vSphere Security provides information about securing your vSphere® environment for VMware® vCenter® Server and VMware ESXi.

At VMware, we value inclusion. To foster this principle within our customer, partner, and internal community, we have updated this guide to remove instances of non-inclusive language.

To help you protect your vSphere environment, this documentation describes available security features and the measures that you can take to safeguard your environment from attack.

Table 1. vSphere Security Highlights

Topics / Content Highlights

Permissions and User Management
  • Permissions model (roles, groups, objects).
  • Creating custom roles.
  • Setting permissions.
  • Managing global permissions.

Host Security Features
  • Lockdown mode and other security profile features.
  • Host smart card authentication.
  • vSphere Authentication Proxy.
  • UEFI Secure Boot.
  • Trusted Platform Module (TPM).
  • VMware® vSphere Trust Authority™.

Virtual Machine Encryption
  • How does VM encryption work?
  • KMS setup.
  • Encrypting and decrypting VMs.
  • Troubleshooting and best practices.

Guest OS Security
  • Virtual Trusted Platform Module (vTPM).
  • Virtualization Based Security (VBS).

Managing TLS Protocol Configuration
  Changing TLS protocol configuration using a command-line utility.

Security Best Practices and Hardening
  Best practices and advice from VMware security experts.
  • vCenter Server security
  • Host security
  • Virtual machine security
  • Networking security

vSphere Privileges
  Complete listing of all vSphere privileges supported in this release.

Related Documentation

A companion document, vSphere Authentication, explains how you can use authentication services, for example, to manage authentication with vCenter Single Sign-On and to manage certificates in your vSphere environment.

In addition to these documents, VMware publishes the vSphere Security Configuration Guide (formerly known as the Hardening Guide) for each release of vSphere, accessible at http://www.vmware.com/security/hardening-guides.html. The vSphere Security Configuration Guide contains guidelines on security settings that can or should be set by the customer, and security settings delivered by VMware that should be audited by the customer to ensure that they are still set to default.

What Happened to the Platform Services Controller

Beginning in vSphere 7.0, deploying a new vCenter Server or upgrading to vCenter Server 7.0 requires the use of the vCenter Server appliance, a preconfigured virtual machine optimized for running vCenter Server. The new vCenter Server contains all Platform Services Controller services, preserving their functionality and workflows, including authentication, certificate management, tags, and licensing. It is neither necessary nor possible to deploy and use an external Platform Services Controller. All Platform Services Controller services are consolidated into vCenter Server, which simplifies deployment and administration.

As these services are now part of vCenter Server, they are no longer described as a part of Platform Services Controller. In vSphere 7.0, the vSphere Authentication publication replaces the Platform Services Controller Administration publication. The new publication contains complete information about authentication and certificate management. For information about upgrading or migrating from vSphere 6.5 and 6.7 deployments using an existing external Platform Services Controller to vSphere 7.0 using vCenter Server appliance, see the vSphere Upgrade documentation.

Intended Audience

This information is for experienced system administrators who are familiar with virtual machine technology and data center operations.

Certifications

VMware publishes a public list of VMware products that have completed Common Criteria certifications. To check if a particular VMware product version has been certified, see the Common Criteria Evaluation and Validation webpage at https://www.vmware.com/security/certifications/common-criteria.html.

Support for Federal Information Processing Standard 140-2

Starting with version 6.7, vCenter Server supports the Federal Information Processing Standard (FIPS) 140-2.

FIPS 140-2 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules. By default, FIPS 140-2 is always enabled after installation or upgrade of vCenter Server 6.7 or greater, and ESXi 6.7 or greater.

To learn more about support for FIPS 140-2 in VMware products, see https://www.vmware.com/security/certifications/fips.html.