You design host access controls and certificate management for ESXi according to industry standards and the requirements of your organization.

Host Access

After installation, you add ESXi hosts to a vCenter Server system for host management.

Direct access to the host console is still available and most commonly used for troubleshooting purposes. You can access ESXi hosts directly by using one of these four methods.

Table 1. Accessing ESXi Hosts

| Method for ESXi Host Access | Description |
|---|---|
| Direct Console User Interface (DCUI) | Graphical interface on the console. Provides basic administrative controls and troubleshooting options. |
| ESXi Shell | A Linux-style bash login to the ESXi console itself. |
| Secure Shell (SSH) Access | Remote command-line console access. |
| VMware Host Client | HTML5-based client that has a similar interface to the vSphere Client but for managing individual ESXi hosts only. You use the VMware Host Client for emergency management when vCenter Server is temporarily unavailable. |

You can enable or disable each method. By default, the ESXi Shell is disabled to protect the ESXi host. The Direct Console User Interface is disabled if Strict Lockdown Mode is enabled.

Table 2. Design Decisions on ESXi Host Access

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-ESX-SEC-001 | Configure the SSH service policy to Start and stop with host across all ESXi hosts in the management domain. | Ensures that the SSH service starts when an ESXi host reboots, so that access from SDDC Manager is maintained. | Might be in direct conflict with your corporate security policy. |
| VCF-MGMT-ESX-SEC-002 | Set the advanced setting UserVars.SuppressShellWarning to 1 across all ESXi hosts in the management domain. | Ensures that only critical messages appear in the VMware Host Client and vSphere Client by suppressing the warning message about enabled local and remote shell access. | Might be in direct conflict with your corporate security policy. |

User Access

By default, you can log in to an ESXi host only by using the root account. To have more accounts that can access the ESXi hosts in the management domain, you can add the hosts to an Active Directory domain. After the ESXi host is added to an Active Directory domain, you can grant access by using Active Directory groups. Auditing logins to the ESXi hosts becomes easier too.

For more information on identity and access management, see Identity and Access Management for VMware Cloud Foundation.

Password Management and Account Lockout Behavior

ESXi enforces password requirements for access from the Direct Console User Interface, the ESXi Shell, SSH, or the VMware Host Client. By default, when you create a password, you must include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash. By default, the required password length is between 7 and 40 characters. Passwords cannot contain a dictionary word or part of a dictionary word.

Account locking is supported for access by using SSH and the vSphere Web Services SDK. By default, a maximum of five failed attempts is allowed before the account is locked. The account is unlocked after 15 minutes by default. The Direct Console Interface and the ESXi Shell do not support account lockout.

VMware Cloud Foundation applies the default password policy for ESXi. For more on configuring a password policy according to security best practices, see Identity and Access Management for VMware Cloud Foundation.

Certificate Management

To establish a secure connection with VMware Cloud Builder and prevent man-in-the-middle (MiTM) attacks, the Common Name (CN) attribute of the certificate of each ESXi host must be set to the FQDN of the host.

By default, ESXi hosts are deployed with a self-signed certificate whose Common Name (CN) attribute is set to localhost.localdomain. As a result, after you assign an FQDN to each ESXi host in the domain, you must regenerate the host certificate.

Table 3. Design Decisions on Certificate Management for the ESXi Hosts

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-ESX-SEC-003 | Regenerate the certificate of each ESXi host after assigning the host an FQDN. | Establishes a secure connection with VMware Cloud Builder during the deployment of the management domain and prevents man-in-the-middle (MiTM) attacks. | You must manually regenerate the certificates of the ESXi hosts before the deployment of the management domain. |
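
The following is an added example, not part of the original documentation or any VMware tooling: a pre-deployment audit that checks collected host records against the three design decisions above, including whether each certificate CN still carries the default value or fails to match the host FQDN. The record field names and sample hosts are hypothetical and constructed for illustration; `ssh_policy` is assumed to hold the vSphere API service policy value and `cert_subject` the output of `openssl x509 -noout -subject`.

```python
import re

DEFAULT_CN = "localhost.localdomain"  # CN of the default self-signed ESXi certificate

def subject_cn(subject_line):
    """Extract the CN from `openssl x509 -noout -subject` output (both layouts)."""
    text = re.sub(r"^subject\s*=\s*", "", subject_line.strip())
    match = re.search(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)", text)
    return match.group(1).strip() if match else None

def audit_host(host):
    """Return (decision ID, reason) pairs for every deviation in one host record."""
    findings = []
    # Assumption: the record holds the vSphere API policy value, where "on"
    # corresponds to "Start and stop with host".
    if host["ssh_policy"] != "on":
        findings.append(("VCF-MGMT-ESX-SEC-001", "SSH does not start with the host"))
    if host["suppress_shell_warning"] != 1:
        findings.append(("VCF-MGMT-ESX-SEC-002", "UserVars.SuppressShellWarning is not 1"))
    cn = subject_cn(host["cert_subject"])
    fqdn = host["fqdn"].lower().rstrip(".")
    if cn is None or cn.lower() == DEFAULT_CN:
        findings.append(("VCF-MGMT-ESX-SEC-003", "CN is missing or still the default"))
    elif cn.lower().rstrip(".") != fqdn:
        findings.append(("VCF-MGMT-ESX-SEC-003", f"CN {cn} does not match {fqdn}"))
    return findings

# Constructed sample records (hypothetical field names and host names).
HOSTS = [
    {"fqdn": "esx01.example.internal", "ssh_policy": "on",
     "suppress_shell_warning": 1,
     "cert_subject": "subject=C = US, O = Example, CN = esx01.example.internal"},
    {"fqdn": "esx02.example.internal", "ssh_policy": "off",
     "suppress_shell_warning": 0,
     "cert_subject": "subject= /C=US/O=Example/CN=localhost.localdomain"},
    {"fqdn": "esx03.example.internal", "ssh_policy": "on",
     "suppress_shell_warning": 1,
     "cert_subject": "subject=CN = esx04.example.internal"},
]

if __name__ == "__main__":
    for host in HOSTS:
        for decision, reason in audit_host(host):
            print(f"{host['fqdn']}: {decision}: {reason}")
```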