The ESXi hypervisor is secured out of the box. You can further protect ESXi hosts by using lockdown mode and other built-in features. For consistency, you can set up a reference host and keep all hosts in sync with the host profile of the reference host. You can also protect your environment by performing scripted management, which ensures that changes apply to all hosts.

You can enhance protection of ESXi hosts that are managed by vCenter Server with the following actions. See the Security of the VMware vSphere Hypervisor white paper for background and details.

Limit ESXi access

By default, the ESXi Shell and SSH services are not running and only the root user can log in to the Direct Console User Interface (DCUI). If you decide to enable ESXi or SSH access, you can set timeouts to limit the risk of unauthorized access.

Users who can access the ESXi host must have permissions to manage the host. You set permissions on the host object from the vCenter Server system that manages the host.

Use named users and least privilege

By default, the root user can perform many tasks. Do not allow administrators to log in to the ESXi host using the root user account. Instead, create named administrator users from vCenter Server and assign those users the Administrator role. You can also assign those users a custom role. See Create a Custom Role.

If you manage users directly on the host, role management options are limited. See the vSphere Single Host Management - VMware Host Client documentation.

Minimize the number of open ESXi firewall ports

By default, firewall ports on your ESXi host are opened only when you start a corresponding service. You can use the vSphere Web Client or ESXCLI or PowerCLI commands to check and manage firewall port status.

See ESXi Firewall Configuration.

Automate ESXi host management

Because it is often important that different hosts in the same data center are in sync, use scripted installation or vSphere Auto Deploy to provision hosts. You can manage the hosts using scripts. Host profiles are an alternative to scripted management. You set up a reference host, export the host profile, and apply the host profile to all hosts. You can apply the host profile directly or as part of provisioning with Auto Deploy.

See Use Scripts to Manage Host Configuration Settings and see the vSphere Installation and Setup documentation for information about vSphere Auto Deploy.

Take advantage of lockdown mode

In lockdown mode, ESXi hosts can be accessed only through vCenter Server by default. Starting with vSphere 6.0, you can select strict lockdown mode or normal lockdown mode. You can define Exception Users to allow direct access to service accounts such as backup agents.

See Lockdown Mode.

Check VIB package integrity

Each VIB package has an associated acceptance level. You can add a VIB to an ESXi host only if the VIB acceptance level is the same or better than the acceptance level of the host. You cannot add a CommunitySupported or PartnerSupported VIB to a host unless you explicitly change the host's acceptance level.

See Manage the Acceptance Levels of Hosts and VIBs.

Manage ESXi certificates

In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each ESXi host with a signed certificate that has VMCA as the root certificate authority by default. If company policy requires it, you can replace the existing certificates with certificates that are signed by a third-party or an enterprise CA.

See Certificate Management for ESXi Hosts

Consider Smart card authentication

Starting with vSphere 6.0, ESXi supports the use of smart card authentication instead of user name and password authentication. For additional security, you can configure smart card authentication. Two-factor authentication is also supported for vCenter Server.

See Configuring Smart Card Authentication for ESXi.

Consider ESXi account lockout

Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. By default, a maximum of 10 failed attempts is allowed before the account is locked. The account is unlocked after two minutes by default.

Note:

The Direct Console Interface (DCUI) and the ESXi Shell do not support account lockout.

See ESXi Passwords and Account Lockout.

Security considerations for standalone hosts are similar, though the management tasks might differ. See the vSphere Single Host Management - VMware Host Client documentation.