VMware creates Security Hardening Guides that provide prescriptive guidance about deploying and operating VMware products in a secure manner. For vSphere, this guide is called the vSphere Security Configuration Guide (formerly known as the Hardening Guide).

The vSphere Security Configuration Guide, available at https://core.vmware.com/security-configuration-guide, contains security best practices for vSphere. The vSphere Security Configuration Guide does not map directly to regulatory guidelines or frameworks, and so is not a compliance guide. Also, the vSphere Security Configuration Guide is not intended for use as a security checklist. Security is always a tradeoff. When you implement security controls, you might affect usability, performance, or other operational tasks negatively. Consider your workloads, usage patterns, organizational structure, and so on carefully before making security changes, whether the advice is from VMware or from other industry sources. If your organization is subject to regulatory compliance needs, see Security Versus Compliance in the vSphere Environment or visit https://core.vmware.com/compliance. This site features compliance kits and product audit guides to help vSphere administrators and regulatory auditors secure and attest virtual infrastructure for regulatory frameworks, such as NIST 800-53v4, NIST 800-171, PCI DSS, HIPAA, CJIS, ISO 27001, and more.

The vSphere Security Configuration Guide does not discuss securing the following items:
  • Software running inside the virtual machine, such as the Guest OS and applications
  • Traffic running through the virtual machine networks
  • Security of add-on products

The vSphere Security Configuration Guide is not meant to be used as a "compliance" tool. The vSphere Security Configuration Guide does enable you to take initial steps towards compliance, but used by itself, it does not ensure that your deployment is compliant. For more information about compliance, see Security Versus Compliance in the vSphere Environment.

How to Use the vSphere Security Configuration Guide

The vSphere Security Configuration Guide is a spreadsheet that contains security-related guidelines to assist you with modifying your vSphere security configuration. These guidelines are grouped into tabs based on the affected components.

Do not blindly apply guidelines in the vSphere Security Configuration Guide to your environment. Rather, take time to evaluate each setting and make an informed decision about whether you want to apply it. At a minimum, you can use the instructions in the Assessment columns to verify the security of your deployment.

The vSphere Security Configuration Guide is an aid to begin implementing compliance in your deployment. When used with the Defense Information Systems Agency (DISA) and other compliance guidelines, the vSphere Security Configuration Guide enables you to map vSphere security controls to the specific requirements of each compliance guideline.