Strictly control access to different vCenter Server components to increase security for the system.
The following guidelines help ensure security of your environment.
Use Named Accounts
If the local Windows administrator account currently has full administrative rights to vCenter Server, remove those access rights and grant those rights to one or more named vCenter Server administrator accounts. Grant full administrative rights only to those administrators who are required to have it. Do not grant this privilege to any group whose membership is not strictly controlled.Note:
Starting with vSphere 6.0, the local administrator no longer has full administrative rights to vCenter Server by default. Using local operating system users is not recommended.
Install vCenter Server using a service account instead of a Windows account. The service account must be an administrator on the local machine.
Make sure that applications use unique service accounts when connecting to a vCenter Server system.
Avoid allowing users to log directly in to the vCenter Server host machine. Users who are logged in to the vCenter Server can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes. They also have potential access to vCenter credentials, such as the SSL certificate. Allow only those users who have legitimate tasks to perform to log in to the system and ensure that login events are audited.
Monitor Privileges of vCenter Server Administrator Users
Not all administrator users must have the Administrator role. Instead, create a custom role with the appropriate set of privileges and assign it to other administrators.
Users with the vCenter Server Administrator role have privileges on all objects in the hierarchy. For example, by default the Administrator role allows users to interact with files and programs inside a virtual machine's guest operating system. Assigning that role to too many users can lessen virtual machine data confidentiality, availability, or integrity. Create a role that gives the administrators the privileges they need, but remove some of the virtual machine management privileges.
Grant Minimal Privileges to vCenter Server Database Users
The database user requires only certain privileges specific to database access. In addition, some privileges are required only for installation and upgrade. These privileges can be removed after the product is installed or upgraded.
Restrict Datastore Browser Access
The datastore browser functionality allows users with proper privileges to view, upload, or download files on datastores associated with the vSphere deployment through the Web browser or the vSphere Web Client. Assign theprivilege only to users or groups who really need those privileges.
Restrict Users from Running Commands in a Virtual Machine
By default, a user with vCenter Server Administrator role can interact with files and programs within a virtual machine's guest operating system. To reduce the risk of breaching guest confidentiality, availability, or integrity, create a nonguest access role without the Guest Operations privilege. See Restrict Users from Running Commands Within a Virtual Machine.
Verify Password Policy for vpxuser
By default, vCenter Server changes the vpxuser password automatically every 30 days. Ensure that this setting meets your policies, or configure the policy to meet your company's password aging policies. See Set the vCenter Server Password Policy.
Make sure that password aging policy is not too short.
Check Privileges after vCenter Server Restart
Check for privilege reassignment when you restart vCenter Server. If the user or user group that is assigned the Administrator role on the root folder cannot be verified as a valid user or group during a restart, the role is removed from that user or group. In its place, vCenter Server grants the Administrator role to the vCenter Single Sign-On account email@example.com. This account can then act as the administrator.
Reestablish a named administrator account and assign the Administrator role to that account to avoid using the anonymous firstname.lastname@example.org account.
Use High RDP Encryption Levels
On each Windows computer in the infrastructure, ensure that Remote Desktop Host Configuration settings are set to ensure the highest level of encryption appropriate for your environment.
Verify vSphere Web Client Certificates
Instruct users of one of thevSphere Web Client or other client applications to never ignore certificate verification warnings. Without certificate verification, the user might be subject of a MiTM attack.