Securing vCenter Server
vCenter Server, like any other part of the configuration, must also be secured. Securing vCenter Server covers a variety of different areas. Generally, consider the following:
Full administrative rights to vCenter Server should be removed from the local Windows administrator account and granted to a special-purpose local vCenter Server administrator account.
Grant full vSphere administrative rights only to those administrators who are required to have it. Do not grant this privilege to any group whose membership is not strictly controlled.
Avoid allowing users to log in directly to the vCenter Server system. Allow only those users who have legitimate tasks to perform to log in to the system, and confirm that these events are audited.
Install vCenter Server using a service account instead of the local Windows system account. Using a service account allows you to enable Windows authentication for SQL Server, which provides more security. The service account must be an administrator on the local machine and have the "Log on as a service" right.
Grant minimal privileges to the vCenter Server database user. The database user requires only certain privileges specific to database access. In addition, some privileges are required only for installation and upgrade. These can be removed after the product is installed or upgraded.
Connect both vCenter and the ESXi hosts to a directory service. Once complete, users and groups in the directory service should be created to simplify user and group management and to present a consistent user and group view to any interface managing the environment.
Apply the principle of least privilege to users who have access to vCenter Server. This has the following benefits:
Enhances security by reducing the attack surface.
Simplifies vCenter Server administration.
Do not add Windows special identity groups (such as Everyone) to vCenter Server roles. Create specific Windows groups for specific vSphere management tasks and assign permission only to the appropriate users.
Membership of special identity groups is calculated automatically by Windows and is not static.
Not using these groups reduces unplanned access issues.
Create a specific Windows group for vCenter Server system administration and verify that generic groups, such as the Windows Administrators group, do not have permissions in vCenter. This reduces the risk of Windows administrators who are not trained in vSphere operations gaining privileged access to the vCenter Server system.
Configure additional administrators in vCenter Single Sign-On users and groups as appropriate, so that multiple administrators can access the system in case an account is locked out.
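One way to check the group-related recommendations above, as an added example that is not part of the original page or any VMware tooling. It assumes permission entries shaped like the output of PowerCLI's Get-VIPermission (Principal, Role, IsGroup, Entity); the function name, the approved-group parameter, the 'Admin' role name default and the CORP sample principals are assumptions made for illustration.

```powershell
# Audit vCenter permission entries for risky Windows principals.
# Input objects need Principal, Role, IsGroup and Entity properties.
function Find-RiskyVIPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Permission,
        # Groups approved to hold the full administrator role (site-specific assumption).
        [string[]]$ApprovedAdminGroup = @(),
        # Name of the full administrator role (assumed default; check your role names).
        [string]$AdminRole = 'Admin'
    )
    begin {
        # Windows special identities: membership is calculated by Windows, not managed.
        $special = 'Everyone', 'Authenticated Users', 'INTERACTIVE', 'NETWORK', 'ANONYMOUS LOGON'
        # Generic built-in groups that should not hold vCenter permissions.
        $generic = 'Administrators', 'Users'
    }
    process {
        # Drop any DOMAIN\ or BUILTIN\ prefix before comparing group names.
        $name = ($Permission.Principal -split '\\')[-1]
        $reason = if ($special -contains $name) {
            'Special identity group: membership is calculated by Windows'
        } elseif ($generic -contains $name) {
            'Generic Windows group holds a vCenter permission'
        } elseif ($Permission.Role -eq $AdminRole -and $Permission.IsGroup -and
                  $ApprovedAdminGroup -notcontains $Permission.Principal) {
            'Full administrator role granted to a group outside the approved list'
        }
        if ($reason) {
            [pscustomobject]@{
                Principal = $Permission.Principal
                Role      = $Permission.Role
                Entity    = "$($Permission.Entity)"
                Finding   = $reason
            }
        }
    }
}

# Constructed sample entries (not from a real system); in live use, pipe Get-VIPermission instead.
$sample = @(
    [pscustomobject]@{ Principal = 'Everyone';               Role = 'ReadOnly'; IsGroup = $true; Entity = 'Datacenters' }
    [pscustomobject]@{ Principal = 'BUILTIN\Administrators'; Role = 'Admin';    IsGroup = $true; Entity = 'Datacenters' }
    [pscustomobject]@{ Principal = 'CORP\Helpdesk';          Role = 'Admin';    IsGroup = $true; Entity = 'Cluster01' }
    [pscustomobject]@{ Principal = 'CORP\vSphere-Admins';    Role = 'Admin';    IsGroup = $true; Entity = 'Datacenters' }
)
$sample | Find-RiskyVIPermission -ApprovedAdminGroup 'CORP\vSphere-Admins' | Format-Table -AutoSize
```

With the sample data, the first three entries are reported and the approved CORP\vSphere-Admins group is not.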