Securing ESXi Hosts

ESXi host security is of the upmost concern in the environment. To protect the host against unauthorized intrusion and misuse, consider the following:

Limit user access.

To improve security, restrict user access to the management interface and enforce access security policies such as setting up password restrictions.

The ESXi shell has privileged access to certain parts of the host. Therefore, provide only trusted users with ESXi shell login access.

Disable SSH access. This prevents remote access to the console of ESXi hosts.

Use only VMware sources to upgrade or patch ESXi hosts. VMware does not support upgrading these packages from any source other than a VMware source. If a download or patch is used from another source, management interface security or functions might be compromised.

Regularly check the VMware Security Center for any alerts that might impact the environment. VMware monitors all security alerts that could affect ESXi security and, if needed, issues a security patch.

ESXi runs only services essential to its functions. A limited subset of vendors have hardware agents that can run on VMware infrastructure. However, VMware does not recommend using any third-party agents on ESXi hosts.

By default, all ports not specifically required for management access to the host are closed. Ports must be specifically opened if additional services are required.

By default, weak ciphers are disabled and all communications from clients are secured by SSL. The exact algorithms used for securing the channel depend on the SSL handshake. Default certificates created on ESXi use SHA-1 with RSA encryption as the signature algorithm.

• Use a dedicated network VLAN or firewall for the ESXi host management interfaces. This prevents the chance of unauthorized parties from gaining access to the network.