Security Settings in vSphere vCenter and ESXi

Mindwatering Incorporated

Author: Tripp W Black

Created: 11/20 at 01:45 PM

 

Category:
VMWare
Host Configuration, vCenter

Task:
Document a standard security checklist for vSphere vCenter and its ESXi hosts.

---



ESXi Checklist:

1a. Are ESXi host BIOS settings set to use UEFI Secure Boot?
- UEFI Secure Boot checks that drivers and low-level apps are cryptographically signed.
- Are the installation software and VIBs still digitally signed and downloaded from VMware/Broadcom?
- Before switching, check from the ESXi shell whether the host will still boot: /usr/lib/vmware/secureboot/bin/secureBoot.py -c

1b. Do the ESXi hosts have a TPM module?
- Locks the ESXi install to the specific TPM on the server motherboard. Highly recommended.
- The downside is that the ESXi install cannot simply be restored. It has to be reinstalled from scratch on a new host w/ a new TPM.

1c. Is TPM enabled in BIOS?
- VMware/BC uses the TPM and TXT attestation w/ the image and VIBs, and VMs can re-use
- - TPM 2.0 installed and activated (SHA-256 hashing, TIS/FIFO interface)
- - TXT activated
- - Early implementations had bugs; make sure the BIOS firmware is up-to-date, see VMware KB 78243

1d. Is the host BIOS firmware up-to-date?
- Most servers can be partly kept up-to-date through the BIOS management site, which typically also runs the ILO, while the host is still not in maintenance mode.
- However, it may be wise to put the host in maintenance mode just in case.

1e. What is the host boot order?
- Does it need to be changed to disk first?
- Booting from USB or DVD-ROM is typically done during upgrades, but leaving hosts this way allows someone to boot different software if the datacenter has a security breach, or if the "sneaker foot" accidentally inserts the disk into the wrong host and cycles its power button.

1f. Do all the hosts' BIOS management sites have NTP enabled?

1g. Are the hosts' BIOS management sites on a separate network from VM traffic?

1h. Are unused BIOS management site features disabled?

1i. Assuming the management BIOS site supports disabling hardware, does your company want unused USB or other ports disabled?

1j. If using Intel chipsets, some management BIOS systems support Software Guard Extensions (vSGX); if so, is it activated for vSphere to use?
- The VM OS must support SGX, and enabling it can limit vMotion features or even snapshots

1k. If using AMD chipsets, some management BIOS systems support Secure Encrypted Virtualization-Encrypted State (SEV-ES); if so, is it activated?
- The VM OS must support SEV-ES, and enabling it can limit vMotion features or even snapshots

1m. If the management BIOS system supports virtual/emulated hardware, especially virtual networks, are they disabled?
- A virtual network enabled at the BIOS level will look like a real NIC, which can be a security issue if it is forgotten that the NIC is really a virtual one.

1n. Have the management BIOS passwords been updated so they are not the default?
- Just in case this was missed, or a previous admin set up the hosts

2. FTP or Telnet enabled?
- Disabled by default. Should be kept disabled.
- Use SSH/SCP for file transfers instead. If you want a GUI, FileZilla is a good one that supports both old FTP and SCP.

3. Is SSH being run jailed?
- In ESXi 8.0 and later, SSH can be run "sandboxed", in what we would historically have called "jailed".
- Sandboxed SSH can only run a subset of SSH commands with reduced privileges.
- Is this desired? If so, has it been configured?

4. vSphere ESXi and vCenter versions
- Is vSphere running a version tested under the Common Criteria Evaluation and Validation Scheme (commoncriteriaportal.org)?
- e.g. current as of 2025/11 is ESXi 8.0 Update 3e

5. Networks isolated on vLANs or separate networks?
- Management
- vMotion
- Storage
- VM networks

6. Network Layer 2 isolation and tagging?
- VLAN isolation
- VGT, EST, or VST port group mapping
- Both separate virtual networks mapped to hardware VLANs and VST port groups provide good network isolation

7. Linked clones running?
- A linked clone cannot access the "parent" disk, only the produced snapshot, but it does share the same network and software from the point of cloning.

8a. Storage I/O limits for rogue VM?
- vSphere or ESXi UI --> VM --> Settings --> Virtual Hardware (tab) --> Hard disk(s) --> VM storage policy or Custom --> Limit - IOPS
- Policy or manual/custom, not both

8b. Storage I/O limits for/per datastore?
- vSphere or ESXi UI --> Inventory --> Datastores (view/icon) --> select datastore --> Configure (tab) --> General (left sub menu) --> Datastore Capabilities (heading) --> Edit (button in heading) --> Toggle radio button to Enable Storage I/O Control and statistics collection --> click OK (button)
- Note NFS datastores do not display the Edit button

8c. Storage DRS enabled for Storage I/O limits?
- vSphere UI --> Inventory --> select storage DRS cluster --> Manage --> Storage DRS --> Edit (button) --> Advanced Options --> Configuration Parameters --> Add (button) --> Heading: EnforceStorageProfiles, Value: 0, 1, or 2 --> Click OK (button to save)
- Note: 0 (default) no policy enforcement, 1 enabled enforcement, 2 "hard" enabled enforcement (analogous w/ DRS hard rules)

9. Is iSCSI CHAP enabled?

10. NFS?
- Ignore read/write no_root_squash being enabled, as that is NORMAL
- Does the NFS server have IP restrictions to limit access to only the ESXi hosts/network(s)?

11a. ESXi services/ports secured?
- ESXi is a single-user (root-equivalent) system, so typical Linux hardening (e.g. chmod u/g/o) is not applicable
- Are SSH and other ports protected by other corporate network firewalls to limit external access?
- Is the ESXi firewall restricting access to the management network(s), storage network(s), etc.?
- Is lockdown mode utilized once the host is added to vCenter?
- - DCUI is excepted from lockdown. Users assigned the DCUI role in the DCUI.Access advanced configuration option can access the host via DCUI even w/o membership in the vCenter or ESXi admin roles

11b. ESXi and vSphere certs should either have their CA root imported into the corporate browsers, or be replaced by the corporate CA. Done?
- Otherwise, users will get used to certificate warnings and be "trained" for a MiTM spoof.

11c. Are ESXi host lights-out (ILO/DRAC) account(s) and network access limited to the management network and its admins only?

11d. Do the ESXi local, vSphere local, and LDAP administrative role assignments match each user's job description?
- e.g. ESXi shell access has an administrator role assigned to users; check user memberships in the administrative and staff roles for ESXi and vCenter
- Are custom roles created and users assigned for access in-between "none" and the admin role?
- Has root usage been discontinued once LDAP admin groups were mapped to the ESXi/vCenter administrator roles?

12a. ESXi Shell or SSH in use?
- Both shell and SSH are disabled by default, and access is limited to the vSphere client for day-to-day use
- If enabled, is there a needed reason for running it day-to-day?

12b. Are additional services beyond the ones required for management access enabled/open/running?
- If so, are they currently being used?

12c. Weak ciphers are disabled by default. Have any been enabled?
- If so, why, and are they still needed?

13. SNMP (log) agent utilized?
- UDP (default)
- TCP? If so, is TLS configured?
- ESXi supports v3; is the communication v3?

14. Backup software on the same LAN as the storage and/or management LAN(s)?
- Is it on the same management/storage network for access and isolation from normal VM traffic and local office/business traffic?
- If using cloud backup software, is the firewall configured to limit local LAN access to the ESXi hosts and storage to the minimum ports needed?

15. Is the certified/supported "acceptance level" of the update VIBs (installation bundles) documented/known?
- Are all levels allowed - VMwareCertified, VMwareAccepted, PartnerSupported, CommunitySupported?

16. ESXi includes default security Advanced System Settings. Have they been reviewed for updates?
- The default settings have security in mind.
- For example, welcome messages are empty/blank so they don't advertise who/what they are. However, corporate RM and lawyers typically would rather have a legal message presented instead, often for compliance or legal reasons.
- Have the legal messages been added?
- This is also where the account lockouts and the password quality limitations are applied.
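A PowerCLI audit of items 11a, 12a, 15 and 16 above (lockdown mode, Shell/SSH services, VIB acceptance levels, lockout/password-quality settings and legal banners), added here as an example; it is not from VMware's own hardening scripts. It assumes VMware.PowerCLI is installed, a Connect-VIServer session to vCenter already exists, and the "desired" values are your own policy (the ones below are assumptions).

```powershell
# Added example (not VMware's code). Assumes VMware.PowerCLI and an existing Connect-VIServer session.
# Desired values are assumptions for illustration; replace them with your corporate policy.
$desired = @{
    'Security.AccountLockFailures'         = 5      # lock the account after n failed logins
    'Security.AccountUnlockTime'           = 900    # seconds before automatic unlock
    'Security.PasswordQualityControl'      = 'similar=deny retry=3 min=disabled,disabled,disabled,disabled,15'
    'DCUI.Access'                          = 'root' # only root may bypass lockdown via the DCUI
    'UserVars.ESXiShellInteractiveTimeOut' = 900
    'UserVars.ESXiShellTimeOut'            = 600
}
$servicesOff = @('TSM', 'TSM-SSH')   # ESXi Shell and SSH: should be stopped and not auto-started

function Test-EsxiHostHardening {
    param([Parameter(Mandatory)] $VMHost)
    $findings = New-Object System.Collections.Generic.List[string]

    # Item 11a: lockdownDisabled means the host accepts logins outside of vCenter
    if ($VMHost.ExtensionData.Config.LockdownMode -eq 'lockdownDisabled') {
        $findings.Add('lockdown mode is disabled')
    }

    # Item 12a: Shell/SSH running, or set to start automatically / with the host
    foreach ($svc in Get-VMHostService -VMHost $VMHost | Where-Object { $servicesOff -contains $_.Key }) {
        if ($svc.Running)           { $findings.Add("service $($svc.Key) is running") }
        if ($svc.Policy -ne 'off')  { $findings.Add("service $($svc.Key) startup policy is $($svc.Policy)") }
    }

    # Item 16: compare each advanced setting with the desired value
    foreach ($key in $desired.Keys) {
        $setting = Get-AdvancedSetting -Entity $VMHost -Name $key
        if ($null -eq $setting) { $findings.Add("setting $key not found"); continue }
        if ("$($setting.Value)" -ne "$($desired[$key])") {
            $findings.Add("setting $key is '$($setting.Value)', expected '$($desired[$key])'")
        }
    }

    # Item 16: an empty banner means no legal notice is shown on the DCUI / login screens
    foreach ($key in 'Annotations.WelcomeMessage', 'Config.Etc.issue') {
        $banner = (Get-AdvancedSetting -Entity $VMHost -Name $key).Value
        if ([string]::IsNullOrWhiteSpace($banner)) { $findings.Add("$key is empty (no legal banner)") }
    }

    # Item 15: host acceptance level and any installed VIB that is only CommunitySupported
    $esxcli = Get-EsxCli -VMHost $VMHost -V2
    if ($esxcli.software.acceptance.get.Invoke() -eq 'CommunitySupported') {
        $findings.Add('host acceptance level is CommunitySupported')
    }
    $esxcli.software.vib.list.Invoke() |
        Where-Object { $_.AcceptanceLevel -eq 'CommunitySupported' } |
        ForEach-Object { $findings.Add("VIB $($_.Name) ($($_.Vendor)) is CommunitySupported") }

    [pscustomobject]@{ Host = $VMHost.Name; Findings = $findings }
}

# One line per host: either the list of findings or "no findings"
Get-VMHost | Sort-Object Name | ForEach-Object { Test-EsxiHostHardening -VMHost $_ } | ForEach-Object {
    if ($_.Findings.Count) { "$($_.Host): " + ($_.Findings -join '; ') } else { "$($_.Host): no findings" }
}
```

The script only reads; remediation (Set-AdvancedSetting, Stop-VMHostService) is deliberately left to a separate, reviewed change.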

17. Are scripts that use the APIs using a service account with a custom role to limit their ability to administrate beyond their scripted intent?
- The APIs support scripting, which is very advantageous for automating changes to the ESXi hosts as it is less prone to missed user steps.

18. Are DPUs/the Distributed Services Engine enabled? If so, is this desired?
- ESXi 8.0 and higher allow offloading system functions to DPUs/SmartNICs
- The ESXi Shell and SSH interface to the DSE is deactivated by default. Is this desired?
- Like the Shell and SSH interface, the DSE doesn't have role-based access control applied.

19. Is the vSphere Authentication Proxy being used for the ESXi hosts?
- The Authentication Proxy can alleviate manual per-host LDAP/AD set-up when scripting via the API is not being performed.
- It automatically adds hosts to AD when they are deployed with vSphere Auto Deploy
- WARNING: Do not use if adding Tanzu to vSphere. It is NOT supported.

20. Is Smart Card Authentication installed? Is it desired?
- Most admins don't log in to the ESXi hosts often enough to care. However, certain companies in certain industries might want this.
- vSphere --> Configure --> Authentication Services --> Smart Card Authentication panel --> Edit --> Certificates (page) --> Add the trusted CA and intermediary certs in PEM format, switch to the Smart Card Authentication (page) --> Enable Smart Card Authentication checkbox --> Click OK (button) to save.
- CAUTION: In the case of an AD DC outage/network outage, use a local ESXi account with a normal username and password

21. Are there sensitive VMs that contain PII or PCI data?
- Class I PII and PCI compliance typically require encryption of data at rest, as well as in transit
- If applicable, and as required, are the VMs that need it encrypted?
- - Has the Key Provider been set up?
- - Have the delegated "class 1" hosts been enabled for encryption?
- - Has the VM been enabled via the vSphere client or API to encrypt its disks by updating each disk's Storage Policy?
- If a datastore has a Storage Policy requiring encryption, it affects any VM that is placed on it.
- CAUTION: A host enabled for encryption also means that its support bundle logs, core dumps, and VM swap files are encrypted, which can lead to paging load issues if ESXi hosts are too busy and VMs are using swap.

22. Are VMs that require a vTPM set up with a vTPM for VM boot security?
- vTPM is a software-based TPM, and requires a VMware license add-on to use
- Added as a device in the VM settings just like other hardware
- IMPORTANT: a vTPM does encrypt the VM files, but not the actual VM disks by default. Disk encryption has to be done afterwards, or separately.


---



vCenter:
1a. Are user-to-role assignments proper and maintained?
- Are local users restricted/limited to special cases?
- Have the Administrator role assignments been limited to a select few?
- Are logins delineated between "personal" every-day logins and service accounts or administrative accounts?
- - Are the everyday login roles limited to standard view-only and read-only levels?
- Are role assignments based on/well-mapped to actual job duties that limit access to only what is needed "for the job"?
- - Administrator role
- - Database/datastore roles
- - VM roles
- Are custom roles implemented for the users assigned access in-between "none" and the admin role?
- Has admin@local usage been discontinued once LDAP admin groups were mapped to vCenter administrator roles?

1b. Is the administrative vSphere role separated from in-VM administrative access?
- By default, a user with the Administrator role can interact with the files and programs w/in a guest VM OS.
- Are users with the as-built Administrator role limited to just those who need both?
- Is there a separate VM administration custom role(s) built and assigned to administrators (people) for the VM administrative access they need?
- Is there a separate vSphere administration custom role(s) built and assigned to administrators (people) for vSphere administration tasks?
- - These admin folks do NOT have the Virtual Machine -> Guest Operations privileges

2. Datastore browser (icon) view restricted?
- Datastore --> Browse datastore - Is this privilege given only to users that really need to look at the folders, files, etc.?
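A PowerCLI review of items 1a, 1b and 2 above (who holds the Administrator role, which roles carry Guest Operations privileges, and who can browse datastores), added as an example and not part of the original checklist. It assumes VMware.PowerCLI and an existing Connect-VIServer session to vCenter; the privilege ids used are vCenter's own (VirtualMachine.GuestOperations.* and Datastore.Browse).

```powershell
# Added example (not VMware's code). Assumes VMware.PowerCLI and an existing Connect-VIServer session.
$guestOpsPrefix = 'VirtualMachine.GuestOperations.'   # privilege group behind item 1b
$browsePriv     = 'Datastore.Browse'                  # privilege behind item 2

function Get-RolesWithPrivilege {
    param([Parameter(Mandatory)][string] $Prefix)
    # Every role (built-in or custom) whose privilege list contains a privilege starting with $Prefix
    Get-VIRole | Where-Object { $_.PrivilegeList | Where-Object { $_ -like "$Prefix*" } }
}

function Get-PermissionReport {
    $guestOpsRoles = (Get-RolesWithPrivilege -Prefix $guestOpsPrefix).Name
    $browseRoles   = (Get-RolesWithPrivilege -Prefix $browsePriv).Name
    foreach ($perm in Get-VIPermission) {
        [pscustomobject]@{
            Principal = $perm.Principal
            IsGroup   = $perm.IsGroup
            Role      = $perm.Role
            Entity    = $perm.Entity.Name
            Propagate = $perm.Propagate
            IsAdmin   = ($perm.Role -eq 'Admin')               # the built-in Administrator role
            GuestOps  = ($guestOpsRoles -contains $perm.Role)  # can act inside guest OSes (item 1b)
            CanBrowse = ($browseRoles -contains $perm.Role)    # datastore browser access (item 2)
        }
    }
}

$report = Get-PermissionReport

'Administrator role assignments (item 1a):'
$report | Where-Object IsAdmin | Format-Table Principal, IsGroup, Entity, Propagate -AutoSize

'Roles that include Guest Operations privileges (item 1b):'
(Get-RolesWithPrivilege -Prefix $guestOpsPrefix).Name -join ', '

'Principals holding a role with Guest Operations privileges (item 1b):'
$report | Where-Object GuestOps | Format-Table Principal, Role, Entity, Propagate -AutoSize

'Principals able to browse datastores (item 2):'
$report | Where-Object CanBrowse | Select-Object -ExpandProperty Principal -Unique

# Propagating permissions granted at the root folder are the ones to scrutinise first
'Propagating permissions at the inventory root:'
$report | Where-Object { $_.Propagate -and $_.Entity -eq 'Datacenters' } | Format-Table Principal, Role -AutoSize
```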

3. Has the automatic password rollover for the vpxuser been reviewed and accepted?
- vCenter changes the password by default every 30 days
- Change it by configuring/updating the vCenter Server password policy (vCenter --> Configure --> Advanced Settings --> Edit Settings --> VirtualCenter.VimPasswordExpirationInDays = n days)

4. Is there a regular audit for admins and users that no longer exist?
- If a user or group cannot be found/validated during vCenter start-up/restart, the Administrator role is removed from that user/group.
- By default, the role is given to administrator@vsphere.local (the default local account) for emergency purposes
- Is the password known/retrievable for the local admin account in case of an LDAP failure, for emergency use?

5. The vSphere root CA should be imported into the corporate browsers, or replaced by the corporate CA's certificates. Done?
- Otherwise, users and admins will get used to certificate warnings and be "trained" for a MiTM spoof.

6. Expired or revoked certificates or logs removed?
- Expired or revoked certificates can be subjected to a MiTM attack
- In some cases, a log file can contain a password in plain text if a vCenter installation/upgrade fails. After failed installations, the log should be exported to a safe location, cleaned there, and the log removed from the vCenter.

7a. Has the local vCenter embedded firewall been updated to restrict access?
- The embedded firewall uses IP-based restrictions
- vCenter must have access to all ESXi hosts, the vCenter database (if external), other vCenter-related components, LDAP, DNS, PTP, NTP, backup appliances, etc.
- Watch for external script jump boxes that require CLI / SDK / REST access (including an external Aria/Orchestrator).

7b. Are firewalls adjacent to the management network configured with only the ports open for administrative or external components?
- The new ports list URL is ports.broadcom.com
- Most important for external consideration:
- - vCenter/vSphere Tanzu: 443 TCP (vSphere/Tanzu Management UI, REST API, SOAP API)
- - vCenter NFS: 111 TCP, and 2049 TCP/UDP
- - vCenter iSCSI: 3260 TCP (initiators and targets)
- - LDAP: 636 TCP (AD/LDAP secure)
- - MS DC AD: 636 TCP (AD/LDAP secure), 2020 TCP (vSphere IWA)

8. Is the vCenter management network(s) restricted to just the people and the other infrastructure items in #7 above?
- Does your company use an admin jump box (bastion host) within the management network, where the RDP port is open, which then has a NIC on the management network?
- If using a jump/bastion host, does its installed software have everything needed to do day-to-day jobs and fix components in an emergency, and nothing else installed?

9. Do you periodically evaluate vCenter plug-ins, removing those for software no longer installed, etc.?

10. Is PTP or NTP being used? Is it enabled?
- If the various components experience time shift, eventually time-based encryption and certificate validation will fail.
- If the systems are synced to the second, or a fraction thereof, then comparing component logs becomes MUCH easier.

11. Are the built-in vCenter Single Sign-On password policy requirements compatible with your LDAP one?
- Default vCenter policy: 8 characters minimum, 1 lowercase, 1 numeric, 1 special character, not more than 20 characters. Does that match your corporate LDAP policy?
- Password lockout in vCenter is 5 attempts; does that meet corporate policy?
- The dir-cli password reset CLI command can reset a password. Administrators with the vCenter SSO role can use this command to reset a login account.
- The dir-cli password change CLI command can change passwords. Users can use this command to change their own ID's password.

12a. If you have pre-ESXi 6.x hosts, they use legacy thumbprints; are they upgraded to a current version?
- Are older hosts being upgraded?
- Are any hosts using thumbprints?

12b. ESXi 6.x and later can be changed to use thumbprint mode. If desired, the hosts have to be verified in vCenter. Is this being done over time?
- vCenter --> Configure --> Settings --> General --> Edit (button) --> SSL Settings, then evaluate each host
- The current in-use thumbprint can be retrieved using the DCUI on the host console (F2 --> View Support Information)
- Click Verify next to each host to verify. Click OK, then Save, to save.

13a. Does the vSphere logout/timeout need to be changed?
- Installation default: 120 minutes
- Many company RM depts or lawyers implement 15 or 30 minutes
- Administration --> Client Configuration --> Session timeout

13b. Does the vSphere multiple failed login timeout period need to be changed?
- Blocks a user who failed too many times from trying again for a while
- Installation default: 180 (seconds)
- Many company RM depts or lawyers implement 15 or 30 minutes (900 and 1800 respectively)
- Administration --> Single Sign On --> Configuration --> Local Accounts --> Lockout Policy

13c. Does the number of login attempts before lockout need to be changed?
- Installation default: 5

13d. Does the vSphere automatic unlock of a locked account need to be changed?
- Installation default: 300 (seconds)
- Many company RM depts or lawyers implement 0 (never unlock)

13e. Does password complexity need to be updated to match LDAP or company standards?
- Installation default: min length: 8, max length: 20, special characters: 1, alphabetic: 2, uppercase: 1, lowercase: 1, numeric: 1, identical adjacent: 3
- Corporate LDAP may require 15 to 64 characters, and allow only 1 or 2 identical adjacent ones.

14. Does the vCenter SSH banner need to be updated?
- Installation default: VMware vCenter <version>
- Often changed by RM depts or lawyers to the standard corporate banner text.

15. Does the default task and event rollover need to be updated?
- vCenter object tasks and events roll over to save storage space
- Installation default: 30
- If increasing it, you may need to roll the vCenter over to a new one and change the sizing of the appliance. In other words, watch the disk space utilization and keep it under 80%.

16. Does your company use, or require external logging?
- e.g. Log Insight, or other solution
- vCenter --> Configure --> Advanced Settings --> Logging

17. Does your company need to enable FIPS-validated ciphers?
- Changing this will restart vCenter
- View the current value: Developer Center --> API Explorer --> appliance (drop down selection) --> system/security/global_fips (category twistie - expand) --> Get (selection) --> click Execute (under Try it out)
- To change the current value to true: Developer Center --> API Explorer --> appliance (drop down selection) --> system/security/global_fips (category twistie - expand) --> Put (selection) --> request body field: { "enabled": true }, click Execute (under Try it out)
- CAUTION: Enabling this disables RSA SecurID, some CAC cards will no longer function, and certificates with key sizes greater than 3072 bits may not work
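A PowerCLI/REST check for items 3, 15 and 17 above (vpxuser rollover, task/event retention, and the global_fips state), added as an example; it is not VMware's or the page's own code. It assumes VMware.PowerCLI with an existing Connect-VIServer session, that the vCenter certificate is trusted by the workstation (item 5), and that the expected values are your own policy (the ones below are assumptions). The REST calls are the same ones the API Explorer issues: POST /api/session, then GET /api/appliance/system/security/global_fips.

```powershell
# Added example (not VMware's code). Assumes VMware.PowerCLI and an existing Connect-VIServer session.
# Expected values are assumptions for illustration; replace them with your corporate policy.
$expected = @{
    'VirtualCenter.VimPasswordExpirationInDays' = 30    # vpxuser rollover (item 3)
    'task.maxAgeEnabled'                        = $true # task/event retention (item 15)
    'task.maxAge'                               = 30
    'event.maxAgeEnabled'                       = $true
    'event.maxAge'                              = 30
}

function Test-VCenterAdvancedSettings {
    $vc = $global:DefaultVIServer
    foreach ($key in $expected.Keys) {
        $s = Get-AdvancedSetting -Entity $vc -Name $key
        [pscustomobject]@{
            Setting  = $key
            Current  = $(if ($s) { $s.Value } else { '<not set>' })
            Expected = $expected[$key]
            Ok       = [bool]($s -and ("$($s.Value)" -eq "$($expected[$key])"))
        }
    }
}

function Get-VCenterFipsState {
    param([Parameter(Mandatory)][string] $Server, [Parameter(Mandatory)][pscredential] $Credential)
    # Log in with HTTP basic auth once, then reuse the returned session id for the read
    $raw  = "$($Credential.UserName):$($Credential.GetNetworkCredential().Password)"
    $b64  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($raw))
    $sess = Invoke-RestMethod -Method Post -Uri "https://$Server/api/session" -Headers @{ Authorization = "Basic $b64" }
    $hdr  = @{ 'vmware-api-session-id' = $sess }
    try {
        $fips = Invoke-RestMethod -Method Get -Uri "https://$Server/api/appliance/system/security/global_fips" -Headers $hdr
        [bool]$fips.enabled   # $true when FIPS-validated ciphers are enforced
    }
    finally {
        # Always end the API session so it does not linger on the appliance
        Invoke-RestMethod -Method Delete -Uri "https://$Server/api/session" -Headers $hdr | Out-Null
    }
}

Test-VCenterAdvancedSettings | Format-Table -AutoSize
$cred = Get-Credential -Message 'vCenter SSO account for the REST session (read-only is sufficient)'
"FIPS-validated ciphers enabled: $(Get-VCenterFipsState -Server $global:DefaultVIServer.Name -Credential $cred)"
```

The FIPS read is a GET only; switching it on is the PUT described in the item above and restarts vCenter, so keep that as a planned change.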

18. Does your company need to keep the SSO Audit Event Log?
- Location: /var/log/audit/sso-events/audit_events.log
- The log archives at 50 MB, and the last 10 archives are kept.
- If more are needed, note the oldest events are actually in the lowest-numbered archive (audit_events-1.log.gz), not 10. Create automation to collect this last one.

Note:
For VM security and encryption, see the ESXi hosts security list items #20 onward.


The VMware 8.0.x versions we downloaded previously are below.
Caution: these are likely not the latest documents, but are attached for our internal staff's use as the documentation links to them keep failing.

vSphere 8.0.x
vmware-vsphere-security-configuration-guide-803-20240813-01.zip

In this older zip, the main PDF has a good overview. The actual audit is w/in the Tools folder, where there are PowerShell scripts.

WARNING:
Do NOT run these w/o first reviewing them and testing them on a host and a vCenter that don't matter. In other words, take backups of your vCenter and restore the vCenter on a host on a "nowhere" isolated network. Then back up and restore the configuration of one of your hosts to a physical host. Then perform the evaluation and remediation, and see what is the good, the bad, and the ugly from running these.

We downloaded this zip from VMware, but that doesn't mean that their PowerShell scripts won't harm your configuration, especially the ones with "remediate" in them.


VCF 8.x
vmware-cloud-foundation-security-configuration-guide-8-guidance.pdf


vSphere 8.0.3d STIG with K8s (Tanzu / Grid)
VMware_vSphere_Supervisor_8.0.3d_STIG_Hardening_Overview.pdf
VMware_vSphere_with_Tanzu_8_VKr_1.32.0_STIG_Hardening_Overview.pdf



vCF 9.0.x
vmware-cloud-foundation-security-configuration-guide-90-guidance.pdf
vmware-cloud-foundation-security-configuration-guide-90-controls.csv


VCF Security Git location:
The PDF guides are attached, and they link to the github folder where the needed accompanying security hardening guideline specifics are detailed.
github.com/vmware/vcf-security-and-compliance-guidelines/


VCF Security Technical Implementation Guide (STIG) Hardening Guides
VMware creates these for their products per the NIST 800-53 guidance. The git repository contents are drafts they do NOT consider "as good as a STIG". Files ending in -srg are readiness guides, and -stig are official STIG content.

DoD Compliance main page:
github.com/vmware/dod-compliance-and-automation/

The vSphere 8.03x Report:
github.com/vmware/dod-compliance-and-automation/tree/master/vsphere/8.0/docs/reports


2025/11
- The security guides and locations are changing and disappearing. We found some of the missing guides after creating this document from previous notes. The guides have more items to check and possibly remediate than this document.
