VMware creates Security Hardening Guides that provide prescriptive guidance about deploying and operating VMware products in a secure manner. For vSphere, this guide is called the vSphere Security Configuration Guide (formerly known as the Hardening Guide).

The vSphere Security Configuration Guide contains security best practices for vSphere. The vSphere Security Configuration Guide does not map directly to regulatory guidelines or frameworks, and so is not a compliance guide. Also, the vSphere Security Configuration Guide is not intended for use as a security checklist. Security is always a tradeoff. When you implement security controls, you might affect usability, performance, or other operational tasks negatively. Consider your workloads, usage patterns, organizational structure, and so on carefully before making security changes, whether the advice is from VMware or from other industry sources. If your organization is subject to regulatory compliance needs, see Security Versus Compliance in the vSphere Environment or visit https://core.vmware.com/compliance. This site features compliance kits and product audit guides to help vSphere administrators and regulatory auditors secure and attest virtual infrastructure for regulatory frameworks, such as NIST 800-53v4, NIST 800-171, PCI DSS, HIPAA, CJIS, ISO 27001, and more.

The vSphere Security Configuration Guide does not discuss securing the following items:
  • Software running inside the virtual machine, such as the Guest OS and applications
  • Traffic running through the virtual machine networks
  • Security of add-on products

The vSphere Security Configuration Guide is not meant to be used as a "compliance" tool. The vSphere Security Configuration Guide does enable you to take initial steps towards compliance, but used by itself, it does not ensure that your deployment is compliant. For more information about compliance, see Security Versus Compliance in the vSphere Environment.

Reading the vSphere Security Configuration Guide

The vSphere Security Configuration Guide is a spreadsheet that contains security-related guidelines to assist you with modifying your vSphere security configuration. These guidelines are grouped into tabs based on the affected components, with some or all of the following columns.

Table 1. vSphere Security Configuration Guide Spreadsheet Columns
Each entry below gives the column heading, followed by its description.

Guideline ID

A unique two-part ID to reference a security configuration or hardening recommendation. The first part indicates the component, defined as follows:

  • ESXi: ESXi hosts
  • VM: Virtual machines
  • vNetwork: Virtual switches

Description

A short explanation of the particular recommendation.

Discussion

Description of the vulnerability behind a particular recommendation.

Configuration Parameter

Provides the applicable configuration parameter or filename, if any.

Desired Value

The desired state or value of the recommendation. Possible values include:

  • N/A
  • Site Specific
  • False
  • True
  • Enabled
  • Disabled
  • Not present or False

Default Value

The default value set by vSphere.

Is desired value the default?

States whether the security setting is the default product configuration.

Action Needed

The type of action to take on the particular recommendation. Actions include:

  • Update
  • Audit Only
  • Modify
  • Add
  • Remove

Setting Location in the vSphere Client

Steps for checking on the value by using the vSphere Client.

Negative Functional Impact in Change From Default?

Description, if any, of a potential negative impact from using the security recommendation.

PowerCLI Command Assessment

Steps for checking on the value by using PowerCLI.

PowerCLI Command Remediation Example

Steps for setting (remediating) the value by using PowerCLI.

vCLI Command Remediation

Steps for setting (remediating) the value by using the vCLI commands.

PowerCLI Command Remediation

Steps for setting (remediating) the value by using the PowerCLI commands.

Able to set using Host Profile

Whether the setting can be accomplished by using Host Profiles (applies only to ESXi guidelines).

Hardening

If TRUE, then the guideline has only one compliant implementation. If FALSE, then you can satisfy the guideline by more than one configuration setting. The actual setting is often site-specific.

Site Specific Setting

If TRUE, then the setting to be compliant with the guideline depends on rules or standards that are specific to that vSphere deployment.

Audit Setting

If TRUE, then the value of the listed setting might need to be modified to satisfy site-specific rules.

Note: These columns might change over time as required. For example, recent additions include the DISA STIG ID, Hardening, and Site Specific Setting columns. Check https://blogs.vmware.com for announcements about updates to the vSphere Security Configuration Guide.

Do not blindly apply guidelines in the vSphere Security Configuration Guide to your environment. Rather, take time to evaluate each setting and make an informed decision whether you want to apply it. At a minimum, you can use the instructions in the Assessment columns to verify the security of your deployment.
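The following is an added example and is not part of the vSphere Security Configuration Guide or VMware's own tooling. It shows the audit-first workflow the Assessment and Remediation columns describe: a small table shaped like the spreadsheet (Guideline ID, Configuration Parameter, Desired Value, Action Needed) is compared against an ESXi host's advanced settings, and nothing is changed unless you opt in. The guideline rows, their IDs and desired values are constructed placeholders (the parameter names are real ESXi advanced settings, but the values are not taken from the guide), and the function names Test-GuidelineValue and Invoke-GuidelineAssessment are hypothetical. The live assessment assumes the VMware.PowerCLI module and an existing Connect-VIServer session.

```powershell
# Added example, not part of the VMware guide. Audit-only drift check modelled on the
# spreadsheet's Guideline ID / Configuration Parameter / Desired Value / Action Needed
# columns. The rows below are CONSTRUCTED placeholders: the parameter names are real ESXi
# advanced settings, but the IDs and desired values are illustrative, not the guide's.
$Guidelines = @(
    [pscustomobject]@{ Id = 'ESXi-EXAMPLE-001'; Parameter = 'Security.AccountLockFailures';            Desired = 5;      Action = 'Audit Only' }
    [pscustomobject]@{ Id = 'ESXi-EXAMPLE-002'; Parameter = 'UserVars.ESXiShellInteractiveTimeOut';    Desired = 600;    Action = 'Modify' }
    [pscustomobject]@{ Id = 'ESXi-EXAMPLE-003'; Parameter = 'Config.HostAgent.plugins.solo.enableMob'; Desired = $false; Action = 'Modify' }
)

# Pure comparison (hypothetical helper): both sides are normalised to lower-case strings so a
# $false in the table matches the "False" string stored on the host, and 600 matches "600".
function Test-GuidelineValue {
    param([pscustomobject]$Guideline, $Observed)
    $want = "$($Guideline.Desired)".Trim().ToLowerInvariant()
    $have = "$Observed".Trim().ToLowerInvariant()
    [pscustomobject]@{
        Id        = $Guideline.Id
        Parameter = $Guideline.Parameter
        Desired   = $Guideline.Desired
        Observed  = $Observed
        Compliant = ($want -eq $have)
        Action    = $Guideline.Action
    }
}

# Assessment against a live host (hypothetical helper). Requires a PowerCLI session.
# Remediation is opt-in, skips "Audit Only" rows, and honours -WhatIf, so a plain run
# only reports drift, which is the "Assessment" use the guide recommends as a minimum.
function Invoke-GuidelineAssessment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] $VMHost,
        [pscustomobject[]]$Guidelines = $script:Guidelines,
        [switch]$Remediate
    )
    foreach ($g in $Guidelines) {
        $setting = Get-AdvancedSetting -Entity $VMHost -Name $g.Parameter -ErrorAction SilentlyContinue
        # A missing setting is itself an observation; some Desired Values are "Not present".
        $observed = if ($setting) { $setting.Value } else { 'Not present' }
        $result = Test-GuidelineValue -Guideline $g -Observed $observed

        if ($Remediate -and $setting -and -not $result.Compliant -and $g.Action -ne 'Audit Only') {
            $target = "$($VMHost.Name): $($g.Parameter)"
            if ($PSCmdlet.ShouldProcess($target, "Set to $($g.Desired)")) {
                Set-AdvancedSetting -AdvancedSetting $setting -Value $g.Desired -Confirm:$false | Out-Null
                # Re-read rather than assume: report what the host actually holds afterwards.
                $after = (Get-AdvancedSetting -Entity $VMHost -Name $g.Parameter).Value
                $result = Test-GuidelineValue -Guideline $g -Observed $after
            }
        }
        $result
    }
}

# Offline check of the comparison logic with CONSTRUCTED observations (no vCenter needed).
# Expected: 001 compliant, 002 and 003 not compliant.
$sampleObserved = @{
    'Security.AccountLockFailures'            = '5'
    'UserVars.ESXiShellInteractiveTimeOut'    = '0'
    'Config.HostAgent.plugins.solo.enableMob' = 'True'
}
$Guidelines |
    ForEach-Object { Test-GuidelineValue -Guideline $_ -Observed $sampleObserved[$_.Parameter] } |
    Format-Table Id, Parameter, Desired, Observed, Compliant, Action -AutoSize

# Live usage once connected (assumed session):
#   Get-VMHost | ForEach-Object { Invoke-GuidelineAssessment -VMHost $_ }            # report only
#   Invoke-GuidelineAssessment -VMHost (Get-VMHost 'esx01.example.invalid') -Remediate -WhatIf
```

The split between a pure comparison function and the PowerCLI calls is deliberate: the comparison can be exercised offline against the spreadsheet before any host is touched, and the remediation path is gated three ways (the -Remediate switch, the Action Needed column, and -WhatIf), which mirrors the guide's advice to assess first and apply settings only after an informed decision.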

The vSphere Security Configuration Guide is an aid to begin implementing compliance in your deployment. When used with the Defense Information Systems Agency (DISA) and other compliance guidelines, the vSphere Security Configuration Guide enables you to map vSphere security controls to the requirements of each compliance framework.