ESX/ESXi Host Security Hardening Guide

• Installation

1. Verify integrity of software before installation, check SHA1 hash after downloading.

• Storage

1. Ensure mutual-CHAP for iSCSI authentication
2.  Unique CHAP secret for each host for iSCSI
3. Maks and zone SAN resource appropriately

• Host communication

1. Replace self-signed certificate with commercial or trusted CA
2. Configure SSL timeout, certificate non default location
3. Disable managed object browser. proxy.xml file
4. ESX only, disable vSphere Web Access
5. Ensure that ESX is configure to encrypt all sessions in proxy.xml file. httpswith Redirect or httpsOnly

• Logging for ESXi only

1. Configure remote syslog
2. Configure persistent logging (by default 1 day or after reboot)
3. Configure NTP time synchronizaiton with internal server

• Management

1. Control access by CIM-based hardware monitoring tools.create a service account, instead of root
2. For ESXi, properly configure SNMP. If not using SNMP, disalbe snmp service.
3. For ESXi, maintain the integrity of configuration file.
4. Prevent the unintended use of VMsafe CPU/memory or VMsafe-Net

• ESXi host console DCUI

1. Ensure only authorized users have access to DCUI (the users in localadmin group)
2.  Enable lockdown mode to restrict remote root access; prevent API-based access by root account
3.  Make sure root account is not a member of any groups other than defaults.
4. Disable technical support mode (TSM via Out-of-Band access)