ESXi – Hardening
– vCenter Hardening –
Configure vSphere SSO lockout policy max attempts to match ESXi.
Configure vSphere SSO lockout policy unlock time to match ESXi.
Ensure vSphere SSO domain password policies are correct for your site.
Ensure vCenter Server management interfaces are isolated on their own network segment or as part of an isolated ESXi management network.
Ensure that the “Forged Transmits” policy is set to reject.
Ensure that the “MAC Address Changes” policy is set to reject.
Ensure that the “Promiscuous Mode” policy is set to reject.
Ensure that participation in CDP or LLDP is intentional.
Ensure that NetFlow traffic is being sent to authorized collectors.
Ensure that VMs do not have port security settings that allow them to operate outside policy.
Ensure that port mirroring is being used legitimately.
Ensure vCenter Server is a version with active maintenance by VMware.
Limit access to vCenter Server by restricting DCLI.
Limit access to vCenter Server by restricting SSH.
Ensure password expiration for the root user is correct for your site.
Configure File-Based Backup and Recovery.
Configure the vCenter Server firewall for additional defense-in-depth.
Remove unnecessary NICs.
Configure remote logging.
Configure vCenter Server timekeeping.
Ensure vCenter Server is up to date.
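The three virtual-switch items above (“Forged Transmits”, “MAC Address Changes” and “Promiscuous Mode” set to reject) are the ones most easily verified in bulk. The following PowerCLI script is an added audit example, not part of the original checklist: it connects to a vCenter Server, lists every standard vSwitch, standard port group and distributed switch whose security policy still accepts one of these, and remediates only when run with -Remediate. The vCenter hostname is a placeholder, and the script assumes the VMware.VimAutomation.Core and VMware.VimAutomation.Vds PowerCLI modules are installed.

```powershell
# Added audit example (not from the original checklist): report, and optionally
# fix, vSwitch security policies that do not reject forged transmits, MAC
# address changes or promiscuous mode. Hostname below is a placeholder.
param(
    [string]$VCenter = 'vcenter.example.invalid',   # placeholder, replace with your own
    [switch]$Remediate                             # default is report-only
)

Import-Module VMware.VimAutomation.Core
Import-Module VMware.VimAutomation.Vds
Connect-VIServer -Server $VCenter | Out-Null

# Emit one finding per policy flag that is $true (accept) instead of $false (reject).
function Get-NonCompliantPolicy {
    param($Owner, $Policy, [string]$Kind)
    foreach ($name in 'AllowPromiscuous', 'ForgedTransmits', 'MacChanges') {
        if ($Policy.$name -eq $true) {
            [pscustomobject]@{
                Kind    = $Kind
                Name    = $Owner.Name
                Setting = $name
                Value   = 'Accept'
            }
        }
    }
}

$findings = @()

# Standard vSwitches: Get-SecurityPolicy / Set-SecurityPolicy from the Core module.
foreach ($vss in Get-VirtualSwitch -Standard) {
    $findings += Get-NonCompliantPolicy -Owner $vss -Policy ($vss | Get-SecurityPolicy) -Kind 'vSwitch'
    if ($Remediate) {
        $vss | Get-SecurityPolicy |
            Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false | Out-Null
    }
}

# Standard port groups can override the parent vSwitch, so check them separately.
foreach ($pg in Get-VirtualPortGroup -Standard) {
    $findings += Get-NonCompliantPolicy -Owner $pg -Policy ($pg | Get-SecurityPolicy) -Kind 'PortGroup'
    if ($Remediate) {
        $pg | Get-SecurityPolicy |
            Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false | Out-Null
    }
}

# Distributed switches: Get-VDSecurityPolicy / Set-VDSecurityPolicy from the Vds module.
foreach ($vds in Get-VDSwitch) {
    $findings += Get-NonCompliantPolicy -Owner $vds -Policy ($vds | Get-VDSecurityPolicy) -Kind 'VDSwitch'
    if ($Remediate) {
        $vds | Get-VDSecurityPolicy |
            Set-VDSecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false | Out-Null
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false

if ($findings.Count -eq 0) {
    Write-Output 'All switch security policies are set to reject.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it once without -Remediate and review the findings first: as the CDP/LLDP, NetFlow and port-mirroring items note, some accept settings are intentional (a nested ESXi lab or a monitoring appliance that needs promiscuous mode, for example), and those should be documented as approved exceptions rather than flipped blindly.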
Sources and useful links