You must follow multiple best practices at all times when you operate your vCenter Server for the management domain.

Table 1. vCenter Server

Best Practice
Assign correct roles to vCenter Server users.

Users and service accounts must be assigned only the privileges they require. The least privilege principle requires that privileges be granted only when needed, to reduce the risk of loss of confidentiality, availability, or integrity.

Use unique service accounts for applications that connect to vCenter Server.

Create a separate service account for each application that connects to vCenter Server, and grant it only the permissions the application requires to run.

Restrict the use of the built-in single sign-on Administrator account.

Use the administrator@vsphere.local account only for emergencies and situations where no other option exists. The built-in single sign-on account must not be used for daily operations. Set up a policy that restricts the use of the account.

vCenter Server must restrict access to cryptographic permissions.

These permissions must be reserved for cryptographic administrators where VM encryption and/or vSAN encryption is in use. Catastrophic data loss can result from poorly administered cryptography. Only the Administrator and any site-specific cryptographic group must have the following permissions:

  • Cryptographic Operations privileges

  • Global.Diagnostics

  • Host.Inventory.Add host to cluster

  • Host.Inventory.Add standalone host

  • Host.Local operations.Manage user groups
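Added example (not VMware's code and not from this page): a Python check of the rule above that flags any principal outside the Administrator and site cryptographic groups whose role carries Cryptographer.* or one of the four listed privileges. The privilege IDs are the vSphere API names for the list items; the roles and permission entries are constructed sample data standing in for what AuthorizationManager would return from a live vCenter.

```python
"""Offline audit of the cryptographic-privilege rule (added example)."""
from dataclasses import dataclass

# vSphere API privilege IDs for the listed items; the "Cryptographic
# Operations" item is the whole Cryptographer.* group.
RESTRICTED_PREFIXES = ("Cryptographer.",)
RESTRICTED_PRIVILEGES = {"Global.Diagnostics", "Host.Inventory.AddHostToCluster",
                         "Host.Inventory.AddStandaloneHost", "Host.Local.ManageUserGroups"}

@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset  # privilege IDs granted by this role

def restricted_privileges(role):
    """Return the role's privileges that are reserved for crypto administrators."""
    return {p for p in role.privileges
            if p in RESTRICTED_PRIVILEGES or p.startswith(RESTRICTED_PREFIXES)}

def audit_permissions(roles, permissions, allowed_principals):
    """Map each principal outside allowed_principals to the roles it holds that
    carry restricted privileges: {principal: {role_name: [privileges]}}."""
    by_name = {r.name: r for r in roles}
    findings = {}
    for principal, role_name in permissions:
        if principal in allowed_principals:
            continue
        hit = restricted_privileges(by_name[role_name])
        if hit:
            findings.setdefault(principal, {})[role_name] = sorted(hit)
    return findings

# Constructed sample data shaped like AuthorizationManager role and permission
# entries (principal, role name); not taken from a real vCenter.
SAMPLE_ROLES = [
    Role("Admin", frozenset({"Cryptographer.Access", "Cryptographer.ManageKeys",
                             "Global.Diagnostics", "Host.Local.ManageUserGroups"})),
    Role("CryptoAdmins", frozenset({"Cryptographer.Access", "Cryptographer.Encrypt"})),
    Role("BackupSvc", frozenset({"VirtualMachine.Provisioning.DiskRandomRead",
                                 "Cryptographer.Access", "Global.Diagnostics"})),
    Role("VMOperators", frozenset({"VirtualMachine.Interact.PowerOn"})),
]
SAMPLE_PERMISSIONS = [
    ("VSPHERE.LOCAL\\Administrators", "Admin"),
    ("EXAMPLE\\crypto-admins", "CryptoAdmins"),
    ("EXAMPLE\\svc-backup", "BackupSvc"),  # service account holding crypto rights
    ("EXAMPLE\\vm-operators", "VMOperators"),
]
ALLOWED = {"VSPHERE.LOCAL\\Administrators", "EXAMPLE\\crypto-admins"}
```

Running audit_permissions(SAMPLE_ROLES, SAMPLE_PERMISSIONS, ALLOWED) reports only the backup service account, which holds Cryptographer.Access and Global.Diagnostics without being in an allowed group.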

Use templates to deploy virtual machines.

Use templates that contain a hardened, patched, and properly configured operating system to create other, application-specific templates. You can then use the application template to deploy virtual machines.

The vCenter Server must use LDAPS when adding an SSO identity source.

To protect the confidentiality of LDAP communications, secure LDAP (LDAPS) must be explicitly configured when adding an LDAP identity source in vSphere SSO. When an identity source is configured with an SSL certificate supplied, vCenter Server enforces LDAPS.

The vCenter Server must implement Active Directory authentication.

The vCenter Server must ensure users are authenticated with an individual authenticator prior to using a group authenticator. Using Active Directory for authentication provides more robust account management capabilities.

The vCenter Server must use a limited privilege account when adding an LDAP identity source.

When adding an LDAP identity source to vSphere SSO, the account used to bind to AD must be minimally privileged. This account requires only read rights to the specified base DN. Any other permissions inside or outside of that OU are unnecessary and violate least privilege.