To secure an ESXi host against unauthorized intrusion and misuse, VMware constrains several parameters, settings, and activities. You can loosen these constraints to meet your configuration needs; if you do, make sure that you are working in a trusted environment and take other security measures.

What Are the ESXi Built-In Security Features

ESXi mitigates risks to your hosts as follows:

  • The ESXi Shell interface and the SSH interface are deactivated by default. Keep these interfaces deactivated unless you are performing troubleshooting or support activities. For day-to-day activities, use the vSphere Client, where activity is subject to role-based access control and modern access control methods.
  • Only some firewall ports are open by default. You can explicitly open firewall ports that are associated with specific services.
  • By default, all ports that are not required for management access to the host are closed. Open ports if you need additional services.
  • ESXi runs only services that are essential to managing its functions. The distribution is limited to the features required to run ESXi.
  • By default, weak ciphers are deactivated and communications from clients are secured by SSL. The exact algorithms used for securing the channel depend on the SSL handshake. Default certificates created on ESXi use PKCS#1 SHA-256 with RSA encryption as the signature algorithm.
  • ESXi uses an internal web service to support access by Web clients. The service has been modified to run only the functions that a Web client requires for administration and monitoring. As a result, ESXi is not exposed to the web service security issues reported for broader deployments of such services.
  • VMware monitors all security alerts that can affect ESXi security and issues a security patch if needed. To receive security alerts, you can subscribe to the VMware Security Advisories and Security Alerts mailing list. See the web page at http://lists.vmware.com/mailman/listinfo/security-announce.
  • Insecure services such as FTP and Telnet are not installed, and the ports for these services are closed by default.
  • To protect hosts from loading drivers and applications that are not cryptographically signed, use UEFI Secure Boot. You enable Secure Boot in the system BIOS; no additional configuration changes are required on the ESXi host, for example, to disk partitions. See UEFI Secure Boot for ESXi Hosts.
  • If your ESXi host has a TPM 2.0 chip, enable and configure the chip in the system BIOS. Working together with Secure Boot, TPM 2.0 provides enhanced security and trust assurance rooted in hardware. See Securing ESXi Hosts with Trusted Platform Module.
  • In ESXi 8.0 and later, you can run the SSH process under a sandbox domain. The shell then has reduced privileges, and only permits access to a limited subset of commands. For more information, see the VMware knowledge base article at https://kb.vmware.com/s/article/87386.

Taking Further ESXi Security Measures

Consider the following recommendations when evaluating host security and administration.

Limit access to ESXi hosts
If you activate access to the Direct Console User Interface (DCUI), the ESXi Shell, or SSH, enforce strict access security policies.
The ESXi Shell has privileged access to certain parts of the host. Provide only trusted users with ESXi Shell login access.
Do not access managed ESXi hosts directly
Use the vSphere Client to administer ESXi hosts that are managed by a vCenter Server. Do not access managed hosts directly with the VMware Host Client, and do not change managed hosts from the DCUI.
If you manage hosts with a scripting interface or API, do not target the host directly. Instead, target the vCenter Server system that manages the host and specify the host name.
Use DCUI only for troubleshooting
Access the host from the DCUI or the ESXi Shell as the root user only for troubleshooting. To administer your ESXi hosts, use the vSphere Client (or the VMware Host Client), or one of the VMware CLIs or APIs. See ESXCLI Concepts and Examples. If you use the ESXi Shell or SSH, limit the accounts that have access and set timeouts.
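As an added example (not part of the VMware documentation), the following Python script audits a host against two of the points made on this page: that the SSH firewall ruleset (sshServer) is still disabled, as it is by default, and that the ESXi Shell timeouts recommended above are actually set. It parses constructed sample text in the shape of the output of `esxcli network firewall ruleset list` and `esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut` rather than running those commands, and the baseline set of enabled rulesets and the 900-second timeout policy are assumptions chosen for the example.

```python
"""Audit esxcli output for SSH exposure and missing ESXi Shell timeouts (added example)."""
import re

# Constructed sample in the shape of `esxcli network firewall ruleset list`
# (not captured from a real host).
RULESET_LIST = """\
Name           Enabled
-------------  -------
sshServer      true
sshClient      false
nfsClient      false
vSphereClient  true
vpxHeartbeats  true
ntpClient      true
"""

# Constructed sample in the shape of
# `esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut`
# (plus the interactive timeout), trimmed to the fields this script reads.
ADVANCED_SETTINGS = """\
   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0

   Path: /UserVars/ESXiShellInteractiveTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
"""

# Assumed baseline: rulesets that are expected to be enabled on this host.
# Any other enabled ruleset (sshServer in particular) is reported.
EXPECTED_ENABLED = {"vSphereClient", "vpxHeartbeats", "ntpClient"}

# Assumed policy: idle shells must time out within 15 minutes. A value of 0 means never.
MAX_SHELL_TIMEOUT = 900

SHELL_TIMEOUT_PATHS = (
    "/UserVars/ESXiShellTimeOut",
    "/UserVars/ESXiShellInteractiveTimeOut",
)


def parse_ruleset_list(text):
    """Return {ruleset_name: enabled} from the two-column esxcli table."""
    rulesets = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(true|false)$", line.strip())
        if m:  # header and separator lines do not match
            rulesets[m.group(1)] = m.group(2) == "true"
    return rulesets


def parse_advanced_settings(text):
    """Return {setting_path: int_value} from blocks of 'Key: value' lines."""
    settings = {}
    path = None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Path":
            path = value
        elif key == "Int Value" and path:
            settings[path] = int(value)
    return settings


def audit(rulesets, settings, expected_enabled=EXPECTED_ENABLED,
          max_timeout=MAX_SHELL_TIMEOUT):
    """Compare parsed host state against the baseline and return a list of findings."""
    findings = []
    for name, enabled in sorted(rulesets.items()):
        if enabled and name not in expected_enabled:
            findings.append(f"firewall ruleset '{name}' is enabled but not in the baseline")
    for path in SHELL_TIMEOUT_PATHS:
        value = settings.get(path)
        if value is None:
            findings.append(f"{path} not found in host output")
        elif value == 0 or value > max_timeout:
            findings.append(f"{path} is {value}s (0 = never); policy requires 1-{max_timeout}s")
    return findings


if __name__ == "__main__":
    host_rulesets = parse_ruleset_list(RULESET_LIST)
    host_settings = parse_advanced_settings(ADVANCED_SETTINGS)
    for finding in audit(host_rulesets, host_settings):
        print("FINDING:", finding)
```

On a real host you would capture the two esxcli outputs and feed them to the parsers in place of the constructed strings. The script checks only the firewall ruleset and the timeout values; whether the ESXi Shell and SSH services themselves are running is a separate question, controlled through the host's TSM and TSM-SSH services, which this example does not inspect.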
Use only VMware sources to upgrade ESXi components
The host runs several third-party packages to support management interfaces or tasks that you must perform. VMware only supports upgrades to these packages that come from a VMware source. If you use a download or patch from another source, you might compromise management interface security or functions. Check third-party vendor sites and the VMware knowledge base for security alerts.
Note: Follow the VMware security advisories at http://www.vmware.com/security/.