vSphere 6.5 Security Configuration Guide and Mike’s blog post about it. In particular, he writes:
I’d like to take this opportunity to remind folks what the vSphere Hardening Guide and/or the vSphere Security Configuration Guide is and is not. It is not meant to be used as a “compliance” tool nor a set of boxes to check. It is not a set of mandates. Blanket application of ANY changes to a system should be carefully reviewed before being made. It is a set of guidelines that attempts to explain risk and start a risk management conversation between IT and security and “guide” both teams into setting up the product in a secure fashion.
I’ve definitely seen this used as a “we must set all the settings to the hardening guide,” which just causes operations issues, thus generating workarounds, and certainly does not automatically improve your security stance.
Here’s the article: