Strictly control vCenter Server administrator privileges to increase security for the system.
Full administrative rights to vCenter Server should be removed from the local Windows administrator account and granted to a special-purpose local vCenter Server administrator account. Grant full vSphere administrative rights only to those administrators who are required to have it. Do not grant this privilege to any group whose membership is not strictly controlled.
Avoid allowing users to log in directly to the vCenter Server system. Allow only those users who have legitimate tasks to perform to log into the system and ensure that these events are audited.
Install vCenter Server using a service account instead of a Windows account. You can use a service account or a Windows account to run vCenter Server. Using a service account allows you to enable Windows authentication for SQL Server, which provides more security. The service account must be an administrator on the local machine.
Check for privilege reassignment when you restart vCenter Server. If the user or user group that is assigned the Administrator role on the root folder of the server cannot be verified as a valid user or group, the Administrator privileges are removed and assigned to the local Windows Administrators group.
Grant minimal privileges to the vCenter Server database user. The database user requires only certain privileges specific to database access. In addition, some privileges are required only for installation and upgrade. These can be removed after the product is installed or upgraded.