Security of the ESXi management interface is critical to protect against unauthorized intrusion and misuse. If a host is compromised in certain ways, the virtual machines it interacts with might also be compromised. To minimize the risk of an attack through the management interface, ESXi is protected with a built-in firewall.
To protect the host against unauthorized intrusion and misuse, VMware imposes constraints on several parameters, settings, and activities. Constraints can be relaxed to meet configuration needs, but if you do so, you must take measures to protect the network as a whole and the devices connected to the host.
Consider the following recommendations when evaluating host security and administration.
- To improve security, restrict user access to the management interface and enforce access security policies such as setting up password restrictions.
- Provide only trusted users with ESXi Shell login access. The ESXi Shell has privileged access to certain parts of the host.
- When possible, run only the essential processes, services, and agents such as virus checkers, and virtual machine backups.
- When possible, use the vSphere Web Client or a third-party network management tool to administer ESXi hosts instead of working though the command-line interface as the root user. When you use the vSphere Web Client, you always connect to the ESXi host through a vCenter Server system.
The host runs several third-party packages to support management interfaces or tasks that an operator must perform. VMware does not support upgrading these packages from anything other than a VMware source. If a download or patch is used from another source, management interface security or functions might be compromised. Regularly check third-party vendor sites and the VMware knowledge base for security alerts.
In addition to implementing the firewall, you can mitigate risks to ESXi hosts using other methods.
- Make sure that all firewall ports that are not specifically required for management access to the host are closed. Ports must be specifically opened if additional services are required.
- Replace the default certificates, and do not enable weak ciphers. By default, weak ciphers are disabled and all communications from clients are secured by TLS. The exact algorithms used for securing the channel depend on the TLS handshake. Default certificates created on ESXi use SHA-1 with RSA encryption as the signature algorithm.
- Install security patches. VMware monitors all security alerts that might affect ESXi security, and if needed, issues a security patch.
- Non secure services such as FTP and Telnet are not installed, and the ports for these services are closed. Because more secure services such as SSH and SFTP are easily available, always avoid using these insecure services in favor of their safer alternatives. If you must use non secure services, implement sufficient protection for the ESXi hosts and open the corresponding ports.
You can put ESXi hosts in lockdown mode. When lockdown mode is enabled, the host can be managed only from vCenter Server. No users other than vpxuser have authentication permissions, and direct connections to the host are rejected.