Strictly control access to different vCenter Server components to increase security for the system.

The following guidelines help ensure security of your environment.

Use Named Accounts to Access vCenter Server

  • Grant the Administrator role only to those administrators who are required to have it. You can create custom roles or use the No cryptography administrator role for administrators with more limited privileges. Do not apply this role to any group whose membership is not strictly controlled.
  • Make sure that applications use unique service accounts when connecting to a vCenter Server system.

Monitor Privileges of vCenter Server Administrator Users

Not all administrator users must have the Administrator role. Instead, create a custom role with the appropriate set of privileges and assign it to other administrators.

Users with the vCenter Server Administrator role have privileges on all objects in the hierarchy. For example, by default the Administrator role allows users to interact with files and programs inside the guest operating system of a virtual machine. Assigning that role to too many users can lessen virtual machine data confidentiality, availability, or integrity. Create a role that gives the administrators the privileges they need, but remove some of the virtual machine management privileges. See also Privilege Recorder.

Minimize Access to the vCenter Server Appliance

Do not allow users to log in directly to the vCenter Server Appliance. Users who are logged in to the vCenter Server Appliance can cause harm, either intentionally or unintentionally, by altering settings and modifying processes. Those users also have potential access to vCenter Server credentials, such as the SSL certificate. Allow only users who have legitimate tasks to perform to log in to the system, and ensure that login events are audited.

Grant Minimal Privileges to Database Users

The database user requires only certain privileges specific to database access.

Some privileges are required only for installation and upgrade. You can remove these privileges from the database administrator after vCenter Server is installed or upgraded.

Restrict Datastore Browser Access

Assign the Datastore.Browse datastore privilege only to users or groups who really need that privilege. Users with the privilege can view, upload, or download files on datastores associated with the vSphere deployment through the Web browser or the vSphere Client.

Restrict Users from Running Commands in a Virtual Machine

By default, a user with the Administrator role can interact with the files and the programs of a guest operating system within a virtual machine. To reduce the risk of breaching guest confidentiality, availability, or integrity, create a custom nonguest access role without the Virtual machine.Guest operations privilege. See Restrict Users from Running Commands Within a Virtual Machine.
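The two preceding guidelines (restricting Datastore.Browse and removing Virtual machine.Guest operations) can be audited and applied with PowerCLI. The following is an added example, not part of the VMware documentation; it assumes an existing Connect-VIServer session and that the built-in Administrator role is exposed under its API name "Admin".

```powershell
# Assumes a PowerCLI session already opened with Connect-VIServer.

# 1. Audit: which roles carry Datastore.Browse, and who holds them?
$browseRoles = Get-VIRole | Where-Object { $_.PrivilegeList -contains 'Datastore.Browse' }
foreach ($role in $browseRoles) {
    $holders = Get-VIPermission | Where-Object { $_.Role -eq $role.Name }
    foreach ($p in $holders) {
        # Entity is where the permission is set; Propagate shows whether it inherits downward.
        [pscustomobject]@{
            Role      = $role.Name
            Principal = $p.Principal
            Entity    = $p.Entity.Name
            Propagate = $p.Propagate
        }
    }
}

# 2. Build a "nonguest access" role: every Administrator privilege except guest operations.
#    Guest-operation privilege IDs all live under VirtualMachine.GuestOperations.*
$guestOpsPattern = 'VirtualMachine.GuestOperations.*'
$privs = Get-VIRole -Name 'Admin' | Get-VIPrivilege |
         Where-Object { $_.Id -notlike $guestOpsPattern }

# Role name below is an assumed value; choose one that matches your naming convention.
$roleName = 'Admin - No Guest Ops'
if (-not (Get-VIRole -Name $roleName -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $roleName -Privilege $privs | Out-Null
}

# Verify that no guest-operation privilege survived in the new role.
$leaked = (Get-VIRole -Name $roleName).PrivilegeList | Where-Object { $_ -like $guestOpsPattern }
if ($leaked) { Write-Warning "Guest operations privileges still present: $($leaked -join ', ')" }
else         { Write-Host "Role '$roleName' contains no guest operations privileges." }
```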

Consider Modifying the Password Policy for vpxuser

By default, vCenter Server changes the vpxuser password automatically every 30 days. Ensure that this setting meets company policy, or configure the vCenter Server password policy. See Set the vCenter Server Password Policy.
Note: Make sure that the password aging policy is not too short.

Check Privileges After Restarting vCenter Server

Check for privilege reassignment when you restart vCenter Server. If the user or group that has the Administrator role on the root folder cannot be validated during a restart, the role is removed from that user or group. In its place, vCenter Server grants the Administrator role to the vCenter Single Sign-On administrator, administrator@vsphere.local by default. This account can then act as the vCenter Server administrator.

Reestablish a named administrator account and assign the Administrator role to that account to avoid using the anonymous vCenter Single Sign-On administrator account (administrator@vsphere.local by default).
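The post-restart check above can be scripted so it runs after every vCenter Server restart. This is an added PowerCLI example, not from the VMware documentation; it assumes an open Connect-VIServer session, the default vsphere.local SSO domain, and a named administrator account (placeholder below) that already exists in that domain.

```powershell
# Assumes a PowerCLI session already opened with Connect-VIServer.

# The root folder is the top of the inventory hierarchy; -NoRecursion returns only it.
$root = Get-Folder -NoRecursion

# Everyone holding the Administrator role ("Admin" in the API) directly on the root folder.
$rootAdmins = Get-VIPermission -Entity $root | Where-Object { $_.Role -eq 'Admin' }
$rootAdmins | Select-Object Principal, Role, Propagate | Format-Table -AutoSize

# Default SSO administrator principal as PowerCLI reports it (assumed default domain).
$ssoAdmin = 'VSPHERE.LOCAL\Administrator'
# Placeholder: the named administrator account you want to hold the role instead.
$namedAdmin = 'VSPHERE.LOCAL\vc-named-admin'

$onlySsoAdmin = ($rootAdmins.Principal -contains $ssoAdmin) -and
                -not ($rootAdmins.Principal -contains $namedAdmin)

if ($onlySsoAdmin) {
    Write-Warning "Root-folder Administrator fell back to $ssoAdmin; reestablishing $namedAdmin."
    # Propagate so the named account gets Administrator on every child object, as before.
    New-VIPermission -Entity $root -Principal $namedAdmin -Role 'Admin' -Propagate:$true | Out-Null
} else {
    Write-Host "Named administrator still holds the Administrator role on the root folder."
}
```

Run this from a scheduled task or CI job after maintenance windows so a silent fallback to the SSO administrator does not go unnoticed.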

Use High Encryption Levels for Remote Desktop Protocol

On each Windows computer in the infrastructure, configure the Remote Desktop Protocol (RDP) Host Configuration settings to use the highest level of encryption appropriate for your environment.

Verify vSphere Client Certificates

Instruct users of the vSphere Client or other client applications to heed certificate verification warnings. Without certificate verification, the user might be the subject of a man-in-the-middle (MiTM) attack.

Set the vCenter Server Password Policy

By default, vCenter Server changes the vpxuser password automatically every 30 days. You can change that value from the vSphere Client.

Procedure

  1. Log in to the vCenter Server system by using the vSphere Client.
  2. Select the vCenter Server system in the object hierarchy.
  3. Click Configure.
  4. Click Advanced Settings and click Edit Settings.
  5. Click the Filter icon and enter VimPasswordExpirationInDays.
  6. Set VirtualCenter.VimPasswordExpirationInDays to comply with your requirements.
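The same setting can be read and changed with PowerCLI, which is convenient when several vCenter Server systems must comply with one policy. This is an added example, not from the VMware documentation; it assumes an open Connect-VIServer session and a maximum age taken from your own password policy (the 30 used below is the product default, as stated above).

```powershell
# Assumes a PowerCLI session already opened with Connect-VIServer.

$settingName = 'VirtualCenter.VimPasswordExpirationInDays'
# Assumed policy bound: the longest vpxuser password age your company policy allows.
$policyMaxDays = 30

# The vCenter Server itself is the entity for VirtualCenter.* advanced settings.
$vc = $global:DefaultVIServer
$setting = Get-AdvancedSetting -Entity $vc -Name $settingName

# A value of 0 disables automatic rotation entirely; treat it as out of policy too.
$current = [int]$setting.Value
if ($current -eq 0 -or $current -gt $policyMaxDays) {
    Write-Warning "$settingName is $current on $($vc.Name); setting it to $policyMaxDays."
    $setting | Set-AdvancedSetting -Value $policyMaxDays -Confirm:$false | Out-Null
} else {
    Write-Host "$settingName is $current on $($vc.Name): within policy."
}

# Re-read to confirm the change took effect.
(Get-AdvancedSetting -Entity $vc -Name $settingName).Value
```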

Removing Expired or Revoked Certificates and Logs from Failed Installations

Leaving expired or revoked certificates or leaving vCenter Server installation logs for failed installation on your vCenter Server system can compromise your environment.

Removing expired or revoked certificates is required for the following reasons.
  • If expired or revoked certificates are not removed from the vCenter Server system, the environment can be subject to a MiTM attack.

  • In certain cases, a log file that contains the database password in plain text is created on the system if vCenter Server installation fails. An attacker who breaks into the vCenter Server system might gain access to this password and, at the same time, access to the vCenter Server database.