Securing vCenter Server includes ensuring the security of the host where vCenter Server is running, following best practices for assigning privileges and roles, and verifying the integrity of the clients that connect to vCenter Server.

vCenter Server Security Best Practices
Following vCenter Server security best practices helps you ensure the integrity of your vSphere environment.

Verify Thumbprints for Legacy ESXi Hosts
In vSphere 6 and later, hosts are assigned VMCA certificates by default. If you change the certificate mode to thumbprint, you can continue to use thumbprint mode for legacy hosts. You can verify the thumbprints in the vSphere Web Client.

Verify that SSL Certificate Validation Over Network File Copy Is Enabled
Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. Starting with vSphere 5.5, ESXi uses NFC for operations such as copying and moving data between datastores by default, but you might have to enable it if it is disabled.

Required Ports for vCenter Server and Platform Services Controller
The vCenter Server system, both on Windows and in the appliance, must be able to send data to every managed host and receive data from the vSphere Web Client and the Platform Services Controller services. To enable migration and provisioning activities between managed hosts, the source and destination hosts must be able to receive data from each other.

Additional vCenter Server TCP and UDP Ports
vCenter Server is accessed through predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports.