Beyond the new security features included with VMware vSphere 6.5, such as vMotion encryption and ESXi secure boot,...
there are a variety of other practices that can help secure both the hypervisor and individual virtual machines. Timeouts, lockdown mode and acceptance-level checks are just some procedures to look into to help bolster security in your vSphere environment.
One of the best practices for hypervisor security is enforcing the concept of least privilege -- essentially, prohibiting access to all unnecessary features and functionality to all except the fewest authorized users. For example, rather than using root user access for ESXi management, assign specific roles or tasks to specific named users or groups through vCenter Server. That improves security in your vSphere environment, because no one is accessing something they shouldn't be.
It's also a sound practice to apply aggressive timeouts to ESXi or Secure Shell (SSH) access to improve VMware vSphere security. This helps to ensure that an administrator who leaves their computer doesn't leave physical access open for an intruder. It'd be a pain to lock or power off every time you briefly left your computer.
Network communication depends on open ports in a firewall, so checking and minimizing the number of open ports can help to secure ESXi hosts from unexpected intrusion.
When even tighter security is appropriate in your vSphere environment, invoking ESXi lockdown mode will prevent ESXi host access, except through vCenter Server. VSphere supports multifactor authentication using smart cards, rather than usernames and passwords, ensuring management access relies on the possession of a physical device. And it's always prudent to implement an ESXi account lockout, which locks out an account after 10 failed logon attempts.
VMware vSphere Security can also benefit from standardization, using scripts or templates to automate common ESXi host management tasks in your vSphere environment. This minimizes manual variations, error or oversights that can open unexpected security vulnerabilities. You can also employ scripts and templates to spin up and configure standardized VMs to meet minimum security requirements.
Take advantage of acceptance levels to check the integrity of each vSphere installation bundle (VIB) package. This prevents adding a VIB to an ESXi host, unless the acceptance level of the VIB is equal or better than the host -- often prohibiting community-supported or partner-supported VIBs where malware might lurk.
There are some additional precautions that can help to secure individual virtual machines. For example, it's important to secure guest operating systems by testing and deploying OS patches and updates in a timely manner.
If you deploy antimalware, antispyware or other security tools in VMs, update these tools diligently to maintain their effectiveness in a vSphere environment. Minimize user access to VM consoles to mitigate user control over VM power management and removable devices -- cutting off common avenues of attack on VMs.
Test your vSphere 6.5 knowledge with this quiz
Enhanced logging gives vSphere 6.5 security a boost
How does vMotion encryption improve vSphere security?
Dig Deeper on Troubleshooting VMware products
Related Q&A from Stephen J. Bigelow
Your power users will want to be the first in line to try out upcoming features through the Office 365 targeted release program. Set up early access ... Continue Reading
Many compatibility issues can arise when moving VMs to the public cloud. Watch out for compatibility problems with partitions, OSes and image formats... Continue Reading
To migrate a VM and its dependencies from a local data center to a public cloud, use the forklift method to prepare the VM for migration, deploy the ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.