The ESXi hypervisor is secured out of the box. You can further protect ESXi hosts by using lockdown mode and other built-in features. For consistency, you can set up a reference host and keep all hosts in sync with the host profile of the reference host. You can also protect your environment by performing scripted management, which ensures that changes apply to all hosts.

You can enhance protection of ESXi hosts that are managed by vCenter Server with the following actions. Security considerations for standalone hosts are similar, though the management tasks might differ. See the vSphere Single Host Management - VMware Host Client documentation.

Limit ESXi Access

By default, the ESXi Shell and the SSH services are not running and only the root user can log in to the Direct Console User Interface (DCUI). If you decide to enable ESXi Shell or SSH access, you can set timeouts to limit the risk of unauthorized access. Users who can access the ESXi host must have permissions to manage the host. You set permissions on the host object from the vCenter Server system that manages the host.

See Using the ESXi Shell.

Use Named Users and Least Privilege

By default, the root user can perform many tasks. Do not allow administrators to log in to the ESXi host using the root user account. Instead, create named administrator users from vCenter Server and assign those users the Administrator role. You can also assign those users a custom role. See Create a vCenter Server Custom Role.

If you manage users directly on the host, role management options are limited. See the vSphere Single Host Management - VMware Host Client documentation.

Minimize the Number of Open ESXi Firewall Ports

By default, firewall ports on your ESXi host are opened only when you start a corresponding service. You can use the vSphere Client, ESXCLI commands, or PowerCLI commands to check and manage firewall port status.

See Configuring the ESXi Firewall.

Automate ESXi Host Management

Because it is often important that different hosts in the same data center are in sync, use scripted installation or vSphere Auto Deploy to provision hosts. You can manage the hosts using scripts. Host profiles are an alternative to scripted management. You set up a reference host, export the host profile, and apply the host profile to all hosts. You can apply the host profile directly or as part of provisioning with Auto Deploy.

See Use Scripts to Manage ESXi Host Configuration Settings and see the vCenter Server Installation and Setup documentation for information about vSphere Auto Deploy.

Take Advantage of ESXi Lockdown Mode

In lockdown mode, ESXi hosts can be accessed only through vCenter Server by default. You can select strict lockdown mode or normal lockdown mode. You can define Exception Users to allow direct access to service accounts such as backup agents.

See Configuring and Managing Lockdown Mode on ESXi Hosts.

Check VIB Package Integrity

Each vSphere Installation Bundle (VIB) package has an associated acceptance level. You can add a VIB to an ESXi host only if the VIB acceptance level is the same as or better than the acceptance level of the host. You cannot add a CommunitySupported or PartnerSupported VIB to a host unless you explicitly change the acceptance level of the host.

See Manage the Acceptance Levels of ESXi Hosts and vSphere Installation Bundles.

Manage ESXi Certificates

The VMware Certificate Authority (VMCA) provisions each ESXi host with a signed certificate that has VMCA as the root certificate authority by default. If your company policy requires it, you can replace the existing certificates with certificates that are signed by a third-party or an enterprise certificate authority.

See Managing Certificates for ESXi Hosts.

Consider Smart Card Authentication for ESXi

ESXi supports the use of smart card authentication instead of user name and password authentication. Two-factor authentication is also supported for vCenter Server. You can configure user name and password authentication and smart card authentication at the same time.

See Configuring and Managing Smart Card Authentication for ESXi.

Consider ESXi Account Lockout

Account locking is supported for access through SSH and through the vSphere Web Services SDK. By default, a maximum of five failed attempts is allowed before the account is locked. The account is unlocked after 15 minutes by default.
Note: The Direct Console User Interface (DCUI) and the ESXi Shell do not support account lockout.

See ESXi Passwords and Account Lockout.
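
The defaults described on this page (ESXi Shell and SSH stopped, timeouts when they are enabled, lockout after five failed attempts with a 15-minute unlock, lockdown mode, VIB acceptance levels) and the reference-host approach can be checked mechanically. The following is an added example, not VMware code: it assumes host settings were already collected into Python dictionaries; the advanced setting names, service keys (TSM, TSM-SSH) and lockdown values are ESXi names, while the record layout, sample hosts, VIB names and function names are constructed for illustration.

```python
# Added example; host records are constructed sample data (as if collected via PowerCLI or ESXCLI).
# Acceptance levels are ordered from least to most trusted.
ACCEPTANCE = ["CommunitySupported", "PartnerSupported", "VMwareAccepted", "VMwareCertified"]

def vib_allowed(vib_level, host_level):
    """A VIB is acceptable only at the host's acceptance level or better."""
    return ACCEPTANCE.index(vib_level) >= ACCEPTANCE.index(host_level)

def audit_host(host):
    """Check one host record against the defaults described on this page."""
    adv, findings = host["advanced"], []
    running = [s for s in ("TSM", "TSM-SSH") if host["services"].get(s)]
    if running:  # TSM = ESXi Shell, TSM-SSH = SSH; both are stopped by default
        findings.append("running: " + ", ".join(running))
        for key in ("UserVars.ESXiShellTimeOut", "UserVars.ESXiShellInteractiveTimeOut"):
            if adv.get(key, 0) == 0:  # 0 means no timeout is set
                findings.append(f"{key} not set")
    failures = adv.get("Security.AccountLockFailures", 0)
    if failures == 0 or failures > 5:  # 0 turns account locking off
        findings.append(f"lockout threshold is {failures}")
    if adv.get("Security.AccountUnlockTime", 0) < 900:  # 900 s = 15 minutes
        findings.append("unlock time under 15 minutes")
    if host["lockdown"] == "lockdownDisabled":
        findings.append("lockdown mode off")
    for name, level in host["vibs"].items():
        if not vib_allowed(level, host["acceptance"]):
            findings.append(f"VIB {name} ({level}) below host level")
    return findings

def drift(reference, host):
    """Advanced settings whose values differ from the reference host."""
    ref, cur = reference["advanced"], host["advanced"]
    return sorted(k for k in set(ref) | set(cur) if ref.get(k) != cur.get(k))

REFERENCE = {  # constructed record for the reference host
    "services": {"TSM": False, "TSM-SSH": False},
    "advanced": {"Security.AccountLockFailures": 5, "Security.AccountUnlockTime": 900,
                 "UserVars.ESXiShellTimeOut": 600, "UserVars.ESXiShellInteractiveTimeOut": 300},
    "lockdown": "lockdownNormal", "acceptance": "PartnerSupported",
    "vibs": {"example-driver": "VMwareCertified"},
}
DRIFTED = {  # constructed record for a host that has drifted from the reference
    "services": {"TSM": False, "TSM-SSH": True},
    "advanced": {"Security.AccountLockFailures": 0, "Security.AccountUnlockTime": 900,
                 "UserVars.ESXiShellTimeOut": 0, "UserVars.ESXiShellInteractiveTimeOut": 300},
    "lockdown": "lockdownDisabled", "acceptance": "PartnerSupported",
    "vibs": {"example-tool": "CommunitySupported"},
}
if __name__ == "__main__":
    print(audit_host(DRIFTED), drift(REFERENCE, DRIFTED))
```

The timeout values are in seconds, and the same two timeout settings govern both ESXi Shell and SSH sessions.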