Data Center Virtualization Certification:VCP6.5-DCV Exam Guide

Objective 1.2 – Secure ESXi and vCenter Server 2

To increase the security of ESXi, vCenter Server, and the other vSphere components, you need to combine several approaches:

  • Protecting the physical layer: for networking, for example, use dedicated VLANs to separate the different traffic types (management, vMotion, storage, and virtual machine traffic).
  • Securing network communications: this applies at least to the infrastructure components. Management traffic is already encrypted by default (it runs over TLS). A new feature of vSphere 6.5 is the ability to also encrypt vMotion traffic.
  • Applying least privilege: limit services, permissions, and access to the minimum required, to reduce the attack surface.

Objective 1.2 for VCP6.5-DCV differs considerably from the same objective for VCP6-DCV, because of the security and hardening changes between vSphere 6.0 and vSphere 6.5.

Hardening is the process of enhancing the security of a system, a service, or an entire infrastructure by reducing its attack surface and minimizing the exploitable vulnerabilities and the risks related to them.

VMware publishes a set of Security Hardening Guides (https://www.vmware.com/security/hardening-guides.html), including one for the vSphere environment. The vSphere 6.5 Security Configuration Guide is a spreadsheet listing the possible hardening actions and guidelines, each classified by risk profile. It also ships with some example scripts for automating the checks and settings.

The vSphere 6.5 Security Configuration Guide isn't a compliance tool: it can help you reach compliance, but nothing in it is enforced automatically. It is a set of guidelines that explains each security risk and the recommended setting; actually applying and verifying those settings requires other tools or manual configuration.
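Because the guide is not enforced by itself, the practical step is to audit the hosts against it and fix any drift. The following PowerCLI script is an added example written for this section; it is not code from the book or one of the guide's own scripts. It assumes VMware PowerCLI is installed and the account used has rights to change host settings. The advanced-setting names and the service keys (TSM, TSM-SSH) are real ESXi identifiers covered by the guide, but the desired values in $Desired, and the lockdown-mode target, are assumptions for illustration: take the actual values from the spreadsheet for the risk profile that applies to your environment.

```powershell
<#
  Added example (not from the book or from VMware's SCG scripts):
  audit a handful of ESXi hardening items with PowerCLI and, with -Remediate,
  correct any drift. Without -Remediate the script only reports.
  The setting names are real ESXi advanced settings; the desired values
  below are ASSUMED and must be checked against the guide for your risk profile.
#>
param(
    [Parameter(Mandatory)] [string] $VCenter,
    [switch] $Remediate
)

Connect-VIServer -Server $VCenter | Out-Null

$Desired = [ordered]@{
    'UserVars.ESXiShellInteractiveTimeOut'    = 900    # idle shell/SSH session timeout (s)
    'UserVars.ESXiShellTimeOut'               = 600    # auto-disable shell/SSH services (s)
    'UserVars.DcuiTimeOut'                    = 600    # idle DCUI timeout (s)
    'Security.AccountLockFailures'            = 5      # failed logins before lockout
    'Security.AccountUnlockTime'              = 900    # lockout duration (s)
    'UserVars.SuppressShellWarning'           = 0      # keep the "shell enabled" warning
    'Config.HostAgent.plugins.solo.enableMob' = $false # Managed Object Browser off
    'Net.BlockGuestBPDU'                      = 1      # drop BPDU frames sent by guests
}

$report = foreach ($vmhost in Get-VMHost) {
    # Lockdown mode is reported only: switching it on can lock an operator
    # out of the DCUI, so it is deliberately never remediated here.
    $lockdown = $vmhost.ExtensionData.Config.LockdownMode
    [pscustomobject]@{
        Host = $vmhost.Name; Item = 'LockdownMode'
        Current = "$lockdown"; Desired = 'lockdownNormal or lockdownStrict'
        Compliant = ("$lockdown" -ne 'lockdownDisabled'); Remediated = $false
    }

    foreach ($name in $Desired.Keys) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
        if (-not $setting) { continue }   # setting absent on this host build
        $want  = $Desired[$name]
        # Compare as strings: the API returns ints, strings and booleans.
        $ok    = ("$($setting.Value)" -eq "$want")
        $fixed = $false
        if (-not $ok -and $Remediate) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value $want -Confirm:$false | Out-Null
            $fixed = $true
        }
        [pscustomobject]@{
            Host = $vmhost.Name; Item = $name
            Current = $setting.Value; Desired = $want
            Compliant = $ok; Remediated = $fixed
        }
    }

    # Least privilege on services: ESXi Shell (TSM) and SSH (TSM-SSH) should be
    # stopped and must not start automatically with the host.
    foreach ($svc in Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -in 'TSM','TSM-SSH' }) {
        $ok    = (-not $svc.Running) -and ($svc.Policy -eq 'off')
        $fixed = $false
        if (-not $ok -and $Remediate) {
            if ($svc.Running) { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
            Set-VMHostService -HostService $svc -Policy Off | Out-Null
            $fixed = $true
        }
        [pscustomobject]@{
            Host = $vmhost.Name; Item = "Service:$($svc.Key)"
            Current = "Running=$($svc.Running) Policy=$($svc.Policy)"
            Desired = 'Running=False Policy=off'
            Compliant = $ok; Remediated = $fixed
        }
    }
}

# vSphere 6.5 can encrypt vMotion per VM (disabled / opportunistic / required).
# Reported only: the right value depends on every host in the cluster supporting it.
$vmEncryption = Get-VM | Select-Object Name,
    @{ N = 'vMotionEncryption'; E = { $_.ExtensionData.Config.MigrateEncryption } }

$report | Format-Table -AutoSize
$vmEncryption | Where-Object { $_.vMotionEncryption -eq 'disabled' } | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it first without -Remediate to get a drift report per host; only after reviewing the report, and after confirming the values against the guide, run it again with -Remediate. Lockdown mode and vMotion encryption are intentionally left read-only because both can break operations (console access, migrations to older hosts) if changed blindly.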

The vSphere Security guide contains in-depth information on how to secure ESXi hosts (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-A706C6C6-DF07-455B-99B9-5B8F8580F1EB.html) and vCenter Server components (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-8C5F5839-37EC-409E-8C46-C8AD146CBC73.html), and is also available as a single PDF:
https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-652-security-guide.pdf