hardening esxi checklist

Upload: mobscribe

Post on 07-Jan-2016


Checklist for hardening ESXi


  • 7/17/2019 Hardening ESXi checklist

    1/64

ID | Product | Version | Component | Subcomponent
apply-patches | vSphere | 5.5 | ESXi | Install
config-firewall-access | vSphere | 5.5 | ESXi | Communication
config-ntp | vSphere | 5.5 | ESXi | Communication
config-persistent-logs | vSphere | 5.5 | ESXi | Logging
config-snmp | vSphere | 5.5 | ESXi | Communication
create-local-admin | vSphere | 5.5 | ESXi | Access
disable-dcui | vSphere | 5.5 | ESXi | Console
disable-esxi-shell | vSphere | 5.5 | ESXi | Console
disable-mob | vSphere | 5.5 | ESXi | Communication
disable-ssh | vSphere | 5.5 | ESXi | Console
enable-ad-auth | vSphere | 5.5 | ESXi | Access
enable-auth-proxy | vSphere | 5.5 | ESXi | Communication
enable-chap-auth | vSphere | 5.5 | ESXi | Storage
enable-host-profiles | vSphere | 5.5 | ESXi | Logging
enable-lockdown-mode | vSphere | 5.5 | ESXi | Console
enable-remote-dump | vSphere | 5.5 | ESXi | Logging
enable-remote-syslog | vSphere | 5.5 | ESXi | Logging
esxi-no-self-signed-certs | vSphere | 5.5 | ESXi | Communication
limit-cim-access | vSphere | 5.5 | ESXi | Console
mask-zone-san | vSphere | 5.5 | ESXi | Storage
remove-authorized-keys | vSphere | 5.5 | ESXi | Console
remove-revoked-certificates | vSphere | 5.5 | ESXi | Communication
set-dcui-access | vSphere | 5.5 | ESXi | Console
set-password-complexity | vSphere | 5.5 | ESXi | Access
set-shell-interactive-timeout | vSphere | 5.5 | ESXi | Console
set-shell-timeout | vSphere | 5.5 | ESXi | Console
unique-chap-secrets | vSphere | 5.5 | ESXi | Storage
verify-acceptance-level-accepted | vSphere | 5.5 | ESXi | Install
verify-acceptance-level-certified | vSphere | 5.5 | ESXi | Install
verify-acceptance-level-supported | vSphere | 5.5 | ESXi | Install
verify-admin-group | vSphere | 5.5 | ESXi | Access
verify-config-files | vSphere | 5.5 | ESXi | Console
verify-dvfilter-bind | vSphere | 5.5 | ESXi | Communication
verify-install-media | vSphere | 5.5 | ESXi | Install
verify-kernel-modules | vSphere | 5.5 | ESXi | Install
vmdk-zero-out | vSphere | 5.5 | ESXi | Storage

Title

apply-patches: Keep ESXi system properly patched.
config-firewall-access: Configure the ESXi host firewall to restrict access to services running on the host.
config-ntp: Configure NTP time synchronization.
config-persistent-logs: Configure persistent logging for all ESXi hosts.
config-snmp: Ensure proper SNMP configuration.
create-local-admin: Create a non-root user account for local admin access.
disable-dcui: Disable DCUI to prevent local administrative control.
disable-esxi-shell: Disable ESXi Shell unless needed for diagnostics or troubleshooting.
disable-mob: Disable Managed Object Browser (MOB).
disable-ssh: Disable SSH.
enable-ad-auth: Use Active Directory for local user authentication.
enable-auth-proxy: When adding ESXi hosts to Active Directory, use the vSphere Authentication Proxy to protect passwords.
enable-chap-auth: Enable bidirectional CHAP, also known as Mutual CHAP, authentication for iSCSI traffic.
enable-host-profiles: Configure Host Profiles to monitor and alert on configuration changes.
enable-lockdown-mode: Enable lockdown mode to restrict remote access.
enable-remote-dump: Configure a centralized location to collect ESXi host core dumps using the "ESXi Dump Collector".
enable-remote-syslog: Configure remote logging for ESXi hosts.
esxi-no-self-signed-certs: Use default self-signed certificates for ESXi communication if required by local policy.
limit-cim-access: Do not provide administrator level access (i.e. root) to CIM-based hardware monitoring tools or other 3rd party applications.
mask-zone-san: Mask and zone SAN resources appropriately.
remove-authorized-keys: Remove keys from SSH authorized_keys file.
remove-revoked-certificates: Remove revoked SSL certificates from the ESXi server.
set-dcui-access: Set DCUI.Access to allow trusted users to override lockdown mode.
set-password-complexity: Establish a password policy for password complexity.
set-shell-interactive-timeout: Set a timeout to automatically terminate idle ESXi Shell and SSH sessions.
set-shell-timeout: Set a timeout to limit how long the ESXi Shell and SSH services are allowed to run.
unique-chap-secrets: Ensure uniqueness of CHAP authentication secrets.
verify-acceptance-level-accepted: Verify Image Profile and VIB Acceptance Levels.
verify-acceptance-level-certified: Verify Image Profile and VIB Acceptance Levels.
verify-acceptance-level-supported: Verify Image Profile and VIB Acceptance Levels.
verify-admin-group: Verify Active Directory group membership for the "ESXi Admins" group.
verify-config-files: Verify contents of exposed configuration files.
verify-dvfilter-bind: Prevent unintended use of dvfilter network APIs.
verify-install-media: Verify the integrity of the installation media before installing ESXi.
verify-kernel-modules: Verify no unauthorized kernel modules are loaded on the host.
vmdk-zero-out: Zero out VMDK files prior to deletion.

Vulnerability Discussion, Risk Profile, Control Type

apply-patches (Risk Profile 1,2,3; Control Type Operational)
By staying up to date on ESXi patches, vulnerabilities in the hypervisor can be mitigated. An educated attacker can exploit known vulnerabilities when attempting to attain access or elevate privileges on an ESXi host.

config-firewall-access (Risk Profile 1,2,3; Control Type Configuration)
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.

config-ntp (Risk Profile 1,2,3; Control Type Parameter)
By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC), [cut off in source]

config-persistent-logs (Risk Profile 1,2,3; Control Type Parameter)
ESXi can be configured to store log files on an in-memory filesystem. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done only a single day's worth of logs are stored at any time; in addition, log files [cut off in source]

config-snmp (Risk Profile 1,2,3; Control Type Parameter)
If SNMP is not being used, it should remain disabled. If it is being used, the proper trap destination should be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use [cut off in source]

create-local-admin (Risk Profile 1,2,3; Control Type Configuration)
By default each ESXi host has a single "root" admin account that is used for local administration and to connect the host to vCenter Server. To avoid sharing a common root account, it is recommended on each host to create at least one named [cut off in source]

disable-dcui (Risk Profile 1; Control Type Parameter)
The DCUI allows for low-level host configuration such as configuring IP address, hostname and root password, as well as diagnostic capabilities such as enabling the ESXi shell, viewing log files, restarting agents, and resetting [cut off in source]

disable-esxi-shell (Risk Profile 1,2,3; Control Type Parameter)
ESXi Shell is an interactive command line environment available from the DCUI or remotely via SSH. Access to this mode requires the root password of the server. The ESXi Shell can be turned on and off for individual hosts. Activities [cut off in source]

disable-mob (Risk Profile 1,2,3; Control Type Parameter)
The managed object browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host; it enables configurations to be changed as well. This interface is meant to be used primarily for debugging the [cut off in source]

disable-ssh (Risk Profile 1,2,3; Control Type Parameter)
The ESXi shell, when enabled, can be accessed directly from the host console through the DCUI or remotely using SSH. Remote access to the host should be limited to the vSphere Client, remote command-line tools (vCLI/PowerCLI), and [cut off in source]

enable-ad-auth (Risk Profile 1,2,3; Control Type Configuration)
Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse [cut off in source]

enable-auth-proxy (Risk Profile 1,2,3; Control Type Parameter)
If you configure your host to join an Active Directory domain using Host Profiles, the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid having to save Active Directory credentials in the Host [cut off in source]

enable-chap-auth (Risk Profile 1,2,3; Control Type Parameter)
vSphere allows for the use of bidirectional authentication of both the iSCSI target and host. Choosing not to enforce more stringent authentication can make sense if you create a dedicated network or VLAN to service all your iSCSI devices.

enable-host-profiles (Risk Profile 1,2,3; Control Type Parameter)
Monitoring for configuration drift and unauthorized changes is critical to ensuring the security of an ESXi host. Host Profiles provide an automated method for monitoring host configurations against an established template and for [cut off in source]

enable-lockdown-mode (Risk Profile 1,2,3; Control Type Parameter)
Enabling lockdown mode disables direct access to an ESXi host, requiring the host be managed remotely from vCenter Server. This is done to ensure the roles and access controls implemented in vCenter are always enforced and users [cut off in source]

enable-remote-dump (Risk Profile 1,2,3; Control Type Parameter)
When a host crashes, an analysis of the resultant core dump is essential to being able to identify the cause of the crash and a resolution. Installing a centralized dump collector helps ensure that core files are successfully saved and made [cut off in source]

enable-remote-syslog (Risk Profile 1,2,3; Control Type Parameter)
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host you can more easily monitor all hosts with a single tool. You can also do aggregate analysis and [cut off in source]

esxi-no-self-signed-certs (Risk Profile 1,2,3; Control Type Configuration)
A host has self-signed certificates when first deployed, but these can be replaced by certificate authority (CA) signed certificates if required by local policy. Self-signed certificates can be as secure as certificates that are issued by an external [cut off in source]

limit-cim-access (Risk Profile 1,2,3; Control Type Operational)
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. To ensure that the CIM interface remains secure, provide only the minimum access necessary to these [cut off in source]

mask-zone-san (Risk Profile 1,2,3; Control Type Operational)
You should use zoning and LUN masking to segregate SAN activity. For example, you manage zones defined for testing independently within the SAN so they do not interfere with activity in the production zones. Similarly, you can set up [cut off in source]

remove-authorized-keys (Risk Profile 1,2,3; Control Type Configuration)
ESXi hosts come with SSH which can be enabled to allow remote access without requiring user authentication. To enable password-free access, copy the remote user's public key into the "/etc/ssh/keys-root/authorized_keys" file on the [cut off in source]

remove-revoked-certificates (Risk Profile 1,2,3; Control Type Operational)
By default, each ESXi host does not have CRL checking available. Revoked certificates must be checked and removed manually. These are typically custom generated certificates from a corporate certificate authority or 3rd party authority.

set-dcui-access (Risk Profile 1,2,3; Control Type Parameter)
Lockdown disables direct host access, requiring that admins manage hosts from vCenter Server. However, if a host becomes isolated from vCenter Server, the admin is locked out and can no longer manage the host. To avoid becoming [cut off in source]

set-password-complexity (Risk Profile 1,2,3; Control Type Parameter)
ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. It is important to use passwords that are not easily guessed and that are difficult for password generators to determine. Note, ESXi imposes no restrictions [cut off in source]

set-shell-interactive-timeout (Risk Profile 1,2,3; Control Type Parameter)
If a user forgets to log out of their SSH session, the idle connection will remain indefinitely, increasing the potential for someone to gain privileged access to the host. The ESXiShellInteractiveTimeOut allows you to automatically [cut off in source]

set-shell-timeout (Risk Profile 1,2,3; Control Type Parameter)
When the ESXi Shell or SSH services are enabled on a host they will run indefinitely. To avoid having these services left running, set the ESXiShellTimeOut. The ESXiShellTimeOut defines a window of time after which the ESXi Shell and SSH [cut off in source]

unique-chap-secrets (Risk Profile 1,2,3; Control Type Parameter)
The mutual authentication secret for each host should be different; if possible, the secret should be different for each client authenticating to the server as well. This ensures that if a single host is compromised, an attacker cannot create [cut off in source]

verify-acceptance-level-accepted (Risk Profile 2; Control Type Parameter)
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by [cut off in source]

verify-acceptance-level-certified (Risk Profile 1; Control Type Parameter)
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by [cut off in source]

verify-acceptance-level-supported (Risk Profile 3; Control Type Parameter)
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by [cut off in source]

verify-admin-group (Risk Profile 1,2,3; Control Type Configuration)
The AD group used by vSphere is defined by the "esxAdminsGroup" attribute; by default this attribute is set to "ESX Admins". All members of the "ESX Admins" group are granted full administrative access to all ESXi hosts in the [cut off in source]

verify-config-files (Risk Profile 1; Control Type Operational)
Although most configurations on ESXi are controlled via an API, there are a limited set of configuration files that are used directly to govern host behavior. These specific files are exposed via the vSphere HTTPS-based file transfer API. Any [cut off in source]

verify-dvfilter-bind (Risk Profile 1,2,3; Control Type Parameter)
If you are not using products that make use of the dvfilter network API (e.g. VMSafe), the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, thereby [cut off in source]

verify-install-media (Risk Profile 1,2,3; Control Type Operational)
Always check the SHA1 hash after downloading an ISO, offline bundle, or patch to ensure integrity and authenticity of the downloaded files. If you obtain physical media from VMware and the security seal is broken, return the software [cut off in source]

verify-kernel-modules (Risk Profile 1,2,3; Control Type Operational)
VMware provides digital signatures for kernel modules. By default the ESXi host does not permit loading of kernel modules that lack a valid digital signature. However, this behavior can be overridden, allowing unauthorized kernel [cut off in source]

vmdk-zero-out (Risk Profile 1,2; Control Type Operational)
To help prevent sensitive data in VMDK files from being read off the physical disk after it is deleted, the virtual disk should be zeroed out prior to deletion. This will make it more difficult for someone to reconstruct the contents of the [cut off in source]

Assessment Procedure

apply-patches:
Employ a process to keep ESXi hosts up to date with patches in accordance with industry standards and internal guidelines. VMware Update Manager is an automated tool that can greatly assist with this. VMware also publishes Advisories on security patches, and offers a way to subscribe to email alerts for them.

config-firewall-access:
From the vSphere web client, select the host and go to "Manage" -> "Security Profile". In the "Firewall" section select "Edit...". For each enabled service (e.g. ssh, vSphere Web Access, http client) provide a range of allowed IP addresses.

config-ntp:
From the vSphere web client select the host and click "Manage" -> "Time Configuration" and click the "Edit..." button. Provide the name/IP of your NTP servers, start the NTP service and change the startup policy to "Start and stop with host". Notes: verify the NTP firewall ports are open. It is recommended to synchronize the ESXi clock with a time server that is located on the management [cut off in source]

config-persistent-logs:
Log on to the ESXi shell and run "ls -al /" to verify "/scratch" is not linked to "/tmp/scratch". If "/scratch" is linked to "/tmp/scratch", change it to a persistent datastore. First, identify the datastore path where you want to place scratch, then log in to the vSphere web client, navigate to the host and select "Manage" -> "Advanced System Settings", and enter "Syslog.global.LogDir" in the filter. Set the [cut off in source]

config-snmp:
From the ESXi Shell or vCLI run "esxcli system snmp get" to determine if SNMP is being used. If SNMP is not being used, make sure that it is disabled by running "esxcli system snmp set --enable false". If SNMP is being used, refer to the vSphere Monitoring and Performance guide, chapter 8, for steps to configure the required parameters. Notes: (1) SNMP must be configured on each ESXi host. (2) you [cut off in source]

create-local-admin:
Local ESXi user accounts cannot be created using the vSphere web client; you must use the vSphere client. Connect directly to the ESXi host using the vSphere Client. Log in as root. Select the "Local Users & Groups" tab and add a local user; be sure to grant shell access to this user. Then select the "Permissions" tab and assign the "Administrator" role to the user. Repeat this for each ESXi host.

disable-dcui:
From the vSphere web client select the host and select "Manage" -> "Security Profile". Scroll down to "Services" and click "Edit...". Select "Direct Console UI", click "Stop" and change the Startup Policy to "Start and Stop Manually". Note: consider using Lockdown mode to restrict access to the DCUI as opposed to disabling the DCUI. If the DCUI is disabled and the host becomes isolated from vCenter [cut off in source]

disable-esxi-shell:
From the DCUI: select "Troubleshooting Options" from the main menu and select "Enable ESXi Shell". From the vSphere web client select the host and select "Manage" -> "Security Profile". Scroll down to "Services" and click "Edit...". Select "ESXi Shell", click "Stop" and change the Startup Policy to "Start and Stop Manually". Note: A host warning is displayed in the vSphere web client anytime the ESXi [cut off in source]

disable-mob:
To determine if the MOB is enabled run the following command from the ESXi shell: "vim-cmd proxysvc/service_list". To disable the MOB run 'vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"'. Note: You cannot disable the MOB while a host is in lockdown mode.

disable-ssh:
From the DCUI main menu select "Troubleshooting Options" -> "Disable ESXi SSH". From the vSphere web client select the host and select "Manage" -> "Security Profile". Scroll down to "Services" and click "Edit...". Select "SSH", click "Stop" and change the Startup Policy to "Start and Stop Manually". Notes: A host warning is displayed in the vSphere web client anytime SSH is enabled on a host. If the [cut off in source]

enable-ad-auth:
From the vSphere Web Client, select the host and go to "Manage" -> "Authentication Services" and click the "Join Domain" button. Provide the domain name along with the user credentials for an AD user that has the rights to join computers to the domain. Notes: (1) you can use Host Profiles to automate adding hosts to an AD domain. (3) Consider using the vSphere Authentication proxy to [cut off in source]

enable-auth-proxy:
Install and configure the Authentication proxy. From the vSphere web client, navigate to "Host Profiles", select the host profile, select "Manage" -> "Edit Host profile". Expand "Security and Services" -> "Security Settings" -> "Authentication Configuration". Select "Active Directory configuration" and set the "Join Domain Method" to "Use vSphere Authentication Proxy to add the [cut off in source]

enable-chap-auth:
In the vSphere client navigate to the host and select "Configuration" -> "Storage Adaptors" -> "iSCSI Initiator Properties" -> "CHAP" -> "CHAP (Target Authenticates Host)". Verify "Use Chap" is selected with a Name and a "Secret" configured.

enable-host-profiles:
Configure a reference ESXi host with the desired configuration and use the host to create a Host Profile. Attach the host profile to other hosts with identical hardware configurations. Monitor host compliance to the host profile from the vSphere Client. Note: a separate Host Profile is needed for different hardware configurations.

enable-lockdown-mode:
From the DCUI: 1. Log in directly to the ESXi host. 2. Open DCUI on the host. 3. Press F2 for Initial Setup. 4. Toggle the Configure Lockdown Mode setting. From the vSphere web client, select the host then select "Manage" -> "Security Profile". Scroll down to "Lockdown Mode" and click "Edit...". Select the Enable Lockdown Mode checkbox. DO NOT use with the "dcui-disable" guideline. If the DCUI is [cut off in source]

enable-remote-dump:
Step 1: Install and configure a dump collector (ESXi Dump Collector). Step 2: From the ESXi Shell or vCLI enable remote dump collection for each host using the "esxcli system coredump network set" command.

enable-remote-syslog:
Step 1: Install/enable a syslog host (vSphere Syslog Collector recommended). Step 2: From the vSphere web client select the host and click "Manage" -> "Advanced System Settings", and enter "Syslog.global.logHost" in the filter. Set "Syslog.global.logHost" to the hostname of your syslog server. Note: when setting a remote log host it is also recommended to set the [cut off in source]

esxi-no-self-signed-certs:
Connect to each ESX/ESXi host with an internet browser, https:///. View the details of the SSL certificate and determine if it is issued by a trusted CA, either commercial or organizational. To change SSL certificates refer to KB http://kb.vmware.com/kb/2057340.

limit-cim-access:
Create a limited-privileged service account for CIM and other 3rd party applications. This account should access the system via vCenter, and needs to be provided only the "CIM Interaction" privilege. This will enable the account to obtain a CIM ticket, which can then be used to perform both read and write CIM operations on the target host. If an account must connect to the host directly, then this [cut off in source]

mask-zone-san:
Zoning and masking capabilities for each SAN switch and disk array are vendor specific, as are the tools for managing LUN masking.

remove-authorized-keys:
For day-to-day operations disable SSH on your ESXi hosts. In the event that SSH is enabled, even temporarily, monitor the contents of "/etc/ssh/keys-root/authorized_keys" to ensure no users are allowed to access the host without proper authentication. To check for SSH keys added to the authorized_keys file, log on to the ESXi shell as root and verify the /etc/ssh/keys-root/authorized_keys [cut off in source]

remove-revoked-certificates:
Use the script called out in "verify-ssl-certificates" in the vCenter Server section to assess if there are revoked SSL certificates on your ESXi server. If a revoked certificate is found, replace the SSL certificate with a valid one.

set-dcui-access:
From the vSphere client, select the host and select "Manage" -> "Advanced System Settings". Type "DCUI.Access" in the filter. Set the "DCUI.Access" attribute to a comma separated list of the users who are allowed to override lockdown mode. Notes: by default only the "root" user is a member of the DCUI.Access list. It is not recommended to remove root from the DCUI.Access list as this will revoke [cut off in source]

set-password-complexity:
Ensure the "password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4" entry in the /etc/pam.d/passwd file, as outlined in the vSphere Security Guide, "Users and Permissions" chapter, meets local requirements.

set-shell-interactive-timeout:
From the DCUI: select "Troubleshooting Options" -> "Modify ESXi Shell and SSH Timeouts". Modify the ESXiShellInteractiveTimeout to the desired value. Note: the ESXi Shell and SSH services must be disabled in order to modify the setting from the DCUI. From the vSphere web client select the host and click "Manage" -> "Advanced System Settings" and type ESXiShellInteractiveTimeOut in the filter.

set-shell-timeout:
From the DCUI: select "Troubleshooting Options" -> "Modify ESXi Shell and SSH Timeouts". Modify the ESXiShellTimeout to the desired value. Note: the ESXi Shell and SSH services must be disabled in order to modify the setting from the DCUI. From the vSphere web client select the host and click "Manage" -> "Advanced System Settings" and type ESXiShellTimeOut in the filter. Set the attribute to [cut off in source]

unique-chap-secrets:
In the vSphere Web Client navigate to the host and select "Manage" -> "Storage Adaptors" -> "iSCSI Initiator Properties" -> "Authentication" -> "Edit". Verify that a different authentication secret is configured for each ESXi host.

verify-acceptance-level-accepted:
STEP 1: Connect to each ESX/ESXi host using the ESXi Shell or vCLI and execute the command "esxcli software acceptance get" to verify the acceptance level for the host is set to either "VMwareCertified" or "VMwareAccepted". STEP 2: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software vib list" and verify the acceptance level for each VIB is set to [cut off in source]

verify-acceptance-level-certified:
STEP 1: Connect to each ESX/ESXi host using the ESXi Shell or vCLI and execute the command "esxcli software acceptance get" to verify the acceptance level for the host is set to "VMware Certified". STEP 2: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software vib list" and verify the acceptance level for each VIB is set to "VMware Certified".

verify-acceptance-level-supported:
STEP 1: Connect to each ESX/ESXi host using the ESXi Shell or vCLI and execute the command "esxcli software acceptance get" to verify the acceptance level for the host is at either "VMware Certified", "VMware Supported", or "PartnerSupported". STEP 2: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software vib list" and verify the acceptance level for each VIB is [cut off in source]

verify-admin-group:
From Active Directory monitor the membership of the group name that is defined by the advanced host setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" (default is ESX Admins; as with any default group, consider changing this name to avoid possible exploits) and verify only authorized user and group accounts are members of this group. If full admin access for the AD ESX admins group is [cut off in source]

verify-config-files:
ESXi configuration files can be found by browsing to https: host (not available if MOB is disabled). NOTE: not all the files listed are modifiable. The files can also be retrieved using the vCLI or PowerCLI. Implement a procedure to track the files and their contents over time to ensure that they are not improperly modified. Be sure not to monitor log files and other files whose content is [cut off in source]

verify-dvfilter-bind:
If a dvfilter-based network security appliance is not being used on the host, ensure that the following kernel parameter has a blank value: /Net/DVFilterBindIpAddress. From the vSphere web client select the host and click "Manage" -> "Advanced System Settings". Enter "Net.DVFilterBindIpAddress" in the filter and verify "Net.DVFilterBindIpAddress" has an empty value. If an appliance is being used, then [cut off in source]

verify-install-media:
After downloading media, use the MD5 sum value to verify the integrity of the download. Compare the MD5 sum output with the value posted on the VMware website. Notes: each operating system will have a different method/tool for checking MD5 sum values. For Microsoft you can download an add-on product as identified in http://support.microsoft.com/kb/841290. For Mac OS use the "md5" [cut off in source]

verify-kernel-modules:
Each ESXi host should be monitored for unsigned kernel modules. To list all the loaded kernel modules from the ESXi Shell or vCLI run: "esxcli system module list". For each module verify the Signed Status field contains a trusted value, for example "VMware Signed", by running "esxcli system module get -m ". Secure the host by disabling unsigned modules and removing the [cut off in source]

vmdk-zero-out:
When deleting a VMDK file with sensitive data, shut down or stop the virtual machine, and then issue the CLI command 'vmkfstools -writezeroes' on that file prior to deleting it from the datastore.

ID | Configuration File | Configuration Parameter | Desired Value
apply-patches | N/A | N/A | N/A
config-firewall-access | N/A | N/A | Site Specific
config-ntp | /etc/ntp.conf | N/A | Site Specific
config-persistent-logs | N/A | Syslog.global.logDir | Site Specific
config-snmp | /etc/vmware/snmp.xml | N/A | Site Specific
create-local-admin | N/A | N/A | N/A
disable-dcui | N/A | N/A | Stopped
disable-esxi-shell | N/A | N/A | Stopped
disable-mob | N/A | N/A | Remove Service
disable-ssh | N/A | N/A | Stopped
enable-ad-auth | N/A | N/A | N/A
enable-auth-proxy | N/A | N/A | Site Specific
enable-chap-auth | N/A | Use Chap, Name, Secret | Site Specific
enable-host-profiles | N/A | N/A | N/A
enable-lockdown-mode | N/A | vimsvc/auth/lockdown_is_enabled | Enabled
enable-remote-dump | N/A | N/A | N/A
enable-remote-syslog | N/A | Syslog.global.logHost | Site Specific
esxi-no-self-signed-certs | N/A | N/A | N/A
limit-cim-access | N/A | N/A | N/A
mask-zone-san | N/A | N/A | N/A
remove-authorized-keys | /etc/ssh/keys-root/authorized_keys | N/A | N/A
remove-revoked-certificates | N/A | N/A | N/A
set-dcui-access | N/A | DCUI.Access | N/A or list of authorized users
set-password-complexity | /etc/pam.d/passwd | password requisite /lib/security/$ISA/pam_passwdqc.so | Site Specific
set-shell-interactive-timeout | N/A | UserVars.ESXiShellInteractiveTimeOut | Site Specific
set-shell-timeout | N/A | UserVars.ESXiShellTimeOut | Site Specific
unique-chap-secrets | N/A | Secret | Site dependent
verify-acceptance-level-accepted | N/A | N/A | VMwareCertified, VMwareAccepted
verify-acceptance-level-certified | N/A | N/A | VMwareCertified
verify-acceptance-level-supported | N/A | N/A | VMwareCertified, VMwareAccepted, PartnerSupported
verify-admin-group | N/A | N/A | N/A
verify-config-files | N/A | N/A | N/A
verify-dvfilter-bind | N/A | Net.DVFilterBindIpAddress | empty
verify-install-media | N/A | N/A | N/A
verify-kernel-modules | N/A | N/A | N/A
vmdk-zero-out | N/A | N/A | N/A
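To make the desired values above repeatable, here is an added example (not part of the VMware guide) that evaluates a constructed host snapshot against the checklist items that have a checkable value: the three service states, MOB registration, the /scratch link, the syslog host, lockdown mode and its stated conflict with disable-dcui, both shell timeouts, DCUI.Access, Net.DVFilterBindIpAddress, the acceptance level for the chosen risk profile, authorized_keys, and the pam_passwdqc minimums. The snapshot layout and field names, the "off" encoding of "Start and Stop Manually", and the password-length floor of 8 are assumptions of this example; collecting the data from a real host with esxcli, vim-cmd or PowerCLI is outside it.

```python
"""Offline evaluation of an ESXi 5.5 host snapshot against the checklist above.
Added example, not part of the VMware guide; it queries no host.  SAMPLE_HOST is
a constructed snapshot in this example's own layout, holding what the assessment
procedures say to collect with esxcli, vim-cmd, 'ls -al /' and the vSphere client."""
import re

# Acceptance levels allowed by verify-acceptance-level-certified (risk
# profile 1), -accepted (profile 2) and -supported (profile 3).
ACCEPTANCE = {
    1: {"VMwareCertified"},
    2: {"VMwareCertified", "VMwareAccepted"},
    3: {"VMwareCertified", "VMwareAccepted", "PartnerSupported"},
}
# Guidelines whose Risk Profile column is narrower than 1,2,3.
RISK_PROFILE = {"disable-dcui": {1}}

SAMPLE_HOST = {  # constructed values, not captured from a real host
    # service name -> (running, startup policy); "off" = start and stop manually
    "services": {"DCUI": (True, "on"), "ESXShell": (False, "off"), "SSH": (True, "off")},
    "proxy_services": ["/mob", "/sdk", "/ui"],  # vim-cmd proxysvc/service_list
    "scratch_target": "/tmp/scratch",           # what 'ls -al /' shows /scratch linked to
    "advanced": {                               # Advanced System Settings
        "UserVars.ESXiShellTimeOut": 0,
        "UserVars.ESXiShellInteractiveTimeOut": 900,
        "DCUI.Access": "root,backupadmin",
        "Net.DVFilterBindIpAddress": "",
        "Syslog.global.logHost": "",
    },
    "lockdown_enabled": False,                  # vimsvc/auth/lockdown_is_enabled
    "acceptance_level": "PartnerSupported",     # esxcli software acceptance get
    "pam_passwd_line": "password requisite /lib/security/$ISA/pam_passwdqc.so "
                       "retry=3 min=disabled,disabled,disabled,7,6",
    "authorized_keys": "ssh-rsa AAAAB3NzaC1yc2E...CONSTRUCTED backup@jumphost\n",
}


def parse_passwdqc(line):
    """Parse the 'retry=N min=N0,N1,N2,N3,N4' options of the pam_passwdqc entry in
    /etc/pam.d/passwd.  pam_passwdqc applies N0..N4 as the minimum length for
    passwords built from 1, 2, (passphrase), 3 and 4 character classes; the word
    'disabled' forbids that kind of password outright (kept here as None).
    Returns (retry, mins); raises ValueError on a malformed entry."""
    m = re.search(r"pam_passwdqc\.so\s+(.*)$", line)
    if not m:
        raise ValueError("no pam_passwdqc entry")
    opts = dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)
    mins = [None if v == "disabled" else int(v) for v in opts.get("min", "").split(",")]
    if len(mins) != 5:
        raise ValueError("min= needs exactly five values")
    return int(opts.get("retry", 3)), mins


def weak_passwdqc(line, floor):
    """Labels of the password kinds that are enabled but shorter than FLOOR.
    FLOOR is an assumed site minimum; the guide only says 'site specific'."""
    labels = ("1 class", "2 classes", "passphrase", "3 classes", "4 classes")
    return [lab for lab, n in zip(labels, parse_passwdqc(line)[1])
            if n is not None and n < floor]


def audit(host, profile=1, dcui_allowed=("root",), dvfilter_in_use=False, pw_floor=8):
    """Return {guideline-id: finding} for each modelled checklist item the snapshot
    fails under the given risk profile; an empty dict means everything passed."""
    f, adv = {}, host["advanced"]
    for svc, gid in (("DCUI", "disable-dcui"), ("ESXShell", "disable-esxi-shell"),
                     ("SSH", "disable-ssh")):
        running, policy = host["services"][svc]  # desired: Stopped, manual start
        if profile in RISK_PROFILE.get(gid, {1, 2, 3}) and (running or policy != "off"):
            f[gid] = f"{svc} running={running} policy={policy}"
    if "/mob" in host["proxy_services"]:
        f["disable-mob"] = "/mob still registered; desired value is Remove Service"
    if host["scratch_target"] == "/tmp/scratch":
        f["config-persistent-logs"] = "/scratch links to /tmp/scratch (in-memory logs)"
    if not adv.get("Syslog.global.logHost"):
        f["enable-remote-syslog"] = "Syslog.global.logHost is empty"
    if not host["lockdown_enabled"]:
        f["enable-lockdown-mode"] = "lockdown mode not enabled"
    elif host["services"]["DCUI"] == (False, "off"):
        # The guide says not to combine lockdown with the disable-dcui guideline:
        # a host isolated from vCenter would have no management path left.
        f["enable-lockdown-mode"] = "lockdown enabled while the DCUI is disabled"
    for key, gid in (("UserVars.ESXiShellTimeOut", "set-shell-timeout"),
                     ("UserVars.ESXiShellInteractiveTimeOut", "set-shell-interactive-timeout")):
        if int(adv.get(key, 0)) <= 0:  # 0 leaves the service/session running indefinitely
            f[gid] = f"{key}={adv.get(key, 0)}"
    users = [u for u in adv.get("DCUI.Access", "").split(",") if u]
    extra = sorted(set(users) - set(dcui_allowed))
    if extra or "root" not in users:  # guide: do not remove root from the list
        f["set-dcui-access"] = f"DCUI.Access={adv.get('DCUI.Access')!r} unexpected={extra}"
    if adv.get("Net.DVFilterBindIpAddress") and not dvfilter_in_use:
        f["verify-dvfilter-bind"] = "Net.DVFilterBindIpAddress set without a dvfilter appliance"
    if host["acceptance_level"] not in ACCEPTANCE[profile]:
        name = {1: "certified", 2: "accepted", 3: "supported"}[profile]
        f["verify-acceptance-level-" + name] = f"acceptance level {host['acceptance_level']}"
    if host["authorized_keys"].strip():
        f["remove-authorized-keys"] = "keys present in /etc/ssh/keys-root/authorized_keys"
    weak = weak_passwdqc(host["pam_passwd_line"], pw_floor)
    if weak:
        f["set-password-complexity"] = f"minimum below {pw_floor} for: {', '.join(weak)}"
    return f
```

`audit(SAMPLE_HOST, profile=1)` reports eleven failing items for the constructed host; the same snapshot audited under profile 3 with backupadmin added to `dcui_allowed` drops the disable-dcui, set-dcui-access and acceptance-level findings.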

ID | Change Type | Is desired value the default?
apply-patches | Update | N/A
config-firewall-access | Modify | NO
config-ntp | Modify | NO
config-persistent-logs | Modify | YES when booting from a local disk; NO when booting from USB/SD or when using Auto Deploy
config-snmp | Modify | N/A
create-local-admin | N/A | NO
disable-dcui | Modify | NO
disable-esxi-shell | Modify | YES
disable-mob | Remove | NO
disable-ssh | Modify | YES
enable-ad-auth | N/A | N/A
enable-auth-proxy | Modify | NO
enable-chap-auth | Modify | NO
enable-host-profiles | N/A | NO
enable-lockdown-mode | Modify | NO
enable-remote-dump | Modify | NO
enable-remote-syslog | Modify | NO
esxi-no-self-signed-certs | Configuration | NO
limit-cim-access | N/A | N/A
mask-zone-san | N/A | N/A
remove-authorized-keys | N/A | YES
remove-revoked-certificates | N/A | N/A
set-dcui-access | Modify | NO
set-password-complexity | Modify | YES
set-shell-interactive-timeout | Modify | NO
set-shell-timeout | Modify | NO
unique-chap-secrets | Modify | NO
verify-acceptance-level-accepted | Verify | NO
verify-acceptance-level-certified | Verify | NO
verify-acceptance-level-supported | Verify | YES
verify-admin-group | N/A | N/A
verify-config-files | N/A | N/A
verify-dvfilter-bind | Modify | YES
verify-install-media | N/A | N/A
verify-kernel-modules | (not given) | YES
vmdk-zero-out | N/A | N/A

  • 7/17/2019 Hardening ESXi checklist

    25/64

    vSphere API

    https://pubs.vmware.com/vsphere-

    55/topic/com.vmware.wssdk.apiref.doc/vim.host.PatchManag

    er.Status.html

    http://pubs.vmware.com/vsphere-

    55/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSyste

    m.html

    http://pubs.vmware.com/vsphere-

    55/topic/com.vmware.wssdk.apiref.doc/vim.host.DateTimeSys

    tem.html

    http://pubs.vmware.com/vsphere-

    55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionMa

    nager.html

    http://pubs.vmware.com/vsphere-

    55/topic/com.vmware.wssdk.apiref.doc/vim.host.SnmpSystem

    .html

    N/A

    http://pubs.vmware.com/vsphere-

    55/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSyste

    m.html

    http://pubs.vmware.com/vsphere-

    55/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSyste

    m.html

    N/A

    http://pubs.vmware.com/vsphere-

    55/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSyste

    m.html

  • 7/17/2019 Hardening ESXi checklist

    26/64

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.ActiveDirectoryAuthentication.html

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.ActiveDirectoryAuthentication.html

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.InternetScsiHba.AuthenticationProperties.html

    http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc%2Fvim.profile.host.HostProfile.html

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.HostSystem.html

    N/A

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionManager.html

    N/A

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.LocalAccountManager.html

    N/A


    N/A

    N/A

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionManager.html

    N/A

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionManager.html

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionManager.html

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.InternetScsiHba.AuthenticationProperties.html

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.ImageConfigManager.html

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.ImageConfigManager.html

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.ImageConfigManager.html


    N/A

    N/A

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionManager.html

    N/A

    N/A

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.VirtualDiskManager.html


    ESXi Shell Command Assessment

    # esxcli software profile get / # esxcli software vib get

    #List all services: ls /etc/init.d
    #get service status: /etc/init.d/[SERVICE] status

    N/A

    # esxcli system syslog config get

    # esxcli system snmp get

    N/A

    # chkconfig --list DCUI

    # chkconfig --list ESXShell

    vim-cmd proxysvc/service_list

    # chkconfig --list SSH


    TBD

    N/A

    # esxcli iscsi adapter auth chap get

    N/A

    # To check if Lockdown mode is enabled: vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled

    esxcli system coredump network get

    # esxcli system syslog config get

    N/A

    N/A

    N/A


    N/A

    N/A

    vim-cmd hostsvc/advopt/view DCUI.Access

    N/A

    # esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellInteractiveTimeOut

    # esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellTimeOut

    # esxcli iscsi adapter auth chap get

    # esxcli software acceptance get # esxcli software vib list

    # esxcli software acceptance get # esxcli software vib list

    # esxcli software acceptance get # esxcli software vib list


    N/A

    N/A

    # esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /Net/DVFilterBindIpAddress

    N/A

    # esxcli system modules get -m

    N/A


    ESXi Shell Command Remediation

    # esxcli software profile update / # esxcli software vib update

    # /etc/init.d/[SERVICE] STOP

    N/A

    # esxcli system syslog config set --logDir

    # Configure Community String
    esxcli system snmp set --communities [COMMUNITY]
    # Configure SNMP Target

    N/A

    # chkconfig DCUI off

    #stop ESXi Shell: /etc/init.d/ESXShell stop
    #disable ESXi Shell: chkconfig ESXShell off

    vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"

    # /etc/init.d/ESXShell stop # chkconfig SSH off


    TBD

    N/A

    # esxcli iscsi adapter auth chap set

    N/A

    # To disable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
    # To enable Lockdown mode: vim-cmd -U

    # Configure remote Dump Collector Server
    esxcli system coredump network set -v [VMK#] -i [DUMP_SERVER] -o [PORT]
    # Enable remote Dump Collector

    # esxcli system syslog config set loghost
    # esxcli system syslog reload

    N/A

    N/A

    N/A


    N/A

    N/A

    vim-cmd hostsvc/advopt/update DCUI.Access string [USERS]

    N/A

    # esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i

    # esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i

    # esxcli iscsi adapter auth chap set
    Note: You can include the option --direction uni or --direction mutual accordingly for shell

    # esxcli software acceptance set --level

    # esxcli software acceptance set --level

    # esxcli software acceptance set --level


    N/A

    N/A

    # esxcli system settings advanced set -o /Net/DVFilterBindIpAddress -d

    N/A

    # esxcli system modules set -e false -m

    # vmkfstools -w
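    As an added example (not part of the checklist itself), the script below evaluates the CSV output that the set-shell-interactive-timeout and set-shell-timeout assessment commands grep for, and prints the checklist's esxcli remediation command for each setting that fails. The CSV sample is constructed, and the compliant range of 1 to 900 seconds is an assumption taken from the 900-second value used in the remediation column.

```shell
#!/bin/sh
# Added example, not from the hardening guide: assess ESXi shell timeout settings from
# esxcli CSV output and emit the remediation command for every failing setting.

# Constructed sample of what
#   esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list
# returns; the values are made up for this example, not a real host capture.
SAMPLE_CSV='Path,Int Value,
/UserVars/ESXiShellInteractiveTimeOut,0,
/UserVars/ESXiShellTimeOut,900,'

# int_value CSV PATH : print the "Int Value" column for PATH, or nothing if PATH is absent
int_value() {
    printf '%s\n' "$1" | awk -F, -v p="$2" '$1 == p { print $2; exit }'
}

# assess_setting CSV PATH MIN MAX : print PASS, FAIL or MISSING; exit status 0 only on PASS.
# A value of 0 means the shell session never expires, which is the finding the
# set-shell-timeout guidelines target; MIN..MAX (assumed 1..900 s) is the compliant range.
assess_setting() {
    v=$(int_value "$1" "$2")
    case $v in
        ''|*[!0-9]*) echo MISSING; return 1 ;;
    esac
    if [ "$v" -ge "$3" ] && [ "$v" -le "$4" ]; then
        echo PASS; return 0
    fi
    echo FAIL; return 1
}

# remediation_for CSV PATH MIN MAX : when the setting fails, print the esxcli command the
# checklist gives for it, using MAX as the target value; print nothing when it passes.
remediation_for() {
    if ! assess_setting "$1" "$2" "$3" "$4" >/dev/null; then
        printf 'esxcli system settings advanced set -o %s -i %s\n' "$2" "$4"
    fi
}

# report CSV : one status line per timeout setting the checklist covers, followed by
# any remediation commands that would bring the host into compliance
report() {
    for p in /UserVars/ESXiShellInteractiveTimeOut /UserVars/ESXiShellTimeOut; do
        printf '%-45s %s\n' "$p" "$(assess_setting "$1" "$p" 1 900)"
        remediation_for "$1" "$p" 1 900
    done
}

report "$SAMPLE_CSV"
```

    Replace SAMPLE_CSV with the captured esxcli output to run the same assessment against a real host.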


    vCLI Command Assessment

    # esxcli software profile get / # esxcli software vib get

    N/A

    # vicfg-ntp --list

    # esxcli system syslog config get

    # esxcli system snmp get

    N/A

    N/A

    N/A

    N/A

    N/A


    vicfg-authconfig --authscheme AD --currentdomain

    # vicfg-authconfig --authscheme AD --currentdomain

    # esxcli iscsi adapter auth chap get

    N/A

    N/A

    esxcli system coredump network get

    # esxcli system syslog config get

    N/A

    N/A

    N/A


    N/A

    N/A

    N/A

    N/A

    # esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellInteractiveTimeOut

    # esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellTimeOut

    # esxcli iscsi adapter auth chap get

    # esxcli software acceptance get # esxcli software vib list

    # esxcli software acceptance get # esxcli software vib list

    # esxcli software acceptance get # esxcli software vib list


    N/A

    N/A

    # esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /Net/DVFilterBindIpAddress

    N/A

    # esxcli system modules get -m

    N/A


    vCLI Command Remediation

    # esxcli software profile update / # esxcli software vib update

    N/A

    # vicfg-ntp --add

    # esxcli system syslog config set --logDir

    # Configure Community String
    esxcli system snmp set --communities [COMMUNITY]
    # Configure SNMP Target

    N/A

    N/A

    N/A

    N/A

    N/A


    vicfg-authconfig --authscheme AD --joindomain

    # vicfg-authconfig --authscheme AD --joindomain

    # esxcli iscsi adapter auth chap set

    N/A

    N/A

    # Configure remote Dump Collector Server
    esxcli system coredump network set -v [VMK#] -i [DUMP_SERVER] -o [PORT]
    # Enable remote Dump Collector

    # esxcli system syslog config set loghost
    # esxcli system syslog reload

    N/A

    N/A

    N/A


    N/A

    N/A

    N/A

    N/A

    # esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i

    # esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i

    # esxcli iscsi adapter auth chap set

    # esxcli software acceptance set --level

    # esxcli software acceptance set --level

    # esxcli software acceptance set --level


    N/A

    N/A

    # esxcli system settings advanced set -o /Net/DVFilterBindIpAddress -d

    N/A

    # esxcli system modules set -e false -m

    # vmkfstools -w


    PowerCLI Command Assessment

    # VMware Update Manager PowerCLI Cmdlets can be used to check this feature

    # List all services for a host
    Get-VMHost HOST1 | Get-VMHostService
    # List the services which are enabled and have rules defined for specific IP ranges to access the service

    # List the NTP Settings for all hosts
    Get-VMHost | Select Name, @{N="NTPSetting";E={$_ | Get-VMHostNtpServer}}

    # List Syslog.global.logDir for each host
    Get-VMHost | Select Name, @{N="Syslog.global.logDir";E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logDir | Select -ExpandProperty Values}}

    # List the SNMP Configuration of a host (single host connection required)
    Get-VMHost | Get-VMHostSnmp

    N/A

    # List DCUI settings for all hosts
    Get-VMHost | Get-VMHostService | Where { $_.key -eq "DCUI" }

    # Check if ESXi Shell is running and set to start
    Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM" } | Select VMHost, Key, Label, Policy, Running, Required

    N/A

    # Check if SSH is running and set to start
    Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM-SSH" } | Select VMHost, Key, Label, Policy, Running, Required


    # Check each host and their domain membership status
    Get-VMHost | Get-VMHostAuthentication | Select VmHost, Domain, DomainMembershipStatus

    # Check the host profile is using vSphere Authentication proxy to add the host to the domain
    Get-VMHost | Select Name, `
    @{N="HostProfile";E={$_ | Get-VMHostProfile}},

    # List Iscsi Initiator and CHAP Name if defined
    Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapNam

    # To check if Lockdown mode is enabled
    Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.adminDisabled}}

    # Show the network coredump (remote dump collector) configuration of each host
    Foreach ( $VMHost in Get-VMHost ) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $ESXCli.system.coredump.network.get()
    }

    # List Syslog.global.logHost for each host
    Get-VMHost | Select Name, @{N="Syslog.global.logHost";E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logHost | Select -

    function Test-WebServerSSL {
    # Function original location: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=60

    # List all user accounts on the Host -Host Local connection required-
    Get-VMHostAccount

    N/A


    N/A

    Use the script in the vCenterServer-verify-SSL-certificates guideline to assess the status of installed certificates

    N/A

    # List UserVars.ESXiShellInteractiveTimeOut for each host
    Get-VMHost | Select Name, @{N="UserVars.ESXiShellInteractiveTimeOut";E={$_ | Get-VMHostAdvancedConfiguration

    # List UserVars.ESXiShellTimeOut for each host
    Get-VMHost | Select Name, @{N="UserVars.ESXiShellTimeOut";E={$_ | Get-VMHostAdvancedConfiguration UserVars.ESXiShellTimeOut |

    # List Iscsi Initiator and CHAP Name if defined
    Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapNam

    # List the Software AcceptanceLevel for each host
    Foreach ($VMHost in Get-VMHost ) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $VMHost | Select Name,

    # List the Software AcceptanceLevel for each host
    Foreach ($VMHost in Get-VMHost ) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $VMHost | Select Name,

    # List the Software AcceptanceLevel for each host
    Foreach ($VMHost in Get-VMHost ) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $VMHost | Select Name,


    N/A

    N/A

    # List Net.DVFilterBindIpAddress for each host
    Get-VMHost | Select Name, @{N="Net.DVFilterBindIpAddress";E={$_ | Get-VMHostAdvancedConfiguration Net.DVFilterBindIpAddress |

    # Check the SHA1 hash of the download with the following function
    Function Get-SHA1 {
    Param (

    # List the system modules and Signature Info for each host
    Foreach ($VMHost in Get-VMHost ) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $ESXCli.system.module.list() | Foreach {


    PowerCLI Command Remediation

    # VMware Update Manager PowerCLI Cmdlets can be used to check this feature

    N/A

    # Set the NTP Settings for all hosts
    $NTPServers = "pool.ntp.org", "pool2.ntp.org"
    Get-VMHost | Add-VmHostNtpServer $NTPServers

    # Set Syslog.global.logDir for each host
    Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Syslog.global.logDir -Value "NewLocation" }

    # Update the host SNMP Configuration (single host connection required)
    Get-VmHostSNMP | Set-VMHostSNMP -Enabled:$true -ReadOnlyCommunity 'secret'

    # Set DCUI to start manually rather than automatic for all hosts
    Get-VMHost | Get-VMHostService | Where { $_.key -eq "DCUI" } | Set-VMHostService -Policy Off

    # Set ESXi Shell to start manually rather than automatic for all hosts
    Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM" } | Set-VMHostService -Policy Off

    N/A

    # Set SSH to start manually rather than automatic for all hosts
    Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM-SSH" } | Set-VMHostService -Policy Off


    # Join the ESXI Host to the Domain
    Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain domain.local -User Administrator -Password Passw0rd -JoinDomain

    # Join the ESXI Host to the Domain
    Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain domain.local -User Administrator -Password Passw0rd -JoinDomain

    # Set the Chap settings for the Iscsi Adapter
    Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Set-VMHostHba # Use desired parameters here

    # Enable lockdown mode for each host
    Get-VMHost | Foreach { $_.EnterLockdownMode() }

    # Configure the remote Dump Collector server on each host
    Foreach ( $VMHost in Get-VMHost ) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $ESXCli.system.coredump.network.set($null, "[VMK#]", "[DUMP SERVER]", "[PORT]")
    }

    # Set Syslog.global.logHost for each host
    Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Syslog.global.logHost -Value "NewLocation" }

    N/A

    # Create a new host user account -Host Local connection required-
    New-VMHostAccount -ID ServiceUser -Password pass -UserAccount

    N/A


    N/A

    N/A

    N/A

    # Set Remove UserVars.ESXiShellInteractiveTimeOut to 900 on all hosts
    Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name UserVars.ESXiShellInteractiveTimeOut -

    # Set Remove UserVars.ESXiShellTimeOut to 900 on all hosts
    Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name UserVars.ESXiShellTimeOut -Value 900 }

    # Set the Chap settings for the Iscsi Adapter
    Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Set-VMHostHba # Use desired parameters here

    # Set the Software AcceptanceLevel for each host
    Foreach ($VMHost in Get-VMHost ) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $ESXCli.software.acceptance.Set("VMwareCertified")
    }

    # Set the Software AcceptanceLevel for each host
    Foreach ($VMHost in Get-VMHost ) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $ESXCli.software.acceptance.Set("VMwareCertified")
    }

    # Set the Software AcceptanceLevel for each host
    Foreach ($VMHost in Get-VMHost ) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    $ESXCli.software.acceptance.Set("VMwareCertified")
    }


    N/A

    N/A

    # Set Remove Net.DVFilterBindIpAddress to null on all hosts
    Get-VMHost HOST1 | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Net.DVFilterBindIpAddress -Value "" }

    N/A

    # To disable a module:
    $ESXCli = Get-EsxCli -VMHost MyHost
    $ESXCli.system.module.set($false, $false, "MyModuleName")


    Negative Functional Impact

    Only systems in the IP whitelist/ACL will be able to connect to services on the ESXi server

    Disabling the DCUI can create a potential "lock out" situation should the host become isolated from vCenter Server. To recover from a "lock out" scenario requires re-installing ESXi. Consider leaving DCUI

    The MOB will no longer be available for diagnostics. Some 3rd party tools use this interface to gather information. Testing should be done after disabling the MOB to verify 3rd party applications are still


    There are some operations, such as backup and troubleshooting, that require direct access to the host. In these cases Lockdown Mode can be disabled on a temporary basis for specific hosts as needed, and then


    Disabling the SSH "authorized_keys" access may limit your ability to remotely run commands on a host without providing a valid login (e.g. prevent the ability to run unattended remote scripting).

    Use of revoked certificates could leave your system open to attack.

    Third party VIBs tested by VMware partners are not allowed on the host. This could include some device drivers, CIM modules, and other add-on software. Host customization using custom VIBs is not allowed.

    No VMware partner VIBs are allowed on the host, to include non-VMware written device drivers, CIM modules, and other third party software. Host customization using custom VIBs is not allowed.

    Host customization using custom VIBs is not allowed.


    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vcli.examples.doc/cli_manage_hosts.4.4.html

    This will prevent a dvfilter-based network security appliance from functioning


    Reference / Able to set using Host Profile?

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.update_manager.doc/GUID-EF6BEE4C-4583-4A8C-81B9-5B074CA2E272.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-DD4322FF-3DC4-4716-8819-6688938F99D7.html YES

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-2553C86E-7981-4F79-B9FC-A6CECA52F6CC.html YES

    http://kb.vmware.com/kb/1033696
    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID- YES

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.monitoring.doc/GUID-8EF36D7D-59B6-4C74-B1AA-4A9D18AB6250.html YES

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.hostclient.doc/GUID-670B9B8C-3810-4790-AC83-57142A9FE16F.html YES

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6779F098-48FE-4E22-B116-A8353D19FF56.html YES

    http://kb.vmware.com/kb/2004746
    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID- YES

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-0EF83EA7-277C-400B-B697-04BDC9173EA3.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-12E27BF3-3769-4665-8769-DA76C2BC9FFE.html YES


    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-28650C2C-93E3-4C00-B78A-7B785AA42D92.html YES

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-084B74BD-40A5-4A4B-A82C-0C9912D580DC.html YES

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.storage.doc/GUID-AC65D747-728F-4109-96DD-49B433E2F266.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.hostprofiles.doc/GUID-78BB234A-D735-4356-9CCF-19DD55DB8060.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-88B24613-E8F9-40D2-B838-225F5FF480FF.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-64213886-7181-4767-9ED5-D8C989B9ECAE.html YES

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html YES

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-AC7E6DD7-F984-4E0F-983A-463031BA5FE7.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.cimsdk.smashpg.doc/03_CIM_SMASH_PG_Use_Cases.5.1.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-BFE9046A-2278-4026-809A-ED8F9D8FDACE.html NO


    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-ED477079-1E7E-4EBA-AAFE-019FB335DABC.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6779F098-48FE-4E22-B116-A8353D19FF56.html YES

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-DC96FFDB-F5F2-43EC-8C73-05ACDAE6BE43.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-94F0C54F-05E3-4E16-8027-0280B9ED1009.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-94F0C54F-05E3-4E16-8027-0280B9ED1009.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.storage.doc/GUID-AC65D747-728F-4109-96DD-49B433E2F266.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.install.doc/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.html NO


    http://pubs.vmware.com/vsphere-55/topic/com.vmware.wssdk.apiref.doc/vim.host.AuthenticationManager.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.hostprofiles.doc/GUID-78BB234A-D735-4356-9CCF-19DD55DB8060.html NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.ext_solutions.doc/GUID-6013E15D-92CE-4970-953C-ACCB36ADA8AD.html NO

    http://kb.vmware.com/kb/1537 NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-E9B71B85-FBA3-447C-8A60-DEE2AE1A405A.html
    http://kb.vmware.com/kb/2042473 NO

    http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.storage.doc/GUID-050C0FEE-2C75-4356-B9E0-CC802333FF41.html NO


    Covered by VCM?

    No

    Yes

    Yes

    Yes

    No

    No

    Yes

    Yes

    No

    Yes


    Yes

    No

    Yes

    Yes

    Yes

    No

    Yes

    No

    No

    No


    No

    No

    Yes

    No

    Yes

    Yes

    No

    No

    No

    No


    No

    No

    Yes

    No

    No

    No