Follow all best practices for securing a vCenter Server system. Additional steps help you make your vCenter Server more secure.

Configure Precision Time Protocol or Network Time Protocol

Ensure that all systems use the same relative time source. This time source must be in sync with an agreed-upon time standard such as Coordinated Universal Time (UTC). Synchronized systems are essential for certificate validation. Precision Time Protocol (PTP) and Network Time Protocol (NTP) also make it easier to track an intruder in log files. Incorrect time settings make it difficult to inspect and correlate log files to detect attacks, and make auditing inaccurate. See Synchronize the Time in vCenter Server with an NTP Server.

Restrict vCenter Server Network Access

Restrict access to components that are required to communicate with the vCenter Server. Blocking access from unnecessary systems reduces the potential for attacks on the operating system.

For the list of all supported ports and protocols in VMware products, including vSphere and vSAN, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. You can search ports by VMware product, create a customized list of ports, and print or save port lists.

Configure a Bastion Host

To help protect your assets, configure a bastion host (also called a jump box) to perform elevated administrative tasks. A bastion host is a special-purpose computer that hosts a minimal number of administrative applications. All other unnecessary services are removed. The host typically resides on the management network. A bastion host increases the protection of assets through restricting login to key individuals, requiring firewall rules to log in, and adding monitoring through auditing tools.