Hardening ESXi checklist
Transcript of Hardening ESXi checklist
-
7/17/2019 Hardening ESXi checklist
1/64
ID | Product | Version | Component | Subcomponent
apply-patches | vSphere | 5.5 | ESXi | Install
config-firewall-access | vSphere | 5.5 | ESXi | Communication
config-ntp | vSphere | 5.5 | ESXi | Communication
config-persistent-logs | vSphere | 5.5 | ESXi | Logging
config-snmp | vSphere | 5.5 | ESXi | Communication
create-local-admin | vSphere | 5.5 | ESXi | Access
disable-dcui | vSphere | 5.5 | ESXi | Console
disable-esxi-shell | vSphere | 5.5 | ESXi | Console
disable-mob | vSphere | 5.5 | ESXi | Communication
disable-ssh | vSphere | 5.5 | ESXi | Console
enable-ad-auth | vSphere | 5.5 | ESXi | Access
enable-auth-proxy | vSphere | 5.5 | ESXi | Communication
enable-chap-auth | vSphere | 5.5 | ESXi | Storage
enable-host-profiles | vSphere | 5.5 | ESXi | Logging
enable-lockdown-mode | vSphere | 5.5 | ESXi | Console
enable-remote-dump | vSphere | 5.5 | ESXi | Logging
enable-remote-syslog | vSphere | 5.5 | ESXi | Logging
esxi-no-self-signed-certs | vSphere | 5.5 | ESXi | Communication
limit-cim-access | vSphere | 5.5 | ESXi | Console
mask-zone-san | vSphere | 5.5 | ESXi | Storage
remove-authorized-keys | vSphere | 5.5 | ESXi | Console
remove-revoked-certificates | vSphere | 5.5 | ESXi | Communication
set-dcui-access | vSphere | 5.5 | ESXi | Console
set-password-complexity | vSphere | 5.5 | ESXi | Access
set-shell-interactive-timeout | vSphere | 5.5 | ESXi | Console
set-shell-timeout | vSphere | 5.5 | ESXi | Console
unique-chap-secrets | vSphere | 5.5 | ESXi | Storage
verify-acceptance-level-accepted | vSphere | 5.5 | ESXi | Install
verify-acceptance-level-certified | vSphere | 5.5 | ESXi | Install
verify-acceptance-level-supported | vSphere | 5.5 | ESXi | Install
verify-admin-group | vSphere | 5.5 | ESXi | Access
verify-config-files | vSphere | 5.5 | ESXi | Console
verify-dvfilter-bind | vSphere | 5.5 | ESXi | Communication
verify-install-media | vSphere | 5.5 | ESXi | Install
verify-kernel-modules | vSphere | 5.5 | ESXi | Install
vmdk-zero-out | vSphere | 5.5 | ESXi | Storage

Title
apply-patches: Keep ESXi system properly patched.
config-firewall-access: Configure the ESXi host firewall to restrict access to services running on the host.
config-ntp: Configure NTP time synchronization.
config-persistent-logs: Configure persistent logging for all ESXi hosts.
config-snmp: Ensure proper SNMP configuration.
create-local-admin: Create a non-root user account for local admin access.
disable-dcui: Disable DCUI to prevent local administrative control.
disable-esxi-shell: Disable ESXi Shell unless needed for diagnostics or troubleshooting.
disable-mob: Disable Managed Object Browser (MOB).
disable-ssh: Disable SSH.
enable-ad-auth: Use Active Directory for local user authentication.
enable-auth-proxy: When adding ESXi hosts to Active Directory, use the vSphere Authentication Proxy to protect passwords.
enable-chap-auth: Enable bidirectional CHAP, also known as Mutual CHAP, authentication for iSCSI traffic.
enable-host-profiles: Configure Host Profiles to monitor and alert on configuration changes.
enable-lockdown-mode: Enable lockdown mode to restrict remote access.
enable-remote-dump: Configure a centralized location to collect ESXi host core dumps using the "ESXi Dump Collector".
enable-remote-syslog: Configure remote logging for ESXi hosts.
esxi-no-self-signed-certs: Do not use the default self-signed certificates for ESXi communication; replace them with CA-signed certificates if required by local policy.
limit-cim-access: Do not provide administrator level access (i.e. root) to CIM-based hardware monitoring tools or other 3rd party applications.
mask-zone-san: Mask and zone SAN resources appropriately.
remove-authorized-keys: Remove keys from the SSH authorized_keys file.
remove-revoked-certificates: Remove revoked SSL certificates from the ESXi server.
set-dcui-access: Set DCUI.Access to allow trusted users to override lockdown mode.
set-password-complexity: Establish a password policy for password complexity.
set-shell-interactive-timeout: Set a timeout to automatically terminate idle ESXi Shell and SSH sessions.
set-shell-timeout: Set a timeout to limit how long the ESXi Shell and SSH services are allowed to run.
unique-chap-secrets: Ensure uniqueness of CHAP authentication secrets.
verify-acceptance-level-accepted: Verify Image Profile and VIB Acceptance Levels.
verify-acceptance-level-certified: Verify Image Profile and VIB Acceptance Levels.
verify-acceptance-level-supported: Verify Image Profile and VIB Acceptance Levels.
verify-admin-group: Verify Active Directory group membership for the "ESX Admins" group.
verify-config-files: Verify contents of exposed configuration files.
verify-dvfilter-bind: Prevent unintended use of dvfilter network APIs.
verify-install-media: Verify the integrity of the installation media before installing ESXi.
verify-kernel-modules: Verify no unauthorized kernel modules are loaded on the host.
vmdk-zero-out: Zero out VMDK files prior to deletion.

Vulnerability Discussion [Risk Profile; Control Type]
(Cells that overflowed the page are cut short in the transcript.)

apply-patches [1,2,3; Operational]: By staying up to date on ESXi patches, vulnerabilities in the hypervisor can be mitigated. An educated attacker can exploit known vulnerabilities when attempting to attain access or elevate privileges on an ESXi host.

config-firewall-access [1,2,3; Configuration]: Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.

config-ntp [1,2,3; Parameter]: By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC),

config-persistent-logs [1,2,3; Parameter]: ESXi can be configured to store log files on an in-memory filesystem. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done only a single day's worth of logs are stored at any time; in addition, log files

config-snmp [1,2,3; Parameter]: If SNMP is not being used, it should remain disabled. If it is being used, the proper trap destination should be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use

create-local-admin [1,2,3; Configuration]: By default each ESXi host has a single "root" admin account that is used for local administration and to connect the host to vCenter Server. To avoid sharing a common root account, it is recommended on each host to create at least one named

disable-dcui [1; Parameter]: The DCUI allows for low-level host configuration such as configuring IP address, hostname and root password as well as diagnostic capabilities such as enabling the ESXi shell, viewing log files, restarting agents, and resetting

disable-esxi-shell [1,2,3; Parameter]: ESXi Shell is an interactive command line environment available from the DCUI or remotely via SSH. Access to this mode requires the root password of the server. The ESXi Shell can be turned on and off for individual hosts. Activities

disable-mob [1,2,3; Parameter]: The managed object browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host; it enables configurations to be changed as well. This interface is meant to be used primarily for debugging the

disable-ssh [1,2,3; Parameter]: The ESXi shell, when enabled, can be accessed directly from the host console through the DCUI or remotely using SSH. Remote access to the host should be limited to the vSphere Client, remote command-line tools (vCLI/PowerCLI), and

enable-ad-auth [1,2,3; Configuration]: Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse

enable-auth-proxy [1,2,3; Parameter]: If you configure your host to join an Active Directory domain using Host Profiles, the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid having to save Active Directory credentials in the Host

enable-chap-auth [1,2,3; Parameter]: vSphere allows for the use of bidirectional authentication of both the iSCSI target and host. Choosing not to enforce more stringent authentication can make sense if you create a dedicated network or VLAN to service all your iSCSI devices.

enable-host-profiles [1,2,3; Parameter]: Monitoring for configuration drift and unauthorized changes is critical to ensuring the security of an ESXi host. Host Profiles provide an automated method for monitoring host configurations against an established template and for

enable-lockdown-mode [1,2,3; Parameter]: Enabling lockdown mode disables direct access to an ESXi host, requiring the host be managed remotely from vCenter Server. This is done to ensure the roles and access controls implemented in vCenter are always enforced and users

enable-remote-dump [1,2,3; Parameter]: When a host crashes, an analysis of the resultant core dump is essential to being able to identify the cause of the crash and identify a resolution. Installing a centralized dump collector helps ensure that core files are successfully saved and made

enable-remote-syslog [1,2,3; Parameter]: Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host you can more easily monitor all hosts with a single tool. You can also do aggregate analysis and

esxi-no-self-signed-certs [1,2,3; Configuration]: A host has self-signed certificates when first deployed, but these can be replaced by certificate authority (CA)-signed certificates if required by local policy. Self-signed certificates can be as secure as certificates that are issued by an external

limit-cim-access [1,2,3; Operational]: The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. To ensure that the CIM interface remains secure, provide only the minimum access necessary to these

mask-zone-san [1,2,3; Operational]: You should use zoning and LUN masking to segregate SAN activity. For example, you manage zones defined for testing independently within the SAN so they do not interfere with activity in the production zones. Similarly, you can set up

remove-authorized-keys [1,2,3; Configuration]: ESXi hosts come with SSH, which can be enabled to allow remote access without requiring password authentication. To enable password-free access, copy the remote user's public key into the "/etc/ssh/keys-root/authorized_keys" file on the

remove-revoked-certificates [1,2,3; Operational]: By default, each ESXi host does not have CRL checking available. Revoked certificates must be checked and removed manually. These are typically custom generated certificates from a corporate certificate authority or 3rd party authority.

set-dcui-access [1,2,3; Parameter]: Lockdown disables direct host access, requiring that admins manage hosts from vCenter Server. However, if a host becomes isolated from vCenter Server, the admin is locked out and can no longer manage the host. To avoid becoming

set-password-complexity [1,2,3; Parameter]: ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. It is important to use passwords that are not easily guessed and that are difficult for password generators to determine. Note, ESXi imposes no restrictions

set-shell-interactive-timeout [1,2,3; Parameter]: If a user forgets to log out of their SSH session the idle connection will remain indefinitely, increasing the potential for someone to gain privileged access to the host. The ESXiShellInteractiveTimeOut allows you to automatically

set-shell-timeout [1,2,3; Parameter]: When the ESXi Shell or SSH services are enabled on a host they will run indefinitely. To avoid having these services left running, set the ESXiShellTimeOut. The ESXiShellTimeOut defines a window of time after which the ESXi Shell and SSH

unique-chap-secrets [1,2,3; Parameter]: The mutual authentication secret for each host should be different; if possible, the secret should be different for each client authenticating to the server as well. This ensures that if a single host is compromised, an attacker cannot create

verify-acceptance-level-accepted [2; Parameter]: Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by

verify-acceptance-level-certified [1; Parameter]: Same discussion as verify-acceptance-level-accepted.

verify-acceptance-level-supported [3; Parameter]: Same discussion as verify-acceptance-level-accepted.

verify-admin-group [1,2,3; Configuration]: The AD group used by vSphere is defined by the "esxAdminsGroup" attribute; by default this attribute is set to "ESX Admins". All members of the "ESX Admins" group are granted full administrative access to all ESXi hosts in the

verify-config-files [1; Operational]: Although most configurations on ESXi are controlled via an API, there are a limited set of configuration files that are used directly to govern host behavior. These specific files are exposed via the vSphere HTTPS-based file transfer API. Any

verify-dvfilter-bind [1,2,3; Parameter]: If you are not using products that make use of the dvfilter network API (e.g. VMSafe), the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, thereby

verify-install-media [1,2,3; Operational]: Always check the SHA1 hash after downloading an ISO, offline bundle, or patch to ensure integrity and authenticity of the downloaded files. If you obtain physical media from VMware and the security seal is broken, return the software

verify-kernel-modules [1,2,3; Operational]: VMware provides digital signatures for kernel modules. By default the ESXi host does not permit loading of kernel modules that lack a valid digital signature. However, this behavior can be overridden, allowing unauthorized kernel

vmdk-zero-out [1,2; Operational]: To help prevent sensitive data in VMDK files from being read off the physical disk after it is deleted, the virtual disk should be zeroed out prior to deletion. This will make it more difficult for someone to reconstruct the contents of the

Assessment Procedure
(Cells that overflowed the page are cut short in the transcript.)

apply-patches: Employ a process to keep ESXi hosts up to date with patches in accordance with industry standards and internal guidelines. VMware Update Manager is an automated tool that can greatly assist with this. VMware also publishes Advisories on security patches, and offers a way to subscribe to email alerts for them.

config-firewall-access: From the vSphere web client, select the host and go to "Manage" -> "Security Profile". In the "Firewall" section select "Edit...". For each enabled service (e.g. ssh, vSphere Web Access, http client) provide a range of allowed IP addresses.

config-ntp: From the vSphere web client select the host and click "Manage" -> "Time Configuration" and click the "Edit..." button. Provide the name/IP of your NTP servers, start the NTP service and change the startup policy to "Start and stop with host". Notes: verify the NTP firewall ports are open. It is recommended to synchronize the ESXi clock with a time server that is located on the management

config-persistent-logs: Log on to the ESXi shell and run "ls -al /" to verify "/scratch" is not linked to "/tmp/scratch". If "/scratch" is linked to "/tmp/scratch", change it to a persistent datastore. First, identify the datastore path where you want to place scratch, then log in to the vSphere web client, navigate to the host and select "Manage" -> "Advanced System Settings", and enter "Syslog.global.LogDir" in the filter. Set the

config-snmp: From the ESXi Shell or vCLI run "esxcli system snmp get" to determine if SNMP is being used. If SNMP is not being used, make sure that it is disabled by running "esxcli system snmp set --enable false". If SNMP is being used, refer to the vSphere Monitoring and Performance guide, chapter 8, for steps to configure the required parameters. Notes: (1) SNMP must be configured on each ESXi host. (2) you

create-local-admin: Local ESXi user accounts cannot be created using the vSphere web client; you must use the vSphere Client. Connect directly to the ESXi host using the vSphere Client. Log in as root. Select the "Local Users & Groups" tab and add a local user; be sure to grant shell access to this user. Then select the "Permissions" tab and assign the "Administrator" role to the user. Repeat this for each ESXi host.

disable-dcui: From the vSphere web client select the host and select "Manage" -> "Security Profile". Scroll down to "Services" and click "Edit...". Select "Direct Console UI", click "Stop" and change the Startup Policy to "Start and Stop Manually". Note: consider using Lockdown mode to restrict access to the DCUI as opposed to disabling the DCUI. If the DCUI is disabled and the host becomes isolated from vCenter

disable-esxi-shell: From the DCUI: select "Troubleshooting Options" from the main menu and use the ESXi Shell entry (it reads "Enable ESXi Shell" while the shell is off and "Disable ESXi Shell" while it is on) to disable the shell. From the vSphere web client select the host and select "Manage" -> "Security Profile". Scroll down to "Services" and click "Edit...". Select "ESXi Shell", click "Stop" and change the Startup Policy to "Start and Stop Manually". Note: A host warning is displayed in the vSphere web client anytime the ESXi

disable-mob: To determine if the MOB is enabled run the following command from the ESXi shell: "vim-cmd proxysvc/service_list". To disable the MOB run 'vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"'. Note: You cannot disable the MOB while a host is in lockdown mode.

disable-ssh: From the DCUI main menu select "Troubleshooting Options" -> "Disable SSH". From the vSphere web client select the host and select "Manage" -> "Security Profile". Scroll down to "Services" and click "Edit...". Select "SSH", click "Stop" and change the Startup Policy to "Start and Stop Manually". Notes: A host warning is displayed in the vSphere web client anytime SSH is enabled on a host. If the

enable-ad-auth: From the vSphere Web Client, select the host and go to "Manage" -> "Authentication Services" and click the "Join Domain" button. Provide the domain name along with the user credentials for an AD user that has the rights to join computers to the domain. Notes: (1) you can use Host Profiles to automate adding hosts to an AD domain. (3) Consider using the vSphere Authentication proxy to

enable-auth-proxy: Install and configure the Authentication proxy. From the vSphere web client, navigate to "Host Profiles", select the host profile, select "Manage" -> "Edit Host profile". Expand "Security and Services" -> "Security Settings" -> "Authentication Configuration". Select "Active Directory configuration" and set the "Join Domain Method" to "Use vSphere Authentication Proxy to add the

enable-chap-auth: In the vSphere Client navigate to the host and select "Configuration" -> "Storage Adapters" -> "iSCSI Initiator Properties" -> "CHAP" -> "CHAP (Target Authenticates Host)". Verify "Use CHAP" is selected with a Name and a "Secret" configured.

enable-host-profiles: Configure a reference ESXi host with the desired configuration and use the host to create a Host Profile. Attach the host profile to other hosts with identical hardware configurations. Monitor the hosts' compliance with the host profile from the vSphere Client. Note: a separate Host Profile is needed for different hardware configurations.

enable-lockdown-mode: From the DCUI: 1. Log in directly to the ESXi host. 2. Open DCUI on the host. 3. Press F2 for Initial Setup. 4. Toggle the Configure Lockdown Mode setting. From the vSphere web client, select the host then select "Manage" -> "Security Profile". Scroll down to "Lockdown Mode" and click "Edit...". Select the Enable Lockdown Mode checkbox. DO NOT use with the "disable-dcui" guideline. If the DCUI is

enable-remote-dump: Step 1: Install and configure a dump collector (ESXi Dump Collector). Step 2: From the ESXi Shell or vCLI enable remote dump collection for each host using the "esxcli system coredump network set" command.

enable-remote-syslog: Step 1: Install or enable a syslog host (vSphere Syslog Collector recommended). Step 2: From the vSphere web client select the host and click "Manage" -> "Advanced System Settings", and enter "Syslog.global.logHost" in the filter. Set "Syslog.global.logHost" to the hostname of your syslog server. Note: when setting a remote log host it is also recommended to set the

esxi-no-self-signed-certs: Connect to each ESX/ESXi host with an internet browser, https://<hostname>/. View the details of the SSL certificate and determine if it is issued by a trusted CA, either commercial or organizational. To change SSL certificates refer to KB http://kb.vmware.com/kb/2057340

limit-cim-access: Create a limited-privilege service account for CIM and other 3rd party applications. This account should access the system via vCenter, and needs to be provided only the "CIM Interaction" privilege. This will enable the account to obtain a CIM ticket, which can then be used to perform both read and write CIM operations on the target host. If an account must connect to the host directly, then this

mask-zone-san: Zoning and masking capabilities for each SAN switch and disk array are vendor specific, as are the tools for managing LUN masking.
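The config-persistent-logs, enable-remote-dump and enable-remote-syslog procedures above each end in an esxcli call whose arguments the transcript cuts off. The script below is an added example written for this page, not the guide's own text: it assesses the three guidelines from the output of `esxcli system syslog config get`, `esxcli system coredump network get` and the /scratch symlink, and issues the full remediation sequence, including the `syslog` firewall ruleset, which has to be enabled or remote syslog never leaves the host. The log host, datastore path, vmk interface, collector address and the exact shape of the esxcli output are assumptions; away from a host it replays constructed sample output through fake_esxcli instead of calling the real tool.

```shell
#!/bin/sh
# Added example for this page (not VMware's text): assess and remediate
# enable-remote-syslog, enable-remote-dump and config-persistent-logs.
# On an ESXi host ESXCLI resolves to the real esxcli; elsewhere it falls back
# to fake_esxcli, which replays constructed sample output (shape assumed).

ESXCLI="${ESXCLI:-$(command -v esxcli || echo fake_esxcli)}"
SCRATCH="${SCRATCH:-/scratch}"   # symlink inspected by config-persistent-logs

# Constructed sample: no remote log host, logs on the ramdisk, dump collector off.
fake_esxcli() {
  case "$*" in
    *"syslog config get"*)
      printf '   %s\n' 'Default Rotation Size: 1024' 'Default Rotations: 8' \
        'Log Output: /tmp/scratch/log' 'Log To Unique Subdirectory: false' \
        'Remote Host: <none>' ;;
    *"coredump network get"*)
      printf '   %s\n' 'Enabled: false' 'Host VNic: ' \
        'Network Server IP: ' 'Network Server Port: 0' ;;
    *) echo "esxcli $*" ;;          # remediation calls just echo what would run
  esac
}

# field KEY  <-  "   Key: value" lines on stdin; prints the value
field() { sed -n "s/^ *$1: *//p"; }

syslog_remote_host() { $ESXCLI system syslog config get | field "Remote Host"; }
syslog_log_output()  { $ESXCLI system syslog config get | field "Log Output"; }
coredump_enabled()   { $ESXCLI system coredump network get | field "Enabled"; }

# scratch_persistent -> 0 unless $SCRATCH is the ramdisk link /tmp/scratch
scratch_persistent() {
  target=$(readlink "$SCRATCH" 2>/dev/null || echo "$SCRATCH")
  case "$target" in /tmp/scratch*) return 1 ;; *) return 0 ;;
  esac
}

# logging_findings -> one line per failing guideline; return value = count
logging_findings() {
  n=0
  case "$(syslog_remote_host)" in
    ""|"<none>") echo "enable-remote-syslog: no remote log host configured"; n=$((n+1)) ;;
  esac
  case "$(syslog_log_output)" in
    /tmp/*) echo "config-persistent-logs: logs written to ramdisk $(syslog_log_output)"; n=$((n+1)) ;;
  esac
  scratch_persistent || { echo "config-persistent-logs: $SCRATCH links to /tmp/scratch"; n=$((n+1)); }
  [ "$(coredump_enabled)" = "true" ] || { echo "enable-remote-dump: network core dump disabled"; n=$((n+1)); }
  return $n
}

# logging_remediate LOGHOST LOGDIR VMK COLLECTOR_IP PORT
# Applies the checklist's remediation; with fake_esxcli it only echoes the commands.
logging_remediate() {
  $ESXCLI system syslog config set --loghost="$1" --logdir="$2"
  $ESXCLI system syslog reload
  # Remote syslog leaves the host only if the syslog firewall ruleset is open.
  $ESXCLI network firewall ruleset set --ruleset-id=syslog --enabled=true
  $ESXCLI system coredump network set --interface-name="$3" --server-ipv4="$4" --server-port="$5"
  $ESXCLI system coredump network set --enable=true
  $ESXCLI system coredump network check
}

case "${1:-}" in
  --check) logging_findings ;;
  --apply) logging_remediate udp://loghost.example.org:514 \
             /vmfs/volumes/datastore1/.locker vmk0 192.0.2.10 6500 ;;
esac
```

Run it as `sh logging-posture.sh --check` on a host (exit status is the number of failing guidelines) and `--apply` with the placeholder values replaced by your own; `esxcli system coredump network check` at the end confirms the collector actually answered.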
remove-authorized-keys: For day-to-day operations disable SSH on your ESXi hosts. In the event that SSH is enabled, even temporarily, monitor the contents of "/etc/ssh/keys-root/authorized_keys" to ensure no users are allowed to access the host without proper authentication. To check for SSH keys added to the authorized_keys file, log on to the ESXi shell as root and verify the /etc/ssh/keys-root/authorized_keys

remove-revoked-certificates: Use the script called out in "verify-ssl-certificates" in the vCenter Server section to assess if there are revoked SSL certificates on your ESXi server. If a revoked certificate is found, replace the SSL certificate with a valid one.

set-dcui-access: From the vSphere client, select the host and select "Manage" -> "Advanced System Settings". Type "DCUI.Access" in the filter. Set the "DCUI.Access" attribute to a comma-separated list of the users who are allowed to override lockdown mode. Notes: by default only the "root" user is a member of the DCUI.Access list. It is not recommended to remove root from the DCUI.Access list as this will revoke

set-password-complexity: Ensure the "password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4" entry in the /etc/pam.d/passwd file, as outlined in the vSphere Security Guide, "Users and Permissions" chapter, meets local requirements.

set-shell-interactive-timeout: From the DCUI: select "Troubleshooting Options" -> "Modify ESXi Shell and SSH Timeouts". Modify the ESXiShellInteractiveTimeout to the desired value. Note: the ESXi Shell and SSH services must be disabled in order to modify the setting from the DCUI. From the vSphere web client select the host and click "Manage" -> "Advanced System Settings" and type ESXiShellInteractiveTimeOut in the filter.

set-shell-timeout: From the DCUI: select "Troubleshooting Options" -> "Modify ESXi Shell and SSH Timeouts". Modify the ESXiShellTimeout to the desired value. Note: the ESXi Shell and SSH services must be disabled in order to modify the setting from the DCUI. From the vSphere web client select the host and click "Manage" -> "Advanced System Settings" and type ESXiShellTimeOut in the filter. Set the attribute to

unique-chap-secrets: In the vSphere Web Client navigate to the host and select "Manage" -> "Storage Adapters" -> "iSCSI Initiator Properties" -> "Authentication" -> "Edit". Verify that a different authentication secret is configured for each ESXi host.

verify-acceptance-level-accepted: STEP 1: Connect to each ESX/ESXi host using the ESXi Shell or vCLI and execute the command "esxcli software acceptance get" to verify the acceptance level for the host is set to either "VMwareCertified" or "VMwareAccepted". STEP 2: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software vib list" and verify the acceptance level for each VIB is set to

verify-acceptance-level-certified: STEP 1: Connect to each ESX/ESXi host using the ESXi Shell or vCLI and execute the command "esxcli software acceptance get" to verify the acceptance level for the host is set to "VMwareCertified". STEP 2: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software vib list" and verify the acceptance level for each VIB is set to "VMwareCertified".

verify-acceptance-level-supported: STEP 1: Connect to each ESX/ESXi host using the ESXi Shell or vCLI and execute the command "esxcli software acceptance get" to verify the acceptance level for the host is set to either "VMwareCertified", "VMwareAccepted", or "PartnerSupported". STEP 2: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software vib list" and verify the acceptance level for each VIB is
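The Console guidelines (disable-dcui, disable-esxi-shell, disable-ssh, enable-lockdown-mode, set-shell-timeout and set-shell-interactive-timeout) are each assessed above with a separate chkconfig, esxcli or vim-cmd call. The script below is an added example for this page, not part of the guide: it folds those checks into one pass over a host and reports every failing guideline by ID. The output shapes of chkconfig, of the esxcli CSV formatter and of vim-cmd are assumptions based on the commands the checklist itself uses; away from a host it replays constructed sample output (SSH left enabled, both timeouts at the shipped default of 0, lockdown off) through the fake_* functions.

```shell
#!/bin/sh
# Added example for this page (not VMware's text): one-pass assessment of the
# Console guidelines. Real tools are used when present; otherwise the fake_*
# functions replay constructed sample output whose shape is an assumption.

CHKCONFIG="${CHKCONFIG:-$(command -v chkconfig || echo fake_chkconfig)}"
ESXCLI="${ESXCLI:-$(command -v esxcli || echo fake_esxcli)}"
VIMCMD="${VIMCMD:-$(command -v vim-cmd || echo fake_vimcmd)}"

# Constructed sample: DCUI and ESXShell off, SSH still starting at boot,
# both shell timeouts 0 (never), lockdown mode off.
fake_chkconfig() {
  awk -v want="${2:-}" '$1 == want || want == "" { print }' <<EOF
DCUI            off
ESXShell        off
SSH             on
EOF
}
fake_esxcli() {
  echo 'Path,Int Value,'
  case "$*" in
    *ESXiShellInteractiveTimeOut*) echo '/UserVars/ESXiShellInteractiveTimeOut,0,' ;;
    *ESXiShellTimeOut*)            echo '/UserVars/ESXiShellTimeOut,0,' ;;
  esac
}
fake_vimcmd() { echo false; }

# service_state NAME -> "on"/"off": does chkconfig start the service at boot?
service_state() { $CHKCONFIG --list "$1" | awk -v s="$1" '$1 == s { print $2 }'; }

# adv_int PATH -> integer value of an advanced option (the checklist's CSV query)
adv_int() {
  $ESXCLI --formatter=csv --format-param=fields="Path,Int Value" \
      system settings advanced list -o "$1" | awk -F, -v p="$1" '$1 == p { print $2 }'
}

# lockdown_enabled -> 0 when the host reports lockdown mode on
lockdown_enabled() {
  [ "$($VIMCMD -U dcui vimsvc/auth/lockdown_is_enabled)" = "true" ]
}

# console_findings -> one line per failing guideline; return value = count
console_findings() {
  n=0
  for pair in DCUI:disable-dcui ESXShell:disable-esxi-shell SSH:disable-ssh; do
    svc=${pair%%:*}; id=${pair#*:}
    state=$(service_state "$svc")
    [ "$state" = "off" ] || { echo "$id: $svc is '${state:-unknown}', expected off"; n=$((n+1)); }
  done
  for pair in ESXiShellTimeOut:set-shell-timeout \
              ESXiShellInteractiveTimeOut:set-shell-interactive-timeout; do
    opt=${pair%%:*}; id=${pair#*:}
    v=$(adv_int "/UserVars/$opt")
    # 0 is the shipped default and means the timeout never fires
    [ "${v:-0}" -gt 0 ] || { echo "$id: $opt is ${v:-unset} (0 = never)"; n=$((n+1)); }
  done
  lockdown_enabled || { echo "enable-lockdown-mode: lockdown mode is off"; n=$((n+1)); }
  return $n
}

case "${1:-}" in
  --check) console_findings ;;
esac
```

Run `sh console-posture.sh --check` on each host; the exit status is the number of failing guidelines. Each finding maps to the remediation column further down the checklist: `chkconfig SSH off` plus `/etc/init.d/SSH stop`, `esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i <seconds>` (and the interactive counterpart), and `vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter`, the counterpart of the lockdown_mode_exit call the checklist lists (assumed here from that listing, not shown in the transcript).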
verify-admin-group: From Active Directory, monitor the membership of the group whose name is defined by the advanced host setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" (default is "ESX Admins"; as with any default group, consider changing this name to avoid possible exploits) and verify only authorized user and group accounts are members of this group. If full admin access for the AD ESX admins group is

verify-config-files: ESXi configuration files can be found by browsing to https://<hostname>/host (not available if MOB is disabled). NOTE: not all the files listed are modifiable. The files can also be retrieved using the vCLI or PowerCLI. Implement a procedure to track the files and their contents over time to ensure that they are not improperly modified. Be sure not to monitor log files and other files whose content is

verify-dvfilter-bind: If a dvfilter-based network security appliance is not being used on the host, ensure that the following kernel parameter has a blank value: /Net/DVFilterBindIpAddress. From the vSphere web client select the host and click "Manage" -> "Advanced System Settings". Enter "Net.DVFilterBindIpAddress" in the filter and verify "Net.DVFilterBindIpAddress" has an empty value. If an appliance is being used, then

verify-install-media: After downloading media use the MD5 sum value to verify the integrity of the download. Compare the MD5 sum output with the value posted on the VMware website. Notes: each operating system will have a different method/tool for checking MD5 sum values. For Microsoft you can download an add-on product as identified in http://support.microsoft.com/kb/841290. For Mac OS use the "md5"

verify-kernel-modules: Each ESXi host should be monitored for unsigned kernel modules. To list all the loaded kernel modules, from the ESXi Shell or vCLI run "esxcli system module list". For each module verify the Signed Status field contains a trusted value, for example "VMware Signed", by running "esxcli system module get -m <module>". Secure the host by disabling unsigned modules and removing the

vmdk-zero-out: When deleting a VMDK file with sensitive data, shut down or stop the virtual machine, and then issue the CLI command "vmkfstools --writezeroes" on that file prior to deleting it from the datastore.
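The three verify-acceptance-level guidelines and verify-kernel-modules both come down to walking a list and comparing every entry against a trust threshold. The script below is an added example for this page, not the guide's own procedure: it ranks the four acceptance levels so a host can be audited against whichever level its risk profile requires, and checks the Signed Status of every loaded module the way the verify-kernel-modules step describes. The CSV field names and the key/value shape of `esxcli system module get` output are assumptions; away from a host it replays constructed sample output through fake_esxcli.

```shell
#!/bin/sh
# Added example for this page (not VMware's text): audit installed VIBs
# against a required acceptance level and flag loaded kernel modules that are
# not VMware-signed. ESXCLI resolves to the real esxcli on a host; elsewhere it
# falls back to fake_esxcli, which replays constructed sample output.

ESXCLI="${ESXCLI:-$(command -v esxcli || echo fake_esxcli)}"

# Constructed sample: two VIBs below VMwareAccepted and one unsigned module.
# CSV field names and the "Signed Status" line are assumptions about esxcli.
fake_esxcli() {
  case "$*" in
    *"software vib list"*)
      printf '%s\n' 'Name,AcceptanceLevel,' 'esx-base,VMwareCertified,' \
        'net-e1000e,VMwareCertified,' 'scsi-hpsa,PartnerSupported,' \
        'mycorp-agent,CommunitySupported,' ;;
    *"system module list"*)
      printf '%s\n' 'Name,IsLoaded,' 'vmkernel,true,' 'procfs,true,' \
        'dvfilter,false,' 'rogue,true,' ;;
    *"system module get -m rogue")
      printf '   %s\n' 'Module: rogue' 'Signed Status: Unsigned' ;;
    *"system module get -m "*)
      printf '   %s\n' 'Signed Status: VMware Signed' ;;
  esac
}

# level_rank LEVEL -> 4..1 for the four acceptance levels, 0 for anything else
level_rank() {
  case "$1" in
    VMwareCertified)    echo 4 ;;
    VMwareAccepted)     echo 3 ;;
    PartnerSupported)   echo 2 ;;
    CommunitySupported) echo 1 ;;
    *)                  echo 0 ;;
  esac
}

# vibs_below_level REQUIRED -> "name level" for each VIB ranked below REQUIRED
vibs_below_level() {
  need=$(level_rank "$1")
  $ESXCLI --formatter=csv --format-param=fields="Name,AcceptanceLevel" software vib list \
  | awk -F, 'NR > 1 && $1 != "" { print $1, $2 }' \
  | while read -r name level; do
      if [ "$(level_rank "$level")" -lt "$need" ]; then echo "$name $level"; fi
    done
}

# unsigned_modules -> "name status" for loaded modules not reported "VMware Signed"
unsigned_modules() {
  $ESXCLI --formatter=csv --format-param=fields="Name,IsLoaded" system module list \
  | awk -F, 'NR > 1 && $2 == "true" { print $1 }' \
  | while read -r mod; do
      status=$($ESXCLI system module get -m "$mod" | sed -n 's/^ *Signed Status: *//p')
      if [ "$status" != "VMware Signed" ]; then echo "$mod ${status:-unknown}"; fi
    done
}

# audit REQUIRED_LEVEL -> prints findings; returns 1 if there are any
audit() {
  rc=0
  bad=$(vibs_below_level "$1")
  if [ -n "$bad" ]; then printf 'VIBs below %s:\n%s\n' "$1" "$bad"; rc=1; fi
  uns=$(unsigned_modules)
  if [ -n "$uns" ]; then printf 'Loaded modules not VMware-signed:\n%s\n' "$uns"; rc=1; fi
  return $rc
}

case "${1:-}" in
  --check) audit "${2:-VMwareAccepted}" ;;
esac
```

Run `sh vib-audit.sh --check VMwareCertified` for risk profile 1, `--check VMwareAccepted` for profile 2 and `--check PartnerSupported` for profile 3, matching the desired values the checklist lists for the three guidelines. Note that `esxcli software acceptance get` only reports the host's floor for future installs; the per-VIB walk is what catches a VIB that was installed with `--force` below that floor.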

ID | Configuration File | Configuration Parameter | Desired Value
apply-patches | N/A | N/A | N/A
config-firewall-access | N/A | N/A | Site Specific
config-ntp | /etc/ntp.conf | N/A | Site Specific
config-persistent-logs | N/A | Syslog.global.logDir | Site Specific
config-snmp | /etc/vmware/snmp.xml | N/A | Site Specific
create-local-admin | N/A | N/A | N/A
disable-dcui | N/A | N/A | Stopped
disable-esxi-shell | N/A | N/A | Stopped
disable-mob | N/A | N/A | Remove Service
disable-ssh | N/A | N/A | Stopped
enable-ad-auth | N/A | N/A | N/A
enable-auth-proxy | N/A | N/A | Site Specific
enable-chap-auth | N/A | Use CHAP, Name, Secret | Site Specific
enable-host-profiles | N/A | N/A | N/A
enable-lockdown-mode | N/A | vimsvc/auth/lockdown_is_enabled | Enabled
enable-remote-dump | N/A | N/A | N/A
enable-remote-syslog | N/A | Syslog.global.logHost | Site Specific
esxi-no-self-signed-certs | N/A | N/A | N/A
limit-cim-access | N/A | N/A | N/A
mask-zone-san | N/A | N/A | N/A
remove-authorized-keys | /etc/ssh/keys-root/authorized_keys | N/A | N/A
remove-revoked-certificates | N/A | N/A | N/A
set-dcui-access | N/A | DCUI.Access | N/A or list of authorized users
set-password-complexity | /etc/pam.d/passwd | password requisite /lib/security/$ISA/pam_passwdqc.so | Site Specific
set-shell-interactive-timeout | N/A | UserVars.ESXiShellInteractiveTimeOut | Site Specific
set-shell-timeout | N/A | UserVars.ESXiShellTimeOut | Site Specific
unique-chap-secrets | N/A | Secret | Site dependent
verify-acceptance-level-accepted | N/A | N/A | VMwareCertified, VMwareAccepted
verify-acceptance-level-certified | N/A | N/A | VMwareCertified
verify-acceptance-level-supported | N/A | N/A | VMwareCertified, VMwareAccepted, PartnerSupported
verify-admin-group | N/A | N/A | N/A
verify-config-files | N/A | N/A | N/A
verify-dvfilter-bind | N/A | Net.DVFilterBindIpAddress | empty
verify-install-media | N/A | N/A | N/A
verify-kernel-modules | N/A | N/A | N/A
vmdk-zero-out | N/A | N/A | N/A

7/17/2019 Hardening ESXi checklist
21/64
Change Type Is desired value the default?
Update N/A
Modify NO
Modify NO
Modify
When booting from a local disk YES.
When booting from USB/SD or when
using Auto Deploy NO.
Modify N/A
N/A NO
Modify NO
Modify YES
Remove NO
Modify YES
-
7/17/2019 Hardening ESXi checklist
22/64
N/A N/A
Modify NO
modify NO
N/A NO
Modify NO
Modify NO
Modify NO
Configuration NO
N/A N/A
N/A N/A
-
7/17/2019 Hardening ESXi checklist
23/64
N/A YES
N/A N/A
Modify NO
Modify YES
Modify NO
Modify NO
modify NO
Verify NO
Verify NO
Verify YES
-
7/17/2019 Hardening ESXi checklist
24/64
N/A N/A
N/A N/A
Modify YES
N/A N/A
YES
N/A N/A
-
7/17/2019 Hardening ESXi checklist
25/64
vSphere API
https://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.PatchManag
er.Status.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSyste
m.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.DateTimeSys
tem.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionMa
nager.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.SnmpSystem
.html
N/A
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSyste
m.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSyste
m.html
N/A
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSyste
m.html
-
7/17/2019 Hardening ESXi checklist
26/64
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.ActiveDirect
oryAuthentication.html
http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.ActiveDirect
oryAuthentication.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.InternetScsi
Hba.AuthenticationProperties.html
http://pubs.vmware.com/vsphere-
55/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc%2Fvim.
profile.host.HostProfile.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.HostSystem.html
N/A
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionMa
nager.html
N/A
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.LocalAccoun
tManager.html
N/A
-
7/17/2019 Hardening ESXi checklist
27/64
N/A
N/A
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionMa
nager.html
N/A
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionMa
nager.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionMa
nager.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.InternetScsi
Hba.AuthenticationProperties.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.ImageConfig
Manager.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.ImageConfig
Manager.html
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.host.ImageConfig
Manager.html
-
7/17/2019 Hardening ESXi checklist
28/64
N/A
N/A
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionMa
nager.html
N/A
N/A
http://pubs.vmware.com/vsphere-
55/topic/com.vmware.wssdk.apiref.doc/vim.VirtualDiskManag
er.html
-
7/17/2019 Hardening ESXi checklist
29/64
ESXi Shell Command Assessment
# esxcli software profile get / # esxcli software vib get
#List all services: ls /etc/init.d #get service status:
/etc/init.d/[SERVICE] status
N/A
# esxcli system syslog config get
# esxcli system snmp get
N/A
# chkconfig --list DCUI
# chkconfig --list ESXShell
vim-cmd proxysvc/service_list
# chkconfig --list SSH
-
7/17/2019 Hardening ESXi checklist
30/64
TBD
N/A
# esxcli iscsi adapter auth chap get
N/A
# To check if Lockdown mode is enabled: vim-cmd -U dcui
vimsvc/auth/lockdown_is_enabled
esxcli system coredump network get
# esxcli system syslog config get
N/A
N/A
N/A
-
7/17/2019 Hardening ESXi checklist
31/64
N/A
N/A
vim-cmd hostsvc/advopt/view DCUI.Access
N/A
# esxcli --formatter=csv --format-param=fields="Path,Int
Value" system settings advanced list | grep
/UserVars/ESXiShellInteractiveTimeOut
# esxcli --formatter=csv --format-param=fields="Path,Int
Value" system settings advanced list | grep
/UserVars/ESXiShellTimeOut
# esxcli iscsi adapter auth chap get
# esxcli software acceptance get # esxcli software vib list
# esxcli software acceptance get # esxcli software vib list
# esxcli software acceptance get # esxcli software vib list
-
7/17/2019 Hardening ESXi checklist
32/64
N/A
N/A
# esxcli --formatter=csv --format-param=fields="Path,Int
Value" system settings advanced list | grep
/Net/DVFilterBindIpAddress
N/A
# esxcli system modules get -m
N/A
-
7/17/2019 Hardening ESXi checklist
33/64
ESXi Shell Command Remediation
# esxcli software profile update / # esxcli software vib update
# /etc/init.d/[SERVICE] stop
N/A
# esxcli system syslog config set --logDir
# Configure Community String
esxcli system snmp set --communities [COMMUNITY]
# Configure SNMP Target
N/A
# chkconfig DCUI off
#stop ESXi Shell: /etc/init.d/ESXShell stop
#disable ESXi Shell: chkconfig ESXShell off
vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"
# /etc/init.d/SSH stop # chkconfig SSH off
TBD
N/A
# esxcli iscsi adapter auth chap set
N/A
# To disable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
# To enable Lockdown mode: vim-cmd -U
# Configure remote Dump Collector Server
esxcli system coredump network set -v [VMK#] -i [DUMP_SERVER] -o [PORT]
# Enable remote Dump Collector
# esxcli system syslog config set --loghost
# esxcli system syslog reload
N/A
N/A
N/A
N/A
N/A
vim-cmd hostsvc/advopt/update DCUI.Access string [USERS]
N/A
# esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i
# esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i
# esxcli iscsi adapter auth chap set
Note: You can include the option --direction uni or --direction mutual accordingly for shell
# esxcli software acceptance set --level
# esxcli software acceptance set --level
# esxcli software acceptance set --level
N/A
N/A
# esxcli system settings advanced set -o /Net/DVFilterBindIpAddress -d
N/A
# esxcli system modules set -e false -m
# vmkfstools -w
vCLI Command Assessment
# esxcli software profile get / # esxcli software vib get
N/A
# vicfg-ntp --list
# esxcli system syslog config get
# esxcli system snmp get
N/A
N/A
N/A
N/A
N/A
vicfg-authconfig --authscheme AD --currentdomain
# vicfg-authconfig --authscheme AD --currentdomain
# esxcli iscsi adapter auth chap get
N/A
N/A
esxcli system coredump network get
# esxcli system syslog config get
N/A
N/A
N/A
N/A
N/A
N/A
N/A
# esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellInteractiveTimeOut
# esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellTimeOut
# esxcli iscsi adapter auth chap get
# esxcli software acceptance get # esxcli software vib list
# esxcli software acceptance get # esxcli software vib list
# esxcli software acceptance get # esxcli software vib list
N/A
N/A
# esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /Net/DVFilterBindIpAddress
N/A
# esxcli system modules get -m
N/A
vCLI Command Remediation
# esxcli software profile update / # esxcli software vib update
N/A
# vicfg-ntp --add
# esxcli system syslog config set --logDir
# Configure Community String
esxcli system snmp set --communities [COMMUNITY]
# Configure SNMP Target
N/A
N/A
N/A
N/A
N/A
vicfg-authconfig --authscheme AD --joindomain
# vicfg-authconfig --authscheme AD --joindomain
# esxcli iscsi adapter auth chap set
N/A
N/A
# Configure remote Dump Collector Server
esxcli system coredump network set -v [VMK#] -i [DUMP_SERVER] -o [PORT]
# Enable remote Dump Collector
# esxcli system syslog config set --loghost
# esxcli system syslog reload
N/A
N/A
N/A
N/A
N/A
N/A
N/A
# esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i
# esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i
# esxcli iscsi adapter auth chap set
# esxcli software acceptance set --level
# esxcli software acceptance set --level
# esxcli software acceptance set --level
N/A
N/A
# esxcli system settings advanced set -o /Net/DVFilterBindIpAddress -d
N/A
# esxcli system modules set -e false -m
# vmkfstools -w
PowerCLI Command Assessment
# VMware Update Manager PowerCLI Cmdlets can be used to check this feature
# List all services for a host
Get-VMHost HOST1 | Get-VMHostService
# List the services which are enabled and have rules defined for specific IP ranges to access the service
# List the NTP Settings for all hosts
Get-VMHost | Select Name, @{N="NTPSetting";E={$_ | Get-VMHostNtpServer}}
# List Syslog.global.logDir for each host
Get-VMHost | Select Name, @{N="Syslog.global.logDir";E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logDir | Select -ExpandProperty Values}}
# List the SNMP Configuration of a host (single host connection required)
Get-VMHost | Get-VMHostSnmp
N/A
# List DCUI settings for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq "DCUI" }
# Check if ESXi Shell is running and set to start
Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM" } | Select VMHost, Key, Label, Policy, Running, Required
N/A
# Check if SSH is running and set to start
Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM-SSH" } | Select VMHost, Key, Label, Policy, Running, Required
# Check each host and their domain membership status
Get-VMHost | Get-VMHostAuthentication | Select VmHost, Domain, DomainMembershipStatus
# Check the host profile is using vSphere Authentication proxy to add the host to the domain
Get-VMHost | Select Name, `
@{N="HostProfile";E={$_ | Get-VMHostProfile}},
# List Iscsi Initiator and CHAP Name if defined
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapName}}
# To check if Lockdown mode is enabled
Get-VMHost | Select Name, @{N="Lockdown";E={$_.Extensiondata.Config.adminDisabled}}
# List the network coredump configuration for each host
Foreach ($VMHost in Get-VMHost) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.system.coredump.network.get()
}
# List Syslog.global.logHost for each host
Get-VMHost | Select Name, @{N="Syslog.global.logHost";E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logHost | Select -ExpandProperty Values}}
function Test-WebServerSSL {
# Function original location: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=60
# List all user accounts on the Host -Host Local connection required-
Get-VMHostAccount
N/A
N/A
Use the script in the vCenterServer-verify-SSL-certificates guideline to assess the status of installed certificates
N/A
# List UserVars.ESXiShellInteractiveTimeOut for each host
Get-VMHost | Select Name, @{N="UserVars.ESXiShellInteractiveTimeOut";E={$_ | Get-VMHostAdvancedConfiguration UserVars.ESXiShellInteractiveTimeOut | Select -ExpandProperty Values}}
# List UserVars.ESXiShellTimeOut for each host
Get-VMHost | Select Name, @{N="UserVars.ESXiShellTimeOut";E={$_ | Get-VMHostAdvancedConfiguration UserVars.ESXiShellTimeOut | Select -ExpandProperty Values}}
# List Iscsi Initiator and CHAP Name if defined
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapName}}
# List the Software AcceptanceLevel for each host
Foreach ($VMHost in Get-VMHost) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$VMHost | Select Name, @{N="AcceptanceLevel";E={$ESXCli.software.acceptance.get()}}
}
# List the Software AcceptanceLevel for each host
Foreach ($VMHost in Get-VMHost) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$VMHost | Select Name, @{N="AcceptanceLevel";E={$ESXCli.software.acceptance.get()}}
}
# List the Software AcceptanceLevel for each host
Foreach ($VMHost in Get-VMHost) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$VMHost | Select Name, @{N="AcceptanceLevel";E={$ESXCli.software.acceptance.get()}}
}
N/A
N/A
# List Net.DVFilterBindIpAddress for each host
Get-VMHost | Select Name, @{N="Net.DVFilterBindIpAddress";E={$_ | Get-VMHostAdvancedConfiguration Net.DVFilterBindIpAddress | Select -ExpandProperty Values}}
# Check the SHA1 hash of the download with the following function
Function Get-SHA1 {
Param (
# List the system modules and Signature Info for each host
Foreach ($VMHost in Get-VMHost) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.system.module.list() | Foreach {
PowerCLI Command Remediation
# VMware Update Manager PowerCLI Cmdlets can be used to check this feature
N/A
# Set the NTP Settings for all hosts
$NTPServers = "pool.ntp.org", "pool2.ntp.org"
Get-VMHost | Add-VmHostNtpServer $NTPServers
# Set Syslog.global.logDir for each host
Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Syslog.global.logDir -Value "NewLocation" }
# Update the host SNMP Configuration (single host connection required)
Get-VmHostSNMP | Set-VMHostSNMP -Enabled:$true -ReadOnlyCommunity 'secret'
# Set DCUI to start manually rather than automatic for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq "DCUI" } | Set-VMHostService -Policy Off
# Set ESXi Shell to start manually rather than automatic for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM" } | Set-VMHostService -Policy Off
N/A
# Set SSH to start manually rather than automatic for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM-SSH" } | Set-VMHostService -Policy Off
# Join the ESXI Host to the Domain
Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain domain.local -User Administrator -Password Passw0rd -JoinDomain
# Join the ESXI Host to the Domain
Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain domain.local -User Administrator -Password Passw0rd -JoinDomain
# Set the Chap settings for the Iscsi Adapter
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Set-VMHostHba # Use desired parameters here
# Enable lockdown mode for each host
Get-VMHost | Foreach { $_.ExtensionData.EnterLockdownMode() }
# Configure the remote Dump Collector for each host
Foreach ($VMHost in Get-VMHost) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.system.coredump.network.set($null, "[VMK#]", "[DUMP SERVER]", "[PORT]")
}
# Set Syslog.global.logHost for each host
Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Syslog.global.logHost -Value "NewLocation" }
N/A
# Create a new host user account -Host Local connection required-
New-VMHostAccount -ID ServiceUser -Password pass -UserAccount
N/A
N/A
N/A
N/A
# Set UserVars.ESXiShellInteractiveTimeOut to 900 on all hosts
Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name UserVars.ESXiShellInteractiveTimeOut -Value 900 }
# Set UserVars.ESXiShellTimeOut to 900 on all hosts
Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name UserVars.ESXiShellTimeOut -Value 900 }
# Set the Chap settings for the Iscsi Adapter
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Set-VMHostHba # Use desired parameters here
# Set the Software AcceptanceLevel for each host
Foreach ($VMHost in Get-VMHost) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.software.acceptance.Set("VMwareCertified")
}
# Set the Software AcceptanceLevel for each host
Foreach ($VMHost in Get-VMHost) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.software.acceptance.Set("VMwareCertified")
}
# Set the Software AcceptanceLevel for each host
Foreach ($VMHost in Get-VMHost) {
$ESXCli = Get-EsxCli -VMHost $VMHost
$ESXCli.software.acceptance.Set("VMwareCertified")
}
N/A
N/A
# Set Net.DVFilterBindIpAddress to null on all hosts
Get-VMHost HOST1 | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Net.DVFilterBindIpAddress -Value "" }
N/A
# To disable a module:
$ESXCli = Get-EsxCli -VMHost MyHost
$ESXCli.system.module.set($false, $false, "MyModuleName")
Negative Functional Impact
Only systems in the IP whitelist/ACL will be able to connect to services on the ESXi server
Disabling the DCUI can create a potential "lock out" situation should the host become isolated from vCenter Server. To recover from a "lock out" scenario requires re-installing ESXi. Consider leaving DCUI
The MOB will no longer be available for diagnostics. Some 3rd party tools use this interface to gather information. Testing should be done after disabling the MOB to verify 3rd party applications are still
There are some operations, such as backup and troubleshooting, that require direct access to the host. In these cases Lockdown Mode can be disabled on a temporary basis for specific hosts as needed, and then
Disabling the SSH "authorized_keys" access may limit your ability to remotely run commands on a host without providing a valid login (e.g. prevent the ability to run unattended remote scripting).
Use of revoked certificates could leave your system open to attack.
Third party VIBs tested by VMware partners are not allowed on the host. This could include some device drivers, CIM modules, and other add-on software. Host customization using custom VIBs is not allowed.
No VMware partner VIBs are allowed on the host, to include non-VMware written device drivers, CIM modules, and other third party software. Host customization using custom VIBs is not allowed.
Host customization using custom VIBs is not allowed.
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vcli.examples.doc/cli_manage_hosts.4.4.html
This will prevent a dvfilter-based network security appliance from functioning
Reference / Able to set using Host Profile?
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.update_manager.doc/GUID-EF6BEE4C-4583-4A8C-81B9-5B074CA2E272.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-DD4322FF-3DC4-4716-8819-6688938F99D7.html YES
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-2553C86E-7981-4F79-B9FC-A6CECA52F6CC.html YES
http://kb.vmware.com/kb/1033696
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID- YES
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.monitoring.doc/GUID-8EF36D7D-59B6-4C74-B1AA-4A9D18AB6250.html YES
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.hostclient.doc/GUID-670B9B8C-3810-4790-AC83-57142A9FE16F.html YES
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6779F098-48FE-4E22-B116-A8353D19FF56.html YES
http://kb.vmware.com/kb/2004746
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID- YES
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-0EF83EA7-277C-400B-B697-04BDC9173EA3.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-12E27BF3-3769-4665-8769-DA76C2BC9FFE.html YES
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-28650C2C-93E3-4C00-B78A-7B785AA42D92.html YES
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-084B74BD-40A5-4A4B-A82C-0C9912D580DC.html YES
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.storage.doc/GUID-AC65D747-728F-4109-96DD-49B433E2F266.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.hostprofiles.doc/GUID-78BB234A-D735-4356-9CCF-19DD55DB8060.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-88B24613-E8F9-40D2-B838-225F5FF480FF.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-64213886-7181-4767-9ED5-D8C989B9ECAE.html YES
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html YES
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-AC7E6DD7-F984-4E0F-983A-463031BA5FE7.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.cimsdk.smashpg.doc/03_CIM_SMASH_PG_Use_Cases.5.1.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-BFE9046A-2278-4026-809A-ED8F9D8FDACE.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-ED477079-1E7E-4EBA-AAFE-019FB335DABC.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6779F098-48FE-4E22-B116-A8353D19FF56.html YES
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-DC96FFDB-F5F2-43EC-8C73-05ACDAE6BE43.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-94F0C54F-05E3-4E16-8027-0280B9ED1009.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-94F0C54F-05E3-4E16-8027-0280B9ED1009.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.storage.doc/GUID-AC65D747-728F-4109-96DD-49B433E2F266.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.AuthenticationManager.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.hostprofiles.doc/GUID-78BB234A-D735-4356-9CCF-19DD55DB8060.html NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.ext_solutions.doc/GUID-6013E15D-92CE-4970-953C-ACCB36ADA8AD.html NO
http://kb.vmware.com/kb/1537 NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-E9B71B85-FBA3-447C-8A60-DEE2AE1A405A.html
http://kb.vmware.com/kb/2042473 NO
http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.storage.doc/GUID-050C0FEE-2C75-4356-B9E0-CC802333FF41.html NO
Covered by VCM?
No
Yes
Yes
Yes
No
No
Yes
Yes
No
Yes
Yes
No
Yes
Yes
Yes
No
Yes
No
No
No
No
No
Yes
No
Yes
Yes
No
No
No
No
No
No
Yes
No
No
No