VMware creates Security Hardening Guides that provide prescriptive guidance about deploying and operating VMware products in a secure manner. For vSphere, this guide is called the vSphere Security Configuration Guide (formerly known as the Hardening Guide).

Presented in a spreadsheet format, the vSphere Security Configuration Guide enables you to view security guidelines easily, and describes how to apply them, either through the vSphere Client or command-line interfaces. In addition, the vSphere Security Configuration Guide includes script examples for enabling security automation. For more information, see the VMware Security Hardening Guides webpage at https://www.vmware.com/security/hardening-guides.html.

The vSphere Security Configuration Guide does not discuss securing the following items:
  • Software running inside the virtual machine, such as the Guest OS and applications
  • Traffic running through the virtual machine networks
  • Security of add-on products

The vSphere Security Configuration Guide is not meant to be used as a "compliance" tool. The vSphere Security Configuration Guide does enable you to take initial steps towards compliance, but used by itself, it does not ensure that your deployment is compliant. For more information about compliance, see Security Versus Compliance in the vSphere Environment.

Reading the vSphere Security Configuration Guide

The vSphere Security Configuration Guide is a spreadsheet that contains security-related guidelines to assist you with modifying your vSphere security configuration. These guidelines are organized into the following columns.

Table 1. vSphere Security Configuration Guide Spreadsheet Columns
Column Heading / Description

Guideline ID

A unique two-part ID to reference a security configuration or hardening recommendation. The first part indicates the component, defined as follows:

  • ESXi: ESXi hosts
  • VM: Virtual machines
  • vNetwork: Virtual switches

Description

A short explanation of the particular recommendation.

Vulnerability Discussion

Description of the vulnerability behind a particular recommendation.

Configuration Parameter

Provides the applicable configuration parameter or filename, if any.

Desired Value

The desired state or value of the recommendation. Possible values include:

  • N/A
  • Site Specific
  • False
  • True
  • Enabled
  • Disabled
  • Not present or False

Default Value

The default value set by vSphere.

Is desired value the default?

States if the security setting is the default product configuration.

Action Type

The type of action to take on the particular recommendation. Actions include:

  • Update
  • Audit Only
  • Modify
  • Add
  • Remove

Assessment using Web Client

Steps for checking on the value by using the Web Client.

Negative Functional Impact

Description, if any, of a potential negative impact from using the security recommendation.

Remediation using Web Client

Steps for setting (remediating) the value by using the Web Client.

vSphere API

Link to the applicable vSphere API documentation.

ESXi Shell Command Assessment

Steps for checking on the value by using the ESXi shell commands.

ESXi Shell Command Remediation

Steps for setting (remediating) the value by using the ESXi shell commands.

vCLI Command Assessment

Steps for checking on the value by using the vCLI commands.

vCLI Command Remediation

Steps for setting (remediating) the value by using the vCLI commands.

PowerCLI Command Assessment

Steps for checking on the value by using the PowerCLI commands.

PowerCLI Command Remediation

Steps for setting (remediating) the value by using the PowerCLI commands.

Able to set using Host Profile

Whether the setting can be accomplished by using Host Profiles (applies only to ESXi guidelines).

Reference

Link to documentation or other related information based on the recommendation.

DISA STIG ID

The reference ID for the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs).

Hardening

If TRUE, the guideline has exactly one compliant implementation. If FALSE, more than one configuration setting can satisfy the guideline, and the setting actually used is often site-specific.

Site Specific Setting

If TRUE, then the setting to be compliant with the guideline depends on rules or standards that are specific to that vSphere deployment.

Audit Setting

If TRUE, then the value of the listed setting might need to be modified to satisfy site-specific rules.

Note: These columns might change over time as required. For example, recent additions include the DISA STIG ID, Hardening, and Site Specific Setting columns. Check https://blogs.vmware.com for announcements about updates to the vSphere Security Configuration Guide.

Do not blindly apply guidelines in the vSphere Security Configuration Guide to your environment. Rather, take time to evaluate each setting, weigh its Negative Functional Impact column against the risk it addresses, and make an informed decision whether you want to apply it. At a minimum, you can use the instructions in the Assessment columns to verify the current state of your deployment without changing anything.
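The following PowerCLI script is an added example, not a script from the vSphere Security Configuration Guide or from VMware. It shows the assess-before-remediate workflow the Assessment and Remediation columns describe: each entry in $Guidelines mirrors the spreadsheet's Guideline ID, Configuration Parameter, Desired Value and Action Type columns, the script reports drift on every host, and it changes a setting only when -Remediate is passed and the guideline's Action Type is Update (never for Audit Only). The guideline IDs and desired values are constructed placeholders; take the real rows from the current spreadsheet for your vSphere version. The parameter names are real ESXi advanced settings, and the script assumes PowerCLI is installed and you are already connected with Connect-VIServer.

```powershell
# Added example: assessment-first drift check built from the guide's columns.
# Assumes an existing Connect-VIServer session. Guideline IDs and desired values
# below are constructed placeholders, not rows from the actual spreadsheet.
$Guidelines = @(
    @{ Id = 'EXAMPLE-1'; Parameter = 'UserVars.ESXiShellInteractiveTimeOut'; Desired = 900; ActionType = 'Update' },
    @{ Id = 'EXAMPLE-2'; Parameter = 'Security.AccountLockFailures';         Desired = 5;   ActionType = 'Audit Only' }
)

function Test-VSphereGuideline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [hashtable[]] $Guideline,
        [switch] $Remediate
    )
    foreach ($g in $Guideline) {
        # Assessment: read the advanced setting named in the Configuration Parameter column.
        $setting = Get-AdvancedSetting -Entity $VMHost -Name $g.Parameter -ErrorAction SilentlyContinue
        if (-not $setting) {
            [pscustomobject]@{ Host = $VMHost.Name; Id = $g.Id; Parameter = $g.Parameter
                               Actual = '<not present>'; Desired = $g.Desired; Status = 'Unknown' }
            continue
        }
        # Compare as strings so numeric and string-typed settings are handled alike.
        $compliant = ("$($setting.Value)" -eq "$($g.Desired)")
        $status = if ($compliant) { 'Compliant' } else { 'Drift' }

        # Remediation: only for guidelines marked Update, only when explicitly requested,
        # and only after ShouldProcess, so -WhatIf previews the change without applying it.
        if (-not $compliant -and $Remediate -and $g.ActionType -eq 'Update') {
            if ($PSCmdlet.ShouldProcess("$($VMHost.Name): $($g.Parameter)", "Set to $($g.Desired)")) {
                $setting | Set-AdvancedSetting -Value $g.Desired -Confirm:$false | Out-Null
                $status = 'Remediated'
            }
        }
        [pscustomobject]@{ Host = $VMHost.Name; Id = $g.Id; Parameter = $g.Parameter
                           Actual = $setting.Value; Desired = $g.Desired; Status = $status }
    }
}

# Assessment only (the default): report drift across every host, change nothing.
Get-VMHost | ForEach-Object { Test-VSphereGuideline -VMHost $_ -Guideline $Guidelines } | Format-Table -AutoSize

# Remediation pass: preview with -WhatIf first, then run again without it to apply.
# Get-VMHost | ForEach-Object { Test-VSphereGuideline -VMHost $_ -Guideline $Guidelines -Remediate -WhatIf }
```

Keeping the Action Type in the data rather than in the code is the point: an Audit Only row can never be changed by this script even if someone runs it with -Remediate, which matches how the guide distinguishes assessment from remediation.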

The vSphere Security Configuration Guide is an aid to begin implementing compliance in your deployment. When used with the Defense Information Systems Agency (DISA) STIGs and other compliance guidelines, the vSphere Security Configuration Guide enables you to map each vSphere security control to the requirement of the compliance framework that applies to it.