI & Troubleshooting Steps

For details on running an ESXi assessment via CLI instead, please refer to this KB article:

If the final report returns ā€œUnknownā€ results for each Recommendation, or you encounter Certificate or other connectivity errors, please refer to the following troubleshooting articles:



For continued issues with ESXi assessments, please open a ticket with CIS Product Support including the following information and INFO-level log files:

Ā 

Ā 

Copyright Ā© 2022 Center for Internet SecurityĀ® Privacy Policy

Ā