You must follow multiple best practices at all times when you operate your ESXi hosts.

Table 1. Security Best Practices for Securing ESXi Hosts

Each entry lists the best practice, its control ID, and a description.

Best Practice: Add only system accounts to the ESXi exception users list.
Control ID: VMW-ESXI-00125
Description: You can add users to the exception users list from the vSphere Client. These user accounts do not lose their permissions when the host enters lockdown mode. Only add service accounts such as backup agents. Do not add administrative users or user groups to the exception users list.

Best Practice: Install security patches and updates for ESXi hosts.
Control ID: VMW-ESXI-00129
Description: Install all security patches and updates on the ESXi hosts as soon as the update bundles are available in SDDC Manager.

Do not apply patches to ESXi manually or by using vSphere Update Manager or VMware vCenter Lifecycle Manager in a VMware Cloud Foundation environment unless directed to do so by support. Patching the environment without using SDDC Manager not only leads to a less secure environment, but may also cause issues with automated upgrades or actions in the future.

Best Practice: Do not provide root or administrator level access to CIM-based hardware monitoring tools or other third-party applications.
Control ID: VMW-ESXI-01106
Description: The CIM system provides an interface that activates hardware-level management from remote applications through a set of standard APIs. Create a limited-privilege, read-only service account for CIM and place this user in the Exception Users list. If CIM write access is required, create a new role with only the Host.CIM.Interaction permission and apply that role to your CIM service account.

Best Practice: The ESXi host must use approved certificates.
Control ID: VMW-ESXI-01113
Description: The default self-signed, VMCA-issued host certificate must be replaced with a certificate from a trusted Certificate Authority (CA).

Best Practice: Ensure that a TPM 2.0 is installed and activated on the host.
Control ID: VMW-ESXI-01129
Description: ESXi can use Trusted Platform Modules (TPM) to activate advanced security features that prevent malware, remove dependencies, and secure hardware life cycle operations. We recommend all servers be configured with a TPM 2.0 and the TPM be activated in the system firmware.

Note: Activating TPM functionality deactivates Quick Boot, making patch cycles longer but forcing the system to go through the process of attestation to help prevent malware loading at boot.

Best Practice: Ensure that the hardware firmware is up to date.
Control ID: VMW-ESXI-01130
Description: Hardware firmware can be affected by serious issues related to confidentiality, integrity, or availability. Ensure that the latest firmware updates are applied to all components of your systems. Compare hardware firmware versions to the latest available versions on the vendor support web sites.

Note: Always read release notes. Test and deploy by using staged rollouts.

Best Practice: Ensure hardware management controller interfaces are isolated on their own network segments and protected with perimeter access controls.
Control ID: VMW-ESXI-01131
Description: Ensure that all out-of-band hardware management interfaces are on a network segment (VLAN, etc.) dedicated only to hardware management, free of workloads and unrelated systems, and controlled with perimeter security controls, such that only authorized vSphere Administrators can access those interfaces from authorized workstations.

Best Practice: Audit use of server hardware out-of-band management network interfaces.
Control ID: VMW-ESXI-01132
Description: Some hardware management controllers have the ability to present virtual network interfaces to ESXi as a management interface. These approaches create access backdoors and can be used by adversaries to circumvent network-based/perimeter firewalls and IDS/IPS tools, as well as gain access to system consoles. Only activate this and other hardware management functionality and tools if there is a clear return on investment of time and effort in maintaining and securing these tools.
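The following PowerCLI audit script is an added example, not part of the VMware documentation, that checks two of the controls above across every host in a vCenter inventory: VMW-ESXI-00125 (only approved service accounts in the exception users list) and VMW-ESXI-01129 (a TPM 2.0 reported by the host). It assumes PowerCLI is installed, that Connect-VIServer has already been run, and that the allowlist of service account names is a placeholder you replace with your own; the Capability.TpmVersion value format ("2.0") is an assumption to verify against your vSphere API version.

```powershell
# Placeholder allowlist of service accounts permitted in the exception users list.
$ApprovedExceptionUsers = @('svc-backup', 'svc-cim-ro')

function Get-EsxiHardeningReport {
    param([string[]]$ApprovedUsers = $ApprovedExceptionUsers)

    foreach ($vmhost in Get-VMHost) {
        $hostView  = $vmhost.ExtensionData
        # HostAccessManager exposes lockdown mode and the lockdown exception users.
        $accessMgr = Get-View -Id $hostView.ConfigManager.HostAccessManager

        # VMW-ESXI-00125: accounts that keep their permissions in lockdown mode.
        $exceptions = @($accessMgr.QueryLockdownExceptions())
        $unapproved = @($exceptions | Where-Object { $ApprovedUsers -notcontains $_ })

        # VMW-ESXI-01129: TPM presence and version as reported by the host capability.
        $tpmSupported = [bool]$hostView.Capability.TpmSupported
        $tpmVersion   = $hostView.Capability.TpmVersion   # assumed to read "2.0" for a TPM 2.0

        [pscustomobject]@{
            Host            = $vmhost.Name
            LockdownMode    = $accessMgr.LockdownMode
            ExceptionUsers  = ($exceptions -join ',')
            UnapprovedUsers = ($unapproved -join ',')
            TpmSupported    = $tpmSupported
            TpmVersion      = $tpmVersion
            Compliant       = ($unapproved.Count -eq 0) -and $tpmSupported -and ($tpmVersion -eq '2.0')
        }
    }
}

# Run the audit and list hosts that fail either control first.
Get-EsxiHardeningReport | Sort-Object Compliant | Format-Table -AutoSize
```

Any host listed with a non-empty UnapprovedUsers column is a candidate for removal of administrative accounts from the exception list; a host with TpmSupported set to False or a TpmVersion other than 2.0 needs the TPM activated in the system firmware before attestation can be relied on.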