
ESXi – Hardening



Automatically unlock a locked account after a specific amount of time.
Desired Value: 900

get-vmhost | Get-AdvancedSetting Security.AccountUnlockTime | Format-Table Entity, Name, Value

Set new value:

get-vmhost | Get-AdvancedSetting Security.AccountUnlockTime | Set-AdvancedSetting -Value 900

Set the count of maximum failed login attempts before the account is locked out.
Desired Value: 3

get-vmhost | Get-AdvancedSetting Security.AccountLockFailures | Format-Table Entity, Name, Value

Set new value:

get-vmhost | Get-AdvancedSetting Security.AccountLockFailures | Set-AdvancedSetting -Value 3

Do not permit password reuse.
Desired Value: 5

get-vmhost | Get-AdvancedSetting Security.PasswordHistory | Format-Table Entity, Name, Value

Set new value:

get-vmhost | Get-AdvancedSetting Security.PasswordHistory | Set-AdvancedSetting -Value 5

Establish a policy for password complexity.
Desired Value:
– mix of at least three from the following four character classes:
– lowercase letters
– uppercase letters
– numbers
– and special characters such as underscore or dash

– at least 7 characters and fewer than 40
– Passwords must not contain a dictionary word or part of a dictionary word.

Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Format-Table Entity, Value
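The three lockout/history settings above are plain numbers, but Security.PasswordQualityControl is a pam_passwdqc string that has to be parsed before it can be compared with the policy. The following is an added example (not code from the original page): it audits all four settings on every connected host against the desired values listed above and, with -Remediate, sets the three numeric ones. It assumes an active Connect-VIServer session and the pam_passwdqc syntax "retry=N min=N0,N1,N2,N3,N4 max=N", where N0..N4 are the minimum lengths for passwords built from one class, two classes, passphrases, three classes and four classes, and "disabled" forbids that kind of password entirely.

```powershell
# Added example, not the page's code. Assumes a connected PowerCLI session.

function Test-EsxiPasswordQualityControl {
    # Parses a Security.PasswordQualityControl value and checks it against:
    # at least three character classes, minimum 7 characters, maximum 40.
    param([Parameter(Mandatory)][string]$Value)
    $findings = @()
    if ($Value -match 'min=([^\s]+)') {
        $min = $Matches[1] -split ','
        if ($min.Count -lt 5) {
            $findings += "min= has $($min.Count) fields, expected 5"
        } else {
            # N0/N1 must be "disabled" so one- and two-class passwords are rejected
            if ($min[0] -ne 'disabled' -or $min[1] -ne 'disabled') {
                $findings += 'passwords with fewer than three character classes are allowed'
            }
            # N3/N4: three- and four-class passwords must be at least 7 characters
            foreach ($n in $min[3..4]) {
                if ($n -eq 'disabled' -or [int]$n -lt 7) { $findings += "minimum length '$n' is below 7" }
            }
        }
    } else {
        $findings += 'no min= clause present'
    }
    if ($Value -match 'max=(\d+)' -and [int]$Matches[1] -gt 40) {
        $findings += "maximum length $($Matches[1]) exceeds 40"
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = ($findings -join '; ') }
}

function Get-EsxiAccountPolicyReport {
    param([switch]$Remediate)
    # Desired values from the checklist above
    $desired = [ordered]@{
        'Security.AccountUnlockTime'   = 900
        'Security.AccountLockFailures' = 3
        'Security.PasswordHistory'     = 5
    }
    foreach ($esx in Get-VMHost) {
        foreach ($name in $desired.Keys) {
            $setting = Get-AdvancedSetting -Entity $esx -Name $name
            $ok = ([int]$setting.Value -eq $desired[$name])
            if (-not $ok -and $Remediate) {
                $setting = $setting | Set-AdvancedSetting -Value $desired[$name] -Confirm:$false
                $ok = ([int]$setting.Value -eq $desired[$name])
            }
            [pscustomobject]@{ VMHost = $esx.Name; Setting = $name; Current = $setting.Value
                               Desired = $desired[$name]; Compliant = $ok; Findings = '' }
        }
        # The complexity string is reported only: its exact form is a site decision
        $pq = Get-AdvancedSetting -Entity $esx -Name 'Security.PasswordQualityControl'
        $check = Test-EsxiPasswordQualityControl -Value $pq.Value
        [pscustomobject]@{ VMHost = $esx.Name; Setting = 'Security.PasswordQualityControl'; Current = $pq.Value
                           Desired = '>= 3 classes, 7-40 chars'; Compliant = $check.Compliant; Findings = $check.Findings }
    }
}

# Audit first; add -Remediate once the report looks right
Get-EsxiAccountPolicyReport | Format-Table -AutoSize
```

The report leaves the complexity string untouched on purpose: a wrong value there locks administrators out of password changes, so review the Findings column and set it deliberately per host.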

Use the Authentication Proxy to protect passwords during Active Directory domain joins.

Get-VMHost | Get-VMHostAuthentication | Select-Object VMHost,Domain,DomainMembershipStatus

Use Active Directory for ESXi user authentication.

Get-VMHost | Get-VMHostAuthentication | Select-Object VMHost,Domain,DomainMembershipStatus

Ensure the warning for the potential hyperthreading security vulnerability is not suppressed.
Desired value: 0

get-vmhost | Get-AdvancedSetting UserVars.SuppressHyperthreadWarning | Format-Table Entity, Name, Value
get-vmhost | Get-AdvancedSetting UserVars.SuppressHyperthreadWarning | Set-AdvancedSetting -Value 0

Set a timeout to automatically terminate idle DCUI sessions.
Desired value: 600

get-vmhost | Get-AdvancedSetting UserVars.DcuiTimeOut | Format-Table Entity, Name, Value
get-vmhost | Get-AdvancedSetting UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600

Configure or disable CIM.
Desired value: False

Get-VMHostService -VMHost * | Where-Object {$_.Key -eq 'sfcbd-watchdog'} | Format-Table VMHost, Label, Policy, Running

Disable the Managed Object Browser (MOB).
Desired value: False

get-vmhost | Get-AdvancedSetting Config.HostAgent.plugins.solo.enableMob | Format-Table Entity, Value

Configure or disable SLP.
Desired value: False

Get-VMHostService -VMHost * | Where-Object {$_.Key -eq 'slpd'} | Format-Table VMHost, Label, Policy, Running

Disable SNMP.
Desired value: True

Get-VMHostService -VMHost * | Where-Object {$_.Key -eq 'snmpd'} | Format-Table VMHost, Running

Disable SSH / TSM-SSH.
Desired value: True

get-vmhost | get-vmhostservice | where-object {$_.key -eq "TSM-SSH"} | where {$_.Running -eq "True"} | Format-Table VMHost, Key

Check policy configuration

get-vmhost | get-vmhostservice | where-object {$_.key -eq "TSM-SSH" -or $_.key -eq "TSM"} | Format-Table VMhost, Key, Policy, Running
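The CIM, SLP, SNMP, SSH and ESXi Shell checks above all follow the same pattern: the daemon should be stopped and its startup policy should be Off. The block below is an added example (not the page's code) that runs that check for all five service keys shown on this page and, with -Remediate, stops the service and sets the policy. It assumes a connected PowerCLI session.

```powershell
# Added example, not the page's code. Service keys are the ones used on this page.
function Set-EsxiServiceHardening {
    param(
        [string[]]$ServiceKey = @('sfcbd-watchdog', 'slpd', 'snmpd', 'TSM-SSH', 'TSM'),
        [switch]$Remediate
    )
    foreach ($esx in Get-VMHost) {
        $services = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -in $ServiceKey }
        foreach ($svc in $services) {
            $key = $svc.Key
            $compliant = (-not $svc.Running) -and ($svc.Policy -eq 'off')
            $action = 'none'
            if (-not $compliant -and $Remediate) {
                if ($svc.Running) { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
                # Policy Off: not started with the host; an admin can still start it manually for a support window
                Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
                $svc = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq $key }
                $compliant = (-not $svc.Running) -and ($svc.Policy -eq 'off')
                $action = 'stopped, policy set to Off'
            }
            [pscustomobject]@{ VMHost = $esx.Name; Key = $svc.Key; Label = $svc.Label
                               Running = $svc.Running; Policy = $svc.Policy; Compliant = $compliant; Action = $action }
        }
    }
}

# Dry run first; uncomment the second line to apply
Set-EsxiServiceHardening | Format-Table -AutoSize
# Set-EsxiServiceHardening -Remediate | Format-Table -AutoSize
```

Stopping sfcbd-watchdog also stops CIM-based hardware health reporting, so remove that key from the list on hosts where monitoring depends on it and leave the service configured instead of disabled.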

Configure the ESXi firewall for additional defense-in-depth.
Desired value:

List enabled rules whose “Allowed IP addresses” is not set to “All”

Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -and (-not $_.ExtensionData.AllowedHosts.AllIP)} | Format-Table VMHost, Name, Enabled, IncomingPorts, OutgoingPorts, Protocols, ServiceRunning

List enabled rules whose “Allowed IP addresses” is set to “All”

Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -and ($_.ExtensionData.AllowedHosts.AllIP)} | Format-Table VMHost, Name, Enabled, IncomingPorts, OutgoingPorts, Protocols, ServiceRunning

List enabled rules that are not in the default service list below

$ServiceName = @(
'rabbitmqproxy',
'HPProvider',
'vSphere High Availability Agent',
'NTP Client',
'SSH Server',
'syslog',
'vSphere Web Client',
'VMware vCenter Agent',
'vMotion',
'vCenter update manager',
'trusted-infrastructure-kmxa',
'iofiltervp',
'DNS Client',
'NFC',
'vvold',
'vSphere Web Access'
)

Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -and ($_.Name -notin $ServiceName)} | Format-Table VMHost, Name, IncomingPorts, OutgoingPorts, Protocols
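The three queries above only report. The next block is an added example (not from the original page) that goes one step further: it restricts selected rulesets to the administrative networks you pass in and then prints which enabled rules are still open to any source. It assumes a connected PowerCLI session, the esxcli V2 namespace network.firewall.ruleset with the parameters rulesetid/allowedall and allowedip.add with rulesetid/ipaddress, and the ruleset ids 'sshServer' and 'vSphereClient'; the network 10.10.0.0/24 is a constructed sample. Check the ruleset ids and parameter names against your ESXi build before running it.

```powershell
# Added example, not the page's code. Assumes a connected PowerCLI session.
function Set-EsxiFirewallAllowedNetwork {
    param(
        [Parameter(Mandatory)][string[]]$AllowedNetwork,                  # e.g. '10.10.0.0/24' (constructed sample)
        [string[]]$RulesetId = @('sshServer', 'vSphereClient'),          # assumed default ruleset ids
        [switch]$ReportOnly
    )
    foreach ($esx in Get-VMHost) {
        if (-not $ReportOnly) {
            $esxcli = Get-EsxCli -VMHost $esx -V2
            foreach ($id in $RulesetId) {
                # Switch the ruleset from "all IPs" to an explicit allow list (assumed esxcli parameter names)
                $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = $id; allowedall = $false }) | Out-Null
                foreach ($net in $AllowedNetwork) {
                    # Adding a network that is already present throws; that is harmless here
                    try { $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = $id; ipaddress = $net }) | Out-Null }
                    catch { Write-Verbose "$($esx.Name): ruleset $id already allows $net" }
                }
            }
        }
        # Report every enabled rule; AllowAllIP = True is what still deserves attention
        Get-VMHostFirewallException -VMHost $esx | Where-Object { $_.Enabled } | ForEach-Object {
            $hosts = $_.ExtensionData.AllowedHosts
            $list = @($hosts.IpAddress) + @($hosts.IpNetwork | ForEach-Object { "$($_.Network)/$($_.PrefixLength)" })
            [pscustomobject]@{
                VMHost     = $esx.Name
                RulesetId  = $_.ExtensionData.Key
                Name       = $_.Name
                AllowAllIP = [bool]$hosts.AllIP
                AllowedIPs = (($list | Where-Object { $_ }) -join ',')
                Incoming   = $_.IncomingPorts
            }
        }
    }
}

Set-EsxiFirewallAllowedNetwork -AllowedNetwork '10.10.0.0/24' -ReportOnly | Format-Table -AutoSize
```

Run it with -ReportOnly from a workstation inside the network you intend to allow; once the allow list is applied, management from anywhere else is cut off, including the session that applied it if it came from outside that range.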

Enable UEFI Secure Boot.
Desired value: enabled


Ensure that a TPM 2.0 is installed and enabled on the host.
Desired value: enabled


Hardware firmware is up to date.


Enable bidirectional/mutual CHAP authentication for iSCSI traffic.
Desired value: enabled

Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapName}}

Set DCUI.Access to allow trusted users to override lockdown mode.

Get-VMHost | Get-AdvancedSetting DCUI.Access

Audit the users on the Exception Users List.

Get-VMHost | ForEach-Object { (Get-View -Id (Get-View $_).ConfigManager.HostAccessManager).QueryLockdownExceptions() }

Enable normal lockdown mode to restrict access to ESXi.

(Get-VMHost -Name * | Get-View).Config.LockdownMode

Set the logging informational level.

Get-VMHost | Get-AdvancedSetting Config.HostAgent.log.level| Format-Table Entity, Value

Configure persistent logging.

Get-VMHost | Get-AdvancedSetting Syslog.global.logDir | Format-Table Entity, Value

Validate that the configured log target is successfully receiving information from the ESXi host

esxcli system syslog mark --message "Syslog Test Message"

Configure remote logging.

Get-VMHost | Get-AdvancedSetting Syslog.global.logHost | Format-Table Entity, Value
Get-VMHost | Get-AdvancedSetting Syslog.global.logHost | Set-AdvancedSetting -Value 'udp://<IP ADDRESS>:514'
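The persistent-logging, remote-logging and "send a test message" steps above belong together: set the targets, reload syslog so the change takes effect, then send a mark line and confirm it arrived at the collector. The block below is an added example (not the page's code) that does that from PowerCLI for every host. It assumes a connected session and the esxcli V2 methods system.syslog.reload and system.syslog.mark (parameter message); the datastore path and the collector address are placeholders you must replace.

```powershell
# Added example, not the page's code. Assumes a connected PowerCLI session.
function Set-EsxiSyslogTarget {
    param(
        [Parameter(Mandatory)][string]$LogHost,          # e.g. 'ssl://<COLLECTOR>:1514' or 'udp://<IP ADDRESS>:514'
        [string]$LogDir,                                  # persistent location, e.g. '[datastore1] /scratch/log' (placeholder)
        [string]$Message = 'Syslog Test Message'
    )
    foreach ($esx in Get-VMHost) {
        $wanted = [ordered]@{ 'Syslog.global.logHost' = $LogHost }
        if ($LogDir) { $wanted['Syslog.global.logDir'] = $LogDir }
        foreach ($name in $wanted.Keys) {
            $current = Get-AdvancedSetting -Entity $esx -Name $name
            if ($current.Value -ne $wanted[$name]) {
                $current | Set-AdvancedSetting -Value $wanted[$name] -Confirm:$false | Out-Null
            }
        }
        # Reload so the new targets are used, then emit a mark line to verify delivery (assumed esxcli V2 calls)
        $esxcli = Get-EsxCli -VMHost $esx -V2
        $esxcli.system.syslog.reload.Invoke() | Out-Null
        $stamp = (Get-Date).ToString('s')
        $esxcli.system.syslog.mark.Invoke(@{ message = "$Message $($esx.Name) $stamp" }) | Out-Null
        [pscustomobject]@{
            VMHost  = $esx.Name
            LogHost = (Get-AdvancedSetting -Entity $esx -Name 'Syslog.global.logHost').Value
            LogDir  = (Get-AdvancedSetting -Entity $esx -Name 'Syslog.global.logDir').Value
            MarkSent = "$Message $($esx.Name) $stamp"   # search for this string on the collector
        }
    }
}

Set-EsxiSyslogTarget -LogHost 'ssl://<COLLECTOR>:1514' -LogDir '[datastore1] /scratch/log' | Format-Table -AutoSize
```

The MarkSent column is the exact string to look for on the collector; a host whose mark never shows up is sending logs nowhere, which is the condition the "validate that the configured log target is receiving information" check exists to catch. Prefer the ssl:// transport where the collector supports it so that log traffic is not readable in transit.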

Block guest OS BPDU transmissions.

Get-VMHost | Get-AdvancedSetting Net.BlockGuestBPDU | Format-Table Entity, Value
Get-VMHost | Get-AdvancedSetting Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1

Audit use of dvfilter network APIs.

Get-VMHost | Get-AdvancedSetting Net.DVFilterBindIpAddress | Format-Table Entity, Value

Ensure hardware management controller interfaces are isolated on their own network segment and protected with perimeter access controls.


Ensure ESXi management interfaces are isolated on their own network segment.


Ensure vMotion interfaces are isolated on their own network segment and protected with perimeter access controls.


Ensure vSAN interfaces are isolated on their own network segment and protected with perimeter access controls.


Audit use of server hardware out-of-band management network interfaces.


Ensure that the “Forged Transmits” policy is set to reject on both the vSphere Standard Switch and on its port groups.

Get-VMHost | Get-VirtualSwitch -Standard | Get-SecurityPolicy | Format-List *
Get-VMHost | Get-VirtualPortGroup -Standard | Get-SecurityPolicy | Format-List *

Ensure that the “MAC Address Changes” policy is set to reject on both the vSphere Standard Switch and on its port groups.


Ensure that the “Promiscuous Mode” policy is set to reject on both the vSphere Standard Switch and on its port groups.
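The Forged Transmits, MAC Address Changes and Promiscuous Mode checks above share one subtlety: a port group can either inherit the switch value or override it, so auditing the switch alone is not enough. The following is an added example (not the page's code) that evaluates the effective setting for every standard switch and port group and, with -Remediate, sets all three to reject. It assumes a connected PowerCLI session.

```powershell
# Added example, not the page's code. Assumes a connected PowerCLI session.
function Set-EsxiStandardSwitchSecurity {
    param([switch]$Remediate)
    foreach ($esx in Get-VMHost) {
        foreach ($vss in (Get-VirtualSwitch -VMHost $esx -Standard)) {
            $sw = Get-SecurityPolicy -VirtualSwitch $vss
            if ($Remediate -and ($sw.AllowPromiscuous -or $sw.ForgedTransmits -or $sw.MacChanges)) {
                $sw = $sw | Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false
            }
            [pscustomobject]@{ VMHost = $esx.Name; Object = $vss.Name; Type = 'vSwitch'
                               Promiscuous = $sw.AllowPromiscuous; ForgedTransmits = $sw.ForgedTransmits; MacChanges = $sw.MacChanges
                               Compliant = -not ($sw.AllowPromiscuous -or $sw.ForgedTransmits -or $sw.MacChanges) }
            foreach ($pg in (Get-VirtualPortGroup -VirtualSwitch $vss -Standard)) {
                $pp = Get-SecurityPolicy -VirtualPortGroup $pg
                # Effective value: the switch setting when inherited, otherwise the port group's own override
                $prom = if ($pp.AllowPromiscuousInherited) { $sw.AllowPromiscuous } else { $pp.AllowPromiscuous }
                $forg = if ($pp.ForgedTransmitsInherited)  { $sw.ForgedTransmits }  else { $pp.ForgedTransmits }
                $mac  = if ($pp.MacChangesInherited)       { $sw.MacChanges }       else { $pp.MacChanges }
                if ($Remediate -and ($prom -or $forg -or $mac)) {
                    # Pin the port group to reject explicitly so a later switch change cannot loosen it
                    $pp = $pp | Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false
                    $prom = $false; $forg = $false; $mac = $false
                }
                [pscustomobject]@{ VMHost = $esx.Name; Object = $pg.Name; Type = 'PortGroup'
                                   Promiscuous = $prom; ForgedTransmits = $forg; MacChanges = $mac
                                   Compliant = -not ($prom -or $forg -or $mac) }
            }
        }
    }
}

Set-EsxiStandardSwitchSecurity | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Some port groups legitimately need an accept setting (a nested ESXi lab, a network sensor VM); keep those documented as exceptions and run the report without -Remediate against them, since the remediation above switches every port group to reject.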


Disable ESXi Shell.


Set a timeout to automatically terminate idle ESXi Shell and SSH sessions.

Get-VMHost | Get-AdvancedSetting UserVars.ESXiShellInteractiveTimeOut | Format-Table Entity, Value
Get-VMHost | Get-AdvancedSetting UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600

Set a timeout to limit how long the ESXi Shell and SSH services are allowed to run.

Get-VMHost | Get-AdvancedSetting UserVars.ESXiShellTimeOut | Format-Table Entity, Value

Set new value:

Get-VMHost | Get-AdvancedSetting UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600

Ensure the warning for enabled support and troubleshooting interfaces (ESXi Shell/SSH) is not suppressed.

Get-VMHost | Get-AdvancedSetting UserVars.SuppressShellWarning | Format-Table Entity, Value
Get-VMHost | Get-AdvancedSetting UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 0

ESXi is a version with active maintenance by VMware.


Configure NTP or PTP.

Get-VMHostService -VMHost * | Where-Object {$_.Key -eq 'ntpd'} | Format-Table VMHost, Running, Policy

List NTP Server

Get-VMHost | Sort-Object Name |
    Select-Object Name,
        @{N="NTPServer";E={$_ | Get-VMHostNtpServer}},
        @{N="ServiceRunning";E={(Get-VMHostService -VMHost $_ | Where-Object {$_.Key -eq "ntpd"}).Running}},
        @{N="Policy";E={(Get-VMHostService -VMHost $_ | Where-Object {$_.Key -eq "ntpd"} | Select-Object -ExpandProperty Policy)}}

Ensure that deprecated SSL/TLS protocols are disabled.

Get-VMHost | Get-AdvancedSetting UserVars.ESXiVPsDisabledProtocols | Format-Table Entity, Value

Restrict transparent page sharing to VMs configured with sched.mem.pshare.salt.

Get-VMHost | Get-AdvancedSetting Mem.ShareForceSalting | Format-Table Entity, Value

ESXi is up to date.


Verify Image Profile and VIB Acceptance Levels.


Only run binaries delivered via VIB.

Get-VMHost | Get-AdvancedSetting VMkernel.Boot.execInstalledOnly | Format-Table Entity, Value
Get-VMHost | Get-AdvancedSetting VMkernel.Boot.execInstalledOnly | Set-AdvancedSetting -Value $true
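Many checks on this page (the DCUI and ESXi Shell/SSH timeouts, the two suppressed-warning settings, MOB, BPDU filtering, transparent page sharing salting and execInstalledOnly) are plain advanced settings with a single desired value, so they are best handled as one desired-state table rather than one pipeline each. The block below is an added example (not the page's code) that does that in one pass per host and optionally remediates drift. It assumes a connected PowerCLI session; the value 2 for Mem.ShareForceSalting is my assumption of the setting that limits page sharing to VMs with a matching sched.mem.pshare.salt, since the page states no number for it.

```powershell
# Added example, not the page's code. Assumes a connected PowerCLI session.
# Desired values are the ones listed on this page; Mem.ShareForceSalting = 2 is an assumption.
$DesiredEsxiSettings = @(
    @{ Name = 'UserVars.DcuiTimeOut';                    Value = 600 }
    @{ Name = 'UserVars.ESXiShellInteractiveTimeOut';    Value = 600 }
    @{ Name = 'UserVars.ESXiShellTimeOut';               Value = 600 }
    @{ Name = 'UserVars.SuppressShellWarning';           Value = 0 }
    @{ Name = 'UserVars.SuppressHyperthreadWarning';     Value = 0 }
    @{ Name = 'Config.HostAgent.plugins.solo.enableMob'; Value = $false }
    @{ Name = 'Net.BlockGuestBPDU';                      Value = 1 }
    @{ Name = 'Mem.ShareForceSalting';                   Value = 2 }
    @{ Name = 'VMkernel.Boot.execInstalledOnly';         Value = $true }   # takes effect after a reboot
)

function Test-EsxiAdvancedSettingDrift {
    param([hashtable[]]$Desired = $DesiredEsxiSettings, [switch]$Remediate)
    foreach ($esx in Get-VMHost) {
        $all = Get-AdvancedSetting -Entity $esx          # one round trip per host, then look up by name
        foreach ($d in $Desired) {
            $s = $all | Where-Object { $_.Name -eq $d.Name }
            if (-not $s) {
                # Setting absent on this build: report it instead of silently passing
                [pscustomobject]@{ VMHost = $esx.Name; Setting = $d.Name; Current = '<missing>'
                                   Desired = $d.Value; Compliant = $false; Action = 'verify ESXi version' }
                continue
            }
            # Compare as strings so 600 vs "600" and $true vs True both match
            $ok = ("$($s.Value)" -eq "$($d.Value)")
            $action = 'none'
            if (-not $ok -and $Remediate) {
                $s = $s | Set-AdvancedSetting -Value $d.Value -Confirm:$false
                $ok = ("$($s.Value)" -eq "$($d.Value)")
                $action = 'updated'
            }
            [pscustomobject]@{ VMHost = $esx.Name; Setting = $d.Name; Current = $s.Value
                               Desired = $d.Value; Compliant = $ok; Action = $action }
        }
    }
}

# Show only the drift; add -Remediate to fix it
Test-EsxiAdvancedSettingDrift | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Keep the table under version control next to the rest of your host build standard: a row added there is a new check on every host, and the "missing" rows tell you which settings a given ESXi build does not expose instead of hiding them behind an empty result.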

Sources and useful links

https://via.vmw.com/scg
