VMware Security Hardening Guides provide prescriptive guidance about deploying and operating VMware products in a secure manner. For vSphere, this guide is called the vSphere Security Configuration Guide (formerly known as the Hardening Guide). Starting in vSphere 8.0 Update 3, the information from the vSphere Security Configuration Guide known as security controls is now included in this guide.

Security controls provide security best practices for vSphere. The security controls do not map directly to regulatory guidelines or frameworks. Thus, do not use them as a way towards achieving compliance. Also, the security controls are not intended for use as a security checklist.

Security is always a tradeoff. When you implement security controls, you might affect usability, performance, or other operational tasks negatively. Consider your workloads, usage patterns, organizational structure, and so on carefully before making security changes, whether the advice is from VMware or from other industry sources.

If your organization is subject to regulatory compliance needs, see https://core.vmware.com/compliance. This site features compliance kits and product audit guides to help vSphere administrators and regulatory auditors secure and attest virtual infrastructure for regulatory frameworks, such as NIST 800-53v4, NIST 800-171, PCI DSS, HIPAA, CJIS, ISO 27001, and more.

These vSphere security controls do not discuss securing the following items:
  • Software running inside the virtual machine, such as the Guest OS and applications
  • Traffic running through the virtual machine networks
  • Security of add-on products

These vSphere security controls are not meant to be used as a "compliance" tool. These security controls do enable you to take initial steps towards compliance, but used by themselves, they do not ensure that your deployment is compliant. For more information about compliance, see Security Versus Compliance in the vSphere Environment.

Do not blindly apply security controls to your environment. Rather, take time to evaluate each setting and make an informed decision whether you want to apply it. At a minimum, you can use the instructions in the Assessment sections to verify the security of your deployment.

These security controls are an aid to begin implementing compliance in your deployment. When used with the Defense Information Systems Agency (DISA) and other compliance guidelines, you can map vSphere security controls to the compliance flavor per each guideline.

Definitions for Security Controls Terms

In the security control sections that follow, the following terms and definitions are used.

Table 1. Security Controls Definitions
Control Term Definition
Installation Default Value What the control defaults to in this version of vSphere when you first install the product.
Baseline Suggested Value A reasonable recommendation for how you should configure this control, if no other guidance is present. Regulatory compliance guidance might supersede these recommendations, for example.
Action Needed

The suggested action for a particular control.

Modify: Make the change. For controls that are outside vSphere, such as hardware settings, this documentation always assumes that the control is set insecurely by default and recommends modifying the configuration.

Audit: Ensure that the default is in use, the expected value is present, or exceptions to the control are documented. When auditing a control whose default is the suggested value, two lines of thought are possible. First: Only by setting the parameters explicitly can they be audited and known. Second: All configuration changes require "care and feeding" over time, so where there is a secure default, you can use it to help simplify an environment. This documentation takes the latter approach, but you can choose your own course.

Controls that are unimplemented have zero effect on security. They are listed as "audit" in this documentation, but can be removed.

Potential Functional Impact if Default Value Is Changed Does this change potentially cause problems? Most security controls present tradeoffs in some way. What might changing this control require in exchange?
PowerCLI Command Assessment An example PowerCLI command to determine how the control is set.
PowerCLI Command Remediation Example An example PowerCLI command to set the control to the recommendation.