The ESXi hypervisor is secured out of the box. You can further protect ESXi hosts by using lockdown mode and other built-in features. If you set up a reference host and make changes to all hosts based on that host's host profiles, or if you perform scripted management, you further protect your environment by ensuring that changes apply to all hosts.

Use the following features, discussed in detail in this guide, to enhance protection of ESXi hosts that are managed by vCenter Server. See also the Security of the VMware vSphere Hypervisor white paper.

Limit ESXi Access

By default, the ESXi Shell and SSH services are not running and only the root user can log in to the Direct Console User Interface (DCUI). If you decide to enable ESXi Shell or SSH access, you can set timeouts to limit the risk of unauthorized access.

Users who can access the ESXi host must have permissions to manage the host. You set permissions on the host object from vCenter Server that manages the host.

Use Named Users and Least Privilege

Many tasks can be performed by the root user by default. Instead of allowing administrators to log in to the ESXi host using the root user account, you can apply different host configuration privileges to different named users from the vCenter Server permissions management interface. You can create custom roles, assign privileges to each role, and associate the role with a named user and an ESXi host object from the vSphere Web Client.

In a single host scenario, you manage users directly. See the vSphere Administration with the vSphere Client documentation.

Minimize the Number of Open ESXi Firewall Ports

By default, firewall ports on your ESXi host are opened only when you start a corresponding service. You can use the vSphere Web Client or ESXCLI or PowerCLI commands to check and manage firewall port status.

See ESXi Firewall Configuration.

Automate ESXi Host Management

Because it is often important that different hosts in the same data center are in sync, use scripted installation or vSphere Auto Deploy to provision hosts. You can manage the hosts using scripts. Host profiles are an alternative to scripted management. You set up a reference host, export the host profile, and apply the host profile to your host. You can apply the host profile directly or as part of provisioning with Auto Deploy.

See Use Scripts to Manage Host Configuration Settings, and see the vSphere Installation and Setup documentation for information about vSphere Auto Deploy.

Take Advantage of Lockdown Mode

In lockdown mode, ESXi hosts can be accessed only through vCenter Server by default. Starting with vSphere 6.0, you can select strict lockdown mode or normal lockdown mode, and you can define Exception Users to allow direct access to service accounts such as backup agents.

See Lockdown Mode.

Check VIB Package Integrity

Each VIB package has an associated acceptance level. You can add a VIB to an ESXi host only if the acceptance level is the same or better than the acceptance level of the host. You cannot add a CommunitySupported or PartnerSupported VIB to a host unless you explicitly change the host's acceptance level.

See Check the Acceptance Levels of Hosts and VIBs.
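
The acceptance-level comparison described above, as an added example that is not part of the original guide: a shell function that reads `esxcli software vib list` output and reports every VIB ranked below a required level. The order of the four levels follows VMware's documented ranking, which this page does not spell out, and the sample listing (names, versions, vendors, dates) is constructed.

```shell
#!/bin/sh
# Added example (not VMware's code): audit installed VIBs against a
# minimum acceptance level.

# vibs_below_level MIN_LEVEL < output-of-"esxcli software vib list"
# Prints "name level" for each VIB whose level ranks below MIN_LEVEL.
# A VIB with an unrecognized level is reported too, because it cannot be
# shown to meet the minimum. Exits with status 2 if MIN_LEVEL is unknown.
vibs_below_level() {
    awk -v min="$1" '
        BEGIN {
            # Strictest level has the highest rank.
            r["VMwareCertified"]    = 4
            r["VMwareAccepted"]     = 3
            r["PartnerSupported"]   = 2
            r["CommunitySupported"] = 1
            if (!(min in r)) {
                print "unknown level: " min > "/dev/stderr"
                exit 2
            }
        }
        NR <= 2 || NF < 4 { next }   # header, separator, short lines
        !($4 in r) || r[$4] < r[min] { print $1, $4 }
    '
}

# Constructed sample in the column layout of `esxcli software vib list`
# (Name, Version, Vendor, Acceptance Level, Install Date).
SAMPLE_VIB_LIST='Name          Version  Vendor     Acceptance Level    Install Date
------------  -------  ---------  ------------------  ------------
esx-base      6.0.0-0  VMware     VMwareCertified     2016-01-01
example-nic   1.0.0-1  ExampleCo  PartnerSupported    2016-01-02
example-tool  0.1-1    ExampleCo  CommunitySupported  2016-01-03'

# On a host, compare installed VIBs with the host's own level:
#   esxcli software vib list | \
#       vibs_below_level "$(esxcli software acceptance get)"
```

An empty result means every installed VIB meets the level you passed in.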

Manage ESXi Certificates

In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each ESXi host with a signed certificate that has VMCA as the root certificate authority by default. If company policy requires it, you can replace the existing certificates with certificates that are signed by a third-party CA.

See Certificate Management for ESXi Hosts.

Smart Card Authentication

Starting with vSphere 6.0, ESXi supports smart card authentication as an option instead of user name and password authentication.

See Configuring Smart Card Authentication for ESXi.

ESXi Account Lockout

Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console User Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of ten failed attempts is allowed before the account is locked. The account is unlocked after two minutes by default.

See ESXi Passwords and Account Lockout.

Security considerations for standalone hosts are similar, though the management tasks might differ. See the vSphere Administration with the vSphere Client documentation.