Securing vCenter Server includes ensuring security of the host where vCenter Server is running, following best practices for assigning privileges and roles, and verifying the integrity of the clients that connect to vCenter Server.
vCenter Server Security Best Practices
Following vCenter Server security best practices helps you ensure the integrity of your vSphere environment.

Verify Thumbprints for Legacy ESXi Hosts
In vSphere 6 and later, hosts are assigned VMCA certificates by default. If you change the certificate mode to thumbprint, you can continue to use thumbprint mode for legacy hosts. You can verify the thumbprints in the vSphere Web Client.

Verify that SSL Certificate Validation Over Network File Copy Is Enabled
Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. Starting with vSphere 5.5, ESXi uses NFC by default for operations such as copying and moving data between datastores, but you might have to enable it if it is disabled.

vCenter Server TCP and UDP Ports
vCenter Server is accessed through predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports.

Control CIM-Based Hardware Monitoring Tool Access
The Common Information Model (CIM) system provides an interface that enables hardware-level management from remote applications using a set of standard APIs. To ensure that the CIM interface is secure, provide only the minimum access necessary to these applications. If an application has been provisioned with a root or full administrator account and the application is compromised, the entire virtual environment might be compromised.