These security controls provide a baseline set of vCenter Server security best practices. They are structured in a way that explains the benefits and tradeoffs of implementing the control. To make changes, you can use the vSphere Client, PowerCLI, or the vCenter Server Management Interface, depending on the control.
PowerCLI and Variables Used
Some of the PowerCLI examples used here require that the VMware.vSphere.SsoAdmin module be installed.
The PowerCLI commands in this section use the following variables:
- $VC="vcenter_server_name"
- $VDS="vsphere_distributed_switch_name"
- $VDPG="vsphere_distributed_port_group"
Set vSphere Client Inactivity Timeout
The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity.
Idle vSphere Client sessions can be left open indefinitely if a user forgets to log out, thereby increasing the risk of unauthorized privileged access.
Set Failed Login Attempts Interval
The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
By limiting the number of failed login attempts, the risk of unauthorized access using user password guessing, otherwise known as brute-forcing, is reduced.
Configure the vSphere SSO Lockout Policy Maximum Attempts
The vCenter Server must lock an account after a specified number of failed login attempts.
Repeated failed logins for an account can signal security issues. To limit brute force attempts, lock the account after a certain threshold, balancing between avoiding automatic connection retries and potential denial-of-service attacks.
Configure the vSphere SSO Lockout Policy Unlock Time
The vCenter Server must unlock accounts after a specified timeout period.
Repeated failed logins can suggest security threats. vCenter Server accounts should not automatically unlock when they have been locked due to multiple login failures. Ensure that you have your administrator@vsphere.local credentials and that they are valid, because that account is what you use to unlock others.
- Values
- Installation Default Value: 300
- Recommended Action
- Modify the installation default value.
- Potential Functional Impact if Default Value Is Changed
- There is the opportunity for denial-of-service when accounts do not automatically unlock.
- PowerCLI Command Remediation Example
    Get-SsoLockoutPolicy | Set-SsoLockoutPolicy -AutoUnlockIntervalSec 0
- Setting Location in the vSphere Client
Enforce Password Complexity
The vCenter Server must enforce password complexity.
Modern best practices for passwords (see NIST 800-63B Section 5.1.1.2, among other guidance) indicate that with adequate password entropy, security is not improved by arbitrarily requiring users to change their passwords at certain intervals. Many automated security tools and regulatory compliance frameworks do not reflect this guidance, and might override this recommendation.
Password strength and complexity rules apply to accounts created in vSphere SSO, including administrator@vsphere.local (or, if you specified a different domain during installation, administrator@mydomain). These rules do not apply to Active Directory users when vCenter Server is joined to a domain, because AD enforces those password policies.
- Values
- Installation Default Value:
  - Maximum Length: 20
  - Minimum Length: 8
  - At least 1 special character
  - At least 2 alphabetic characters
  - At least 1 uppercase character
  - At least 1 lowercase character
  - At least 1 numeric character
  - At most 3 identical adjacent characters
- Recommended Action
- Modify the installation default values.
- Potential Functional Impact if Default Value Is Changed
- Other products and services within the VMware ecosystem might not expect changes to password complexity requirements and could fail installation.
- PowerCLI Command Remediation Example
    Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinLength 15 -MaxLength 64 -MinNumericCount 1 -MinSpecialCharCount 1 -MinAlphabeticCount 2 -MinUppercaseCount 1 -MinLowercaseCount 1 -MaxIdenticalAdjacentCharacters 3
- Setting Location in the vSphere Client
Configure the Maximum Number of Days Between Password Changes
The vCenter Server must be configured with an appropriate maximum password age.
Modern best practices for passwords (see NIST 800-63B Section 5.1.1.2, among other guidance) indicate that with adequate password entropy, security is not improved by arbitrarily requiring users to change their passwords at certain intervals. Many automated security tools and regulatory compliance frameworks do not reflect this guidance, and might override this recommendation.
Restrict Password Reuse
Configure the password history setting to restrict the reuse of passwords on the vCenter Server.
Password complexity guidelines sometimes cause users to reuse older passwords. Configuring the password history setting on the vCenter Server can help prevent this situation.
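The lockout controls (failed-attempt interval, maximum attempts, unlock time) and the password controls (complexity, maximum age, reuse) all live in the two vSphere SSO policy objects. The following script is an added example, not code from the original page: it compares both policies against a baseline and reports drift, with a separate function to enforce the baseline. It assumes the VMware.vSphere.SsoAdmin module and an existing Connect-SsoAdminServer session. The 15-minute interval, the "no automatic unlock" value and the complexity numbers are the ones given on this page; the maximum-attempts threshold, the password history depth and the lifetime value are assumptions for illustration.

```powershell
# Added example: audit and enforce the vSphere SSO lockout and password policies.
# Requires VMware.vSphere.SsoAdmin and a Connect-SsoAdminServer session.
$Baseline = @{
    # --- Get-SsoLockoutPolicy properties ---
    MaxFailedAttempts                = 3     # assumed threshold
    FailedAttemptIntervalSec         = 900   # 15 minutes, as the page requires
    AutoUnlockIntervalSec            = 0     # 0 = no automatic unlock, as the page requires
    # --- Get-SsoPasswordPolicy properties ---
    MinLength                        = 15
    MaxLength                        = 64
    MinNumericCount                  = 1
    MinSpecialCharCount              = 1
    MinAlphabeticCount               = 2
    MinUppercaseCount                = 1
    MinLowercaseCount                = 1
    MaxIdenticalAdjacentCharacters   = 3
    ProhibitedPreviousPasswordsCount = 5     # assumed history depth
    PasswordLifetimeDays             = 0     # assumed: 0 means no forced rotation
}
$LockoutKeys = 'MaxFailedAttempts', 'FailedAttemptIntervalSec', 'AutoUnlockIntervalSec'

function Test-SsoPolicyDrift {
    param([Parameter(Mandatory)] [hashtable] $Baseline)
    $lockout  = Get-SsoLockoutPolicy
    $password = Get-SsoPasswordPolicy
    foreach ($name in $Baseline.Keys) {
        # Pick the policy object that carries this property
        $source = if ($name -in $LockoutKeys) { $lockout } else { $password }
        $actual = $source.$name
        if ($actual -ne $Baseline[$name]) {
            [pscustomobject]@{ Setting = $name; Actual = $actual; Expected = $Baseline[$name] }
        }
    }
}

function Set-SsoPolicyBaseline {
    param([Parameter(Mandatory)] [hashtable] $Baseline)
    # Split the baseline into the parameter sets of the two Set-* cmdlets and splat them
    $lockoutArgs  = @{}
    $passwordArgs = @{}
    foreach ($name in $Baseline.Keys) {
        if ($name -in $LockoutKeys) { $lockoutArgs[$name] = $Baseline[$name] }
        else                        { $passwordArgs[$name] = $Baseline[$name] }
    }
    Get-SsoLockoutPolicy  | Set-SsoLockoutPolicy  @lockoutArgs
    Get-SsoPasswordPolicy | Set-SsoPasswordPolicy @passwordArgs
}

# Report drift first; enforce only after reviewing the report
$drift = Test-SsoPolicyDrift -Baseline $Baseline
if ($drift) { $drift | Format-Table -AutoSize } else { 'SSO lockout and password policies match the baseline.' }
# Set-SsoPolicyBaseline -Baseline $Baseline
```

Run the drift report before enforcing: the functional-impact note above about other VMware products failing installation against tightened complexity rules applies to the password half of this baseline, and a non-zero MaxFailedAttempts with AutoUnlockIntervalSec 0 means locked accounts stay locked until an administrator intervenes.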
Configure the Login Banner Text for SSH Access
Configure the vCenter Server login banner text for access using SSH.
vCenter Server allows a login message, which deters intruders and communicates obligations to authorized users. This configuration establishes the text displayed when a client connects using SSH. The default text leaks information to attackers about system configuration and should be changed.
- Values
- Installation Default Value (two lines):
    VMware vCenter Server version
    Type: vCenter Server with an embedded Platform Services Controller
- PowerCLI Command Remediation Example
    Get-AdvancedSetting -Entity $VC -Name etc.issue | Set-AdvancedSetting -Value "Authorized users only. Actual or attempted unauthorized use of this system is prohibited and may result in criminal, civil, security, or administrative proceedings and/or penalties. Use of this information system indicates consent to monitoring and recording, without notice or permission. Users have no expectation of privacy in any use of this system. Any information stored on, or transiting this system, or obtained by monitoring and/or recording, may be disclosed to law enforcement and/or used in accordance with Federal law, State statute, and organization policy. If you are not an authorized user of this system, exit the system at this time."
Set Task and Retention Interval
The vCenter Server must have task and event retention set to an appropriate interval.
vCenter Server retains task and event data, which ages out to save storage space. The age is configurable. This only impacts local storage of event data on the vCenter Server Appliance.
Activate Remote Logging
Activate remote logging of vCenter Server events.
Remote logging to a central host enhances the security of vCenter Server by storing logs securely. Remote logging simplifies monitoring across hosts and supports aggregate analysis for detecting coordinated attacks. Centralized logging prevents tampering and serves as a reliable long-term audit record. The vpxd.event.syslog.enabled setting activates remote logging.
Activate FIPS
The vCenter Server must activate FIPS-validated cryptography.
FIPS cryptography makes a number of changes to the system to remove weaker ciphers. Activating FIPS causes vCenter Server to restart.
- Potential Functional Impact if Default Value Is Changed
- FIPS cryptography makes a number of changes to the system to remove weaker ciphers. Enabling FIPS causes vCenter Server to restart.
- PowerCLI Command Remediation Example
    $spec = Initialize-SystemSecurityGlobalFipsUpdateSpec -Enabled $true
    Invoke-SetSystemGlobalFips -SystemSecurityGlobalFipsUpdateSpec $spec
- Setting Location in the vSphere Client
- See Activate and Deactivate FIPS on the vCenter Server Appliance.
Configure Audit Records
The vCenter Server must produce audit records that contain information to establish what type of events occurred.
It is important to ensure that sufficient information is present in audit logs for diagnostics and forensics purposes. The config.log.level setting configures audit records.
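The retention, remote-logging and audit-record controls above are all vCenter advanced settings, so they can be audited with one loop over Get-AdvancedSetting. The script below is an added example, not code from the original page. It assumes an existing Connect-VIServer session and the $VC variable defined at the top of this page. vpxd.event.syslog.enabled and config.log.level are the settings the page names; the retention setting names (task.maxAge, event.maxAge and their *Enabled switches) and every target value are assumptions chosen for illustration and should be matched to your own retention and logging requirements.

```powershell
# Added example: audit (and optionally remediate) vCenter advanced settings that back
# the retention, remote logging and audit record controls. Assumes Connect-VIServer.
$Desired = @{
    'vpxd.event.syslog.enabled' = $true    # page: activates forwarding of events to syslog
    'config.log.level'          = 'info'   # assumed audit log level
    'task.maxAgeEnabled'        = $true    # assumed setting name
    'task.maxAge'               = 30       # assumed: age out task data after 30 days
    'event.maxAgeEnabled'       = $true    # assumed setting name
    'event.maxAge'              = 30       # assumed: age out event data after 30 days
}

function Test-VcAdvancedSettings {
    param(
        [Parameter(Mandatory)] $Entity,
        [Parameter(Mandatory)] [hashtable] $Desired,
        [switch] $Remediate
    )
    foreach ($name in $Desired.Keys) {
        $expected = $Desired[$name]
        $setting  = Get-AdvancedSetting -Entity $Entity -Name $name
        if (-not $setting) {
            [pscustomobject]@{ Name = $name; Actual = $null; Expected = $expected; Status = 'Missing' }
            continue
        }
        # Values come back typed (bool, int, string). Comparing their string forms
        # works for all three, and PowerShell matches "True" and "true" case-insensitively.
        $compliant = ("$($setting.Value)" -eq "$expected")
        $status = if ($compliant) { 'Compliant' } else { 'Drift' }
        if (-not $compliant -and $Remediate) {
            $setting | Set-AdvancedSetting -Value $expected -Confirm:$false | Out-Null
            $status = 'Remediated'
        }
        [pscustomobject]@{ Name = $name; Actual = $setting.Value; Expected = $expected; Status = $status }
    }
}

# Report only
Test-VcAdvancedSettings -Entity $VC -Desired $Desired | Format-Table -AutoSize
# Enforce the baseline after reviewing the report
# Test-VcAdvancedSettings -Entity $VC -Desired $Desired -Remediate
```

Keep the report-only run in a scheduled job: a setting drifting back to its default (for example vpxd.event.syslog.enabled turning false) means events stop reaching the remote log server, which is exactly the gap an attacker with vCenter access would want to create.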
Deactivate MAC Learning
All distributed switch port groups must deactivate MAC Learning unless used intentionally.
MAC Learning enables a distributed switch to provide network connectivity to systems where more than one MAC address is used on a vNIC. This can be useful in special cases like nested virtualization (running ESXi inside ESXi, for example). MAC learning also supports unknown unicast flooding. Normally, when a packet that is received by a port has an unknown destination MAC address, the packet is dropped. With unknown unicast flooding enabled, the port floods unknown unicast traffic to every port on the switch that has MAC learning and unknown unicast flooding enabled. This property is activated by default, but only if MAC learning is enabled. Deactivate MAC Learning unless it is in use intentionally for a known workload that requires it.
- Potential Functional Impact if Default Value Is Changed
- Some workloads do legitimately use these network tactics and are negatively affected by the defaults and desired state.
- PowerCLI Command Assessment
    (Get-VDPortgroup -Name $VDPG).ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy | Select-Object -ExpandProperty Enabled
- PowerCLI Command Remediation Example
    $VDPGview = Get-VDPortgroup -Name $VDPG | Get-View
    $ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
    $ConfigSpec.DefaultPortConfig.MacManagementPolicy = New-Object VMware.Vim.DVSMacManagementPolicy
    $ConfigSpec.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy = New-Object VMware.Vim.DVSMacLearningPolicy
    $ConfigSpec.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy.Enabled = $false
    $ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion
    $VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec)
Configure the Login Message Banner Details
Configure the vCenter Server login banner details for the vSphere Client.
vCenter Server provides the ability to display a login message. Usages of the login message include informing intruders that their activities are illegal, and conveying to authorized users the expectations and obligations they must meet and agree to while using the system. This configuration sets the detailed text from the vSphere Client login page message.
- PowerCLI Command Assessment
  N/A (No public API available)
  You can configure the login message by running the following command in an appliance shell:
    /opt/vmware/bin/sso-config.sh -set_logon_banner -title logon_banner_title logonBannerFile
  Remember to deactivate the shell again when you are done.
- PowerCLI Command Remediation Example
  N/A (No public API available)
  You can configure the login message by running the following command in an appliance shell:
    /opt/vmware/bin/sso-config.sh -set_logon_banner -title logon_banner_title logonBannerFile
  Remember to deactivate the shell again when you are done.
Activate the Login Banner
Activate the vCenter Server login banner for the vSphere Client.
vCenter Server provides the ability to display a login message. Usages of the login message include informing intruders that their activities are illegal, and conveying to authorized users the expectations and obligations they must meet and agree to while using the system. This configuration activates the display of the message on the vSphere Client login page.
- PowerCLI Command Assessment
  N/A (No public API available)
  You can configure the login message by running the following command in an appliance shell:
    /opt/vmware/bin/sso-config.sh -set_logon_banner -title logon_banner_title logonBannerFile
  Remember to deactivate the shell again when you are done.
- PowerCLI Command Remediation Example
  N/A (No public API available)
  You can configure the login message by running the following command in an appliance shell:
    /opt/vmware/bin/sso-config.sh -set_logon_banner -title logon_banner_title logonBannerFile
  Remember to deactivate the shell again when you are done.
Configure the Login Banner Text
Configure the vCenter Server login banner text for the vSphere Client.
vCenter Server provides the ability to display a login message. Usages of the login message include informing intruders that their activities are illegal, and conveying to authorized users the expectations and obligations they must meet and agree to while using the system. This configuration establishes the text displayed on the vSphere Client login page.
- PowerCLI Command Assessment
  N/A (No public API available)
  You can configure the login message by running the following command in an appliance shell:
    /opt/vmware/bin/sso-config.sh -set_logon_banner -title logon_banner_title logonBannerFile
  Remember to deactivate the shell again when you are done.
- PowerCLI Command Remediation Example
  N/A (No public API available)
  You can configure the login message by running the following command in an appliance shell:
    /opt/vmware/bin/sso-config.sh -set_logon_banner -title logon_banner_title logonBannerFile
  Remember to deactivate the shell again when you are done.
Separate Authentication and Authorization for Administrators
The vCenter Server must separate authentication and authorization for administrators.
Combining authentication and authorization, as services such as Active Directory do, risks infrastructure breaches if compromised. Thus, for vCenter Server, ensure that you segregate authentication and authorization for administrators. Consider using local SSO groups for authorization to better manage risk where feasible.
Set the Forged Transmits Policy to Reject
Set all distributed switches and their port groups to reject forged transmits.
A virtual machine can impersonate network adapters by changing MAC addresses, posing security threats. By setting the Forged Transmits option to Reject on all distributed switches and port groups, ESXi verifies MAC addresses and prevents such impersonation.
- Potential Functional Impact if Default Value Is Changed
- Some workloads do legitimately use these network tactics and are affected negatively by default setting.
- PowerCLI Command Assessment
    Get-VDSwitch -Name $VDS | Get-VDSecurityPolicy
    Get-VDPortgroup -Name $VDPG | Get-VDSecurityPolicy
Set the MAC Address Changes Policy to Reject
Set the MAC Address Changes policy to Reject on both the vSphere Standard Switch and its port groups.
Allowing virtual machines to change MAC addresses poses security risks, enabling potential network adapter impersonation. Rejecting MAC changes on all distributed switches and port groups prevents this, but might impact certain applications like Microsoft Clustering or MAC address-dependent licensing. Make exceptions to this security guidance as necessary.
- Potential Functional Impact if Default Value Is Changed
- Some workloads do legitimately use these network tactics and are affected negatively by a setting of Reject.
- PowerCLI Command Assessment
    Get-VDSwitch -Name $VDS | Get-VDSecurityPolicy
    Get-VDPortgroup -Name $VDPG | Get-VDSecurityPolicy
Set the Promiscuous Mode Policy to Reject
Set the Promiscuous Mode policy to Reject on both the vSphere Standard Switch and its port groups.
Activating promiscuous mode on a port group allows all connected virtual machines to read all network packets, posing a potential security risk. Although allowing promiscuous mode is sometimes necessary for debugging or monitoring, the default setting of Reject is recommended. Make exceptions for specific port groups as required.
- Potential Functional Impact if Default Value Is Changed
- Some workloads do legitimately use these network tactics and are affected negatively by the setting of Reject.
- PowerCLI Command Assessment
    Get-VDSwitch -Name $VDS | Get-VDSecurityPolicy
    Get-VDPortgroup -Name $VDPG | Get-VDSecurityPolicy
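The three security-policy controls above (Forged Transmits, MAC Address Changes, Promiscuous Mode) share one assessment command, and the page's command only inspects the single switch and port group named in $VDS and $VDPG. The script below is an added example, not code from the original page: it audits every distributed switch and non-uplink port group in the current Connect-VIServer session, carries an exemption list for the port groups whose workloads legitimately need one of these settings (the clustering and licensing cases the page mentions), and provides a remediation function that sets all three to Reject with Set-VDSecurityPolicy. The exemption name is a constructed placeholder.

```powershell
# Added example: fleet-wide audit and remediation of the Forged Transmits, MAC Changes
# and Promiscuous Mode policies on distributed switches. Assumes Connect-VIServer.
$ExemptPortGroups = @('pg-cluster-heartbeat-EXAMPLE')   # constructed; record real exceptions here

function Get-VdsSecurityFindings {
    param([string[]] $ExemptPortGroups = @())
    foreach ($vds in Get-VDSwitch) {
        $policy = $vds | Get-VDSecurityPolicy
        [pscustomobject]@{
            Object           = $vds.Name
            Type             = 'VDSwitch'
            AllowPromiscuous = $policy.AllowPromiscuous
            ForgedTransmits  = $policy.ForgedTransmits
            MacChanges       = $policy.MacChanges
            Exempt           = $false
            # Compliant means all three are Reject ($false)
            Compliant        = -not ($policy.AllowPromiscuous -or $policy.ForgedTransmits -or $policy.MacChanges)
        }
        # Uplink port groups carry physical NIC traffic and are skipped, as in the page's VGT check
        foreach ($pg in ($vds | Get-VDPortgroup | Where-Object { -not $_.ExtensionData.Config.Uplink })) {
            $p      = $pg | Get-VDSecurityPolicy
            $exempt = $ExemptPortGroups -contains $pg.Name
            [pscustomobject]@{
                Object           = $pg.Name
                Type             = 'VDPortgroup'
                AllowPromiscuous = $p.AllowPromiscuous
                ForgedTransmits  = $p.ForgedTransmits
                MacChanges       = $p.MacChanges
                Exempt           = $exempt
                Compliant        = $exempt -or -not ($p.AllowPromiscuous -or $p.ForgedTransmits -or $p.MacChanges)
            }
        }
    }
}

function Set-VdsSecurityBaseline {
    param([string[]] $ExemptPortGroups = @())
    # Switch-level policy first: port groups inherit it unless they override
    Get-VDSwitch | Get-VDSecurityPolicy |
        Set-VDSecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false | Out-Null
    # Then every non-uplink, non-exempt port group
    Get-VDSwitch | Get-VDPortgroup |
        Where-Object { -not $_.ExtensionData.Config.Uplink -and $_.Name -notin $ExemptPortGroups } |
        Get-VDSecurityPolicy |
        Set-VDSecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false | Out-Null
}

# Show only the objects that need attention
Get-VdsSecurityFindings -ExemptPortGroups $ExemptPortGroups |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
# Set-VdsSecurityBaseline -ExemptPortGroups $ExemptPortGroups
```

Exempt port groups still appear in the report with their actual values, so an exception that was granted for a clustering workload stays visible rather than silently becoming a permanent blind spot.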
Reset Port Configuration When Virtual Machines Are Disconnected
The vCenter Server must reset port configuration when virtual machines are disconnected.
When a virtual machine is disconnected from the virtual switch port, it is desirable to reset the port configuration, so that another virtual machine that attaches has a port in a known state.
- PowerCLI Command Assessment
    (Get-VDPortgroup -Name $VDPG).ExtensionData.Config.Policy | Select-Object -ExpandProperty PortConfigResetAtDisconnect
- PowerCLI Command Remediation Example
    $VDPGview = Get-VDPortgroup -Name $VDPG | Get-View
    $ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
    $ConfigSpec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
    $ConfigSpec.Policy.PortConfigResetAtDisconnect = $true
    $ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion
    $VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec)
Deactivate Cisco Discovery Protocol or Link Layer Discovery Protocol
Deactivate participation in Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) on distributed switches unless used intentionally.
The vSphere Distributed Virtual Switch can engage in CDP or LLDP, potentially sharing sensitive unencrypted information, like IP addresses and system names, on the network. Thus, CDP and LLDP can aid adversaries in understanding or impersonating your environment. However, CDP and LLDP are also extremely helpful for legitimate use cases. Deactivate CDP and LLDP unless necessary for troubleshooting or configuration validation.
- PowerCLI Command Assessment
    (Get-VDSwitch -Name $VDS).ExtensionData.Config.LinkDiscoveryProtocolConfig | Select-Object -ExpandProperty Operation
- PowerCLI Command Remediation Example
    $VDview = Get-VDSwitch -Name $VDS | Get-View
    $ConfigSpec = New-Object VMware.Vim.VMwareDVSConfigSpec
    $ConfigSpec.LinkDiscoveryProtocolConfig = New-Object VMware.Vim.LinkDiscoveryProtocolConfig
    $ConfigSpec.LinkDiscoveryProtocolConfig.Protocol = 'cdp'
    $ConfigSpec.LinkDiscoveryProtocolConfig.Operation = 'none'
    $ConfigSpec.ConfigVersion = $VDview.Config.ConfigVersion
    $VDview.ReconfigureDvs_Task($ConfigSpec)
Ensure That Authorized Collectors Receive NetFlow Traffic
The vCenter Server must ensure that NetFlow traffic is being sent to authorized collectors.
The vSphere Distributed Switch can export unencrypted NetFlow data, revealing details about virtual network and traffic patterns. Verify that NetFlow usage is authorized and configured correctly to prevent information leaks.
- PowerCLI Command Assessment
    (Get-VDSwitch -Name $VDS).ExtensionData.Config.IpfixConfig | Select-Object -ExpandProperty CollectorIpAddress
    (Get-VDPortgroup -Name $VDPG).ExtensionData.Config.DefaultPortConfig.IpfixEnabled | Select-Object -ExpandProperty Value
- PowerCLI Command Remediation Example
    $VDPGview = Get-VDPortgroup -Name $VDPG | Get-View
    $ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
    $ConfigSpec.DefaultPortConfig.IpfixEnabled = New-Object VMware.Vim.BoolPolicy
    $ConfigSpec.DefaultPortConfig.IpfixEnabled.Inherited = $false
    $ConfigSpec.DefaultPortConfig.IpfixEnabled.Value = $false
    $ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion
    $VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec)
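The control asks you to verify that NetFlow goes only to authorized collectors, which the single-object assessment above does not do by itself. The script below is an added example, not code from the original page: it reads the IPFIX collector of every distributed switch in the current Connect-VIServer session, compares it with an authorized list, and shows which port groups actually have IPFIX enabled, so that an unauthorized or missing collector is only flagged where flow data is really being exported. The authorized address is a constructed placeholder from the RFC 5737 documentation range.

```powershell
# Added example: check NetFlow (IPFIX) collectors on all distributed switches against an
# authorized list. Assumes Connect-VIServer.
$AuthorizedCollectors = @('192.0.2.10')   # constructed placeholder; use your real collector addresses

function Get-NetFlowFindings {
    param([Parameter(Mandatory)] [string[]] $Authorized)
    foreach ($vds in Get-VDSwitch) {
        $ipfix     = $vds.ExtensionData.Config.IpfixConfig
        $collector = $ipfix.CollectorIpAddress
        # Port groups whose default port configuration has IPFIX monitoring enabled
        $monitored = @($vds | Get-VDPortgroup |
            Where-Object { $_.ExtensionData.Config.DefaultPortConfig.IpfixEnabled.Value } |
            Select-Object -ExpandProperty Name)
        $hasCollector = -not [string]::IsNullOrEmpty($collector)
        $finding = if ($hasCollector -and ($Authorized -notcontains $collector)) {
            'Collector not on the authorized list'
        } elseif (-not $hasCollector -and $monitored.Count -gt 0) {
            'IPFIX enabled on port groups but no collector configured'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Switch              = $vds.Name
            Collector           = $collector
            CollectorPort       = $ipfix.CollectorPort
            MonitoredPortGroups = ($monitored -join ', ')
            Finding             = $finding
        }
    }
}

Get-NetFlowFindings -Authorized $AuthorizedCollectors | Format-Table -AutoSize
```

Where a switch reports an unauthorized collector, either correct the collector address on the switch or, if NetFlow is not wanted at all, apply the page's remediation (IpfixEnabled set to $false) to each port group listed in MonitoredPortGroups.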
Configure Virtual Machine Port Security
The vCenter Server must not override port group settings at the port level on distributed switches, except to block ports.
While port-level configuration overrides might be needed for unique virtual machine setups, be sure to monitor them to prevent unauthorized use. Unmonitored overrides could allow broader access if a less secure Distributed Switch configuration is exploited.
- PowerCLI Command Remediation Example
    $VDPGview = Get-VDPortgroup -Name $VDPG | Get-View
    $ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
    $ConfigSpec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
    $ConfigSpec.Policy.UplinkTeamingOverrideAllowed = $false
    $ConfigSpec.Policy.BlockOverrideAllowed = $true
    $ConfigSpec.Policy.LivePortMovingAllowed = $false
    $ConfigSpec.Policy.VlanOverrideAllowed = $false
    $ConfigSpec.Policy.SecurityPolicyOverrideAllowed = $false
    $ConfigSpec.Policy.VendorConfigOverrideAllowed = $false
    $ConfigSpec.Policy.ShapingOverrideAllowed = $false
    $ConfigSpec.Policy.IpfixOverrideAllowed = $false
    $ConfigSpec.Policy.TrafficFilterOverrideAllowed = $false
    $ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion
    $VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec)
Remove Port Mirroring
The vCenter Server must remove unauthorized port mirroring sessions on distributed switches.
The vSphere Distributed Switch can mirror traffic between ports, enabling traffic observation. To maintain security, any unauthorized port mirroring sessions on distributed switches must be removed.
Restrict Virtual Guest Tagging
The vCenter Server must restrict the use of Virtual Guest Tagging (VGT) on Distributed Switches.
Setting a port group to VLAN 4095 allows Virtual Guest Tagging (VGT), requiring the virtual machine to process VLAN tags. Activate VGT only for those virtual machines that are authorized and equipped to manage VLAN tags. Inappropriate use can cause service denial or unauthorized VLAN traffic interaction.
- PowerCLI Command Assessment
    Get-VDPortgroup -Name $VDPG | Where-Object {$_.ExtensionData.Config.Uplink -ne "True"} | Select-Object Name,VlanConfiguration
Check for VMware Maintenance on the vCenter Server Version
Ensure that the vCenter Server version has not reached VMware End of General Support status.
Restrict Access to SSH
The vCenter Server SSH service must be deactivated.
vCenter Server Appliance is delivered as an appliance, and intended to be managed through the vCenter Server Management Interface, the vSphere Client, and the APIs. SSH is a troubleshooting and support tool to be activated only when necessary. vCenter Server High Availability uses SSH to coordinate the replication and failover between the nodes. Use of this feature requires SSH to remain activated.
- PowerCLI Command Assessment
  Note: You must first connect to the vCenter Server host by using the Connect-CISServer cmdlet.
Verify the root User Password Expiration
The vCenter Server root account password expiration must be configured appropriately.
Modern best practices for passwords (NIST 800-63B Section 5.1.1.2, among other guidance) indicate that with adequate password entropy, security is not improved by arbitrarily requiring users to change their passwords at certain intervals. Many automated security tools and regulatory compliance frameworks do not reflect this guidance, and might override this recommendation.
- Potential Functional Impact if Default Value Is Changed
- Failure to reset the password before the expiration means that recovery procedures are necessary.
- PowerCLI Command Assessment
  Note: You must first connect to the vCenter Server host by using the Connect-CISServer cmdlet.
Configure File-Based Backup and Recovery
Configure File-Based Backup and Recovery so that you can recover your vCenter Server Appliance and its configuration using the vCenter Server installer. Backup and restore is an important part of protecting your environment.
Configure the Firewall to Only Allow Traffic from Authorized Networks
The vCenter Server Appliance must configure the firewall to only allow traffic from authorized networks.
Ensure that all incoming and outgoing network traffic is blocked unless explicitly allowed, reducing the attack surface and helping to prevent unauthorized access to the system. Outgoing (egress) traffic is not blocked, nor are related or established connections, so vCenter Server Appliance is still able to communicate with systems where it initiates the connection. Use perimeter firewalls to curtail those types of connections.
Configure Remote Log Server
Configure a remote log server for the vCenter Server.
Remote logging to a central host enhances the security of vCenter Server by storing logs securely. Remote logging simplifies monitoring across hosts and supports aggregate analysis for detecting coordinated attacks. Centralized logging prevents tampering and serves as a reliable long-term audit record.
Configure Time Synchronization
vCenter Server must have reliable time synchronization sources.
Cryptography, audit logging, cluster operations, and incident response and forensics heavily rely on synchronized time. Network Time Protocol (NTP) must have at least four sources. If you must choose between two sources and one source, one source is preferable, because with exactly two sources there is no way to tell which one is wrong when they disagree.
- PowerCLI Command Assessment
  Note: You must first connect to the vCenter Server host by using the Connect-CISServer cmdlet.
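The SSH, root password expiration and time synchronization controls above all note that assessment goes through Connect-CisServer, but give no command. The script below is an added example, not code from the original page: after Connect-CisServer it reads the appliance API services for SSH access, NTP servers, time synchronization mode and the root local account, and reports each against the page's requirement (SSH deactivated, at least four NTP sources). The four service identifiers are the appliance API service names; the field names read from the local account record and the expected NTP server names are assumptions and should be confirmed against the live output of the service.

```powershell
# Added example: appliance-level checks for SSH, root password expiry and NTP via the
# vCenter appliance API. Assumes a Connect-CisServer session.
function Get-ApplianceHardeningState {
    param([string[]] $ExpectedNtpServers = @())   # empty list = accept any server names
    $ssh  = Get-CisService -Name 'com.vmware.appliance.access.ssh'
    $ntp  = Get-CisService -Name 'com.vmware.appliance.ntp'
    $sync = Get-CisService -Name 'com.vmware.appliance.timesync'
    $acct = Get-CisService -Name 'com.vmware.appliance.local_accounts'

    $sshEnabled = $ssh.get()
    $syncMode   = $sync.get()                    # 'NTP', 'HOST' or 'DISABLED'
    $servers    = @($ntp.get())
    $root       = $acct.get('root')              # assumed: per-account info record for root
    $unexpected = if ($ExpectedNtpServers.Count -gt 0) {
        @($servers | Where-Object { $_ -notin $ExpectedNtpServers })
    } else { @() }

    [pscustomobject]@{
        SshEnabled          = $sshEnabled
        SshCompliant        = -not $sshEnabled   # page: deactivated unless vCenter HA needs it
        TimeSyncMode        = $syncMode
        NtpServers          = ($servers -join ', ')
        NtpSourceCount      = $servers.Count
        NtpCompliant        = ($syncMode -eq 'NTP') -and ($servers.Count -ge 4) -and ($unexpected.Count -eq 0)
        RootPasswordMaxDays = $root.max_days_between_password_change   # assumed field name
        RootPasswordExpires = $root.password_expires_at                # assumed field name
    }
}

function Disable-ApplianceSsh {
    # Not for vCenter HA deployments: the page notes they rely on SSH for node replication.
    (Get-CisService -Name 'com.vmware.appliance.access.ssh').set($false)
}

# Constructed NTP server names for illustration
Get-ApplianceHardeningState -ExpectedNtpServers @(
    'ntp1.example.internal', 'ntp2.example.internal', 'ntp3.example.internal', 'ntp4.example.internal'
) | Format-List
```

RootPasswordExpires is the value to watch: the functional-impact note above means a root password that expires unnoticed turns into a recovery exercise, so alert on it well before the date rather than only listing it.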
Install Software Updates
Ensure that vCenter Server has all software updates installed.
By keeping vCenter Server patches up to date, vulnerabilities can be mitigated. Attackers can exploit known vulnerabilities when attempting to gain unauthorized access or elevate privileges.
When applying updates, update vCenter Server first, if an update is available, then proceed with updating ESXi. This sequence ensures that the management layer is updated before updating the ESXi hosts.
Rotate the vpxuser Password
The vCenter Server must configure the vpxuser password to be rotated on an appropriate interval.
The VirtualCenter.VimPasswordExpirationInDays setting configures the rotation period. Ensure that the vCenter Server is properly rotating the password that it automatically sets on the ESXi hosts.
- PowerCLI Command Assessment
    Get-AdvancedSetting -Entity $VC -Name VirtualCenter.VimPasswordExpirationInDays