Vsphere Esxi Vcenter Server 672 Security Guide

The document provides comprehensive security guidelines for VMware vSphere 6.7, including securing ESXi hosts, vCenter Server, and virtual machines. It covers best practices for permissions, user management, network security, and encryption, along with detailed instructions for configuration and management tasks. Additionally, it includes information on utilizing Active Directory and TLS protocol configuration for enhanced security measures.


vSphere Security

Update 2
Modified on 30 AUG 2024
VMware vSphere 6.7
VMware ESXi 6.7
vCenter Server 6.7
vSphere Security

You can find the most up-to-date technical documentation on the VMware by Broadcom website at:

https://docs.vmware.com/

VMware by Broadcom
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2009-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc.
and/or its subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade
names, service marks, and logos referenced herein belong to their respective companies.

VMware by Broadcom 2
Contents

About vSphere Security 12

Updated Information 15

1 Security in the vSphere Environment 18


Securing the ESXi Hypervisor 18
Securing vCenter Server Systems and Associated Services 20
Securing Virtual Machines 21
Securing the Virtual Networking Layer 22
Passwords in Your vSphere Environment 24
Security Best Practices and Resources 25

2 vSphere Permissions and User Management Tasks 28


Understanding Authorization in vSphere 29
Hierarchical Inheritance of Permissions 32
Multiple Permission Settings 35
Example 1: Permission Inheritance from Multiple Groups 35
Example 2: Child Permissions Overriding Parent Permissions 36
Example 3: User Role Overriding Group Role 37
Managing Permissions for vCenter Components 37
Add a Permission to an Inventory Object 38
Change or Remove Permissions 38
Change User Validation Settings 39
Global Permissions 40
Add a Global Permission 40
Permissions on Tag Objects 41
Using Roles to Assign Privileges 43
Create a Custom Role 44
vCenter Server System Roles 45
Best Practices for Roles and Permissions 46
Required Privileges for Common Tasks 47

3 Securing ESXi Hosts 51


General ESXi Security Recommendations 52
Configure ESXi Hosts with Host Profiles 53
Use Scripts to Manage Host Configuration Settings 54
ESXi Passwords and Account Lockout 55
SSH Security 57


ESXi SSH Keys 58


PCI and PCIe Devices and ESXi 60
Disable the Managed Object Browser 60
ESXi Networking Security Recommendations 61
Modifying ESXi Web Proxy Settings 62
vSphere Auto Deploy Security Considerations 62
Control Access for CIM-Based Hardware Monitoring Tools 63
Certificate Management for ESXi Hosts 64
Host Upgrades and Certificates 66
Certificate Mode Switch Workflows 67
ESXi Certificate Default Settings 69
Change Certificate Default Settings 70
View Certificate Expiration Information for Multiple ESXi Hosts 71
View Certificate Details for a Single ESXi Host 72
Renew or Refresh ESXi Certificates 73
Change the Certificate Mode 74
Replacing ESXi SSL Certificates and Keys 74
Requirements for ESXi Certificate Signing Requests 76
Replace the Default Certificate and Key from the ESXi Shell 76
Replace a Default Certificate and Key with the vifs Command 77
Replace a Default Certificate Using HTTPS PUT 78
Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates) 79
Use Custom Certificates with Auto Deploy 80
Restore ESXi Certificate and Key Files 82
Customizing Hosts with the Security Profile 83
ESXi Firewall Configuration 83
Manage ESXi Firewall Settings 84
Add Allowed IP Addresses for an ESXi Host 85
Incoming and Outgoing Firewall Ports for ESXi Hosts 86
NFS Client Firewall Behavior 86
ESXi ESXCLI Firewall Commands 87
Customizing ESXi Services from the Security Profile 88
Enable or Disable a Service 89
Lockdown Mode 90
Lockdown Mode Behavior 91
Enable Lockdown Mode 92
Disable Lockdown Mode 93
Enable or Disable Normal Lockdown Mode from the Direct Console User Interface 94
Specifying Accounts with Access Privileges in Lockdown Mode 94
Manage the Acceptance Levels of Hosts and VIBs 96
Assigning Privileges for ESXi Hosts 98


Using Active Directory to Manage ESXi Users 100


Configure a Host to Use Active Directory 101
Add a Host to a Directory Service Domain 102
View Directory Service Settings 102
Using vSphere Authentication Proxy 103
Enable vSphere Authentication Proxy 104
Add a Domain to vSphere Authentication Proxy with the vSphere Web Client 105
Add a Domain to vSphere Authentication Proxy with the camconfig Command 105
Use vSphere Authentication Proxy to Add a Host to a Domain 106
Enable Client Authentication for vSphere Authentication Proxy 107
Import the vSphere Authentication Proxy Certificate to ESXi Host 108
Generate a New Certificate for vSphere Authentication Proxy 109
Set Up vSphere Authentication Proxy to Use Custom Certificates 109
Configuring Smart Card Authentication for ESXi 112
Enable Smart Card Authentication 112
Disable Smart Card Authentication 113
Authenticating With User Name and Password in Case of Connectivity Problems 113
Using Smart Card Authentication in Lockdown Mode 113
Using the ESXi Shell 114
Enable Access to the ESXi Shell 115
Create a Timeout for ESXi Shell Availability 116
Create a Timeout for Idle ESXi Shell Sessions 116
Use the Direct Console User Interface to Enable Access to the ESXi Shell 117
Set Availability Timeout or Idle Timeout for the ESXi Shell 117
Log in to the ESXi Shell for Troubleshooting 118
UEFI Secure Boot for ESXi Hosts 118
Run the Secure Boot Validation Script on an Upgraded ESXi Host 120
Securing ESXi Hosts with Trusted Platform Module 121
View ESXi Host Attestation Status 122
Troubleshoot ESXi Host Attestation Problems 123
ESXi Log Files 123
Configure Syslog on ESXi Hosts 124
ESXi Log File Locations 125
Securing Fault Tolerance Logging Traffic 126

4 Securing vCenter Server Systems 127


vCenter Server Security Best Practices 127
Best Practices for vCenter Server Access Control 127
Set the vCenter Server Password Policy 129
Removing Expired or Revoked Certificates and Logs from Failed Installations 129
Protecting the vCenter Server Windows Host 130


Limiting vCenter Server Network Connectivity 130


Evaluate the Use of Linux Clients with CLIs and SDKs 131
Examine Client Plug-Ins 131
vCenter Server Appliance Security Best Practices 132
vCenter Password Requirements and Lockout Behavior 133
Verify Thumbprints for Legacy ESXi Hosts 134
Required Ports for vCenter Server and Platform Services Controller 134

5 Securing Virtual Machines 136


Enable or Disable UEFI Secure Boot for a Virtual Machine 136
Limit Informational Messages from Virtual Machines to VMX Files 138
Virtual Machine Security Best Practices 138
General Virtual Machine Protection 139
Use Templates to Deploy Virtual Machines 140
Minimize Use of the Virtual Machine Console 140
Prevent Virtual Machines from Taking Over Resources 141
Disable Unnecessary Functions Inside Virtual Machines 141
Remove Unnecessary Hardware Devices 142
Disable Unused Display Features 143
Disable Unexposed Features 143
Disable VMware Shared Folders Sharing Host Files to the Virtual Machine 144
Disable Copy and Paste Operations Between Guest Operating System and Remote Console 145
Limiting Exposure of Sensitive Data Copied to the Clipboard 145
Restrict Users from Running Commands Within a Virtual Machine 146
Prevent a Virtual Machine User or Process from Disconnecting Devices 147
Prevent Guest Operating System Processes from Sending Configuration Messages to the Host 147
Avoid Using Independent Nonpersistent Disks 148

6 Virtual Machine Encryption 149


How vSphere Virtual Machine Encryption Protects Your Environment 149
vSphere Virtual Machine Encryption Components 152
Encryption Process Flow 153
Virtual Disk Encryption 155
Prerequisites and Required Privileges for Encryption Tasks 156
Encrypted vSphere vMotion 157
Encryption Best Practices, Caveats, and Interoperability 159
Virtual Machine Encryption Best Practices 159
Virtual Machine Encryption Caveats 161
Virtual Machine Encryption Interoperability 163


7 Use Encryption in Your vSphere Environment 166


Set up the Key Management Server Cluster 166
Add a KMS to vCenter Server in the vSphere Client 166
Add a KMS to vCenter Server in the vSphere Web Client 168
Establish a Trusted Connection by Exchanging Certificates 169
Use the Root CA Certificate Option to Establish a Trusted Connection 170
Use the Certificate Option to Establish a Trusted Connection 170
Use the New Certificate Signing Request Option to Establish a Trusted Connection 171
Use the Upload Certificate and Private Key Option to Establish a Trusted Connection 172
Set the Default KMS Cluster 172
Complete the Trust Setup 173
Set Up Separate KMS Clusters for Different Users 173
Create an Encryption Storage Policy 174
Enable Host Encryption Mode Explicitly 175
Disable Host Encryption Mode 176
Create an Encrypted Virtual Machine 176
Clone an Encrypted Virtual Machine 177
Encrypt an Existing Virtual Machine or Virtual Disk 178
Decrypt an Encrypted Virtual Machine or Virtual Disk 180
Change the Encryption Policy for Virtual Disks 181
Resolve Missing Key Issues 182
Unlock Locked Virtual Machines 184
Resolve ESXi Host Encryption Mode Issues 185
Re-Enable ESXi Host Encryption Mode 186
Set Key Management Server Certificate Expiration Threshold 186
vSphere Virtual Machine Encryption and Core Dumps 187
Collect a vm-support Package for an ESXi Host That Uses Encryption 188
Decrypt or Re-Encrypt an Encrypted Core Dump 189

8 Securing Virtual Machines with Virtual Trusted Platform Module 191


Virtual Trusted Platform Module Overview 191
Create a Virtual Machine with a Virtual Trusted Platform Module 193
Enable Virtual Trusted Platform Module for an Existing Virtual Machine 194
Remove Virtual Trusted Platform Module from a Virtual Machine 195
Identify Virtual Trusted Platform Module Enabled Virtual Machines 196
View Virtual Trusted Platform Module Device Certificates 196
Export and Replace Virtual Trusted Platform Module Device Certificates 197

9 Securing Windows Guest Operating Systems with Virtualization-based Security 199


Virtualization-based Security Best Practices 200


Enable Virtualization-based Security on a Virtual Machine 201
Enable Virtualization-based Security on an Existing Virtual Machine 202
Enable Virtualization-based Security on the Guest Operating System 203
Disable Virtualization-based Security 203
Identify VBS-Enabled Virtual Machines 204

10 Securing vSphere Networking 205


Introduction to vSphere Network Security 205
Securing the Network With Firewalls 207
Firewalls for Configurations With vCenter Server 207
Connecting to vCenter Server Through a Firewall 208
Connecting ESXi Hosts Through Firewalls 209
Firewalls for Configurations Without vCenter Server 209
Connecting to the Virtual Machine Console Through a Firewall 209
Secure the Physical Switch 210
Securing Standard Switch Ports with Security Policies 211
Securing vSphere Standard Switches 211
MAC Address Changes 212
Forged Transmits 213
Promiscuous Mode Operation 213
Standard Switch Protection and VLANs 214
Secure vSphere Distributed Switches and Distributed Port Groups 215
Securing Virtual Machines with VLANs 216
Security Considerations for VLANs 218
Secure VLANs 218
Creating Multiple Networks Within a Single ESXi Host 218
Internet Protocol Security 221
List Available Security Associations 221
Add an IPsec Security Association 221
Remove an IPsec Security Association 222
List Available IPsec Security Policies 223
Create an IPSec Security Policy 223
Remove an IPsec Security Policy 224
Ensure Proper SNMP Configuration 225
vSphere Networking Security Best Practices 225
General Networking Security Recommendations 225
Labeling Networking Components 227
Document and Check the vSphere VLAN Environment 227
Adopting Network Isolation Practices 228
Use Virtual Switches with the vSphere Network Appliance API Only If Required 229


11 Best Practices Involving Multiple vSphere Components 231


Synchronizing Clocks on the vSphere Network 231
Synchronize ESXi Clocks with a Network Time Server 232
Configuring Time Synchronization Settings in the vCenter Server Appliance 233
Use VMware Tools Time Synchronization 233
Add or Replace NTP Servers in the vCenter Server Appliance Configuration 234
Synchronize the Time in the vCenter Server Appliance with an NTP Server 234
Storage Security Best Practices 235
Securing iSCSI Storage 235
Securing iSCSI Devices 236
Protecting an iSCSI SAN 236
Masking and Zoning SAN Resources 237
Using Kerberos for NFS 4.1 237
Verify That Sending Host Performance Data to Guests Is Disabled 238
Setting Timeouts for the ESXi Shell and vSphere Web Client 239

12 Managing TLS Protocol Configuration with the TLS Configurator Utility 241
Ports That Support Disabling TLS Versions 241
Enabling or Disabling TLS Versions in vSphere 242
Perform an Optional Manual Backup 243
Enable or Disable TLS Versions on vCenter Server Systems 244
Enable or Disable TLS Versions on ESXi Hosts 245
Enable or Disable TLS Versions on External Platform Services Controller Systems 247
Scan vCenter Server for Enabled TLS Protocols 248
Revert TLS Configuration Changes 249
Enable or Disable TLS Versions on vSphere Update Manager on Windows 251
Disable Earlier TLS Versions for Update Manager Port 9087 251
Disable Earlier TLS Versions for Update Manager Port 8084 252
Reenable Disabled TLS Versions for Update Manager Port 9087 253
Reenable Disabled TLS Versions for Update Manager Port 8084 254

13 Defined Privileges 256


Alarms Privileges 257
Auto Deploy and Image Profile Privileges 258
Certificates Privileges 259
Content Library Privileges 259
Cryptographic Operations Privileges 261
Datacenter Privileges 263
Datastore Privileges 264
Datastore Cluster Privileges 265
Distributed Switch Privileges 265


ESX Agent Manager Privileges 266


Extension Privileges 266
External Stats Provider Privileges 267
Folder Privileges 267
Global Privileges 267
Health Update Provider Privileges 268
Host CIM Privileges 268
Host Configuration Privileges 269
Host Inventory 270
Host Local Operations Privileges 271
Host vSphere Replication Privileges 271
Host Profile Privileges 272
Network Privileges 272
Performance Privileges 273
Permissions Privileges 273
Profile-driven Storage Privileges 274
Resource Privileges 274
Scheduled Task Privileges 275
Sessions Privileges 276
Storage Views Privileges 276
Tasks Privileges 276
Transfer Service Privileges 277
Virtual Machine Configuration Privileges 277
Virtual Machine Guest Operations Privileges 279
Virtual Machine Interaction Privileges 280
Virtual Machine Inventory Privileges 283
Virtual Machine Provisioning Privileges 284
Virtual Machine Service Configuration Privileges 285
Virtual Machine Snapshot Management Privileges 286
Virtual Machine vSphere Replication Privileges 286
dvPort Group Privileges 287
vApp Privileges 287
vServices Privileges 289
vSphere Tagging Privileges 289

14 Understanding vSphere Hardening and Compliance 291


Security Versus Compliance in the vSphere Environment 291
Understanding the vSphere Security Configuration Guide 294
About the National Institute of Standards and Technology 296
About DISA STIGs 297
About VMware Security Development Lifecycle 297


Audit Logging 298


Single Sign-On Audit Events 298
Understanding Security and Compliance Next Steps 299

About vSphere Security
vSphere Security provides information about securing your vSphere environment for
VMware vCenter Server® and VMware ESXi®.

To help you protect your vSphere environment, this documentation describes available security
features and the measures that you can take to safeguard your environment from attack.

Table 1-1. vSphere Security Highlights

Topics / Content Highlights

Permissions and User Management
- Permissions model (roles, groups, objects).
- Creating custom roles.
- Setting permissions.
- Managing global permissions.

Host Security Features
- Lockdown mode and other security profile features.
- Host smart card authentication.
- vSphere Authentication Proxy.
- UEFI Secure Boot.
- Trusted Platform Module (TPM).

Virtual Machine Encryption
- How does VM encryption work?
- KMS setup.
- Encrypting and decrypting VMs.
- Troubleshooting and best practices.

Guest OS Security
- Virtual Trusted Platform Module (vTPM).
- Virtualization Based Security (VBS).

Managing TLS Protocol Configuration
- Changing TLS protocol configuration using a command-line utility.

Security Best Practices and Hardening
Best practices and advice from VMware security experts.
- vCenter Server security
- Host security
- Virtual machine security
- Networking security

vSphere Privileges
- Complete listing of all vSphere privileges supported in this release.


Related Documentation
A companion document, Platform Services Controller Administration, explains how you can use
the Platform Services Controller services, for example, to manage authentication with vCenter
Single Sign-On and to manage certificates in your vSphere environment.

In addition to these documents, VMware publishes the vSphere Security Configuration Guide
(formerly known as the Hardening Guide) for each release of vSphere, accessible at
http://www.vmware.com/security/hardening-guides.html. The vSphere Security Configuration Guide
contains guidelines on security settings that can or should be set by the customer, and security
settings delivered by VMware that should be audited by the customer to ensure that they are still
set to default.

Intended Audience
This information is for experienced Windows or Linux system administrators who are familiar with
virtual machine technology and data center operations.

vSphere Client and vSphere Web Client


Instructions in this guide reflect the vSphere Client (an HTML5-based GUI). You can also use the
instructions to perform the tasks by using the vSphere Web Client (a Flex-based GUI).

Tasks for which the workflow differs significantly between the vSphere Client and the vSphere
Web Client have duplicate procedures that provide steps for the respective client interface.
The procedures that relate to the vSphere Web Client contain "vSphere Web Client" in the title.

Note In vSphere 6.7 Update 1, almost all of the vSphere Web Client functionality is implemented
in the vSphere Client. For an up-to-date list of any remaining unsupported functionality, see
Functionality Updates for the vSphere Client.

Certifications
VMware publishes a public list of VMware products that have completed Common Criteria
certifications. To check if a particular VMware product version has been certified, see the
Common Criteria Evaluation and Validation webpage at
https://www.vmware.com/security/certifications/common-criteria.html.

Support for Federal Information Processing Standard 140-2


Starting with version 6.7, vCenter Server supports the Federal Information Processing Standard
(FIPS) 140-2.


FIPS 140-2 is a U.S. and Canadian government standard that specifies security requirements for
cryptographic modules. By default, FIPS 140-2 is always enabled after installation or upgrade of
vCenter Server 6.7 or greater, and ESXi 6.7 or greater.

To learn more about support for FIPS 140-2 in VMware products, see
https://www.vmware.com/security/certifications/fips.html.

Updated Information

This vSphere Security document is updated with each release of the product or when necessary.

This table provides the update history of the vSphere Security documentation.

Revision / Description

30 AUG 2024
- Updated video links.

04 JUN 2024
- Minor update to How vSphere Virtual Machine Encryption Protects Your Environment.
- Minor update to Create a Virtual Machine with a Virtual Trusted Platform Module.

15 FEB 2023
- Minor update to Virtual Machine Encryption Interoperability.

30 JAN 2023
- Updated How vSphere Virtual Machine Encryption Protects Your Environment and Prerequisites and Required Privileges for Encryption Tasks to state that ESXi Shell users also have cryptographic operation privileges.
- Updated Enable Virtual Trusted Platform Module for an Existing Virtual Machine to state that the Virtual machine.Configuration.Add or remove device privilege is required.

21 DEC 2022
- Minor update to Collect a vm-support Package for an ESXi Host That Uses Encryption.
- Minor update to Remove Virtual Trusted Platform Module from a Virtual Machine.

13 OCT 2022
- Minor updates to Virtualization-based Security Best Practices, Enable Virtualization-based Security on a Virtual Machine, and Enable Virtualization-based Security on an Existing Virtual Machine.

28 SEP 2022
- Minor update to Renew or Refresh ESXi Certificates.

14 JUN 2022
- Fixed the steps to add NTP servers in Add or Replace NTP Servers in the vCenter Server Appliance Configuration.

28 APR 2022
- Minor update to Storage Views Privileges.

21 MAR 2022
- Fixed a typo in Upload an SSH Key Using a vifs Command.
- Minor update to Host Upgrades and Certificates.
- Fixed incorrect commands in step 4 in Use Custom Certificates with Auto Deploy.
- Minor update to Restore ESXi Certificate and Key Files.
- Removed the tabular information from Incoming and Outgoing Firewall Ports for ESXi Hosts, Required Ports for vCenter Server and Platform Services Controller, and Ports That Support Disabling TLS Versions. Going forward, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. As part of transitioning all the ports information to the Ports and Protocols Tool, the "Additional vCenter Server TCP and UDP Ports" topic has also been removed.
- Added information to Virtual Machine Encryption Interoperability.
- Minor update to Resolve ESXi Host Encryption Mode Issues.
- Added required privileges to Create a Virtual Machine with a Virtual Trusted Platform Module, Enable Virtual Trusted Platform Module for an Existing Virtual Machine, and Remove Virtual Trusted Platform Module from a Virtual Machine.
- For a standalone ESXi host, clarified that you must run the reconfigureEsx ESXiHost command from a vCenter Server system in Enable or Disable TLS Versions on ESXi Hosts.

22 OCT 2021
- Updated Replace a Default Certificate and Key with the vifs Command and Replace a Default Certificate Using HTTPS PUT with an alternative to restart the management agents after replacing the certificate.
- Minor update to Use vSphere Authentication Proxy to Add a Host to a Domain.
- Corrected a typo in Change the Encryption Policy for Virtual Disks.
- Corrected a command in Ensure Proper SNMP Configuration.
- Minor update to Revert TLS Configuration Changes.
- Minor update to About DISA STIGs.
- Minor update to Single Sign-On Audit Events.

31 MAR 2021
- Minor update to Security Best Practices and Resources.
- Updated multiple topics in Chapter 2 vSphere Permissions and User Management Tasks.
- Minor update to Chapter 3 Securing ESXi Hosts.
- Updated ESXi Passwords and Account Lockout to include more information about password options.
- Minor update to SSH Security.
- Minor update to ESXi Networking Security Recommendations.
- Minor update to View Certificate Expiration Information for Multiple ESXi Hosts.
- Updated Renew or Refresh ESXi Certificates to include verification steps.
- Updated Requirements for ESXi Certificate Signing Requests with more information about generating CSRs.
- Updated Manage the Acceptance Levels of Hosts and VIBs to correct the syntax of the CLI command and to clarify where to go for support for VMwareAccepted and PartnerSupported VIBs.
- Updated Create a Timeout for Idle ESXi Shell Sessions to show that a value of zero (0) disables the idle time.
- Minor update to Use the Direct Console User Interface to Enable Access to the ESXi Shell.
- Minor update to Securing ESXi Hosts with Trusted Platform Module.
- Updated Troubleshoot ESXi Host Attestation Problems to add more information about checking the vpxd.log file.
- Minor update to Chapter 5 Securing Virtual Machines.
- Minor update to Minimize Use of the Virtual Machine Console.
- Minor update to Prevent Virtual Machines from Taking Over Resources.
- Minor update to Disable Unnecessary Functions Inside Virtual Machines.
- Updated Disable Unused Display Features to show that you need to power off the virtual machine.
- Updated multiple topics in Chapter 8 Securing Virtual Machines with Virtual Trusted Platform Module.
- Updated General Networking Security Recommendations with more information on the Spanning Tree Protocol (STP).
- Updated Adopting Network Isolation Practices with information about isolating vSAN traffic.
- Updated multiple topics in Chapter 14 Understanding vSphere Hardening and Compliance.

13 AUG 2020
- At VMware, we value inclusion. To foster this principle within our customer, partner, and internal community, we are replacing some of the terminology in our content. We have updated this guide to remove instances of non-inclusive language.

18 JUN 2020
- Updated Required Privileges for Common Tasks to show required privileges for adding a single host to a data center and adding multiple hosts to cluster.
- Updated Replacing ESXi SSL Certificates and Keys with a link to the VMware knowledge base article at https://kb.vmware.com/s/article/56441 (Configuring Custom Certificates on ESXi hosts to authenticate vSAN hosts).
- Added port 15080 (Analytics service internal port) to ports information.
- Minor update to Remove Virtual Trusted Platform Module from a Virtual Machine.

28 APR 2020
- Updated Replacing ESXi SSL Certificates and Keys to refer to the correct information about using custom certificates.
- Minor update to Prevent a Virtual Machine User or Process from Disconnecting Devices.
- Updated required privileges for moving hosts into a cluster in Required Privileges for Common Tasks.
- Added information about VMware Remote Console version 11.0 to Connecting to the Virtual Machine Console Through a Firewall.
- Removed the cross reference to "Enable or Disable a Service" from Enable vSphere Authentication Proxy, as it does not apply to vCenter Server.
- Minor update to Use the Direct Console User Interface to Enable Access to the ESXi Shell.
- Updated videos in Add Allowed IP Addresses for an ESXi Host and ESXi Firewall Configuration to show the vSphere Client.
- Added a reference to the vSphere Networking documentation about configuring virtual machine adapters for promiscuous mode in Promiscuous Mode Operation.
- ESXi Certificate Default Settings now shows the correct parameter for "Number of days the certificate is valid" (vpxd.certmgmt.certs.daysValid).

23 DEC 2019
- Corrected the information about Port 80 and Port 9000 to show that they are outgoing firewall connections in Incoming and Outgoing Firewall Ports for ESXi Hosts.
- Corrected a link in About DISA STIGs.

14 NOV 2019
- Added information about vSphere support for the Federal Information Processing Standard 140-2 in About vSphere Security.
- Added log filename and location for Quick Boot to ESXi Log File Locations.
- Corrected the information about Port 9080 to show that it is an incoming firewall connection in Incoming and Outgoing Firewall Ports for ESXi Hosts.

27 AUG 2019
- Corrected steps in Synchronize ESXi Clocks with a Network Time Server.
- Made minor update to Virtual Machine Service Configuration Privileges.

10 JUL 2019
- Updated Virtualization-based Security Best Practices, Enable Virtualization-based Security on a Virtual Machine, and Enable Virtualization-based Security on an Existing Virtual Machine, to reflect that virtualization-based security (VBS) is now supported on Microsoft Server 2019.
- Made minor updates to Virtual Machine Encryption Interoperability and Encrypted vSphere vMotion.

11 APR 2019
- Initial release.

1 Security in the vSphere Environment
The components of a vSphere environment are secured out of the box by several features such
as authentication, authorization, a firewall on each ESXi host, and so on. You can modify the
default setup in many ways. For example, you can set permissions on vCenter objects, open
firewall ports, or change the default certificates. You can take security measures for different
objects in the vCenter object hierarchy, for example, vCenter Server systems, ESXi hosts, virtual
machines, and network and storage objects.

A high-level overview of different areas of vSphere that require attention helps you plan your
security strategy. You also benefit from other vSphere Security resources on the VMware Web
site.

Read the following topics next:

- Securing the ESXi Hypervisor
- Securing vCenter Server Systems and Associated Services
- Securing Virtual Machines
- Securing the Virtual Networking Layer
- Passwords in Your vSphere Environment
- Security Best Practices and Resources

Securing the ESXi Hypervisor


The ESXi hypervisor is secured out of the box. You can further protect ESXi hosts by using
lockdown mode and other built-in features. For consistency, you can set up a reference host
and keep all hosts in sync with the host profile of the reference host. You can also protect your
environment by performing scripted management, which ensures that changes apply to all hosts.

You can enhance protection of ESXi hosts that are managed by vCenter Server with the following
actions. See the Security of the VMware vSphere Hypervisor white paper for background and
details.

Limit ESXi access

By default, the ESXi Shell and SSH services are not running and only the root user can log in
to the Direct Console User Interface (DCUI). If you decide to enable ESXi Shell or SSH access,
you can set availability and idle timeouts to limit the window for unauthorized access.

Users who can access the ESXi host must have permissions to manage the host. You set
permissions on the host object from the vCenter Server system that manages the host.

Use named users and least privilege

By default, the root user can perform many tasks. Do not allow administrators to log in to
the ESXi host using the root user account. Instead, create named administrator users from
vCenter Server and assign those users the Administrator role. You can also assign those
users a custom role. See Create a Custom Role.

If you manage users directly on the host, role management options are limited. See the
vSphere Single Host Management - VMware Host Client documentation.

Minimize the number of open ESXi firewall ports

By default, firewall ports on your ESXi host are opened only when you start a corresponding
service. You can use the vSphere Client or ESXCLI or PowerCLI commands to check and
manage firewall port status.

See ESXi Firewall Configuration.

Automate ESXi host management

Because it is often important that different hosts in the same data center are in sync, use
scripted installation or vSphere Auto Deploy to provision hosts. You can manage the hosts
using scripts. Host profiles are an alternative to scripted management. You set up a reference
host, export the host profile, and apply the host profile to all hosts. You can apply the host
profile directly or as part of provisioning with Auto Deploy.

See Use Scripts to Manage Host Configuration Settings and see the vCenter Server
Installation and Setup documentation for information about vSphere Auto Deploy.

Take advantage of lockdown mode

In lockdown mode, ESXi hosts can be accessed only through vCenter Server by default.
Starting with vSphere 6.0, you can select strict lockdown mode or normal lockdown mode.
You can define Exception Users to allow direct access to service accounts such as backup
agents.
See Lockdown Mode.

Check VIB package integrity

Each VIB package has an associated acceptance level. You can add a VIB to an ESXi host
only if the VIB acceptance level is the same or better than the acceptance level of the
host. You cannot add a CommunitySupported or PartnerSupported VIB to a host unless you
explicitly change the host's acceptance level.

See Manage the Acceptance Levels of Hosts and VIBs.


Manage ESXi certificates

In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each ESXi host
with a signed certificate that has VMCA as the root certificate authority by default. If your
company policy requires it, you can replace the existing certificates with certificates that are
signed by a third-party or an enterprise CA.

See Certificate Management for ESXi Hosts.

Consider Smart card authentication

Starting with vSphere 6.0, ESXi supports the use of smart card authentication instead of
user name and password authentication. For additional security, you can configure smart
card authentication. Two-factor authentication is also supported for vCenter Server. You can
configure user name and password authentication and smart card authentication at the same
time.

See Configuring Smart Card Authentication for ESXi.

Consider ESXi account lockout

Starting with vSphere 6.0, account locking is supported for access through SSH and through
the vSphere Web Services SDK. By default, a maximum of 10 failed attempts is allowed
before the account is locked. The account is unlocked after two minutes by default. The
values in effect on a host are in the Security.AccountLockFailures and
Security.AccountUnlockTime advanced settings; setting the failure count to 0 disables lockout.

Note The Direct Console User Interface (DCUI) and the ESXi Shell do not support account lockout.

See ESXi Passwords and Account Lockout.

Security considerations for standalone hosts are similar, though the management tasks might
differ. See the vSphere Single Host Management - VMware Host Client documentation.
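The checks listed above can be collected from vCenter Server in one pass. The following PowerCLI script is an added example and is not code from this guide; it assumes an existing Connect-VIServer session, and the 900-second shell timeout threshold is a local policy choice rather than a vSphere default.

```powershell
# Added example for this section; it is not code from the vSphere Security guide.
# Requires VMware PowerCLI and an existing Connect-VIServer session to vCenter Server.
# $MaxShellTimeout is a local policy choice (assumption), not a vSphere default.
$MaxShellTimeout = 900   # seconds

function Get-EsxiSecurityPosture {
    param([Parameter(Mandatory)]$VMHost)

    # Fetch the advanced settings once and index them by name.
    $adv = @{}
    Get-AdvancedSetting -Entity $VMHost | ForEach-Object { $adv[$_.Name] = $_.Value }

    # TSM is the ESXi Shell service, TSM-SSH the SSH service.
    # Policy 'off' means the service is not started with the host.
    $svc = @{}
    Get-VMHostService -VMHost $VMHost |
        Where-Object { $_.Key -in 'TSM', 'TSM-SSH' } |
        ForEach-Object { $svc[$_.Key] = $_ }

    # Enabled firewall rulesets that accept connections from any source address.
    $openToAny = Get-VMHostFirewallException -VMHost $VMHost |
        Where-Object { $_.Enabled -and $_.ExtensionData.AllowedHosts.AllIp } |
        Select-Object -ExpandProperty Name

    $esxcli = Get-EsxCli -VMHost $VMHost -V2

    [pscustomobject]@{
        Host                 = $VMHost.Name
        LockdownMode         = [string]$VMHost.ExtensionData.Config.LockdownMode  # lockdownDisabled / lockdownNormal / lockdownStrict
        ShellRunning         = $svc['TSM'].Running
        ShellStartPolicy     = $svc['TSM'].Policy
        SshRunning           = $svc['TSM-SSH'].Running
        SshStartPolicy       = $svc['TSM-SSH'].Policy
        ShellTimeoutSec      = [int]$adv['UserVars.ESXiShellTimeOut']             # 0 = no timeout
        ShellIdleTimeoutSec  = [int]$adv['UserVars.ESXiShellInteractiveTimeOut']  # 0 = no timeout
        DcuiAccess           = $adv['DCUI.Access']                                # users allowed at the DCUI
        AccountLockFailures  = [int]$adv['Security.AccountLockFailures']          # 0 = lockout disabled
        AccountUnlockTimeSec = [int]$adv['Security.AccountUnlockTime']
        PasswordQuality      = $adv['Security.PasswordQualityControl']            # pam_passwdqc options
        AcceptanceLevel      = $esxcli.software.acceptance.get.Invoke()
        FirewallOpenToAnyIp  = ($openToAny -join ',')
    }
}

$report = Get-VMHost | Sort-Object Name | ForEach-Object { Get-EsxiSecurityPosture -VMHost $_ }

# Hosts that fail at least one of the checks described in this section.
$report | Where-Object {
    $_.LockdownMode -eq 'lockdownDisabled' -or
    $_.ShellRunning -or $_.SshRunning -or
    $_.ShellStartPolicy -ne 'off' -or $_.SshStartPolicy -ne 'off' -or
    $_.ShellTimeoutSec -eq 0 -or $_.ShellTimeoutSec -gt $MaxShellTimeout -or
    $_.ShellIdleTimeoutSec -eq 0 -or $_.ShellIdleTimeoutSec -gt $MaxShellTimeout -or
    $_.DcuiAccess -ne 'root' -or
    $_.AccountLockFailures -eq 0 -or
    $_.AcceptanceLevel -in 'PartnerSupported', 'CommunitySupported' -or
    $_.FirewallOpenToAnyIp -match 'sshServer'
} | Format-Table -AutoSize
```

The report reads the values vCenter Server holds for each host, so it also catches drift on hosts that were changed from the DCUI or the ESXi Shell. To change lockdown mode or the Exception Users list from PowerCLI, use the ChangeLockdownMode and UpdateLockdownExceptions methods of the host's HostAccessManager view (Get-View on $VMHost.ExtensionData.ConfigManager.HostAccessManager).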

Securing vCenter Server Systems and Associated Services


Your vCenter Server system and associated services are protected by authentication through
vCenter Single Sign-On and by authorization through the vCenter Server permissions model.
You can modify the default behavior, and you can take additional steps to limit access to your
environment.

As you protect your vSphere environment, consider that all services that are associated with the
vCenter Server instances must be protected. In some environments, you might protect several
vCenter Server instances and one or more Platform Services Controller instances.

Harden all vCenter host machines

The first step in protecting your vCenter environment is hardening each machine on which
vCenter Server or an associated service runs. Similar considerations apply to a physical
machine or a virtual machine. Always install the latest security patches for your operating
system and follow industry standard best practices to protect the host machine.

Learn about the vCenter certificate model


By default, the VMware Certificate Authority provisions each ESXi host, each machine in the
environment, and each solution user with a certificate signed by VMCA. The environment
works out of the box, but if company policy requires it, you can change the default behavior.
See the Platform Services Controller Administration documentation for details.
For additional protection, explicitly remove expired or revoked certificates and failed
installations.

Configure vCenter Single Sign-On

vCenter Server and associated services are protected by the vCenter Single Sign-On
authentication framework. When you first install the software, you specify a password for the
administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default.
Only that domain is initially available as an identity source. You can add other identity
sources, either Active Directory or LDAP, and set a default identity source. Going forward,
users who can authenticate to one of those identity sources can view objects and perform
tasks if they are authorized to do so. See the Platform Services Controller Administration
documentation for details.

Assign roles to named users or groups

For better logging, associate each permission that you give on an object with a named user
or group and a predefined role or custom role. The vSphere 6.0 permissions model allows
great flexibility through multiple ways of authorizing users or groups. See Understanding
Authorization in vSphere and Required Privileges for Common Tasks.

Restrict administrator privileges and the use of the Administrator role. If possible, do not
use the shared administrator account of the vCenter Single Sign-On domain for day-to-day
work; act as a named user so that actions in the logs can be attributed to a person.

Set up NTP

Set up NTP for each node in your environment. The certificate infrastructure requires an
accurate time stamp and does not work correctly if the nodes are out of sync.

See Synchronizing Clocks on the vSphere Network.

Securing Virtual Machines


To secure your virtual machines, keep the guest operating systems patched and protect
your environment just as you protect your physical machine. Consider disabling unnecessary
functionality, minimize the use of the virtual machine console, and follow other best practices.

Protect the guest operating system

To protect your guest operating system, make sure that it uses the most recent patches and,
if appropriate, anti-spyware and anti-malware applications. See the documentation from your
guest operating system vendor and, potentially, other information available in books or on
the Internet for that operating system.

Disable unnecessary functionality


Check that unnecessary functionality is disabled to minimize potential points of attack. Many
of the features that are used infrequently are disabled by default. Remove unnecessary
hardware and disable certain features such as host-guest filesystem (HGFS) or copy and
paste between the virtual machine and a remote console.
See Disable Unnecessary Functions Inside Virtual Machines.

Use templates and scripted management

Virtual machine templates enable you to set up the operating system so that it meets your
requirements, and to create other VMs with the same settings.

If you want to change virtual machine settings after initial deployment, consider using scripts,
for example, PowerCLI. This documentation explains how to perform tasks using the GUI.
Consider using scripts instead of the GUI to keep your environment consistent. In large
environments, you can group virtual machines into folders to optimize scripting.

For information on templates, see Use Templates to Deploy Virtual Machines and the
vSphere Virtual Machine Administration. For information on PowerCLI, see the VMware
PowerCLI documentation.

Minimize use of the virtual machine console

The virtual machine console provides the same function for a virtual machine that a monitor
on a physical server provides. Users with access to a virtual machine console have access
to virtual machine power management and to removable device connectivity controls. As a
result, virtual machine console access might allow a malicious attack on a virtual machine.

Consider UEFI secure boot

Starting with vSphere 6.5, virtual machines with hardware version 13 or later that use UEFI
firmware can boot with UEFI secure boot. If the guest operating system supports secure boot,
select that option for your VMs for additional security. See Enable or Disable UEFI Secure
Boot for a Virtual Machine.
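The two recommendations above, disabling unnecessary functionality and UEFI secure boot, can be audited and applied per VM from PowerCLI. The script below is an added example, not code from this guide. The isolation.* names are documented virtual machine advanced settings; which of them to enforce is a local policy choice, and the VM name in the commented remediation line is a placeholder.

```powershell
# Added example, not code from the vSphere Security guide. Assumes a PowerCLI session to
# vCenter Server. The isolation.* names are documented VM advanced settings; the selection
# enforced here is a policy decision (assumption), not a vSphere default.
$IsolationSettings = @{
    'isolation.tools.copy.disable'          = 'TRUE'   # clipboard copy from VM to console
    'isolation.tools.paste.disable'         = 'TRUE'   # clipboard paste from console to VM
    'isolation.tools.dnd.disable'           = 'TRUE'   # drag and drop through the console
    'isolation.tools.hgfsServerSet.disable' = 'TRUE'   # host-guest file system (HGFS)
    'isolation.device.connectable.disable'  = 'TRUE'   # console users cannot connect devices
    'isolation.device.edit.disable'         = 'TRUE'   # console users cannot edit devices
}

function Test-VmHardening {
    param([Parameter(Mandatory)]$VM)
    $cfg = $VM.ExtensionData.Config
    $adv = @{}
    Get-AdvancedSetting -Entity $VM -Name 'isolation.*' | ForEach-Object { $adv[$_.Name] = $_.Value }
    # A setting that is absent is reported as missing even if the feature is off by default:
    # setting it explicitly records the intent and survives a template that changes the default.
    $missing = $IsolationSettings.Keys | Where-Object { "$($adv[$_])".ToUpper() -ne 'TRUE' }
    [pscustomobject]@{
        VM               = $VM.Name
        HardwareVersion  = $cfg.Version                          # vmx-13 or later for secure boot
        Firmware         = $cfg.Firmware                         # 'bios' or 'efi'
        SecureBoot       = [bool]$cfg.BootOptions.EfiSecureBootEnabled
        MissingIsolation = @($missing)
    }
}

function Set-VmHardening {
    param([Parameter(Mandatory)]$VM, [switch]$EnableSecureBoot)
    foreach ($name in $IsolationSettings.Keys) {
        # -Force overwrites an existing value. Isolation settings take effect at the next power cycle.
        New-AdvancedSetting -Entity $VM -Name $name -Value $IsolationSettings[$name] -Confirm:$false -Force | Out-Null
    }
    if ($EnableSecureBoot) {
        $cfg = $VM.ExtensionData.Config
        # Only set the flag on a VM that already uses EFI firmware. Switching an installed guest
        # from BIOS to EFI leaves it unbootable until the OS is reinstalled or converted.
        if ($VM.PowerState -ne 'PoweredOff') { throw "$($VM.Name) must be powered off" }
        if ($cfg.Firmware -ne 'efi') { throw "$($VM.Name) uses BIOS firmware; not enabling secure boot" }
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
        $spec.BootOptions.EfiSecureBootEnabled = $true
        $VM.ExtensionData.ReconfigVM($spec)
    }
}

# Report first, then remediate only the VMs you are responsible for.
$findings = Get-VM | ForEach-Object { Test-VmHardening -VM $_ }
$findings | Where-Object { $_.MissingIsolation.Count -gt 0 -or -not $_.SecureBoot } | Format-Table -AutoSize
# Remediation of a single VM (placeholder name):
# Set-VmHardening -VM (Get-VM -Name 'web01') -EnableSecureBoot
```

Run the audit against templates as well as deployed VMs: a template that carries the settings produces hardened clones, which is the point of the "Use templates and scripted management" recommendation above.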

Consider VMware AppDefense

Starting with vSphere 6.7 Update 1, you can install and use the VMware AppDefense plug-in
to protect your applications and ensure endpoint security. The AppDefense plug-in becomes
available with the vSphere Platinum license. If you have the Platinum license, the AppDefense
panel appears on the Summary tab for any virtual machine in your inventory. From that
panel, you can install, upgrade, or view details about the AppDefense plug-in. For more
information about VMware AppDefense, see the AppDefense documentation.

Securing the Virtual Networking Layer


The virtual networking layer includes virtual network adapters, virtual switches, distributed virtual
switches, and ports and port groups. ESXi relies on the virtual networking layer to support
communications between VMs and their users. In addition, ESXi uses the virtual networking layer
to communicate with iSCSI SANs, NAS storage, and so on.


vSphere includes the full array of features necessary for a secure networking infrastructure.
You can secure each element of the infrastructure, such as virtual switches, distributed virtual
switches, and virtual network adapters, separately. In addition, consider the following guidelines,
discussed in more detail in Chapter 10 Securing vSphere Networking.

Isolate network traffic

Isolation of network traffic is essential to a secure ESXi environment. Different networks
require different access and level of isolation. A management network isolates client traffic,
command-line interface (CLI) or API traffic, and third-party software traffic from normal traffic.
Ensure that the management network is accessible only by system, network, and security
administrators.

See ESXi Networking Security Recommendations.

Use firewalls to secure virtual network elements

You can open and close firewall ports and secure each element in the virtual network
separately. For ESXi hosts, firewall rules associate services with corresponding firewalls and
can open and close the firewall according to the status of the service.

You can also open ports on Platform Services Controller and vCenter Server instances
explicitly.

For the list of all supported ports and protocols in VMware products, including vSphere and
vSAN, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. You can
search ports by VMware product, create a customized list of ports, and print or save port
lists.

Consider network security policies

Network security policies provide protection of traffic against MAC address impersonation
and unwanted port scanning. The security policy of a standard or distributed switch is
implemented in Layer 2 (Data Link Layer) of the network protocol stack. The three elements
of the security policy are promiscuous mode, MAC address changes, and forged transmits.

See the vSphere Networking documentation for instructions.
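The three policy elements can be audited across every switch and port group from PowerCLI. The script below is an added example and not code from this guide; it assumes a PowerCLI session to vCenter Server, and the switch and port group names in the commented remediation lines are placeholders.

```powershell
# Added example, not code from the vSphere Security guide. Assumes a PowerCLI session to
# vCenter Server. Reports every standard switch, standard port group and distributed port
# group whose security policy accepts promiscuous mode, MAC address changes or forged
# transmits. The remediation lines at the end are commented out so the audit runs first.
function Get-SwitchSecurityFindings {
    $rows = [System.Collections.Generic.List[object]]::new()

    foreach ($h in Get-VMHost) {
        foreach ($vss in Get-VirtualSwitch -VMHost $h -Standard) {
            $p = Get-SecurityPolicy -VirtualSwitch $vss
            $rows.Add([pscustomobject]@{
                Scope = 'vSwitch'; Host = $h.Name; Object = $vss.Name
                Promiscuous = $p.AllowPromiscuous; MacChanges = $p.MacChanges; ForgedTransmits = $p.ForgedTransmits
            })
        }
        foreach ($pg in Get-VirtualPortGroup -VMHost $h -Standard) {
            # A port group value is only in force when it does not inherit from its switch;
            # the AllowPromiscuousInherited, MacChangesInherited and ForgedTransmitsInherited
            # flags on the policy object tell you which one applies.
            $p = Get-SecurityPolicy -VirtualPortGroup $pg
            $rows.Add([pscustomobject]@{
                Scope = 'vSS port group'; Host = $h.Name; Object = "$($pg.VirtualSwitchName)/$($pg.Name)"
                Promiscuous = $p.AllowPromiscuous; MacChanges = $p.MacChanges; ForgedTransmits = $p.ForgedTransmits
            })
        }
    }
    foreach ($pg in Get-VDPortgroup) {
        $p = Get-VDSecurityPolicy -VDPortgroup $pg
        $rows.Add([pscustomobject]@{
            Scope = 'vDS port group'; Host = '-'; Object = "$($pg.VDSwitch.Name)/$($pg.Name)"
            Promiscuous = $p.AllowPromiscuous; MacChanges = $p.MacChanges; ForgedTransmits = $p.ForgedTransmits
        })
    }
    $rows | Where-Object { $_.Promiscuous -or $_.MacChanges -or $_.ForgedTransmits }
}

Get-SwitchSecurityFindings | Format-Table -AutoSize

# Remediation, one object at a time, after confirming nothing attached to it needs the setting
# (placeholder host, switch and port group names):
# Get-VirtualSwitch -VMHost 'esx01.example.com' -Name 'vSwitch0' | Get-SecurityPolicy |
#     Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false
# Get-VDPortgroup -Name 'dvpg-prod-web' | Get-VDSecurityPolicy |
#     Set-VDSecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false
```

Treat each finding as a question rather than an automatic fix: a port group feeding a network sensor legitimately needs promiscuous mode, and some clustering and load-balancing products move MAC addresses between nodes and therefore need MAC address changes or forged transmits. Record such exceptions on a dedicated port group so that the default for everything else stays at reject.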

Secure VM networking

The methods that you use to secure VM networking depend on several factors, including:

n The guest operating system that is installed.

n Whether the VMs operate in a trusted environment

Virtual switches and distributed virtual switches provide significant protection when used with
other common security practices, such as installing firewalls.

See Chapter 10 Securing vSphere Networking.

Consider VLANs to protect your environment


ESXi supports IEEE 802.1q VLANs. VLANs let you segment a physical network. You can use
VLANs to further protect the VM network or storage configuration. When you use VLANs,
two VMs on the same physical network cannot send packets to or receive packets from each
other unless they are on the same VLAN.
See Securing Virtual Machines with VLANs.

Secure connections to virtualized storage

A VM stores operating system files, program files, and other data on a virtual disk. Each
virtual disk appears to the VM as a SCSI drive that is connected to a SCSI controller. A VM
is isolated from storage details and cannot access the information about the LUN where its
virtual disk resides.

The Virtual Machine File System (VMFS) is a distributed file system and volume manager that
presents virtual volumes to the ESXi host. You are responsible for securing the connection to
storage. For example, if you are using iSCSI storage, you can set up your environment to use
CHAP. If required by company policy, you can set up mutual CHAP. Use the vSphere Client or
CLIs to set up CHAP.

See Storage Security Best Practices.
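The CHAP configuration described above can be checked and applied per host from PowerCLI. The script below is an added example and not code from this guide; it assumes a PowerCLI session, that the same CHAP names and secrets are already configured on the iSCSI target, and that all names shown are placeholders.

```powershell
# Added example, not code from the vSphere Security guide. Assumes a PowerCLI session and
# that the same CHAP names and secrets are already configured on the iSCSI target. All
# names are placeholders; pass secrets in from a vault rather than typing them into a script.
function Get-IscsiChapStatus {
    foreach ($hba in Get-VMHostHba -Type IScsi) {
        $auth = $hba.AuthenticationProperties
        [pscustomobject]@{
            Host       = $hba.VMHost.Name
            Adapter    = $hba.Device
            ChapType   = [string]$auth.ChapType      # Prohibited, Discouraged, Preferred, Required
            ChapName   = $auth.ChapName
            MutualChap = [bool]$auth.MutualChapEnabled
            # Prohibited and Discouraged let a session come up without CHAP. Without mutual
            # CHAP the initiator never authenticates the target it is about to trust with its disks.
            Weak       = ($auth.ChapType -in 'Prohibited', 'Discouraged') -or -not $auth.MutualChapEnabled
        }
    }
}

function Set-IscsiMutualChap {
    param(
        [Parameter(Mandatory)]$VMHost,
        [Parameter(Mandatory)][string]$ChapName,
        [Parameter(Mandatory)][securestring]$ChapSecret,
        [Parameter(Mandatory)][string]$MutualChapName,
        [Parameter(Mandatory)][securestring]$MutualChapSecret
    )
    # Required: the initiator refuses any session in which the target does not demand CHAP.
    # Mutual CHAP adds authentication of the target by the initiator, with a separate secret.
    $plain = { param($s) [System.Net.NetworkCredential]::new('', $s).Password }
    Get-VMHostHba -VMHost $VMHost -Type IScsi |
        Set-VMHostHba -ChapType Required -ChapName $ChapName -ChapPassword (& $plain $ChapSecret) `
                      -MutualChapEnabled $true -MutualChapName $MutualChapName `
                      -MutualChapPassword (& $plain $MutualChapSecret) -Confirm:$false | Out-Null
}

Get-IscsiChapStatus | Format-Table -AutoSize
# Remediation of one host (placeholder names):
# Set-IscsiMutualChap -VMHost (Get-VMHost -Name 'esx01.example.com') -ChapName 'esx01-init' `
#     -ChapSecret (Read-Host -AsSecureString 'Initiator secret') `
#     -MutualChapName 'san-target' -MutualChapSecret (Read-Host -AsSecureString 'Target secret')
```

CHAP authenticates the session; it does not encrypt the data on the wire. Keep iSCSI traffic on its own non-routed VLAN or physical network, as described under Isolate network traffic above, so that an attacker who cannot reach the storage network cannot replay or read the traffic regardless of the CHAP setting.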

Evaluate the use of IPSec

ESXi supports IPSec over IPv6. You cannot use IPSec over IPv4.

See Internet Protocol Security.

Passwords in Your vSphere Environment


Password restrictions, password expiration, and account lockout in your vSphere environment
depend on the system that the user targets, who the user is, and how policies are set.

ESXi Passwords
ESXi password restrictions are determined by the Linux PAM module pam_passwdqc. The options
in effect on a host are held in the Security.PasswordQualityControl advanced setting. See the
Linux manpage for pam_passwdqc and see ESXi Passwords and Account Lockout.

Passwords for vCenter Server and Other vCenter Services


vCenter Single Sign-On manages authentication for all users who log in to vCenter Server and
other vCenter services. The password restrictions, password expiration, and account lockout
depend on the user's domain and on who the user is.

vCenter Single Sign-On Administrator

The password for the administrator@vsphere.local user, or the administrator@mydomain user if
you selected a different domain during installation, does not expire and is not subject to the
lockout policy. In all other regards, the password must follow the restrictions that are set in
the vCenter Single Sign-On password policy. See Platform Services Controller Administration
for details.


If you forget the password for this user, search the VMware Knowledge Base system for
information on resetting this password. The reset requires additional privileges such as root
access to the vCenter Server system.

Other Users of the vCenter Single Sign-On Domain

Passwords for other vsphere.local users, or users of the domain that you specified during
installation, must follow the restrictions that are set by the vCenter Single Sign-On password
policy and lockout policy. See Platform Services Controller Administration for details. These
passwords expire after 90 days by default. Administrators can change the expiration as part
of the password policy.

If you forget your vsphere.local password, an administrator can reset it with the dir-cli
command from the shell of the Platform Services Controller or embedded vCenter Server
appliance; that requires root access to that appliance.

Other Users

Password restrictions, password expiration, and account lockout for all other users are
determined by the domain (identity source) to which the user can authenticate.
vCenter Single Sign-On supports one default identity source. Users can log in to the
corresponding domain with the vSphere Client with just their user names. If users want to log
in to a non-default domain, they can include the domain name, that is, specify user@domain
or domain\user. The domain password parameters apply to each domain.

Passwords for vCenter Server Appliance Direct Console User Interface Users

The vCenter Server Appliance is a preconfigured Linux-based virtual machine that is optimized
for running vCenter Server and the associated services on Linux.

When you deploy the vCenter Server Appliance, you specify these passwords.

n Password for the root user of the appliance Linux operating system.

n Password for the administrator of the vCenter Single Sign-On domain,
administrator@vsphere.local by default.

You can change the root user password and perform other vCenter Server Appliance local user
management tasks from the appliance console. See vCenter Server Configuration.

Security Best Practices and Resources


If you follow best practices, your ESXi and vCenter Server can be as secure as or even more
secure than an environment that does not include virtualization.

This manual includes best practices for the different components of your vSphere infrastructure.


Table 1-1. Security Best Practices

vSphere component      Resource
ESXi host              Chapter 3 Securing ESXi Hosts
vCenter Server system  vCenter Server Security Best Practices
Virtual machine        Virtual Machine Security Best Practices
vSphere Networking     vSphere Networking Security Best Practices

This manual is only one of the sources you must use to ensure a secure environment.

VMware security resources, including security alerts and downloads, are available on the Web.

Table 1-2. VMware Security Resources on the Web

Topic: Information on ESXi and vCenter Server security and operations, including secure
configuration and hypervisor security.
Resource: https://core.vmware.com/security

Topic: VMware security policy, up-to-date security alerts, security downloads, and focus
discussions of security topics.
Resource: http://www.vmware.com/go/security

Topic: Corporate security response policy
Resource: http://www.vmware.com/support/policies/security_response.html
VMware is committed to helping you maintain a secure environment. Security issues are
corrected in a timely manner. The VMware Security Response Policy states our commitment to
resolve possible vulnerabilities in our products.

Topic: Third-party software support policy
Resource: http://www.vmware.com/support/policies/
VMware supports a variety of storage systems, software agents such as backup agents, system
management agents, and so forth. You can find lists of agents, tools, and other software that
supports ESXi by searching http://www.vmware.com/vmtn/resources/ for ESXi compatibility
guides.
The industry offers more products and configurations than VMware can test. If VMware does not
list a product or configuration in a compatibility guide, Technical Support attempts to help you
with any problems, but cannot guarantee that the product or configuration can be used. Always
evaluate security risks for unsupported products or configurations carefully.

Topic: Compliance and security standards, and partner solutions and in-depth content about
virtualization and compliance
Resource: https://core.vmware.com/compliance

Topic: Information on security certifications and validations such as CCEVS and FIPS for
different versions of the components of vSphere.
Resource: https://www.vmware.com/support/support-resources/certifications.html

Topic: Security configuration guides (formerly known as hardening guides) for different versions
of vSphere and other VMware products.
Resource: https://www.vmware.com/support/support-resources/hardening-guides.html

Topic: Security of the VMware vSphere Hypervisor white paper
Resource: http://www.vmware.com/files/pdf/techpaper/vmw-wp-secrty-vsphr-hyprvsr-uslet-101.pdf

Chapter 2 vSphere Permissions and User Management Tasks
Authentication and authorization govern access. vCenter Single Sign-On supports authentication,
which means it determines whether a user can log in to vSphere components at all. Each user
must also be authorized to view or manipulate vSphere objects.

vSphere supports several different authorization mechanisms, discussed in Understanding
Authorization in vSphere. This section focuses on how the vCenter Server permission model
works and how to perform user management tasks.

vCenter Server allows fine-grained control over authorization with permissions and roles. When
you assign a permission to an object in the vCenter Server object hierarchy, you specify which
user or group has which privileges on that object. To specify the privileges, you use roles, which
are sets of privileges.

Initially, only the administrator user for the vCenter Single Sign-On domain is authorized to log in
to the vCenter Server system. The default domain is vsphere.local and the default administrator is
administrator@vsphere.local. You can change the default domain during installation of vSphere.

The administrator user can proceed as follows:

1 Add an identity source in which users and groups are defined to vCenter Single Sign-On. See
the Platform Services Controller Administration documentation.

2 Give privileges to a user or group by selecting an object such as a virtual machine or a
vCenter Server system and assigning a role on that object for the user or group. See
Assigning Roles and Permissions Using the vSphere Client.

Read the following topics next:

n Understanding Authorization in vSphere

n Managing Permissions for vCenter Components

n Global Permissions

n Using Roles to Assign Privileges

n Best Practices for Roles and Permissions

n Required Privileges for Common Tasks


Understanding Authorization in vSphere


vSphere supports several models for determining whether a user is allowed to perform a task.
Group membership in a vCenter Single Sign-On group decides what you are allowed to do. Your
role on an object or your global permission determines whether you are allowed to perform
other tasks.

Authorization Overview
vSphere allows privileged users to give other users permissions to perform tasks. You can use
global permissions, or you can use local vCenter Server permissions to authorize other users for
individual vCenter Server instances.

The following figure illustrates how global and local permissions work.

Figure 2-1. Global Permissions and Local Permissions (diagram: a global permission (1) is set on
the root object; it propagates (2) into the root folders of vCenter Server 1 and vCenter Server 2;
a local permission (3) on the root folder of vCenter Server 2 overrides it there)

In this figure:

1 You assign a global permission at the root object level with "Propagate to children" selected.

2 vCenter Server propagates the permissions to the vCenter Server 1 and vCenter Server 2
object hierarchies in the environment.

3 A local permission on the root folder on vCenter Server 2 overrides the global permission.

vCenter Server Permissions

The permission model for vCenter Server systems relies on assigning permissions to objects
in the object hierarchy. Users get permissions in the following ways.

n From a specific permission for the user or from the groups that the user is a member of

n From a permission on the object or through the permission inheritance from a parent
object


Each permission gives one user or group a set of privileges, that is, a role for a selected
object. You can use the vSphere Client to add permissions. For example, you can right-click
a virtual machine, select Add Permission, and complete the dialog box to assign a role to
a group of users. That role gives those users the corresponding privileges on the virtual
machine.

Global Permissions

Global permissions give a user or group privileges to view or manage all objects in each of
the inventory hierarchies of the solutions in the deployment. That is, global permissions are
applied to a global root object that spans solution inventory hierarchies. (Solutions include
vCenter Server, vRealize Orchestrator, and so on.) Global permissions also apply to global
objects such as tags and content libraries. For example, consider a deployment that consists
of two solutions, vCenter Server and vRealize Orchestrator. You can use global permissions
to assign a role to a group of users that has read-only privileges to all objects in both the
vCenter Server and vRealize Orchestrator object hierarchies.

Global permissions are replicated across the vCenter Single Sign-On domain (vsphere.local by
default). Global permissions do not provide authorization for services managed through the
vCenter Single Sign-On domain groups. See Global Permissions.

Group Membership in vCenter Single Sign-On Groups

Members of a vsphere.local group can perform certain tasks. For example, you can perform
license management if you are a member of the LicenseService.Administrators group. See
the Platform Services Controller Administration documentation.

ESXi Local Host Permissions

If you are managing a standalone ESXi host that is not managed by a vCenter Server
system, you can assign one of the predefined roles to users. See the vSphere Single Host
Management - VMware Host Client documentation.
For managed hosts, assign roles to the ESXi host object in the vCenter Server inventory.

Understanding the Object-Level Permission Model


You authorize a user or group to perform tasks on vCenter Server objects by using permissions
on the object. From a programmatic standpoint, when a user tries to perform an operation, an
API method is executed. vCenter Server checks the permissions for that method to see if the
user is authorized to perform the operation. For example, when a user tries to add a host, the
AddStandaloneHost_Task(addStandaloneHost) method is invoked. This method requires that
the role for the user has the Host.Inventory.Add standalone host privilege. If the check does not
find this privilege, the user is denied permission to add the host.

The following concepts are important.

Permissions


Each object in the vCenter Server object hierarchy has associated permissions. Each
permission specifies for one group or user which privileges that group or user has on the
object.

Users and Groups

On vCenter Server systems, you can assign privileges only to authenticated users or groups
of authenticated users. Users are authenticated through vCenter Single Sign-On. Users
and groups must be defined in the identity source that vCenter Single Sign-On uses to
authenticate. Define users and groups using the tools in your identity source, for example,
Active Directory.

Privileges

Privileges are fine-grained access controls. You can group those privileges into roles, which
you can then map to users or groups.

Roles

Roles are sets of privileges. Roles allow you to assign permissions on an object based on a
typical set of tasks that users perform. Default roles, such as Administrator, are predefined
on vCenter Server and cannot be changed. Other roles, such as Resource Pool Administrator,
are predefined sample roles. You can create custom roles either from scratch or by cloning
and modifying sample roles. See Create a Custom Role.

The following figure illustrates how a permission is constructed from privileges and roles, and
assigned to a user or group for a vSphere object.

Figure 2-2. vSphere Permissions (diagram: several privileges make up a role; a role bound to a
user or group on a vSphere object is a permission)


To assign permissions to an object, you follow these steps:

1 Select the object to which you want to apply the permission in the vCenter Server object
hierarchy.

2 Select the group or user that should have privileges on the object.

3 Select individual privileges or a role, that is a set of privileges, that the group or user should
have on the object.

By default, Propagate to children is not selected. You must select the checkbox for the group
or user to have the selected role on the selected object and its child objects.

vCenter Server offers predefined roles, which combine frequently used privilege sets. You can
also create custom roles by selecting a set of privileges, or by cloning an existing role and
editing its privileges.

Permissions must often be defined on both a source object and a destination object. For
example, if you move a virtual machine, you need privileges on that virtual machine, but also
privileges on the destination data center.
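The three steps above, together with the "Use named users and least privilege" recommendation in Chapter 1, look like this in PowerCLI. The script is an added example and not code from this guide; it assumes a PowerCLI session to vCenter Server, an Active Directory identity source with the NetBIOS name CORP, and a VM folder named Prod-Web. All names are placeholders.

```powershell
# Added example for the procedure above; it is not code from the vSphere Security guide.
# Assumes a PowerCLI session to vCenter Server, an Active Directory identity source whose
# NetBIOS name is CORP, and a VM folder named Prod-Web. All names are placeholders.
$RoleName  = 'VM Operator (power and console)'
$Principal = 'CORP\vsphere-vm-operators'   # a named group, never a shared root or admin account
$Folder    = Get-Folder -Name 'Prod-Web' -Type VM

# 1. Build a role from individual privilege IDs. IDs are stable across UI languages; the
#    System.* privileges every role needs are added by vCenter Server automatically.
$PrivilegeIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract'
)
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $PrivilegeIds)
}

# 2 and 3. Grant the role to the group on the folder with propagation, so every VM placed
#    in the folder inherits it. A permission set directly on a VM would override this one,
#    and an object holds at most one permission per principal, so check before adding.
$existing = Get-VIPermission -Entity $Folder | Where-Object { $_.Principal -eq $Principal }
if (-not $existing) {
    New-VIPermission -Entity $Folder -Principal $Principal -Role $role -Propagate:$true | Out-Null
}

# Verify on one VM in the folder. The Entity of the returned permission is the folder, which
# is how you tell a propagated grant from one defined directly on the VM.
$vm = Get-VM -Location $Folder | Select-Object -First 1
Get-VIPermission -Entity $vm | Where-Object { $_.Principal -eq $Principal } |
    Select-Object @{n = 'DefinedOn'; e = { $_.Entity.Name }}, Principal, Role, Propagate, IsGroup
```

The role deliberately omits VirtualMachine.Config.* and VirtualMachine.Interact.DeviceConnection, so an operator can restart a guest but cannot attach an ISO or change its hardware; add privileges one at a time as a documented need appears rather than starting from the Administrator role and removing.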

See the following information.

To find out about...                                            See...
Creating custom roles.                                          Create a Custom Role
All privileges and the objects to which you can apply the       Chapter 13 Defined Privileges
privileges
Sets of privileges that are required on different objects for   Required Privileges for Common Tasks
different tasks.

The permissions model for standalone ESXi hosts is simpler. See Assigning Privileges for ESXi
Hosts.

vCenter Server User Validation


vCenter Server systems that use a directory service periodically validate users and groups against
the user directory domain. The interval is set in the vCenter Server settings. For example, assume
that user Smith is assigned a role on several objects and the domain administrator renames the
account to Smith2. vCenter Server concludes that Smith no longer exists and removes the
permissions associated with that user from the vSphere objects at the next validation.

Similarly, if user Smith is removed from the domain, all permissions associated with that user are
removed when the next validation occurs. If a new user Smith is added to the domain before
the next validation occurs, the new user Smith replaces the old user Smith in permissions on any
object.

Hierarchical Inheritance of Permissions


When you assign a permission to an object, you can choose whether the permission propagates
down the object hierarchy. You set propagation for each permission. Propagation is not
universally applied. Permissions defined for a child object always override the permissions that
are propagated from parent objects.

The following figure illustrates the inventory hierarchy and the paths by which permissions can
propagate.

Note Global permissions support assigning privileges across solutions from a global root object.
See Global Permissions.

Figure 2-3. vSphere Inventory Hierarchy (diagram, rendered here as an indented tree)

top level object (global permission level)
    content library
    vCenter Server (vCenter Server instance level)
        data center folder
            data center
                VM folder
                    template
                    virtual machine
                    vApp
                        virtual machine
                        resource pool
                            virtual machine
                host folder
                    host
                    cluster
                        host
                        resource pool
                            virtual machine
                            vApp
                        vApp
                network folder
                    standard switch
                    VDS
                        distributed port group
                storage folder
                    datastore
                    datastore cluster
                        datastore


About this figure:

n You cannot set direct permissions on the VM, host, network, and storage folders. That is,
these folders act as containers, and as such are not visible to users.

n You cannot set permissions on standard switches.

Most inventory objects inherit permissions from a single parent object in the hierarchy. For
example, a datastore inherits permissions from either its parent datastore folder or parent data
center. Virtual machines inherit permissions from both the parent virtual machine folder and the
parent host, cluster, or resource pool simultaneously.

For example, you can set permissions for a distributed switch and its associated distributed port
groups, by setting permissions on a parent object, such as a folder or data center. You must also
select the option to propagate these permissions to child objects.

Permissions take several forms in the hierarchy:

Managed entities

Managed entities refer to the following vSphere objects. Managed entities offer specific
operations that vary depending on the entity type. Privileged users can define permissions on
managed entities. See the vSphere API documentation for more information about vSphere
objects, properties, and methods.

n Clusters

n Data centers

n Datastores

n Datastore clusters

n Folders

n Hosts

n Networks (except vSphere Distributed Switches)

n Distributed port groups

n Resource pools

n Templates

n Virtual machines

n vSphere vApps

Global entities

You cannot modify permissions on entities that derive permissions from the root vCenter
Server system.

n Custom fields

n Licenses


n Roles

n Statistics intervals

n Sessions

Multiple Permission Settings


Objects might have multiple permissions, but only one permission for each user or group. For
example, one permission might specify that GroupAdmin has the Administrator role on an object.
Another permission might specify that GroupVMAdmin has the Virtual Machine Administrator
role on the same object. However, no second permission can exist for GroupVMAdmin on this
object.

A child object inherits the permissions of its parent if the parent’s propagate property is set to
true. A permission that is set directly on a child object overrides the permission in the parent
object. See Example 2: Child Permissions Overriding Parent Permissions.

If multiple group roles are defined on the same object, and a user belongs to two or more of
those groups, two situations are possible:

n No permission for the user is defined directly on the object. In that case, the user gets the
union of the permissions that the groups have on the object.

n A permission for the user is defined directly on the object. In that case, the permissions for
the user take precedence over all group permissions.

Example 1: Permission Inheritance from Multiple Groups


This example illustrates how an object can inherit multiple permissions from groups that are
granted permission on a parent object.

In this example, two permissions are assigned on the same object for two different groups.

n PowerOnVMRole can power on virtual machines.

n SnapShotRole can take snapshots of virtual machines.

n PowerOnVMGroup is granted the PowerOnVMRole on VM Folder, with the permission set to
propagate to child objects.

n SnapShotGroup is granted the SnapShotRole on VM Folder, with the permission set to
propagate to child objects.

n User 1 is not assigned specific privileges.

User 1, who belongs to both the PowerOnVMGroup and the SnapShotGroup, logs in. User 1 can
both power on and take snapshots of both VM A and VM B.


Figure 2-4. Example 1: Permission Inheritance from Multiple Groups

[Figure: VM Folder carries two permissions, PowerOnVMGroup + PowerOnVMRole and SnapShotGroup + SnapShotRole. On its children VM A and VM B, User 1 has the privileges of PowerOnVMRole and SnapShotRole.]

Example 2: Child Permissions Overriding Parent Permissions


This example illustrates how permissions that are assigned on a child object can override
permissions that are assigned on a parent object. You can use this overriding behavior to restrict
user access to particular areas of the inventory.

In this example, permissions are defined on two different objects for two different groups.

n PowerOnVMRole can power on virtual machines.

n SnapShotRole can take snapshots of virtual machines.

n PowerOnVMGroup is granted the PowerOnVMRole on VM Folder, with the permission set to
propagate to child objects.

n SnapShotGroup is granted the SnapShotRole on VM B.

User 1, who belongs to both the PowerOnVMGroup and the SnapShotGroup, logs in. Because the
SnapShotRole is assigned at a lower point in the hierarchy than the PowerOnVMRole, it overrides
PowerOnVMRole on VM B. User 1 can power on VM A, but not take snapshots. User 1 can take
snapshots of VM B, but not power it on.

Figure 2-5. Example 2: Child Permissions Overriding Parent Permissions

[Figure: VM Folder carries PowerOnVMGroup + PowerOnVMRole. On VM A, User 1 has the privileges of PowerOnVMRole only. VM B carries SnapShotGroup + SnapShotRole, so on VM B User 1 has the privileges of SnapShotRole only.]


Example 3: User Role Overriding Group Role


This example illustrates how the role assigned directly to an individual user overrides the
privileges associated with a role assigned to a group.

In this example, permissions are defined on the same object. One permission associates a group
with a role, the other permission associates an individual user with a role. The user is a member
of the group.

n PowerOnVMRole can power on virtual machines.

n PowerOnVMGroup is granted the PowerOnVMRole on VM Folder.

n User 1 is granted the NoAccess role on VM Folder.

User 1, who belongs to PowerOnVMGroup, logs in. The NoAccess role granted to User 1 on VM
Folder overrides the role assigned to the group. User 1 has no access to VM Folder or VMs A and
B. VMs A and B are not visible in the hierarchy to User 1.

Figure 2-6. Example 3: User Permissions Overriding Group Permissions

[Figure: VM Folder carries PowerOnVMGroup + PowerOnVMRole and User 1 + no access. User 1 has no access to the folder or to the virtual machines VM A and VM B.]
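The three examples above state the resolution rules in prose. The following Python model is an added illustration, not VMware code: it applies those rules (the nearest object carrying a permission that applies to the user decides; on that object a permission naming the user directly beats group permissions, otherwise the group roles are unioned; a permission reaches child objects only when it propagates) and rebuilds Examples 1 to 3. The object, group, role and privilege names are taken from the text; the class and function names, and treating a role as a set of privilege strings, are assumptions of the model. It goes slightly beyond the examples by also honoring the propagate flag described under Add a Permission to an Inventory Object.

```python
"""Toy model of vCenter Server object-level permission resolution.

Added illustration, not VMware code. Object, group, role and privilege
names are constructed to mirror Examples 1 to 3 of the text.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Permission:
    principal: str          # a user name or a group name
    role: str
    propagate: bool = True  # reaches child objects only when True


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    permissions: list = field(default_factory=list)

    def grant(self, principal, role, propagate=True):
        """Attach a permission to this object; returns self for chaining."""
        self.permissions.append(Permission(principal, role, propagate))
        return self


# Roles as privilege sets, using the privilege labels from the text.
# The No Access role is the empty set.
ROLES = {
    "PowerOnVMRole": frozenset({"Virtual machine.Interaction.Power On"}),
    "SnapShotRole": frozenset({"Virtual machine.Snapshot management.Create snapshot"}),
    "NoAccess": frozenset(),
}


def effective_privileges(obj, user, groups):
    """Privileges `user` (a member of `groups`) holds on `obj`.

    Walk from the object toward the root. The nearest object carrying a
    permission that applies to the user decides the outcome; a permission
    found on an ancestor counts only if it propagates. If nothing applies
    all the way up, the user has No Access.
    """
    principals = {user, *groups}
    node, inherited = obj, False
    while node is not None:
        applicable = [p for p in node.permissions
                      if p.principal in principals and (p.propagate or not inherited)]
        if applicable:
            direct = [p for p in applicable if p.principal == user]
            chosen = direct or applicable   # a user permission beats group permissions
            return frozenset().union(*(ROLES[p.role] for p in chosen))
        node, inherited = node.parent, True
    return frozenset()


def run_examples():
    """Rebuild Examples 1 to 3; return User 1's privileges on (VM A, VM B)."""
    user, groups = "User 1", {"PowerOnVMGroup", "SnapShotGroup"}
    results = {}

    # Example 1: both groups granted on VM Folder, propagating -> union on the VMs.
    folder = InventoryObject("VM Folder")
    folder.grant("PowerOnVMGroup", "PowerOnVMRole").grant("SnapShotGroup", "SnapShotRole")
    vm_a, vm_b = InventoryObject("VM A", folder), InventoryObject("VM B", folder)
    results["ex1"] = (effective_privileges(vm_a, user, groups),
                      effective_privileges(vm_b, user, groups))

    # Example 2: SnapShotRole set directly on VM B overrides the propagated PowerOnVMRole.
    folder = InventoryObject("VM Folder").grant("PowerOnVMGroup", "PowerOnVMRole")
    vm_a = InventoryObject("VM A", folder)
    vm_b = InventoryObject("VM B", folder).grant("SnapShotGroup", "SnapShotRole")
    results["ex2"] = (effective_privileges(vm_a, user, groups),
                      effective_privileges(vm_b, user, groups))

    # Example 3: No Access granted to User 1 on VM Folder beats the group's role.
    folder = InventoryObject("VM Folder")
    folder.grant("PowerOnVMGroup", "PowerOnVMRole").grant("User 1", "NoAccess")
    vm_a, vm_b = InventoryObject("VM A", folder), InventoryObject("VM B", folder)
    results["ex3"] = (effective_privileges(vm_a, user, groups),
                      effective_privileges(vm_b, user, groups))
    return results


if __name__ == "__main__":
    for name, (a, b) in run_examples().items():
        print(name, "VM A:", sorted(a), "VM B:", sorted(b))
```

Running the script prints the outcome of each example. A permission granted on the root with propagate left off is resolved the same way: it applies to the root object itself but never reaches the children, which is the behavior the Global Permissions section describes.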

Managing Permissions for vCenter Components


A permission is set on an object in the vCenter object hierarchy. Each permission associates the
object with a group or user and the group's or user's access roles. For example, you can select
a virtual machine object, add one permission that gives the ReadOnly role to Group 1, and add a
second permission that gives the Administrator role to User 2.

By assigning a different role to a group of users on different objects, you control the tasks
that those users can perform in your vSphere environment. For example, to allow a group to
configure memory for the host, select that host and add a permission that grants a role to that
group that includes the Host.Configuration.Memory Configuration privilege.

For conceptual information about permissions, see the discussion in Understanding the Object-
Level Permission Model.


You can assign permissions to objects at different levels of the hierarchy. For example, you
can assign permissions to a host object or to a folder object that includes all host objects. See
Hierarchical Inheritance of Permissions. You can also assign permissions to a global root object to
apply the permissions to all objects in all solutions. See Global Permissions.

Add a Permission to an Inventory Object


After you create users and groups and define roles, you must assign the users and groups and
their roles to the relevant inventory objects. You can assign the same propagating permissions to
multiple objects simultaneously by moving the objects into a folder and setting the permissions
on the folder.

When you assign permissions, user and group names must match Active Directory precisely,
including case. If you upgraded from earlier versions of vSphere, check for case inconsistencies if
you experience problems with groups.

Prerequisites

On the object whose permissions you want to modify, you must have a role that includes the
Permissions.Modify permission privilege.

Procedure

1 Browse to the object for which you want to assign permissions in the vSphere Client object
navigator.

2 Click the Permissions tab.

3 Click the Add Permission icon.

4 Select the user or group that will have the privileges defined by the selected role.

a From the User drop-down menu, select the domain for the user or group.

b Type a name in the Search box.

The system searches user names and group names.

c Select the user or group.

5 Select a role from the Role drop-down menu.

6 (Optional) To propagate the permissions, select the Propagate to children check box.

The role is applied to the selected object and propagates to the child objects.

7 Click OK.

Change or Remove Permissions


After a user or group and role pair is set for an inventory object, you can change the role paired
with the user or group or change the setting of the Propagate to children check box. You can
also remove the permission setting.


Procedure

1 Browse to the object in the vSphere Client object navigator.

2 Click the Permissions tab.

3 Click a row to select a permission.

Task: Change permissions
a Click the Change Role icon.
b Select a role for the user or group from the Role drop-down menu.
c Toggle the Propagate to children check box to change permission inheritance.
d Click OK.

Task: Remove permissions
Click the Remove Permission icon.

Change User Validation Settings


vCenter Server periodically validates its user and group lists against the users and groups in
the user directory. It then removes users or groups that no longer exist in the domain. You can
disable validation or change the interval between validations. If you have domains with thousands
of users or groups, or if searches take a long time to complete, consider adjusting the search
settings.

For vCenter Server versions before vCenter Server 5.0, these settings apply to an Active
Directory associated with vCenter Server. For vCenter Server 5.0 and later, these settings apply
to vCenter Single Sign-On identity sources.

Note This procedure applies only to vCenter Server user lists. You cannot search ESXi user lists
in the same way.

Procedure

1 Browse to the vCenter Server system in the vSphere Client object navigator.

2 Select Configure and click Settings > General.

3 Click Edit and select User directory.

4 Change the values as needed and click Save.

User directory timeout
Timeout interval, in seconds, for connecting to the Active Directory server. This value specifies
the maximum amount of time vCenter Server allows a search to run on the selected domain.
Searching large domains can take a long time.

Query limit
Toggle on to set a maximum number of users and groups that vCenter Server displays.

Query limit size
Maximum number of users and groups from the selected domain that vCenter Server displays in
the Select Users or Groups dialog box. If you enter 0 (zero), all users and groups appear.

Validation
Toggle off to disable validation.

Validation Period
Specifies how often vCenter Server validates permissions, in minutes.

Global Permissions
Global permissions are applied to a global root object that spans solutions. In an on-premises
SDDC, global permissions might span both vCenter Server and vRealize Orchestrator. But for any
vSphere SDDC, global permissions apply to global objects such as tags and content libraries.

You can assign global permissions to users or groups, and decide on the role for each user or
group. The role determines the set of privileges that the user or group has for all objects in the
hierarchy. You can assign a predefined role or create custom roles. See Using Roles to Assign
Privileges.

It is important to distinguish between vCenter Server permissions and global permissions.

vCenter Server permissions

You usually apply a permission to a vCenter Server inventory object such as a virtual
machine. When you do, you specify that a user or group has a role (set of privileges) on
the object.

Global permissions

Global permissions give a user or group privileges to view or manage all objects in each of
the inventory hierarchies in your deployment. Global permissions also apply to global objects
such as tags and content libraries. See Permissions on Tag Objects.

If you assign a global permission and do not select Propagate, the users or groups associated
with this permission do not have access to the objects in the hierarchy. They only have
access to some global functionality such as creating roles.

Important Use global permissions with care. Verify that you really want to assign permissions to
all objects in all inventory hierarchies.

Add a Global Permission


You can use global permissions to give a user or group privileges for all objects in all inventory
hierarchies in your deployment.

Important Use global permissions with care. Verify that you really want to assign permissions to
all objects in all inventory hierarchies.


Prerequisites

To perform this task, you must have Permissions.Modify permission privileges on the root object
for all inventory hierarchies.

Procedure

1 Log in to the vCenter Server by using the vSphere Client.

2 Select Administration and click Global Permissions in the Access Control area.

3 Click the Add Permission icon.

4 Select the user or group that will have the privileges defined by the selected role.

a From the User drop-down menu, select the domain for the user or group.

b Type a name in the Search box.

The system searches user names and group names.

c Select the user or group.

5 Select a role from the Role drop-down menu.

6 Decide whether to propagate the permissions by selecting the Propagate to children check
box.

If you assign a global permission and do not select Propagate to children, the users or
groups associated with this permission do not have access to the objects in the hierarchy.
They only have access to some global functionality such as creating roles.

7 Click OK.

Permissions on Tag Objects


In the vCenter Server object hierarchy, tag objects are not children of vCenter Server but are
created at the vCenter Server top level. In environments with multiple vCenter Server instances,
tag objects are shared across vCenter Server instances. Permissions for tag objects work
differently than permissions for other objects in the vCenter Server object hierarchy.

Only Global Permissions or Permissions Assigned to the Tag Object Apply


If you grant permissions to a user on a vCenter Server inventory object, such as a virtual
machine, that user can perform the tasks associated with the permission. However, the user
cannot perform tag operations on the object.

For example, if you grant the Assign vSphere Tag privilege to user Dana on host TPA, that
permission does not affect whether Dana can assign tags on host TPA. Dana must have the
Assign vSphere Tag privilege at the top level, that is, a global permission, or must have the
privilege for the tag object.


Table 2-1. How Global Permissions and Tag Object Permissions Affect What Users Can Do

Row 1
Global Permission: No tagging privileges assigned.
Tag-Level Permission: Dana has Assign or Unassign vSphere Tag privileges for the tag.
vCenter Server Object-Level Permission: Dana has Delete vSphere Tag privileges on ESXi host TPA.
Effective Permission: Dana has Assign or Unassign vSphere Tag privileges for the tag.

Row 2
Global Permission: Dana has Assign or Unassign vSphere Tag privileges.
Tag-Level Permission: No privileges assigned for the tag.
vCenter Server Object-Level Permission: Dana has Delete vSphere Tag privileges on ESXi host TPA.
Effective Permission: Dana has Assign or Unassign vSphere Tag global privileges. That includes
privileges at the tag level.

Row 3
Global Permission: No tagging privileges assigned.
Tag-Level Permission: No privileges assigned for the tag.
vCenter Server Object-Level Permission: Dana has Assign or Unassign vSphere Tag privileges on
ESXi host TPA.
Effective Permission: Dana does not have tagging privileges on any object, including host TPA.

Global Permissions Complement Tag Object Permissions


Global permissions, that is, permissions that are assigned on the top-level object, complement
permissions on tag objects when the permissions on the tag objects are more restrictive. The
vCenter Server permissions do not affect the tag objects.

For example, assume that you assign the Delete vSphere Tag privilege to user Robin at the top
level by using global permissions. For the tag Production, you do not assign the Delete vSphere
Tag privilege to Robin. In that case, Robin has the privilege for the tag Production because Robin
has the global permission, which propagates from the top level. You cannot restrict privileges
unless you modify the global permission.

Table 2-2. Global Permissions Complement Tag-Level Permissions

Row 1
Global Permission: Robin has Delete vSphere Tag privileges.
Tag-Level Permission: Robin does not have Delete vSphere Tag privileges for the tag.
Effective Permission: Robin has Delete vSphere Tag privileges.

Row 2
Global Permission: No tagging privileges assigned.
Tag-Level Permission: Robin does not have Delete vSphere Tag privileges assigned for the tag.
Effective Permission: Robin does not have Delete vSphere Tag privileges.

Tag-Level Permissions Can Extend Global Permissions


You can use tag-level permissions to extend global permissions. That means users can have both
a global permission and a tag-level permission on a tag.

Note This behavior is different from how vCenter Server privileges are inherited. In vCenter
Server, permissions defined for a child object always override the permissions that are
propagated from parent objects.


Table 2-3. Global Permissions Extend Tag-Level Permissions

Row 1
Global Permission: Lee has Assign or Unassign vSphere Tag privilege.
Tag-Level Permission: Lee has Delete vSphere Tag privilege.
Effective Permission: Lee has the Assign vSphere Tag privilege and the Delete vSphere Tag
privilege for the tag.

Row 2
Global Permission: No tagging privileges assigned.
Tag-Level Permission: Lee has Delete vSphere Tag privilege assigned for the tag.
Effective Permission: Lee has the Delete vSphere Tag privilege for the tag.

Using Roles to Assign Privileges


A role is a predefined set of privileges. Privileges define rights to perform actions and read
properties. For example, the Virtual Machine Administrator role allows a user to read and change
virtual machine attributes.

When you assign permissions, you pair a user or group with a role and associate that pairing with
an inventory object. A single user or group can have different roles for different objects in the
inventory.

For example, assume that you have two resource pools in your inventory, Pool A and Pool B. You
can assign group Sales the Virtual Machine User role on Pool A, and the Read Only role on Pool
B. With these assignments, the users in group Sales can turn on virtual machines in Pool A, but
can only view virtual machines in Pool B.

vCenter Server provides system roles and sample roles by default.

System roles

System roles are permanent. You cannot edit the privileges associated with these roles.

Sample roles

VMware provides sample roles for certain frequently performed combinations of tasks. You
can clone, modify, or remove these roles.

Note To avoid losing the predefined settings in a sample role, clone the role first and make
modifications to the clone. You cannot reset the sample to its default settings.

Users can schedule tasks only if they have a role that includes privileges to perform that task at
the time the task is created.

Note Changes to roles and privileges take effect immediately, even if the users involved are
logged in. The exception is searches, where changes take effect after the user has logged out
and logged back in.


Custom Roles in vCenter Server and ESXi


You can create custom roles for vCenter Server and all objects that it manages, or for individual
hosts.

vCenter Server Custom Roles (Recommended)

Create custom roles by using the role-editing facilities in the vSphere Client to create privilege
sets that match your needs.

ESXi Custom Roles

You can create custom roles for individual hosts by using a CLI or the VMware Host Client.
See the vSphere Single Host Management - VMware Host Client documentation. Custom host
roles are not accessible from vCenter Server.

If you manage ESXi hosts through vCenter Server, do not maintain custom roles in both the
host and vCenter Server. Define roles at the vCenter Server level.

When you manage a host using vCenter Server, the permissions associated with that host are
created through vCenter Server and stored on vCenter Server. If you connect directly to a host,
only the roles that are created directly on the host are available.

Note When you add a custom role and do not assign any privileges to it, the role is created
as a Read Only role with three system-defined privileges: System.Anonymous, System.View, and
System.Read. These privileges are not visible in the vSphere Client but are used to read certain
properties of some managed objects. All the predefined roles in vCenter Server contain these
three system-defined privileges. See the vSphere Web Services API documentation for more
information.

Create a Custom Role


You can create vCenter Server custom roles to suit the access control needs of your
environment. You can create a role or clone an existing role.

You can create or edit a role on a vCenter Server system that is part of the same vCenter
Single Sign-On domain as other vCenter Server systems. The VMware Directory Service (vmdir)
propagates the role changes that you make to all other vCenter Server systems in the group.
Assignments of roles to specific users and objects are not shared across vCenter Server systems.

Prerequisites

Verify that you are logged in as a user with Administrator privileges.

Procedure

1 Log in to the vCenter Server by using the vSphere Client.

2 Select Administration and click Roles in the Access Control area.


3 Create the role:

To create a role: Click the Create role action icon.

To create the role by cloning: Select a role, and click the Clone role action icon.

See vCenter Server System Roles for more information.

4 Select and deselect privileges for the role.

See Chapter 13 Defined Privileges for more information.

Note When creating a cloned role, you cannot change privileges. To change privileges,
select the cloned role after it is created and click the Edit role action icon.

5 Enter a name for the new role.

6 Click Finish.

What to do next

You can now create permissions by selecting an object and assigning the role to a user or group
for that object.

vCenter Server System Roles


A role is a predefined set of privileges. When you add permissions to an object, you pair a user
or group with a role. vCenter Server includes several system roles, which you cannot change.

vCenter Server provides a few default roles. You cannot change the privileges associated with
the default roles. The default roles are organized as a hierarchy. Each role inherits the privileges
of the previous role. For example, the Administrator role inherits the privileges of the Read Only
role.

The vCenter Server role hierarchy also includes several sample roles. You can clone a sample role
to create a similar role.

If you create a role, it does not inherit privileges from any of the system roles.

Administrator Role

Users with the Administrator role for an object are allowed to view and perform all actions
on the object. This role also includes all privileges of the Read Only role. If you have the
Administrator role on an object, you can assign privileges to individual users and groups.

If you are acting in the Administrator role in vCenter Server, you can assign privileges to users
and groups in the default vCenter Single Sign-On identity source. See the Platform Services
Controller Administration documentation for supported identity services.


By default, the administrator@vsphere.local user has the Administrator role on both vCenter
Single Sign-On and vCenter Server after installation. That user can then associate other users
with the Administrator role on vCenter Server.

Read Only Role

Users with the Read Only role for an object are allowed to view the state of the object and
details about the object. For example, users with this role can view virtual machine, host, and
resource pool attributes, but cannot view the remote console for a host. All actions through
the menus and toolbars are disallowed.

No Access Role

Users with the No Access role for an object cannot view or change the object in any way.
New users and groups are assigned this role by default. You can change the role on an
object-by-object basis.

The administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by
default, the root user, and vpxuser are assigned the Administrator role by default. Other
users are assigned the No Access role by default.

Best practice is to create a user at the root level and assign the Administrator role to that user.
After creating a named user with Administrator privileges, you can remove the root user from
any permissions or change its role to No Access.

Best Practices for Roles and Permissions


Follow best practices for roles and permissions to maximize the security and manageability of
your vCenter Server environment.

Follow these best practices when configuring roles and permissions in your vCenter Server
environment:

n Where possible, assign a role to a group rather than individual users.

n Grant permissions only on the objects where they are needed, and assign privileges only to
users or groups that must have them. Use the minimum number of permissions to make it
easier to understand and manage your permissions structure.

n If you assign a restrictive role to a group, check that the group does not contain the
Administrator user or other users with administrative privileges. Otherwise, you might
unintentionally restrict administrators' privileges in the parts of the inventory hierarchy where
you have assigned that group the restrictive role.

n Use folders to group objects. For example, to grant modify permission on one set of hosts
and view permission on another set of hosts, place each set of hosts in a folder.

n Use caution when adding a permission to the root vCenter Server objects. Users with
privileges at the root level have access to global data on vCenter Server, such as roles,
custom attributes, and vCenter Server settings.


n Consider enabling propagation when you assign permissions to an object. Propagation
ensures that new objects in the object hierarchy inherit permissions. For example, you can
assign a permission to a virtual machine folder and enable propagation to ensure that the
permission applies to all VMs in the folder.

n Use the No Access role to mask specific areas of the hierarchy. The No Access role restricts
access for the users or groups with that role.

n Changes to licenses propagate as follows:

n To all vCenter Server systems that are linked to the same Platform Services Controller.

n To Platform Services Controller instances in the same vCenter Single Sign-On domain.

n License propagation happens even if the user does not have privileges on all vCenter Server
systems.

Required Privileges for Common Tasks


Many tasks require permissions on multiple objects in the inventory. If the user who attempts to
perform the task only has privileges on one object, the task cannot complete successfully.

The following table lists common tasks that require more than one privilege. You can add
permissions to inventory objects by pairing a user with one of the predefined roles or with
multiple privileges. If you expect to assign the same set of privileges multiple times, create
custom roles.

Refer to the vSphere Web Services API Reference documentation to learn how operations in
the vSphere Client user interface map to API calls, and what privileges are required to perform
operations. For example, the API documentation for the AddHost_Task(addHost) method
specifies that the Host.Inventory.AddHostToCluster privilege is required to add a host to a
cluster.

If the task that you want to perform is not in this table, the following rules explain where you
must assign permissions to allow particular operations:

n Any operation that consumes storage space requires the Datastore.Allocate Space privilege
on the target datastore, and the privilege to perform the operation itself. You must have
these privileges, for example, when creating a virtual disk or taking a snapshot.

n Moving an object in the inventory hierarchy requires appropriate privileges on the object
itself, the source parent object (such as a folder or cluster), and the destination parent object.

n Each host and cluster has its own implicit resource pool that contains all the resources of
that host or cluster. Deploying a virtual machine directly to a host or cluster requires the
Resource.Assign Virtual Machine to Resource Pool privilege.


Table 2-4. Required Privileges for Common Tasks


Applicable
Task Required Privileges Role

Create a virtual machine On the destination folder or data center: Administrator


n Virtual machine .Inventory.Create new
n Virtual machine.Configuration.Add new disk (if creating a new
virtual disk)
n Virtual machine.Configuration.Add existing disk (if using an
existing virtual disk)
n Virtual machine.Configuration.Configure Raw device (if using an
RDM or SCSI pass-through device)

On the destination host, cluster, or resource pool: Resource pool


Resource.Assign virtual machine to resource pool administrator
or
Administrator

On the destination datastore or the folder that contains the datastore: Datastore
Datastore.Allocate space Consumer or
Administrator

On the network that the virtual machine will be assigned to: Network
Network.Assign network Consumer or
Administrator

Power on a virtual machine On the data center in which the virtual machine is deployed: Virtual Machine
Virtual machine .Interaction .Power On Power User or
Administrator
On the virtual machine or folder of virtual machines:
Virtual machine .Interaction .Power On

Deploy a virtual machine On the destination folder or data center: Administrator


from a template n Virtual machine .Inventory.Create from existing
n Virtual machine.Configuration.Add new disk

On a template or folder of templates: Administrator


Virtual machine .Provisioning.Deploy template

On the destination host, cluster or resource pool: Administrator


Resource.Assign virtual machine to resource pool

On the destination datastore or folder of datastores: Datastore


Datastore.Allocate space Consumer or
Administrator

On the network that the virtual machine will be assigned to: Network
Network.Assign network Consumer or
Administrator

Take a virtual machine On the virtual machine or a folder of virtual machines: Virtual Machine
snapshot Virtual machine .Snapshot management. Create snapshot Power User or
Administrator

Move a virtual machine into On the virtual machine or folder of virtual machines: Administrator
a resource pool n Resource.Assign virtual machine to resource pool
n Virtual machine .Inventory.Move

VMware by Broadcom 48
vSphere Security

Table 2-4. Required Privileges for Common Tasks (continued)

    Required privileges: On the destination resource pool: Resource.Assign virtual machine to resource pool
    Applicable role: Administrator

Install a guest operating system on a virtual machine
    Required privileges: On the virtual machine or folder of virtual machines:
    n Virtual machine.Interaction.Answer question
    n Virtual machine.Interaction.Console interaction
    n Virtual machine.Interaction.Device connection
    n Virtual machine.Interaction.Power Off
    n Virtual machine.Interaction.Power On
    n Virtual machine.Interaction.Reset
    n Virtual machine.Interaction.Configure CD media (if installing from a CD)
    n Virtual machine.Interaction.Configure floppy media (if installing from a floppy disk)
    n Virtual machine.Interaction.VMware Tools install
    Applicable role: Virtual Machine Power User or Administrator

    Required privileges: On a datastore that contains the installation media ISO image: Datastore.Browse datastore (if installing from an ISO image on a datastore)
    Required privileges: On the datastore to which you upload the installation media ISO image:
    n Datastore.Browse datastore
    n Datastore.Low level file operations
    Applicable role: Virtual Machine Power User or Administrator

Migrate a virtual machine with vMotion
    Required privileges: On the virtual machine or folder of virtual machines:
    n Resource.Migrate powered on virtual machine
    n Resource.Assign virtual machine to resource pool (if destination is a different resource pool from the source)
    Applicable role: Resource Pool Administrator or Administrator

    Required privileges: On the destination host, cluster, or resource pool (if different from the source): Resource.Assign virtual machine to resource pool
    Applicable role: Resource Pool Administrator or Administrator

Cold migrate (relocate) a virtual machine
    Required privileges: On the virtual machine or folder of virtual machines:
    n Resource.Migrate powered off virtual machine
    n Resource.Assign virtual machine to resource pool (if destination is a different resource pool from the source)
    Applicable role: Resource Pool Administrator or Administrator

    Required privileges: On the destination host, cluster, or resource pool (if different from the source): Resource.Assign virtual machine to resource pool
    Applicable role: Resource Pool Administrator or Administrator

    Required privileges: On the destination datastore (if different from the source): Datastore.Allocate space
    Applicable role: Datastore Consumer or Administrator

Migrate a virtual machine with Storage vMotion
    Required privileges: On the virtual machine or folder of virtual machines: Resource.Migrate powered on virtual machine
    Applicable role: Resource Pool Administrator or Administrator

    Required privileges: On the destination datastore: Datastore.Allocate space
    Applicable role: Datastore Consumer or Administrator

Move a host into a cluster
    Required privileges: On the host: Host.Inventory.Add host to cluster
    Applicable role: Administrator

    Required privileges: On the destination cluster:
    n Host.Inventory.Add host to cluster
    n Host.Inventory.Modify cluster
    Applicable role: Administrator

Add a single host to a data center by using the vSphere Client, or add a single host to a cluster by using PowerCLI or the API (leveraging the addHost API)
    Required privileges: On the host: Host.Inventory.Add host to cluster
    Applicable role: Administrator

    Required privileges: On the cluster:
    n Host.Inventory.Modify cluster
    n Host.Inventory.Add host to cluster
    Applicable role: Administrator

    Required privileges: On the data center: Host.Inventory.Add standalone host
    Applicable role: Administrator

Add multiple hosts to a cluster (available starting with vSphere 6.7 Update 1)
    Required privileges: On the cluster:
    n Host.Inventory.Modify cluster
    n Host.Inventory.Add host to cluster
    Applicable role: Administrator

    Required privileges: On the parent data center of the cluster (with propagate):
    n Host.Inventory.Add standalone host
    n Host.Inventory.Move host
    n Host.Inventory.Modify cluster
    n Host.Configuration.Maintenance
    Applicable role: Administrator

Encrypt a virtual machine
    Required privileges: Encryption tasks are possible only in environments that include vCenter Server. In addition, the ESXi host must have encryption mode enabled for most encryption tasks. The user who performs the task must have the appropriate privileges. A set of Cryptographic Operations privileges allows fine-grained control. See Prerequisites and Required Privileges for Encryption Tasks.
    Applicable role: Administrator

3 Securing ESXi Hosts
The ESXi hypervisor architecture has many built-in security features such as CPU isolation,
memory isolation, and device isolation. You can configure additional features such as lockdown
mode, certificate replacement, and smart card authentication for enhanced security.

An ESXi host is also protected with a firewall. You can open ports for incoming and outgoing
traffic as needed, but should restrict access to services and ports. Using the ESXi lockdown
mode and limiting access to the ESXi Shell can further contribute to a more secure environment.
ESXi hosts participate in the certificate infrastructure. Hosts are provisioned with certificates that
are signed by the VMware Certificate Authority (VMCA) by default.

See the VMware white paper Security of the VMware vSphere Hypervisor for additional
information on ESXi security.

Note ESXi is not built upon the Linux kernel or a commodity Linux distribution. It uses its own
VMware specialized and proprietary kernel and software tools, delivered as a self-contained unit,
and does not contain applications and components from Linux distributions.

Read the following topics next:

n General ESXi Security Recommendations

n Certificate Management for ESXi Hosts

n Customizing Hosts with the Security Profile

n Assigning Privileges for ESXi Hosts

n Using Active Directory to Manage ESXi Users

n Using vSphere Authentication Proxy

n Configuring Smart Card Authentication for ESXi

n Using the ESXi Shell

n UEFI Secure Boot for ESXi Hosts

n Securing ESXi Hosts with Trusted Platform Module

n ESXi Log Files


General ESXi Security Recommendations


To protect an ESXi host against unauthorized intrusion and misuse, VMware imposes constraints
on several parameters, settings, and activities. You can loosen the constraints to meet your
configuration needs. If you do, make sure that you are working in a trusted environment and take
other security measures.

Built-In Security Features


Risks to the hosts are mitigated out of the box as follows:

n ESXi Shell and SSH are disabled by default.

n Only a limited number of firewall ports are open by default. You can explicitly open additional
firewall ports that are associated with specific services.

n ESXi runs only services that are essential to managing its functions. The distribution is limited
to the features required to run ESXi.

n By default, all ports that are not required for management access to the host are closed.
Open ports if you need additional services.

n By default, weak ciphers are disabled and communications from clients are secured by SSL.
The exact algorithms used for securing the channel depend on the SSL handshake. Default
certificates created on ESXi use PKCS#1 SHA-256 with RSA encryption as the signature
algorithm.

n A Tomcat Web service is used internally by ESXi to support access by Web clients. The
service has been modified to run only functions that a Web client requires for administration
and monitoring. As a result, ESXi is not vulnerable to the Tomcat security issues reported in
broader use.

n VMware monitors all security alerts that can affect ESXi security and issues a security patch if
needed.

n Insecure services such as FTP and Telnet are not installed, and the ports for these services
are closed by default. Because more secure services such as SSH and SFTP are easily
available, avoid using these insecure services and use their safer alternatives. For example,
use Telnet with SSL to access virtual serial ports if SSH is unavailable and you must use
Telnet.

If you must use insecure services and have implemented sufficient protection for the host,
you can explicitly open ports to support them.

n Consider using UEFI Secure Boot for your ESXi system. See UEFI Secure Boot for ESXi Hosts.

Additional Security Measures


Consider the following recommendations when evaluating host security and administration.

Limit access


If you enable access to the Direct Console User Interface (DCUI), the ESXi Shell, or SSH,
enforce strict access security policies.
The ESXi Shell has privileged access to certain parts of the host. Provide only trusted users
with ESXi Shell login access.

Do not access managed hosts directly

Use the vSphere Client to administer ESXi hosts that are managed by a vCenter Server. Do
not access managed hosts directly with the VMware Host Client, and do not change managed
hosts from the DCUI.

If you manage hosts with a scripting interface or API, do not target the host directly. Instead,
target the vCenter Server system that manages the host and specify the host name.

Use DCUI only for troubleshooting

Access the host from the DCUI or the ESXi Shell as the root user only for troubleshooting.
Use one of the GUI clients, or one of the VMware CLIs or APIs to administer your ESXi hosts.
If you use the ESXi Shell or SSH, limit the accounts that have access and set timeouts.

Use only VMware sources to upgrade ESXi components

The host runs several third-party packages to support management interfaces or tasks that
you must perform. VMware only supports upgrades to these packages that come from a
VMware source. If you use a download or patch from another source, you might compromise
management interface security or functions. Check third-party vendor sites and the VMware
knowledge base for security alerts.

Note Follow the VMware security advisories at http://www.vmware.com/security/.

Configure ESXi Hosts with Host Profiles


Host profiles allow you to set up standard configurations for your ESXi hosts and automate
compliance to these configuration settings. Host profiles allow you to control many aspects of
host configuration including memory, storage, networking, and so on.

You can configure host profiles for a reference host from the vSphere Client and apply the
host profile to all hosts that share the characteristics of the reference host. You can also
use host profiles to monitor hosts for host configuration changes. See vSphere Host Profiles
documentation.

You can attach the host profile to a cluster to apply it to all hosts in the cluster.

Procedure

1 Set up the reference host to specification and create a host profile.

2 Attach the profile to a host or cluster.

3 Apply the host profile of the reference host to other hosts or clusters.


Use Scripts to Manage Host Configuration Settings


In environments with many hosts, managing hosts with scripts is faster and less error prone than
managing the hosts from the vSphere Client.

vSphere includes several scripting languages for host management. See vSphere Command-
Line Documentation and vSphere API/SDK Documentation for reference information and
programming tips, and VMware Communities for additional tips about scripted management. The
vSphere Administrator documentation focuses on using the vSphere Client for management.

vSphere PowerCLI

VMware vSphere PowerCLI is a Windows PowerShell interface to the vSphere API. vSphere
PowerCLI includes PowerShell cmdlets for administering vSphere components.

vSphere PowerCLI includes more than 200 cmdlets, a set of sample scripts, and a function
library for management and automation. See vSphere PowerCLI Documentation.

vSphere Command-Line Interface (vCLI)

vCLI includes a set of commands for managing ESXi hosts and virtual machines. The installer,
which also installs the vSphere SDK for Perl, runs on Windows or Linux systems and installs
ESXCLI commands, vicfg- commands, and a set of other vCLI commands. See vSphere
Command-Line Interface Documentation.
Starting with vSphere 6.0, you can also use one of the scripting interfaces to the vCloud Suite
SDK such as the vCloud Suite SDK for Python.

Procedure

1 Create a custom role that has limited privileges.

For example, consider creating a role that has a set of privileges for managing hosts but no
privileges for managing virtual machines, storage, or networking. If the script you want to use
only extracts information, you can create a role with read-only privileges for the host.

2 From the vSphere Client, create a service account and assign it the custom role.

You can create multiple custom roles with different levels of access if you want access to
certain hosts to be fairly limited.


3 Write scripts to perform parameter checking or modification, and run them.

For example, you can check or set the ESXi Shell interactive timeout
(UserVars.ESXiShellInteractiveTimeOut) of a host as follows.

vCLI (ESXCLI):

    esxcli <conn_options> system settings advanced get -o /UserVars/ESXiShellInteractiveTimeOut

    esxcli <conn_options> --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellInteractiveTimeOut

PowerCLI:

    # List UserVars.ESXiShellInteractiveTimeOut for each host
    Get-VMHost | Select Name,
        @{N="UserVars.ESXiShellInteractiveTimeOut";E={$_ | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Select -ExpandProperty Value}}

    # Set UserVars.ESXiShellInteractiveTimeOut to 900 seconds on all hosts
    Get-VMHost | Foreach { Get-AdvancedSetting -Entity $_ -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 900 -Confirm:$false }

4 In large environments, create roles with different access privileges and group hosts into
folders according to the tasks that you want to perform. You can then run scripts over
different folders from different service accounts.

5 Verify that the changes happened after you run the command.

ESXi Passwords and Account Lockout


For ESXi hosts, you have to use a password with predefined requirements. You can
change the required length and character class requirement or allow pass phrases using the
Security.PasswordQualityControl advanced option. You can also set the number of passwords
to remember for each user using the Security.PasswordHistory advanced option.

Note The default requirements for ESXi passwords can change from one release
to the next. You can check and change the default password restrictions using the
Security.PasswordQualityControl advanced option.

ESXi Passwords
ESXi enforces password requirements for access from the Direct Console User Interface, the ESXi
Shell, SSH, or the VMware Host Client.

n By default, you have to include a mix of characters from four character classes: lowercase
letters, uppercase letters, numbers, and special characters such as underscore or dash when
you create a password.


n By default, password length must be at least 7 and less than 40 characters. The minimum
comes from the default Security.PasswordQualityControl value shown below.

n Passwords cannot contain a dictionary word or part of a dictionary word.

Note An uppercase character that begins a password does not count toward the number of
character classes used. A number that ends a password does not count toward the number of
character classes used.

Example ESXi Passwords


The following password candidates illustrate potential passwords if the option is set as follows.

retry=3 min=disabled,disabled,disabled,7,7

With this setting, a user is prompted up to three times (retry=3) for a new password that is
not sufficiently strong or if the password was not entered correctly twice. Passwords with one
or two character classes and pass phrases are not allowed, because the first three items are
disabled. Passwords from three- and four-character classes require seven characters. See the
pam_passwdqc man page for details on other options, such as max, passphrase, and so on.

With these settings, the following passwords are allowed.

n xQaTEhb!: Contains eight characters from three character classes.

n xQaT3#A: Contains seven characters from four character classes.

The following password candidates do not meet requirements.

n Xqat3hi: Begins with an uppercase character, reducing the effective number of character
classes to two. The minimum number of required character classes is three.

n xQaTEh2: Ends with a number, reducing the effective number of character classes to two.
The minimum number of required character classes is three.

ESXi Pass Phrase


Instead of a password, you can also use a pass phrase. However, pass phrases
are disabled by default. You can change this default or other settings, by using the
Security.PasswordQualityControl advanced option from the vSphere Client.

For example, you can change the option to the following.

retry=3 min=disabled,disabled,16,7,7

This example allows pass phrases of at least 16 characters and at least three words, separated by
spaces.

For legacy hosts, changing the /etc/pam.d/passwd file is still supported, but changing the file
is deprecated for future releases. Use the Security.PasswordQualityControl advanced option
instead.


Changing Default Password Restrictions


You can change the default restriction on passwords or pass phrases by using the
Security.PasswordQualityControl advanced option for your ESXi host. See vCenter Server and
Host Management documentation for information on setting ESXi advanced options.
You can change the default, for example, to require a minimum of 15 characters and a minimum
number of four words (passphrase=4), as follows:

retry=3 min=disabled,disabled,15,7,7 passphrase=4

See the man page for pam_passwdqc for details.

Note Not all possible combinations of password options have been tested. Perform additional
testing after you change the default password settings.
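The following Python script is an added example and is not part of the vSphere documentation or of ESXi. It models the password and pass phrase rules described in this section so that you can test a candidate policy value before you set Security.PasswordQualityControl on a host: the five-field min= list, the disabled keyword, the passphrase= word count (default 3), and the rule that a leading uppercase letter and a trailing digit do not count toward the character classes. The dictionary-word, similarity, and maximum-length checks that pam_passwdqc also performs are not modelled, and the check_password function and its return value are this example's own design.

```python
"""Model of the Security.PasswordQualityControl rules described above.

Added example, not VMware code. Only the subset of pam_passwdqc semantics
that this section describes is modelled.
"""
import string

DEFAULT_OPTION = "retry=3 min=disabled,disabled,disabled,7,7"

# min=N0,N1,N2,N3,N4: N0 one class, N1 two classes, N2 pass phrase,
# N3 three classes, N4 four classes. (classes needed, index into min=)
CLASS_TIERS = ((4, 4), (3, 3), (2, 1), (1, 0))
PASSPHRASE_INDEX = 2


def parse_policy(option):
    """Parse an option string such as 'retry=3 min=disabled,disabled,16,7,7 passphrase=4'."""
    policy = {"retry": 3, "min": [None] * 5, "passphrase": 3}
    for token in option.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("malformed token: %r" % token)
        if key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min= needs exactly five fields")
            policy["min"] = [None if f == "disabled" else int(f) for f in fields]
        elif key in ("retry", "passphrase"):
            policy[key] = int(value)
        else:
            raise ValueError("option not modelled here: %s" % key)
    return policy


def character_classes(password):
    """Count character classes. A leading uppercase letter and a trailing
    digit are discounted, so their class counts only if another character
    of that class appears elsewhere in the password."""
    core = password
    if core and core[0] in string.ascii_uppercase:
        core = core[1:]
    if core and core[-1] in string.digits:
        core = core[:-1]
    classes = set()
    for ch in core:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")  # punctuation and spaces
    return len(classes)


def check_password(password, option=DEFAULT_OPTION):
    """Return (accepted, reason) for a candidate under the given option string."""
    policy = parse_policy(option)
    length = len(password)
    classes = character_classes(password)
    words = len([w for w in password.split(" ") if w])
    # Pass phrase tier: enough words and at least the N2 length.
    phrase_min = policy["min"][PASSPHRASE_INDEX]
    if phrase_min is not None and words >= policy["passphrase"] and length >= phrase_min:
        return True, "pass phrase of %d words, %d characters" % (words, length)
    # Class tiers: a password qualifies for any tier whose class count it meets.
    for needed, index in CLASS_TIERS:
        tier_min = policy["min"][index]
        if tier_min is not None and classes >= needed and length >= tier_min:
            return True, "%d character classes, %d characters" % (classes, length)
    return False, "%d effective character class(es), %d characters: not allowed" % (classes, length)


if __name__ == "__main__":
    for candidate in ("xQaTEhb!", "xQaT3#A", "Xqat3hi", "xQaTEh2"):
        print(candidate, check_password(candidate))
    phrase_policy = "retry=3 min=disabled,disabled,16,7,7"
    print(check_password("blue kettle quiet morning", phrase_policy))
```

Run it with the four candidates from Example ESXi Passwords to see the first two accepted and the last two rejected for the reasons given there; with the pass phrase policy from ESXi Pass Phrase, an all-lowercase phrase of four words is accepted by the pass phrase tier even though it has too few character classes for a password.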

ESXi Account Lockout Behavior


Account locking is supported for access through SSH and through the vSphere Web Services
SDK. The Direct Console User Interface (DCUI) and the ESXi Shell do not support account lockout.
By default, a maximum of five failed attempts is allowed before the account is locked. The account
is unlocked after 15 minutes by default.

Configuring Login Behavior


You can configure the login behavior for your ESXi host with the following advanced options:

n Security.AccountLockFailures. Maximum number of failed login attempts before a user's
account is locked. Zero disables account locking.

n Security.AccountUnlockTime. Number of seconds that a user is locked out.

n Security.PasswordHistory. Number of passwords to remember for each user. Zero disables
password history.

See the vCenter Server and Host Management documentation for information on setting ESXi
advanced options.
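The following Python class is an added example, not ESXi code. It models how Security.AccountLockFailures and Security.AccountUnlockTime interact for the interfaces that support lockout (SSH and the vSphere Web Services SDK). The clock is injectable so that the behavior can be checked without waiting out the unlock interval; the ManualClock helper exists only for that purpose. Two assumptions are built in: a locked account rejects even a correct credential until the unlock time has elapsed, and a successful login resets the failure counter.

```python
"""Model of ESXi account lockout settings. Added example, not VMware code."""
import time


class ManualClock:
    """Test clock so lockout expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AccountLockout:
    def __init__(self, lock_failures=5, unlock_time=900, clock=time.monotonic):
        self.lock_failures = lock_failures  # Security.AccountLockFailures (0 disables locking)
        self.unlock_time = unlock_time      # Security.AccountUnlockTime, in seconds
        self.clock = clock
        self._failures = {}                 # user -> consecutive failed attempts
        self._locked_at = {}                # user -> time at which the lock started

    def is_locked(self, user):
        locked_at = self._locked_at.get(user)
        if locked_at is None:
            return False
        if self.clock() - locked_at >= self.unlock_time:
            # The lock has expired: clear it together with the failure counter.
            del self._locked_at[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, credential_ok):
        """Record one login attempt. Returns True if the login is accepted and
        False if it is rejected, either for a bad credential or because the
        account is locked (assumption: a locked account rejects good credentials too)."""
        if self.is_locked(user):
            return False
        if credential_ok:
            self._failures.pop(user, None)  # assumption: success resets the counter
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if self.lock_failures and count >= self.lock_failures:
            self._locked_at[user] = self.clock()
        return False

    def failures(self, user):
        return self._failures.get(user, 0)


if __name__ == "__main__":
    clock = ManualClock()
    lockout = AccountLockout(clock=clock)           # ESXi defaults: 5 failures, 900 seconds
    for _ in range(5):
        lockout.attempt("root", credential_ok=False)
    print("locked after 5 failures:", lockout.is_locked("root"))
    clock.advance(900)
    print("locked after 15 minutes:", lockout.is_locked("root"))
```

With the defaults, the fifth consecutive failure locks the account, a correct password is refused during the next 900 seconds, and the lock clears on its own afterwards; setting lock_failures to 0 reproduces the documented behavior that zero disables locking.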

SSH Security
ESXi Shell and SSH interfaces are disabled by default. Keep these interfaces disabled unless you
are performing troubleshooting or support activities. For day-to-day activities, use the vSphere
Client, where activity is subject to role-based access control and modern access control methods.

The SSH configuration in ESXi uses the following settings:

Version 1 SSH protocol disabled


VMware does not support Version 1 SSH protocol and uses Version 2 protocol exclusively.
Version 2 eliminates certain security problems present in Version 1 and provides you with a
safe way to communicate with the management interface.

Improved cipher strength

SSH supports only 256-bit and 128-bit AES ciphers for your connections.

These settings are designed to provide solid protection for the data you transmit to the
management interface through SSH. You cannot change these settings.

ESXi SSH Keys


SSH keys can restrict, control, and secure access to an ESXi host. An SSH key can allow a trusted
user or script to log in to a host without specifying a password.

You can copy the SSH key to the host by using the vifs vSphere CLI command. See Getting
Started with vSphere Command-Line Interfaces for information on installing and using the
vSphere CLI command set. You can also use HTTPS PUT to copy the SSH key to the host.

Instead of generating the keys externally and uploading them, you can create the keys
on the ESXi host and download them. See the VMware knowledge base article at
http://kb.vmware.com/kb/1002866.

Enabling SSH and adding SSH keys to the host has inherent risks. Weigh the potential risk of
exposing a user name and password against the risk of intrusion by a user who has a trusted key.

Note For ESXi 5.0 and earlier, a user with an SSH key can access the host even when the host is
in lockdown mode. Starting with ESXi 5.1, a user with an SSH key can no longer access a host that
is in lockdown mode.

Upload an SSH Key Using a vifs Command


If you decide that you want to use authorized keys to log in to a host with SSH, you can upload
authorized keys with a vifs command.

Note Because authorized keys allow SSH access without requiring user authentication, consider
carefully whether you want to use SSH keys in your environment.

Authorized keys allow you to authenticate remote access to a host. When users or scripts try
to access a host with SSH, the key provides authentication without a password. With authorized
keys, you can automate authentication, which is useful when you write scripts to perform routine
tasks.

You can upload the following types of SSH keys to a host.

n Authorized keys file for the root user

n RSA key

n RSA public key


Starting with the vSphere 6.0 Update 2 release, DSS/DSA keys are no longer supported.

Important Do not modify the /etc/ssh/sshd_config file. If you do, you make a change that
the host daemon (hostd) knows nothing about.

Procedure

u At the command line or an administration server, use the vifs command to upload the SSH
key to an appropriate location on the ESXi host. For example, to upload an authorized keys file
for the root user:

    vifs --server hostname --username username --put filename /host/ssh_root_authorized_keys

  Type of key: Authorized key files for the root user
  Location: /host/ssh_root_authorized_keys
  You must have full administrator privileges to upload this file.

  Type of key: RSA keys
  Location: /host/ssh_host_rsa_key

  Type of key: RSA public keys
  Location: /host/ssh_host_rsa_key_pub

Upload an SSH Key Using HTTPS PUT


You can use authorized keys to log in to a host with SSH. You can upload authorized keys with
HTTPS PUT.

Authorized keys allow you to authenticate remote access to a host. When users or scripts try
to access a host with SSH, the key provides authentication without a password. With authorized
keys you can automate authentication, which is useful when you write scripts to perform routine
tasks.

You can upload the following types of SSH keys to a host using HTTPS PUT:

n Authorized keys file for root user

n DSA key (no longer supported starting with vSphere 6.0 Update 2)

n DSA public key (no longer supported starting with vSphere 6.0 Update 2)

n RSA key

n RSA public key

Important Do not modify the /etc/ssh/sshd_config file.

Procedure

1 In your upload application, open the key file.


2 Publish the file to the following locations.

  Type of key: Authorized key files for the root user
  Location: https://hostname_or_IP_address/host/ssh_root_authorized_keys
  You must have full administrator privileges on the host to upload this file.

  Type of key: DSA keys (no longer supported starting with vSphere 6.0 Update 2)
  Location: https://hostname_or_IP_address/host/ssh_host_dsa_key

  Type of key: DSA public keys (no longer supported starting with vSphere 6.0 Update 2)
  Location: https://hostname_or_IP_address/host/ssh_host_dsa_key_pub

  Type of key: RSA keys
  Location: https://hostname_or_IP_address/host/ssh_host_rsa_key

  Type of key: RSA public keys
  Location: https://hostname_or_IP_address/host/ssh_host_rsa_key_pub
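The following Python script is an added example, not VMware code. It performs the HTTPS PUT described in this procedure for the root authorized keys file and checks the file first, so that private key material or an unsupported DSA key is never pushed to a host. The host name esxi01.example.com, the account name, and the CA bundle path are placeholders. It assumes that the /host/ file endpoint accepts HTTP Basic authentication for an account with administrator privileges on the host; verify the host certificate against your own CA bundle rather than disabling verification.

```python
"""Upload an authorized_keys file to ESXi with HTTPS PUT. Added example, not VMware code."""
import base64
import ssl
import urllib.request

# Locations from the table above. DSA keys are not supported and are left out on purpose.
KEY_LOCATIONS = {
    "root_authorized_keys": "/host/ssh_root_authorized_keys",
    "rsa_private": "/host/ssh_host_rsa_key",
    "rsa_public": "/host/ssh_host_rsa_key_pub",
}

ACCEPTED_KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-")


def validate_authorized_keys(data):
    """Return the number of key lines in an authorized_keys file, or raise
    ValueError if the content must not be uploaded (private key material,
    DSA keys, or lines that are not authorized_keys entries)."""
    text = data.decode("utf-8")
    if "PRIVATE KEY" in text:
        raise ValueError("refusing to upload private key material as authorized keys")
    count = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Optional leading options such as from="10.0.0.5" precede the key type.
        key_type = next((f for f in fields if f.startswith(ACCEPTED_KEY_TYPE_PREFIXES)), None)
        if key_type is None:
            raise ValueError("line %d: no SSH key type found" % lineno)
        if key_type == "ssh-dss":
            raise ValueError("line %d: DSA keys are not supported on ESXi" % lineno)
        if fields.index(key_type) + 1 >= len(fields):
            raise ValueError("line %d: key type without key data" % lineno)
        count += 1
    if count == 0:
        raise ValueError("no keys found in the file")
    return count


def build_put_request(host, key_kind, data, username, password):
    """Build the PUT request. Kept separate from sending so it can be inspected."""
    url = "https://%s%s" % (host, KEY_LOCATIONS[key_kind])
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    request = urllib.request.Request(url, data=data, method="PUT")
    request.add_header("Authorization", "Basic " + token)  # assumption: /host/ accepts Basic auth
    request.add_header("Content-Type", "application/octet-stream")
    return request


def upload_root_authorized_keys(host, username, password, key_file, cafile):
    """Validate the file, then PUT it to /host/ssh_root_authorized_keys over verified TLS."""
    with open(key_file, "rb") as fh:
        data = fh.read()
    validate_authorized_keys(data)
    context = ssl.create_default_context(cafile=cafile)  # verify the host certificate
    request = build_put_request(host, "root_authorized_keys", data, username, password)
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return response.status


if __name__ == "__main__":
    import getpass
    status = upload_root_authorized_keys(
        "esxi01.example.com", "root", getpass.getpass("root password: "),
        "authorized_keys", "/etc/ssl/certs/internal-ca.pem")
    print("HTTP status", status)
```

The validation step is the part worth keeping even if you script the upload differently: an authorized_keys line can carry options such as from="10.0.0.5" that restrict where the key may be used from, and pushing a private key or a DSA key to the host by mistake is the failure this check prevents.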

PCI and PCIe Devices and ESXi


Using the VMware DirectPath I/O feature to pass through a PCI or PCIe device to a virtual
machine results in a potential security vulnerability. The vulnerability can be triggered when
buggy or malicious code, such as a device driver, is running in privileged mode in the guest
OS. Industry-standard hardware and firmware do not currently have sufficient error containment
support to protect ESXi hosts from the vulnerability.

Use PCI or PCIe passthrough to a virtual machine only if a trusted entity owns and administers
the virtual machine. You must be sure that this entity does not attempt to crash or exploit the
host from the virtual machine.

Your host might be compromised in one of the following ways.

n The guest OS might generate an unrecoverable PCI or PCIe error. Such an error does not
corrupt data, but can crash the ESXi host. Such errors might occur because of bugs or
incompatibilities in the hardware devices that are being passed through. Other reasons for
errors include problems with drivers in the guest OS.

n The guest OS might generate a Direct Memory Access (DMA) operation that causes an
IOMMU page fault on the ESXi host. This operation might be the result of a DMA operation
that targets an address outside the virtual machine memory. On some machines, host
firmware configures IOMMU faults to report a fatal error through a non-maskable interrupt
(NMI). This fatal error causes the ESXi host to crash. This problem might occur because of
problems with the drivers in the guest OS.

n If the operating system on the ESXi host is not using interrupt remapping, the guest OS might
inject a spurious interrupt into the ESXi host on any vector. ESXi currently uses interrupt
remapping on Intel platforms where it is available. Interrupt remapping is part of the Intel VT-d
feature set. ESXi does not use interrupt remapping on AMD platforms. A false interrupt can
result in a crash of the ESXi host. Other ways to exploit these false interrupts might exist in
theory.

Disable the Managed Object Browser


The managed object browser (MOB) provides a way to explore the VMkernel object model.
However, attackers can use this interface to perform malicious configuration changes or actions


because it is possible to change the host configuration by using the MOB. Use the MOB only for
debugging, and ensure that it is disabled in production systems.

Starting with vSphere 6.0, the MOB is disabled by default. However, for certain tasks, for
example when extracting the old certificate from a system, you have to use the MOB. You can
enable and disable the MOB as follows.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, click Advanced System Settings.

4 Check the value of Config.HostAgent.plugins.solo.enableMob, and click Edit to change it as
appropriate.

Do not use vim-cmd from the ESXi Shell.

ESXi Networking Security Recommendations


Isolation of network traffic is essential to a secure ESXi environment. Different networks require
different access controls and levels of isolation.

Your ESXi host uses several networks. Use appropriate security measures for each network, and
isolate traffic for specific applications and functions. For example, ensure that VMware vSphere®
vMotion® traffic does not travel over networks where virtual machines are located. Isolation
prevents snooping. Having separate networks is also recommended for performance reasons.

n vSphere infrastructure networks are used for features such as vSphere vMotion, VMware
vSphere Fault Tolerance, VMware vSAN, and storage. Isolate these networks for their specific
functions. It is often not necessary to route these networks outside a single physical server
rack.

n A management network isolates client traffic, command-line interface (CLI) or API traffic,
and third-party software traffic from other traffic. This network should be accessible only by
system, network, and security administrators. Use a jump box or a virtual private network (VPN)
to secure access to the management network. Strictly control access within this network.

n Virtual machine traffic can flow over one or many networks. You can enhance the isolation of
virtual machines by using virtual firewall solutions that set firewall rules at the virtual network
controller. These settings travel with a virtual machine as it migrates from host to host within
your vSphere environment.


Modifying ESXi Web Proxy Settings


When you modify Web proxy settings, you have several encryption and user security guidelines
to consider.

Note Restart the host process after making any changes to host directories or authentication
mechanisms.

n Do not set up certificates that use a password or pass phrases. ESXi does not support Web
proxies that use passwords or pass phrases, also known as encrypted keys. If you set up a
Web proxy that requires a password or pass phrase, ESXi processes cannot start correctly.

n To support encryption for user names, passwords, and packets, SSL is enabled by default
for vSphere Web Services SDK connections. If you want to configure these connections so
that they do not encrypt transmissions, disable SSL for your vSphere Web Services SDK
connection by switching the connection from HTTPS to HTTP.

Consider disabling SSL only if you created a fully trusted environment for these clients, where
firewalls are in place and transmissions to and from the host are fully isolated. Disabling SSL
can improve performance, because you avoid the overhead required to perform encryption.

n To protect against misuse of ESXi services, most internal ESXi services are accessible only
through port 443, the port used for HTTPS transmission. Port 443 acts as a reverse proxy for
ESXi. You can see a list of services on ESXi through an HTTP welcome page, but you cannot
directly access the Storage Adapters services without proper authorization.

You can change this configuration so that individual services are directly accessible through
HTTP connections. Do not make this change unless you are using ESXi in a fully trusted
environment.

n When you upgrade your environment, the certificate remains in place.

vSphere Auto Deploy Security Considerations


When you use vSphere Auto Deploy, pay careful attention to networking security, boot image
security, and potential password exposure through host profiles to protect your environment.

Networking Security
Secure your network just as you secure the network for any other PXE-based deployment
method. vSphere Auto Deploy transfers data over SSL to prevent casual interference and
snooping. However, the authenticity of the client or of the Auto Deploy server is not checked
during a PXE boot.

You can greatly reduce the security risk of Auto Deploy by completely isolating the network
where Auto Deploy is used.


Boot Image and Host Profile Security


The boot image that the vSphere Auto Deploy server downloads to a machine can have the
following components.

n The VIB packages that the image profile consists of are always included in the boot image.

n The host profile and host customization are included in the boot image if Auto Deploy rules
are set up to provision the host with a host profile or host customization.

n The administrator (root) password and user passwords that are included with host profile
and host customization are hashed with SHA-512.

n Any other passwords associated with profiles are in the clear. If you set up Active
Directory by using host profiles, the passwords are not protected. Use the vSphere
Authentication Proxy to avoid exposing the Active Directory passwords.

n The host's public and private SSL key and certificate are included in the boot image.

Control Access for CIM-Based Hardware Monitoring Tools


The Common Information Model (CIM) system provides an interface that enables hardware-level
management from remote applications using a set of standard APIs. To ensure that the CIM
interface is secure, provide only the minimum access necessary to these remote applications. If
you provision a remote application with a root or Administrator account, and if the application is
compromised, the virtual environment can be compromised.

CIM is an open standard that defines a framework for agent-less, standards-based monitoring
of hardware resources for ESXi hosts. This framework consists of a CIM object manager, often
called a CIM broker, and a set of CIM providers.

CIM providers support management access to device drivers and underlying hardware. Hardware
vendors, including server manufacturers and hardware device vendors, can write providers that
monitor and manage their devices. VMware writes providers that monitor server hardware, ESXi
storage infrastructure, and virtualization-specific resources. These providers run inside the ESXi
host and are lightweight and focused on specific management tasks. The CIM broker takes
information from all CIM providers and presents it to the outside world using standard APIs. The
most common API is WS-MAN.

Do not provide root credentials to remote applications that access the CIM interface. Instead,
create a less-privileged vSphere user account for these applications and use the VIM API ticket
function to issue a sessionId (called a "ticket") to this less-privileged user account to authenticate
to CIM. If the account has been granted permission to obtain CIM tickets, the VIM API can then
supply the ticket to CIM. These tickets are then supplied as both the user ID and password to any
CIM-XML API call. See the AcquireCimServicesTicket() method for more information.

The CIM service starts when you install a third-party CIM VIB, for example, when you run the
esxcli software vib install -n VIBname command.


If you must enable the CIM service manually, run the following command:

esxcli system wbem set -e true

If necessary, you can disable wsman (WSManagement Service) so that only the CIM service is
running:

esxcli system wbem set -W false

To confirm that wsman is disabled, run the following command and check the WSManagement lines in its output:

esxcli system wbem get

WSManagement PID: 0
WSManagement Service: false

For more information about ESXCLI commands, see vSphere Command-Line Interface
Documentation. For more information about enabling the CIM service, see the VMware
knowledge base article at https://kb.vmware.com/kb/1025757.

Procedure

1 Create a non-root vSphere user account for CIM applications.

See the topic on adding vCenter Single Sign-On users in Platform Services Controller
Administration Guide. The required vSphere privilege for the user account is
Host.CIM.Interaction.

2 Use the vSphere API SDK of your choice to authenticate the user account to vCenter Server.
Then call AcquireCimServicesTicket() to return a ticket that authenticates to the ESXi host with
administrator-level access through the CIM-XML API on port 5989 or the WS-Man API on port 443.

See VMware vSphere API Reference documentation for more information.

3 Renew the ticket every two minutes as needed.
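The procedure above, as an added Python example (not code from the VMware guide): a low-privilege account obtains a ticket through AcquireCimServicesTicket() and uses the sessionId as both user ID and password against the CIM-XML API on port 5989, with the TLS session pinned to the host thumbprint that vCenter Server reports. The vCenter-side helper assumes pyVmomi; the CIM-XML call itself uses only the standard library. The host names, the CIM class queried and SAMPLE_RESPONSE are constructed for illustration.

```python
"""Query an ESXi host's CIM interface with a vCenter-issued ticket, not root.

Added example, not from the vSphere Security guide. Standard library only for
the CIM-XML call (DMTF DSP0200/DSP0201 message shape); acquire_cim_ticket()
needs pyVmomi and imports it lazily. SAMPLE_RESPONSE is constructed here.
"""
import base64
import hashlib
import hmac
import http.client
import ssl
import xml.etree.ElementTree as ET

CIM_PORT = 5989      # CIM-XML over HTTPS
CIM_PATH = "/cimom"


def cim_auth_header(ticket_session_id):
    """HTTP Basic credentials for a ticket: the sessionId is BOTH user ID and password."""
    token = f"{ticket_session_id}:{ticket_session_id}".encode()
    return "Basic " + base64.b64encode(token).decode()


def thumbprint_matches(der_cert, expected):
    """SHA-1 thumbprint of the served certificate vs. the one vCenter reports (AB:CD:... form)."""
    got = hashlib.sha1(der_cert).hexdigest().upper()
    return hmac.compare_digest(got, expected.replace(":", "").upper())


def enumerate_instances_request(class_name, namespace="root/cimv2"):
    """CIM-XML EnumerateInstances MethodCall for one class in one namespace."""
    ns_path = "".join(f'<NAMESPACE NAME="{p}"/>' for p in namespace.split("/"))
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<CIM CIMVERSION="2.0" DTDVERSION="2.0">'
        '<MESSAGE ID="1" PROTOCOLVERSION="1.0"><SIMPLEREQ>'
        '<IMETHODCALL NAME="EnumerateInstances">'
        f"<LOCALNAMESPACEPATH>{ns_path}</LOCALNAMESPACEPATH>"
        f'<IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="{class_name}"/></IPARAMVALUE>'
        "</IMETHODCALL></SIMPLEREQ></MESSAGE></CIM>"
    ).encode()


def parse_instances(cim_xml):
    """[{property: value}] from an EnumerateInstances reply; raises on a CIM <ERROR>."""
    root = ET.fromstring(cim_xml)
    err = root.find(".//ERROR")
    if err is not None:
        raise RuntimeError(f"CIM error {err.get('CODE')}: {err.get('DESCRIPTION')}")
    instances = []
    for inst in root.iter("INSTANCE"):
        props = {}
        for prop in inst:
            if prop.tag == "PROPERTY":
                value = prop.find("VALUE")
                props[prop.get("NAME")] = value.text if value is not None else None
        instances.append(props)
    return instances


def acquire_cim_ticket(si, host_name):
    """(sessionId, host thumbprint) from vCenter for one host.

    si is a pyVmomi ServiceInstance logged in as the low-privilege account that
    holds Host.CIM.Interaction. The ticket is short-lived: fetch a fresh one
    before each CIM call rather than caching it.
    """
    from pyVmomi import vim  # imported here so the offline helpers above need no pyVmomi
    content = si.RetrieveContent()
    view = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)
    try:
        host = next(h for h in view.view if h.name == host_name)
    finally:
        view.Destroy()
    ticket = host.AcquireCimServicesTicket()  # vim.HostServiceTicket
    return ticket.sessionId, ticket.sslThumbprint


def cim_enumerate(host, ticket_session_id, expected_thumbprint, class_name):
    """POST one EnumerateInstances call to the host, pinned to its thumbprint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # trust is decided by the thumbprint check below
    conn = http.client.HTTPSConnection(host, CIM_PORT, context=ctx, timeout=15)
    conn.connect()
    if not thumbprint_matches(conn.sock.getpeercert(binary_form=True), expected_thumbprint):
        conn.close()
        raise ssl.SSLError(f"{host}: certificate does not match the thumbprint vCenter reported")
    headers = {"Content-Type": "application/xml; charset=utf-8",
               "CIMOperation": "MethodCall", "CIMMethod": "EnumerateInstances",
               "CIMObject": "root/cimv2", "Authorization": cim_auth_header(ticket_session_id)}
    conn.request("POST", CIM_PATH, body=enumerate_instances_request(class_name), headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"{host}: CIM call failed with HTTP {resp.status}")
    return parse_instances(body)


# Constructed reply, shaped like an EnumerateInstances response, for offline use.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="1" PROTOCOLVERSION="1.0">
<SIMPLERSP><IMETHODRESPONSE NAME="EnumerateInstances"><IRETURNVALUE>
<VALUE.NAMEDINSTANCE><INSTANCENAME CLASSNAME="CIM_ComputerSystem">
<KEYBINDING NAME="Name"><KEYVALUE VALUETYPE="string">esx01.example.test</KEYVALUE></KEYBINDING>
</INSTANCENAME><INSTANCE CLASSNAME="CIM_ComputerSystem">
<PROPERTY NAME="Name" TYPE="string"><VALUE>esx01.example.test</VALUE></PROPERTY>
<PROPERTY NAME="EnabledState" TYPE="uint16"><VALUE>2</VALUE></PROPERTY>
</INSTANCE></VALUE.NAMEDINSTANCE></IRETURNVALUE></IMETHODRESPONSE></SIMPLERSP></MESSAGE></CIM>"""
```

Call acquire_cim_ticket() immediately before each cim_enumerate() instead of reusing a ticket across a long run; that is what the two-minute renewal in step 3 amounts to in practice. The thumbprint pin matters because the CIM port presents the host's own certificate, which a general-purpose trust store will not validate in VMCA or thumbprint mode, and without the pin the ticket would be handed to whichever endpoint answered.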

Certificate Management for ESXi Hosts


In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each new ESXi
host with a signed certificate that has VMCA as the root certificate authority by default.
Provisioning happens when the host is added to vCenter Server explicitly or as part of installation
or upgrade to ESXi 6.0 or later.

You can view and manage ESXi certificates from the vSphere Client and by using the
vim.CertificateManager API in the vSphere Web Services SDK. You cannot view or manage
ESXi certificates by using certificate management CLIs that are available for managing vCenter
Server certificates.


Certificates in vSphere 5.5 and in vSphere 6.x


When ESXi and vCenter Server communicate, they use TLS/SSL for almost all management
traffic.

In vSphere 5.5 and earlier, the TLS/SSL endpoints are secured only by a combination of user
name, password, and thumbprint. Users can replace the corresponding self-signed certificates
with their own certificates. See the vSphere 5.5 Documentation Center.

In vSphere 6.0 and later, vCenter Server supports the following certificate modes for ESXi hosts.

Table 3-1. Certificate Modes for ESXi Hosts

Certificate Mode: VMware Certificate Authority (default)
Description: Use this mode if VMCA provisions all ESXi hosts, either as the top-level CA or as
an intermediate CA. By default, VMCA provisions ESXi hosts with certificates. In this mode, you
can refresh and renew certificates from the vSphere Client.

Certificate Mode: Custom Certificate Authority
Description: Use this mode if you want to use only custom certificates that are signed by a
third-party or enterprise CA. In this mode, you are responsible for managing the certificates.
You cannot refresh and renew certificates from the vSphere Client.

Note Unless you change the certificate mode to Custom Certificate Authority, VMCA might
replace custom certificates, for example, when you select Renew in the vSphere Client.

Certificate Mode: Thumbprint Mode
Description: vSphere 5.5 used thumbprint mode, and this mode is still available as a fallback
option for vSphere 6.x. In this mode, vCenter Server checks that the certificate is formatted
correctly, but does not check the validity of the certificate. Even expired certificates are
accepted. Do not use this mode unless you encounter problems that you cannot resolve with one
of the other two modes. Some vCenter 6.x and later services might not work correctly in
thumbprint mode.

Certificate Expiration
Starting with vSphere 6.0, you can view information about certificate expiration for certificates
that are signed by VMCA or a third-party CA in the vSphere Client. You can view the information
for all hosts that are managed by a vCenter Server or for individual hosts. A yellow alarm is raised
if the certificate is in the Expiring Shortly state (less than eight months). A red alarm is raised if
the certificate is in the Expiration Imminent state (less than two months). The day counts behind
these states are vCenter Server advanced options (vpxd.certmgmt.certs.cn.softThreshold and
vpxd.certmgmt.certs.cn.hardThreshold); see ESXi Certificate Default Settings.


ESXi Provisioning and VMCA


When you boot an ESXi host from installation media, the host initially has an autogenerated
certificate. When the host is added to the vCenter Server system, it is provisioned with a
certificate that is signed by VMCA as the root CA.

The process is similar for hosts that are provisioned with Auto Deploy. However, because those
hosts do not store any state, the signed certificate is stored by the Auto Deploy server in its local
certificate store. The certificate is reused during subsequent boots of the ESXi hosts. An Auto
Deploy server is part of any embedded deployment or vCenter Server system.

If VMCA is not available when an Auto Deploy host boots the first time, the host first attempts to
connect. If the host cannot connect, it cycles through shutdown and reboot until VMCA becomes
available and the host can be provisioned with a signed certificate.

Required Privileges for ESXi Certificate Management


For certificate management for ESXi hosts, you must have the Certificates.Manage Certificates
privilege. You can set that privilege from the vSphere Client.

Host Name and IP Address Changes


In vSphere 6.0 and later, a host name or IP address change might affect whether vCenter Server
considers a host certificate valid. How you added the host to vCenter Server affects whether
manual intervention is necessary. Manual intervention means that you either reconnect the host,
or you remove the host from vCenter Server and add it back.

Table 3-2. When Host Name or IP Address Changes Require Manual Intervention

Host added to vCenter Server using host name:
  Host name changes: vCenter Server connectivity problem. Manual intervention required.
  IP address changes: No intervention required.

Host added to vCenter Server using IP address:
  Host name changes: No intervention required.
  IP address changes: vCenter Server connectivity problem. Manual intervention required.


Host Upgrades and Certificates


If you upgrade an ESXi host to ESXi 6.5 or later, the upgrade process replaces the self-signed
(thumbprint) certificates with VMCA-signed certificates. If the ESXi host uses custom certificates,
the upgrade process retains those certificates even if those certificates are expired or invalid.

The recommended upgrade workflow depends on the current certificates.

Host Provisioned with Thumbprint Certificates


If your host is currently using thumbprint certificates, it is automatically assigned VMCA
certificates as part of the upgrade process.

Note You cannot provision legacy hosts with VMCA certificates. You must upgrade those
hosts to ESXi 6.5 or later.

Host Provisioned with Custom Certificates

If your host is provisioned with custom certificates, usually third-party CA-signed certificates,
those certificates remain in place during upgrade. Change the certificate mode to Custom to
ensure that the certificates are not replaced accidentally during a certificate refresh later.

Note If your environment is in VMCA mode, and you refresh the certificates from the
vSphere Client, any existing certificates are replaced with certificates that are signed by
VMCA.

Going forward, vCenter Server monitors the certificates and displays information, for
example, about certificate expiration, in the vSphere Client.

Hosts Provisioned with Auto Deploy

Hosts that are being provisioned by Auto Deploy are always assigned new certificates when
they are first booted with ESXi 6.5 or later software. When you upgrade a host that is
provisioned by Auto Deploy, the Auto Deploy server generates a certificate signing request
(CSR) for the host and submits it to VMCA. VMCA stores the signed certificate for the host.
When the Auto Deploy server provisions the host, it retrieves the certificate from VMCA and
includes it as part of the provisioning process.

You can use Auto Deploy with custom certificates.

See Use Custom Certificates with Auto Deploy.

Certificate Mode Switch Workflows


Starting with vSphere 6.0, ESXi hosts are provisioned with certificates by VMCA by default. You
can instead use custom certificate mode or, for debugging purposes, the legacy thumbprint
mode. In most cases, mode switches are disruptive and not necessary. If you do require a mode
switch, review the potential impact before you start.

In vSphere 6.0 and later, vCenter Server supports the following certificate modes for ESXi hosts.


Certificate Mode: VMware Certificate Authority (default)
Description: By default, the VMware Certificate Authority is used as the CA for ESXi host
certificates. VMCA is the root CA by default, but it can be set up as the intermediary CA to
another CA. In this mode, users can manage certificates from the vSphere Client. This mode also
applies when VMCA is a subordinate CA.

Certificate Mode: Custom Certificate Authority
Description: Some customers might prefer to manage their own external certificate authority. In
this mode, customers are responsible for managing the certificates and cannot manage them from
the vSphere Client.

Certificate Mode: Thumbprint Mode
Description: vSphere 5.5 used thumbprint mode, and this mode is still available as a fallback
option for vSphere 6.0. Do not use this mode unless you encounter problems with one of the other
two modes that you cannot resolve. Some vCenter 6.0 and later services might not work correctly
in thumbprint mode.

Using Custom ESXi Certificates


If your company policy requires that you use a different root CA than VMCA, you can switch the
certificate mode in your environment after careful planning. The workflow is as follows.

1 Obtain the certificates that you want to use.

2 Place the host or hosts into maintenance mode and disconnect them from vCenter Server.

3 Add the custom CA's root certificate to VECS.

4 Deploy the custom CA certificates to each host and restart services on that host.

5 Switch to Custom CA mode. See Change the Certificate Mode.

6 Connect the host or hosts to the vCenter Server system.

Switching from Custom CA Mode to VMCA Mode


If you are using custom CA mode and decide that using VMCA works better in your environment,
you can perform the mode switch after careful planning. The workflow is as follows.

1 Remove all hosts from the vCenter Server system.

2 On the vCenter Server system, remove the third-party CA's root certificate from VECS.

3 Switch to VMCA mode. See Change the Certificate Mode.

4 Add the hosts to the vCenter Server system.

Note Any other workflow for this mode switch might result in unpredictable behavior.

Retaining Thumbprint Mode Certificates During Upgrade


The switch from VMCA mode to thumbprint mode might be necessary if you encounter problems
with the VMCA certificates. In thumbprint mode, the vCenter Server system checks only whether
a certificate exists and is formatted correctly, and does not check whether the certificate is valid.
See Change the Certificate Mode for instructions.


Switching from Thumbprint Mode to VMCA Mode


If you use thumbprint mode and you want to start using VMCA-signed certificates, the switch
requires some planning. The workflow is as follows.

1 Remove all hosts from the vCenter Server system.

2 Switch to VMCA certificate mode. See Change the Certificate Mode.

3 Add the hosts to the vCenter Server system.

Note Any other workflow for this mode switch might result in unpredictable behavior.

Switching from Custom CA Mode to Thumbprint Mode


If you are encountering problems with your custom CA, consider switching to thumbprint mode
temporarily. The switch works seamlessly if you follow the instructions in Change the Certificate
Mode. After the mode switch, the vCenter Server system checks only the format of the certificate
and no longer checks the validity of the certificate itself.

Switching from Thumbprint Mode to Custom CA Mode


If you set your environment to thumbprint mode during troubleshooting, and you want to start
using custom CA mode, you must first generate the required certificates. The workflow is as
follows.

1 Remove all hosts from the vCenter Server system.

2 Add the custom CA root certificate to TRUSTED_ROOTS store on VECS on the vCenter
Server system. See Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates).

3 For each ESXi host:

a Deploy the custom CA certificate and key.

b Restart services on the host.

4 Switch to custom mode. See Change the Certificate Mode.

5 Add the hosts to the vCenter Server system.

ESXi Certificate Default Settings


When a host is added to a vCenter Server system, vCenter Server sends a Certificate Signing
Request (CSR) for the host to VMCA. Most of the default values are well suited for many
situations, but company-specific information can be changed.

You can change many of the default settings using the vSphere Client. Consider changing the
organization, and location information. See Change Certificate Default Settings.


Table 3-3. ESXi CSR Settings

Parameter: Default Value (Advanced Option; N.A. means the value cannot be changed)

Key Size: 2048 (N.A.)

Key Algorithm: RSA (N.A.)

Certificate Signature Algorithm: sha256WithRSAEncryption (N.A.)

Common Name: Name of the host if the host was added to vCenter Server by host name; IP
address of the host if the host was added to vCenter Server by IP address (N.A.)

Country: USA (vpxd.certmgmt.certs.cn.country)

Email address: [email protected] (vpxd.certmgmt.certs.cn.email)

Locality (City): Palo Alto (vpxd.certmgmt.certs.cn.localityName)

Organization Unit Name: VMware Engineering (vpxd.certmgmt.certs.cn.organizationalUnitName)

Organization Name: VMware (vpxd.certmgmt.certs.cn.organizationName)

State or province: California (vpxd.certmgmt.certs.cn.state)

Number of days the certificate is valid: 1825 (vpxd.certmgmt.certs.daysValid)

Hard threshold for the certificate expiration. vCenter Server raises a red alarm when this
threshold is reached: 30 days (vpxd.certmgmt.certs.cn.hardThreshold)

Poll interval for vCenter Server certificate validity checks: 5 days
(vpxd.certmgmt.certs.cn.pollIntervalDays)

Soft threshold for the certificate expiration. vCenter Server raises an event when this
threshold is reached: 240 days (vpxd.certmgmt.certs.cn.softThreshold)

Mode that vCenter Server uses to determine whether existing certificates are replaced. Change
this mode to retain custom certificates during upgrade. See Host Upgrades and Certificates:
vmca (vpxd.certmgmt.mode; you can also specify thumbprint or custom. See Change the
Certificate Mode.)

Change Certificate Default Settings


When a host is added to a vCenter Server system, vCenter Server sends a Certificate Signing
Request (CSR) for the host to VMCA. You can change some of the default settings in the CSR
using the vCenter Server Advanced Settings in the vSphere Client.


See ESXi Certificate Default Settings for a list of default settings. Some of the defaults cannot be
changed.

Procedure

1 In the vSphere Client, select the vCenter Server system that manages the hosts.

2 Click Configure, and click Advanced Settings.

3 Click Edit Settings.

4 Click the Filter icon in the Name column, and in the Filter box, enter vpxd.certmgmt to
display only certificate management parameters.

5 Change the value of the existing parameters to follow your company policy and click Save.

The next time you add a host to vCenter Server, the new settings are used in the CSR that
vCenter Server sends to VMCA and in the certificate that is assigned to the host.

What to do next

Changes to certificate metadata only affect new certificates. If you want to change the
certificates of hosts that are already managed by the vCenter Server system, you can disconnect
and reconnect the hosts or renew the certificates.

View Certificate Expiration Information for Multiple ESXi Hosts


If you are using ESXi 6.0 and later, you can view the certificate status of all hosts that are
managed by your vCenter Server system. The display allows you to determine whether any of
the certificates expire soon.

You can view certificate status information for hosts that are using VMCA mode and for hosts
that are using custom mode in the vSphere Client. You cannot view certificate status information
for hosts in thumbprint mode.

Procedure

1 Log in to the vCenter Server by using the vSphere Client.

2 Browse the inventory list and select the vCenter Server instance.

3 Select Hosts & Clusters > Hosts.

By default, the Hosts display does not include the certificate status.

4 Click the down arrow in a column header to show/hide columns.

5 Select the Certificate Valid To check box, and scroll to the right if necessary.

The certificate information displays when the certificate expires.


If a host is added to vCenter Server or reconnected after a disconnect, vCenter Server
renews the certificate if the status is Expired, Expiring, Expiring shortly, or Expiration
imminent. The status is Expiring if the certificate is valid for less than eight months, Expiring
shortly if the certificate is valid for less than two months, and Expiration imminent if the
certificate is valid for less than one month.

6 (Optional) Deselect other columns to make it easier to see what you are interested in.

What to do next

Renew the certificates that are about to expire. See Renew or Refresh ESXi Certificates.
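The view above is per vCenter Server and excludes thumbprint-mode hosts. As an added example (not code from the VMware guide), the Python script below makes the same check from outside the client for any list of hosts, whatever their certificate mode: it pulls the certificate each host serves on port 443, reads notBefore/notAfter directly from the DER structure, and classifies the result with the states the client shows. The soft (240 days) and hard (30 days) thresholds are the vpxd.certmgmt defaults from ESXi Certificate Default Settings; the 60-day boundary for Expiring shortly is the example's own reading of the guide's "less than two months". synthetic_cert() builds an unsigned, certificate-shaped blob so the parser and classifier can be exercised offline; the host names are placeholders.

```python
"""Audit ESXi host certificate expiry from a script, using the guide's thresholds.

Added example, not from the vSphere Security guide. Standard library only: the
certificate is fetched from the host's HTTPS port and its validity period is
read by walking the DER structure. synthetic_cert() is test scaffolding.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

SOFT_THRESHOLD_DAYS = 240  # vpxd.certmgmt.certs.cn.softThreshold default (event)
SHORTLY_DAYS = 60          # assumption: the guide's "less than two months" band
HARD_THRESHOLD_DAYS = 30   # vpxd.certmgmt.certs.cn.hardThreshold default (red alarm)


def _tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def _children(buf):
    """Yield (tag, value_bytes) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, start, end = _tlv(buf, pos)
        yield tag, buf[start:end]
        pos = end


def _decode_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_validity(der):
    """(notBefore, notAfter) from a DER certificate.

    Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQ { [0] version OPTIONAL, serial, signature, issuer, validity, ... }
    """
    _, start, end = _tlv(der, 0)
    _, tbs = next(_children(der[start:end]))
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:  # explicit [0] version present (v3)
        fields = fields[1:]
    validity = fields[3][1]   # serial, signature, issuer, validity
    not_before, not_after = (_decode_time(t, v) for t, v in _children(validity))
    return not_before, not_after


def certificate_status(not_after, now=None):
    """Map days-to-expiry onto the states the vSphere Client shows."""
    now = now or datetime.now(timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        return "Expired"
    if days_left < HARD_THRESHOLD_DAYS:
        return "Expiration imminent"
    if days_left < SHORTLY_DAYS:
        return "Expiring shortly"
    if days_left < SOFT_THRESHOLD_DAYS:
        return "Expiring"
    return "Good"


def fetch_host_cert(host, port=443, timeout=5.0):
    """DER leaf certificate a host serves. Verification is off on purpose: an expired
    or untrusted certificate is exactly what this audit wants to see."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def audit_hosts(hosts):
    """{host: (notAfter ISO date, status)} for each host; unreachable hosts are reported."""
    report = {}
    for host in hosts:
        try:
            _, not_after = parse_validity(fetch_host_cert(host))
            report[host] = (not_after.date().isoformat(), certificate_status(not_after))
        except (OSError, ssl.SSLError) as exc:
            report[host] = (None, f"unreachable: {exc}")
    return report


# --- offline test scaffolding: an unsigned DER blob with a real validity field ---
def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def synthetic_cert(not_before, not_after):
    """Constructed-for-testing DER carrying only the fields parse_validity walks."""
    utc = lambda d: _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_enc(0xA0, _enc(0x02, b"\x02"))                                      # [0] version v3
           + _enc(0x02, b"\x01")                                                 # serialNumber
           + _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))    # sha256WithRSA
           + _enc(0x30, b"")                                                     # issuer (empty)
           + _enc(0x30, utc(not_before) + utc(not_after))                        # validity
           + _enc(0x30, b"") + _enc(0x30, b""))                                  # subject, SPKI
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))


def demo():
    """Classify constructed certificates against a fixed clock: {name: (notAfter, status)}."""
    now = datetime(2024, 8, 30, tzinfo=timezone.utc)
    out = {}
    for name, days in (("fresh", 1825), ("soft", 200), ("shortly", 45), ("hard", 10), ("dead", -5)):
        der = synthetic_cert(now - timedelta(days=1), now + timedelta(days=days))
        _, not_after = parse_validity(der)
        out[name] = (not_after.date().isoformat(), certificate_status(not_after, now))
    return out
```

Run audit_hosts() against the same host list vCenter Server manages and diff the two views: a host that the client reports as Good but that serves an expired or differently-issued certificate on 443 is the case worth investigating, since it means the certificate vCenter Server recorded is not the one the host is actually using.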

View Certificate Details for a Single ESXi Host


For ESXi 6.0 and later hosts that are in VMCA mode or custom mode, you can view certificate
details from the vSphere Client. The information about the certificate can be helpful for
debugging.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, click Certificate.

You can examine the following information. This information is available only in the single-
host view.

Field Description

Subject The subject used during certificate generation.

Issuer The issuer of the certificate.

Valid From Date on which the certificate was generated.

Valid To Date on which the certificate expires.

Status Status of the certificate, one of the following.
  Good: Normal operation.
  Expiring: Certificate expires soon.
  Expiring shortly: Certificate is eight months or less away from expiration (default).
  Expiration imminent: Certificate is two months or less away from expiration (default).
  Expired: Certificate is not valid because it expired.

Renew or Refresh ESXi Certificates


If VMCA assigns certificates to your ESXi hosts (6.0 and later), you can renew those certificates
from the vSphere Client. You can also refresh all certificates from the TRUSTED_ROOTS store
associated with vCenter Server.

You can renew your certificates when they are about to expire, or if you want to provision the
host with a new certificate for other reasons. If you do not renew the certificate before it expires,
disconnecting the host and reconnecting it causes vCenter Server to renew the certificate. The
act of re-adding the host to vCenter Server reestablishes trust, and enables vCenter Server to
unconditionally issue the renewed certificate.

By default, vCenter Server renews the certificates of a host with status Expired, Expiration
imminent, or Expiring shortly, each time the host is added to the inventory, or reconnected.

Prerequisites

Verify the following:

n The ESXi hosts are connected to the vCenter Server system.

n There is proper time synchronization between the vCenter Server system and the ESXi hosts.

n DNS resolution works between the vCenter Server system and the ESXi hosts.

n The vCenter Server system's MACHINE_SSL_CERT and Trusted_Root certificates are valid
and have not expired. See the VMware knowledge base article at
https://kb.vmware.com/s/article/2111411.

n The ESXi hosts are not in maintenance mode.


Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, click Certificate.

You can view detailed information about the selected host's certificate.

4 Click Renew or Refresh CA Certificates.

Option Description

Renew Retrieves a fresh signed certificate for the host from VMCA.

Refresh CA Certificates Pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server
VECS store to the host.

5 Click Yes to confirm.

Change the Certificate Mode


Use VMCA to provision the ESXi hosts in your environment unless corporate policy requires that
you use custom certificates. To use custom certificates with a different root CA, you can edit
the vCenter Server vpxd.certmgmt.mode advanced option. After the change, the hosts are no
longer automatically provisioned with VMCA certificates when you refresh certificates. You are
responsible for the certificate management in your environment.

You can use the vCenter Server advanced settings to change to thumbprint mode or to custom
CA mode. Use thumbprint mode only as a fallback option.

Procedure

1 In the vSphere Client, select the vCenter Server system that manages the hosts.

2 Click Configure, and under Settings, click Advanced Settings.

3 Click Edit Settings.

4 Click the Filter icon in the Name column, and in the Filter box, enter vpxd.certmgmt to
display only certificate management parameters.

5 Change the value of vpxd.certmgmt.mode to custom if you intend to manage your own
certificates, and to thumbprint if you temporarily want to use thumbprint mode, and click
Save.

6 Restart the vCenter Server service.

Replacing ESXi SSL Certificates and Keys


Your company's security policy might require that you replace the default ESXi SSL certificate
with a third-party CA-signed certificate on each host.


By default, vSphere components use the VMCA-signed certificate and key that are created
during installation. If you accidentally delete the VMCA-signed certificate, remove the host from
its vCenter Server system, and add it back. When you add the host, vCenter Server requests a
new certificate from VMCA and provisions the host with it.

Replace VMCA-signed certificates with certificates from a trusted CA, either a commercial CA or
an organizational CA, if your company policy requires it.

The default certificates are in the same location as the vSphere 5.5 certificates. You can replace
the default certificates with trusted certificates in various ways.

Note You can also use the vim.CertificateManager and vim.host.CertificateManager
managed objects in the vSphere Web Services SDK. See the vSphere Web Services SDK
documentation.

After you replace the certificate, you have to update the TRUSTED_ROOTS store in VECS on the
vCenter Server system that manages the host to ensure that the vCenter Server and the ESXi
host have a trust relationship.

For detailed instructions about using CA-signed certificates for ESXi hosts, see Certificate Mode
Switch Workflows.

Note If you are replacing SSL certificates on an ESXi host that is part of a vSAN cluster, follow
the steps that are in the VMware knowledge base article at
https://kb.vmware.com/s/article/56441.

What to read next

n Requirements for ESXi Certificate Signing Requests
If you want to use an enterprise or third-party CA-signed certificate, you have to send a
Certificate Signing Request (CSR) to the CA.

n Replace the Default Certificate and Key from the ESXi Shell
You can replace the default VMCA-signed ESXi certificates from the ESXi Shell.

n Replace a Default Certificate and Key with the vifs Command
You can replace the default VMCA-signed ESXi certificates by using the vifs command.

n Replace a Default Certificate Using HTTPS PUT
You can use third-party applications to upload certificates and keys. Applications that
support HTTPS PUT operations work with the HTTPS interface that is included with ESXi.

n Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates)
If you set up your ESXi hosts to use custom certificates, you must update the
TRUSTED_ROOTS store on the vCenter Server system that manages the hosts.


Requirements for ESXi Certificate Signing Requests


If you want to use an enterprise or third-party CA-signed certificate, you have to send a
Certificate Signing Request (CSR) to the CA.

Use a CSR with these characteristics:

n Key size: 2048 bits or more (PEM encoded)

n PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS,
they are converted to PKCS8.

n x509 version 3

n For root certificates, the CA extension (basicConstraints) must be set to true, and
keyCertSign must be among the certificate's key usages.

n SubjectAltName must contain DNS Name=<machine_FQDN>.

n CRT format

n Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

n Start time of one day before the current time.

n CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the
vCenter Server inventory.

For information about generating the CSR, see the VMware knowledge base article at
https://kb.vmware.com/s/article/2113926.

Replace the Default Certificate and Key from the ESXi Shell
You can replace the default VMCA-signed ESXi certificates from the ESXi Shell.

Prerequisites

n If you want to use third-party CA-signed certificates, generate the certificate request, send it
to the certificate authority, and store the certificates on each ESXi host.

n If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Client.

n All file transfers and other communications occur over a secure HTTPS session. The user who
is used to authenticate the session must have the privilege Host.Config.AdvancedConfig on
the host.

Procedure

1 Log in to the ESXi Shell, either directly from the DCUI or from an SSH client, as a user with
administrator privileges.


2 In the directory /etc/vmware/ssl, rename the existing certificates using the following
commands.

mv rui.crt orig.rui.crt
mv rui.key orig.rui.key

3 Copy the certificates that you want to use to /etc/vmware/ssl.

4 Rename the new certificate and key to rui.crt and rui.key.

5 Restart the host after you install the new certificate.

Alternatively, you can put the host into maintenance mode, install the new certificate, use the
Direct Console User Interface (DCUI) to restart the management agents, and set the host to
exit maintenance mode.

What to do next

Update the vCenter Server TRUSTED_ROOTS store. See Update the vCenter Server
TRUSTED_ROOTS Store (Custom Certificates).

Replace a Default Certificate and Key with the vifs Command


You can replace the default VMCA-signed ESXi certificates by using the vifs command.

You run vifs as a vCLI command. See vSphere Command-Line Interface Reference.

Prerequisites

n If you want to use third-party CA-signed certificates, generate the certificate request, send it
to the certificate authority, and store the certificates on each ESXi host.

n If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Client.

n All file transfers and other communications occur over a secure HTTPS session. The user who
is used to authenticate the session must have the privilege Host.Config.AdvancedConfig on
the host.

Procedure

1 Back up the existing certificates.

2 Generate a certificate request following the instructions from the certificate authority.

See Requirements for ESXi Certificate Signing Requests.

3 When you have the certificate, use the vifs command to upload the certificate to the
appropriate location on the host from an SSH connection to the host.

vifs --server hostname --username username --put rui.crt /host/ssl_cert

vifs --server hostname --username username --put rui.key /host/ssl_key


4 Restart the host.

Alternatively, you can put the host into maintenance mode, install the new certificate, use the
Direct Console User Interface (DCUI) to restart the management agents, and set the host to
exit maintenance mode.

What to do next

Update the vCenter Server TRUSTED_ROOTS store. See Update the vCenter Server
TRUSTED_ROOTS Store (Custom Certificates).

Replace a Default Certificate Using HTTPS PUT


You can use third-party applications to upload certificates and key. Applications that support
HTTPS PUT operations work with the HTTPS interface that is included with ESXi.

Prerequisites

n If you want to use third-party CA-signed certificates, generate the certificate request, send it
to the certificate authority, and store the certificates on each ESXi host.

n If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Client.

n All file transfers and other communications occur over a secure HTTPS session. The user who
is used to authenticate the session must have the privilege Host.Config.AdvancedConfig on
the host.

Procedure

1 Back up the existing certificates.

2 In your upload application, process each file as follows:

a Open the file.

b Publish the file to one of these locations.

Option Description

Certificates https://hostname/host/ssl_cert

Keys https://hostname/host/ssl_key

The locations /host/ssl_cert and /host/ssl_key link to the certificate and key files
in /etc/vmware/ssl.

3 Restart the host.

Alternatively, you can put the host into maintenance mode, install the new certificate, use the
Direct Console User Interface (DCUI) to restart the management agents, and set the host to
exit maintenance mode.
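The three upload procedures above are one operation seen through different tools (write rui.crt and rui.key under /etc/vmware/ssl), and Requirements for ESXi Certificate Signing Requests lists what the certificate must contain. The Python example below, added here and not part of the VMware guide, ties them together: an openssl request config that yields a CSR meeting those requirements, a check that the PEM files are a certificate plus an unencrypted PKCS#8 or PKCS#1 key, the HTTPS PUT to /host/ssl_cert and /host/ssl_key pinned to the host's current thumbprint (so the private key is never sent to an impostor), and a post-restart check that the host serves the uploaded certificate with a chain that validates against the custom CA root. The host name, local user, organization values and the assumption that any 2xx response means the file was stored are the example's own.

```python
"""Replace an ESXi host certificate over HTTPS PUT and verify what the host serves.

Added example, not from the vSphere Security guide. Standard library only. The
openssl config, user name, host names, paths and the "any 2xx means stored"
reading of the PUT response are the example's assumptions, not the guide's.
"""
import base64
import hashlib
import hmac
import http.client
import socket
import ssl


def openssl_csr_config(fqdn, org="Example Corp", country="US"):
    """openssl req config meeting the guide's CSR rules: RSA 2048, sha256, CN and
    SAN set to the host's inventory name, the three required key usages.
    Use with: openssl req -new -config host.cnf -keyout rui.key -out rui.csr"""
    return (
        "[ req ]\ndefault_bits = 2048\ndefault_md = sha256\nprompt = no\n"
        "distinguished_name = dn\nreq_extensions = ext\n"
        f"[ dn ]\nC = {country}\nO = {org}\nCN = {fqdn}\n"
        "[ ext ]\nbasicConstraints = CA:FALSE\n"
        "keyUsage = digitalSignature, nonRepudiation, keyEncipherment\n"
        f"subjectAltName = DNS:{fqdn}\n"
    )


def pem_kind(text):
    """'cert', 'pkcs8-key' or 'pkcs1-key' from the PEM header; None for anything
    else (an encrypted key, a CSR, a DER file)."""
    first = next((l.strip() for l in text.splitlines() if l.startswith("-----BEGIN")), "")
    return {"-----BEGIN CERTIFICATE-----": "cert",
            "-----BEGIN PRIVATE KEY-----": "pkcs8-key",
            "-----BEGIN RSA PRIVATE KEY-----": "pkcs1-key"}.get(first)


def thumbprint_matches(der_cert, expected):
    """SHA-1 thumbprint of the served certificate vs. the one vCenter shows for the host."""
    got = hashlib.sha1(der_cert).hexdigest().upper()
    return hmac.compare_digest(got, expected.replace(":", "").upper())


def put_host_file(host, user, password, expected_thumbprint, path, data):
    """HTTPS PUT one file to the ESXi file interface, pinned to the certificate the
    host serves today. The user needs Host.Config.AdvancedConfig on the host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the thumbprint pin below stands in for chain validation
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=30)
    conn.connect()
    if not thumbprint_matches(conn.sock.getpeercert(binary_form=True), expected_thumbprint):
        conn.close()
        raise ssl.SSLError(f"{host}: unexpected certificate; not sending the private key")
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn.request("PUT", path, body=data,
                 headers={"Authorization": f"Basic {auth}",
                          "Content-Type": "application/octet-stream"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def replace_host_certificate(host, user, password, expected_thumbprint, cert_pem, key_pem):
    """Upload the new rui.crt and rui.key after checking they are what the host expects."""
    if pem_kind(cert_pem) != "cert" or pem_kind(key_pem) not in ("pkcs8-key", "pkcs1-key"):
        raise ValueError("need a PEM certificate and an unencrypted PKCS#8 or PKCS#1 RSA key")
    for path, body in (("/host/ssl_cert", cert_pem), ("/host/ssl_key", key_pem)):
        status = put_host_file(host, user, password, expected_thumbprint, path, body.encode())
        if not 200 <= status < 300:  # assumption: any 2xx means the file was stored
            raise RuntimeError(f"PUT {path} returned HTTP {status}")
    # Restart the host, or the management agents from the DCUI, before the new
    # certificate is served; then confirm it with served_certificate_matches().


def same_certificate(cert_pem, served_der):
    """Byte-for-byte comparison of the uploaded PEM certificate and a served DER one."""
    return ssl.PEM_cert_to_DER_cert(cert_pem) == served_der


def served_certificate_matches(host, ca_root_pem_path, cert_pem):
    """After the restart: validate the host's chain against the custom CA root and
    check that the leaf is the certificate that was uploaded."""
    ctx = ssl.create_default_context(cafile=ca_root_pem_path)
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return same_certificate(cert_pem, tls.getpeercert(binary_form=True))


# Constructed, certificate-shaped DER for the offline round-trip check.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
```

The pin for the upload is the host's current (VMCA or thumbprint) certificate, taken from the host's summary in the vSphere Client or from the ESXi Shell, because at that point there is nothing else to trust; the verification afterwards deliberately uses full chain validation with the custom CA root, which is the check that vCenter Server will be making once the TRUSTED_ROOTS store has been updated.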


What to do next

Update the vCenter Server TRUSTED_ROOTS store. See Update the vCenter Server
TRUSTED_ROOTS Store (Custom Certificates).

Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates)


If you set up your ESXi hosts to use custom certificates, you must update the TRUSTED_ROOTS
store on the vCenter Server system that manages the hosts.

Prerequisites

Replace the certificates on each host with custom certificates.

Note This step is not required if the vCenter Server system is also running with custom
certificates issued by the same CA as those installed on the ESXi hosts.

Procedure

1 Log in to the vCenter Server system that manages the ESXi hosts.

Log in to the Windows system on which you installed the software, or log in to the vCenter
Server Appliance shell.

2 To add the new certificates to the TRUSTED_ROOTS store, run dir-cli, for example:

Linux: /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert <path_to_RootCA>

Windows: "C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli" trustedcert publish --cert <path_to_RootCA>

3 When prompted, provide the Single Sign-On Administrator credentials.

4 If your custom certificates are issued by an intermediate CA, you must also add the
intermediate CA to the TRUSTED_ROOTS store on the vCenter Server, for example:

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert <path_to_intermediateCA>

What to do next

Set certificate mode to Custom. If certificate mode is VMCA, the default, and you perform a
certificate refresh, your custom certificates are replaced with VMCA-signed certificates. See
Change the Certificate Mode.


Use Custom Certificates with Auto Deploy


By default, the Auto Deploy server provisions each host with certificates that are signed by
VMCA. You can set up the Auto Deploy server to provision all hosts with custom certificates
that are not signed by VMCA. In that scenario, the Auto Deploy server becomes a subordinate
certificate authority of your third-party CA.

Prerequisites

n Request a certificate from your CA. The certificate must meet these requirements.

n Key size: 2048 bits or more (PEM encoded)

n PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to
VECS, they are converted to PKCS8.

n x509 version 3

n For root certificates, the CA extension (basicConstraints) must be set to true, and
keyCertSign must be among the certificate's key usages.

n SubjectAltName must contain DNS Name=<machine_FQDN>.

n CRT format

n Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

n Start time of one day before the current time.

n CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in
the vCenter Server inventory.

n Name the certificate and key files rbd-ca.crt and rbd-ca.key.

Procedure

1 Back up the default ESXi certificates.

The certificates are in the /etc/vmware-rbd/ssl/ directory.

2 Stop the vSphere Authentication Proxy service.

Tool Steps

vCenter Server Appliance Management Interface (VAMI)
a In a Web browser, go to the vCenter Server Appliance Management Interface, https://appliance-IP-address-or-FQDN:5480.
b Log in as root.
The default root password is the password that you set while deploying the vCenter Server Appliance.
c Click Services, and click the VMware vSphere Authentication Proxy service.
d Click Stop.

vSphere Web Client
a Select Administration, and click System Configuration under Deployment.
b Click Services and click the VMware vSphere Authentication Proxy service.
c Click the red Stop the service icon.

CLI
service-control --stop vmcam

3 On the system where the Auto Deploy service runs, replace rbd-ca.crt and rbd-ca.key
in /etc/vmware-rbd/ssl/ with your custom certificate and key files.

4 On the system where the Auto Deploy service runs, run the following commands to update
the TRUSTED_ROOTS store inside the VECS to use your new certificates.

Option Description

Windows
cd "C:\Program Files\VMware\vCenter Server\vmafdd\"
.\dir-cli.exe trustedcert publish --cert C:\ProgramData\VMware\vCenterServer\data\autodeploy\ssl\rbd-ca.crt
.\vecs-cli force-refresh

Linux
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /etc/vmware-rbd/ssl/rbd-ca.crt
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

5 Create a castore.pem file that contains what is in the TRUSTED_ROOTS store and place the
file in the /etc/vmware-rbd/ssl/ directory.

In custom mode, you are responsible for maintaining this file.

6 Change the ESXi certificate mode for the vCenter Server system to custom.

See Change the Certificate Mode.

7 Restart the vCenter Server service and start the Auto Deploy service.

Results

The next time you provision a host that is set up to use Auto Deploy, the Auto Deploy server
generates a certificate. The Auto Deploy server uses the root certificate that you just added to
the TRUSTED_ROOTS store.

Note If you encounter problems with Auto Deploy after certificate replacement, see the
VMware knowledge base article at http://kb.vmware.com/kb/2000988.

Restore ESXi Certificate and Key Files


When you replace a certificate on an ESXi host by using the vSphere Web Services SDK, the
previous certificate and key are appended to a .bak file. You can restore previous certificates by
moving the information in the .bak file to the current certificate and key files.

The host certificate and key are located in /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/
rui.key. When you replace a host certificate and key by using the vSphere Web Services SDK
vim.CertificateManager managed object, the previous key and certificate are appended to the
file /etc/vmware/ssl/rui.bak.

Note If you replace the certificate by using HTTP PUT, vifs, or from the ESXi Shell, the existing
certificates are not appended to the .bak file.

Procedure

1 On the ESXi host, locate the file /etc/vmware/ssl/rui.bak.

The file has the following format.

#
# Host private key and certificate backup from 2014-06-20 08:02:49.961
#
-----BEGIN PRIVATE KEY-----
previous key
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
previous cert
-----END CERTIFICATE-----

2 Copy the text starting with -----BEGIN PRIVATE KEY----- and ending with -----END PRIVATE
KEY----- into the /etc/vmware/ssl/rui.key file.

Include -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.

3 Copy the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into
the /etc/vmware/ssl/rui.crt file.

Include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

4 Restart the ESXi host.

Alternatively, you can put the host into maintenance mode and use the Direct Console User
Interface (DCUI) to restart the management agents, and set the host to exit maintenance
mode.
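Added example, not from the vSphere Security guide: a shell function that carries out steps 1 to 3 of the restore procedure above. Because rui.bak is appended to on every SDK replacement, it may hold several backups; the function takes the most recent (last) key and certificate blocks, refuses to overwrite anything if either block is incomplete, and keeps a copy of the current files. It assumes the BusyBox sh and awk of the ESXi Shell (bash and GNU awk also work); the file paths are parameters so it can be tried on copies first.

```shell
#!/bin/sh
# Added example (not from the vSphere Security guide): restore the previous ESXi host
# certificate and key from /etc/vmware/ssl/rui.bak, as in the procedure above.
# rui.bak is appended to on every SDK replacement, so the LAST PRIVATE KEY and
# CERTIFICATE blocks are the ones from the most recent replacement; this script
# extracts those. Assumes the BusyBox sh and awk of the ESXi Shell (or bash/GNU awk).
#
# Usage on a host: restore_from_bak          (defaults to the /etc/vmware/ssl paths)
# Afterwards restart the host, or restart the management agents from the DCUI (step 4).

# Print the last complete PEM block of the given type ("PRIVATE KEY" or "CERTIFICATE")
# found in file $1, BEGIN and END lines included. Prints nothing if there is none.
last_pem_block() {
    awk -v begin="-----BEGIN $2-----" -v end="-----END $2-----" '
        $0 == begin { buf = ""; inblock = 1 }
        inblock     { buf = buf $0 "\n" }
        $0 == end   { inblock = 0; last = buf }
        END         { printf "%s", last }' "$1"
}

# restore_from_bak [bak_file] [key_file] [crt_file]
# Returns 0 on success; 1 if the backup is unreadable; 2 if it lacks a complete key
# or certificate block (nothing is overwritten in that case); 3 on a write error.
restore_from_bak() {
    bak="${1:-/etc/vmware/ssl/rui.bak}"
    keyfile="${2:-/etc/vmware/ssl/rui.key}"
    crtfile="${3:-/etc/vmware/ssl/rui.crt}"

    [ -r "$bak" ] || { echo "restore_from_bak: cannot read $bak" >&2; return 1; }

    key=$(last_pem_block "$bak" "PRIVATE KEY")
    crt=$(last_pem_block "$bak" "CERTIFICATE")

    # Refuse to touch the live files unless both blocks are present and complete.
    case "$key" in
        *"-----END PRIVATE KEY-----") ;;
        *) echo "restore_from_bak: no complete PRIVATE KEY block in $bak" >&2; return 2 ;;
    esac
    case "$crt" in
        *"-----END CERTIFICATE-----") ;;
        *) echo "restore_from_bak: no complete CERTIFICATE block in $bak" >&2; return 2 ;;
    esac

    # Keep the currently installed files so that the restore itself can be undone.
    stamp=$(date +%Y%m%d%H%M%S)
    [ -f "$keyfile" ] && cp "$keyfile" "$keyfile.$stamp"
    [ -f "$crtfile" ] && cp "$crtfile" "$crtfile.$stamp"

    # The private key must stay readable by root only; the certificate is public.
    printf '%s\n' "$key" > "$keyfile" && chmod 600 "$keyfile" || return 3
    printf '%s\n' "$crt" > "$crtfile" && chmod 644 "$crtfile" || return 3
    echo "restored $keyfile and $crtfile from $bak (previous copies saved with suffix .$stamp)"
}
```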

Customizing Hosts with the Security Profile


You can customize many of the essential security settings for your host through the Security
Profile, Services, and Firewall panels available in the vSphere Client. The Security Profile is
especially useful for single host management. If you are managing multiple hosts, consider using
one of the CLIs or SDKs and automating the customization.

ESXi Firewall Configuration


ESXi includes a firewall that is enabled by default.

At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except
traffic for services that are enabled in the host's security profile.

As you open ports on the firewall, consider that unrestricted access to services running on an
ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by
configuring the ESXi firewall to enable access only from authorized networks.

Note The firewall also allows Internet Control Message Protocol (ICMP) pings and
communication with DHCP and DNS (UDP only) clients.

You can manage ESXi firewall ports as follows:

n Use Configure > Firewall for each host in the vSphere Client. See Manage ESXi Firewall
Settings.

n Use ESXCLI commands from the command line or in scripts. See ESXi ESXCLI Firewall
Commands.

n Use a custom VIB if the port you want to open is not included in the security profile.

You create custom VIBs with the VIB Author tool available from VMware Labs. To
install the custom VIB, you have to change the acceptance level of the ESXi host to
CommunitySupported.

Note If you engage VMware Technical Support to investigate a problem on an ESXi host
with a CommunitySupported VIB installed, VMware Support might request you to uninstall
this VIB. Such a request is a troubleshooting step to determine if that VIB is related to the
problem being investigated.

(ESXi Firewall Concepts)

The behavior of the NFS Client rule set (nfsClient) is different from other rule sets. When the
NFS Client rule set is enabled, all outbound TCP ports are open for the destination hosts in the list
of allowed IP addresses. See NFS Client Firewall Behavior for more information.

Manage ESXi Firewall Settings


You can configure incoming and outgoing firewall connections for a service or a management
agent from the vSphere Client, the vSphere Web Client, or at the command line.

Note If different services have overlapping port rules, enabling one service might implicitly
enable other services. You can specify which IP addresses are allowed to access each service on
the host to avoid this problem.

Procedure

1 Browse to the host in the inventory.

2 Navigate to the Firewall section.

Option Description

vSphere Client
a Click Configure.
b Under System, click Firewall.

vSphere Web Client
a Click Configure.
b Under System, click Security Profile.
c If necessary, scroll to the Firewall section.

The display shows a list of active incoming and outgoing connections with the corresponding
firewall ports.

3 In the Firewall section, click Edit.

The display shows firewall rule sets, which include the name of the rule and the associated
information.

4 Select the rule sets to enable, or deselect the rule sets to disable.

5 For some services, you can also manage service details.

Option Description

vSphere Client Manage service details by navigating to Configure > Services under System.

vSphere Web Client In the Service Details section, you can:
n Use the Start, Stop, or Restart buttons to change the status of a service temporarily.
n Change the Startup Policy to have the service start with the host or with port usage.

For more information about starting, stopping, and restarting services, see Enable or Disable
a Service.

6 For some services, you can explicitly specify IP addresses from which connections are
allowed.

See Add Allowed IP Addresses for an ESXi Host.

7 Click OK.

Add Allowed IP Addresses for an ESXi Host


By default, the firewall for each service allows access to all IP addresses. To restrict traffic,
change each service to allow traffic only from your management subnet. You might also deselect
some services if your environment does not use them.

You can use the vSphere Client, vSphere Web Client, vCLI, or PowerCLI to update the Allowed IP
list for a service. This task describes how to use either the vSphere Client or the vSphere Web
Client. For instructions on using the vCLI, see the topic on managing the firewall in vSphere
Command-Line Interface Concepts and Examples at https://code.vmware.com/.

(Adding Allowed IP Addresses to the ESXi Firewall)

Procedure

1 Browse to the host in the inventory.

2 Navigate to the Firewall section.

Option Description

vSphere Client
a Click Configure.
b Under System, click Firewall.

vSphere Web Client
a Click Configure.
b Under System, click Security Profile.
c If necessary, scroll to the Firewall section.

3 In the Firewall section, click Edit and select a service from the list.

4 In the Allowed IP Addresses section, deselect Allow connections from any IP address and
enter the IP addresses of networks that are allowed to connect to the host.

Separate IP addresses with commas. You can use the following address formats:

n 192.168.0.0/24

n 192.168.1.2, 2001::1/64

n fd3e:29a6:0a81:e478::/64

5 Click OK.

Incoming and Outgoing Firewall Ports for ESXi Hosts


The vSphere Client, vSphere Web Client, and VMware Host Client allow you to open and close
firewall ports for each service or to allow traffic from selected IP addresses.

ESXi includes a firewall that is enabled by default. At installation time, the ESXi firewall is
configured to block incoming and outgoing traffic, except traffic for services that are enabled
in the host's security profile. For the list of supported ports and protocols in the ESXi firewall, see
the VMware Ports and Protocols Tool™ at https://ports.vmware.com/.

The VMware Ports and Protocols Tool lists port information for services that are installed by
default. If you install other VIBs on your host, additional services and firewall ports might become
available. The information is primarily for services that are visible in the vSphere Client and
vSphere Web Client but the VMware Ports and Protocols Tool includes some other ports as well.

NFS Client Firewall Behavior


The NFS Client firewall rule set behaves differently than other ESXi firewall rule sets. ESXi
configures NFS Client settings when you mount or unmount an NFS datastore. The behavior
differs for different versions of NFS.

When you add, mount, or unmount an NFS datastore, the resulting behavior depends on the
version of NFS.

NFS v3 Firewall Behavior


When you add or mount an NFS v3 datastore, ESXi checks the state of the NFS Client
(nfsClient) firewall rule set.

n If the nfsClient rule set is disabled, ESXi enables the rule set and disables the Allow All IP
Addresses policy by setting the allowedAll flag to FALSE. The IP address of the NFS server
is added to the allowed list of outgoing IP addresses.

n If the nfsClient rule set is enabled, the state of the rule set and the allowed IP address
policy are not changed. The IP address of the NFS server is added to the allowed list of
outgoing IP addresses.

Note If you manually enable the nfsClient rule set or manually set the Allow All IP Addresses
policy, either before or after you add an NFS v3 datastore to the system, your settings are
overridden when the last NFS v3 datastore is unmounted. The nfsClient rule set is disabled
when all NFS v3 datastores are unmounted.

When you remove or unmount an NFS v3 datastore, ESXi performs one of the following actions.

n If none of the remaining NFS v3 datastores are mounted from the server of the datastore
being unmounted, ESXi removes the server's IP address from the list of outgoing IP
addresses.

n If no mounted NFS v3 datastores remain after the unmount operation, ESXi disables the
nfsClient firewall rule set.

NFS v4.1 Firewall Behavior


When you mount the first NFS v4.1 datastore, ESXi enables the nfs41client rule set and sets its
allowedAll flag to TRUE. This action opens port 2049 for all IP addresses. Unmounting an NFS
v4.1 datastore does not affect the firewall state. That is, the first NFS v4.1 mount opens port 2049
and that port remains enabled unless you close it explicitly.

ESXi ESXCLI Firewall Commands


If your environment includes multiple ESXi hosts, automating firewall configuration by using
ESXCLI commands or the vSphere Web Services SDK is recommended.

Firewall Command Reference


You can use the ESXi Shell or vSphere CLI commands to configure ESXi at the command line to
automate firewall configuration. See Getting Started with ESXCLI for an introduction, and vSphere
Command-Line Interface Concepts and Examples for examples of using ESXCLI to manipulate
firewalls and firewall rules. See VMware Knowledge Base article 2008226 for information about
creating custom firewall rules.

Table 3-4. Firewall Commands

Command Description

esxcli network firewall get Returns the enabled or disabled status of the firewall and lists the default actions.

esxcli network firewall set --default-action Set to true to set the default action to pass. Set to false to set the default action to drop.

esxcli network firewall set --enabled Enables or disables the ESXi firewall.

esxcli network firewall load Loads the firewall module and rule set configuration files.

esxcli network firewall refresh Refreshes the firewall configuration by reading the rule set files if the firewall module is loaded.

esxcli network firewall unload Destroys filters and unloads the firewall module.

esxcli network firewall ruleset list Lists rule set information.

esxcli network firewall ruleset set --allowed-all Set to true to allow all access to all IPs. Set to false to use a list of allowed IP addresses.

esxcli network firewall ruleset set --enabled --ruleset-id=<string> Set enabled to true to enable the specified rule set. Set enabled to false to disable the specified rule set.

esxcli network firewall ruleset allowedip list Lists the allowed IP addresses of the specified rule set.

esxcli network firewall ruleset allowedip add Allows access to the rule set from the specified IP address or range of IP addresses.

esxcli network firewall ruleset allowedip remove Removes access to the rule set from the specified IP address or range of IP addresses.

esxcli network firewall ruleset rule list Lists the rules of each rule set in the firewall.

Firewall Command Examples


The following examples are from a blog post on virtuallyGhetto.

1 Verify a new rule set called virtuallyGhetto.

esxcli network firewall ruleset rule list | grep virtuallyGhetto

2 Specify the IP addresses or IP ranges that can access a particular service. The following example
disables the allow all option and specifies a particular range for the virtuallyGhetto service.

esxcli network firewall ruleset set --allowed-all false --ruleset-id=virtuallyGhetto
esxcli network firewall ruleset allowedip add --ip-address=172.30.0.0/24 --ruleset-id=virtuallyGhetto
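Added example, not from the guide or from the virtuallyGhetto post: a POSIX shell function that applies the ESXCLI commands from Table 3-4 the way the example above does, restricting a rule set to an explicit list of networks, but first checks every entry against the address formats accepted in Add Allowed IP Addresses for an ESXi Host, so that a malformed entry stops the script before the host is changed. The ESXCLI variable is this script's own convention for pointing it at a remote esxcli invocation; it is not part of ESXCLI.

```shell
#!/bin/sh
# Added example (not from the vSphere Security guide): restrict an ESXi firewall rule set
# to an explicit list of networks with the ESXCLI commands from Table 3-4, validating the
# addresses first so a malformed entry stops the script before the host is changed.
# ESXCLI is this script's own convention: leave it unset on the ESXi Shell, or set it to
# a remote invocation such as ESXCLI="esxcli --server esx01.example.com" elsewhere.
ESXCLI="${ESXCLI:-esxcli}"

# valid_network ADDRESS
# Accepts the forms the guide lists for the allowed IP list: an IPv4 address or CIDR
# range (prefix 0-32) and an IPv6 address or CIDR range (prefix 0-128). Only the syntax
# is checked; ESXCLI still has the final say. Returns 0 if acceptable, 1 otherwise.
valid_network() {
    net="$1"
    addr="${net%%/*}"
    case "$net" in
        */*) pfx="${net#*/}"; has_pfx=1 ;;
        *)   pfx=""; has_pfx=0 ;;
    esac
    case "$addr" in
        *:*)
            # IPv6: hex digits and colons only
            case "$addr" in *[!0-9A-Fa-f:]*) return 1 ;; esac
            maxpfx=128 ;;
        *)
            # IPv4: exactly four decimal octets, each 0-255
            count=0; rest="$addr."
            while [ -n "$rest" ]; do
                octet="${rest%%.*}"; rest="${rest#*.}"
                case "$octet" in ""|*[!0-9]*) return 1 ;; esac
                [ "$octet" -le 255 ] || return 1
                count=$((count + 1))
            done
            [ "$count" -eq 4 ] || return 1
            maxpfx=32 ;;
    esac
    [ "$has_pfx" -eq 0 ] && return 0
    case "$pfx" in ""|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le "$maxpfx" ]
}

# restrict_ruleset RULESET_ID NETWORK...
# Turns off "allow all" for the rule set and allows only the given networks, then lists
# the result. Returns 1 on a bad argument (host untouched), 2 if an ESXCLI call fails.
restrict_ruleset() {
    rs="$1"; shift
    [ -n "$rs" ] && [ $# -gt 0 ] || {
        echo "usage: restrict_ruleset RULESET_ID NETWORK..." >&2; return 1; }
    for net in "$@"; do
        valid_network "$net" || {
            echo "restrict_ruleset: '$net' is not an accepted address or range" >&2; return 1; }
    done
    $ESXCLI network firewall ruleset set --allowed-all false --ruleset-id="$rs" || return 2
    for net in "$@"; do
        $ESXCLI network firewall ruleset allowedip add --ip-address="$net" --ruleset-id="$rs" \
            || return 2
    done
    $ESXCLI network firewall ruleset allowedip list --ruleset-id="$rs"
}

# Sample call matching the guide's example (rule set name and range are from the page):
# restrict_ruleset virtuallyGhetto 172.30.0.0/24
```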

Customizing ESXi Services from the Security Profile


An ESXi host includes several services that are running by default. You can disable services from
the security profile, or enable services if your company policy allows it.

Enable or Disable a Service is an example of how to enable a service.

Note Enabling services affects the security of your host. Do not enable a service unless strictly
necessary.

Available services depend on the VIBs that are installed on the ESXi host. You cannot add
services without installing a VIB. Some VMware products, for example, vSphere HA, install VIBs
on hosts and make services and the corresponding firewall ports available.

In a default installation, you can modify the status of the following services from the vSphere
Client.

Table 3-5. ESXi Services in the Security Profile

Service Default Description

Direct Console UI Running The Direct Console User Interface (DCUI) service allows you to interact with an ESXi host from the local console host using text-based menus.

ESXi Shell Stopped The ESXi Shell is available from the Direct Console User Interface and includes a set of fully supported commands and a set of commands for troubleshooting and remediation. You must enable access to the ESXi Shell from the direct console of each system. You can enable access to the local ESXi Shell or access to the ESXi Shell with SSH.

SSH Stopped The host's SSH client service that allows remote connections through Secure Shell.

Load-Based Teaming Daemon Running Load-Based Teaming.

Active Directory Service Stopped When you configure ESXi for Active Directory, this service is started.

NTP Daemon Stopped Network Time Protocol daemon.

PC/SC Smart Card Daemon Stopped When you enable the host for smart card authentication, this service starts. See Configuring Smart Card Authentication for ESXi.

CIM Server Running Service that can be used by Common Information Model (CIM) applications.

SNMP Server Stopped SNMP daemon. See vSphere Monitoring and Performance for information on configuring SNMP v1, v2, and v3.

Syslog Server Stopped Syslog daemon. You can enable syslog from the Advanced System Settings in the vSphere Client. See vCenter Server Installation and Setup.

VMware vCenter Agent Running vCenter Server agent. Allows a vCenter Server to connect to an ESXi host. Specifically, vpxa is the communication conduit to the host daemon, which in turn communicates with the ESXi kernel.

X.Org Server Stopped X.Org Server. This optional feature is used internally for 3D graphics for virtual machines.

Enable or Disable a Service


You can enable or disable services from either the vSphere Client or the vSphere Web Client.

After installation, certain services are running by default, while others are stopped. Sometimes,
additional setup is necessary before a service becomes available in the UI. For example, the NTP
service is a way of getting accurate time information, but this service only works when required
ports are opened in the firewall.

Prerequisites

Connect to vCenter Server with either the vSphere Client or the vSphere Web Client.

Procedure

1 Browse to a host in the inventory.

2 Navigate to the services section.

Option Description

vSphere Client
a Click Configure.
b Under System, click Services.

vSphere Web Client
a Click Configure.
b Under System, click Security Profile.

3 Manage services.

Option Description

vSphere Client
a Select the service you want to change.
b Select Restart, Start, or Stop for a one-time change to the host's status.
c To change the status of the host across reboots, click Edit Startup Policy and select a policy.

vSphere Web Client
a Click Edit.
b Scroll to the service that you want to change.
c In the Service Details pane, select Start, Stop, or Restart for a one-time change to the host's status.
d To change the status of the host across reboots, select a policy from the Startup Policy menu.

n Start and stop with host: The service starts shortly after the host starts, and closes
shortly before the host shuts down. Much like Start and stop with port usage, this
option means that the service regularly attempts to complete its tasks, such as contacting
the specified NTP server. If the port was closed but is later opened, the client begins
completing its tasks shortly thereafter.

n Start and stop manually: The host preserves the user-determined service settings,
regardless of whether ports are open or not. When a user starts the NTP service, that
service is kept running if the host is powered on. If the service is started and the host is
powered off, the service is stopped as part of the shutdown process, but as soon as the
host is powered on, the service is started again, preserving the user-determined state.

n Start and stop with port usage: The default setting for these services. If any port is open,
the client attempts to contact the network resources for the service. If some ports are
open, but the port for a particular service is closed, the attempt fails. If and when the
applicable outgoing port is opened, the service begins completing its startup.

Note These settings apply only to service settings that are configured through the UI or
to applications that are created with the vSphere Web Services SDK. Configurations made
through other means, such as from the ESXi Shell or with configuration files, are not affected
by these settings.

4 Click OK.

Lockdown Mode
To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown
mode, operations must be performed through vCenter Server by default.

Starting with vSphere 6.0, you can select normal lockdown mode or strict lockdown mode,
which offer different degrees of lockdown. vSphere 6.0 also introduces the Exception User list.
Exception users do not lose their privileges when the host enters lockdown mode. Use the
Exception User list to add the accounts of third-party solutions and external applications that
need to access the host directly when the host is in lockdown mode. See Specify Lockdown
Mode Exception Users.

(Lockdown Mode in vSphere 6)

Lockdown Mode Behavior


In lockdown mode, some services are disabled, and some services are accessible only to certain
users.

Lockdown Mode Services for Different Users


When the host is running, available services depend on whether lockdown mode is enabled, and
on the type of lockdown mode.

n In strict and normal lockdown mode, privileged users can access the host through vCenter
Server, from the vSphere Client or the vSphere Web Client, or by using the vSphere Web
Services SDK.

n Direct Console Interface behavior differs for strict lockdown mode and normal lockdown
mode.

n In strict lockdown mode, the Direct Console User Interface (DCUI) service is disabled.

n In normal lockdown mode, accounts on the Exception User list can access the DCUI
if they have administrator privileges. In addition, all users who are specified in the
DCUI.Access advanced system setting can access the DCUI.

n If the ESXi Shell or SSH is enabled and the host is placed in lockdown mode, accounts on the
Exception Users list who have administrator privileges can use these services. For all other
users, ESXi Shell or SSH access is disabled. Starting with vSphere 6.0, ESXi Shell or SSH
sessions for users who do not have administrator privileges are closed.

All access is logged for both strict and normal lockdown mode.

Table 3-6. Lockdown Mode Behavior

Service: vSphere Web Services API
Normal Mode: All users, based on permissions
Normal Lockdown Mode: vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available)
Strict Lockdown Mode: vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available)

Service: CIM Providers
Normal Mode: Users with administrator privileges on the host
Normal Lockdown Mode: vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available)
Strict Lockdown Mode: vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available)

Service: Direct Console UI (DCUI)
Normal Mode: Users with administrator privileges on the host, and users in the DCUI.Access advanced option
Normal Lockdown Mode: Users defined in the DCUI.Access advanced option; Exception users with administrator privileges on the host
Strict Lockdown Mode: DCUI service is stopped.

Service: ESXi Shell (if enabled)
Normal Mode: Users with administrator privileges on the host
Normal Lockdown Mode: Users defined in the DCUI.Access advanced option; Exception users with administrator privileges on the host
Strict Lockdown Mode: Users defined in the DCUI.Access advanced option; Exception users with administrator privileges on the host

Service: SSH (if enabled)
Normal Mode: Users with administrator privileges on the host
Normal Lockdown Mode: Users defined in the DCUI.Access advanced option; Exception users with administrator privileges on the host
Strict Lockdown Mode: Users defined in the DCUI.Access advanced option; Exception users with administrator privileges on the host

Users Logged in to the ESXi Shell When Lockdown Mode Is Enabled


Users might log in to the ESXi Shell or access the host through SSH before lockdown mode is
enabled. In that case, users who are on the list of Exception Users and who have administrator
privileges on the host remain logged in. Starting with vSphere 6.0, the session is closed for all
other users. Termination applies to both normal and strict lockdown mode.

Enable Lockdown Mode


Enable lockdown mode to require that all configuration changes go through vCenter Server.
vSphere 6.0 and later supports normal lockdown mode and strict lockdown mode.

If you want to disallow all direct access to a host completely, you can select strict lockdown
mode. Strict lockdown mode makes it impossible to access a host if the vCenter Server is
unavailable and SSH and the ESXi Shell are disabled. See Lockdown Mode Behavior.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, select Security Profile.

4 In the Lockdown Mode panel, click Edit.

5 Click Lockdown Mode and select one of the lockdown mode options.

Option Description

Normal The host can be accessed through vCenter Server. Only users who are on the Exception Users list and have administrator privileges can log in to the Direct Console User Interface. If SSH or the ESXi Shell is enabled, access might be possible.

Strict The host can only be accessed through vCenter Server. If SSH or the ESXi Shell is enabled, running sessions for accounts in the DCUI.Access advanced option and for Exception User accounts that have administrator privileges remain enabled. All other sessions are closed.

6 Click OK.

Disable Lockdown Mode


Disable lockdown mode to allow configuration changes from direct connections to the ESXi host.
Leaving lockdown mode enabled results in a more secure environment.

In vSphere 6.0 you can disable lockdown mode as follows:

From the Graphical User Interface

Users can disable both normal lockdown mode and strict lockdown mode from either the
vSphere Client or the vSphere Web Client.

From the Direct Console User Interface

Users who can access the Direct Console User Interface on the ESXi host can disable normal
lockdown mode. In strict lockdown mode, the Direct Console Interface service is stopped.

Procedure

1 Browse to a host in the vSphere Client inventory.

2 Click Configure.

3 Under System, select Security Profile.

4 In the Lockdown Mode panel, click Edit.

5 Click Lockdown Mode and select Disabled to disable lockdown mode.

6 Click OK.

Results

The system exits lockdown mode, vCenter Server displays an alarm, and an entry is added to the
audit log.

Enable or Disable Normal Lockdown Mode from the Direct Console User
Interface
You can enable and disable normal lockdown mode from the Direct Console User Interface
(DCUI). You can enable and disable strict lockdown mode only from the vSphere Client or the
vSphere Web Client.

When the host is in normal lockdown mode, the following accounts can access the Direct
Console User Interface:

n Accounts in the Exception Users list who have administrator privileges on the host. The
Exception Users list is meant for service accounts such as a backup agent.

n Users defined in the DCUI.Access advanced option for the host. This option can be used to
enable access in case of catastrophic failure.

For ESXi 6.0 and later, user permissions are preserved when you enable lockdown mode. User
permissions are restored when you disable lockdown mode from the Direct Console Interface.

Note If you upgrade a host that is in lockdown mode to ESXi version 6.0 without exiting
lockdown mode, and if you exit lockdown mode after the upgrade, all permissions defined
before the host entered lockdown mode are lost. The system assigns the administrator role to
all users who are found in the DCUI.Access advanced option to guarantee that the host remains
accessible.

To retain permissions, disable lockdown mode for the host from either the vSphere Client or the
vSphere Web Client before the upgrade.

Procedure

1 At the Direct Console User Interface of the host, press F2 and log in.

2 Scroll to the Configure Lockdown Mode setting and press Enter to toggle the current setting.

3 Press Esc until you return to the main menu of the Direct Console User Interface.

Specifying Accounts with Access Privileges in Lockdown Mode


You can specify service accounts that can access the ESXi host directly by adding them to the
Exception Users list. You can specify a single user who can access the ESXi host in a catastrophic
vCenter Server failure.

The vSphere version determines what different accounts can do by default when lockdown
mode is enabled, and how you can change the default behavior.

n In vSphere 5.0 and earlier, only the root user can log in to the Direct Console User Interface
on an ESXi host that is in lockdown mode.

n In vSphere 5.1 and later, you can add a user to the DCUI.Access advanced system setting for
each host. The option is meant for a catastrophic failure of vCenter Server. Companies usually
lock the password for the user with this access into a safe. A user in the DCUI.Access list does
not need to have full administrative privileges on the host.

n In vSphere 6.0 and later, the DCUI.Access advanced system setting is still supported. In
addition, vSphere 6.0 and later supports an Exception User list, which is for service accounts
that have to log in to the host directly. Accounts with administrator privileges that are on the
Exception Users list can log in to the ESXi Shell. In addition, those users can log in to a host's
DCUI in normal lockdown mode and can exit lockdown mode.

You specify Exception Users from either the vSphere Client or the vSphere Web Client.

Note Exception users are host local users or Active Directory users with privileges defined
locally for the ESXi host. Users that are members of an Active Directory group lose their
permissions when the host is in lockdown mode.

Add Users to the DCUI.Access Advanced Option


If there is a catastrophic failure, the DCUI.Access advanced option allows you to exit lockdown
mode when you cannot access the host from vCenter Server. You add users to the list by editing
the Advanced Settings for the host from the vSphere Client.

Note Users in the DCUI.Access list can change lockdown mode settings regardless of their
privileges. The ability to change lockdown modes can impact the security of your host. For
service accounts that need direct access to the host, consider adding users to the Exception
Users list instead. Exception users can only perform tasks for which they have privileges. See
Specify Lockdown Mode Exception Users.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, click Advanced System Settings, and click Edit.

4 Filter for DCUI.

5 In the DCUI.Access text box, enter the local ESXi user names, separated by commas.

By default, the root user is included. Consider removing the root user from the DCUI.Access
list, and specifying a named account for better auditability.

6 Click OK.

Specify Lockdown Mode Exception Users


You can add users to the Exception Users list from the vSphere Client. These users do not lose
their permissions when the host enters lockdown mode. It makes sense to add service accounts
such as a backup agent to the Exception Users list.

Exception users do not lose their privileges when the host enters lockdown mode. Usually
these accounts represent third-party solutions and external applications that need to continue
to function in lockdown mode.

Note The Exception Users list is meant for service accounts that perform very specific tasks,
and not for administrators. Adding administrator users to the Exception Users list defeats the
purpose of lockdown mode.

Exception users are host local users or Active Directory users with privileges defined locally for
the ESXi host. They are not members of an Active Directory group and are not vCenter Server
users. These users are allowed to perform operations on the host based on their privileges. That
means, for example, that a read-only user cannot disable lockdown mode on a host.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, select Security Profile.

4 In the Lockdown Mode panel, click Edit.

5 Click Exception Users and click the Add User icon to add exception users.

Manage the Acceptance Levels of Hosts and VIBs


The acceptance level of a VIB depends on the amount of certification of that VIB. The
acceptance level of the host depends on the level of the lowest VIB. You can change
the acceptance level of the host if you want to allow lower-level VIBs. You can remove
CommunitySupported VIBs to be able to change the host acceptance level.

VIBs are software packages that include a signature from VMware or a VMware partner.
To protect the integrity of the ESXi host, do not allow users to install unsigned (community-
supported) VIBs. An unsigned VIB contains code that is not certified by, accepted by, or
supported by VMware or its partners. Community-supported VIBs do not have a digital signature.

The host's acceptance level must be the same or less restrictive than the acceptance level of any
VIB you want to add to the host. For example, if the host acceptance level is VMwareAccepted,
you cannot install VIBs at the PartnerSupported level. You can use ESXCLI commands to set an
acceptance level for a host. To protect the security and integrity of your ESXi hosts, do not allow
unsigned (CommunitySupported) VIBs to be installed on hosts in production systems.

The acceptance level for an ESXi host is displayed in the Security Profile in the vSphere Client.

The following acceptance levels are supported.

VMwareCertified

The VMwareCertified acceptance level has the most stringent requirements. VIBs with this
level go through thorough testing fully equivalent to VMware in-house Quality Assurance
testing for the same technology. Today, only I/O Vendor Program (IOVP) drivers are
published at this level. VMware takes support calls for VIBs with this acceptance level.

VMwareAccepted

VIBs with this acceptance level go through verification testing, but the tests do not fully
test every function of the software. The partner runs the tests and VMware verifies the
result. Today, CIM providers and PSA plug-ins are among the VIBs published at this level.
VMware directs customers with support calls for VIBs with this acceptance level to contact
the partner's support organization.

PartnerSupported

VIBs with the PartnerSupported acceptance level are published by a partner that VMware
trusts. The partner performs all testing. VMware does not verify the results. This level is used
for a new or nonmainstream technology that partners want to enable for VMware systems.
Today, driver VIB technologies such as Infiniband, ATAoE, and SSD are at this level with
nonstandard hardware drivers. VMware directs customers with support calls for VIBs with
this acceptance level to contact the partner's support organization.

CommunitySupported

The CommunitySupported acceptance level is for VIBs created by individuals or companies
outside of VMware partner programs. VIBs at this level have not gone through any VMware-
approved testing program and are not supported by VMware Technical Support or by a
VMware partner.

Procedure

1 Connect to each ESXi host and verify that the acceptance level is set to VMwareCertified,
VMwareAccepted, or PartnerSupported by running the following command.

esxcli software acceptance get

2 If the host acceptance level is CommunitySupported, determine whether any of the VIBs are
at the CommunitySupported level by running the following commands.

esxcli software vib list


esxcli software vib get -n vibname

3 Remove any CommunitySupported VIBs by running the following command.

esxcli software vib remove --vibname vib

4 Change the acceptance level of the host by using one of the following methods.

CLI command
    esxcli software acceptance set --level level

    The level parameter is required and specifies the acceptance level to set.
    It must be one of VMwareCertified, VMwareAccepted, PartnerSupported,
    or CommunitySupported. See ESXCLI Reference for more information.

vSphere Client
    a Select a host in the inventory.
    b Click Configure.
    c Under System, select Security Profile.
    d Click Edit for Host Image Profile Acceptance Level and choose the
      acceptance level.

Results

The new acceptance level is in effect.

Note ESXi conducts integrity checks of VIBs governed by the Acceptance Level. You can
use the VMkernel.Boot.execInstalledOnly setting to instruct ESXi to only execute binaries that
originate from a valid VIB installed on the host. Combined with Secure Boot, this setting ensures
that every single process ever run on an ESXi host is signed, allowed, and expected. Enabling this
setting when possible improves security. For more information on configuring advanced options
for ESXi, see the VMware knowledge base article at https://kb.vmware.com/kb/1038578.
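The ordering that the procedure above relies on (a host level must be the same or less restrictive than every VIB it carries, and the host can be raised no higher than its least-certified VIB) can be checked mechanically before you change anything on a host. The following shell script is an added example, not part of the vSphere documentation or of ESXCLI: it ranks the four acceptance levels, tests whether a host level admits a VIB, and lists the VIBs that must be removed before a stricter host level can be set. The VIB listing embedded in it is a constructed sample in the column layout of esxcli software vib list; the VIB names, versions and vendors are placeholders.

```shell
#!/bin/sh
# Added example (not from the vSphere documentation or from ESXCLI): audit VIB
# acceptance levels against a target host acceptance level. Needs only POSIX sh
# and awk. The listing below is a constructed sample in the column layout of
# "esxcli software vib list"; on a host, pipe the real command output instead.
set -eu

SAMPLE_VIB_LIST='Name            Version            Vendor  Acceptance Level    Install Date
--------------  -----------------  ------  ------------------  ------------
esx-base        6.7.0-2.48.1       VMW     VMwareCertified     2019-04-10
nfnic           4.0.0.29-0vmw      VMW     VMwareCertified     2019-04-10
example-cim     1.2.3-4            ACME    VMwareAccepted      2019-05-01
example-driver  0.9-1              ACME    PartnerSupported    2019-05-01
homebrew-tool   0.1-1              NONE    CommunitySupported  2019-06-15'

# Numeric rank of an acceptance level: higher means more certification required.
level_rank() {
  case "$1" in
    VMwareCertified)    echo 4 ;;
    VMwareAccepted)     echo 3 ;;
    PartnerSupported)   echo 2 ;;
    CommunitySupported) echo 1 ;;
    *) echo "unknown acceptance level: $1" >&2; return 1 ;;
  esac
}

# Inverse of level_rank.
rank_level() {
  case "$1" in
    4) echo VMwareCertified ;;
    3) echo VMwareAccepted ;;
    2) echo PartnerSupported ;;
    1) echo CommunitySupported ;;
    *) echo "unknown rank: $1" >&2; return 1 ;;
  esac
}

# Succeeds when a VIB at level $2 may be installed on a host at level $1:
# the host level must be the same or less restrictive than the VIB level.
vib_allowed() {
  [ "$(level_rank "$1")" -le "$(level_rank "$2")" ]
}

# Reads a VIB listing on stdin and prints "name level" for every VIB whose level
# is below host level $1. Exit status 0 means the host may be set to that level;
# 1 means the printed VIBs must be removed first.
vibs_below_level() {
  host_rank=$(level_rank "$1")
  rows=$(awk 'NR > 2 && NF >= 4 { print $1, $4 }')   # skip header and rule lines
  found=0
  while read -r name level; do
    [ -n "$name" ] || continue
    if [ "$(level_rank "$level")" -lt "$host_rank" ]; then
      echo "$name $level"
      found=1
    fi
  done <<EOF
$rows
EOF
  return $found
}

# Reads a VIB listing on stdin and prints the level of the least-certified VIB,
# which is the strictest acceptance level the host can currently be set to.
lowest_vib_level() {
  min=4
  for level in $(awk 'NR > 2 && NF >= 4 { print $4 }'); do
    r=$(level_rank "$level")
    [ "$r" -lt "$min" ] && min=$r
  done
  rank_level "$min"
}

# Stand-alone run against the constructed sample.
echo "$SAMPLE_VIB_LIST" | vibs_below_level PartnerSupported \
  || echo "remove the VIBs above before raising the host acceptance level"
echo "host can currently be set to at most: $(echo "$SAMPLE_VIB_LIST" | lowest_vib_level)"
```

On a host, pipe the real listing into the functions, for example esxcli software vib list | vibs_below_level PartnerSupported; a non-zero exit status with the offending VIBs printed is the signal to run step 3 before step 4.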

Assigning Privileges for ESXi Hosts


Usually, you give privileges to users by assigning permissions to ESXi host objects that are
managed by a vCenter Server system. If you are using a standalone ESXi host, you can assign
privileges directly.

Assigning Permissions to ESXi Hosts That Are Managed by vCenter Server


If your ESXi host is managed by a vCenter Server, perform management tasks through the
vSphere Client.

You can select the ESXi host object in the vCenter Server object hierarchy and assign
the administrator role to a limited number of users. Those users can then perform direct
management on the ESXi host. See Using Roles to Assign Privileges.

Best practice is to create at least one named user account, assign it full administrative privileges
on the host, and use this account instead of the root account. Set a highly complex password for
the root account and limit the use of the root account. Do not remove the root account.

Assigning Permissions to Standalone ESXi Hosts


You can add local users and define custom roles from the Management tab of the VMware Host
Client. See the vSphere Single Host Management - VMware Host Client documentation.

For all versions of ESXi, you can see the list of predefined users in the /etc/passwd file.

The following roles are predefined.

Read Only

Allows a user to view objects associated with the ESXi host but not to make any changes to
objects.

Administrator

Allows a user to perform all operations on the ESXi host.

No Access

No access. This role is the default role. You can override the default role.

You can manage local users and groups and add local custom roles to an ESXi host using
a VMware Host Client connected directly to the ESXi host. See the vSphere Single Host
Management - VMware Host Client documentation.

Starting with vSphere 6.0, you can use ESXCLI account management commands for managing
ESXi local user accounts. You can use ESXCLI permission management commands for setting or
removing permissions on both Active Directory accounts (users and groups) and on ESXi local
accounts (users only).

Note If you define a user for the ESXi host by connecting to the host directly, and a user with
the same name also exists in vCenter Server, those users are different. If you assign a role to the
ESXi user, the vCenter Server user is not assigned the same role.
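The best practice stated above, a named account with Administrator privileges in addition to root, can be verified from the same ESXCLI permission output the text refers to. The following shell script is an added example, not part of the vSphere documentation: it reads the tabular output of esxcli system permission list and reports the named (non-built-in) user principals that hold the Admin role, failing when only root, vpxuser and dcui do. Both listings it contains are constructed samples in that command's column layout; the principal names esxadmin and backupsvc are placeholders.

```shell
#!/bin/sh
# Added example (not from the vSphere documentation): check that an ESXi host has
# at least one named administrator besides the built-in root, vpxuser and dcui
# principals. The two listings below are constructed samples in the column layout
# of "esxcli system permission list"; on a host, pipe the real output instead.
set -eu

# Built-in principals that always hold Admin and do not count as named accounts.
BUILTIN_ADMINS="root vpxuser dcui"

SAMPLE_PERMS_OK='Principal  Is Group  Role      Role Description
---------  --------  --------  --------------------------------------------
dcui       false     Admin     Full access rights
root       false     Admin     Full access rights
vpxuser    false     Admin     Full access rights
esxadmin   false     Admin     Full access rights
backupsvc  false     ReadOnly  See details of objects, but not make changes'

SAMPLE_PERMS_ROOT_ONLY='Principal  Is Group  Role   Role Description
---------  --------  -----  ------------------
dcui       false     Admin  Full access rights
root       false     Admin  Full access rights
vpxuser    false     Admin  Full access rights'

# Succeeds when principal $1 is one of the built-in accounts.
is_builtin() {
  for b in $BUILTIN_ADMINS; do
    [ "$1" = "$b" ] && return 0
  done
  return 1
}

# Reads a permission listing on stdin and prints the named user principals that
# hold the Admin role, one per line. Groups ("Is Group" = true) are skipped:
# Active Directory group members lose their permissions in lockdown mode, so a
# group does not satisfy the named-account recommendation.
named_admins() {
  awk 'NR > 2 && NF >= 3 && $2 == "false" && $3 == "Admin" { print $1 }' |
  while read -r principal; do
    is_builtin "$principal" || echo "$principal"
  done
}

# Succeeds when at least one named Admin account exists; otherwise prints a
# finding on stderr and fails.
has_named_admin() {
  if [ -z "$(named_admins)" ]; then
    echo "FINDING: only built-in accounts hold Admin; create a named administrator" >&2
    return 1
  fi
}

# Stand-alone run against both constructed samples.
echo "$SAMPLE_PERMS_OK" | has_named_admin && echo "ok: named admin present"
echo "$SAMPLE_PERMS_ROOT_ONLY" | has_named_admin || echo "host needs a named admin account"
```

On a host, esxcli system permission list | has_named_admin gives the same verdict; the same output also shows any Active Directory groups holding Admin, which the script deliberately does not count.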

Predefined Privileges

If your environment does not include a vCenter Server system, the following users are
predefined.

root User

By default each ESXi host has a single root user account with the Administrator role. That
root user account can be used for local administration and to connect the host to vCenter
Server.

Assigning root user privileges can make it easier to break into an ESXi host because the name
is already known. Having a common root account also makes it harder to match actions to
users.

For better auditing, create individual accounts with Administrator privileges. Set a highly
complex password for the root account and limit the use of the root account, for example,
for use when adding a host to vCenter Server. Do not remove the root account. For more
information about assigning permissions to a user for an ESXi host, see vSphere Single Host
Management - VMware Host Client documentation.

Best practice is to ensure that any account with the Administrator role on an ESXi host is
assigned to a specific user with a named account. Use ESXi Active Directory capabilities,
which allow you to manage Active Directory credentials.

Important You can remove the access privileges for the root user. However, you must
first create another permission at the root level that has a different user assigned to the
Administrator role.

vpxuser User

vCenter Server uses vpxuser privileges when managing activities for the host.

The vCenter Server administrator can perform most of the same tasks on the host as the root
user and also schedule tasks, work with templates, and so forth. However, the vCenter Server
administrator cannot directly create, delete, or edit local users and groups for hosts. Only a
user with Administrator privileges can perform these tasks directly on a host.

Note You cannot manage vpxuser using Active Directory.

Caution Do not change vpxuser in any way. Do not change its password. Do not change its
permissions. If you do so, you might experience problems when working with hosts through
vCenter Server.

dcui User

The dcui user runs on hosts and acts with Administrator rights. This user’s primary purpose is
to configure hosts for lockdown mode from the Direct Console User Interface (DCUI).

This user acts as an agent for the direct console and cannot be modified or used by
interactive users.

Using Active Directory to Manage ESXi Users


You can configure ESXi to use a directory service such as Active Directory to manage users.

Creating local user accounts on each host presents challenges with having to synchronize
account names and passwords across multiple hosts. Join ESXi hosts to an Active Directory
domain to eliminate the need to create and maintain local user accounts. Using Active
Directory for user authentication simplifies the ESXi host configuration and reduces the risk for
configuration issues that could lead to unauthorized access.

When you use Active Directory, users supply their Active Directory credentials and the domain
name of the Active Directory server when adding a host to a domain.

Configure a Host to Use Active Directory


You can configure a host to use a directory service such as Active Directory to manage users
and groups.

When you add an ESXi host to Active Directory, the DOMAIN group ESX Admins is assigned full
administrative access to the host if it exists. If you do not want to make full administrative access
available, see VMware Knowledge Base article 1025569 for a workaround.

If a host is provisioned with Auto Deploy, Active Directory credentials cannot be stored on the
hosts. You can use the vSphere Authentication Proxy to join the host to an Active Directory
domain. Because a trust chain exists between the vSphere Authentication Proxy and the host,
the Authentication Proxy can join the host to the Active Directory domain. See Using vSphere
Authentication Proxy.

Note When you define user account settings in Active Directory, you can limit the computers
that a user can log in to by the computer name. By default, no equivalent restrictions are set on
a user account. If you set this limitation, LDAP Bind requests for the user account fail with the
message LDAP binding not successful, even if the request is from a listed computer. You
can avoid this issue by adding the netBIOS name for the Active Directory server to the list of
computers that the user account can log in to.

Prerequisites

- Verify that you have an Active Directory domain. See your directory server documentation.

- Verify that the host name of ESXi is fully qualified with the domain name of the Active
Directory forest.

fully qualified domain name = host_name.domain_name

Procedure

1 Synchronize the time between ESXi and the directory service system using NTP.

See Synchronize ESXi Clocks with a Network Time Server or the VMware Knowledge Base for
information about how to synchronize ESXi time with a Microsoft Domain Controller.

2 Ensure that the DNS servers that you configured for the host can resolve the host names for
the Active Directory controllers.

a Browse to the host in the vSphere Client inventory.

b Click Configure.

c Under Networking, click TCP/IP configuration.

d Under TCP/IP Stack: Default, click DNS and verify that the host name and DNS server
information for the host are correct.

What to do next

Join the host to a directory service domain. See Add a Host to a Directory Service Domain. For
hosts that are provisioned with Auto Deploy, set up the vSphere Authentication Proxy. See Using
vSphere Authentication Proxy. You can configure permissions so that users and groups from
the joined Active Directory domain can access the vCenter Server components. For information
about managing permissions, see Add a Permission to an Inventory Object.

Add a Host to a Directory Service Domain


To have your host use a directory service, you must join the host to the directory service domain.

You can enter the domain name in one of two ways:

- name.tld (for example, domain.com): The account is created under the default container.

- name.tld/container/path (for example, domain.com/OU1/OU2): The account is created
under a particular organizational unit (OU).

To use the vSphere Authentication Proxy service, see Using vSphere Authentication Proxy.

Procedure

1 Browse to a host in the vSphere Client inventory.

2 Click Configure.

3 Under System, select Authentication Services.

4 Click Join Domain.

5 Enter a domain.

Use the form name.tld or name.tld/container/path.

6 Enter the user name and password of a directory service user who has permissions to join the
host to the domain, and click OK.

7 (Optional) If you intend to use an authentication proxy, enter the proxy server IP address.

8 Click OK to close the Directory Services Configuration dialog box.

What to do next

You can configure permissions so that users and groups from the joined Active Directory domain
can access the vCenter Server components. For information about managing permissions, see
Add a Permission to an Inventory Object.
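The two join-string forms above and the host-name prerequisite from Configure a Host to Use Active Directory (fully qualified domain name = host_name.domain_name) can be checked before you click Join Domain. The shell functions below are an added example, not part of the vSphere documentation: they split a join string into its domain and its OU path, and test whether an ESXi host name is fully qualified under that domain, comparing case-insensitively as DNS does. All host and domain names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the vSphere documentation): parse the Join Domain string
# (name.tld or name.tld/container/path) and check the host-name prerequisite.
# Host and domain names used here are constructed placeholders.
set -eu

# Prints the Active Directory domain part of a join string.
join_domain() {
  printf '%s\n' "${1%%/*}"
}

# Prints the OU path of a join string, or an empty line when the default
# container is meant (no "/" in the string).
join_ou_path() {
  case "$1" in
    */*) printf '%s\n' "${1#*/}" ;;
    *)   printf '\n' ;;
  esac
}

# Succeeds when host name $1 is fully qualified under domain $2, that is, it has
# the form host_name.domain_name. A short name, a name in another domain, or the
# bare domain itself all fail.
host_in_domain() {
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ -n "$host" ] && [ -n "$domain" ] || return 1
  case "$host" in
    *".$domain") [ -n "${host%".$domain"}" ] ;;   # a host label must precede the domain
    *)           return 1 ;;
  esac
}

# Stand-alone run with constructed values.
JOIN_STRING="corp.example.com/Servers/ESXi"     # constructed placeholder
ESXI_HOSTNAME="esx01.corp.example.com"          # constructed placeholder
echo "domain: $(join_domain "$JOIN_STRING")  OU path: $(join_ou_path "$JOIN_STRING")"
if host_in_domain "$ESXI_HOSTNAME" "$(join_domain "$JOIN_STRING")"; then
  echo "$ESXI_HOSTNAME is fully qualified under $(join_domain "$JOIN_STRING")"
else
  echo "rename $ESXI_HOSTNAME to host_name.$(join_domain "$JOIN_STRING") before joining"
fi
```

On an ESXi host, the value to feed host_in_domain is the output of hostname -f; a short name there is the most common reason the join fails the prerequisite.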

View Directory Service Settings


You can view the type of directory server, if any, that the host uses to authenticate users and the
directory server settings.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, select Authentication Services.

The Authentication Services page displays the directory service and domain settings.

What to do next

You can configure permissions so that users and groups from the joined Active Directory domain
can access the vCenter Server components. For information about managing permissions, see
Add a Permission to an Inventory Object.

Using vSphere Authentication Proxy


You can add ESXi hosts to an Active Directory domain by using vSphere Authentication Proxy
instead of adding the hosts explicitly to the Active Directory domain.

You only have to set up the host so it knows about the domain name of the Active Directory
server and about the IP address of vSphere Authentication Proxy. When vSphere Authentication
Proxy is enabled, it automatically adds hosts that are being provisioned with Auto Deploy to the
Active Directory domain. You can also use vSphere Authentication Proxy with hosts that are not
provisioned by using Auto Deploy.

See Required Ports for vCenter Server and Platform Services Controller for information about
TCP ports used by vSphere Authentication Proxy.

Auto Deploy

If you are provisioning hosts with Auto Deploy, you can set up a reference host that points to
Authentication Proxy. You then set up a rule that applies the reference host's profile to any
ESXi host that is provisioned with Auto Deploy. vSphere Authentication Proxy stores the IP
addresses of all hosts that Auto Deploy provisions using PXE in its access control list. When
the host boots, it contacts vSphere Authentication Proxy, and vSphere Authentication Proxy
joins those hosts, which are already in its access control list, to the Active Directory domain.

Even if you use vSphere Authentication Proxy in an environment that uses certificates that
are provisioned by VMCA or third-party certificates, the process works seamlessly if you
follow the instructions for using custom certificates with Auto Deploy.

See Use Custom Certificates with Auto Deploy.

Other ESXi Hosts

You can set up other hosts to use vSphere Authentication Proxy if you want to make it
possible for the host to join the domain without using Active Directory credentials. That
means you do not need to transmit Active Directory credentials to the host, and you do not
save Active Directory credentials in the host profile.

In that case, you add the host's IP address to the vSphere Authentication Proxy access
control list, and vSphere Authentication Proxy authorizes the host based on its IP address by
default. You can enable client authentication to have vSphere Authentication Proxy check the
host's certificate.

Note You cannot use vSphere Authentication Proxy in an environment that supports only IPv6.

Enable vSphere Authentication Proxy


The vSphere Authentication Proxy service is available on each vCenter Server system. By default,
the service is not running. If you want to use vSphere Authentication Proxy in your environment,
you can start the service from the vCenter Server Appliance Management Interface, from the
vSphere Web Client, or from the command line.

The vSphere Authentication Proxy service binds to an IPv4 address for communication with
vCenter Server, and does not support IPv6. The vCenter Server instance can be on a host
machine in an IPv4-only or IPv4/IPv6 mixed-mode network environment. However, when you
specify the address of vSphere Authentication Proxy, you must specify an IPv4 address.

Prerequisites

Verify that you are using vCenter Server 6.5 or later. In earlier versions of vSphere, vSphere
Authentication Proxy is installed separately. See the documentation for the earlier version of the
product for instructions.

Procedure

1 Start the VMware vSphere Authentication Proxy service.

vCenter Server Appliance Management Interface (VAMI)
    a In a Web browser, go to the vCenter Server Appliance Management
      Interface, https://appliance-IP-address-or-FQDN:5480.
    b Log in as root.
      The default root password is the password that you set while deploying
      the vCenter Server Appliance.
    c Click Services, and click the VMware vSphere Authentication Proxy
      service.
    d Click Start.

vSphere Web Client
    a Click Administration, and click System Configuration under Deployment.
    b Click Services, and click the VMware vSphere Authentication Proxy
      service.
    c Click the green Start the service icon in the menu bar at the top of the
      window.
    d (Optional) After the service has started, click Actions > Edit Startup
      Type and click Automatic to make startup automatic.

2 Confirm that the service started successfully.

Results

You can now set the vSphere Authentication Proxy domain. After that, vSphere Authentication
Proxy handles all hosts that are provisioned with Auto Deploy, and you can explicitly add hosts
to vSphere Authentication Proxy.

Add a Domain to vSphere Authentication Proxy with the vSphere Web Client


You can add a domain to vSphere Authentication Proxy from the vSphere Web Client or by using
the camconfig command.

You can add a domain to vSphere Authentication Proxy only after you enable the proxy. After
you add the domain, vSphere Authentication Proxy adds all hosts that you provision with Auto
Deploy to that domain. For other hosts, you can also use vSphere Authentication Proxy if you do
not want to give those hosts domain privileges.

Procedure

1 Connect to a vCenter Server system with the vSphere Web Client.

2 Click Administration, and click System Configuration under Deployment.

3 Click Services, click the VMware vSphere Authentication Proxy service, and click Edit.

4 Enter the name of the domain that vSphere Authentication Proxy will add hosts to, and the
name of a user who has Active Directory privileges to add hosts to the domain.

The other fields in this dialog are for information only.

5 Click the ellipsis icon to add and confirm the password for the user, and click OK.

Add a Domain to vSphere Authentication Proxy with the camconfig Command


You can add a domain to vSphere Authentication Proxy from the vSphere Web Client or by using
the camconfig command.

You can add a domain to vSphere Authentication Proxy only after you enable the proxy. After
you add the domain, vSphere Authentication Proxy adds all hosts that you provision with Auto
Deploy to that domain. For other hosts, you can also use vSphere Authentication Proxy if you do
not want to give those hosts domain privileges.

Procedure

1 Log in to the vCenter Server appliance or the vCenter Server Windows machine as a user
with administrator privileges.

2 Run the command to enable access to the Bash shell.

shell

3 Go to the directory where the camconfig script is located.

vCenter Server Appliance: /usr/lib/vmware-vmcam/bin/

vCenter Server Windows: C:\Program Files\VMware\vCenter Server\vmcamd\

4 To add the domain and user Active Directory credentials to the Authentication Proxy
configuration, run the following command.

camconfig add-domain -d domain -u user

You are prompted for a password.

vSphere Authentication Proxy caches that user name and password. You can remove and
recreate the user as needed. The domain must be reachable through DNS, but does not have
to be a vCenter Single Sign-On identity source.

vSphere Authentication Proxy uses the user name specified by user to create the accounts
for ESXi hosts in Active Directory. The user must have privileges to create accounts in the
Active Directory domain to which you are adding the hosts. At the time of writing, Microsoft
Knowledge Base article 932455 provided background information on account creation
privileges.

5 If you later want to remove the domain and user information from vSphere Authentication
Proxy, run the following command.

camconfig remove-domain -d domain

Use vSphere Authentication Proxy to Add a Host to a Domain


The Auto Deploy server adds all hosts that it provisions to vSphere Authentication Proxy,
and vSphere Authentication Proxy adds those hosts to the domain. If you want to add other
hosts to a domain using vSphere Authentication Proxy, you can add those hosts to vSphere
Authentication Proxy explicitly. Afterwards, the vSphere Authentication Proxy server adds those
hosts to the domain. As a result, user-supplied credentials no longer have to be transmitted to
the vCenter Server system.

You can enter the domain name in one of two ways:

- name.tld (for example, domain.com): The account is created under the default container.

- name.tld/container/path (for example, domain.com/OU1/OU2): The account is created
under a particular organizational unit (OU).

Prerequisites

- If the ESXi host is using a VMCA-signed certificate, verify that the host has been added to
vCenter Server. Otherwise, the Authentication Proxy service cannot trust the ESXi host.

- If the ESXi host is using a root CA-signed certificate, verify that the appropriate root CA-
signed certificate has been added to the vCenter Server system. See Certificate Management
for ESXi Hosts.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, select Authentication Services.

4 Click Join Domain.

5 Enter a domain.

Use the form name.tld, for example mydomain.com, or name.tld/container/path, for
example, mydomain.com/organizational_unit1/organizational_unit2.

6 Select Using Proxy Server.

7 Enter the IP address of the Authentication Proxy server, which is always the same as the IP
address of the vCenter Server system.

8 Click OK.

Enable Client Authentication for vSphere Authentication Proxy


By default, vSphere Authentication Proxy adds any host if it has the IP address of that host
in its access control list. For additional security, you can enable client authentication. If client
authentication is enabled, vSphere Authentication Proxy also checks the certificate of the host.

Prerequisites

- Verify that the vCenter Server system trusts the host. By default, when you add a host to
vCenter Server, the host is assigned a certificate that is signed by a vCenter Server trusted
root CA. vSphere Authentication Proxy trusts vCenter Server trusted root CA.

- If you plan on replacing ESXi certificates in your environment, perform the replacement
before you enable vSphere Authentication Proxy. The certificates on the ESXi host must
match that of the host's registration.

Procedure

1 Log in to the vCenter Server appliance or the vCenter Server Windows machine as a user
with administrator privileges.

2 Run the command to enable access to the Bash shell.

shell

3 Go to the directory where the camconfig script is located.

vCenter Server Appliance: /usr/lib/vmware-vmcam/bin/

vCenter Server Windows: C:\Program Files\VMware\vCenter Server\vmcamd\

4 Run the following command to enable client authentication.

camconfig ssl-cliAuth -e

Going forward, vSphere Authentication Proxy checks the certificate of each host that is
added.

5 If you later want to disable client authentication again, run the following command.

camconfig ssl-cliAuth -n

Import the vSphere Authentication Proxy Certificate to ESXi Host


By default, ESXi hosts require explicit verification of the vSphere Authentication Proxy certificate.
If you are using vSphere Auto Deploy, the Auto Deploy service takes care of adding the
certificate to hosts that it provisions. For other hosts, you have to add the certificate explicitly.

Prerequisites

- Upload the vSphere Authentication Proxy certificate to a datastore accessible to the ESXi
host. Using an SFTP application such as WinSCP, you can download the certificate from the
vCenter Server host at the following location.

vCenter Server Appliance: /var/lib/vmware/vmcam/ssl/rui.crt

vCenter Server Windows: C:\ProgramData\VMware\vCenterServer\data\vmcamd\ssl\rui.crt

- Verify that the UserVars.ActiveDirectoryVerifyCAMCertificate ESXi advanced setting is set
to 1 (the default).

Procedure

1 Select the ESXi host and click Configure.

2 Under System, select Authentication Services.

3 Click Import Certificate.

4 Enter the certificate file path following the format [datastore]/path/certname.crt, and
click OK.

Generate a New Certificate for vSphere Authentication Proxy


If you want to generate a new certificate that is provisioned by VMCA, or a new certificate that
includes VMCA as a subordinate certificate, follow the steps in this topic.

See Set Up vSphere Authentication Proxy to Use Custom Certificates if you want to use a custom
certificate that is signed by a third-party or enterprise CA.

Prerequisites

You must have root or Administrator privileges on the system on which vSphere Authentication
Proxy is running.

Procedure

1 Make a copy of certool.cfg.

cp /usr/lib/vmware-vmca/share/config/certool.cfg /var/lib/vmware/vmcam/ssl/vmcam.cfg

2 Edit the copy with some information about your organization, as in the following example.

Country = IE
Name = vmcam
Organization = VMware
OrgUnit = vTSU
State = Cork
Locality = Cork
Hostname = test-cam-1.test1.vmware.com

3 Generate the new private key in /var/lib/vmware/vmcam/ssl/.

/usr/lib/vmware-vmca/bin/certool --genkey --privkey=/var/lib/vmware/vmcam/ssl/rui.key --pubkey=/tmp/vmcam.pub --server=localhost

For localhost, supply the FQDN of the Platform Services Controller.

4 Generate the new certificate in /var/lib/vmware/vmcam/ssl/ using the private key from
Step 3 and the vmcam.cfg file that you created in Step 1 and Step 2.

/usr/lib/vmware-vmca/bin/certool --server=localhost --gencert --privkey=/var/lib/vmware/vmcam/ssl/rui.key --cert=/var/lib/vmware/vmcam/ssl/rui.crt --config=/var/lib/vmware/vmcam/ssl/vmcam.cfg

For localhost, supply the FQDN of the Platform Services Controller.

Set Up vSphere Authentication Proxy to Use Custom Certificates


Using custom certificates with vSphere Authentication Proxy consists of several steps. First you
generate a CSR and send it to your CA for signing. Then you place the signed certificate and key
file in a location that vSphere Authentication Proxy can access.

By default, vSphere Authentication Proxy generates a CSR during first boot and asks VMCA to
sign that CSR. vSphere Authentication Proxy registers with vCenter Server using that certificate.
You can use custom certificates in your environment, if you add those certificates to vCenter
Server.

Procedure

1 Generate a CSR for vSphere Authentication Proxy.

a Create a configuration file, /var/lib/vmware/vmcam/ssl/vmcam.cfg, as in the following
example.

[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:dns.static-1.csl.vmware.com
[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = Cork
localityName = Cork
0.organizationName = VMware
organizationalUnitName = vTSU
commonName = test-cam-1.test1.vmware.com

b Run openssl to generate a CSR file and a key file, passing in the configuration file.

openssl req -new -nodes -out vmcam.csr -newkey rsa:2048 -keyout /var/lib/vmware/vmcam/ssl/rui.key -config /var/lib/vmware/vmcam/ssl/vmcam.cfg

2 Back up the rui.crt certificate and rui.key files, which are stored in the following location.

vCenter Server Appliance: /var/lib/vmware/vmcam/ssl/rui.crt

vCenter Server Windows: C:\ProgramData\VMware\vCenterServer\data\vmcamd\ssl\rui.crt

VMware by Broadcom 110


vSphere Security

3 Unregister vSphere Authentication Proxy.

a Go to the directory where the camregister script is located.

OS Commands

vCenter Server Appliance /usr/lib/vmware-vmcam/bin

vCenter Server Windows C:\Program Files\VMware\vCenter Server\vmcamd

b Run the following command.

camregister --unregister -a VC_address -u user

user must be a vCenter Single Sign-On user that has administrator permissions on vCenter
Server.

4 Stop the vSphere Authentication Proxy service.

Tool                      Steps
vCenter Server Appliance  a In a Web browser, go to the vCenter Server Appliance Management Interface (VAMI), https://appliance-IP-address-or-FQDN:5480.
                          b Log in as root. The default root password is the password that you set while deploying the vCenter Server Appliance.
                          c Click Services, and click the VMware vSphere Authentication Proxy service.
                          d Click Stop.
vSphere Web Client        a Select Administration, and click System Configuration under Deployment.
                          b Click Services, click the VMware vSphere Authentication Proxy service, and click the red Stop the service icon.
CLI                       service-control --stop vmcam

5 Replace the existing rui.crt certificate and rui.key files with the files that you received
from your CA.

6 Restart the vSphere Authentication Proxy service.

7 Reregister vSphere Authentication Proxy explicitly with vCenter Server by using the new
certificate and key.

camregister --register -a VC_address -u user -c full_path_to_rui.crt -k full_path_to_rui.key
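The following is an added example, not part of this guide and not VMware tooling: a Python pre-flight check for the request configuration from step 1a. It parses the OpenSSL section/key=value format, checks the settings a CA and a TLS client care about (no interactive prompts, CA:false, digitalSignature plus keyEncipherment, and a subjectAltName that covers the commonName host, since TLS clients match host names against the SAN and not the CN), and, when an openssl binary is on PATH as it is on the vCenter Server Appliance, runs the same CSR generation as step 1b. The two embedded configurations are constructed: GOOD_CFG is the sample above with the SAN set to the same host as the CN, and MISMATCHED_CFG is the sample as printed, whose SAN names a different host.

```python
"""Pre-flight check for an OpenSSL request config such as vmcam.cfg.

Added example; not part of the vSphere documentation or of VMware's tooling.
"""
import re
import shutil
import subprocess

REQUIRED_KEY_USAGE = {"digitalSignature", "keyEncipherment"}


def parse_openssl_config(text):
    """Parse OpenSSL's INI-style config into {section: {key: value}}.

    Keys such as '0.organizationName' keep their numeric prefix, which OpenSSL
    uses to allow repeated attribute names in a distinguished-name section.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def lint_request_config(text):
    """Return a list of findings for a CSR config; an empty list means it looks sane."""
    cfg = parse_openssl_config(text)
    req = cfg.get("req", {})
    dn_name, ext_name = req.get("distinguished_name"), req.get("req_extensions")
    dn, ext = cfg.get(dn_name, {}), cfg.get(ext_name, {})
    findings = []

    if req.get("prompt", "yes") != "no":
        findings.append("req: prompt is not 'no', so openssl will ask interactively")
    if ext_name is None:
        findings.append("req: no req_extensions, so the CSR carries no SAN or key usage")
    if ext.get("basicConstraints", "").replace(" ", "").lower() != "ca:false":
        findings.append("basicConstraints must be CA:false for a server certificate")

    usage = {u.strip() for u in ext.get("keyUsage", "").split(",") if u.strip()}
    if REQUIRED_KEY_USAGE - usage:
        findings.append(f"keyUsage missing {sorted(REQUIRED_KEY_USAGE - usage)}")

    cn = next((v for k, v in dn.items() if k.split(".")[-1] == "commonName"), None)
    san_dns = {n.split(":", 1)[1].strip() for n in ext.get("subjectAltName", "").split(",")
               if n.strip().startswith("DNS:")}
    if cn is None:
        findings.append("no commonName in the distinguished name")
    elif cn not in san_dns:
        # TLS clients match the host name against SAN entries, not the CN.
        findings.append(f"subjectAltName does not cover the commonName host {cn}")
    return findings


def generate_csr(config_path, key_path, csr_path, bits=2048):
    """Run the openssl req command from step 1b; True when openssl exited successfully."""
    if shutil.which("openssl") is None:  # assumption: openssl is on PATH
        return False
    cmd = ["openssl", "req", "-new", "-nodes", "-out", csr_path, "-newkey", f"rsa:{bits}",
           "-keyout", key_path, "-config", config_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


# Constructed config: the guide's sample, with the SAN set to the same host as the CN.
GOOD_CFG = """\
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:test-cam-1.test1.vmware.com
[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = Cork
localityName = Cork
0.organizationName = VMware
organizationalUnitName = vTSU
commonName = test-cam-1.test1.vmware.com
"""
# The sample as printed in the guide: its SAN names a different host than the CN.
MISMATCHED_CFG = GOOD_CFG.replace("DNS:test-cam-1.test1.vmware.com",
                                  "DNS:dns.static-1.csl.vmware.com")
```

Run lint_request_config on the file before you submit the CSR to your CA; a finding about the SAN means the issued certificate will not pass host name verification for the name the proxy is reached under, and a CSR generated with an interactive prompt hangs when scripted.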


Configuring Smart Card Authentication for ESXi


You can use smart card authentication to log in to the ESXi Direct Console User Interface (DCUI)
by using a Personal Identity Verification (PIV), Common Access Card (CAC) or SC650 smart card
instead of specifying a user name and password.

A smart card is a small plastic card with an embedded integrated circuit chip. Many government
agencies and large enterprises use smart card based two-factor authentication to increase the
security of their systems and comply with security regulations.

When smart card authentication is enabled on an ESXi host, the DCUI prompts for a smart card
and PIN combination instead of the default prompt for a user name and password.

1 When you insert the smart card into the smart card reader, the ESXi host reads the
credentials on it.

2 The ESXi DCUI displays your login ID, and prompts for your PIN.

3 After you enter your PIN, the ESXi host matches it with the PIN stored on the smart card and
verifies the certificate on the smart card with Active Directory.

4 After successful verification of the smart card certificate, ESXi logs you in to the DCUI.

You can switch to user name and password authentication from the DCUI by pressing F3.

The chip on the smart card locks after a few consecutive incorrect PIN entries, usually three. If a
smart card is locked, only selected personnel can unlock it.

Enable Smart Card Authentication


Enable smart card authentication to prompt for smart card and PIN combination to log in to the
ESXi DCUI.

Prerequisites

- Set up the infrastructure to handle smart card authentication, such as accounts in the Active
Directory domain, smart card readers, and smart cards.

- Configure ESXi to join an Active Directory domain that supports smart card authentication.
For more information, see Using Active Directory to Manage ESXi Users.

- Use the vSphere Client to add root certificates. See Certificate Management for ESXi Hosts.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, select Authentication Services.

You see the current smart card authentication status and a list with imported certificates.

4 In the Smart Card Authentication panel, click Edit.


5 In the Edit Smart Card Authentication dialog box, select the Certificates page.

6 Add trusted Certificate Authority (CA) certificates, for example, root and intermediary CA
certificates.

Certificates must be in PEM format.

7 Open the Smart Card Authentication page, select the Enable Smart Card Authentication
check box, and click OK.

Disable Smart Card Authentication


Disable smart card authentication to return to the default user name and password
authentication for ESXi DCUI login.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, select Authentication Services.

You see the current smart card authentication status and a list with imported certificates.

4 In the Smart Card Authentication panel, click Edit.

5 On the Smart Card Authentication page, deselect the Enable Smart Card Authentication
check box, and click OK.

Authenticating With User Name and Password in Case of Connectivity Problems

If the Active Directory (AD) domain server is not reachable, you can log in to the ESXi DCUI by
using user name and password authentication to perform emergency actions on the host.

In exceptional circumstances, the AD domain server is not reachable to authenticate the user
credentials on the smart card because of connectivity problems, network outage, or disasters. In
that case, you can log in to the ESXi DCUI by using the credentials of a local ESXi Administrator
user. After logging in, you can perform diagnostics or other emergency actions. The fallback to
user name and password login is logged. When the connectivity to AD is restored, smart card
authentication is enabled again.

Note Loss of network connectivity to vCenter Server does not affect smart card authentication
if the Active Directory (AD) domain server is available.

Using Smart Card Authentication in Lockdown Mode


When enabled, lockdown mode on the ESXi host increases the security of the host and limits
access to the DCUI. Lockdown mode might disable the smart card authentication feature.


In normal lockdown mode, only users on the Exception Users list with administrator privileges can
access the DCUI. Exception users are host local users or Active Directory users with permissions
defined locally for the ESXi host. If you want to use smart card authentication in normal lockdown
mode, you must add users to the Exception Users list from the vSphere Client. These users do
not lose their permissions when the host enters normal lockdown mode and can log in to the
DCUI. For more information, see Specify Lockdown Mode Exception Users.

In strict lockdown mode, the DCUI service is stopped. As a result, you cannot access the host by
using smart card authentication.

Using the ESXi Shell


The ESXi Shell is disabled by default on ESXi hosts. You can enable local and remote access to
the shell if necessary.

To reduce the risk of unauthorized access, enable the ESXi Shell for troubleshooting only.

The ESXi Shell is independent of lockdown mode. Even if the host is running in lockdown mode,
you can still log in to the ESXi Shell if it is enabled.

ESXi Shell

Enable this service to access the ESXi Shell locally.

SSH

Enable this service to access the ESXi Shell remotely by using SSH.

The root user and users with the Administrator role can access the ESXi Shell. Users who are
in the Active Directory group ESX Admins are automatically assigned the Administrator role. By
default, only the root user can run system commands (such as vmware -v) by using the ESXi
Shell.

Note Do not enable the ESXi Shell unless you actually need access.

What to read next

- Enable Access to the ESXi Shell
You can use the vSphere Client or the vSphere Web Client to enable local and remote (SSH)
access to the ESXi Shell and to set the idle timeout and availability timeout.

- Use the Direct Console User Interface to Enable Access to the ESXi Shell
The Direct Console User Interface (DCUI) allows you to interact with the host locally
using text-based menus. Evaluate carefully whether the security requirements of your
environment support enabling the Direct Console User Interface.

- Log in to the ESXi Shell for Troubleshooting
Perform ESXi configuration tasks with the vSphere Client, the vSphere CLI, or vSphere
PowerCLI. Log in to the ESXi Shell (formerly Tech Support Mode or TSM) for troubleshooting
purposes only.


Enable Access to the ESXi Shell


You can use the vSphere Client or the vSphere Web Client to enable local and remote (SSH)
access to the ESXi Shell and to set the idle timeout and availability timeout.

Note Access the host by using the vSphere Web Client, remote command-line tools (vCLI and
PowerCLI), and published APIs. Do not enable remote access to the host using SSH unless special
circumstances require that you enable SSH access.

Prerequisites

If you want to use an authorized SSH key, you can upload it. See ESXi SSH Keys.

Procedure

1 Browse to the host in the inventory.

2 Navigate to the Services panel.

Option              Description
vSphere Client      a Click Configure.
                    b Under System, click Services.
vSphere Web Client  a Click Configure.
                    b Under System, click Security Profile.

3 Manage the ESXi Shell, SSH, or Direct Console UI services.

Option              Description
vSphere Client      a In the Services pane, select the service.
                    b Click Edit Startup Policy and select the startup policy Start and stop manually.
                    c To enable the service, click Start.
vSphere Web Client  a In the Services pane, click Edit.
                    b Click Service Details and select the startup policy Start and stop manually.
                    c To enable the service, click Start.
                    d Click OK.

When you select Start and stop manually, the service does not start when you reboot the
host. If you want the service to start when you reboot the host, select Start and stop with
host.

What to do next

Set the availability and idle timeouts for the ESXi Shell. See Create a Timeout for ESXi Shell
Availability and Create a Timeout for Idle ESXi Shell Sessions


Create a Timeout for ESXi Shell Availability


The ESXi Shell is disabled by default. You can set an availability timeout for the ESXi Shell to
increase security when you enable the shell.

The availability timeout setting is the amount of time that can elapse before you must log in
after the ESXi Shell is enabled. After the timeout period, the service is disabled and users are not
allowed to log in.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, select Advanced System Settings.

4 Click Edit, and select UserVars.ESXiShellTimeOut.

5 Enter the availability timeout setting, in seconds.

You must restart the SSH service and the ESXi Shell service for the timeout to take effect.

6 Click OK.

Results

If you are logged in when the timeout period elapses, your session will persist. However, after
you log out or your session is terminated, users are not allowed to log in.

Create a Timeout for Idle ESXi Shell Sessions


If you enable the ESXi Shell on a host but forget to log out of the session, the idle session
remains connected indefinitely. The open connection increases the potential for someone to gain
privileged access to the host. Prevent this by setting a timeout for idle sessions.

The idle timeout is the amount of time that can elapse before a user is logged out of an idle
interactive session. You can control the amount of time for both local and remote (SSH) sessions
from the Direct Console User Interface (DCUI) or from the vSphere Client.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, select Advanced System Settings.

4 Click Edit, select UserVars.ESXiShellInteractiveTimeOut, and enter the timeout setting.

A value of zero (0) disables the idle timeout.

5 Restart the ESXi Shell service and the SSH service for the timeout to take effect.

Results

If the session is idle, users are logged out after the timeout period elapses.


Use the Direct Console User Interface to Enable Access to the ESXi Shell
The Direct Console User Interface (DCUI) allows you to interact with the host locally using text-
based menus. Evaluate carefully whether the security requirements of your environment support
enabling the Direct Console User Interface.

You can use the Direct Console User Interface (DCUI) to enable local and remote access to the
ESXi Shell. You access the Direct Console User Interface from the physical console attached
to the host. After the host reboots and loads ESXi, press F2 to log in to the DCUI. Enter the
credentials that you created when you installed ESXi.

Note Changes made to the host using the Direct Console User Interface, the vSphere Client,
ESXCLI, or other administrative tools are committed to permanent storage every hour or upon
graceful shutdown. If the host fails before the changes are committed, they might be lost.

Procedure

1 From the Direct Console User Interface, press F2 to access the System Customization menu.

2 Select Troubleshooting Options and press Enter.

3 From the Troubleshooting Mode Options menu, select a service to enable.

- Enable ESXi Shell

- Enable SSH

4 Press Enter to enable the service.

5 Press Esc until you return to the main menu of the Direct Console User Interface.

What to do next

Set the availability and idle timeouts for the ESXi Shell. See Set Availability Timeout or Idle
Timeout for the ESXi Shell.

Set Availability Timeout or Idle Timeout for the ESXi Shell


The ESXi Shell is disabled by default. To increase security when you enable the shell, you can set
an availability timeout, an idle timeout, or both.

The two types of timeout apply in different situations.

Idle Timeout

If a user enables the ESXi Shell on a host, but forgets to log out of the session, the idle
session remains connected indefinitely. The open connection can increase the potential for
someone to gain privileged access to the host. You can prevent this situation by setting a
timeout for idle sessions.

Availability Timeout


The availability timeout determines how much time can elapse before you log in after you
initially enable the shell. If you wait longer, the service is disabled and you cannot log in to the
ESXi Shell.

Prerequisites

Enable the ESXi Shell. See Use the Direct Console User Interface to Enable Access to the ESXi
Shell.

Procedure

1 Log in to the Direct Console User Interface and, from the System Customization menu, select
Troubleshooting Options.

2 From the Troubleshooting Mode Options menu, select Modify ESXi Shell and SSH timeouts
and press Enter.

3 Enter the idle timeout (in seconds) or the availability timeout (in seconds).

You must restart the SSH service and the ESXi Shell service for the timeout to take effect.

4 Press Enter to confirm, and press Esc until you return to the main menu of the Direct Console
User Interface.

Results

- If you set the idle timeout, users are logged out after the session is idle for the specified time.

- If you set the availability timeout, and you do not log in before that timeout elapses, logins
become disabled again.

Log in to the ESXi Shell for Troubleshooting


Perform ESXi configuration tasks with the vSphere Client, the vSphere CLI, or vSphere PowerCLI.
Log in to the ESXi Shell (formerly Tech Support Mode or TSM) for troubleshooting purposes only.

Procedure

1 Log in to the ESXi Shell using one of the following methods.

- If you have direct access to the host, press Alt+F1 to open the login page on the
machine's physical console.

- If you are connecting to the host remotely, use SSH or another remote console
connection to start a session on the host.

2 Enter a user name and password recognized by the host.

UEFI Secure Boot for ESXi Hosts


Secure boot is part of the UEFI firmware standard. With secure boot enabled, a machine refuses
to load any UEFI driver or app unless the operating system bootloader is cryptographically
signed. Starting with vSphere 6.5, ESXi supports secure boot if it is enabled in the hardware.


UEFI Secure Boot Overview


ESXi version 6.5 and later supports UEFI secure boot at each level of the boot stack.

Note Before you use UEFI Secure Boot on a host that was upgraded to ESXi 6.5, check
for compatibility by following the instructions in Run the Secure Boot Validation Script on an
Upgraded ESXi Host. If you upgrade an ESXi host by using esxcli commands, the upgrade does
not update the bootloader. In that case, you cannot perform a secure boot on that system.

Figure 3-1. UEFI Secure Boot (diagram; the text below is what the figure shows)

On a UEFI secure boot enabled machine, each layer holds the public key that verifies the next:

  UEFI firmware (root of trust: UEFI CA public key)
    -> (1) VMware bootloader, which holds the VMware public key
      -> (1) VMkernel
        -> ESXi base system with the VMware secure boot VIB verifier, which holds the VMware public key
          -> (2) drivers and modules, and management apps (hostd, dcui, etc.)

With secure boot enabled, the boot sequence proceeds as follows.

1 Starting with vSphere 6.5, the ESXi bootloader contains a VMware public key. The bootloader
uses this key to verify the signature of the kernel and a small subset of the system that
includes a secure boot VIB verifier.

2 The VIB verifier verifies every VIB package that is installed on the system.

At this point, the entire system boots with the root of trust in certificates that are part of the UEFI
firmware.

UEFI Secure Boot Troubleshooting


If secure boot does not succeed at any level of the boot sequence, an error results.


The error message depends on the hardware vendor and on the level at which verification did
not succeed.

- If you attempt to boot with a bootloader that is unsigned or has been tampered with, an error
during the boot sequence results. The exact message depends on the hardware vendor. It
might look like the following error, but might look different.

  UEFI0073: Unable to boot PXE Device...because of the Secure Boot policy

- If the kernel has been tampered with, an error like the following results.

  Fatal error: 39 (Secure Boot Failed)

- If a package (VIB or driver) has been tampered with, a purple screen with the following
message appears.

  UEFI Secure Boot failed:
  Failed to verify signatures of the following vibs (XX)

To resolve issues with secure boot, follow these steps.

1 Reboot the host with secure boot disabled.

2 Run the secure boot verification script (see Run the Secure Boot Validation Script on an
Upgraded ESXi Host).

3 Examine the information in the /var/log/esxupdate.log file.

Run the Secure Boot Validation Script on an Upgraded ESXi Host


After you upgrade an ESXi host from an older version of ESXi that did not support UEFI secure
boot, you might be able to enable secure boot. Whether you can enable secure boot depends
on how you performed the upgrade and whether the upgrade replaced all the existing VIBs or
left some VIBs unchanged. You can run a validation script after you perform the upgrade to
determine whether the upgraded installation supports secure boot.

For secure boot to succeed, the signature of every installed VIB must be available on the system.
Older versions of ESXi do not save the signatures when installing VIBs.

- If you upgrade using ESXCLI commands, the old version of ESXi performs the installation of
the new VIBs, so their signatures are not saved and secure boot is not possible.

- If you upgrade using the ISO, new VIBs do have their signatures saved. This is true also for
vSphere Update Manager upgrades that use the ISO.

- If old VIBs remain on the system, the signatures of those VIBs are not available and secure
boot is not possible.

  - If the system uses a third-party driver, and the VMware upgrade does not include a new
  version of the driver VIB, then the old VIB remains on the system after upgrade.

  - In rare cases, VMware might drop ongoing development of a specific VIB without
  providing a new VIB that replaces or obsoletes it, so the old VIB remains on the system
  after upgrade.

Note UEFI secure boot also requires an up-to-date bootloader. This script does not check for an
up-to-date bootloader.

Prerequisites

- Verify that the hardware supports UEFI secure boot.

- Verify that all VIBs are signed with an acceptance level of at least PartnerSupported. If you
include VIBs at the CommunitySupported level, you cannot use secure boot.

Procedure

1 Upgrade the ESXi host and run the following command.

/usr/lib/vmware/secureboot/bin/secureBoot.py -c

2 Check the output.

The output either includes Secure boot can be enabled or Secure boot CANNOT be enabled.

Securing ESXi Hosts with Trusted Platform Module


ESXi hosts can use Trusted Platform Modules (TPM) chips, which are secure cryptoprocessors
that enhance host security by providing a trust assurance rooted in hardware as opposed to
software.

TPM is an industry-wide standard for secure cryptoprocessors. TPM chips are found in most of
today's computers, from laptops, to desktops, to servers. vSphere 6.7 and later supports TPM
version 2.0.

A TPM 2.0 chip attests to an ESXi host's identity. Host attestation is the process of authenticating
and attesting to the state of the host's software at a given point in time. UEFI secure boot,
which ensures that only signed software is loaded at boot time, is a requirement for successful
attestation. The TPM 2.0 chip records and securely stores measurements of the software
modules booted in the system, which vCenter Server remotely verifies.

The high-level steps of the remote attestation process are:

1 Establish the trustworthiness of the remote TPM and create an Attestation Key (AK) on it.

When an ESXi host is added to, rebooted from, or reconnected to vCenter Server, vCenter
Server requests an AK from the host. Part of the AK creation process also involves the
verification of the TPM hardware itself, to ensure that a known (and trusted) vendor has
produced it.

2 Retrieve the Attestation Report from the host.


vCenter Server requests that the host sends an Attestation Report, which contains a quote
of Platform Configuration Registers (PCRs), signed by the TPM, and other signed host binary
metadata. By checking that the information corresponds to a configuration it deems trusted,
a vCenter Server identifies the platform on a previously untrusted host.

3 Verify the host's authenticity.

vCenter Server verifies the authenticity of the signed quote, infers the software versions, and
determines the trustworthiness of said software versions. If vCenter Server determines the
signed quote is invalid, remote attestation fails and the host is not trusted.

To use a TPM 2.0 chip, your vCenter Server environment must meet these requirements:

- vCenter Server 6.7 or later

- ESXi 6.7 host or later with TPM 2.0 chip installed and enabled in UEFI

- UEFI Secure Boot enabled

Ensure that the TPM is configured in the ESXi host's BIOS to use the SHA-256 hashing algorithm
and the TIS/FIFO (First-In, First-Out) interface and not CRB (Command Response Buffer). For
information about setting these required BIOS options, refer to the vendor documentation.
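The following is an added example, not VMware code and not how vCenter Server is implemented. It models the measurement side of the attestation described above, which the secure boot chain in Figure 3-1 feeds: each boot stage hashes the next component into a Platform Configuration Register with the TPM's extend operation (PCR_new = SHA-256(PCR_old || SHA-256(component)), on the SHA-256 bank the text requires), and the verifier then compares the quoted PCRs with the values a known-good stack produces. The component contents, the choice of PCR indexes 0 and 7, and the golden values are constructed; the real assignment of boot stages to PCRs follows the TCG PC Client specification, and the check of the Attestation Key signature over the quote is not modeled.

```python
"""Measured boot and quote comparison as an attestation verifier sees them.

Added example; not VMware code and not vCenter Server's implementation.
"""
import hashlib

PCR_BYTES = 32  # SHA-256 PCR bank, the hashing algorithm the text says the TPM must use


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend on a SHA-256 bank: hash the old value concatenated with the digest.

    A PCR cannot be set directly, only extended, so the final value depends on every
    measurement and on their order.
    """
    if len(pcr) != PCR_BYTES or len(measurement) != PCR_BYTES:
        raise ValueError("PCR value and measurement must be 32-byte SHA-256 digests")
    return sha256(pcr + measurement)


def measured_boot(stages):
    """Simulate each boot stage measuring the next component before handing control to it.

    stages: list of (pcr_index, component_bytes) in boot order.
    Returns {pcr_index: final_value}; every PCR starts as 32 zero bytes after reset.
    """
    pcrs = {}
    for index, component in stages:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_BYTES)), sha256(component))
    return pcrs


def verify_quote(quoted_pcrs, golden_pcrs):
    """Return (trusted, failed_pcr_indexes). A PCR missing from the quote counts as failed."""
    failed = [i for i, expected in golden_pcrs.items() if quoted_pcrs.get(i) != expected]
    return (not failed, failed)


# Constructed stand-ins for the components in Figure 3-1; real images are the signed binaries.
BOOTLOADER = b"bootloader image, VMware-signed"
VMKERNEL = b"vmkernel image, VMware-signed"
VIBS = [b"esx-base", b"vmware-esx-esxcli", b"net-ixgben"]


def boot_stack(vibs):
    """Constructed PCR assignment: firmware-visible stages in PCR 0, VIB packages in PCR 7."""
    return [(0, BOOTLOADER), (0, VMKERNEL)] + [(7, vib) for vib in vibs]


def attest(vibs, golden):
    """Boot the constructed stack and check the resulting PCR quote against golden values."""
    return verify_quote(measured_boot(boot_stack(vibs)), golden)
```

Changing a single byte of one VIB, or loading the same VIBs in a different order, yields a different PCR 7, so the quote no longer matches the golden value and attestation fails; that is why vCenter Server must learn a host's identity key and expected state when the host is first connected, and why a host with a newly added TPM must be disconnected and reconnected as the note below says.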

Review the TPM 2.0 chips certified by VMware at the following location:

https://www.vmware.com/resources/compatibility/search.php

When you boot an ESXi host with an installed TPM 2.0 chip, vCenter Server monitors the host's
attestation status. The vSphere Client displays the hardware trust status in the vCenter Server's
Summary tab under Security with the following alarms:

- Green: Normal status, indicating full trust.

- Red: Attestation failed.

Note If you add a TPM 2.0 chip to an ESXi host that vCenter Server already manages, you
must first disconnect the host, then reconnect it. See vCenter Server and Host Management
documentation for information about disconnecting and reconnecting hosts.


View ESXi Host Attestation Status


When added to an ESXi host, a Trusted Platform Module 2.0 compatible chip attests the integrity
of the platform. You can view the attestation status of the host in the vSphere Client. You can
also view the Intel Trusted Execution Technology (TXT) status.

Procedure

1 Connect to vCenter Server by using the vSphere Client.

2 Navigate to a data center and click the Monitor tab.


3 Click Security.

4 Review the host's status in the Attestation column and read the accompanying message in
the Message column.

What to do next

For a Failed or Warning attestation status, see Troubleshoot ESXi Host Attestation Problems.

Troubleshoot ESXi Host Attestation Problems


When you install a Trusted Platform Module (TPM) device on an ESXi host, the host might fail to
pass attestation. You can troubleshoot the potential causes of this problem.

Procedure

1 View the ESXi host alarm status and accompanying error message. See View ESXi Host
Attestation Status.

2 If the error message is Host secure boot was disabled, you must re-enable secure boot
to resolve the problem.

3 If the attestation status of the host is failed, check the vCenter Server vpxd.log file for the
following message:

No cached identity key, loading from DB


This message indicates that you are adding a TPM 2.0 chip to an ESXi host that vCenter
Server already manages. You must first disconnect the host, then reconnect it. See vCenter
Server and Host Management documentation for information about disconnecting and
reconnecting hosts.
For more information about vCenter Server log files, including location and log rotation, see
the VMware knowledge base article at https://kb.vmware.com/s/article/1021804.

4 For all other error messages, contact Customer Support.

ESXi Log Files


Log files are an important component of troubleshooting attacks and obtaining information about
breaches. Logging to a secure, centralized log server can help prevent log tampering. Remote
logging also provides a long-term audit record.

To increase the security of the host, take the following measures:

- Configure persistent logging to a datastore. By default, the logs on ESXi hosts are stored
in the in-memory file system. Therefore, they are lost when you reboot the host, and only
24 hours of log data is stored. When you enable persistent logging, you have a dedicated
activity record for the host.

- Remote logging to a central host allows you to gather log files on a central host. From that
host, you can monitor all hosts with a single tool, do aggregate analysis, and search log data.
This approach facilitates monitoring and reveals information about coordinated attacks on
multiple hosts.

- Configure the remote secure syslog on ESXi hosts by using a CLI such as vCLI or PowerCLI, or
by using an API client.

- Query the syslog configuration to make sure that the syslog server and port are valid.

See the vSphere Monitoring and Performance documentation for information about syslog setup,
and for additional information on ESXi log files.

Configure Syslog on ESXi Hosts


You can use the vSphere Client or the esxcli system syslog vCLI command to configure the
syslog service.

For information about using the esxcli system syslog command and other vCLI commands,
see Getting Started with ESXCLI.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, click Advanced System Settings.

4 Click Edit.

5 Filter for syslog.

6 To set up logging globally, select the setting to change and enter the value.

Option                        Description

Syslog.global.defaultRotate   Maximum number of archives to keep. You can set this number globally and
                              for individual subloggers.

Syslog.global.defaultSize     Default size of the log, in KB, before the system rotates logs. You can set
                              this number globally and for individual subloggers.

Syslog.global.LogDir          Directory where logs are stored. The directory can be on mounted NFS
                              or VMFS volumes. Only the /scratch directory on the local file system
                              is persistent across reboots. Specify the directory as [datastorename]
                              path_to_file, where the path is relative to the root of the volume backing
                              the datastore. For example, the path [storage1] /systemlogs maps to
                              the path /vmfs/volumes/storage1/systemlogs.

Syslog.global.logDirUnique    Selecting this option creates a subdirectory with the name of the ESXi host
                              under the directory specified by Syslog.global.LogDir. A unique directory is
                              useful if the same NFS directory is used by multiple ESXi hosts.

Syslog.global.LogHost         Remote host to which syslog messages are forwarded and port on which
                              the remote host receives syslog messages. You can include the protocol
                              and the port, for example, ssl://hostName1:1514. UDP (only on port 514),
                              TCP, and SSL are supported. The remote host must have syslog installed
                              and correctly configured to receive the forwarded syslog messages. See
                              the documentation for the syslog service installed on the remote host for
                              information on configuration.

7 (Optional) To overwrite the default log size and log rotation for any of the logs:

a Click the name of the log that you want to customize.

b Enter the number of rotations and the log size you want.

8 Click OK.

Results

Changes to the syslog options take effect immediately.
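The following is an added example, not VMware code and not the parser ESXi itself uses. It implements the two value formats the option table describes, so that the values can be checked before they are applied, which is what the "query the syslog configuration" advice in the previous section asks for: Syslog.global.LogHost as protocol://hostname:port with udp, tcp or ssl, UDP only on port 514, and Syslog.global.LogDir as [datastorename] path mapped to /vmfs/volumes/datastorename/path. Three details are assumptions not stated in the guide: an entry without a protocol is treated as udp, a missing port as 514, and several LogHost targets may be separated by commas; confirm them against esxcli system syslog config get on your own hosts.

```python
"""Validate ESXi syslog settings before applying them.

Added example; not VMware code and not how ESXi parses these values.
"""
import re
from dataclasses import dataclass

PROTOCOLS = ("udp", "tcp", "ssl")
DEFAULT_PORT = 514  # assumption; confirm with 'esxcli system syslog config get'
HOST_RE = re.compile(
    r"^(?:(?P<proto>[a-z]+)://)?(?P<host>[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:]+\])(?::(?P<port>\d+))?$")
LOGDIR_RE = re.compile(r"^\[(?P<ds>[^\]]+)\]\s*(?P<path>/?\S*)$")


@dataclass
class LogHost:
    proto: str
    host: str
    port: int
    findings: list


def parse_loghost(value):
    """Split a LogHost setting into targets and attach the checks that fail for each."""
    targets = []
    for item in (v.strip() for v in value.split(",") if v.strip()):  # assumption: comma list
        m = HOST_RE.match(item)
        if not m:
            raise ValueError(f"unparseable LogHost entry: {item!r}")
        proto = m.group("proto") or "udp"  # assumption: no protocol means udp
        port = int(m.group("port") or DEFAULT_PORT)
        findings = []
        if proto not in PROTOCOLS:
            findings.append(f"unsupported protocol {proto}; use udp, tcp or ssl")
        if not 0 < port < 65536:
            findings.append(f"port {port} is out of range")
        if proto == "udp" and port != 514:
            findings.append("UDP is only supported on port 514")
        if proto in ("udp", "tcp"):
            findings.append("cleartext transport; prefer ssl:// so log data cannot be "
                            "read or altered in transit")
        targets.append(LogHost(proto, m.group("host"), port, findings))
    return targets


def logdir_to_vmfs_path(value):
    """Map '[datastorename] path' to the /vmfs/volumes path the host writes to."""
    m = LOGDIR_RE.match(value.strip())
    if not m:
        raise ValueError(f"LogDir must look like '[datastorename] path': {value!r}")
    return f"/vmfs/volumes/{m.group('ds')}/{m.group('path').lstrip('/')}".rstrip("/")


def audit(settings):
    """settings: {advanced option name: value}. Returns the list of problems found."""
    report = []
    loghost = settings.get("Syslog.global.LogHost", "")
    if not loghost:
        report.append("no remote LogHost: logs stay on the host and can be tampered with")
    else:
        for t in parse_loghost(loghost):
            report.extend(f"{t.proto}://{t.host}:{t.port}: {f}" for f in t.findings)
    logdir = settings.get("Syslog.global.LogDir", "")
    if not logdir:
        report.append("no persistent LogDir: local logs are lost on reboot")
    else:
        try:
            logdir_to_vmfs_path(logdir)
        except ValueError as err:
            report.append(str(err))
    return report
```

A host whose audit returns an empty list forwards over TLS to an explicit port and keeps a persistent local copy; anything else in the list is a setting the vSphere Client accepts silently but that leaves logs either unforwarded, readable on the wire, or lost at the next reboot.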

ESXi Log File Locations


ESXi records host activity in log files, using a syslog facility.

Component            Location                  Purpose

VMkernel             /var/log/vmkernel.log     Records activities related to virtual machines and ESXi.

VMkernel warnings    /var/log/vmkwarning.log   Records activities related to virtual machines.

VMkernel summary     /var/log/vmksummary.log   Used to determine uptime and availability statistics
                                               for ESXi (comma separated).

ESXi host agent log  /var/log/hostd.log        Contains information about the agent that manages and
                                               configures the ESXi host and its virtual machines.

vCenter agent log    /var/log/vpxa.log         Contains information about the agent that communicates
                                               with vCenter Server (if the host is managed by vCenter
                                               Server).

Shell log            /var/log/shell.log        Contains a record of all commands typed into the ESXi
                                               Shell as well as shell events (for example, when the
                                               shell was enabled).

Authentication       /var/log/auth.log         Contains all events related to authentication for the
                                               local system.

System messages      /var/log/syslog.log       Contains all general log messages and can be used for
                                               troubleshooting. This information was formerly located
                                               in the messages log file.

Virtual machines     The same directory as the affected virtual machine's configuration files, named
                     vmware.log and vmware*.log. For example, /vmfs/volumes/datastore/virtual
                     machine/vmware.log
                                               Contains virtual machine power events, system failure
                                               information, tools status and activity, time sync,
                                               virtual hardware changes, vMotion migrations, machine
                                               clones, and so on.

Quick Boot           /var/log/loadESX.log      Contains all events related to restarting an ESXi host
                                               through Quick Boot.
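The following is an added example, not VMware code, showing the kind of triage an incident responder runs over two of the files in the table: failed and accepted logins in auth.log, and the command history in shell.log. The sample lines are constructed to mimic the OpenSSH-style entries ESXi writes to /var/log/auth.log and the shell[pid]: [user]: command entries in /var/log/shell.log; verify the exact format against your own hosts before relying on the patterns, and run the check against the central syslog copy rather than the host's in-memory logs, which an attacker with shell access can simply clear.

```python
"""Triage ESXi auth.log and shell.log lines for events an incident responder looks for.

Added example; not VMware code. Log formats below are assumed and the lines are constructed.
"""
import re
from collections import Counter

AUTH_FAILED = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
AUTH_ACCEPTED = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SHELL_CMD = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Commands that change the host's security posture; each hit deserves a second look.
SENSITIVE = (
    re.compile(r"\besxcli\s+system\s+(settings\s+advanced\s+set|syslog\s+config\s+set|account\b)"),
    re.compile(r"\bvim-cmd\s+hostsvc/enable_(ssh|esx_shell)\b"),
    re.compile(r"\besxcli\s+software\s+(vib|acceptance)\b"),
    re.compile(r"\bpasswd\b"),
)


def bruteforce_sources(auth_lines, threshold=5):
    """Return {source: failures} for sources with at least `threshold` failed logins."""
    failures = Counter()
    for line in auth_lines:
        m = AUTH_FAILED.match(line)
        if m:
            failures[m.group("src")] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


def successes_after_failures(auth_lines, threshold=5):
    """Accepted logins from a source that had already failed `threshold` times, in log order."""
    failures = Counter()
    hits = []
    for line in auth_lines:
        m = AUTH_FAILED.match(line)
        if m:
            failures[m.group("src")] += 1
            continue
        m = AUTH_ACCEPTED.match(line)
        if m and failures[m.group("src")] >= threshold:
            hits.append((m.group("ts"), m.group("user"), m.group("src")))
    return hits


def sensitive_shell_commands(shell_lines):
    """Return (ts, user, cmd) for shell.log commands that match a SENSITIVE pattern."""
    out = []
    for line in shell_lines:
        m = SHELL_CMD.match(line)
        if m and any(p.search(m.group("cmd")) for p in SENSITIVE):
            out.append((m.group("ts"), m.group("user"), m.group("cmd")))
    return out


# Constructed sample lines in the assumed formats.
AUTH_SAMPLE = [
    "2024-08-30T10:12:01Z sshd[2100101]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "2024-08-30T10:12:05Z sshd[2100102]: Failed password for root from 10.0.0.5 port 51235 ssh2",
    "2024-08-30T10:12:09Z sshd[2100103]: Failed password for root from 10.0.0.5 port 51236 ssh2",
    "2024-08-30T10:12:14Z sshd[2100104]: Failed keyboard-interactive/pam for root from 10.0.0.5 port 51237 ssh2",
    "2024-08-30T10:12:20Z sshd[2100105]: Failed keyboard-interactive/pam for root from 10.0.0.5 port 51238 ssh2",
    "2024-08-30T10:12:33Z sshd[2100106]: Failed password for invalid user admin from 192.0.2.7 port 40022 ssh2",
    "2024-08-30T10:12:40Z sshd[2100107]: Accepted keyboard-interactive/pam for root from 10.0.0.5 port 51240 ssh2",
    "2024-08-30T10:13:00Z sshd[2100108]: Accepted publickey for root from 10.0.0.9 port 40000 ssh2",
]
SHELL_SAMPLE = [
    "2024-08-30T10:14:02Z shell[2100120]: [root]: ls /var/log",
    "2024-08-30T10:14:30Z shell[2100120]: [root]: esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i 0",
    "2024-08-30T10:15:10Z shell[2100120]: [root]: esxcli software acceptance set --level=CommunitySupported",
    "2024-08-30T10:15:40Z shell[2100120]: [root]: esxcli system syslog config get",
]
```

On the sample, the brute-force check isolates 10.0.0.5, the success-after-failures check shows the same source then logging in as root, and the shell check surfaces the two commands that weaken the host (disabling the idle timeout and lowering the VIB acceptance level) while ignoring the read-only syslog query.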

Securing Fault Tolerance Logging Traffic


VMware Fault Tolerance (FT) captures inputs and events that occur on a primary VM and sends
them to the secondary VM, which is running on another host.

This logging traffic between the primary and secondary VMs is unencrypted and contains guest
network and storage I/O data, as well as the memory contents of the guest operating system.
This traffic might include sensitive data such as passwords in plaintext. To avoid such data being
divulged, ensure that this network is secured, especially to avoid man-in-the-middle attacks. For
example, use a private network for FT logging traffic.

4 Securing vCenter Server Systems
Securing vCenter Server includes ensuring security of the host where vCenter Server is running,
following best practices for assigning privileges and roles, and verifying the integrity of the
clients that connect to vCenter Server.

Read the following topics next:

n vCenter Server Security Best Practices

n Verify Thumbprints for Legacy ESXi Hosts

n Required Ports for vCenter Server and Platform Services Controller

vCenter Server Security Best Practices


Following vCenter Server security best practices helps you ensure the integrity of your vSphere
environment.

Best Practices for vCenter Server Access Control


Strictly control access to different vCenter Server components to increase security for the
system.

The following guidelines help ensure security of your environment.

Use Named Accounts


n If the local Windows administrator account currently has the Administrator role on vCenter
Server, remove that role and assign the role to one or more named vCenter Server
administrator accounts. Grant the Administrator role only to those administrators who are
required to have it. You can create custom roles or use the No cryptography administrator
role for administrators with more limited privileges. Do not apply this role to any group whose
membership is not strictly controlled.

Note Starting with vSphere 6.0, the local administrator no longer has full administrative
rights to vCenter Server by default.

n Install vCenter Server using a service account instead of a Windows account. The service
account must be an administrator on the local machine.


n Make sure that applications use unique service accounts when connecting to a vCenter
Server system.

Monitor Privileges of vCenter Server Administrator Users


Not all administrator users must have the Administrator role. Instead, create a custom role with
the appropriate set of privileges and assign it to other administrators.

Users with the vCenter Server Administrator role have privileges on all objects in the hierarchy.
For example, by default the Administrator role allows users to interact with files and programs
inside a virtual machine's guest operating system. Assigning that role to too many users can
lessen virtual machine data confidentiality, availability, or integrity. Create a role that gives the
administrators the privileges they need, but remove some of the virtual machine management
privileges.

Minimize Access
Do not allow users to log directly in to the vCenter Server host machine. Users who are logged
in to the vCenter Server host machine can cause harm, either intentionally or unintentionally, by
altering settings and modifying processes. Those users also have potential access to vCenter
credentials, such as the SSL certificate. Allow only users who have legitimate tasks to perform to
log in to the system and ensure that login events are audited.

Grant Minimal Privileges to vCenter Server Database Users


The database user requires only certain privileges specific to database access.

Some privileges are required only for installation and upgrade. You can remove these privileges
from the database administrator after vCenter Server is installed or upgraded.

Restrict Datastore Browser Access


Assign the Datastore.Browse datastore privilege only to users or groups who really need those
privileges. Users with the privilege can view, upload, or download files on datastores associated
with the vSphere deployment through the Web browser or the vSphere Client.

Restrict Users From Running Commands in a Virtual Machine


By default, a user with the vCenter Server Administrator role can interact with files and programs
within a virtual machine's guest operating system. To reduce the risk of breaching guest
confidentiality, availability, or integrity, create a custom nonguest access role without the Guest
Operations privilege. See Restrict Users from Running Commands Within a Virtual Machine.

Consider Modifying the Password Policy for vpxuser


By default, vCenter Server changes the vpxuser password automatically every 30 days. Ensure
that this setting meets company policy, or configure the vCenter Server password policy. See Set
the vCenter Server Password Policy.

Note Make sure that the password aging policy is not too short.


Check Privileges After vCenter Server Restart


Check for privilege reassignment when you restart vCenter Server. If the user or group that has
the Administrator role on the root folder cannot be validated during a restart, the role is removed
from that user or group. In its place, vCenter Server grants the Administrator role to the vCenter
Single Sign-On administrator, [email protected] by default. This account can then act
as the vCenter Server administrator.

Reestablish a named administrator account and assign the Administrator role to that
account to avoid using the anonymous vCenter Single Sign-On administrator account
([email protected] by default).
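The access-control guidance above (named accounts, no Administrator for uncontrolled groups, and re-checking the root-folder assignment after a restart) is easiest to enforce as a recurring audit. The following PowerCLI function is an added example, not code from this guide or from VMware: it lists every permission that grants the built-in Administrator role (role name Admin) and attaches a finding for each case the best practices call out. It assumes an existing Connect-VIServer session; the expected-administrator list, the SSO administrator pattern, and the root folder name Datacenters are assumptions to adjust for your deployment.

```powershell
# Added example, not from the vSphere Security guide. Requires PowerCLI and an
# existing Connect-VIServer session to the vCenter Server being audited.
function Get-AdminRoleFindings {
    param(
        # Named accounts expected to hold Administrator (assumed values).
        [string[]]$ExpectedAdmins = @('VSPHERE.LOCAL\vc-admin-alice'),
        # Pattern for the vCenter Single Sign-On domain administrator principal (assumed).
        [string]$SsoAdminPattern  = '\\Administrator$',
        # The vCenter root folder is named "Datacenters".
        [string]$RootFolderName   = 'Datacenters'
    )
    Get-VIPermission | Where-Object { $_.Role -eq 'Admin' } | ForEach-Object {
        $finding = @()
        if ($_.IsGroup) {
            $finding += 'Admin granted to a group; verify membership is strictly controlled'
        }
        if ($_.Principal -match $SsoAdminPattern -and $_.Entity.Name -eq $RootFolderName) {
            $finding += 'SSO administrator holds Admin on the root folder; reestablish a named administrator'
        }
        if (-not $_.IsGroup -and $_.Principal -notin $ExpectedAdmins) {
            $finding += 'Admin held by a principal not on the expected list'
        }
        [pscustomobject]@{
            Principal = $_.Principal
            Entity    = $_.Entity.Name
            Propagate = $_.Propagate
            Finding   = ($finding -join '; ')
        }
    }
}

# Show only assignments that produced a finding.
Get-AdminRoleFindings | Where-Object { $_.Finding } | Format-Table -AutoSize
```

Run it after every vCenter Server restart as well as on a schedule: the root-folder check is the one that catches the silent reassignment to the vCenter Single Sign-On administrator described above.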

Use High RDP Encryption Levels


On each Windows computer in the infrastructure, ensure that Remote Desktop Host
Configuration settings are set to ensure the highest level of encryption appropriate for your
environment.

Verify vSphere Client Certificates


Instruct users of the vSphere Client or other client applications to heed certificate verification
warnings. Without certificate verification, the user might be subject to a man-in-the-middle (MiTM) attack.

Set the vCenter Server Password Policy


By default, vCenter Server changes the vpxuser password automatically every 30 days. You can
change that value from the vSphere Client.

Procedure

1 Log in to the vCenter Server system by using the vSphere Client.

2 Select the vCenter Server system in the object hierarchy.

3 Click Configure.

4 Click Advanced Settings and click Edit Settings.

5 Click the Filter icon and enter VimPasswordExpirationInDays.

6 Set VirtualCenter.VimPasswordExpirationInDays to comply with your requirements.
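The procedure above changes VirtualCenter.VimPasswordExpirationInDays through the vSphere Client. The same read, compare and change through PowerCLI, as an added example that is not part of this guide or VMware's own tooling: it assumes an existing Connect-VIServer session, a company policy value of 30 days, and a lower bound of 7 days as the sanity check against the "not too short" note above (both values are assumptions).

```powershell
# Added example, not from the vSphere Security guide. Requires PowerCLI and an
# existing Connect-VIServer session; $global:DefaultVIServer is the connected vCenter.
$settingName = 'VirtualCenter.VimPasswordExpirationInDays'
$policyDays  = 30   # assumed company policy
$minimumDays = 7    # assumed floor: an aging period that is too short is itself a problem

if ($policyDays -lt $minimumDays) {
    throw "Policy value $policyDays days is below the $minimumDays-day floor; review the policy first"
}

$setting = Get-AdvancedSetting -Entity $global:DefaultVIServer -Name $settingName
if (-not $setting) { throw "Setting $settingName was not found on $($global:DefaultVIServer.Name)" }

$current = [int]$setting.Value
if ($current -ne $policyDays) {
    Write-Host "$settingName is $current days; setting it to $policyDays"
    Set-AdvancedSetting -AdvancedSetting $setting -Value $policyDays -Confirm:$false | Out-Null
} else {
    Write-Host "$settingName already matches policy ($policyDays days)"
}
```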

Removing Expired or Revoked Certificates and Logs from Failed Installations


Leaving expired or revoked certificates or leaving vCenter Server installation logs for failed
installation on your vCenter Server system can compromise your environment.

Removing expired or revoked certificates is required for the following reasons.

n If expired or revoked certificates are not removed from the vCenter Server system, the
environment can be subject to a MiTM attack.


n In certain cases, a log file that contains the database password in plain text is created on
the system if vCenter Server installation fails. An attacker who breaks into the vCenter Server
system, might gain access to this password and, at the same time, access to the vCenter
Server database.

Protecting the vCenter Server Windows Host


Protect the Windows host where vCenter Server is running against vulnerabilities and attacks by
ensuring that the host environment is as secure as possible.

n Maintain a supported operating system, database, and hardware for the vCenter Server
system. If vCenter Server is not running on a supported operating system, it might not run
properly, making vCenter Server vulnerable to attacks.

n Keep the vCenter Server system properly patched. By staying up-to-date with operating
system patches, the server is less vulnerable to attack.

n Provide operating system protection on the vCenter Server host. Protection includes antivirus
and anti-malware software.

n On each Windows computer in the infrastructure, ensure that Remote Desktop (RDP) Host
Configuration settings are set to ensure the highest level of encryption according to industry-
standard guidelines or internal guidelines.

For operating system and database compatibility information, see the vSphere Compatibility
Matrices.

Limiting vCenter Server Network Connectivity


For improved security, avoid putting the vCenter Server system on any network other than a
management network, and ensure that vSphere management traffic is on a restricted network.
By limiting network connectivity, you limit certain types of attack.

vCenter Server requires access to a management network only. Avoid putting the vCenter Server
system on other networks such as your production network or storage network, or on any
network with access to the Internet. vCenter Server does not need access to the network where
vMotion operates.

vCenter Server requires network connectivity to the following systems.

n All ESXi hosts.

n The vCenter Server database.

n Other vCenter Server systems (if the vCenter Server systems are part of a common vCenter
Single Sign-On domain for purposes of replicating tags, permissions, and so on).

n Systems that are authorized to run management clients. For example, the vSphere Client, a
Windows system where you use the PowerCLI, or any other SDK-based client.

n Systems that run add-on components such as VMware vSphere Update Manager.

n Infrastructure services such as DNS, Active Directory, and NTP.


n Other systems that run components that are essential to functionality of the vCenter Server
system.

Use a local firewall on the Windows system where the vCenter Server system is running or use
a network firewall. Include IP-based access restrictions so that only necessary components can
communicate with the vCenter Server system.

Evaluate the Use of Linux Clients with CLIs and SDKs


Communications between client components and a vCenter Server system or ESXi hosts are
protected by SSL-based encryption by default. Linux versions of these components do not
perform certificate validation. Consider restricting the use of these clients.

To improve security, you can replace the VMCA-signed certificates on the vCenter Server system
and on the ESXi hosts with certificates that are signed by an enterprise or third-party CA.
However, certain communications with Linux clients might still be vulnerable to man-in-the-middle
attacks. The following components are vulnerable when they run on the Linux operating system.

n vCLI commands

n vSphere SDK for Perl scripts

n Programs that are written using the vSphere Web Services SDK

You can relax the restriction against using Linux clients if you enforce proper controls.

n Restrict management network access to authorized systems only.

n Use firewalls to ensure that only authorized hosts are allowed to access vCenter Server.

n Use jump-box systems to ensure that Linux clients are behind the jump.

Examine Client Plug-Ins


vSphere Client and vSphere Web Client extensions run at the same privilege level as the user
who is logged in. A malicious extension can masquerade as a useful plug-in and perform
harmful operations such as stealing credentials or changing the system configuration. To increase
security, use an installation that includes only authorized extensions from trusted sources.

A vCenter installation includes an extensibility framework for the vSphere Client and the vSphere
Web Client. You can use this framework to extend the clients with menu selections or toolbar
icons. The extensions can provide access to vCenter add-on components or external, Web-
based functionality.

Using the extensibility framework results in a risk of introducing unintended capabilities. For
example, if an administrator installs a plug-in in an instance of the vSphere Client, the plug-in can
run arbitrary commands with the privilege level of that administrator.

To protect against potential compromise of your vSphere Client or vSphere Web Client, examine
all installed plug-ins periodically and make sure that each plug-in comes from a trusted source.


Prerequisites

You must have privileges to access the vCenter Single Sign-On service. These privileges differ
from vCenter Server privileges.

Procedure

1 Log in to the client as [email protected] or a user with vCenter Single Sign-On
privileges.

2 From the Home page, select Administration, then select Client Plug-Ins under Solutions.

3 Examine the list of client plug-ins.
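Examining the plug-in list in the client shows names but makes it easy to miss where each extension is actually served from. The following PowerCLI function is an added example, not code from this guide or from VMware: it reads the vCenter ExtensionManager and, for each registered extension, reports the client and server URLs it uses and whether they match a list of trusted sources. It assumes an existing Connect-VIServer session; the trusted-source patterns are placeholder assumptions.

```powershell
# Added example, not from the vSphere Security guide. Requires PowerCLI and an
# existing Connect-VIServer session.
function Get-RegisteredExtensions {
    param(
        # Regular expressions for URLs you consider trusted plug-in sources (assumed placeholders).
        [string[]]$TrustedSources = @('^https://vcenter\.example\.com', '^https://plugins\.example\.com')
    )
    $extMgr = Get-View ExtensionManager
    foreach ($ext in $extMgr.ExtensionList) {
        # Client.Url is where plug-in UI code is downloaded from; Server entries are backend endpoints.
        $urls = @($ext.Client | ForEach-Object { $_.Url }) + @($ext.Server | ForEach-Object { $_.Url }) |
            Where-Object { $_ } | Sort-Object -Unique
        $untrusted = $urls | Where-Object {
            $u = $_
            -not ($TrustedSources | Where-Object { $u -match $_ })
        }
        [pscustomobject]@{
            Key       = $ext.Key
            Label     = $ext.Description.Label
            Company   = $ext.Company
            Version   = $ext.Version
            Urls      = ($urls -join ', ')
            Untrusted = [bool]$untrusted
        }
    }
}

# Untrusted sources first, so they are the first thing an administrator sees.
Get-RegisteredExtensions | Sort-Object Untrusted -Descending | Format-Table -AutoSize
```

Extensions registered by VMware's own components (vSphere Update Manager, for example) will show their vCenter or appliance URLs; anything pointing at a host you do not recognise is the plug-in to investigate before the next administrator logs in with it loaded.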

vCenter Server Appliance Security Best Practices


Follow all best practices for securing a vCenter Server system to secure your vCenter Server
Appliance. Additional steps help you make your appliance more secure.

Configure NTP

Ensure that all systems use the same relative time source. This time source must be in sync
with an agreed-upon time standard such as Coordinated Universal Time (UTC). Synchronized
systems are essential for certificate validation. NTP also makes it easier to track an intruder in
log files. Incorrect time settings make it difficult to inspect and correlate log files to detect
attacks, and make auditing inaccurate. See Synchronize the Time in the vCenter Server
Appliance with an NTP Server.

Restrict vCenter Server Appliance network access

Restrict access to components that are required to communicate with the vCenter Server
Appliance. Blocking access from unnecessary systems reduces the potential for attacks on
the operating system.

For the list of all supported ports and protocols in VMware products, including vSphere and
vSAN, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. You can
search ports by VMware product, create a customized list of ports, and print or save port
lists.

Configure a Bastion Host


To help protect your assets, configure a bastion host (also called a jump box) to perform
elevated administrative tasks. A bastion host is a special-purpose computer that hosts a
minimal number of administrative applications. All other unnecessary services are removed.
The host typically resides on the management network. A bastion host increases the
protection of assets through restricting login to key individuals, requiring firewall rules to
log in, and adding monitoring through auditing tools.


vCenter Password Requirements and Lockout Behavior


To manage your vSphere environment, you must be aware of the vCenter Single Sign-On
password policy, of vCenter Server passwords, and of lockout behavior.

This section discusses vCenter Single Sign-On passwords. See ESXi Passwords and Account
Lockout for a discussion of passwords of ESXi local users.

vCenter Single Sign-On Administrator Password


The password for the administrator of vCenter Single Sign-On, [email protected] by
default, is specified by the vCenter Single Sign-On password policy. By default, this password
must meet the following requirements:

n At least 8 characters

n At least one lowercase character

n At least one numeric character

n At least one special character

The password for this user cannot be more than 20 characters long. Starting with vSphere 6.0,
non-ASCII characters are allowed. Administrators can change the default password policy. See
the Platform Services Controller Administration documentation.

vCenter Server Passwords


In vCenter Server, password requirements are dictated by vCenter Single Sign-On or by the
configured identity source, which can be Active Directory or OpenLDAP.

vCenter Single Sign-On Lockout Behavior


Users are locked out after a preset number of consecutive failed attempts. By default,
users are locked out after five consecutive failed attempts in three minutes and a locked
account is unlocked automatically after five minutes. You can change these defaults using
the vCenter Single Sign-On lockout policy. See the Platform Services Controller Administration
documentation.

Starting with vSphere 6.0, the vCenter Single Sign-On domain administrator,
[email protected] by default, is not affected by the lockout policy. The user is affected
by the password policy.

Password Changes
If you know your password, you can change the password by using the dir-cli password
change command. If you forget your password, a vCenter Single Sign-On administrator can reset
your password by using the dir-cli password reset command.

Search the VMware Knowledge Base for information on password expiration and related topics
in different versions of vSphere.


Verify Thumbprints for Legacy ESXi Hosts


In vSphere 6 and later, hosts are assigned VMCA certificates by default. If you change the
certificate mode to thumbprint, you can continue to use thumbprint mode for legacy hosts. You
can verify the thumbprints in the vSphere Client.

Note Certificates are preserved across upgrades by default.

Procedure

1 Browse to the vCenter Server in the vSphere Client inventory.

2 Click Configure.

3 Under Settings, click General.

4 Click Edit.

5 Click SSL settings.

6 If any of your ESXi 5.5 or earlier hosts require manual validation, compare the thumbprints
listed for the hosts to the thumbprints in the host console.

To obtain the host thumbprint, use the Direct Console User Interface (DCUI).

a Log in to the direct console and press F2 to access the System Customization menu.

b Select View Support Information.

The host thumbprint appears in the column on the right.

7 If the thumbprint matches, select the Verify check box next to the host.

Hosts that are not selected will be disconnected after you click OK.

8 Click Save.

Required Ports for vCenter Server and Platform Services Controller

The vCenter Server system, both on Windows and in the appliance, must be able to send data
to every managed host and receive data from the vSphere Client and the Platform Services
Controller services. To enable migration and provisioning activities between managed hosts, the
source and destination hosts must be able to receive data from each other.

vCenter Server is accessed through predetermined TCP and UDP ports. If you manage network
components from outside a firewall, you might be required to reconfigure the firewall to allow
access on the appropriate ports. For the list of all supported ports and protocols in vCenter
Server, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/.

During installation, if a port is in use or is blocked using a denylist, the vCenter Server installer
displays an error message. You must use another port number to proceed with the installation.


VMware uses designated ports for communication. Also, the managed hosts monitor designated
ports for data from vCenter Server. If a built-in firewall exists between any of these elements,
the installer opens the ports during the installation or upgrade process. For custom firewalls, you
must manually open the required ports. If you have a firewall between two managed hosts and
you want to perform source or target activities, such as migration or cloning, you must configure
a means for the managed hosts to receive data.

To configure the vCenter Server system to use a different port to receive vSphere Client data,
see the vCenter Server and Host Management documentation.

5 Securing Virtual Machines
The guest operating system that runs in the virtual machine is subject to the same security risks
as a physical system. Secure virtual machines like physical machines, and follow best practices
discussed in this document and in the Security Configuration Guide (formerly known as the
Hardening Guide).
The Security Configuration Guide is available at https://core.vmware.com/security.

Read the following topics next:

n Enable or Disable UEFI Secure Boot for a Virtual Machine

n Limit Informational Messages from Virtual Machines to VMX Files

n Virtual Machine Security Best Practices

Enable or Disable UEFI Secure Boot for a Virtual Machine


UEFI Secure Boot is a security standard that helps ensure that your PC boots using only software
that is trusted by the PC manufacturer. For certain virtual machine hardware versions and
operating systems, you can enable secure boot just as you can for a physical machine.

In an operating system that supports UEFI secure boot, each piece of boot software is signed,
including the bootloader, the operating system kernel, and operating system drivers. The virtual
machine's default configuration includes several code signing certificates.

n A Microsoft certificate that is used only for booting Windows.

n A Microsoft certificate that is used for third-party code that is signed by Microsoft, such as
Linux bootloaders.

n A VMware certificate that is used only for booting ESXi inside a virtual machine.

The virtual machine's default configuration includes one certificate for authenticating requests to
modify the secure boot configuration, including the secure boot revocation list, from inside the
virtual machine, which is a Microsoft KEK (Key Exchange Key) certificate.

In almost all cases, it is not necessary to replace the existing certificates. If you do want to
replace the certificates, see the VMware Knowledge Base system.


VMware Tools version 10.1 or later is required for virtual machines that use UEFI secure boot.
You can upgrade those virtual machines to a later version of VMware Tools when it becomes
available.

For Linux virtual machines, VMware Host-Guest Filesystem is not supported in secure boot mode.
Remove VMware Host-Guest Filesystem from VMware Tools before you enable secure boot.

Note If you turn on secure boot for a virtual machine, you can load only signed drivers into that
virtual machine.

This task describes how to use the vSphere Client to enable and disable secure boot for a
virtual machine. You can also write scripts to manage virtual machine settings. For example, you
can automate changing the firmware from BIOS to EFI for virtual machines with the following
PowerCLI code:

# Look up the virtual machine by name and build an empty reconfiguration spec
$vm = Get-VM TestVM
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
# Request EFI firmware; the guest OS must support booting from EFI
$spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi
# Apply the change through the vSphere API (the virtual machine must be powered off)
$vm.ExtensionData.ReconfigVM($spec)

See VMware PowerCLI User's Guide for more information.

Prerequisites

You can enable secure boot only if all prerequisites are met. If prerequisites are not met, the
check box is not visible in the vSphere Client.

n Verify that the virtual machine operating system and firmware support UEFI boot.

n EFI firmware

n Virtual hardware version 13 or later.

n Operating system that supports UEFI secure boot.

Note Some guest operating systems do not support changing from BIOS boot to UEFI boot
without guest OS modifications. Consult your guest OS documentation before changing to
UEFI boot. If you upgrade a virtual machine that already uses UEFI boot to an operating
system that supports UEFI secure boot, you can enable Secure Boot for that virtual machine.

n Turn off the virtual machine. If the virtual machine is running, the check box is dimmed.

Procedure

1 Browse to the virtual machine in the vSphere Client inventory.

2 Right-click the virtual machine and select Edit Settings.

3 Click the VM Options tab, and expand Boot Options.

4 Under Boot Options, ensure that firmware is set to EFI.


5 Select your task.

n Select the Secure Boot check box to enable secure boot.

n Deselect the Secure Boot check box to disable secure boot.

6 Click OK.

Results

When the virtual machine boots, only components with valid signatures are allowed. The boot
process stops with an error if it encounters a component with a missing or invalid signature.
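The PowerCLI snippet earlier in this topic switches a virtual machine's firmware to EFI; the procedure then enables secure boot by hand. The following function is an added example, not code from this guide or from VMware: it enables UEFI secure boot through the same vSphere API, but first checks the prerequisites listed above (hardware version 13 or later, EFI firmware, powered off) and refuses rather than silently changing the firmware of a guest that might not boot from EFI. It assumes an existing Connect-VIServer session; "TestVM" is a placeholder name.

```powershell
# Added example, not from the vSphere Security guide. Requires PowerCLI and an
# existing Connect-VIServer session.
function Enable-VMSecureBoot {
    param([Parameter(Mandatory)][string]$Name)

    $vm   = Get-VM -Name $Name
    $view = $vm.ExtensionData   # the underlying vim.VirtualMachine managed object

    # Prerequisite: virtual hardware version 13 or later (Config.Version looks like "vmx-13").
    $hwVersion = [int]($view.Config.Version -replace '^vmx-', '')
    if ($hwVersion -lt 13) {
        throw "$Name uses hardware version $hwVersion; version 13 or later is required"
    }

    # Prerequisite: powered off (the vSphere Client dims the check box otherwise).
    if ($vm.PowerState -ne 'PoweredOff') {
        throw "$Name must be powered off before secure boot can be enabled"
    }

    # Prerequisite: EFI firmware. Do not switch BIOS -> EFI here; some guests need
    # OS-level changes first (see the Note above), so make that a deliberate separate step.
    if ($view.Config.Firmware -ne 'efi') {
        throw "$Name uses $($view.Config.Firmware) firmware; change it to EFI first"
    }

    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.EfiSecureBootEnabled = $true
    $view.ReconfigVM($spec)

    # Re-read the boot options and report whether the change took effect.
    $view.UpdateViewData('Config.BootOptions.EfiSecureBootEnabled')
    return [bool]$view.Config.BootOptions.EfiSecureBootEnabled
}

Enable-VMSecureBoot -Name 'TestVM'
```

To disable secure boot again, set EfiSecureBootEnabled to $false with the same spec; the power-state check still applies.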

Limit Informational Messages from Virtual Machines to VMX Files

Limit informational messages from the virtual machine to the VMX file to avoid filling the
datastore and causing a Denial of Service (DoS). A DoS can occur when you do not control the
size of a virtual machine's VMX file and the amount of information exceeds datastore capacity.

The virtual machine configuration file (VMX file) limit is 1 MB by default. In general, this capacity is
sufficient, but you can change this value if necessary. For example, you might increase the limit if
you store large amounts of custom information in the file.

Note Consider carefully how much information you require. If the amount of information
exceeds datastore capacity, a DoS can result.

The default limit of 1 MB is applied even when the tools.setInfo.sizeLimit parameter is not
listed in the advanced options.

Procedure

1 Browse to the virtual machine in the vSphere Client inventory.

2 Right-click the virtual machine and click Edit Settings.

3 Select VM Options.

4 Click Advanced and click Edit Configuration.

5 Add or edit the tools.setInfo.sizeLimit parameter.
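Because the 1 MB default applies even when tools.setInfo.sizeLimit is absent, the thing to audit is virtual machines where someone has raised the value. The following PowerCLI function is an added example, not code from this guide or from VMware: it checks every virtual machine in the inventory against a maximum, reports the ones above it, and optionally sets them back. It assumes an existing Connect-VIServer session; the maximum defaults to the 1 MB vSphere default and the -Remediate behaviour is this example's own design.

```powershell
# Added example, not from the vSphere Security guide. Requires PowerCLI and an
# existing Connect-VIServer session.
function Test-VMSetInfoSizeLimit {
    param(
        [long]$MaxBytes = 1048576,   # 1 MB, the vSphere default for tools.setInfo.sizeLimit
        [switch]$Remediate           # when set, lower non-compliant values to $MaxBytes
    )
    foreach ($vm in Get-VM) {
        $setting = Get-AdvancedSetting -Entity $vm -Name 'tools.setInfo.sizeLimit'
        # An absent parameter means the default applies; a present one may have been raised.
        $current   = if ($setting) { [long]$setting.Value } else { $MaxBytes }
        $compliant = $current -le $MaxBytes
        if (-not $compliant -and $Remediate) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value $MaxBytes -Confirm:$false | Out-Null
            $current = $MaxBytes
            $compliant = $true
        }
        [pscustomobject]@{
            VM        = $vm.Name
            SizeLimit = $current
            Explicit  = [bool]$setting
            Compliant = $compliant
        }
    }
}

# Report only: list virtual machines whose limit exceeds the default.
Test-VMSetInfoSizeLimit | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# Enforce: Test-VMSetInfoSizeLimit -Remediate
```

The Explicit column tells you whether a virtual machine carries the parameter at all, which is useful when a raised limit is intentional and documented: those machines can be excluded from remediation by name rather than by value.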

Virtual Machine Security Best Practices


Following virtual machine security best practices helps ensure the integrity of your vSphere
deployment.

n General Virtual Machine Protection


A virtual machine is, in most respects, the equivalent of a physical server. Employ the same
security measures in virtual machines that you do for physical systems.


n Use Templates to Deploy Virtual Machines


When you manually install guest operating systems and applications on a virtual machine,
you introduce a risk of misconfiguration. By using a template to capture a hardened
base operating system image with no applications installed, you can ensure that all virtual
machines are created with a known baseline level of security.

n Minimize Use of the Virtual Machine Console


The virtual machine console provides the same function for a virtual machine that a monitor
provides on a physical server. Users with access to the virtual machine console have access
to virtual machine power management and removable device connectivity controls. Console
access might therefore allow a malicious attack on a virtual machine.

n Prevent Virtual Machines from Taking Over Resources


When one virtual machine consumes so much of the host resources that other virtual
machines on the host cannot perform their intended functions, a Denial of Service
(DoS) might occur. To prevent a virtual machine from causing a DoS, use host resource
management features such as setting Shares and using resource pools.

n Disable Unnecessary Functions Inside Virtual Machines


Any service that is running in a virtual machine provides the potential for attack. By disabling
system components that are not necessary to support the application or service that is
running on the system, you reduce the potential.

General Virtual Machine Protection


A virtual machine is, in most respects, the equivalent of a physical server. Employ the same
security measures in virtual machines that you do for physical systems.

Follow these best practices to protect your virtual machine:

Patches and other protection

Keep all security measures up-to-date, including applying appropriate patches. It is especially
important to keep track of updates for dormant virtual machines that are powered off,
because it can be easy to overlook them. For example, ensure that anti-virus software,
anti-spyware, intrusion detection, and other protection are enabled for every virtual machine
in your virtual infrastructure. You should also ensure that you have enough space for the
virtual machine logs.

Anti-virus scans

Because each virtual machine hosts a standard operating system, you must protect it from
viruses by installing anti-virus software. Depending on how you are using the virtual machine,
you might also want to install a software firewall.


Stagger the schedule for virus scans, particularly in deployments with a large number
of virtual machines. Performance of systems in your environment degrades significantly
if you scan all virtual machines simultaneously. Because software firewalls and antivirus
software can be virtualization-intensive, you can balance the need for these two security
measures against virtual machine performance, especially if you are confident that your
virtual machines are in a fully trusted environment.

Serial ports

Serial ports are interfaces for connecting peripherals to the virtual machine. They are often
used on physical systems to provide a direct, low-level connection to the console of a server,
and a virtual serial port allows for the same access to a virtual machine. Serial ports allow for
low-level access, which often does not have strong controls like logging or privileges.

Use Templates to Deploy Virtual Machines


When you manually install guest operating systems and applications on a virtual machine, you
introduce a risk of misconfiguration. By using a template to capture a hardened base operating
system image with no applications installed, you can ensure that all virtual machines are created
with a known baseline level of security.

You can use templates that can contain a hardened, patched, and properly configured operating
system to create other, application-specific templates, or you can use the application template to
deploy virtual machines.

Procedure

u Provide templates for virtual machine creation that contain hardened, patched, and properly
configured operating system deployments.

If possible, deploy applications in templates as well. Ensure that the applications do not
depend on information specific to the virtual machine to be deployed.

What to do next

For more information about templates, see the vSphere Virtual Machine Administration
documentation.

Minimize Use of the Virtual Machine Console


The virtual machine console provides the same function for a virtual machine that a monitor
provides on a physical server. Users with access to the virtual machine console have access to
virtual machine power management and removable device connectivity controls. Console access
might therefore allow a malicious attack on a virtual machine.

Procedure

1 Use native remote management services, such as terminal services and SSH, to interact with
virtual machines.

Grant access to the virtual machine console only when necessary.


2 Limit the connections to the virtual machine console.

For example, in a highly secure environment, limit the connection to one. In some
environments, you can increase the limit if several concurrent connections are necessary to
accomplish normal tasks.

a In the vSphere Client, power off the virtual machine.

b Right-click the virtual machine and select Edit Settings.

c Click the VM Options tab, and expand VMware Remote Console Options.

d Enter the maximum number of sessions, for example, 2.

e Click OK.

Prevent Virtual Machines from Taking Over Resources


When one virtual machine consumes so much of the host resources that other virtual machines
on the host cannot perform their intended functions, a Denial of Service (DoS) might occur. To
prevent a virtual machine from causing a DoS, use host resource management features such as
setting Shares and using resource pools.

By default, all virtual machines on an ESXi host share resources equally. You can use Shares and
resource pools to prevent a denial of service attack that causes one virtual machine to consume
so much of the host’s resources that other virtual machines on the same host cannot perform
their intended functions.

Do not set limits or use resource pools until you fully understand the impact.

Procedure

1 Provision each virtual machine with just enough resources (CPU and memory) to function
properly.

2 Use Shares to guarantee resources to critical virtual machines.

3 Group virtual machines with similar requirements into resource pools.

4 In each resource pool, leave Shares set to the default to ensure that each virtual machine in
the pool receives approximately the same resource priority.

With this setting, a single virtual machine cannot use more than other virtual machines in the
resource pool.

What to do next

See the vSphere Resource Management documentation for information about shares and limits.
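The four steps above map directly onto PowerCLI resource cmdlets. The following script is an added example, not code from this guide or from VMware: it creates a resource pool with default (Normal) shares for a group of similar virtual machines, moves them in, raises shares only for the machines designated critical, and prints the resulting share levels for review. It assumes an existing Connect-VIServer session; the cluster name, pool name, VM name pattern and critical-VM list are placeholders.

```powershell
# Added example, not from the vSphere Security guide. Requires PowerCLI and an
# existing Connect-VIServer session. Names below are placeholders.
$cluster    = Get-Cluster -Name 'Prod-Cluster'
$poolName   = 'App-Tier'
$vmPattern  = 'App-*'
$criticalVM = @('App-DB01')

# Step 3 and 4: group similar VMs in a pool, leaving Shares at the default so
# members are prioritized equally within the pool.
$pool = Get-ResourcePool -Location $cluster -Name $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-ResourcePool -Location $cluster -Name $poolName `
                -CpuSharesLevel Normal -MemSharesLevel Normal
}

foreach ($vm in Get-VM -Name $vmPattern) {
    Move-VM -VM $vm -Destination $pool -Confirm:$false | Out-Null
    # Step 2: guarantee resources to critical VMs with High shares; the rest keep Normal.
    if ($vm.Name -in $criticalVM) {
        $cfg = Get-VMResourceConfiguration -VM $vm
        Set-VMResourceConfiguration -Configuration $cfg -CpuSharesLevel High -MemSharesLevel High | Out-Null
    }
}

# Review the outcome: one VM cannot outrank the others unless it was designated critical.
Get-VM -Location $pool | Get-VMResourceConfiguration |
    Select-Object VM, CpuSharesLevel, NumCpuShares, MemSharesLevel, NumMemShares |
    Format-Table -AutoSize
```

Step 1 (sizing each virtual machine's CPU and memory) is deliberately left to the template or provisioning process; the script does not set limits or reservations, in line with the caution above about not doing so until the impact is understood.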

Disable Unnecessary Functions Inside Virtual Machines


Any service that is running in a virtual machine provides the potential for attack. By disabling
system components that are not necessary to support the application or service that is running
on the system, you reduce the potential.

Virtual machines do not usually require as many services or functions as physical servers. When
you virtualize a system, evaluate whether a particular service or function is necessary.

Note When possible, install guest operating systems using "minimal" or "core" installation modes
to reduce the size, complexity, and attack surface of the guest operating system.

Procedure

u Disable unused services in the operating system.

For example, if the system runs a file server, turn off any Web services.

u Disconnect unused physical devices, such as CD/DVD drives, floppy drives, and USB
adapters.

u Disable unused functionality, such as unused display features, or VMware Shared Folders,
which enables sharing of host files to the virtual machine (Host Guest File System).

u Turn off screen savers.

u Do not run the X Window system on top of Linux, BSD, or Solaris guest operating systems
unless it is necessary.

Remove Unnecessary Hardware Devices


Any enabled or connected device represents a potential attack channel. Users and processes
with privileges on a virtual machine can connect or disconnect hardware devices, such as
network adapters and CD-ROM drives. Attackers can use this capability to breach virtual machine
security. Removing unnecessary hardware devices can help prevent attacks.

An attacker with access to a virtual machine can connect a disconnected hardware device
and access sensitive information on media that is left in a hardware device. The attacker can
potentially disconnect a network adapter to isolate the virtual machine from its network, resulting
in a denial of service.

n Do not connect unauthorized devices to the virtual machine.

n Remove unneeded or unused hardware devices.

n Disable unnecessary virtual devices from within a virtual machine.

n Ensure that only required devices are connected to a virtual machine. Virtual machines rarely
use serial or parallel ports. As a rule, CD/DVD drives are connected only temporarily during
software installation.

Procedure

1 Browse to the virtual machine in the vSphere Client inventory.

2 Right-click the virtual machine and click Edit Settings.

3 Disable hardware devices that are not required.

Include checks for the following devices:

n Floppy drives

n Serial ports

n Parallel ports

n USB controllers

n CD-ROM drives

Disable Unused Display Features


Attackers can use an unused display feature as a vector for inserting malicious code into your
environment. Disable features that are not in use in your environment.

Prerequisites

Power off the virtual machine.

Procedure

1 Browse to the virtual machine in the vSphere Client inventory.

2 Right-click the virtual machine and click Edit Settings.

3 Select VM Options.

4 Click Advanced and click Edit Configuration.

5 If appropriate, add or edit the following parameters.

svga.vgaonly

If you set this parameter to TRUE, advanced graphics functions no longer work. Only
character-cell console mode is available. If you use this setting, mks.enable3d has no
effect.

Note Apply this setting only to virtual machines that do not need a virtualized video card.

mks.enable3d

Set this parameter to FALSE on virtual machines that do not require 3D functionality.

Disable Unexposed Features


VMware virtual machines can work both in a vSphere environment and on hosted virtualization
platforms such as VMware Workstation and VMware Fusion. Certain virtual machine parameters
do not need to be enabled when you run a virtual machine in a vSphere environment. Disable
these parameters to reduce the potential for vulnerabilities.

Prerequisites

Turn off the virtual machine.

Procedure

1 Browse to the virtual machine in the vSphere Client inventory.

2 Right-click the virtual machine and click Edit Settings.

3 Select VM Options.

4 Click Advanced and click Edit Configuration.

5 Set the following parameters to TRUE by adding or editing them.

n isolation.tools.unity.push.update.disable

n isolation.tools.ghi.launchmenu.change

n isolation.tools.memSchedFakeSampleStats.disable

n isolation.tools.getCreds.disable

n isolation.tools.ghi.autologon.disable

n isolation.bios.bbs.disable

n isolation.tools.hgfsServerSet.disable

6 Click OK.

Disable VMware Shared Folders Sharing Host Files to the Virtual Machine
In high-security environments, you can disable certain components to minimize the risk that an
attacker can use the host guest file system (HGFS) to transfer files inside the guest operating
system.

Modifying the parameters described in this section affects only the Shared Folders feature and
does not affect the HGFS server running as part of tools in the guest virtual machines. Also, these
parameters do not affect the auto-upgrade and VIX commands that use the tools' file transfers.

Procedure

1 Browse to the virtual machine in the vSphere Client inventory.

2 Right-click the virtual machine and click Edit Settings.

3 Select VM Options.

4 Click Advanced and click Edit Configuration.

5 Verify that the isolation.tools.hgfsServerSet.disable parameter is set to TRUE.

A setting of TRUE prevents the VMX process from receiving a notification from each tool's
service, daemon, or upgrader processes of its HGFS server capability.

6 (Optional) Verify that the isolation.tools.hgfs.disable parameter is set to TRUE.

A setting of TRUE disables the unused VMware Shared Folders feature for sharing host files
to the virtual machine.

Disable Copy and Paste Operations Between Guest Operating System and
Remote Console
Copy and paste operations between the guest operating system and remote console are
disabled by default. For a secure environment, retain the default setting. If you require copy
and paste operations, you must enable them using the vSphere Client.

The default values for these options are set to ensure a secure environment. However, you must
set them to true explicitly if you want to enable audit tools to check that the setting is correct.

Prerequisites

Turn off the virtual machine.

Procedure

1 Browse to the virtual machine in the vSphere Client inventory.

2 Right-click the virtual machine and click Edit Settings.

3 Select VM Options.

4 Click Advanced and click Edit Configuration.

5 Ensure that the following values are in the Name and Value columns, or add them.

Name                                    Value

isolation.tools.copy.disable            true

isolation.tools.paste.disable           true

isolation.tools.setGUIOptions.enable    false

These options override any settings made in the guest operating system’s VMware Tools
control panel.

6 Click OK.

7 (Optional) If you made changes to the configuration parameters, restart the virtual machine.

Limiting Exposure of Sensitive Data Copied to the Clipboard


Copy and paste operations are disabled by default for hosts to prevent exposing sensitive data
that has been copied to the clipboard.

When copy and paste is enabled on a virtual machine running VMware Tools, you can copy and
paste between the guest operating system and remote console. When the console window gains
focus, processes running in the virtual machine and non-privileged users can access the virtual
machine console clipboard. If a user copies sensitive information to the clipboard before using
the console, the user might expose sensitive data to the virtual machine. To prevent this problem,
copy and paste operations for the guest operating system are disabled by default.

It is possible to enable copy and paste operations for virtual machines if necessary.

Restrict Users from Running Commands Within a Virtual Machine


By default, a user who has the vCenter Server Administrator role can interact with files and
applications within a virtual machine's guest operating system. To reduce the risk of breaching
guest confidentiality, availability, or integrity, create a nonguest access role without the Guest
Operations privilege. Assign that role to administrators who do not need virtual machine file
access.

For security, be as restrictive about allowing access to the virtual data center as you are to
the physical data center. Apply a custom role that disables guest access to users who require
administrator privileges, but who are not authorized to interact with guest operating system files
and applications.

For example, a configuration might include a virtual machine on the infrastructure that has
sensitive information on it.

If tasks such as migration with vMotion require that data center administrators can access the
virtual machine, disable some remote guest OS operations to ensure that those administrators
cannot access sensitive information.

Prerequisites

Verify that you have Administrator privileges on the vCenter Server system where you create
the role.

Procedure

1 Log in to the vSphere Client as a user who has Administrator privileges on the vCenter
Server system where you want to create the role.

2 Select Administration and click Roles.

3 Click the Administrator role and click the Clone role action icon.

4 Enter a role name and description and click OK.

For example, type Administrator No Guest Access.

5 Select the cloned role and click the Edit role action icon.

6 Under the Virtual machine privilege, deselect Guests operations and click Next.

7 Click Finish.

What to do next

Select the vCenter Server system or the host and assign a permission that pairs the user or group
that should have the new privileges to the newly created role. Remove those users from the
Administrator role.

Prevent a Virtual Machine User or Process from Disconnecting Devices


Users and processes without root or administrator privileges within virtual machines can connect
or disconnect devices, such as network adapters and CD-ROM drives, and can modify device
settings. To increase virtual machine security, remove these devices.

You can prevent virtual machine users in the guest OS, and processes running in the guest OS,
from making any changes to the devices by changing the virtual machine advanced settings.

Prerequisites

Turn off the virtual machine.

Procedure

1 Browse to the virtual machine in the vSphere Client inventory.

2 Right-click the virtual machine and click Edit Settings.

3 Select VM Options.

4 Click Advanced and click Edit Configuration.

5 Verify that the following values are in the Name and Value columns, or add them.

Name Value

isolation.device.connectable.disable true

isolation.device.edit.disable true

These settings do not affect a vSphere administrator's ability to connect or disconnect the
devices attached to the virtual machine.

6 Click OK to close the Configuration Parameters dialog box, and click OK again.

Prevent Guest Operating System Processes from Sending Configuration Messages to the Host

To ensure that the guest operating system does not modify configuration settings, you can
prevent these processes from writing any name-value pairs to the configuration file.

Prerequisites

Turn off the virtual machine.

Procedure

1 Browse to the virtual machine in the vSphere Client inventory.

2 Right-click the virtual machine and click Edit Settings.

3 Select VM Options.

4 Click Advanced and click Edit Configuration.

5 Click Add Configuration Params and enter the following values in the Name and Value
columns.

Column Value

Name isolation.tools.setinfo.disable

Value true

6 Click OK to close the Configuration Parameters dialog box, and click OK again.

Avoid Using Independent Nonpersistent Disks


When you use independent nonpersistent disks, successful attackers can remove any evidence
that the machine was compromised by shutting down or rebooting the system. Without a
persistent record of activity on a virtual machine, administrators might be unaware of an attack.
Therefore, you should avoid using independent nonpersistent disks.

Procedure

u Ensure that virtual machine activity is logged remotely on a separate server, such as a syslog
server or equivalent Windows-based event collector.

If remote logging of events and activity is not configured for the guest, scsiX:Y.mode should
be one of the following settings:

n Not present

n Not set to independent nonpersistent

Results

When nonpersistent mode is not enabled, you cannot roll a virtual machine back to a known
state when you reboot the system.
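The VMX parameters that the preceding sections set through the vSphere Client (Disable Unexposed Features, Disable VMware Shared Folders Sharing Host Files to the Virtual Machine, Disable Copy and Paste Operations Between Guest Operating System and Remote Console, Prevent a Virtual Machine User or Process from Disconnecting Devices, Prevent Guest Operating System Processes from Sending Configuration Messages to the Host, and Avoid Using Independent Nonpersistent Disks) can also be audited offline against a virtual machine's .vmx file. The following script is an added example, not VMware's code or tooling; it assumes the .vmx text format of key = "value" lines, uses a constructed sample file, and treats "independent-nonpersistent" as the VMX spelling of the disk mode described above.

```python
"""Offline audit of a .vmx file against the hardening parameters in this chapter.
Added example, not VMware tooling: parses key = "value" lines, reports parameters
that are missing or hold an unexpected value, and rewrites them."""
import re
from typing import Dict, List, Tuple

# Expected values taken from the procedures in this chapter. VMX parameter
# names are compared case-insensitively and "TRUE"/"true" are treated as equal.
EXPECTED: Dict[str, str] = {
    "isolation.tools.unity.push.update.disable": "true",
    "isolation.tools.ghi.launchmenu.change": "true",
    "isolation.tools.memSchedFakeSampleStats.disable": "true",
    "isolation.tools.getCreds.disable": "true",
    "isolation.tools.ghi.autologon.disable": "true",
    "isolation.bios.bbs.disable": "true",
    "isolation.tools.hgfsServerSet.disable": "true",
    "isolation.tools.hgfs.disable": "true",
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
    "isolation.tools.setGUIOptions.enable": "false",
    "isolation.device.connectable.disable": "true",
    "isolation.device.edit.disable": "true",
    "isolation.tools.setinfo.disable": "true",
}

VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')
DISK_MODE_KEY = re.compile(r"scsi\d+:\d+\.mode")  # scsiX:Y.mode
# VMX spelling of the "independent nonpersistent" mode the chapter says to avoid.
AVOID_DISK_MODE = "independent-nonpersistent"

Finding = Tuple[str, str, str]  # (parameter, status, detail)


def parse_vmx(text: str) -> Dict[str, str]:
    """Map lower-cased parameter names to their string values."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        match = VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def audit_vmx(text: str) -> List[Finding]:
    """Return findings for one VMX file; an empty list means every check passed."""
    cfg = parse_vmx(text)
    findings: List[Finding] = []
    for key, want in EXPECTED.items():
        got = cfg.get(key.lower())
        if got is None:
            # The default may be safe, but the chapter asks for explicit values so audit tools can verify them.
            findings.append((key, "MISSING", f'expected "{want}", not set explicitly'))
        elif got.strip().lower() != want:
            findings.append((key, "NONCOMPLIANT", f'expected "{want}", found "{got}"'))
    for key, value in cfg.items():
        if DISK_MODE_KEY.fullmatch(key) and value.strip().lower() == AVOID_DISK_MODE:
            findings.append((key, "NONCOMPLIANT",
                             "independent nonpersistent disk discards activity on reboot"))
    return findings


def apply_remediation(text: str, findings: List[Finding]) -> str:
    """Set flagged isolation.* parameters to their expected values, replacing
    existing lines and appending missing ones. Disk-mode findings are left for
    manual review because the correct mode depends on the workload."""
    fixes = {key.lower(): EXPECTED[key] for key, _, _ in findings if key in EXPECTED}
    out: List[str] = []
    replaced = set()
    for line in text.splitlines():
        match = VMX_LINE.match(line)
        name = match.group(1).lower() if match else None
        if name in fixes:
            out.append(f'{match.group(1)} = "{fixes[name]}"')
            replaced.add(name)
        else:
            out.append(line)
    for key in EXPECTED:  # append the rest in the chapter's order
        if key.lower() in fixes and key.lower() not in replaced:
            out.append(f'{key} = "{fixes[key.lower()]}"')
    return "\n".join(out) + "\n"


# Constructed sample .vmx for demonstration; not taken from any real system.
SAMPLE_VMX = """\
displayName = "app-server-01"
scsi0:0.present = "TRUE"
scsi0:1.present = "TRUE"
scsi0:1.mode = "independent-nonpersistent"
isolation.tools.unity.push.update.disable = "TRUE"
isolation.tools.getCreds.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "true"
isolation.tools.setGUIOptions.enable = "TRUE"
isolation.device.connectable.disable = "true"
isolation.device.edit.disable = "true"
"""

if __name__ == "__main__":
    for key, status, detail in audit_vmx(SAMPLE_VMX):
        print(f"{status:<13}{key}: {detail}")
```

The rewritten text only shows which lines to set; apply the changes through Edit Configuration with the virtual machine powered off, as the procedures above describe, rather than editing the file on the datastore by hand.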

6 Virtual Machine Encryption

Starting with vSphere 6.5, you can take advantage of virtual machine encryption. Encryption
protects not only your virtual machine but also virtual machine disks and other files. You set
up a trusted connection between vCenter Server and a key management server (KMS). vCenter
Server can then retrieve keys from the KMS as needed.

You manage different aspects of virtual machine encryption in different ways.

n Manage setup of the trusted connection with the KMS and perform most encryption
workflows from the vSphere Client.

n Manage automation of some advanced features from the vSphere Web Services SDK. See
vSphere Web Services SDK Programming Guide and VMware vSphere API Reference.

n Use the crypto-util command-line tool directly on the ESXi host for some special cases, for
example, to decrypt the core dumps in a vm-support bundle.

Read the following topics next:

n How vSphere Virtual Machine Encryption Protects Your Environment

n vSphere Virtual Machine Encryption Components

n Encryption Process Flow

n Virtual Disk Encryption

n Prerequisites and Required Privileges for Encryption Tasks

n Encrypted vSphere vMotion

n Encryption Best Practices, Caveats, and Interoperability

How vSphere Virtual Machine Encryption Protects Your Environment

With vSphere Virtual Machine Encryption, you can create encrypted virtual machines and
encrypt existing virtual machines. Because all virtual machine files with sensitive information are
encrypted, the virtual machine is protected. Only administrators with encryption privileges can
perform encryption and decryption tasks.

Important ESXi Shell users also have cryptographic operation privileges.

What Keys Are Used


vSphere uses two levels of encryption in the form of a Key Encryption Key (KEK) and a Data
Encryption Key (DEK). Briefly, an ESXi host generates a DEK to encrypt virtual machines and
disks. The KEK is provided by the KMS, and encrypts (or "wraps") the DEK. The KEK encrypts
the DEK using the AES256 algorithm and the DEK encrypts the VMDK using the XTS-AES-256
(512-bit key size) algorithm.

The keys are generated and used as follows.

1 The ESXi host generates and uses internal keys to encrypt virtual machines and disks. These
keys are used as DEKs.

2 vCenter Server requests keys from the KMS. These keys are used as the KEKs. vCenter
Server stores only the ID of each KEK, but not the key itself.

3 ESXi uses the KEK to encrypt the internal keys, and stores the encrypted internal key on disk.
ESXi does not store the KEK on disk. If a host reboots, vCenter Server requests the KEK with
the corresponding ID from the KMS and makes it available to ESXi. ESXi can then decrypt the
internal keys as needed.

What Is Encrypted
vSphere Virtual Machine Encryption supports encryption of virtual machine files, virtual disk files,
and core dump files.

Virtual machine files

Most virtual machine files, in particular, guest data that are not stored in the VMDK file, are
encrypted. This set of files includes but is not limited to the NVRAM, VSWP, and VMSN files.
The key that vCenter Server retrieves from the KMS unlocks an encrypted bundle in the VMX
file that contains internal keys and other secrets.

If you are using the vSphere Client to create an encrypted virtual machine, you can encrypt
and decrypt virtual disks separate from virtual machine files. If you are using the vSphere
Web Client to create an encrypted virtual machine, all virtual disks are encrypted by default.
For other encryption tasks, for both clients, such as encrypting an existing virtual machine,
you can encrypt and decrypt virtual disks separate from virtual machine files.

Note You cannot associate an encrypted virtual disk with a virtual machine that is not
encrypted.

Virtual disk files

Data in an encrypted virtual disk (VMDK) file is never written in cleartext to storage or
physical disk, and is never transmitted over the network in cleartext. The VMDK descriptor
file is mostly cleartext, but contains a key ID for the KEK and the internal key (DEK) in the
encrypted bundle.
You can use the vSphere API to perform either a shallow recrypt operation with a new KEK or
deep recrypt operation with a new internal key.

Core dumps

Core dumps on an ESXi host that has encryption mode enabled are always encrypted. See
vSphere Virtual Machine Encryption and Core Dumps.

Note Core dumps on the vCenter Server system are not encrypted. Protect access to the
vCenter Server system.

Note For information on some limitations concerning devices and features that vSphere Virtual
Machine Encryption can interoperate with, see Virtual Machine Encryption Interoperability.

What Is Not Encrypted


Some of the files that are associated with a virtual machine are not encrypted, or are only
partially encrypted.

Log files

Log files are not encrypted because they do not contain sensitive data.

Virtual machine configuration files

Most of the virtual machine configuration information, stored in the VMX and VMSD files, is
not encrypted.

Virtual disk descriptor file

To support disk management without a key, most of the virtual disk descriptor file is not
encrypted.

Who Can Perform Cryptographic Operations


Only users that are assigned the Cryptographic Operations privileges can perform cryptographic
operations. The privilege set is fine grained. See Cryptographic Operations Privileges. The default
Administrator system role includes all Cryptographic Operations privileges. A new role, No
Cryptography Administrator, supports all Administrator privileges except for the Cryptographic
Operations privileges.

You can create additional custom roles, for example, to allow a group of users to encrypt virtual
machines but to prevent them from decrypting virtual machines.

How Can I Perform Cryptographic Operations


The vSphere Client and vSphere Web Client support many of the cryptographic operations. For
other tasks, you can use the vSphere API.

Table 6-1. Interfaces for Performing Cryptographic Operations

Interface: vSphere Client or vSphere Web Client
Operations: Create encrypted virtual machine; encrypt and decrypt virtual machines.
Information: This book.

Interface: vSphere Web Services SDK
Operations: Create encrypted virtual machine; encrypt and decrypt virtual machines; perform a
deep recrypt of a virtual machine (use a different DEK); perform a shallow recrypt of a virtual
machine (use a different KEK).
Information: vSphere Web Services SDK Programming Guide; VMware vSphere API Reference.

Interface: crypto-util
Operations: Decrypt encrypted core dumps, check whether files are encrypted, and perform other
management tasks directly on the ESXi host.
Information: Command-line help; vSphere Virtual Machine Encryption and Core Dumps.

vSphere Virtual Machine Encryption Components


An external KMS, the vCenter Server system, and your ESXi hosts contribute to the
vSphere Virtual Machine Encryption solution.

Figure 6-1. vSphere Virtual Encryption Architecture

[Diagram: a third-party key management server holds the managed VM keys; within vSphere,
vCenter Server holds only the managed VM key IDs, and ESXi receives the managed VM keys and
uses them to protect the internal encryption keys of the encrypted VM.]

Key Management Server


vCenter Server requests keys from an external KMS. The KMS generates and stores the keys, and
passes them to vCenter Server for distribution.

You can use the vSphere Web Client or the vSphere API to add a cluster of KMS instances to the
vCenter Server system. If you use multiple KMS instances in a cluster, all instances must be from
the same vendor and must replicate keys.

If your environment uses different KMS vendors in different environments, you can add a KMS
cluster for each KMS and specify a default KMS cluster. The first cluster that you add becomes
the default cluster. You can explicitly specify the default later.

As a KMIP client, vCenter Server uses the Key Management Interoperability Protocol (KMIP) to
make it easy to use the KMS of your choice.

vCenter Server
Only vCenter Server has the credentials for logging in to the KMS. Your ESXi hosts do not have
those credentials. vCenter Server obtains keys from the KMS and pushes them to the ESXi hosts.
vCenter Server does not store the KMS keys, but keeps a list of key IDs.

vCenter Server checks the privileges of users who perform cryptographic operations. You can
use the vSphere Web Client to assign cryptographic operation privileges or to assign the No
cryptography administrator custom role to groups of users. See Prerequisites and Required
Privileges for Encryption Tasks.

vCenter Server adds cryptography events to the list of events that you can view and export
from the vSphere Web Client Event Console. Each event includes the user, time, key ID, and
cryptographic operation.

The keys that come from the KMS are used as key encryption keys (KEKs).

ESXi Hosts
ESXi hosts are responsible for several aspects of the encryption workflow.

n vCenter Server pushes keys to an ESXi host when the host needs a key. The host must
have encryption mode enabled. The current user's role must include cryptographic operation
privileges. See Prerequisites and Required Privileges for Encryption Tasks and Cryptographic
Operations Privileges.

n Ensuring that guest data for encrypted virtual machines is encrypted when stored on disk.

n Ensuring that guest data for encrypted virtual machines is not sent over the network without
encryption.

The keys that the ESXi host generates are called internal keys in this document. These keys
typically act as data encryption keys (DEKs).

Encryption Process Flow


After vCenter Server is connected to the KMS, users with the required privileges can create
encrypted virtual machines and disks. Those users can also perform other encryption tasks such
as encrypting existing virtual machines and decrypting encrypted virtual machines.

The process flow includes the KMS, the vCenter Server, and the ESXi host.

Figure 6-2. vSphere Virtual Encryption Architecture

[Diagram: a third-party key management server holds the managed VM keys; within vSphere,
vCenter Server holds only the managed VM key IDs, and ESXi receives the managed VM keys and
uses them to protect the internal encryption keys of the encrypted VM.]

During the encryption process, different vSphere components interact as follows.

1 When the user performs an encryption task, for example, creating an encrypted virtual
machine, vCenter Server requests a new key from the default KMS. This key will be used
as the KEK.

2 vCenter Server stores the key ID and passes the key to the ESXi host. If the ESXi host is part
of a cluster, vCenter Server sends the KEK to each host in the cluster.

The key itself is not stored on the vCenter Server system. Only the key ID is known.

3 The ESXi host generates internal keys (DEKs) for the virtual machine and its disks. It keeps
the internal keys in memory only, and uses the KEKs to encrypt internal keys.

Unencrypted internal keys are never stored on disk. Only encrypted data is stored. Because
the KEKs come from the KMS, the host continues to use the same KEKs.

4 The ESXi host encrypts the virtual machine with the encrypted internal key.

Any hosts that have the KEK and that can access the encrypted key file can perform
operations on the encrypted virtual machine or disk.

If you later want to decrypt a virtual machine, you change its storage policy. You can change the
storage policy for the virtual machine and all disks. If you want to decrypt individual components,
decrypt selected disks first, then decrypt the virtual machine by changing the storage policy for
VM Home. Both keys are required for decryption of each component.

Virtual Disk Encryption


When you create an encrypted virtual machine from the vSphere Client, you can decide which
disks to exclude from encryption. When you create an encrypted virtual machine from the
vSphere Web Client, all virtual disks are encrypted. You can later add disks and set their
encryption policies. You cannot add an encrypted disk to a virtual machine that is not encrypted,
and you cannot encrypt a disk if the virtual machine is not encrypted.

Encryption for a virtual machine and its disks is controlled through storage policies. The storage
policy for VM Home governs the virtual machine itself, and each virtual disk has an associated
storage policy.

n Setting the storage policy of VM Home to an encryption policy encrypts only the virtual
machine itself.

n Setting the storage policy of VM Home and all the disks to an encryption policy encrypts all
components.

Consider the following use cases.

Table 6-2. Virtual Disk Encryption Use Cases

Use case: Create an encrypted virtual machine.
Details: If you add disks while creating an encrypted virtual machine, the disks are encrypted
by default. You can change the policy to not encrypt one or more of the disks. After virtual
machine creation, you can explicitly change the storage policy for each disk. See Change the
Encryption Policy for Virtual Disks.

Use case: Encrypt a virtual machine.
Details: To encrypt an existing virtual machine, you change its storage policy. You can change
the storage policy for the virtual machine and all virtual disks. To encrypt just the virtual
machine, you can specify an encryption policy for VM Home and select a different storage policy,
such as Datastore Default, for each virtual disk. See Create an Encrypted Virtual Machine.

Use case: Add an existing unencrypted disk to an encrypted virtual machine (encryption storage
policy).
Details: Fails with an error. You have to add the disk with the default storage policy, but can
later change the storage policy. See Change the Encryption Policy for Virtual Disks.

Use case: Add an existing unencrypted disk to an encrypted virtual machine with a storage policy
that does not include encryption, for example Datastore Default.
Details: The disk uses the default storage policy. You can explicitly change the storage policy
after adding the disk if you want an encrypted disk. See Change the Encryption Policy for
Virtual Disks.

Use case: Add an encrypted disk to an encrypted virtual machine. VM Home storage policy is
Encryption.
Details: When you add the disk, it remains encrypted. The vSphere Web Client displays the size
and other attributes, including encryption status, but might not display the correct storage
policy. For consistency, change the storage policy.

Use case: Add an existing encrypted disk to an unencrypted virtual machine.
Details: This use case is not supported.

Prerequisites and Required Privileges for Encryption Tasks


Encryption tasks are possible only in environments that include vCenter Server. In addition, the
ESXi host must have encryption mode enabled for most encryption tasks. The user who performs
the task must have the appropriate privileges. A set of Cryptographic Operations privileges
allows fine-grained control. If virtual machine encryption tasks require a change to the host
encryption mode, additional privileges are required.

Cryptography Privileges and Roles


By default, the user with the vCenter Server Administrator role has all privileges. The No
cryptography administrator role does not have the following privileges that are required for
cryptographic operations.

Important ESXi Shell users also have cryptographic operation privileges.

n Add Cryptographic Operations privileges.

n Global.Diagnostics

n Host.Inventory.Add host to cluster

n Host.Inventory.Add standalone host

n Host.Local operations.Manage user groups

You can assign the No cryptography administrator role to vCenter Server administrators that do
not need Cryptographic Operations privileges.

To further limit what users can do, you can clone the No cryptography administrator role and
create a custom role with only some of the Cryptographic Operations privileges. For example,
you can create a role that allows users to encrypt but not to decrypt virtual machines. See Using
Roles to Assign Privileges.

Host Encryption Mode


Host encryption mode determines if an ESXi host is ready to accept cryptographic material
for the purpose of encrypting virtual machines and virtual disks. Before any cryptographic
operations can occur on a host, host encryption mode must be enabled. Host encryption mode is
often enabled automatically, but it can be enabled explicitly. You can check and explicitly set the
current host encryption mode from the vSphere Client or by using the vSphere API.

When host encryption mode is enabled, vCenter Server installs a host key on the host, which
ensures that the host is cryptographically "safe." With the host key in place, other cryptographic
operations can proceed, including vCenter Server obtaining keys from the Key Management
Server cluster and pushing them to the ESXi hosts.

In "safe" mode, user worlds (that is, hostd) and encrypted virtual machines have their core dumps
encrypted. Unencrypted virtual machines do not have their core dumps encrypted.

For more information about encrypted core dumps and how they are used by VMware Technical
Support, see the VMware knowledge base article at http://kb.vmware.com/kb/2147388.

For instructions, see Enable Host Encryption Mode Explicitly.

After Host encryption mode is enabled, it cannot be disabled easily. See Disable Host Encryption
Mode.

Automatic changes occur when encryption operations attempt to enable host encryption mode.
For example, assume that you add an encrypted virtual machine to a standalone host. Host
encryption mode is not enabled. If you have the required privileges on the host, encryption mode
changes to enabled automatically.

Assume that a cluster has three ESXi hosts, host A, B, and C. You create an encrypted virtual
machine on host A. What happens depends on several factors.

n If hosts A, B, and C already have encryption enabled, you need only Cryptographic
operations.Encrypt new privileges to create the virtual machine.

n If hosts A and B are enabled for encryption and C is not enabled, the system proceeds as
follows.

n Assume that you have both the Cryptographic operations.Encrypt new and the
Cryptographic operations.Register host privileges on each host. In that case, the virtual
machine creation process enables encryption on host C. The encryption process enables
host encryption mode on host C, and pushes the key to each host in the cluster.

For this case, you can also explicitly enable host encryption on host C.

n Assume that you have only Cryptographic operations.Encrypt new privileges on the
virtual machine or virtual machine folder. In that case, virtual machine creation succeeds
and the key becomes available on host A and host B. Host C remains disabled for
encryption and does not have the virtual machine key.

n If none of the hosts has encryption enabled, and you have Cryptographic
operations.Register host privileges on host A, then the virtual machine creation process
enables host encryption on that host. Otherwise, an error results.

Disk Space Requirements


When you encrypt an existing virtual machine, you need at least twice the space that the virtual
machine is currently using.

Encrypted vSphere vMotion


Starting with vSphere 6.5, vSphere vMotion always uses encryption when migrating encrypted
virtual machines. For virtual machines that are not encrypted, you can select one of the
encrypted vSphere vMotion options.


Encrypted vSphere vMotion secures confidentiality, integrity, and authenticity of data that is
transferred with vSphere vMotion.

• vSphere supports encrypted vMotion of unencrypted virtual machines across vCenter Server
  instances.

• vSphere does not support vMotion of encrypted virtual machines across vCenter Server
  instances. Because one vCenter instance cannot verify that another vCenter instance is
  connected to the same Key Management System cluster, the proper encryption keys are
  not available for successful VM encryption operation. As a result, vMotion in this situation is
  not currently supported.

What Is Encrypted
For encrypted disks, the data is transmitted encrypted. For disks that are not encrypted, Storage
vMotion encryption is not supported.

For virtual machines that are encrypted, migration with vSphere vMotion always uses encrypted
vSphere vMotion. You cannot turn off encrypted vSphere vMotion for encrypted virtual
machines.

Encrypted vSphere vMotion States


For virtual machines that are not encrypted, you can set encrypted vSphere vMotion to one of
the following states. The default is Opportunistic.

Disabled

Do not use encrypted vSphere vMotion.

Opportunistic

Use encrypted vSphere vMotion if source and destination hosts support it. Only ESXi versions
6.5 and later use encrypted vSphere vMotion.

Required

Allow only encrypted vSphere vMotion. If the source or destination host does not support
encrypted vSphere vMotion, migration with vSphere vMotion is not allowed.

When you encrypt a virtual machine, the virtual machine keeps a record of the current encrypted
vSphere vMotion setting. If you later disable encryption for the virtual machine, the encrypted
vMotion setting remains at Required until you change the setting explicitly. You can change the
settings using Edit Settings.

See the vCenter Server and Host Management documentation for information on enabling and
disabling encrypted vSphere vMotion for virtual machines that are not encrypted.
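The migration rules described in this section, combined into one decision function. This is an added example, not code from the guide or from VMware: the Host, VirtualMachine and EncryptedVmotion names, the esxi_version tuple and the vcenter attribute on the host are constructed for the model. It encodes the three settings, the ESXi 6.5 support boundary, the rule that encrypting a virtual machine forces the setting to Required and decrypting leaves it there, and the cross-vCenter restriction for encrypted virtual machines from the bullets above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class EncryptedVmotion(Enum):
    """The three encrypted vSphere vMotion settings of a virtual machine."""
    DISABLED = "Disabled"
    OPPORTUNISTIC = "Opportunistic"
    REQUIRED = "Required"


@dataclass
class Host:
    """Hypothetical ESXi host; only the version and managing vCenter matter here."""
    name: str
    esxi_version: Tuple[int, int]
    vcenter: str = "vc-1"  # constructed: the vCenter Server instance managing the host

    @property
    def supports_encrypted_vmotion(self) -> bool:
        # Only ESXi 6.5 and later hosts use encrypted vSphere vMotion.
        return self.esxi_version >= (6, 5)


@dataclass
class VirtualMachine:
    name: str
    encrypted: bool = False
    # Default for a virtual machine that is not encrypted.
    vmotion_setting: EncryptedVmotion = EncryptedVmotion.OPPORTUNISTIC

    def encrypt(self) -> None:
        """Encrypting the VM records the setting as Required."""
        self.encrypted = True
        self.vmotion_setting = EncryptedVmotion.REQUIRED

    def decrypt(self) -> None:
        """Decrypting keeps the recorded setting; it stays Required until changed explicitly."""
        self.encrypted = False


def plan_vmotion(vm: VirtualMachine, src: Host, dst: Host) -> Tuple[bool, bool, str]:
    """Return (migration_allowed, uses_encrypted_vmotion, reason) for moving vm src -> dst."""
    both_support = src.supports_encrypted_vmotion and dst.supports_encrypted_vmotion
    cross_vcenter = src.vcenter != dst.vcenter

    if vm.encrypted:
        # Encrypted VMs always use encrypted vMotion and cannot cross vCenter instances.
        if cross_vcenter:
            return False, False, "encrypted VM: vMotion across vCenter Server instances is not supported"
        if not both_support:
            return False, False, "encrypted VM: both hosts must support encrypted vMotion"
        return True, True, "encrypted VM: encrypted vMotion is mandatory"

    setting = vm.vmotion_setting
    if setting is EncryptedVmotion.DISABLED:
        return True, False, "setting Disabled: plain vMotion"
    if setting is EncryptedVmotion.OPPORTUNISTIC:
        if both_support:
            return True, True, "setting Opportunistic: both hosts support encrypted vMotion"
        return True, False, "setting Opportunistic: a host is older than ESXi 6.5, plain vMotion"
    if both_support:
        return True, True, "setting Required: encrypted vMotion"
    return False, False, "setting Required: a host does not support encrypted vMotion"


if __name__ == "__main__":
    # Constructed hosts: two ESXi 6.7 hosts and one ESXi 6.0 host.
    a, b, old = Host("esx-a", (6, 7)), Host("esx-b", (6, 7)), Host("esx-old", (6, 0))
    vm = VirtualMachine("app")
    print(plan_vmotion(vm, a, b))
    print(plan_vmotion(vm, a, old))
    vm.encrypt()
    vm.decrypt()
    print(vm.vmotion_setting, plan_vmotion(vm, a, old))
```

The last three lines reproduce the trap the guide warns about: a virtual machine that was once encrypted and later decrypted still carries the Required setting, so a migration to an older host is refused until you change the setting in Edit Settings.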


Encryption Best Practices, Caveats, and Interoperability


Any best practices and caveats that apply to the encryption of physical machines apply to
virtual machine encryption as well. The virtual machine encryption architecture results in some
additional recommendations. As you are planning your virtual machine encryption strategy,
consider interoperability limitations.

Virtual Machine Encryption Best Practices


Follow virtual machine encryption best practices to avoid problems later, for example, when you
generate a vm-support bundle.

General Best Practices


Follow these general best practices to avoid problems.

• Do not encrypt any vCenter Server Appliance virtual machines.

• If your ESXi host fails, retrieve the support bundle as soon as possible. The host key must
  be available for generating a support bundle that uses a password, or for decrypting a core
  dump. If the host is rebooted, it is possible that the host key changes. If that happens, you
  can no longer generate a support bundle with a password or decrypt core dumps in the
  support bundle with the host key.

• Manage KMS cluster names carefully. If the KMS cluster name changes for a KMS that is
  already in use, a VM that is encrypted with keys from that KMS enters a locked state during
  power-on or register. In that case, remove the KMS from the vCenter Server and add it with
  the cluster name that you used initially.

• Do not edit VMX files and VMDK descriptor files. These files contain the encryption bundle. It
  is possible that your changes make the virtual machine unrecoverable, and that the recovery
  problem cannot be fixed.

• The encryption process encrypts data on the host before it is written to storage. Backend
  storage features such as deduplication and compression might not be effective for encrypted
  virtual machines. Consider storage tradeoffs when using vSphere Virtual Machine Encryption.

• Encryption is CPU intensive. AES-NI significantly improves encryption performance. Enable
  AES-NI in your BIOS.

Best Practices for Encrypted Core Dumps


Follow these best practices to avoid having problems when you want to examine a core dump to
diagnose a problem.

n Establish a policy regarding core dumps. Core dumps are encrypted because they can
contain sensitive information such as keys. If you decrypt a core dump, consider it sensitive
information. ESXi core dumps might contain keys for the ESXi host and for the virtual
machines on it. Consider changing the host key and recrypting encrypted virtual machines
after you decrypt a core dump. You can perform both tasks by using the vSphere API.


See vSphere Virtual Machine Encryption and Core Dumps for details.

• Always use a password when you collect a vm-support bundle. You can specify the
  password when you generate the support bundle from the vSphere Client or using the
  vm-support command.

  The password recrypts core dumps that use internal keys to use keys that are based on the
  password. You can later use the password to decrypt any encrypted core dumps that might
  be included in the support bundle. Unencrypted core dumps and logs are not affected by
  using the password option.

• The password that you specify during vm-support bundle creation is not persisted in
  vSphere components. You are responsible for keeping track of passwords for support
  bundles.

• Before you change the host key, generate a vm-support bundle with a password. You can
  later use the password to access any core dumps that might have been encrypted with the
  old host key.

Key Lifecycle Management Best Practices


Implement best practices that guarantee KMS availability and monitor keys on the KMS.

• You are responsible for having policies in place that guarantee KMS availability.

  If the KMS is not available, virtual machine operations that require that vCenter Server
  request the key from the KMS are not possible. That means running virtual machines continue
  to run, and you can power on, power off, and reconfigure those virtual machines. However,
  you cannot relocate the virtual machine to a host that does not have the key information.

  Most KMS solutions include high availability features. You can use the vSphere Client or the
  API to specify a KMS cluster and the associated KMS servers.

• You are responsible for keeping track of keys and for performing remediation if keys for
  existing virtual machines are not in the Active state.

  The KMIP standard defines the following states for keys.

  • Pre-Active

  • Active

  • Deactivated

  • Compromised

  • Destroyed

  • Destroyed Compromised

  vSphere Virtual Machine Encryption uses only Active keys for encryption. If a key is Pre-
  Active, vSphere Virtual Machine Encryption activates it. If the key state is Deactivated,
  Compromised, Destroyed, Destroyed Compromised, you cannot encrypt a virtual machine
  or disk with that key.


  For keys that are in other states, virtual machines using those keys continue to work.
  Whether a clone or migration operation succeeds depends on whether the key is already on
  the host.

  • If the key is on the destination host, the operation succeeds even if the key is not Active
    on the KMS.

  • If the required virtual machine and virtual disk keys are not on the destination host,
    vCenter Server has to fetch the keys from the KMS. If the key state is Deactivated,
    Compromised, Destroyed, or Destroyed Compromised, vCenter Server displays an error
    and the operation does not succeed.

  In short, a clone or migration operation succeeds if the key is already on the host, and fails
  if vCenter Server has to pull the keys from the KMS.

If a key is not Active, perform a rekey operation using the API. See the vSphere Web Services
SDK Programming Guide.
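The key-state rules above, as a runnable model that a practitioner can use to reason about which operations will fail when a key on the KMS leaves the Active state, plus the monitoring check the guide asks you to have. This is an added example, not code from the guide, from VMware, or from any KMS vendor: Kms, VirtualMachine, clone_or_migrate, keys_needing_rekey and rekey are hypothetical names, the KMS is a dictionary of KMIP states, and rekey only models the effect of the API rekey operation the guide refers to (replacing keys that are not Active with a fresh Active key); it is not the vSphere API call itself.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class KeyState(Enum):
    """Key states defined by KMIP, as listed in the guide."""
    PRE_ACTIVE = "Pre-Active"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"
    COMPROMISED = "Compromised"
    DESTROYED = "Destroyed"
    DESTROYED_COMPROMISED = "Destroyed Compromised"


class KeyUnavailable(Exception):
    """Raised when vCenter Server would get an error fetching a key from the KMS."""


@dataclass
class Kms:
    """Hypothetical KMS: maps key IDs to their KMIP state."""
    states: Dict[str, KeyState] = field(default_factory=dict)

    def fetch(self, key_id: str) -> str:
        """Return the key ID if the key may be used; a Pre-Active key is activated on the way."""
        state = self.states.get(key_id)
        if state is None:
            raise KeyUnavailable(f"{key_id}: unknown to the KMS")
        if state is KeyState.PRE_ACTIVE:
            self.states[key_id] = KeyState.ACTIVE
        elif state is not KeyState.ACTIVE:
            raise KeyUnavailable(f"{key_id}: state is {state.value}")
        return key_id


@dataclass
class VirtualMachine:
    """VM home files use vm_key; each disk may use its own key when encrypted via the API."""
    name: str
    vm_key: str
    disk_keys: Set[str] = field(default_factory=set)

    def key_ids(self) -> Set[str]:
        return {self.vm_key} | self.disk_keys


def clone_or_migrate(vm: VirtualMachine, dest_host_keys: Set[str], kms: Kms) -> Tuple[bool, str]:
    """Keys already on the destination host are used as-is, whatever their KMS state.
    Missing keys must be fetched, which fails unless they are Active (or Pre-Active)."""
    missing = sorted(vm.key_ids() - dest_host_keys)
    if not missing:
        return True, "all keys already on the destination host"
    try:
        for key_id in missing:
            dest_host_keys.add(kms.fetch(key_id))
    except KeyUnavailable as err:
        return False, f"vCenter Server cannot fetch key: {err}"
    return True, f"fetched {missing} from the KMS"


def keys_needing_rekey(vms: List[VirtualMachine], kms: Kms) -> Dict[str, List[str]]:
    """Monitoring check: VMs that use keys which are not Active on the KMS."""
    report: Dict[str, List[str]] = {}
    for vm in vms:
        bad = sorted(k for k in vm.key_ids() if kms.states.get(k) is not KeyState.ACTIVE)
        if bad:
            report[vm.name] = bad
    return report


def rekey(vm: VirtualMachine, kms: Kms, new_key_id: str) -> None:
    """Model of remediation: every key that is not Active is replaced by new_key_id,
    which must itself be usable (fetch raises otherwise)."""
    kms.fetch(new_key_id)
    if kms.states.get(vm.vm_key) is not KeyState.ACTIVE:
        vm.vm_key = new_key_id
    vm.disk_keys = {new_key_id if kms.states.get(k) is not KeyState.ACTIVE else k
                    for k in vm.disk_keys}


if __name__ == "__main__":
    # Constructed inventory: the VM key was marked Compromised on the KMS.
    kms = Kms({"k-vm": KeyState.COMPROMISED, "k-disk": KeyState.ACTIVE, "k-new": KeyState.PRE_ACTIVE})
    db = VirtualMachine("db", "k-vm", {"k-disk"})
    print(keys_needing_rekey([db], kms))
    print(clone_or_migrate(db, {"k-disk"}, kms))
    rekey(db, kms, "k-new")
    print(clone_or_migrate(db, {"k-disk"}, kms))
```

Run periodically against your real inventory, a check like keys_needing_rekey is what turns the guide's "you are responsible for keeping track of keys" into something operational: a compromised key does not stop running virtual machines, so without the check the first symptom is a failed migration.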

Backup and Restore Best Practices


Set up policies on backup and restore operations.

• Not all backup architectures are supported. See Virtual Machine Encryption Interoperability.

• Set up policies for restore operations. Because backup is always in cleartext, plan to encrypt
  virtual machines right after restore is complete. You can specify that the virtual machine is
  encrypted as part of the restore operation. If possible, encrypt the virtual machine as part of
  the restore process to avoid exposing sensitive information. To change the encryption policy
  for any disks that are associated with the virtual machine, change the storage policy for the
  disk.

• Because the VM home files are encrypted, ensure that the encryption keys are available at
  the time of a restore.

Performance Best Practices


• Encryption performance depends on the CPU and storage speed.

• Encrypting existing virtual machines is more time consuming than encrypting a virtual
  machine during creation. Encrypt a virtual machine when you create it if possible.

Storage Policy Best Practices


Do not modify the bundled VM Encryption sample storage policy. Instead, clone the policy and
edit the clone.

Note No automated way of returning VM Encryption Policy to its original settings exists.

See the vSphere Storage documentation for details on customizing storage policies.

Virtual Machine Encryption Caveats


Review Virtual Machine Encryption caveats to avoid problems later.


To understand which devices and features cannot be used with Virtual Machine Encryption, see
Virtual Machine Encryption Interoperability.

Limitations
Consider the following caveats when you plan your virtual machine encryption strategy.

• When you clone an encrypted virtual machine or perform a Storage vMotion operation,
  you can attempt to change the disk format. Such conversions do not always succeed.
  For example, if you clone a virtual machine and attempt to change the disk format from
  lazy-zeroed thick format to thin format, the virtual machine disk keeps the lazy-zeroed thick
  format.

• When you detach a disk from a virtual machine, the storage policy information for the virtual
  disk is not retained.

  • If the virtual disk is encrypted, you must explicitly set the storage policy to VM Encryption
    Policy or to a storage policy that includes encryption.

  • If the virtual disk is not encrypted, you can change the storage policy when you add the
    disk to a virtual machine.

  See Virtual Disk Encryption for details.

• Decrypt core dumps before moving a virtual machine to a different cluster.

  The vCenter Server does not store KMS keys but only tracks the key IDs. As a result, vCenter
  Server does not store the ESXi host key persistently.

  Under certain circumstances, for example, when you move the ESXi host to a different cluster
  and reboot the host, vCenter Server assigns a new host key to the host. You cannot decrypt
  any existing core dumps with the new host key.

• OVF Export is not supported for an encrypted virtual machine.

• Using the VMware Host Client to register an encrypted virtual machine is not supported.

Virtual Machine Locked State


If the virtual machine key or one or more of the virtual disk keys are missing, the virtual machine
enters a locked state. In a locked state, you cannot perform virtual machine operations.

• When you encrypt both a virtual machine and its disks from the vSphere Client, the same key
  is used for both.

• When you perform the encryption using the API, you can use different encryption keys for
  the virtual machine and for disks. In that case, if you attempt to power on a virtual machine,
  and one of the disk keys is missing, the power on operation fails. If you remove the virtual
  disk, you can power on the virtual machine.

See Resolve Missing Key Issues for troubleshooting suggestions.


Virtual Machine Encryption Interoperability


vSphere Virtual Machine Encryption has some limitations regarding devices and features that it
can interoperate with in vSphere 6.5 and later releases.

The following limitations and remarks refer to using vSphere Virtual Machine Encryption.
For similar information about using vSAN encryption, see the Administering VMware vSAN
documentation.

Limitations on Certain Encryption Tasks


Some restrictions apply when performing certain tasks on an encrypted virtual machine.

• For most virtual machine encryption operations, you must power off the virtual machine. You
  can clone an encrypted virtual machine and you can perform a shallow recrypt while the
  virtual machine is powered on.

  Note Virtual machines configured with IDE controllers must be powered off to perform a
  shallow rekey operation.

• You cannot perform a deep recrypt on a virtual machine with snapshots. You can perform a
  shallow recrypt on a virtual machine with snapshots.

Virtual Trusted Platform Module Devices and vSphere Virtual Machine Encryption

A virtual Trusted Platform Module (vTPM) is a software-based representation of a physical
Trusted Platform Module 2.0 chip. You can add a vTPM to either a new or an existing virtual
machine. To add a vTPM to a virtual machine, you must configure a Key Management Server
(KMS) in your vSphere environment. When you configure a vTPM, the virtual machine “home”
files are encrypted (memory swap, NVRAM files, and so on). The disk files, or VMDK files, are
not automatically encrypted. You can choose to add encryption explicitly for the virtual machine
disks.

Caution Cloning a virtual machine duplicates the entire virtual machine, including the virtual
devices such as a vTPM. Information stored in the vTPM, including properties of the vTPM that
software can use to determine a system’s identity, is also duplicated.

vSphere Virtual Machine Encryption and Suspended State and Snapshots


Starting with vSphere 6.7, you can resume from a suspended state of an encrypted virtual
machine, or revert to a memory snapshot of an encrypted machine. You can migrate an
encrypted virtual machine with memory snapshot and suspended state between ESXi hosts.

vSphere Virtual Machine Encryption and IPv6


You can use vSphere Virtual Machine Encryption with pure IPv6 mode or in mixed mode. You can
configure the KMS with IPv6 addresses. You can configure both the vCenter Server and the KMS
with only IPv6 addresses.


Limitations on Cloning in vSphere Virtual Machine Encryption


Certain cloning features do not work with vSphere Virtual Machine Encryption.

• Cloning is supported conditionally.

  • Full clones are supported. The clone inherits the parent encryption state including keys.
    You can encrypt the full clone, re-encrypt the full clone to use new keys, or decrypt the
    full clone.

  • Linked clones are supported and the clone inherits the parent encryption state including
    keys. You cannot decrypt the linked clone or re-encrypt a linked clone with different keys.

    Note Verify that other applications support linked clones. For example, VMware®
    Horizon 7 supports both full clones and instant clones, but not linked clones.

  • Instant clone is supported, but you cannot change encryption keys on clone.

Unsupported Disk Configurations with vSphere Virtual Machine Encryption


Certain types of virtual machine disk configurations are not supported with vSphere Virtual
Machine Encryption.

• RDM (Raw Device Mapping). However, vSphere Virtual Volumes (vVols) are supported.

• Multi-writer or shared disks (MSCS, WSFC, or Oracle RAC). Encrypted virtual machine “home”
  files are supported for multi-writer disks. Encrypted virtual disks are not supported for multi-
  writer disks. If you attempt to select Multi-writer in the Edit Settings page of the virtual
  machine with encrypted virtual disks, the OK button is deactivated.

Miscellaneous Limitations in vSphere Virtual Machine Encryption


Other features that do not work with vSphere Virtual Machine Encryption include the following:

• vSphere Fault Tolerance

• vSphere ESXi Dump Collector

• Migration with vMotion of an encrypted virtual machine to a different vCenter Server
  instance. Encrypted migration with vMotion of an unencrypted virtual machine is supported.

• Content Library

  • Content libraries support two types of templates, the OVF Template type and the VM
    Template type. You cannot export an encrypted virtual machine to the OVF Template
    type. The OVF Tool does not support encrypted virtual machines. You can create
    encrypted VM templates using the VM Template type. See the vSphere Virtual Machine
    Administration documentation.


• Software for backing up encrypted virtual disks must use the VMware vSphere Storage API
  - Data Protection (VADP) to either back up the disks in hot-add mode or NBD mode with
  SSL enabled. However, not all backup solutions that use VADP for virtual disk backup are
  supported. Check with your backup vendor for details.

  • VADP SAN transport mode solutions are not supported for backing up encrypted virtual
    disks.

  • VADP Hot-Add solutions are supported for encrypted virtual disks. The backup software
    must support encryption of the proxy VM that is used as part of the hot-add backup
    workflow. The vendor must have the privilege Cryptographic Operations.Encrypt Virtual
    Machine.

  • Backup solutions using the NBD-SSL transport modes are supported for backing up
    encrypted virtual disks. The vendor application must have the privilege Cryptographic
    Operations.Direct Access.

• You cannot send output from an encrypted virtual machine to a serial port or parallel port.
  Even if the configuration appears to succeed, output is sent to a file.

• vSphere Virtual Machine Encryption is not supported in VMware Cloud on AWS. See the
  Managing the VMware Cloud on AWS Data Center documentation.

Use Encryption in Your vSphere Environment 7

Using encryption in your vSphere environment requires some preparation. After your
environment is set up, you can create encrypted virtual machines and virtual disks and encrypt
existing virtual machines and disks.

You can perform additional tasks by using the API and by using the crypto-util CLI. See the
vSphere Web Services SDK Programming Guide for API documentation and the crypto-util
command-line help for details about that tool.

Set up the Key Management Server Cluster


Before you can start with virtual machine encryption tasks, you must set up the key management
server (KMS) cluster. That task includes adding the KMS and establishing trust with the KMS.
When you add a cluster, you are prompted to make it the default. You can explicitly change the
default cluster. vCenter Server provisions keys from the default cluster.

The KMS must support the Key Management Interoperability Protocol (KMIP) 1.1 standard. See the
vSphere Compatibility Matrices for details.
You can find information about VMware certified KMS vendors in the VMware Compatibility
Guide under Platform and Compute. If you select Compatibility Guides, you can open the
Key Management Server (KMS) compatibility documentation. This documentation is updated
frequently.


Add a KMS to vCenter Server in the vSphere Client


You can add a Key Management Server (KMS) to your vCenter Server system from the vSphere
Client (HTML5-based client) or by using the public API.

The vSphere Client (HTML5-based client) provides a wizard to add a KMS to your vCenter Server
system, and establish trust between the KMS and vCenter Server.

vCenter Server creates a KMS cluster when you add the first KMS instance.

• After vCenter Server creates the first cluster, you can add KMS instances from the same
  vendor to the cluster.


• You can set up the cluster with only one KMS instance.

• If your environment supports KMS solutions from different vendors, you can add multiple
  KMS clusters.

• If your environment includes multiple KMS clusters, and you delete the default cluster, you
  must set another default explicitly.

Note The following steps apply to vCenter Server Appliance. For vCenter Server on Windows,
you are prompted to first make the KMS trust vCenter Server, then make vCenter Server trust the
KMS.

Prerequisites

• Verify that the key server is in the VMware Compatibility Guide for Key Management Servers
  (KMS) and is KMIP 1.1 compliant, and that it can be a symmetric key foundry and server.

• Verify that you have the required privileges: Cryptographic operations.Manage key servers.

• You can configure the KMS with IPv6 addresses.

• Both vCenter Server and the KMS can be configured with only IPv6 addresses.

Procedure

1 Log in to the vCenter Server system with the vSphere Client (HTML5-based client).

2 Browse the inventory list and select the vCenter Server instance.

3 Click Configure and click Key Management Servers.

4 Click Add, specify the KMS information in the wizard, and click OK.

5 Click Trust.

The wizard displays that vCenter Server trusts the KMS with a green check mark.

6 Click Make KMS Trust vCenter.

7 Select the option appropriate for your server and complete the steps.

Option                              See
Root CA certificate                 Use the Root CA Certificate Option to Establish a Trusted Connection.
Certificate                         Use the Certificate Option to Establish a Trusted Connection.
New Certificate Signing Request     Use the New Certificate Signing Request Option to Establish a Trusted Connection.
Upload certificate and private key  Use the Upload Certificate and Private Key Option to Establish a Trusted Connection.

8 Click Establish Trust.

The wizard displays that the KMS trusts vCenter Server with a green check mark.


9 Set the default KMS.

a From the Actions menu, select Change Default Cluster.

b Select the KMS cluster and click Save.

The wizard displays the KMS cluster as the current default.

Add a KMS to vCenter Server in the vSphere Web Client


You add a KMS to your vCenter Server system from the vSphere Web Client or by using the
public API.

vCenter Server creates a KMS cluster when you add the first KMS instance.

• When you add the KMS, you are prompted to set this cluster as a default. You can later
  change the default cluster explicitly.

• After vCenter Server creates the first cluster, you can add KMS instances from the same
  vendor to the cluster.

• You can set up the cluster with only one KMS instance.

• If your environment supports KMS solutions from different vendors, you can add multiple
  KMS clusters.

• If your environment includes multiple KMS clusters, and you delete the default cluster, you
  must set the default explicitly. See Set the Default KMS Cluster.

Prerequisites

• Verify that the key server is in the vSphere Compatibility Matrices and is KMIP 1.1 compliant,
  and that it can be a symmetric key foundry and server.

• Verify that you have the required privileges: Cryptographic operations.Manage key servers.

• You can configure the KMS with IPv6 addresses.

• Both vCenter Server and the KMS can be configured with only IPv6 addresses.

Procedure

1 Log in to the vCenter Server system with the vSphere Web Client.

2 Browse the inventory list and select the vCenter Server instance.

3 Click Configure and click Key Management Servers.

4 Click Add KMS, specify the KMS information in the wizard, and click OK.

Option          Value

KMS cluster     Select Create new cluster for a new cluster. If a cluster exists, you can select
                that cluster.

Cluster name    Name for the KMS cluster. You might need this name to connect to the KMS
                if your vCenter Server instance becomes unavailable.

Server alias    Alias for the KMS. You might need this alias to connect to the KMS if your
                vCenter Server instance becomes unavailable.

Server address  IP address or FQDN of the KMS.

Server port     Port on which vCenter Server connects to the KMS.

Proxy address   Optional proxy address for connecting to the KMS.

Proxy port      Optional proxy port for connecting to the KMS.

User name       Some KMS vendors allow users to isolate encryption keys that are used by
                different users or groups by specifying a user name and password. Specify
                a user name only if your KMS supports this functionality, and if you intend to
                use it.

Password        Some KMS vendors allow users to isolate encryption keys that are used by
                different users or groups by specifying a user name and password. Specify
                a password only if your KMS supports this functionality, and if you intend to
                use it.

Establish a Trusted Connection by Exchanging Certificates


After you add the KMS to the vCenter Server system, you can establish a trusted connection. The
exact process depends on the certificates that the KMS accepts, and on company policy.

Prerequisites

Add the KMS cluster.

Procedure

1 Log in to the vSphere Web Client, and select a vCenter Server system.

2 Click Configure and select Key Management Servers.

3 Select the KMS instance with which you want to establish a trusted connection.

4 Click Establish trust with KMS.

5 Select the option appropriate for your server and complete the steps.

Option                              See
Root CA certificate                 Use the Root CA Certificate Option to Establish a Trusted Connection.
Certificate                         Use the Certificate Option to Establish a Trusted Connection.
New Certificate Signing Request     Use the New Certificate Signing Request Option to Establish a Trusted Connection.
Upload certificate and private key  Use the Upload Certificate and Private Key Option to Establish a Trusted Connection.


Use the Root CA Certificate Option to Establish a Trusted Connection


Some KMS vendors require that you upload your root CA certificate to the KMS. All certificates
that are signed by your root CA are then trusted by this KMS.

The root CA certificate that vSphere Virtual Machine Encryption uses is a self-signed certificate
that is stored in a separate store in the VMware Endpoint Certificate Store (VECS) on the vCenter
Server system.

Note Generate a root CA certificate only if you want to replace existing certificates. If you do,
other certificates that are signed by that root CA become invalid. You can generate a new root
CA certificate as part of this workflow.

Procedure

1 Log in to the vSphere Web Client, and select a vCenter Server system.

2 Click Configure and select Key Management Servers.

3 Select the KMS instance with which you want to establish a trusted connection.

4 Select Root CA Certificate and click OK.

The Download Root CA Certificate dialog box is populated with the root certificate that
vCenter Server uses for encryption. This certificate is stored in VECS.

5 Copy the certificate to the clipboard or download the certificate as a file.

6 Follow the instructions from your KMS vendor to upload the certificate to their system.

Note Some KMS vendors require that the KMS vendor restarts the KMS to pick up the root
certificate that you upload.

What to do next

Finalize the certificate exchange. See Complete the Trust Setup.

Use the Certificate Option to Establish a Trusted Connection


Some KMS vendors require that you upload the vCenter Server certificate to the KMS. After the
upload, the KMS accepts traffic that comes from a system with that certificate.

vCenter Server generates a certificate to protect connections with the KMS. The certificate is
stored in a separate key store in the VMware Endpoint Certificate Store (VECS) on the vCenter
Server system.

Procedure

1 Log in to the vSphere Web Client, and select a vCenter Server system.

2 Click Configure and select Key Management Servers.

3 Select the KMS instance with which you want to establish a trusted connection.


4 Select Certificate and click OK.

The Download Certificate dialog box is populated with the root certificate that vCenter Server
uses for encryption. This certificate is stored in VECS.

Note Do not generate a new certificate unless you want to replace existing certificates.

5 Copy the certificate to the clipboard or download it as a file.

6 Follow the instructions from your KMS vendor to upload the certificate to the KMS.

What to do next

Finalize the trust relationship. See Complete the Trust Setup.

Use the New Certificate Signing Request Option to Establish a Trusted Connection

Some KMS vendors require that vCenter Server generate a Certificate Signing Request (CSR) and
send that CSR to the KMS. The KMS signs the CSR and returns the signed certificate. You can
upload the signed certificate to vCenter Server.

Using the New Certificate Signing Request option is a two-step process. First you generate the
CSR and send it to the KMS vendor. Then you upload the signed certificate that you receive from
the KMS vendor to vCenter Server.

Procedure

1 Log in to the vSphere Web Client, and select a vCenter Server system.

2 Click Configure and select Key Management Servers.

3 Select the KMS instance with which you want to establish a trusted connection.

4 Select New Certificate Signing Request and click OK.

5 In the dialog box, copy the full certificate in the text box to the clipboard or download it as a
file, and click OK.

Use the Generate new CSR button in the dialog box only if you explicitly want to generate a
CSR. Using that option makes any signed certificates that are based on the old CSR invalid.

6 Follow the instructions from your KMS vendor to submit the CSR.

7 When you receive the signed certificate from the KMS vendor, click Key Management
Servers again, and select New Certificate Signing Request again.

8 Paste the signed certificate into the bottom text box or click Upload File and upload the file,
and click OK.

What to do next

Finalize the trust relationship. See Complete the Trust Setup.


Use the Upload Certificate and Private Key Option to Establish a Trusted
Connection
Some KMS vendors require that you upload the KMS server certificate and private key to the
vCenter Server system.

Some KMS vendors generate a certificate and private key for the connection and make them
available to you. After you upload the files, the KMS trusts your vCenter Server instance.

Prerequisites

• Request a certificate and private key from the KMS vendor. The files are X509 files in PEM
  format.

Procedure

1 Log in to the vSphere Web Client, and select a vCenter Server system.

2 Click Configure and select Key Management Servers.

3 Select the KMS instance with which you want to establish a trusted connection.

4 Select Upload certificate and private key and click OK.

5 Paste the certificate that you received from the KMS vendor into the top text box or click
Upload File to upload the certificate file.

6 Paste the key file into the bottom text box or click Upload File to upload the key file.

7 Click OK.

What to do next

Finalize the trust relationship. See Complete the Trust Setup.

Set the Default KMS Cluster


You must set the default KMS cluster if you do not make the first cluster the default cluster, or if
your environment uses multiple clusters and you remove the default cluster.

Prerequisites

As a best practice, verify that the Connection Status in the Key Management Servers tab shows
Normal and a green check mark.

Procedure

1 Log in to the vSphere Web Client and select a vCenter Server system.

2 Click the Configure tab and click Key Management Servers under More.

3 Select the cluster and click Set KMS cluster as default.

Do not select the server. The menu to set the default is available only for the cluster.


4 Click Yes.

The word default appears next to the cluster name.

Complete the Trust Setup


Unless the Add Server dialog box prompted you to trust the KMS, you must explicitly establish
trust after certificate exchange is complete.

You complete the trust setup, that is, you make vCenter Server trust the KMS, in one of two
ways:

n Trust the certificate explicitly by using the Refresh KMS certificate option.

n Upload a KMS leaf certificate or the KMS CA certificate to vCenter Server by using the
Upload KMS certificate option.

Note If you upload the root CA certificate or an intermediate CA certificate, vCenter Server
trusts every certificate that the CA signs, including certificates issued to systems other than
your KMS. For the narrowest trust, upload the KMS leaf certificate or an intermediate CA
certificate that the KMS vendor controls.

Procedure

1 Log in to the vSphere Web Client, and select a vCenter Server system.

2 Click Configure and select Key Management Servers.

3 Select the KMS instance with which you want to establish a trusted connection.

4 To establish the trust relationship, refresh or upload the KMS certificate.

Option Action

Refresh KMS certificate a Click All Actions, and select Refresh KMS certificate.
b In the dialog box that appears, click Trust.

Upload KMS certificate a Click All Actions, and select Upload KMS Certificate.
b In the dialog box that appears, click Upload file, upload a certificate file,
and click OK.
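
To make the trust scope in the note above concrete, the following shell script is an added example that is not part of this guide or of any VMware tool. With OpenSSL it builds a constructed, throwaway PKI (one vendor CA, two leaf certificates kms1 and kms2 signed by it, and a self-signed "rogue" certificate that merely copies kms1's subject name) and checks each certificate against both options: trusting the CA, and trusting (pinning) one leaf. All names are invented for the demonstration.

```shell
#!/bin/sh
# Models the two Complete the Trust Setup options with OpenSSL. Added example; not part
# of the vSphere documentation or of any VMware tool. The PKI it builds is constructed
# and throwaway: one CA, two CA-signed leaves (kms1, kms2) and a self-signed "rogue"
# certificate whose subject copies kms1.

# Build the throwaway PKI in directory $1.
make_demo_pki() {
  d="$1"; serial=1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo KMS Vendor CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  for n in kms1 kms2; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.example.test" \
      -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -set_serial "$serial" -days 365 -out "$d/$n.crt" >/dev/null 2>&1
    serial=$((serial + 1))
  done
  # Same subject name as kms1, but not signed by the CA: a name is not trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=kms1.example.test" \
    -keyout "$d/rogue.key" -out "$d/rogue.crt" >/dev/null 2>&1
}

# Option "upload the CA certificate": any certificate that chains to that CA passes.
accepted_via_ca() {    # $1 = trusted CA cert, $2 = certificate the KMS presents
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Option "upload the leaf certificate": only that exact certificate passes, compared by
# SHA-256 fingerprint.
accepted_via_pin() {   # $1 = trusted leaf cert, $2 = certificate the KMS presents
  want=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || true
  got=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || true
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Evaluate every certificate under both models and print one line per certificate.
demo() {
  d=$(mktemp -d); make_demo_pki "$d"
  for c in kms1 kms2 rogue; do
    ca=rejected;  accepted_via_ca  "$d/ca.crt"   "$d/$c.crt" && ca=accepted
    pin=rejected; accepted_via_pin "$d/kms1.crt" "$d/$c.crt" && pin=accepted
    printf '%-6s via CA: %-8s pinned kms1: %s\n' "$c" "$ca" "$pin"
  done
}

# Run: demo
```

Running demo shows kms1 and kms2 both accepted under the CA option, only kms1 accepted under the pinned-leaf option, and the rogue certificate rejected by both. Uploading a CA certificate extends trust to every certificate that CA issues, including a future kms2 you never intended vCenter Server to talk to; that is the exposure the note warns about, and it is why the leaf certificate is the safer upload when the vendor offers one.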

Set Up Separate KMS Clusters for Different Users


You can set up your environment with different KMS connections for different users of the same
KMS instance. Having multiple KMS connections is helpful, for example, if you want to grant
different departments in your company access to different sets of KMS keys.

Using multiple KMS clusters lets you keep separate sets of keys on the same KMS. Separate
key sets are essential for use cases such as different business units (BUs) or different
customers.

Note Not all KMS vendors support multiple users.

Figure 7-1. Connecting from vCenter Server to the KMS for Two Different Users

(Figure: vCenter Server holds two KMS clusters that point at the same KMS. KMS Cluster C1
connects with the C1 user name and password and uses the C1 keys; KMS Cluster C2 connects
with the C2 user name and password and uses the C2 keys.)

Prerequisites

Set up the connection with the KMS. See Set up the Key Management Server Cluster.

Procedure

1 Create the two users with corresponding user names and passwords, for example C1 and C2,
on the KMS.

2 Log in to vCenter Server and create the first KMS cluster.

3 When prompted for a user name and password, give information that is unique to the first
user.

4 Create a second KMS cluster and add the same KMS, but use the second user name and
password (C2).

Results

The two clusters have independent connections to the KMS and use a different set of keys.

Create an Encryption Storage Policy


Before you can create encrypted virtual machines, you must create an encryption storage policy.
You create the storage policy once, and assign it each time you encrypt a virtual machine or
virtual disk.

If you want to use virtual machine encryption with other I/O filters, or to use the Create VM
Storage Policy wizard in the vSphere Client, see the vSphere Storage documentation for details.

Prerequisites

n Set up the connection to the KMS.

Although you can create a VM Encryption storage policy without the KMS connection in
place, you cannot perform encryption tasks until a trusted connection with the KMS is
established.

n Required privileges: Cryptographic operations.Manage encryption policies.

Procedure

1 Log in to the vCenter Server by using the vSphere Web Client.

2 Select Home, click Policies and Profiles, and click VM Storage Policies.

3 Click Create VM Storage Policy.

4 Specify the storage policy values.

a Enter a storage policy name and optional description and click Next.

b If you are new to this wizard, review the Policy structure information, and click Next.

c Select the Use common rules in the VM storage policy check box.

d Click Add component and select Encryption > Default Encryption Properties and click
Next.

The default properties are appropriate in most cases. You need a custom policy only if
you want to combine encryption with other features such as caching or replication.

e Deselect the Use rule-sets in the storage policy check box and click Next.

f On the Storage compatibility page, leave Compatible selected, choose a datastore, and
click Next.

g Review the information and click Finish.

Enable Host Encryption Mode Explicitly


Host encryption mode must be enabled if you want to perform encryption tasks, such as creating
an encrypted virtual machine, on an ESXi host. In most cases, host encryption mode is enabled
automatically when you perform an encryption task.

Sometimes, turning on encryption mode explicitly is necessary. See Prerequisites and Required
Privileges for Encryption Tasks.

Prerequisites

Required privilege: Cryptographic operations.Register host

Procedure

1 Log in to the vCenter Server by using the vSphere Client.

2 Browse to the ESXi host and click Configure.

3 Under System, click Security Profile.

4 Click Edit in the Host Encryption Mode panel.

5 Select Enabled and click OK.

Disable Host Encryption Mode


Host encryption mode is enabled automatically when you perform an encryption task, if the user
has sufficient privilege to enable the encryption mode. After host encryption mode is enabled,
all core dumps are encrypted to avoid the release of sensitive information to support personnel.
If you no longer use virtual machine encryption with an ESXi host, you can disable encryption
mode.

Procedure

1 Unregister all encrypted virtual machines from the host whose encryption mode you want to
disable.

2 Unregister the host from vCenter Server.

3 (Optional) If the host is in a cluster, unregister the other encryption-enabled hosts in that
cluster.

4 Reboot all hosts that were unregistered.

5 Register the hosts with vCenter Server again.

Results

If you do not add encrypted virtual machines to the host, host encryption mode is disabled.

Create an Encrypted Virtual Machine


After you set up the KMS, you can create encrypted virtual machines.

This task describes how to create an encrypted virtual machine using either the vSphere Web
Client or the vSphere Client (HTML5-based client). The vSphere Client filters storage policies to
those that include virtual machine encryption, easing creation of encrypted virtual machines.

Note Creating an encrypted virtual machine is faster and uses fewer storage resources than
encrypting an existing virtual machine. If possible, encrypt the virtual machine during the
creation process.

Prerequisites

n Establish a trusted connection with the KMS and select a default KMS.

n Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.

n Ensure that the virtual machine is powered off.

n Verify that you have the required privileges:

n Cryptographic operations.Encrypt new

n If the host encryption mode is not Enabled, you also need Cryptographic
operations.Register host.

Procedure

1 Connect to vCenter Server by using either the vSphere Client (HTML5-based client) or the
vSphere Web Client.

2 Select an object in the inventory that is a valid parent object of a virtual machine, for
example, an ESXi host or a cluster.

3 Create the virtual machine.

n vSphere Client: Right-click the object and select New Virtual Machine.

n vSphere Web Client: Right-click the object, select New Virtual Machine > New Virtual
Machine.

4 Follow the prompts to create an encrypted virtual machine.

Option Action

Select a creation type Create a new virtual machine.

Select a name and folder Specify a unique name and target location for the virtual machine.

Select a compute resource Specify an object for which you have privileges to create encrypted virtual
machines. See Prerequisites and Required Privileges for Encryption Tasks.

Select storage vSphere Client: Select the Encrypt this virtual machine check box. Virtual
machine storage policies are filtered to those that include encryption. Select
a VM storage policy (the bundled sample is VM Encryption Policy), and
select a compatible datastore.
vSphere Web Client: Select a VM storage policy with encryption (the
bundled sample is VM Encryption Policy). Select a compatible datastore.

Select compatibility Select the compatibility. You can migrate an encrypted virtual machine only
to hosts with compatibility ESXi 6.5 and later.

Select a guest OS Select a guest OS that you plan to install on the virtual machine later.

Customize hardware Customize the hardware, for example, by changing disk size or CPU.
vSphere Client: (Optional) Select the VM Options tab, and open Encryption.
Choose which disks to exclude from encryption. When you deselect a disk,
only the VM Home and any other selected disks are encrypted.
Any New Hard disk that you add is encrypted. You can change the storage
policy for individual hard disks later.

Ready to complete Review the information and click Finish.

Clone an Encrypted Virtual Machine


When you clone an encrypted virtual machine, the clone is encrypted with the same keys. To
change keys for the clone, power off the virtual machine and perform a recrypt of the clone
using the API. See vSphere Web Services SDK Programming Guide.

Prerequisites

n Establish a trusted connection with the KMS and select a default KMS.

n Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.

n Required privileges:

n Cryptographic operations.Clone

n If the host encryption mode is not Enabled, you also must have Cryptographic
operations.Register host privileges.

Procedure

1 Browse to the virtual machine in the vSphere Client inventory.

2 To create a clone of an encrypted machine, right-click the virtual machine, select Clone >
Clone to Virtual Machine, and follow the prompts.

Option Action

Select a name and folder Specify a name and target location for the clone.

Select a compute resource Specify an object for which you have privileges to create encrypted virtual
machines. See Prerequisites and Required Privileges for Encryption Tasks.

Select storage Make a selection in the Select virtual disk format menu and select a
datastore. You cannot change the storage policy as part of the clone
operation.

Select clone options Select clone options, as discussed in the vSphere Virtual Machine
Administration documentation.

Ready to complete Review the information and click Finish.

3 (Optional) Change the keys for the cloned virtual machine.

By default, the cloned virtual machine is created with the same keys as its parent. Best
practice is to change the cloned virtual machine's keys to ensure that multiple virtual
machines do not have the same keys.
a Power off the virtual machine.

b Perform a recrypt of the clone using the API. See vSphere Web Services SDK
Programming Guide.
To use a different DEK and KEK, perform a deep recrypt of the cloned virtual machine.
To use a different KEK, perform a shallow recrypt of the cloned virtual machine. You can
perform a shallow recrypt operation while the virtual machine is powered on, unless the
virtual machine has snapshots present.

Encrypt an Existing Virtual Machine or Virtual Disk


You can encrypt an existing virtual machine or virtual disk by changing its storage policy. You can
encrypt virtual disks only for encrypted virtual machines.

This task describes how to encrypt an existing virtual machine or virtual disk using either the
vSphere Client (HTML5-based client) or the vSphere Web Client.

Prerequisites

n Establish a trusted connection with the KMS and select a default KMS.

n Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.

n Ensure that the virtual machine is powered off.

n Verify that you have the required privileges:

n Cryptographic operations.Encrypt new

n If the host encryption mode is not Enabled, you also need Cryptographic
operations.Register host.

Procedure

1 Connect to vCenter Server by using either the vSphere Client (HTML5-based client) or the
vSphere Web Client.

2 Right-click the virtual machine that you want to change and select VM Policies > Edit VM
Storage Policies.

You can set the storage policy for the virtual machine files, represented by VM home, and the
storage policy for virtual disks.

3 Select the storage policy.

n vSphere Client (HTML5-based client):

n To encrypt the VM and its hard disks, select an encryption storage policy and click
OK.

n To encrypt the VM but not the virtual disks, toggle on Configure per disk, select
the encryption storage policy for VM Home and other storage policies for the virtual
disks, and click OK.

n vSphere Web Client:

n To encrypt the VM and its hard disks, select an encryption storage policy and click
Apply to all.

n To encrypt the VM but not the virtual disks, select the encryption storage policy for
VM Home and other storage policies for the virtual disks, and click Apply.
You cannot encrypt the virtual disk of an unencrypted VM.

4 If you prefer, you can encrypt the virtual machine, or both virtual machine and disks, from the
Edit Settings menu in the vSphere Client.

a Right-click the virtual machine and select Edit Settings.

b Select the VM Options tab, and open Encryption. Choose an encryption policy. If you
deselect all disks, only the VM home is encrypted.

c Click OK.

Decrypt an Encrypted Virtual Machine or Virtual Disk


You can decrypt a virtual machine, its disks, or both, by changing the storage policy.

This task describes how to decrypt an encrypted virtual machine using either the vSphere Client
(HTML5-based client) or the vSphere Web Client.

All encrypted virtual machines require encrypted vMotion. During virtual machine decryption,
the Encrypted vMotion setting remains. To change this setting so that Encrypted vMotion is no
longer used, change the setting explicitly.

This task explains how to perform decryption using storage policies. For virtual disks, you can
also perform decryption using the Edit Settings menu.

Prerequisites

n The virtual machine must be encrypted.

n The virtual machine must be powered off or in maintenance mode.

n Required privileges: Cryptographic operations.Decrypt

Procedure

1 Connect to vCenter Server by using either the vSphere Client (HTML5-based client) or the
vSphere Web Client.

2 Right-click the virtual machine that you want to change and select VM Policies > Edit VM
Storage Policies.

You can set the storage policy for the virtual machine files, represented by VM home, and the
storage policy for virtual disks.

3 Select a storage policy.

n vSphere Client (HTML5-based client):

n To decrypt the VM and its hard disks, toggle off Configure per disk, select a storage
policy from the drop-down menu, and click OK.

n To decrypt a virtual disk but not the virtual machine, toggle on Configure per disk,
select the encryption storage policy for VM Home and other storage policies for the
virtual disks, and click OK.

n vSphere Web Client:

n To decrypt the virtual machine and its hard disks, select a storage policy from the
drop-down menu, click Apply to all, and click OK.

n To decrypt a virtual disk but not the virtual machine, select a storage policy for the
virtual disk from the drop-down menu in the table. Do not change the policy for VM
Home. Click OK.
You cannot decrypt the virtual machine and leave the disk encrypted.

4 If you prefer, you can use the vSphere Client (HTML5-based client) to decrypt the virtual
machine and disks from the Edit Settings menu.

a Right-click the virtual machine and select Edit Settings.

b Select the VM Options tab and expand Encryption.

c To decrypt the VM and its hard disks, choose None from the Encrypt VM drop-down
menu.

d To decrypt a virtual disk but not the virtual machine, deselect the disk.

e Click OK.

5 (Optional) You can change the Encrypted vMotion setting.

a Right-click the virtual machine and click Edit Settings.

b Click VM Options, and open Encryption.

c Set the Encrypted vMotion value.

Change the Encryption Policy for Virtual Disks


When you create an encrypted virtual machine from the vSphere Web Client, any virtual disks
that you add during virtual machine creation are encrypted. You can decrypt virtual disks that are
encrypted by using the Edit VM Storage Policies option.

Note An encrypted virtual machine can have virtual disks that are not encrypted. However, an
unencrypted virtual machine cannot have encrypted virtual disks.

See Virtual Disk Encryption.

This task describes how to change the encryption policy using storage policies. You can use
either the vSphere Client (HTML5-based client) or the vSphere Web Client. You can also use the
Edit Settings menu to make this change.

Prerequisites

n You must have the Cryptographic operations.Manage encryption policies privilege.

n Ensure that the virtual machine is powered off.

Procedure

1 Connect to vCenter Server by using either the vSphere Client (HTML5-based client) or the
vSphere Web Client.

2 Right-click the virtual machine and select VM Policies > Edit VM Storage Policies .

3 Change the storage policy.

n vSphere Client (HTML5-based client):

n To change the storage policy for the VM and its hard disks, select an encryption
storage policy and click OK.

n To encrypt the VM but not the virtual disks, toggle on Configure per disk, select
the encryption storage policy for VM Home and other storage policies for the virtual
disks, and click OK.

n vSphere Web Client:

n To change the storage policy for the VM and its hard disks, select an encryption
storage policy and click Apply to all.

n To encrypt the VM but not the virtual disks, select the encryption storage policy for
VM Home and other storage policies for the virtual disks, and click Apply.
You cannot encrypt the virtual disk of an unencrypted VM.

4 If you prefer, you can change the storage policy from the Edit Settings menu.

a Right-click the virtual machine and select Edit Settings.

b Select the Virtual Hardware tab, expand a hard disk, and choose an encryption policy
from the drop-down menu.

c Click OK.

Resolve Missing Key Issues


Under certain circumstances, the ESXi host cannot get the key (KEK) for an encrypted virtual
machine or an encrypted virtual disk from vCenter Server. In that case, you can still unregister
or reload the virtual machine. However, you cannot perform other virtual machine operations
such as powering on the virtual machine or deleting the virtual machine. A vCenter Server alarm
notifies you when an encrypted virtual machine is in a locked state. You can unlock a locked
encrypted virtual machine by using the vSphere Client after taking the necessary steps to make
the required keys available on the KMS.

If the virtual machine key is not available, the state of the virtual machine displays as invalid.
The virtual machine cannot power on. If the virtual machine key is available, but a key for an
encrypted disk is not available, the virtual machine state does not display as invalid. However, the
virtual machine cannot power on and the following error results:

The disk [/path/to/the/disk.vmdk] is encrypted and a required key was not found.

Note The following procedure illustrates the situations that can cause a virtual machine to
become locked, the corresponding alarms and event logs that appear, and what to do in each
case.

Procedure

1 If the problem is the connection between the vCenter Server system and the KMS, a virtual
machine alarm is generated and the following message appears in the event log:

Virtual machine is locked because of a KMS cluster error.


You must manually check the keys in the KMS cluster, and restore the connection to the
KMS cluster. When the KMS and keys become available, unlock the locked virtual machines.
See Unlock Locked Virtual Machines. You can also reboot the host and re-register the virtual
machine to unlock it after restoring the connection.

Losing the connection to the KMS does not automatically lock the virtual machine. The virtual
machine only enters a locked state if the following conditions are met:

n The key is not available on the ESXi host.

n vCenter Server cannot retrieve keys from the KMS.

After each reboot, an ESXi host must be able to reach vCenter Server. vCenter Server
requests the key with the corresponding ID from the KMS and makes it available to ESXi.

If, after restoring connection to the KMS cluster, the virtual machine remains locked, see
Unlock Locked Virtual Machines.

2 If the connection is restored, register the virtual machine. If an error results when
you attempt to register the virtual machine, verify that you have the Cryptographic
operations.RegisterVM privilege for the vCenter Server system.

This privilege is not required for powering on an encrypted virtual machine if the key is
available. This privilege is required for registering the virtual machine if the key has to be
retrieved.

3 If the key is no longer available on the KMS, a virtual machine alarm is generated and the
following message appears in the event log:

Virtual machine is locked because keys are missing on KMS cluster.

Ask the KMS administrator to restore the key. You might encounter an inactive key if you are
powering on a virtual machine that had been removed from the inventory and that had not
been registered for a long time. It also happens if you reboot the ESXi host, and the KMS is
not available.
a Retrieve the key ID by using the Managed Object Browser (MOB) or the vSphere API.

Retrieve the keyId from VirtualMachine.config.keyId.keyId.

b Ask the KMS administrator to reactivate the key that is associated with that key ID.

c After restoring the key, see Unlock Locked Virtual Machines.


If the key can be restored on the KMS, vCenter Server retrieves it and pushes it to the ESXi
host the next time it is needed.

4 If the KMS is accessible and the ESXi host is powered on, but the vCenter Server system is
unavailable, follow these steps to unlock virtual machines.

a Restore the vCenter Server system, or set up a different vCenter Server system, then
establish trust with the KMS.

You must use the same KMS cluster name, but the KMS IP address can be different.

b Reregister all virtual machines that are locked.

The new vCenter Server instance retrieves the keys from the KMS and the virtual
machines are unlocked.

5 If the keys are missing only on the ESXi host, a virtual machine alarm is generated and the
following message appears in the event log:

Virtual machine is locked because keys are missing on host.


The vCenter Server system can retrieve the missing keys from the KMS cluster. No manual
recovery of keys is required. See Unlock Locked Virtual Machines.

Unlock Locked Virtual Machines


A vCenter Server alarm notifies you when an encrypted virtual machine is in a locked state. You
can unlock a locked encrypted virtual machine by using the vSphere Client (HTML5-based client)
after taking the necessary steps to make the required keys available on the KMS.

Prerequisites

n Verify that you have the required privileges: Cryptographic operations.RegisterVM

n Other privileges might be required for optional tasks such as enabling host encryption.

n Before unlocking a locked virtual machine, troubleshoot the cause of the lock and attempt to
fix the problem manually. See Resolve Missing Key Issues.

Procedure

1 Connect to vCenter Server by using the vSphere Client.

2 Navigate to the virtual machine's Summary tab.

When a virtual machine is locked, the Virtual Machine Locked alarm appears.

3 Decide if you want to either acknowledge the alarm, or reset the alarm to green but not
unlock the virtual machine now.

When you click either Acknowledge or Reset to green, the alarm goes away, but the virtual
machine remains locked until you unlock it.

4 Navigate to the virtual machine's Monitor tab and click Events to get more information about
why the virtual machine is locked.

5 Perform suggested troubleshooting before you unlock the virtual machine.

6 Navigate to the virtual machine's Summary tab and click Unlock VM, located underneath the
virtual machine console.

A message appears, warning that encryption key data is transmitted to the host.

7 Click Yes.

Resolve ESXi Host Encryption Mode Issues


Under certain circumstances, the ESXi host's encryption mode can become disabled.

An ESXi host requires that host encryption mode is enabled if it contains any encrypted virtual
machines. If the host detects it is missing its host key, or if the KMS cluster is unavailable, the
host might fail to enable the encryption mode. vCenter Server generates an alarm when the host
encryption mode cannot be enabled.

Procedure

1 If the problem is the connection between the vCenter Server system and the KMS cluster, an
alarm is generated and an error message appears in the event log.

You must restore the connection to the KMS cluster that contains the encryption keys in
question.

2 If keys are missing, an alarm is generated and an error message appears in the event log.

You must ensure that the keys are present in the KMS cluster. Consult the documentation for
your key management vendor for information about restoring from backup.

What to do next

If, after restoring connection to the KMS cluster, or manually recovering keys to the KMS
cluster, the host's encryption mode remains disabled, re-enable the host encryption mode. See
Re-Enable ESXi Host Encryption Mode.

Re-Enable ESXi Host Encryption Mode


Starting with vSphere 6.7, a vCenter Server alarm notifies you when an ESXi host's encryption
mode has become disabled. In vSphere 6.7, you can re-enable the host encryption mode.

Prerequisites

n Verify that you have the required privileges: Cryptographic operations.Register host

n Before re-enabling encryption mode, troubleshoot the cause and attempt to fix the problem
manually.

Procedure

1 Connect to vCenter Server by using the vSphere Client.

2 Navigate to the ESXi host's Summary tab.

When the encryption mode is disabled, the Host Requires Encryption Mode Enabled alarm
appears.

3 Decide if you want to either acknowledge the alarm, or reset the alarm to green but not
re-enable the host encryption mode now.

When you click either Acknowledge or Reset to green, the alarm goes away, but the host's
encryption mode remains disabled until you re-enable it.

4 Navigate to the ESXi host's Monitor tab and click Events to get more information on why
encryption mode is disabled.

Perform suggested troubleshooting before you re-enable the encryption mode.

5 On the Summary tab, click Enable Host Encryption Mode to re-enable host encryption.

A message appears, warning that encryption key data is transmitted to the host.

6 Click Yes.

Set Key Management Server Certificate Expiration Threshold


By default, vCenter Server notifies you 30 days before your Key Management Server (KMS)
certificates expire. You can change this default value.

KMS certificates have an expiration date. When the threshold for the expiration date is reached,
an alarm notifies you.

vCenter Server and KMS clusters exchange two types of certificates: server and client. The
VMware Endpoint Certificate Store (VECS) on the vCenter Server system stores the server
certificates and one client certificate per KMS cluster. There is one expiration alarm for each
certificate type, one for the client certificate and one for the server certificate.

Procedure

1 Log in to a vCenter Server system by using the vSphere Client.

2 Select the vCenter Server system in the object hierarchy.

3 Click Configure.

4 Under Settings, click Advanced Settings, and click Edit Settings.

5 Click the Filter icon and enter vpxd.kmscert.threshold, or scroll to the configuration
parameter itself.

6 Enter your value in days and click Save.

vSphere Virtual Machine Encryption and Core Dumps


If your environment uses vSphere Virtual Machine Encryption, and if an error occurs on the
ESXi host, the resulting core dump is encrypted to protect customer data. Core dumps that are
included in the vm-support package are also encrypted.

Note Core dumps can contain sensitive information. Follow your organization's data security
and privacy policy when handling core dumps.

Core Dumps on ESXi Hosts


When an ESXi host, a user world, or a virtual machine crashes, a core dump is generated; after
a host crash, the host also reboots. If the ESXi host has encryption mode enabled, the core
dump is encrypted using a key that is in the ESXi key cache. This key comes from the KMS. See
How vSphere Virtual Machine Encryption Protects Your Environment for background information.

The following table shows encryption keys used for each core dump type, by vSphere release.

Table 7-1. Core Dump Encryption Keys

Core Dump Type                   Encryption Key (ESXi 6.5)   Encryption Key (ESXi 6.7 and Later)

ESXi Kernel                      Host Key                    Host Key

User World (hostd)               Host Key                    Host Key

Encrypted Virtual Machine (VM)   Host Key                    Virtual Machine Key

What you can do after an ESXi host reboot depends on several factors.

n In most cases, vCenter Server retrieves the key for the host from the KMS and attempts to
push the key to the ESXi host after reboot. If the operation is successful, you can generate
the vm-support package and you can decrypt or re-encrypt the core dump. See Decrypt or
Re-Encrypt an Encrypted Core Dump.

n If vCenter Server cannot connect to the ESXi host, you might be able to retrieve the key from
the KMS. See Resolve Missing Key Issues.

n If the host used a custom key, and that key differs from the key that vCenter Server pushes
to the host, you cannot manipulate the core dump. Avoid using custom keys.

Core Dumps and vm-support Packages


When you contact VMware Technical Support because of a serious error, your support
representative usually asks you to generate a vm-support package. The package includes log
files and other information, including core dumps. If your support representatives cannot resolve
the issues by looking at log files and other information, they might ask you to decrypt the core
dumps and make relevant information available. To protect sensitive information such as keys,
follow your organization's security and privacy policy. See Collect a vm-support Package for an
ESXi Host That Uses Encryption.

Core Dumps on vCenter Server Systems


A core dump on a vCenter Server system is not encrypted. vCenter Server already contains
potentially sensitive information. At the minimum, ensure that the Windows system on which
vCenter Server runs or the vCenter Server Appliance is protected. See Chapter 4 Securing
vCenter Server Systems. You might also consider turning off core dumps for the vCenter Server
system. Other information in log files can help determine the problem.

Collect a vm-support Package for an ESXi Host That Uses Encryption


If host encryption mode is enabled for the ESXi host, any core dumps in the vm-support
package are encrypted. You can collect the package from the vSphere Client, and you can
specify a password if you expect to decrypt the core dump later.

The vm-support package includes log files, core dump files, and more.

Prerequisites

Inform your support representative that host encryption mode is enabled for the ESXi host. Your
support representative might ask you to decrypt core dumps and extract relevant information.

Note Core dumps can contain sensitive information. Follow your organization's security and
privacy policy to protect sensitive information such as host keys.

Procedure

1 Log in to the vCenter Server system with the vSphere Client.

2 Click Hosts & Clusters, and right-click the ESXi host.

3 Select Export System Logs.

4 In the dialog box, select Password for encrypted core dumps, and specify and confirm a
password.

5 Leave the defaults for other options or make changes if requested by VMware Technical
Support, and click Export Logs.

If you have not configured your browser to ask where to save files before downloading, the
download starts. If you have configured your browser to ask where to save files, specify a
location for the file.

6 If your support representative asked you to decrypt the core dump in the vm-support
package, log in to any ESXi host and follow these steps.

a Log in to the ESXi host and connect to the directory where the vm-support package is
located.

The filename follows the pattern esx.date_and_time.tgz.

b Make sure that the directory has enough space for the package, the uncompressed
package, and the recompressed package, or move the package.

c Extract the package to the local directory.

vm-support -x *.tgz .

The resulting file hierarchy might contain core dump files for the ESXi host, usually
in /var/core, and might contain multiple core dump files for virtual machines.

d Decrypt each encrypted core dump file separately.

crypto-util envelope extract --offset 4096 --keyfile vm-support-incident-key-file --password encryptedZdump decryptedZdump

vm-support-incident-key-file is the incident key file that you find at the top level in the
directory.

encryptedZdump is the name of the encrypted core dump file.


decryptedZdump is the name for the file that the command generates. Make the name
similar to the encryptedZdump name.

e Provide the password that you specified when you created the vm-support package.

f Remove the encrypted core dumps, and compress the package again.

vm-support --reconstruct

7 Remove any files that contain confidential information.
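
The following script is an added example, not VMware code, that automates steps 6c to 6f of this procedure after `vm-support -x` has unpacked the package: it finds the core dump files, builds the crypto-util command for each, runs them (crypto-util prompts for the export password, step 6e), deletes each encrypted original once its decrypt succeeds, and finally runs `vm-support --reconstruct`. It goes slightly beyond the procedure by also handling VM monitor core files (vmmcores.ve, which take no --offset, as in Decrypt or Re-Encrypt an Encrypted Core Dump). Assumptions: zdump files are named vmkernel-zdump* inside a core directory, monitor cores are decrypted with the same --keyfile/--password options, the extracted directory name in the constructed sample is invented, and the caller passes the path of the incident key file because the guide gives it no fixed name.

```python
#!/usr/bin/env python3
"""Decrypt every encrypted core dump inside an extracted vm-support package.

Run from the directory where `vm-support -x esx.<date_and_time>.tgz .` was
executed. Assumptions (not from the guide): zdump files are vmkernel-zdump*
under a core directory, VM monitor cores are vmmcores.ve and accept the same
--keyfile/--password options without --offset, and the incident key file path
is supplied by the caller.
"""
import os
import subprocess
import sys
import tempfile

CRYPTO_UTIL = "crypto-util"
ZDUMP_OFFSET = "4096"  # the offset the guide passes for zdump files


def find_core_dumps(package_dir):
    """Return sorted (kind, path) pairs for every core dump under package_dir."""
    found = []
    for root, _dirs, files in os.walk(package_dir):
        for name in files:
            path = os.path.join(root, name)
            if os.path.basename(root) == "core" and name.startswith("vmkernel-zdump"):
                found.append(("zdump", path))
            elif name == "vmmcores.ve":
                found.append(("monitor", path))
    return sorted(found)


def decrypt_command(kind, encrypted, key_file):
    """Build the crypto-util argv for one dump; returns (argv, output_path).

    The output name stays close to the encrypted name, as the guide asks.
    """
    base = [CRYPTO_UTIL, "envelope", "extract"]
    if kind == "zdump":
        output = encrypted + ".decrypted"
        argv = base + ["--offset", ZDUMP_OFFSET]
    elif kind == "monitor":
        output = os.path.join(os.path.dirname(encrypted), "vmmcores")
        argv = base  # monitor cores take no offset (assumption, see lead-in)
    else:
        raise ValueError("unknown core dump kind: %s" % kind)
    # --password takes no value: crypto-util prompts for it interactively.
    return argv + ["--keyfile", key_file, "--password", encrypted, output], output


def plan_decryption(package_dir, key_file):
    """List (kind, encrypted_path, argv, output_path) for every dump found."""
    plan = []
    for kind, encrypted in find_core_dumps(package_dir):
        argv, output = decrypt_command(kind, encrypted, key_file)
        plan.append((kind, encrypted, argv, output))
    return plan


def run_plan(plan):
    """Run each decrypt. stdin stays on the terminal so the password prompt
    reaches the operator; an encrypted original is removed only after its
    decrypt succeeds, so a failed run leaves nothing half-done."""
    outputs = []
    for kind, encrypted, argv, output in plan:
        print("decrypting %s core %s -> %s" % (kind, encrypted, output))
        subprocess.run(argv, check=True)
        os.remove(encrypted)
        outputs.append(output)
    return outputs


def make_sample_bundle():
    """Constructed stand-in for an extracted package (empty files, no real dumps)."""
    root = tempfile.mkdtemp(prefix="vm-support-sample-")
    host_dir = os.path.join(root, "esx-host01-sample")  # invented directory name
    for rel in ("var/core/vmkernel-zdump.1",
                "vmfs/volumes/datastore1/win2016-dc01/vmmcores.ve",
                "var/log/vmkernel.log"):
        path = os.path.join(host_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: %s <package-directory> <incident-key-file>" % argv[0])
    package_dir, key_file = argv[1], argv[2]
    plan = plan_decryption(package_dir, key_file)
    if not plan:
        sys.exit("no core dump files found under %s" % package_dir)
    run_plan(plan)
    # Recompress the package without the encrypted dumps (step 6f).
    subprocess.run(["vm-support", "--reconstruct"], check=True, cwd=package_dir)


if __name__ == "__main__":
    main(sys.argv)
```

Review the printed plan before confirming each password prompt: the script does not inspect file contents, so a file that is not actually encrypted (check with `crypto-util envelope describe`) will simply make crypto-util fail and stop the run with the original left in place.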

Results

Video: Exporting Host Support Bundles With Passwords

Decrypt or Re-Encrypt an Encrypted Core Dump


You can decrypt or re-encrypt an encrypted core dump on your ESXi host by using the crypto-util CLI.

You can decrypt and examine the core dumps in the vm-support package yourself. Core dumps
might contain sensitive information. Follow your organization's security and privacy policy to
protect sensitive information such as keys.

For details about re-encrypting a core dump and other features of crypto-util, see the
command-line help.

Note crypto-util is for advanced users.

Prerequisites

The key that was used to encrypt the core dump must be available on the ESXi host that
generated the core dump.

Procedure

1 Log directly in to the ESXi host on which the core dump happened.

If the ESXi host is in lockdown mode, or if SSH access is disabled, you might have to enable
access first.

2 Determine whether the core dump is encrypted.

Option              Description
Monitor core dump   crypto-util envelope describe vmmcores.ve
zdump file          crypto-util envelope describe --offset 4096 zdumpFile

3 Decrypt the core dump, depending on its type.

Option              Description
Monitor core dump   crypto-util envelope extract vmmcores.ve vmmcores
zdump file          crypto-util envelope extract --offset 4096 zdumpEncrypted zdumpUnencrypted

Chapter 8 Securing Virtual Machines with Virtual Trusted Platform Module

With the Virtual Trusted Platform Module (vTPM) feature, you can add a TPM 2.0 virtual
cryptoprocessor to a virtual machine.

A vTPM is a software-based representation of a physical Trusted Platform Module 2.0 chip. A
vTPM acts as any other virtual device. You can add a vTPM to a virtual machine in the same way
you add virtual CPUs, memory, disk controllers, or network controllers. A vTPM does not require
a hardware Trusted Platform Module chip.

Read the following topics next:

n Virtual Trusted Platform Module Overview

n Create a Virtual Machine with a Virtual Trusted Platform Module

n Enable Virtual Trusted Platform Module for an Existing Virtual Machine

n Remove Virtual Trusted Platform Module from a Virtual Machine

n Identify Virtual Trusted Platform Module Enabled Virtual Machines

n View Virtual Trusted Platform Module Device Certificates

n Export and Replace Virtual Trusted Platform Module Device Certificates

Virtual Trusted Platform Module Overview


A virtual Trusted Platform Module (vTPM) is a software-based representation of a physical
Trusted Platform Module 2.0 chip. A vTPM acts as any other virtual device.

Introduction to vTPMs
vTPMs provide hardware-based, security-related functions such as random number generation,
attestation, key generation, and more. When added to a virtual machine, a vTPM enables the
guest operating system to create and store keys that are private. These keys are not exposed
to the guest operating system itself. Therefore, the virtual machine attack surface is reduced.
Usually, compromising the guest operating system compromises its secrets, but enabling a
vTPM greatly reduces this risk. These keys can be used only by the guest operating system
for encryption or signing. With an attached vTPM, a third party can remotely attest to (validate)
the identity of the firmware and the guest operating system.

You can add a vTPM to either a new or an existing virtual machine. A vTPM depends on virtual
machine encryption to secure vital TPM data. When you configure a vTPM, the virtual machine
files are encrypted but not the disks. You can choose to add encryption explicitly for the virtual
machine and its disks.

When you back up a virtual machine enabled with a vTPM, the backup must include all virtual
machine data, including the *.nvram file. If your backup does not include the *.nvram file,
you cannot restore a virtual machine with a vTPM. Also, because the VM home files of a vTPM-
enabled virtual machine are encrypted, ensure that the encryption keys are available at the time
of a restore.

A vTPM does not require a physical Trusted Platform Module (TPM) 2.0 chip to be present on the
ESXi host. However, if you want to perform host attestation, an external entity, such as a TPM 2.0
physical chip, is required. See Securing ESXi Hosts with Trusted Platform Module.

Note By default, no storage policy is associated with a virtual machine that has been enabled
with a vTPM. Only the virtual machine files (VM Home) are encrypted. If you prefer, you can
choose to add encryption explicitly for the virtual machine and its disks, but the virtual machine
files would have already been encrypted.

Requirements for vTPM


To use a vTPM, your vSphere environment must meet these requirements:

n Virtual machine requirements:

n EFI firmware

n Hardware version 14 or later

n Component requirements:

n vCenter Server 6.7 or later for Windows virtual machines.

n Virtual machine encryption (to encrypt the virtual machine home files).

n Key provider configured for vCenter Server. See Set up the Key Management Server
Cluster.

n Guest OS support:

n Windows Server 2008 and later

n Windows 7 and later

Differences Between a Hardware TPM and a Virtual TPM


You use a hardware Trusted Platform Module (TPM) to provide secure storage of credentials or
keys. A vTPM performs the same functions as a TPM, but it performs cryptographic coprocessor
capabilities in software. A vTPM uses the .nvram file, which is encrypted using virtual machine
encryption, as its secure storage.

A hardware TPM includes a preloaded key called the Endorsement Key (EK). The EK has a private
and public key. The EK provides the TPM with a unique identity. For a vTPM, this key is provided
either by the VMware Certificate Authority (VMCA) or by a third-party Certificate Authority (CA).
After the vTPM uses a key, it is typically not changed because doing so invalidates sensitive
information stored in the vTPM. The vTPM does not contact the third-party CA at any time.

Create a Virtual Machine with a Virtual Trusted Platform Module

You can add a Virtual Trusted Platform Module (vTPM) to a virtual machine to provide enhanced
security to the guest operating system. You must set up the KMS before you can add a vTPM.

You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual
TPM is compatible with TPM 2.0 and creates a TPM-enabled virtual chip for use by the virtual
machine and the guest OS it hosts.

Prerequisites

n Ensure your vSphere environment is configured for virtual machine encryption. See Set up
the Key Management Server Cluster.

n The guest OS you use can be Windows Server 2008 and later, and Windows 7 and later.

n The ESXi hosts running in your environment must be ESXi 6.7 or later.

n The virtual machine must use EFI firmware.

n Verify that you have the required privileges:

n Cryptographic operations.Clone

n Cryptographic operations.Encrypt

n Cryptographic operations.Encrypt new

n Cryptographic operations.Migrate

n Cryptographic operations.Register VM

n Cryptographic operations.Register host

Procedure

1 Connect to vCenter Server by using the vSphere Client.

2 Select an object in the inventory that is a valid parent object of a virtual machine, for
example, an ESXi host or a cluster.

3 Right-click the object, select New Virtual Machine, and follow the prompts to create a virtual
machine.

Option                     Action
Select a creation type     Create a new virtual machine.
Select a name and folder   Specify a name and target location.
Select a compute resource  Specify an object for which you have privileges to create a virtual machine. See Prerequisites and Required Privileges for Encryption Tasks.
Select storage             Select a compatible datastore.
Select compatibility       Select ESXi 6.7 and later.
Select a guest OS          Select Windows Server 2016 (64 bit) or Windows 10 (64 bit) for use as the guest OS.
Customize hardware         Click Add New Device and select Trusted Platform Module. You can further customize the hardware, for example, by changing disk size or CPU.
Ready to complete          Review the information and click Finish.

Results

The vTPM-enabled virtual machine appears in your inventory as specified.

Enable Virtual Trusted Platform Module for an Existing Virtual Machine

You can add a Virtual Trusted Platform Module (vTPM) to an existing virtual machine to provide
enhanced security to the guest operating system. You must set up the KMS before you can add a
vTPM.

You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual
TPM is compatible with TPM 2.0, and creates a TPM-enabled virtual chip for use by the virtual
machine and the guest OS it hosts.

Prerequisites

n Ensure your vSphere environment is configured for virtual machine encryption. See Set up
the Key Management Server Cluster.

n The guest OS you use can be Windows Server 2008 and later, and Windows 7 and later.

n Verify that the virtual machine is turned off.

n The ESXi hosts running in your environment must be ESXi 6.7 or later.

n The virtual machine must use EFI firmware.

n Verify that you have the required privileges:

n Cryptographic operations.Clone

n Cryptographic operations.Encrypt

n Cryptographic operations.Encrypt new

n Cryptographic operations.Register VM

n Virtual machine.Configuration.Add or remove device

Procedure

1 Connect to vCenter Server by using the vSphere Client.

2 Right-click the virtual machine in the inventory that you want to modify and select Edit
Settings.

3 In the Edit Settings dialog box, click Add New Device and select Trusted Platform Module.

4 Click OK.

The virtual machine Summary tab now includes Virtual Trusted Platform Module in the VM
Hardware pane.

Remove Virtual Trusted Platform Module from a Virtual Machine

You can remove Virtual Trusted Platform Module (vTPM) security from a virtual machine.

Removing a vTPM device causes all encrypted information on the virtual machine to become
unrecoverable. Before removing a vTPM from a virtual machine, disable any applications in the
Guest OS that use the vTPM device, such as BitLocker. Failure to do so can cause the virtual
machine not to boot. Also, you cannot remove a vTPM from a virtual machine that contains
snapshots.

Prerequisites

n Ensure that the virtual machine is powered off.

n Verify that you have the required privileges: Virtual machine.Configuration.Add or remove
device and Cryptographic operations.Decrypt

Procedure

1 Connect to vCenter Server by using the vSphere Client.

2 Right-click the virtual machine in the inventory that you want to modify and select Edit
Settings.

3 In the Edit Settings dialog box, locate the Trusted Platform Module entry in the Virtual
Hardware tab.

4 Move your pointer over the device and click the Remove icon.

This icon appears only for the virtual hardware that you can safely remove.

5 Click Delete to confirm you want to remove the device.

The vTPM device is marked for removal.

6 Click OK.

Verify that the Virtual Trusted Platform Module entry no longer appears in the virtual machine
Summary tab in the VM Hardware pane.

Identify Virtual Trusted Platform Module Enabled Virtual Machines

You can identify which of your virtual machines are enabled to use a Virtual Trusted Platform
Module (vTPM).

You can generate a list of all virtual machines in your inventory showing virtual machine name,
operating system, and vTPM status. You can also export this list to a CSV file for use in
compliance audits.

Procedure

1 Connect to vCenter Server by using the vSphere Client.

2 Select a vCenter Server instance, a host, or a cluster.

3 Click the VMs tab and click Virtual Machines.

4 Click the menu bar for any virtual machine column, select Show/Hide Columns, and select
TPM.

The TPM column displays present for all virtual machines on which TPM is enabled. Virtual
machines without a TPM are listed as not present.

5 You can export the contents of an inventory list view to a CSV file.

a Click Export at the bottom-right corner of a list view.

The Export List Contents dialog box opens and lists the available options for inclusion in
the CSV file.

b Select whether you want all rows or your current selection of rows to be listed in the CSV
file.

c From the available options, select the columns you want listed in the CSV file.

d Click Export.

The CSV file is generated and available for download.

View Virtual Trusted Platform Module Device Certificates


Virtual Trusted Platform Module (vTPM) devices are pre-configured with default certificates,
which you can review.

Prerequisites

You must have a vTPM-enabled virtual machine in your environment.

Procedure

1 Connect to vCenter Server by using the vSphere Client.

2 Select an object in the inventory that is a valid parent object of a virtual machine, for
example, an ESXi host or a cluster.

3 Click VMs and click Virtual Machines.

4 Select the vTPM-enabled virtual machine whose certificate information you want to view.

If necessary, click the menu bar for any virtual machine column, select Show/Hide Columns,
and select TPM to display virtual machines with a TPM "Present."

5 Click the Configure tab.

6 Under TPM, select Certificates.

7 Select the certificate and view its information.

8 (Optional) To export the certificate information, click Export.

The certificate is saved to disk.

What to do next

You can replace the default certificate with a certificate issued by a third-party certificate
authority (CA). See Export and Replace Virtual Trusted Platform Module Device Certificates.

Export and Replace Virtual Trusted Platform Module Device Certificates

You can replace the default certificate that comes with a Virtual Trusted Platform Module (vTPM)
device.

Prerequisites

You must have a vTPM-enabled virtual machine in your environment.

Procedure

1 Connect to vCenter Server by using the vSphere Client.

2 Select an object in the inventory that is a valid parent object of a virtual machine, for
example, an ESXi host or a cluster.

3 Select the vTPM-enabled virtual machine in the inventory whose certificate information you
want to replace.

4 Click the Configure tab.

5 Under TPM select Signing Requests.

6 Select a certificate.

7 To export the certificate information, click Export.

The certificate is saved to disk.

8 Get a certificate issued by a third-party certificate authority (CA) against the certificate
signing request (CSR) you exported.

You can use any CA that you might have in your IT environment.

9 When you have the new certificate, replace the existing certificate.

a Right-click the virtual machine in the inventory whose certificate you want to replace and
select Edit Settings.

b In the Edit Settings dialog box, expand Security Devices, then expand Trusted Platform
Module.

The certificates appear.

c Click Replace for the certificate you want to replace.

The File Upload dialog box appears.

d On your local machine, locate the new certificate and upload it.

The new certificate replaces the default certificate that came with your vTPM device.

e The certificate name is updated in the virtual machine Summary tab under the Virtual
Trusted Platform Module list.

Chapter 9 Securing Windows Guest Operating Systems with Virtualization-based Security

Starting with vSphere 6.7, you can enable Microsoft virtualization-based security (VBS) on
supported Windows guest operating systems.

About Virtualization-based Security


Microsoft VBS, a feature of Windows 10 and Windows Server 2016 operating systems, uses
hardware and software virtualization to enhance system security by creating an isolated,
hypervisor-restricted, specialized subsystem.

VBS permits you to use the following Windows security features to harden your system and
isolate key system and user secrets from being compromised:

n Credential Guard: Aims to isolate and harden key system and user secrets against
compromise.

n Device Guard: Provides a set of features designed to work together to prevent and eliminate
malware from running on a Windows system.

n Configurable Code Integrity: Ensures that only trusted code runs from the boot loader
onwards.

See the topic on virtualization-based security in the Microsoft documentation for more
information.

After you enable VBS for a virtual machine through vCenter Server, you enable VBS within the
Windows guest operating system.

Read the following topics next:

n Virtualization-based Security Best Practices

n Enable Virtualization-based Security on a Virtual Machine

n Enable Virtualization-based Security on an Existing Virtual Machine

n Enable Virtualization-based Security on the Guest Operating System

n Disable Virtualization-based Security

n Identify VBS-Enabled Virtual Machines

Virtualization-based Security Best Practices


Follow best practices for virtualization-based security (VBS) to maximize security and
manageability of your Windows guest operating system environment.

Avoid problems by following these best practices.

VBS Hardware
Use the following Intel hardware for VBS:

n Haswell CPU or later. For best performance, use the Skylake-EP CPU or later.

n The Ivy Bridge CPU is acceptable.

n The Sandy Bridge CPU might cause some slow performance.

Not all VBS functionality is available on AMD CPUs. For more information, see the VMware KB
article at http://kb.vmware.com/kb/54009.

Windows Guest OS Compatibility


VBS is supported for Windows 10 and Windows Server 2016 and later virtual machines,
although Windows Server 2016 versions 1607 and 1703 require patches. Check the Microsoft
documentation for ESXi host hardware compatibility.

VBS in Windows guest OSs RS1, RS2, and RS3 requires Hyper-V to be enabled in the guest OS.
See VMware vSphere Release Notes for more information.

Unsupported VMware Features on VBS


The following features are not supported in a virtual machine when VBS is enabled:

n Fault tolerance

n PCI passthrough

n Hot add of CPU or memory

Installation and Upgrade Caveats with VBS


Before you configure VBS, understand the following installation and upgrade caveats:

n New virtual machines configured for Windows 10 and Windows Server 2016 and later on
hardware versions less than version 14 are created using Legacy BIOS by default. You must
reinstall the guest operating system after changing the virtual machine's firmware type from
Legacy BIOS to UEFI.

n If you plan to migrate your virtual machines from previous vSphere releases to vSphere 6.7
or later, and enable VBS on your virtual machines, use UEFI to avoid having to reinstall the
operating system.

Enable Virtualization-based Security on a Virtual Machine


You can enable Microsoft virtualization-based security (VBS) for supported Windows guest
operating systems at the same time you create a virtual machine.

Enabling VBS is a process that involves first enabling VBS in the virtual machine, then enabling
VBS in the Windows guest OS.

Prerequisites

Intel hosts are recommended. See Virtualization-based Security Best Practices for acceptable
CPUs.

Create a virtual machine that uses hardware version 14 or later and one of the following
supported guest operating systems:

n Windows 10 (64 bit) or later releases

n Windows Server 2016 (64 bit) or later releases

Procedure

1 Connect to vCenter Server by using the vSphere Client.

2 Select an object in the inventory that is a valid parent object of a virtual machine, for
example, an ESXi host or a cluster.

3 Right-click the object, select New Virtual Machine, and follow the prompts to create a virtual
machine.

Option                     Action
Select a creation type     Create a virtual machine.
Select a name and folder   Specify a name and target location.
Select a compute resource  Specify an object for which you have privileges to create virtual machines.
Select storage             In the VM storage policy, select the storage policy. Select a compatible datastore.
Select compatibility       Ensure that ESXi 6.7 and later is selected.
Select a guest OS          Select the Windows guest operating system option that best corresponds to the operating system release. Select the Enable Windows Virtualization Based Security check box.
Customize hardware         Customize the hardware, for example, by changing disk size or CPU.
Ready to complete          Review the information and click Finish.

Results

Once the virtual machine is created, confirm that its Summary tab displays "VBS true" in the
Guest OS description.

What to do next

See Enable Virtualization-based Security on the Guest Operating System.

Enable Virtualization-based Security on an Existing Virtual Machine

You can enable Microsoft virtualization-based security (VBS) on existing virtual machines for
supported Windows guest operating systems.

Enabling VBS is a process that involves first enabling VBS in the virtual machine, then enabling
VBS in the guest OS.

Note New virtual machines configured for Windows 10, Windows Server 2016, and Windows
Server 2019 on hardware versions less than version 14 are created using Legacy BIOS by default.
If you change the virtual machine's firmware type from Legacy BIOS to UEFI, you must reinstall
the guest operating system.

Prerequisites

Intel hosts are recommended. See Virtualization-based Security Best Practices for acceptable
CPUs.

The virtual machine must have been created using hardware version 14 or later, UEFI firmware,
and one of the following supported guest operating systems:

n Windows 10 (64 bit) or later releases

n Windows Server 2016 (64 bit) or later releases

Procedure

1 In the vSphere Client, browse to the virtual machine.

2 Right-click the virtual machine and select Edit Settings.

3 Click the VM Options tab.

4 Check the Enable check box for Virtualization Based Security.

5 Click OK.

Results

Confirm that the virtual machine's Summary tab displays "VBS true" in the Guest OS description.

What to do next

See Enable Virtualization-based Security on the Guest Operating System.

Enable Virtualization-based Security on the Guest Operating System

You can enable Microsoft virtualization-based security (VBS) for supported Windows guest
operating systems.

You enable VBS from within the Windows Guest OS. Windows configures and enforces VBS
through a Group Policy Object (GPO). The GPO gives you the ability to turn off and on the
various services, such as Secure Boot, Device Guard, and Credential Guard, that VBS offers.
Certain Windows versions also require you to perform the additional step of enabling the Hyper-
V platform.

See Microsoft's documentation about deploying Device Guard to enable virtualization-based
security for details.

Prerequisites

n Ensure that virtualization-based security has been enabled on the virtual machine.

Procedure

1 In Microsoft Windows, edit the group policy to turn on VBS and choose other VBS-related
security options.

2 (Optional) For Microsoft Windows versions less than Redstone 4, in the Windows Features
control panel, enable the Hyper-V platform.

3 Reboot the guest operating system.

Disable Virtualization-based Security


If you no longer use virtualization-based security (VBS) with a virtual machine, you can
disable VBS. When you disable VBS for the virtual machine, the Windows VBS options remain
unchanged but might induce performance issues. Before disabling VBS on the virtual machine,
disable VBS options within Windows.

Prerequisites

Ensure that the virtual machine is powered off.

Procedure

1 In the vSphere Client, browse to the VBS-enabled virtual machine.

See Identify VBS-Enabled Virtual Machines for help in locating VBS-enabled virtual machines.

2 Right-click the virtual machine and select Edit Settings.

3 Click VM Options.

4 Deselect the Enable check box for Virtualization Based Security.

A message reminds you to disable VBS in the guest OS.

5 Click OK.

6 Verify that the virtual machine's Summary tab no longer displays "VBS true" in the Guest OS
description.

Identify VBS-Enabled Virtual Machines


You can identify which of your virtual machines have VBS enabled, for reporting and compliance
purposes.

Procedure

1 Connect to vCenter Server by using the vSphere Client.

2 Select a vCenter Server instance, a data center, or a host in the inventory.

3 Click the VMs tab and click Virtual Machines.

4 In the list of virtual machines, click the down arrow in a column header to show/hide columns,
and select the VBS check box.

The VBS column appears.

5 Scan for Present in the VBS column.
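
The two column-based checks in this chapter (the TPM column in Identify Virtual Trusted Platform Module Enabled Virtual Machines and the VBS column here) can be produced for the whole inventory from the vSphere API. The script below is an added example, not VMware's own code: it reads, through pyVmomi, the per-VM properties behind those columns (a VirtualTPM device in config.hardware.device and config.flags.vbsEnabled), and also reports config.firmware and the hardware version so VMs that do not meet the EFI and hardware version 14 requirements stand out in the CSV. The report functions take plain config objects and are exercised on a constructed inventory; the vCenter host and credentials in fetch_inventory() are placeholders, and matching the device by class name rather than isinstance is a design choice that keeps the report functions usable without pyVmomi installed.

```python
"""Report vTPM and VBS status for every virtual machine in a vCenter inventory.

Added example. The vSphere API properties used are real (pyVmomi
vim.vm.ConfigInfo); the inventory in sample_inventory() is constructed
and the connection details in fetch_inventory() are placeholders.
"""
import csv
import io
import ssl
from types import SimpleNamespace

FIELDS = ["name", "guest_os", "firmware", "hw_version", "vtpm", "vbs", "meets_requirements"]


def has_vtpm(config):
    """True when the hardware list holds a Virtual TPM device (vim.vm.device.VirtualTPM).
    Matching on the class name keeps this usable without importing pyVmomi."""
    return any(type(dev).__name__ == "VirtualTPM" for dev in config.hardware.device)


def vbs_enabled(config):
    """True when the VM-level 'Enable Virtualization Based Security' option is set."""
    return bool(getattr(config.flags, "vbsEnabled", False))


def hardware_version(config):
    """Parse a 'vmx-14' style config.version into an integer (0 if unknown)."""
    version = getattr(config, "version", "") or ""
    digits = version.rsplit("-", 1)[-1]
    return int(digits) if digits.isdigit() else 0


def vm_row(name, config):
    hw = hardware_version(config)
    ok = config.firmware == "efi" and hw >= 14  # vTPM and VBS requirements from this guide
    return {
        "name": name,
        "guest_os": config.guestFullName,
        "firmware": config.firmware,
        "hw_version": hw,
        "vtpm": "present" if has_vtpm(config) else "not present",
        "vbs": "present" if vbs_enabled(config) else "not present",
        "meets_requirements": "yes" if ok else "no",
    }


def build_report(vms):
    """vms: iterable of (name, config) pairs. Returns rows sorted by VM name."""
    return sorted((vm_row(n, c) for n, c in vms), key=lambda r: r["name"])


def to_csv(rows):
    """Render the rows as CSV, like the client's Export List Contents."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def sample_inventory():
    """Constructed inventory standing in for vCenter data (no real VMs)."""
    VirtualTPM = type("VirtualTPM", (), {})
    VirtualDisk = type("VirtualDisk", (), {})

    def cfg(guest, firmware, version, devices, vbs):
        return SimpleNamespace(guestFullName=guest, firmware=firmware, version=version,
                               hardware=SimpleNamespace(device=devices),
                               flags=SimpleNamespace(vbsEnabled=vbs))

    return [
        ("win2016-dc01", cfg("Microsoft Windows Server 2016 (64-bit)", "efi", "vmx-14",
                             [VirtualDisk(), VirtualTPM()], True)),
        ("win10-ws07", cfg("Microsoft Windows 10 (64-bit)", "efi", "vmx-14", [VirtualDisk()], True)),
        ("legacy-app", cfg("Microsoft Windows Server 2008 R2 (64-bit)", "bios", "vmx-13",
                           [VirtualDisk()], False)),
    ]


def fetch_inventory(host, user, password):
    """Collect (name, config) pairs from a live vCenter (placeholder credentials).
    pyVmomi is imported here so the report functions stay importable without it."""
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim

    context = ssl.create_default_context()  # verify the vCenter certificate
    si = SmartConnect(host=host, user=user, pwd=password, sslContext=context)
    try:
        content = si.RetrieveContent()
        view = content.viewManager.CreateContainerView(content.rootFolder, [vim.VirtualMachine], True)
        return [(vm.name, vm.config) for vm in view.view if vm.config is not None]
    finally:
        Disconnect(si)


if __name__ == "__main__":
    print(to_csv(build_report(sample_inventory())), end="")
```

For a live report, replace `sample_inventory()` with `fetch_inventory("vcenter.example.invalid", "audit-user", password)` (placeholder values); the certificate check in the SSL context is deliberate, since a compliance report pulled over an unverified connection is itself a finding.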

Chapter 10 Securing vSphere Networking

Securing vSphere Networking is an essential part of protecting your environment. You secure
different vSphere components in different ways. See the vSphere Networking documentation for
detailed information about networking in the vSphere environment.

Read the following topics next:

n Introduction to vSphere Network Security

n Securing the Network With Firewalls

n Secure the Physical Switch

n Securing Standard Switch Ports with Security Policies

n Securing vSphere Standard Switches

n Standard Switch Protection and VLANs

n Secure vSphere Distributed Switches and Distributed Port Groups

n Securing Virtual Machines with VLANs

n Creating Multiple Networks Within a Single ESXi Host

n Internet Protocol Security

n Ensure Proper SNMP Configuration

n vSphere Networking Security Best Practices

Introduction to vSphere Network Security


Network security in the vSphere environment shares many characteristics of securing a physical
network environment, but also includes some characteristics that apply only to virtual machines.

Firewalls
Add firewall protection to your virtual network by installing and configuring host-based firewalls
on some or all its VMs.

For efficiency, you can set up private virtual machine Ethernet networks or virtual networks. With
virtual networks, you install a host-based firewall on a VM at the head of the virtual network. This
firewall serves as a protective buffer between the physical network adapter and the remaining
VMs in the virtual network.

Host-based firewalls can slow performance. Balance your security needs against performance
goals before you install host-based firewalls on VMs elsewhere in the virtual network.

See Securing the Network With Firewalls.

Segmentation
Keep different virtual machine zones within a host on different network segments. If you isolate
each virtual machine zone on its own network segment, you minimize the risk of data leakage
from one zone to the next. Segmentation prevents various threats, including Address Resolution
Protocol (ARP) spoofing. With ARP spoofing, an attacker manipulates the ARP table to remap
MAC and IP addresses, and gains access to network traffic to and from a host. Attackers use ARP
spoofing to generate man in the middle (MITM) attacks, perform denial of service (DoS) attacks,
hijack the target system, and otherwise disrupt the virtual network.

Planning segmentation carefully lowers the chances of packet transmissions between virtual
machine zones. Segmentation therefore prevents sniffing attacks that require sending network
traffic to the victim. Also, an attacker cannot use a nonsecure service in one virtual machine zone
to access other virtual machine zones in the host. You can implement segmentation by using one
of two approaches.

n Use separate physical network adapters for virtual machine zones to ensure that the zones
are isolated. Maintaining separate physical network adapters for virtual machine zones is
probably the most secure method, and after the initial segment creation this approach is less
prone to misconfiguration.

n Set up virtual local area networks (VLANs) to help safeguard your network. VLANs provide
almost all the security benefits inherent in implementing physically separate networks
without the hardware overhead. VLANs can save you the cost of deploying and maintaining
additional devices, cabling, and so on. See Securing Virtual Machines with VLANs.

Preventing Unauthorized Access


Requirements for securing VMs are often the same as requirements for securing physical
machines.

n If a virtual machine network is connected to a physical network, it can be subject to breaches
just like a network that consists of physical machines.

n Even if you do not connect a VM to the physical network, the VM can be attacked by other
VMs.

VMs are isolated from each other. One VM cannot read or write another VM’s memory, access
its data, use its applications, and so forth. However, within the network, any VM or group of
VMs can still be the target of unauthorized access from other VMs. Protect your VMs from such
unauthorized access.

For additional information about protecting VMs, see the NIST document titled "Secure Virtual
Network Configuration for Virtual Machine (VM) Protection" at:

https://csrc.nist.gov/publications/detail/sp/800-125b/final

Securing the Network With Firewalls


Security administrators use firewalls to safeguard the network or selected components in the
network from intrusion.

Firewalls control access to devices within their perimeter by closing all ports except for ports that
the administrator explicitly or implicitly designates as authorized. The ports that administrators
open allow traffic between devices on different sides of the firewall.

Important The ESXi firewall in ESXi 5.5 and later does not allow per-network filtering of vMotion
traffic. Therefore, you must install rules on your external firewall to ensure that no incoming
connections can be made to the vMotion socket.

In a virtual machine environment, you can plan the layout for firewalls between components.

n Firewalls between physical machines such as vCenter Server systems and ESXi hosts.

n Firewalls between one virtual machine and another, for example, between a virtual machine
acting as an external Web server and a virtual machine connected to your company’s internal
network.

n Firewalls between a physical machine and a virtual machine, such as when you place a
firewall between a physical network adapter card and a virtual machine.

How you use firewalls in your ESXi configuration is based on how you plan to use the network
and how secure any given component has to be. For example, if you create a virtual network
where each virtual machine is dedicated to running a different benchmark test suite for the
same department, the risk of unwanted access from one virtual machine to the next is minimal.
Therefore, a configuration where firewalls are present between the virtual machines is not
necessary. However, to prevent interruption of a test run from an outside host, you can configure
a firewall at the entry point of the virtual network to protect the entire set of virtual machines.

For a diagram of firewall ports, see VMware Knowledge Base article 2131180.

Firewalls for Configurations With vCenter Server


If you access ESXi hosts through vCenter Server, you typically protect vCenter Server using a
firewall.


Firewalls must be present at entry points. A firewall might lie between the clients and vCenter
Server, or vCenter Server and the clients might both be behind a firewall.

For the list of all supported ports and protocols in VMware products, including vSphere and
vSAN, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. You can search
ports by VMware product, create a customized list of ports, and print or save port lists.

Networks configured with vCenter Server can receive communications through the vSphere Web
Client, other UI clients, or clients that use the vSphere API. During normal operation, vCenter
Server listens for data from its managed hosts and clients on designated ports. vCenter Server
also assumes that its managed hosts listen for data from vCenter Server on designated ports. If
a firewall is present between any of these elements, you must ensure that the firewall has open
ports to support data transfer.

You might also include firewalls at other access points in the network, depending on network
usage and on the level of security that clients require. Select the locations for your firewalls
based on the security risks for your network configuration. The following firewall locations are
commonly used.

n Between the vSphere Web Client or a third-party network-management client and vCenter
Server.

n If your users access virtual machines through a Web browser, between the Web browser and
the ESXi host.

n If your users access virtual machines through the vSphere Web Client, between the vSphere
Web Client and the ESXi host. This connection is in addition to the connection between the
vSphere Web Client and vCenter Server, and it requires a different port.

n Between vCenter Server and the ESXi hosts.

n Between the ESXi hosts in your network. Although traffic between hosts is usually considered
trusted, you can add firewalls between them if you are concerned about security breaches
from machine to machine.

If you add firewalls between ESXi hosts and plan to migrate virtual machines between them,
open ports in any firewall that divides the source host from the target hosts.

n Between the ESXi hosts and network storage such as NFS or iSCSI storage. These ports are
not specific to VMware. Configure them according to the specifications for your network.

Connecting to vCenter Server Through a Firewall


Open TCP port 443 in the firewall to enable vCenter Server to receive data. By default vCenter
Server uses TCP port 443 to listen for data from its clients. If you have a firewall between vCenter
Server and its clients, you must configure a connection through which vCenter Server can receive
data from the clients.

Firewall configuration depends on what is used at your site; ask your local firewall system
administrator for information. How you open ports depends on whether you use a vCenter
Server Appliance or a vCenter Server Windows installation.


Connecting ESXi Hosts Through Firewalls


If you have a firewall between your ESXi hosts and vCenter Server, ensure that the managed
hosts can receive data.

To configure a connection for receiving data, open ports for traffic from services such as
vSphere High Availability, vMotion, and vSphere Fault Tolerance. See ESXi Firewall Configuration
for a discussion of configuration files, vSphere Web Client access, and firewall commands. See
Incoming and Outgoing Firewall Ports for ESXi Hosts for a list of ports.

Firewalls for Configurations Without vCenter Server


If your environment does not include vCenter Server, clients can connect directly to the ESXi
network.

You can connect to a standalone ESXi host in several ways.

n VMware Host Client

n One of the vSphere command-line interfaces

n vSphere Web Services SDK or vSphere Automation SDKs

n Third-party clients

The firewall requirements for standalone hosts are similar to requirements when a vCenter Server
is present.

n Use a firewall to protect your ESXi layer or, depending on your configuration, your clients,
and the ESXi layer. This firewall provides basic protection for your network.

n Licensing in this type of configuration is part of the ESXi package that you install on each of
the hosts. Because licensing is resident to ESXi, a separate License Server with a firewall is
not required.

You can configure firewall ports using ESXCLI or using the VMware Host Client. See vSphere
Single Host Management - VMware Host Client.

Connecting to the Virtual Machine Console Through a Firewall


Certain ports must be open for user and administrator communication with the virtual machine
console. Which ports must be open depends on the type of virtual machine console, and on
whether you connect through vCenter Server with the vSphere Web Client or directly to the ESXi
host from the VMware Host Client.

Connecting to a Browser-Based Virtual Machine Console Through the vSphere Web Client


When you are connecting with the vSphere Web Client, you always connect to the vCenter
Server system that manages the ESXi host, and access the virtual machine console from there.


If you are using the vSphere Web Client and connecting to a browser-based virtual machine
console, the following access must be possible:

n The firewall must allow vSphere Web Client to access vCenter Server on port 9443.

n The firewall must allow vCenter Server to access the ESXi host on port 902.

Connecting to a VMware Remote Console Through the vSphere Web Client


If you are using the vSphere Web Client and connecting to a VMware Remote Console (VMRC),
the following access must be possible:

n The firewall must allow vSphere Web Client to access vCenter Server on port 9443.

n The firewall must allow the standalone virtual machine console to access vCenter Server on
port 9443 and to access the ESXi host on port 902 for VMRC versions before 11.0, and port
443 for VMRC version 11.0 and greater. For more information about VMRC version 11.0 and
ESXi port requirements, see the VMware knowledge base article at https://kb.vmware.com/s/
article/76672.

Connecting to ESXi Hosts Directly with the VMware Host Client


You can use the VMware Host Client virtual machine console if you connect directly to an ESXi
host.

Note Do not use the VMware Host Client to connect directly to hosts that are managed by
a vCenter Server system. If you make changes to such hosts from the VMware Host Client,
instability in your environment results.

The firewall must allow access to the ESXi host on ports 443 and 902.

The VMware Host Client uses port 902 to provide a connection for guest operating system MKS
activities on virtual machines. It is through this port that users interact with the guest operating
systems and applications of the virtual machine. VMware does not support configuring a different
port for this function.

Secure the Physical Switch


Secure the physical switch on each ESXi host to prevent attackers from gaining access to the
host and its virtual machines.

For best protection of your hosts, ensure that physical switch ports are configured with spanning
tree disabled and ensure that the non-negotiate option is configured for trunk links between
external physical switches and virtual switches in Virtual Switch Tagging (VST) mode.

Procedure

1 Log in to the physical switch and ensure that spanning tree protocol is disabled or that Port
Fast is configured for all physical switch ports that are connected to ESXi hosts.


2 For virtual machines that perform bridging or routing, check periodically that the first
upstream physical switch port is configured with BPDU Guard and Port Fast disabled and
with spanning tree protocol enabled.

In vSphere 5.1 and later, to prevent the physical switch from potential Denial of Service (DoS)
attacks, you can turn on the guest BPDU filter on the ESXi hosts.

3 Log in to the physical switch and ensure that Dynamic Trunking Protocol (DTP) is not enabled
on the physical switch ports that are connected to the ESXi hosts.

4 Routinely check physical switch ports to ensure that they are properly configured as trunk
ports if connected to virtual switch VLAN trunking ports.

Securing Standard Switch Ports with Security Policies


The VMkernel port group or virtual machine port group on a standard switch has a configurable
security policy. The security policy determines how strongly you enforce protection against
impersonation and interception attacks on VMs.

Just like physical network adapters, virtual machine network adapters can impersonate another
VM. Impersonation is a security risk.

n A VM can send frames that appear to be from a different machine so that it can receive
network frames that are intended for that machine.

n A virtual machine network adapter can be configured so that it receives frames targeted for
other machines.

When you add a VMkernel port group or virtual machine port group to a standard switch,
ESXi configures a security policy for the ports in the group. You can use this security policy to
ensure that the host prevents the guest operating systems of its VMs from impersonating other
machines on the network. The guest operating system that might attempt impersonation does
not detect that the impersonation was prevented.

The security policy determines how strongly you enforce protection against impersonation and
interception attacks on VMs. To correctly use the settings in the security profile, see the Security
Policy section in the vSphere Networking publication. This section explains:

n How VM network adapters control transmissions.

n How attacks are staged at this level.

Securing vSphere Standard Switches


You can secure standard switch traffic against Layer 2 attacks by restricting some of the MAC
address modes of the VM network adapters.

Each VM network adapter has an initial MAC address and an effective MAC address.

Initial MAC address


The initial MAC address is assigned when the adapter is created. Although the initial MAC
address can be reconfigured from outside the guest operating system, it cannot be changed
by the guest operating system.

Effective MAC address

Each adapter has an effective MAC address that filters out incoming network traffic with
a destination MAC address that is different from the effective MAC address. The guest
operating system is responsible for setting the effective MAC address and typically matches
the effective MAC address to the initial MAC address.

Upon creating a VM network adapter, the effective MAC address and initial MAC address are the
same. The guest operating system can alter the effective MAC address to another value at any
time. If an operating system changes the effective MAC address, its network adapter receives
network traffic that is destined for the new MAC address.

When sending packets through a network adapter, the guest operating system typically places
its own adapter effective MAC address in the source MAC address field of the Ethernet frames.
It places the MAC address for the receiving network adapter in the destination MAC address
field. The receiving adapter accepts packets only if the destination MAC address in the packet
matches its own effective MAC address.

An operating system can send frames with an impersonated source MAC address. An operating
system can therefore impersonate a network adapter that the receiving network authorizes, and
stage malicious attacks on the devices in a network.

Protect virtual traffic against impersonation and interception Layer 2 attacks by configuring a
security policy on port groups or ports.

The security policy on distributed port groups and ports includes the following options:

n MAC address changes (see MAC Address Changes)

n Promiscuous mode (see Promiscuous Mode Operation)

n Forged transmits (see Forged Transmits)

You can view and change the default settings by selecting the virtual switch associated with the
host from the vSphere Client. See vSphere Networking documentation.

MAC Address Changes


The security policy of a virtual switch includes a MAC address changes option. This option affects
traffic that a virtual machine receives.

When the MAC address changes option is set to Accept, ESXi accepts requests to change the
effective MAC address to a different address than the initial MAC address.


When the MAC address changes option is set to Reject, ESXi does not honor requests to change
the effective MAC address to a different address than the initial MAC address. This setting
protects the host against MAC impersonation. The port that the virtual machine adapter used to
send the request is disabled and the virtual machine adapter does not receive any more frames
until the effective MAC address matches the initial MAC address. The guest operating system
does not detect that the MAC address change request was not honored.

Note The iSCSI initiator relies on being able to get MAC address changes from certain types of
storage. If you are using ESXi iSCSI with iSCSI storage, set the MAC address changes option to
Accept.

In some situations, you might have a legitimate need for more than one adapter to have the same
MAC address on a network—for example, if you are using Microsoft Network Load Balancing in
unicast mode. When Microsoft Network Load Balancing is used in the standard multicast mode,
adapters do not share MAC addresses.

Forged Transmits


The Forged transmits option affects traffic that is transmitted from a virtual machine.

When the Forged transmits option is set to Accept, ESXi does not compare source and effective
MAC addresses.

To protect against MAC impersonation, you can set the Forged transmits option to Reject. If
you do, the host compares the source MAC address being transmitted by the guest operating
system with the effective MAC address for its virtual machine adapter to see if they match. If the
addresses do not match, the ESXi host drops the packet.

The guest operating system does not detect that its virtual machine adapter cannot send
packets by using the impersonated MAC address. The ESXi host intercepts any packets with
impersonated addresses before they are delivered, and the guest operating system might
assume that the packets are dropped.

Promiscuous Mode Operation


Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so
that the guest operating system receives all traffic observed on the wire. By default, the virtual
machine adapter cannot operate in promiscuous mode.

Although promiscuous mode can be useful for tracking network activity, it is an insecure mode of
operation, because any adapter in promiscuous mode has access to the packets even if some of
the packets are received only by a particular network adapter. This means that an administrator
or root user within a virtual machine can potentially view traffic destined for other guest or host
operating systems.


See the topic on configuring the security policy for a vSphere Standard Switch or Standard Port
Group in the vSphere Networking documentation for information about configuring the virtual
machine adapter for promiscuous mode.

Note In some situations, you might have a legitimate reason to configure a standard or a
distributed virtual switch to operate in promiscuous mode, for example, if you are running
network intrusion detection software or a packet sniffer.
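To make the three policy options concrete, the following added example (not VMware code) simulates how a port with a given policy treats a guest's MAC change request, its outgoing frames and its incoming frames, and audits a policy against the Reject defaults while honouring the exceptions named above (iSCSI and NLB unicast for MAC address changes, an IDS or sniffer for promiscuous mode). Adapters, MAC addresses and policies are constructed inline; a real audit would read the port group settings from the vSphere API.

```python
"""Simulate the standard switch security policy options (MAC address changes,
Forged transmits, Promiscuous mode) and audit a policy against the Reject
defaults, honouring the exceptions documented in the text.

Added example, not VMware code. Adapters and policies are plain Python
objects constructed inline."""

from dataclasses import dataclass

ACCEPT = "Accept"
REJECT = "Reject"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class SecurityPolicy:
    mac_changes: str = REJECT       # may the guest change its effective MAC?
    forged_transmits: str = REJECT  # must the source MAC match the effective MAC?
    promiscuous: str = REJECT       # does the adapter see all frames on the wire?


@dataclass
class VmAdapter:
    name: str
    initial_mac: str            # assigned by ESXi when the adapter is created
    effective_mac: str = ""     # owned by the guest OS; starts equal to initial
    port_enabled: bool = True   # cleared when a MAC change request is rejected

    def __post_init__(self):
        if not self.effective_mac:
            self.effective_mac = self.initial_mac


def request_mac_change(policy, adapter, new_mac):
    """Guest OS sets a new effective MAC. Returns True if the port stays up.

    The guest can always change its own effective MAC. With MAC address
    changes = Reject, ESXi responds by disabling the port until the effective
    MAC matches the initial MAC again; the guest is not told."""
    adapter.effective_mac = new_mac
    if policy.mac_changes == REJECT and new_mac != adapter.initial_mac:
        adapter.port_enabled = False
    else:
        adapter.port_enabled = True
    return adapter.port_enabled


def transmit(policy, adapter, src_mac):
    """Return True if ESXi forwards a frame the guest sends with src_mac.

    With Forged transmits = Reject the host compares the frame's source MAC
    with the adapter's effective MAC and silently drops a mismatch."""
    if policy.forged_transmits == REJECT and src_mac != adapter.effective_mac:
        return False
    return True


def receive(policy, adapter, dst_mac):
    """Return True if a frame addressed to dst_mac reaches the guest.

    A disabled port delivers nothing. Without promiscuous mode the adapter
    receives only frames for its effective MAC (or the broadcast address)."""
    if not adapter.port_enabled:
        return False
    if policy.promiscuous == ACCEPT:
        return True
    return dst_mac in (adapter.effective_mac, BROADCAST)


def audit_policy(policy, port_group, uses=frozenset()):
    """List deviations from the Reject defaults for one port group.

    `uses` names documented reasons for an Accept setting: "iscsi" or
    "nlb-unicast" for MAC address changes, "ids" (intrusion detection or a
    packet sniffer) for Promiscuous mode."""
    findings = []
    if policy.mac_changes == ACCEPT and not uses & {"iscsi", "nlb-unicast"}:
        findings.append(f"{port_group}: MAC address changes is Accept; set Reject")
    if policy.forged_transmits == ACCEPT:
        findings.append(f"{port_group}: Forged transmits is Accept; set Reject")
    if policy.promiscuous == ACCEPT and "ids" not in uses:
        findings.append(f"{port_group}: Promiscuous mode is Accept; set Reject")
    return findings


if __name__ == "__main__":
    hardened = SecurityPolicy()  # all three options set to Reject
    nic = VmAdapter("vm-accounting", "00:50:56:aa:bb:01")  # constructed MAC
    print("spoofed source dropped:", not transmit(hardened, nic, "00:50:56:aa:bb:99"))
    print("other VM's frame hidden:", not receive(hardened, nic, "00:50:56:aa:bb:02"))
    request_mac_change(hardened, nic, "00:50:56:aa:bb:99")
    print("port disabled after MAC change:", not nic.port_enabled)
    print(audit_policy(SecurityPolicy(ACCEPT, ACCEPT, ACCEPT), "pg-default"))
```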

Standard Switch Protection and VLANs


VMware standard switches provide safeguards against certain threats to VLAN security. Because
of the way that standard switches are designed, they protect VLANs against a variety of attacks,
many of which involve VLAN hopping.

Having this protection does not guarantee that your virtual machine configuration is invulnerable
to other types of attacks. For example, standard switches do not protect the physical network
against these attacks; they protect only the virtual network.

Standard switches and VLANs can protect against the following types of attacks.

MAC flooding

Floods a switch with packets that contain MAC addresses tagged as having come from
different sources. Many switches use a content-addressable memory table to learn and store
the source address for each packet. When the table is full, the switch can enter a fully open
state in which every incoming packet is broadcast on all ports, letting the attacker see all of
the switch’s traffic. This state might result in packet leakage across VLANs.

Although VMware standard switches store a MAC address table, they do not get the MAC
addresses from observable traffic and are not vulnerable to this type of attack.

802.1q and ISL tagging attacks

Force a switch to redirect frames from one VLAN to another by tricking the switch into acting
as a trunk and broadcasting the traffic to other VLANs.

VMware standard switches do not perform the dynamic trunking required for this type of
attack and, therefore, are not vulnerable.

Double-encapsulation attacks

Occur when an attacker creates a double-encapsulated packet in which the VLAN identifier
in the inner tag is different from the VLAN identifier in the outer tag. For backward
compatibility, native VLANs strip the outer tag from transmitted packets unless configured
to do otherwise. When a native VLAN switch strips the outer tag, only the inner tag is left,
and that inner tag routes the packet to a different VLAN than the one identified in the
now-missing outer tag.


VMware standard switches drop any double-encapsulated frames that a virtual machine
attempts to send on a port configured for a specific VLAN. Therefore, they are not vulnerable
to this type of attack.

Multicast brute-force attacks

Involve sending large numbers of multicast frames to a known VLAN almost simultaneously
to overload the switch so that it mistakenly allows some of the frames to broadcast to other
VLANs.

VMware standard switches do not allow frames to leave their correct broadcast domain
(VLAN) and are not vulnerable to this type of attack.

Spanning-tree attacks

Target Spanning-Tree Protocol (STP), which is used to control bridging between parts of the
LAN. The attacker sends Bridge Protocol Data Unit (BPDU) packets that attempt to change
the network topology, establishing themselves as the root bridge. As the root bridge, the
attacker can sniff the contents of transmitted frames.

VMware standard switches do not support STP and are not vulnerable to this type of attack.

Random frame attacks

Involve sending large numbers of packets in which the source and destination addresses stay
the same, but in which fields are randomly changed in length, type, or content. The goal of
this attack is to force packets to be mistakenly rerouted to a different VLAN.

VMware standard switches are not vulnerable to this type of attack.

Because new security threats develop over time, do not consider this an exhaustive list of
attacks. Regularly check VMware security resources on the Web to learn about security, recent
security alerts, and VMware security tactics.

Secure vSphere Distributed Switches and Distributed Port Groups


Administrators have several options for securing vSphere Distributed Switches in their vSphere
environment.

The same rules apply for VLANs in a vSphere Distributed Switch as they do in a standard switch.
For more information, see Standard Switch Protection and VLANs.

Procedure

1 For distributed port groups with static binding, disable the Auto Expand feature.

Auto Expand is enabled by default in vSphere 5.1 and later.

To disable Auto Expand, configure the autoExpand property under the distributed port group
with the vSphere Web Services SDK or with a command-line interface. See the vSphere Web
Services SDK documentation.


2 Ensure that all private VLAN IDs of any vSphere Distributed Switch are fully documented.

3 If you are using VLAN tagging on a dvPortgroup, VLAN IDs must correspond to the IDs on
external VLAN-aware upstream switches. If VLAN IDs are not tracked correctly, mistaken
reuse of IDs might allow unintended traffic. Similarly, wrong or missing VLAN IDs might lead
to traffic not passing between physical and virtual machines.

4 Ensure that no unused ports exist on a virtual port group associated with a vSphere
Distributed Switch.

5 Label all vSphere Distributed Switches.

vSphere Distributed Switches associated with an ESXi host require a text box for the name of
the switch. This label serves as a functional descriptor for the switch, just like the host name
associated with a physical switch. The label on the vSphere Distributed Switch indicates the
function or the IP subnet of the switch. For example, you can label the switch as internal to
indicate that it is only for internal networking on a virtual machine’s private virtual switch. No
traffic goes over physical network adapters.

6 Disable network health check for your vSphere Distributed Switches if you are not actively
using it.

Network health check is disabled by default. Once enabled, the health check packets contain
information about the host, switch, and port that an attacker can potentially use. Use network
health check only for troubleshooting, and turn it off when troubleshooting is finished.

7 Protect virtual traffic against impersonation and interception Layer 2 attacks by configuring a
security policy on port groups or ports.

The security policy on distributed port groups and ports includes the following options:

n MAC address changes (see MAC Address Changes)

n Promiscuous mode (see Promiscuous Mode Operation)

n Forged transmits (see Forged Transmits)


You can view and change the current settings by selecting Manage Distributed Port Groups
from the right-click menu of the distributed switch and selecting Security in the wizard. See
the vSphere Networking documentation.

Securing Virtual Machines with VLANs


The network can be one of the most vulnerable parts of any system. Your virtual machine
network requires as much protection as your physical network. Using VLANs can improve
networking security in your environment.

VLANs are an IEEE standard networking scheme with specific tagging methods that allow routing
of packets to only those ports that are part of the VLAN. When properly configured, VLANs
provide a dependable means for you to protect a set of virtual machines from accidental or
malicious intrusions.


VLANs let you segment a physical network so that two machines in the network are unable
to transmit packets back and forth unless they are part of the same VLAN. For example,
accounting records and transactions are among a company’s most sensitive internal information.
In a company whose sales, shipping, and accounting employees all use virtual machines in the
same physical network, you might protect the virtual machines for the accounting department by
setting up VLANs.

Figure 10-1. Sample VLAN Layout

[Figure: Hosts 1 through 4, each with a standard switch. VM0 to VM5 are on VLAN A (Broadcast
Domain A); VM6 to VM11 are on VLAN B (Broadcast Domain B); on Host 4, VM12 to VM14 are on
multiple VLANs (B, A, B) on the same virtual switch (Broadcast Domains A and B). A router,
physical Switch 1, and physical Switch 2 connect the hosts' standard switches.]

In this configuration, all employees in the accounting department use virtual machines in VLAN A
and the employees in sales use virtual machines in VLAN B.

The router forwards packets containing accounting data to the switches. These packets are
tagged for distribution to VLAN A only. Therefore, the data is confined to Broadcast Domain A
and cannot be routed to Broadcast Domain B unless the router is configured to do so.

This VLAN configuration prevents the sales force from intercepting packets destined for the
accounting department. It also prevents the accounting department from receiving packets
intended for the sales group. The virtual machines serviced by a single virtual switch can be
in different VLANs.


Security Considerations for VLANs


The way you set up VLANs to secure parts of a network depends on factors such as the guest
operating system and the way your network equipment is configured.

ESXi features a complete IEEE 802.1q-compliant VLAN implementation. VMware cannot make
specific recommendations on how to set up VLANs, but there are factors to consider when using
a VLAN deployment as part of your security enforcement policy.

Secure VLANs


Administrators have several options for securing the VLANs in their vSphere environment.

Procedure

1 Ensure that port groups are not configured to VLAN values that are reserved by upstream
physical switches.

Do not set VLAN IDs to values reserved for the physical switch.

2 Ensure that port groups are not configured to VLAN 4095 unless you are using it for Virtual
Guest Tagging (VGT).

Three types of VLAN tagging exist in vSphere:

n External Switch Tagging (EST)

n Virtual Switch Tagging (VST) - The virtual switch tags with the configured VLAN ID the
traffic that is incoming to the attached virtual machines and removes the VLAN tag from
the traffic that is leaving them. To set up VST mode, assign a VLAN ID between 1 and
4095.

n Virtual Guest Tagging (VGT) - Virtual machines handle VLAN traffic. To activate VGT
mode, set the VLAN ID to 4095. On a distributed switch, you can also allow virtual
machine traffic based on its VLAN by using the VLAN Trunking option.

On a standard switch you can configure VLAN networking mode at switch or port group
level, and on a distributed switch at distributed port group or port level.

3 Ensure that all VLANs on each virtual switch are fully documented and that each virtual
switch has all required VLANs and only required VLANs.
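The procedure in "Secure vSphere Distributed Switches and Distributed Port Groups" and the "Secure VLANs" procedure above are both checklists that an inventory script can apply. The following added example (not VMware code) audits distributed switch and port group records against those steps: Auto Expand on static-binding port groups, network health check left on, unused ports, missing labels, VLAN IDs reserved by the upstream switch, VLAN 4095 outside VGT mode, and undocumented, missing or extra VLANs. The switch records, the reserved VLAN IDs and the VLAN inventory are constructed inline; a real audit would build them from the vSphere API and the site's VLAN documentation.

```python
"""Audit distributed switch records against the hardening steps for
distributed switches, distributed port groups and VLANs.

Added example, not VMware code. All records are dicts constructed inline."""

VGT_VLAN_ID = 4095  # the VLAN ID that selects Virtual Guest Tagging


def audit_switch(switch, reserved_vlans, documented_vlans):
    """Return a list of findings (strings) for one distributed switch.

    Each entry of switch["port_groups"] carries: name, vlan (None when
    untagged), tagging ("EST", "VST" or "VGT"), static_binding, auto_expand,
    ports and connected_ports. switch["required_vlans"] is the set of VLANs
    the site intends this switch to carry."""
    name = switch["name"]
    findings = []
    if not switch.get("label_documented"):
        findings.append(f"{name}: no descriptive label recorded for the switch")
    if switch.get("health_check"):
        findings.append(f"{name}: network health check is enabled; disable it "
                        "when not troubleshooting")
    seen = set()
    for pg in switch["port_groups"]:
        tag = f"{name}/{pg['name']}"
        if pg.get("static_binding") and pg.get("auto_expand"):
            findings.append(f"{tag}: static binding with Auto Expand enabled; "
                            "set autoExpand to false")
        unused = pg["ports"] - pg["connected_ports"]
        if unused > 0:
            findings.append(f"{tag}: {unused} unused port(s)")
        vlan = pg.get("vlan")
        if vlan is None:
            continue
        seen.add(vlan)
        if vlan in reserved_vlans:
            findings.append(f"{tag}: VLAN {vlan} is reserved by the upstream "
                            "physical switch")
        if vlan == VGT_VLAN_ID:
            if pg.get("tagging") != "VGT":
                findings.append(f"{tag}: VLAN 4095 configured but port group "
                                "is not in VGT mode")
        elif vlan not in documented_vlans:
            findings.append(f"{tag}: VLAN {vlan} is not documented")
    required = set(switch.get("required_vlans", ()))
    for vlan in sorted(required - seen):
        findings.append(f"{name}: required VLAN {vlan} is missing")
    for vlan in sorted(seen - required - {VGT_VLAN_ID}):
        findings.append(f"{name}: VLAN {vlan} is present but not required")
    return findings


def audit_all(switches, reserved_vlans, documented_vlans):
    """Map each switch name to its findings."""
    return {s["name"]: audit_switch(s, reserved_vlans, documented_vlans)
            for s in switches}


# Constructed sample inventory: one clean switch and one with several issues.
SAMPLE_SWITCHES = [
    {"name": "dvs-prod", "label_documented": True, "health_check": False,
     "required_vlans": {10, 20},
     "port_groups": [
         {"name": "pg-accounting", "vlan": 10, "tagging": "VST",
          "static_binding": True, "auto_expand": False,
          "ports": 8, "connected_ports": 8},
         {"name": "pg-sales", "vlan": 20, "tagging": "VST",
          "static_binding": True, "auto_expand": False,
          "ports": 8, "connected_ports": 8},
     ]},
    {"name": "dvs-lab", "label_documented": False, "health_check": True,
     "required_vlans": {30},
     "port_groups": [
         {"name": "pg-lab", "vlan": 30, "tagging": "VST",
          "static_binding": True, "auto_expand": True,
          "ports": 16, "connected_ports": 3},
         {"name": "pg-trunk", "vlan": 4095, "tagging": "VST",
          "static_binding": False, "auto_expand": True,
          "ports": 4, "connected_ports": 4},
         {"name": "pg-old", "vlan": 1002, "tagging": "VST",
          "static_binding": True, "auto_expand": False,
          "ports": 4, "connected_ports": 4},
     ]},
]
RESERVED_VLANS = {1002, 1003, 1004, 1005}  # constructed upstream reservations
DOCUMENTED_VLANS = {10, 20, 30}            # constructed site VLAN inventory


if __name__ == "__main__":
    for switch, findings in audit_all(SAMPLE_SWITCHES, RESERVED_VLANS,
                                      DOCUMENTED_VLANS).items():
        print(switch, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```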

Creating Multiple Networks Within a Single ESXi Host


The ESXi system is designed so that you can connect some groups of virtual machines to the
internal network, others to the external network, and still others to both—all on the same host.
This capability is an outgrowth of basic virtual machine isolation coupled with a well-planned use
of virtual networking features.


Figure 10-2. External Networks, Internal Networks, and a DMZ Configured on a Single ESXi Host

[Figure: one ESXi host with three networks. External Network: VM 1 (FTP server). Internal
Network: VM 2, VM 3, VM 4, and VM 5 (internal users). DMZ: VM 6 (firewall server), VM 7 (Web
server), and VM 8 (firewall server). Separate physical network adapters connect the host to
External Network 1, Internal Network 2, External Network 2, and Internal Network 1.]

In the figure, the system administrator configured a host into three distinct virtual machine zones:
FTP server, internal virtual machines, and DMZ. Each zone serves a unique function.

FTP server

Virtual Machine 1 is configured with FTP software and acts as a holding area for data sent to
and from outside resources such as forms and collateral localized by a vendor.

This virtual machine is associated with an external network only. It has its own virtual switch
and physical network adapter that connect it to External Network 1. This network is dedicated
to servers that the company uses to receive data from outside sources. For example, the
company uses External Network 1 to receive FTP traffic from vendors and allow vendors
access to data stored on externally available servers through FTP. In addition to servicing
Virtual Machine 1, External Network 1 services FTP servers configured on different ESXi hosts
throughout the site.

Because Virtual Machine 1 does not share a virtual switch or physical network adapter with
any virtual machines in the host, the other resident virtual machines cannot transmit packets
to or receive packets from the Virtual Machine 1 network. This restriction prevents sniffing
attacks, which require sending network traffic to the victim. More importantly, an attacker
cannot use the natural vulnerability of FTP to access any of the host’s other virtual machines.

Internal virtual machines

Virtual Machines 2 through 5 are reserved for internal use. These virtual machines process
and store company-private data such as medical records, legal settlements, and fraud
investigations. As a result, the system administrators must ensure the highest level of
protection for these virtual machines.

These virtual machines connect to Internal Network 2 through their own virtual switch and
network adapter. Internal Network 2 is reserved for internal use by personnel such as claims
processors, in-house lawyers, or adjustors.

Virtual Machines 2 through 5 can communicate with one another through the virtual switch
and with internal virtual machines elsewhere on Internal Network 2 through the physical
network adapter. They cannot communicate with externally facing machines. As with the FTP
server, these virtual machines cannot send packets to or receive packets from the other
virtual machines’ networks. Similarly, the host’s other virtual machines cannot send packets to
or receive packets from Virtual Machines 2 through 5.

DMZ

Virtual Machines 6 through 8 are configured as a DMZ that the marketing group uses to
publish the company’s external website.

This group of virtual machines is associated with External Network 2 and Internal Network 1.
The company uses External Network 2 to support the Web servers that the marketing and
financial departments use to host the corporate website and other Web facilities offered
to outside users. Internal Network 1 is the conduit that the marketing department uses to
publish its content to the corporate Web site, post downloads, and maintain services like user
forums.
Because these networks are separate from External Network 1 and Internal Network 2, and
the virtual machines have no shared points of contact (switches or adapters), there is no risk
of attack to or from the FTP server or the internal virtual machine group.

By capitalizing on virtual machine isolation, correctly configuring virtual switches, and maintaining
network separation, the system administrator can house all three virtual machine zones in the
same ESXi host and be confident that there will be no data or resource breaches.

The company enforces isolation among the virtual machine groups by using multiple internal and
external networks and making sure that the virtual switches and physical network adapters for
each group are separate from those of other groups.

Because none of the virtual switches straddle virtual machine zones, the system administrator
succeeds in eliminating the risk of packet leakage from one zone to another. A virtual switch, by
design, cannot leak packets directly to another virtual switch. The only way for packets to travel
from one virtual switch to another is under the following circumstances:

n The virtual switches are connected to the same physical LAN.

n The virtual switches connect to a common virtual machine, which might be used to transmit
packets.

Neither of these conditions occurs in the sample configuration. If system administrators want to
verify that no common virtual switch paths exist, they can check for possible shared points of
contact by reviewing the network switch layout in the vSphere Client.

To safeguard the virtual machines’ resources, the system administrator lowers the risk of DoS
and DDoS attacks by configuring a resource reservation and a limit for each virtual machine. The
system administrator further protects the ESXi host and virtual machines by installing software
firewalls at the front and back ends of the DMZ, ensuring that the host is behind a physical
firewall, and configuring the networked storage resources so that each has its own virtual switch.

Internet Protocol Security


Internet Protocol Security (IPsec) secures IP communications coming from and arriving at a host.
ESXi hosts support IPsec using IPv6.

When you set up IPsec on a host, you enable authentication and encryption of incoming and
outgoing packets. When and how IP traffic is encrypted depends on how you set up the system's
security associations and security policies.

A security association determines how the system encrypts traffic. When you create a security
association, you specify the source and destination, encryption parameters, and a name for the
security association.

A security policy determines when the system should encrypt traffic. The security policy includes
source and destination information, the protocol and direction of traffic to be encrypted, the
mode (transport or tunnel) and the security association to use.

List Available Security Associations


ESXi can provide a list of all security associations available for use by security policies. The
list includes both user-created security associations and any security associations the VMkernel
installed using Internet Key Exchange.

You can get a list of available security associations using the esxcli vSphere CLI command.

Procedure

u At the command prompt, enter the command esxcli network ip ipsec sa list.

Results

ESXi displays a list of all available security associations.

Add an IPsec Security Association


Add a security association to specify encryption parameters for associated IP traffic.

You can add a security association using the esxcli vSphere CLI command.

Procedure

u At the command prompt, enter the command esxcli network ip ipsec sa add with one
or more of the following options.

Option Description

--sa-source=source address
    Required. Specify the source address.

--sa-destination=destination address
    Required. Specify the destination address.

--sa-mode=mode
    Required. Specify the mode, either transport or tunnel.

--sa-spi=security parameter index
    Required. Specify the security parameter index. The security parameter index
    identifies the security association to the host. It must be a hexadecimal with a
    0x prefix. Each security association you create must have a unique combination of
    protocol and security parameter index.

--encryption-algorithm=encryption algorithm
    Required. Specify the encryption algorithm using one of the following parameters.
    n 3des-cbc
    n aes128-cbc
    n null (provides no encryption)

--encryption-key=encryption key
    Required when you specify an encryption algorithm. Specify the encryption key. You
    can enter keys as ASCII text or as a hexadecimal with a 0x prefix.

--integrity-algorithm=authentication algorithm
    Required. Specify the authentication algorithm, either hmac-sha1 or hmac-sha2-256.

--integrity-key=authentication key
    Required. Specify the authentication key. You can enter keys as ASCII text or as a
    hexadecimal with a 0x prefix.

--sa-name=name
    Required. Provide a name for the security association.

Example: New Security Association Command


The following example contains extra line breaks for readability.

esxcli network ip ipsec sa add
--sa-source 3ffe:501:ffff:0::a
--sa-destination 3ffe:501:ffff:0001:0000:0000:0000:0001
--sa-mode transport
--sa-spi 0x1000
--encryption-algorithm 3des-cbc
--encryption-key 0x6970763672656164796c6f676f336465736362636f757432
--integrity-algorithm hmac-sha1
--integrity-key 0x6970763672656164796c6f67736861316f757432
--sa-name sa1

Remove an IPsec Security Association


You can remove a security association using the ESXCLI vSphere CLI command.

Prerequisites

Verify that the security association you want to remove is not currently in use. If you try to
remove a security association that is in use, the removal operation fails.

Procedure

u At the command prompt, enter the command esxcli network ip ipsec sa remove
--sa-name security_association_name

List Available IPsec Security Policies


You can list available security policies using the ESXCLI vSphere CLI command.

Procedure

u At the command prompt, enter the command esxcli network ip ipsec sp list

Results

The host displays a list of all available security policies.

Create an IPsec Security Policy


Create a security policy to determine when to use the authentication and encryption parameters
set in a security association. You can add a security policy using the ESXCLI vSphere CLI
command.

Prerequisites

Before creating a security policy, add a security association with the appropriate authentication
and encryption parameters as described in Add an IPsec Security Association.

Procedure

u At the command prompt, enter the command esxcli network ip ipsec sp add with one
or more of the following options.

Option Description

--sp-source=source address
    Required. Specify the source IP address and prefix length.

--sp-destination=destination address
    Required. Specify the destination address and prefix length.

--source-port=port
    Required. Specify the source port. The source port must be a number between 0 and
    65535.

--destination-port=port
    Required. Specify the destination port. The destination port must be a number
    between 0 and 65535.

--upper-layer-protocol=protocol
    Specify the upper layer protocol using one of the following parameters.
    n tcp
    n udp
    n icmp6
    n any

--flow-direction=direction
    Specify the direction in which you want to monitor traffic using either in or out.

--action=action
    Specify the action to take when traffic with the specified parameters is encountered
    using one of the following parameters.
    n none: Take no action.
    n discard: Do not allow data in or out.
    n ipsec: Use the authentication and encryption information supplied in the security
      association to determine whether the data comes from a trusted source.

--sp-mode=mode
    Specify the mode, either tunnel or transport.

--sa-name=security association name
    Required. Provide the name of the security association for the security policy to use.

--sp-name=name
    Required. Provide a name for the security policy.

Example: New Security Policy Command


The following example includes extra line breaks for readability.

esxcli network ip ipsec sp add
--sp-source=2001:db8:1::/64
--sp-destination=2002:db8:1::/64
--source-port=23
--destination-port=25
--upper-layer-protocol=tcp
--flow-direction=out
--action=ipsec
--sp-mode=transport
--sa-name=sa1
--sp-name=sp1
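The association and policy commands above carry constraints that are easy to get wrong on the ESXi command line: the SPI must be 0x-prefixed hexadecimal and unique, ports must fall within 0 to 65535, policy addresses need a prefix length, and a policy must name an association that already exists. The following Python script is an added example, not VMware code: it checks a set of associations and policies (dicts keyed by the esxcli option names from the two tables) against those rules and assembles the esxcli lines for review without contacting a host; the rule that --encryption-key may be omitted only for the null algorithm is an assumption.

```python
"""Check IPsec association/policy options against the tables above and assemble the
esxcli command lines for review.  Added example, not VMware code; nothing is run on a host."""
import re
import shlex

# Allowed values, copied from the esxcli option tables in this section.
ENCRYPTION_ALGOS = {"3des-cbc", "aes128-cbc", "null"}
INTEGRITY_ALGOS = {"hmac-sha1", "hmac-sha2-256"}
MODES = {"transport", "tunnel"}
UPPER_PROTOCOLS = {"tcp", "udp", "icmp6", "any"}
DIRECTIONS = {"in", "out"}
ACTIONS = {"none", "discard", "ipsec"}
SA_REQUIRED = ("sa-source", "sa-destination", "sa-mode", "sa-spi", "encryption-algorithm",
               "integrity-algorithm", "integrity-key", "sa-name")
SP_REQUIRED = ("sp-source", "sp-destination", "source-port", "destination-port", "sa-name", "sp-name")
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+$")


def key_is_valid(key):
    """Keys are accepted as printable ASCII text or as hexadecimal with a 0x prefix."""
    return bool(HEX_RE.match(key)) or (len(key) > 0 and key.isascii() and key.isprintable())


def check(opts, required, choices, errors):
    """Report missing required options and values outside the documented choices."""
    label = opts.get("sp-name") or opts.get("sa-name") or "?"
    for opt in required:
        if opt not in opts:
            errors.append(f"{label}: --{opt} is required")
    for opt, allowed in choices.items():
        if opt in opts and opts[opt] not in allowed:
            errors.append(f"{label}: --{opt} must be one of {sorted(allowed)}")
    return label


def validate_sa(sa):
    """Security association (esxcli network ip ipsec sa add) option checks."""
    errors = []
    name = check(sa, SA_REQUIRED, {"sa-mode": MODES, "encryption-algorithm": ENCRYPTION_ALGOS,
                                   "integrity-algorithm": INTEGRITY_ALGOS}, errors)
    if not HEX_RE.match(str(sa.get("sa-spi", ""))):
        errors.append(f"{name}: --sa-spi must be hexadecimal with a 0x prefix")
    # An encryption key is needed for every algorithm except null (assumption).
    if sa.get("encryption-algorithm") != "null" and not key_is_valid(str(sa.get("encryption-key", ""))):
        errors.append(f"{name}: --encryption-key is required for {sa.get('encryption-algorithm')}")
    if not key_is_valid(str(sa.get("integrity-key", ""))):
        errors.append(f"{name}: --integrity-key must be ASCII text or 0x-prefixed hex")
    return errors


def validate_sp(sp, known_sa_names):
    """Security policy (esxcli network ip ipsec sp add) option checks."""
    errors = []
    name = check(sp, SP_REQUIRED, {"upper-layer-protocol": UPPER_PROTOCOLS, "flow-direction": DIRECTIONS,
                                   "action": ACTIONS, "sp-mode": MODES}, errors)
    for opt in ("sp-source", "sp-destination"):
        if "/" not in str(sp.get(opt, "")):
            errors.append(f"{name}: --{opt} needs an address with a prefix length")
    for opt in ("source-port", "destination-port"):
        if not 0 <= int(sp.get(opt, -1)) <= 65535:
            errors.append(f"{name}: --{opt} must be between 0 and 65535")
    if sp.get("sa-name") not in known_sa_names:
        errors.append(f"{name}: --sa-name {sp.get('sa-name')} is not an association in this set")
    return errors


def command(subcommand, opts):
    """Render one esxcli line; option order follows the dict, values are shell-quoted."""
    return shlex.join(["esxcli", "network", "ip", "ipsec", subcommand, "add"]
                      + [f"--{k}={v}" for k, v in opts.items()])


def plan(associations, policies):
    """Check the whole set; return (commands, warnings) or raise ValueError listing every error."""
    errors, warnings, seen_spis = [], [], set()
    for sa in associations:
        errors += validate_sa(sa)
        spi = str(sa.get("sa-spi", "")).lower()
        if spi in seen_spis:  # the table requires a unique protocol/SPI combination per host
            errors.append(f"{sa.get('sa-name')}: --sa-spi {spi} is already used by another association")
        seen_spis.add(spi)
        if sa.get("encryption-algorithm") == "null":
            warnings.append(f"{sa.get('sa-name')}: null encryption gives integrity only; payload stays readable")
    names = {sa.get("sa-name") for sa in associations}
    for sp in policies:
        errors += validate_sp(sp, names)
        if sp.get("action") == "none":
            warnings.append(f"{sp.get('sp-name')}: action none neither protects nor discards matching traffic")
    if errors:
        raise ValueError("; ".join(errors))
    # Associations are emitted first so that each policy references one that already exists.
    return [command("sa", sa) for sa in associations] + [command("sp", sp) for sp in policies], warnings
```

Feed plan() the association and policy dicts for a host and run the returned lines only after reviewing the warnings.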

Remove an IPsec Security Policy


You can remove a security policy from the ESXi host using the ESXCLI vSphere CLI command.

Prerequisites

Verify that the security policy you want to remove is not currently in use. If you try to remove a
security policy that is in use, the removal operation fails.

Procedure

u At the command prompt, enter the command esxcli network ip ipsec sp remove
--sp-name security_policy_name.

To remove all security policies, enter the command esxcli network ip ipsec sp remove
--remove-all.

Ensure Proper SNMP Configuration


If SNMP is not properly configured, monitoring information can be sent to a malicious host. The
malicious host can then use this information to plan an attack.

SNMP must be configured on each ESXi host. You can use vCLI, PowerCLI, or the vSphere Web
Services SDK for configuration.

See the Monitoring and Performance publication for detailed setup information for SNMP 3.

Procedure

1 Run the following command to determine whether SNMP is currently used.

esxcli system snmp get

2 To enable SNMP, run the following command.

esxcli system snmp set --enable true

3 To disable SNMP, run the following command.

esxcli system snmp set --enable false

vSphere Networking Security Best Practices


Following networking security best practices helps ensure the integrity of your vSphere
deployment.

General Networking Security Recommendations


Following general network security recommendations is the first step in securing your networking
environment. You can then move on to special areas, such as securing the network with firewalls
or using IPsec.

n Spanning Tree Protocol (STP) detects and prevents loops from forming in the network
topology. VMware virtual switches prevent loops in other ways, but do not support STP
directly. When network topology changes occur, some time is required (30–50 seconds)
while the network relearns the topology. During that time, no traffic is allowed to pass. To
avoid these problems, network vendors have created features to enable switch ports to
continue forwarding traffic. For more information, see the VMware knowledge base article
at https://kb.vmware.com/kb/1003804. Consult your network vendor documentation for the
proper network and networking hardware configurations.

n Ensure that Netflow traffic for a Distributed Virtual Switch is only sent to authorized collector
IP addresses. Netflow exports are not encrypted and can contain information about the
virtual network. This information increases the potential for sensitive information to be viewed
and captured in transit by attackers. If Netflow export is required, verify that all Netflow
target IP addresses are correct.

n Ensure that only authorized administrators have access to virtual networking components by
using the role-based access controls. For example, give virtual machine administrators only
access to port groups in which their virtual machines reside. Give network administrators
access to all virtual networking components but no access to virtual machines. Limiting
access reduces the risk of misconfiguration, whether accidental or malicious, and enforces
key security concepts of separation of duties and least privilege.

n Ensure that port groups are not configured to the value of the native VLAN. Physical switches
are often configured with a native VLAN, and that native VLAN is often VLAN 1 by default.
ESXi does not have a native VLAN. Frames from a port group with a VLAN ID specified carry a
tag, but frames from a port group with no VLAN ID specified are not tagged. This can cause a
problem because virtual machines that are tagged with a 1 end up belonging to the native VLAN
of the physical switch.

For example, frames on VLAN 1 from a Cisco physical switch are untagged because VLAN
1 is the native VLAN on that physical switch. However, frames from the ESXi host that are
specified as VLAN 1 are tagged with a 1. As a result, traffic from the ESXi host that is destined
for the native VLAN is not routed correctly because it is tagged with a 1 instead of being
untagged. Traffic from the physical switch that is coming from the native VLAN is not visible
because it is not tagged. If the ESXi virtual switch port group uses the native VLAN ID, traffic
from virtual machines on that port is not visible to the native VLAN on the switch because the
switch is expecting untagged traffic.

n Ensure that port groups are not configured to VLAN values reserved by upstream physical
switches. Physical switches reserve certain VLAN IDs for internal purposes and often disallow
traffic configured to these values. For example, Cisco Catalyst switches typically reserve
VLANs 1001–1024 and 4094. Using a reserved VLAN might result in a denial of service on the
network.

n Ensure that port groups are not configured to VLAN 4095 except for Virtual Guest Tagging
(VGT). Setting a port group to VLAN 4095 activates VGT mode. In this mode, the virtual
switch passes all network frames to the virtual machine without modifying the VLAN tags,
leaving it to the virtual machine to deal with them.

n Restrict port-level configuration overrides on a distributed virtual switch. Port-level
configuration overrides are disabled by default. When overrides are enabled, you can use
different security settings for a virtual machine than the port-group level settings. Certain
virtual machines require unique configurations, but monitoring is essential. If overrides are not
monitored, anyone who gains access to a virtual machine with a less secure distributed virtual
switch configuration might attempt to exploit that access.

n Ensure that distributed virtual switch port mirror traffic is sent only to authorized collector
ports or VLANs. A vSphere Distributed Switch can mirror traffic from one port to another
to allow packet capture devices to collect specific traffic flows. Port mirroring sends a copy
of all specified traffic in unencrypted format. This mirrored traffic contains the full data in
the packets captured and can result in total compromise of that data if misdirected. If port
mirroring is required, verify that all port mirror destination VLAN, port, and uplink IDs are
correct.

Labeling Networking Components


Identifying the different components of your networking architecture is critical and helps ensure
that no errors are introduced as your network grows.

Follow these best practices:

n Ensure that port groups are configured with a clear network label. These labels serve as a
functional descriptor for the port group and help you identify each port group's function as
the network becomes more complex.

n Ensure that each vSphere Distributed Switch has a clear network label that indicates the
function or IP subnet of the switch. This label serves as a functional descriptor for the switch,
just as physical switches require a host name. For example, you can label the switch as
internal to show that it is for internal networking. You cannot change the label for a standard
virtual switch.

Document and Check the vSphere VLAN Environment


Check your VLAN environment regularly to avoid addressing problems. Fully document the
VLAN environment and ensure that VLAN IDs are used only once. Your documentation can help
with troubleshooting and is essential when you want to expand the environment.

Procedure

1 Ensure that all vSwitch and VLAN IDs are fully documented.

If you are using VLAN tagging on a virtual switch, the IDs must correspond to the IDs on
external VLAN-aware upstream switches. If VLAN IDs are not tracked completely, mistaken
reuse of IDs might allow for traffic between the wrong physical and virtual machines.
Similarly, if VLAN IDs are wrong or missing, traffic between physical and virtual machines
might be blocked where you want traffic to pass.

2 Ensure that VLAN IDs for all distributed virtual port groups (dvPortgroup instances) are fully
documented.

If you are using VLAN tagging on a dvPortgroup, the IDs must correspond to the IDs on
external VLAN-aware upstream switches. If VLAN IDs are not tracked completely, mistaken
reuse of IDs might allow for traffic between the wrong physical and virtual machines.
Similarly, if VLAN IDs are wrong or missing, traffic between physical and virtual machines
might be blocked where you want traffic to pass.

3 Ensure that private VLAN IDs for all distributed virtual switches are fully documented.

Private VLANs (PVLANs) for distributed virtual switches require primary and secondary VLAN
IDs. These IDs must correspond to the IDs on external PVLAN-aware upstream switches. If
VLAN IDs are not tracked completely, mistaken reuse of IDs might allow for traffic between
the wrong physical and virtual machines. Similarly, if PVLAN IDs are wrong or missing, traffic
between physical and virtual machines might be blocked where you want traffic to pass.

4 Verify that VLAN trunk links are connected only to physical switch ports that function as
trunk links.

When connecting a virtual switch to a VLAN trunk port, you must properly configure both
the virtual switch and the physical switch at the uplink port. If the physical switch is not
properly configured, frames with the VLAN 802.1q header are forwarded to a switch that is not
expecting their arrival.

Adopting Network Isolation Practices


Network isolation practices significantly bolster network security in your vSphere environment.

Isolate the Management Network


The vSphere management network provides access to the vSphere management interface on
each component. Services running on the management interface provide an opportunity for an
attacker to gain privileged access to the systems. Remote attacks are likely to begin with gaining
access to this network. If an attacker gains access to the management network, it provides the
staging ground for further intrusion.

Strictly control access to the management network by protecting it at the security level of the
most secure VM running on an ESXi host or cluster. No matter how the management network
is restricted, administrators must have access to this network to configure the ESXi hosts and
vCenter Server system.

Place the vSphere management port group in a dedicated VLAN on a common standard switch.
Production (VM) traffic can share the standard switch if the vSphere management port group's
VLAN is not used by production VMs.

Check that the network segment is not routed, except to networks where other management-
related entities are found. Routing a network segment might make sense for vSphere Replication.
In particular, make sure that production VM traffic cannot be routed to this network.

Strictly control access to management functionality by using one of the following approaches.

n For especially sensitive environments, configure a controlled gateway or other controlled
method to access the management network. For example, require that administrators
connect to the management network through a VPN. Allow access to the management
network only to trusted administrators.

n Configure jump boxes that run management clients.

Isolate Storage Traffic


Ensure that IP-based storage traffic is isolated. IP-based storage includes iSCSI and NFS. VMs
might share virtual switches and VLANs with the IP-based storage configurations. This type of
configuration might expose IP-based storage traffic to unauthorized VM users.

IP-based storage frequently is not encrypted. Anyone with access to this network can view
IP-based storage traffic. To restrict unauthorized users from viewing IP-based storage traffic,
logically separate the IP-based storage network traffic from the production traffic. Configure
the IP-based storage adapters on separate VLANs or network segments from the VMkernel
management network to limit unauthorized users from viewing the traffic.

Isolate vMotion Traffic


vMotion migration information is transmitted in plain text. Anyone with access to the network
over which this information flows can view it. Potential attackers can intercept vMotion traffic to
obtain the memory contents of a VM. They might also stage a man-in-the-middle (MITM) attack in
which the contents are modified during migration.

Separate vMotion traffic from production traffic on an isolated network. Set up the network to
be nonroutable, that is, make sure that no layer-3 router is spanning this and other networks, to
prevent outside access to the network.

Use a dedicated VLAN on a common standard switch for the vMotion port group. Production
(VM) traffic can use the same standard switch if the vMotion port group’s VLAN is not used by
production VMs.

Isolate vSAN Traffic


When configuring your vSAN network, isolate vSAN traffic on its own Layer 2 network segment.
You can perform this isolation by using dedicated switches or ports, or by using a VLAN.
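The VLAN rules in the best-practices list (native VLAN, reserved IDs, VLAN 4095), the VLAN documentation check, and the isolation of management, vMotion, and storage traffic from VM port groups can all be verified mechanically. The following Python audit is an added example, not VMware code: the port group inventory and the VLAN register are constructed inline in place of a vCenter export, and the native VLAN of 1 and the Cisco Catalyst reserved range are taken from the text as assumptions about the upstream switches.

```python
"""Audit port-group VLAN assignments against the networking rules in this section.
Added example, not VMware code; the inventory below is constructed inline."""
from collections import defaultdict
from dataclasses import dataclass

NATIVE_VLAN = 1                                    # native VLAN of the upstream switches (assumption)
RESERVED_VLANS = set(range(1001, 1025)) | {4094}   # Cisco Catalyst reservations cited in the text
VGT_VLAN = 4095                                    # Virtual Guest Tagging
INFRA_KINDS = {"management", "vmotion", "storage", "vsan"}  # traffic to keep off VM VLANs


@dataclass(frozen=True)
class PortGroup:
    switch: str
    name: str
    vlan: int          # 0 means untagged, 4095 means VGT
    kind: str          # one of INFRA_KINDS, or "vm" for production VM traffic
    vgt: bool = False  # True only when the guest really does its own 802.1q tagging


def audit(port_groups, vlan_register, native_vlan=NATIVE_VLAN, reserved=RESERVED_VLANS):
    """Return (port group, finding) pairs; an empty list means the layout passes every check.

    vlan_register is the documentation the procedure above asks for: VLAN ID -> the kind
    of traffic the upstream switches carry on it."""
    findings = []
    kinds_on = defaultdict(set)                    # VLAN ID -> kinds of traffic placed on it
    for pg in port_groups:
        kinds_on[pg.vlan].add(pg.kind)
        if pg.vlan == native_vlan:
            findings.append((pg, "uses the physical switch's native VLAN: ESXi tags these "
                                 "frames but the switch expects them untagged"))
        if pg.vlan in reserved:
            findings.append((pg, "uses a VLAN ID reserved by the upstream switch"))
        if pg.vlan == VGT_VLAN and not pg.vgt:
            findings.append((pg, "VLAN 4095 enables VGT; every tagged frame reaches the VM"))
        if pg.vlan not in (0, VGT_VLAN) and pg.vlan not in vlan_register:
            findings.append((pg, "VLAN ID is not documented in the VLAN register"))
        elif pg.vlan in vlan_register and vlan_register[pg.vlan] != pg.kind:
            findings.append((pg, f"VLAN ID is documented for {vlan_register[pg.vlan]} traffic, "
                                 f"not {pg.kind}: possible ID reuse"))
    for pg in port_groups:                         # isolation of management/vMotion/storage
        if pg.kind in INFRA_KINDS and "vm" in kinds_on[pg.vlan]:
            findings.append((pg, f"{pg.kind} VLAN is shared with VM port groups; isolate it"))
    return findings


# Constructed inventory standing in for a vCenter export; comments mark the planted mistakes.
INVENTORY = [
    PortGroup("vSwitch0", "Management Network", 10, "management"),
    PortGroup("vSwitch0", "vMotion", 20, "vmotion"),
    PortGroup("vSwitch1", "iSCSI-A", 30, "storage"),
    PortGroup("vSwitch2", "Prod-Web", 100, "vm"),
    PortGroup("vSwitch2", "Prod-DB", 1, "vm"),             # native VLAN of the physical switch
    PortGroup("vSwitch2", "Legacy-App", 1005, "vm"),       # inside the reserved range
    PortGroup("vSwitch2", "Trunk-Guest", 4095, "vm"),      # VGT without an intended use
    PortGroup("vSwitch3", "Dev-Test", 20, "vm"),           # reuses the vMotion VLAN
    PortGroup("vSwitch3", "Undoc", 250, "vm"),             # never written into the register
]
VLAN_REGISTER = {10: "management", 20: "vmotion", 30: "storage", 100: "vm", 1: "vm", 1005: "vm"}

if __name__ == "__main__":
    for pg, finding in audit(INVENTORY, VLAN_REGISTER):
        print(f"{pg.switch}/{pg.name} (VLAN {pg.vlan}): {finding}")
```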

Use Virtual Switches with the vSphere Network Appliance API Only If Required
Do not configure your host to send network information to a virtual machine unless you are
using products that use the vSphere Network Appliance API (DvFilter). If the vSphere Network
Appliance API is enabled, an attacker might attempt to connect a virtual machine to the filter.
This connection might provide access to the network of other virtual machines on the host.

If you are using a product that uses this API, verify that the host is configured correctly.
See the sections on DvFilter in Developing and Deploying vSphere Solutions, vServices,
and ESX Agents. If your host is set up to use the API, make sure that the value of the
Net.DVFilterBindIpAddress parameter matches the product that uses the API.

Procedure

1 Browse to the host in the vSphere Client inventory.

2 Click Configure.

3 Under System, click Advanced System Settings.

4 Scroll down to Net.DVFilterBindIpAddress and verify that the parameter has an empty
value.

The order of parameters is not strictly alphabetical. Type DVFilter in the Filter text box to
display all related parameters.

5 Verify the setting.

n If you are not using DvFilter settings, make sure that the value is blank.

n If you are using DvFilter settings, make sure that the value of the parameter is correct.
The value must match the value that the product that uses the DvFilter is using.

Chapter 11 Best Practices Involving Multiple vSphere Components
Some security best practices, such as setting up NTP in your environment, affect more than one
vSphere component. Consider these recommendations when configuring your environment.

See Chapter 3 Securing ESXi Hosts and Chapter 5 Securing Virtual Machines for related
information.

Read the following topics next:

n Synchronizing Clocks on the vSphere Network

n Storage Security Best Practices

n Verify That Sending Host Performance Data to Guests Is Disabled

n Setting Timeouts for the ESXi Shell and vSphere Web Client

Synchronizing Clocks on the vSphere Network


Verify that all components on the vSphere network have their clocks synchronized. If the clocks
on the physical machines in your vSphere network are not synchronized, SSL certificates and
SAML Tokens, which are time-sensitive, might not be recognized as valid in communications
between network machines.

Unsynchronized clocks can result in authentication problems, which can cause the installation to
fail or prevent the vCenter Server Appliance vmware-vpxd service from starting.

Time inconsistencies in vSphere can cause firstboot to fail at different services depending on
where in the environment time is not accurate and when the time is synchronized. Problems most
commonly occur when the target ESXi host for the destination vCenter Server Appliance is not
synchronized with NTP. Similarly, issues can arise if the destination vCenter Server Appliance
migrates to an ESXi host set to a different time due to fully automated DRS.

To avoid time synchronization issues, ensure that the following is correct before installing,
migrating, or upgrading a vCenter Server Appliance.

n The target ESXi host where the destination vCenter Server Appliance is to be deployed is
synchronized to NTP.

n The ESXi host running the source vCenter Server Appliance is synchronized to NTP.

n When upgrading or migrating, if the vCenter Server Appliance is connected to an external
Platform Services Controller, ensure the ESXi host running the external Platform Services
Controller is synchronized to NTP.

n If you are upgrading or migrating, verify that the source vCenter Server or vCenter Server
Appliance and external Platform Services Controller have the correct time.

Verify that any Windows host machine on which vCenter Server runs is synchronized with the
Network Time Protocol (NTP) server. See Knowledge Base article KB 1318.

To synchronize ESXi clocks with an NTP server, you can use the VMware Host Client. For
information about editing the time configuration of an ESXi host, see vSphere Single Host
Management.
To learn how to change time synchronization settings for vCenter Server Appliance, see
"Configuring Time Synchronization Settings in the vCenter Server Appliance" in vCenter Server
Appliance Configuration.
To learn how to edit time configuration for a host, see "Edit Time Configuration for a Host" in
vCenter Server and Host Management.

What to read next

n Synchronize ESXi Clocks with a Network Time Server


Before you install vCenter Server or deploy the vCenter Server Appliance, make sure all
machines on your vSphere network have their clocks synchronized.

n Configuring Time Synchronization Settings in the vCenter Server Appliance


You can change the time synchronization settings in the vCenter Server Appliance after
deployment.

Synchronize ESXi Clocks with a Network Time Server


Before you install vCenter Server or deploy the vCenter Server Appliance, make sure all
machines on your vSphere network have their clocks synchronized.

This task explains how to set up NTP from the VMware Host Client. You can instead use the
vicfg-ntp vCLI command. See the vSphere Command-Line Interface Reference.

Procedure

1 Start the VMware Host Client, and connect to the ESXi host.

2 Click Manage.

3 Under System, click Time & date, and click Edit settings.

4 Select Use Network Time Protocol (enable NTP client).

5 In the NTP servers text box, enter the IP address or fully qualified domain name of one or
more NTP servers to synchronize with.

6 (Optional) Set the startup policy and service status.

7 Click Save.

The host synchronizes with the NTP server.

Configuring Time Synchronization Settings in the vCenter Server Appliance
You can change the time synchronization settings in the vCenter Server Appliance after
deployment.

When you deploy the vCenter Server Appliance, you can choose the time synchronization
method to be either by using an NTP server or by using VMware Tools. In case the time settings
in your vSphere network change, you can edit the vCenter Server Appliance and configure the
time synchronization settings by using the commands in the appliance shell.

When you enable periodic time synchronization, VMware Tools sets the time of the guest
operating system to be the same as the time of the host.

After time synchronization occurs, VMware Tools checks once every minute to determine
whether the clocks on the guest operating system and the host still match. If not, the clock
on the guest operating system is synchronized to match the clock on the host.

Native time synchronization software, such as Network Time Protocol (NTP), is typically more
accurate than VMware Tools periodic time synchronization and is therefore preferred. You can
use only one form of periodic time synchronization in the vCenter Server Appliance. If you decide
to use native time synchronization software, vCenter Server Appliance VMware Tools periodic
time synchronization is disabled, and the reverse.

Use VMware Tools Time Synchronization


You can set up the vCenter Server Appliance to use VMware Tools time synchronization.

Procedure

1 Access the appliance shell and log in as a user who has the administrator or super
administrator role.

The default user with super administrator role is root.

2 Run the command to enable VMware Tools time synchronization.

timesync.set --mode host

3 (Optional) Run the command to verify that you successfully applied the VMware Tools time
synchronization.

timesync.get

The command returns that the time synchronization is in host mode.

Results

The time of the appliance is synchronized with the time of the ESXi host.

Add or Replace NTP Servers in the vCenter Server Appliance Configuration


To set up the vCenter Server Appliance to use NTP-based time synchronization, you must add
the NTP servers to the vCenter Server Appliance configuration.

Procedure

1 Access the appliance shell and log in as a user who has the administrator or super
administrator role.

The default user with super administrator role is root.

2 Add NTP servers to the vCenter Server configuration by running the following ntp.set
command.

ntp.set --servers IP-addresses-or-host-names

In this command, IP-addresses-or-host-names is a comma-separated list of IP addresses or
host names of the NTP servers.
This command removes the current NTP servers (if any) and adds the new NTP servers to the
configuration. If the time synchronization is based on an NTP server, then the NTP daemon is
restarted to reload the new NTP servers. Otherwise, this command replaces the current NTP
servers in the NTP configuration with the new NTP servers you specify.

3 (Optional) To verify that you successfully applied the new NTP configuration settings, run the
following command.

ntp.get

The command returns a space-separated list of the servers configured for NTP
synchronization. If the NTP synchronization is enabled, the command returns that the NTP
configuration is in Up status. If the NTP synchronization is disabled, the command returns that
the NTP configuration is in Down status.

4 (Optional) To verify if the NTP server is reachable, run the following command.

ntp.test --servers IP-addresses-or-host-names

The command returns the status of the NTP servers.

What to do next

If the NTP synchronization is disabled, you can configure the time synchronization settings in
the vCenter Server Appliance to be based on an NTP server. See Synchronize the Time in the
vCenter Server Appliance with an NTP Server.

Synchronize the Time in the vCenter Server Appliance with an NTP Server
You can configure the time synchronization settings in the vCenter Server Appliance to be based
on an NTP server.

Prerequisites

Set up one or more Network Time Protocol (NTP) servers in the vCenter Server Appliance
configuration. See Add or Replace NTP Servers in the vCenter Server Appliance Configuration.

Procedure

1 Access the appliance shell and log in as a user who has the administrator or super
administrator role.

The default user with super administrator role is root.

2 Run the command to enable NTP-based time synchronization.

timesync.set --mode NTP

3 (Optional) Run the command to verify that you successfully applied the NTP synchronization.

timesync.get

The command returns that the time synchronization is in NTP mode.

Storage Security Best Practices


Follow best practices for storage security, as outlined by your storage security provider. You can
also take advantage of CHAP and mutual CHAP to secure iSCSI storage, mask and zone SAN
resources, and configure Kerberos credentials for NFS 4.1.

See also the Administering VMware vSAN documentation.

Securing iSCSI Storage


The storage you configure for a host might include one or more storage area networks (SANs)
that use iSCSI. When you configure iSCSI on a host, you can take measures to minimize security
risks.

iSCSI supports accessing SCSI devices and exchanging data by using TCP/IP over a network
port rather than through a direct connection to a SCSI device. An iSCSI transaction encapsulates
blocks of raw SCSI data in iSCSI records and transmits the data to the requesting device or user.

iSCSI SANs support efficient use of the existing Ethernet infrastructure to provide hosts access
to storage resources that they can dynamically share. iSCSI SANs are an economical storage
solution for environments that rely on a common storage pool to serve many users. As with any
networked system, your iSCSI SANs can be subject to security breaches.

Note The requirements and procedures for securing an iSCSI SAN are similar for hardware iSCSI
adapters associated with hosts and for iSCSI configured directly through the host.

Securing iSCSI Devices


To secure iSCSI devices, require that the ESXi host, or initiator, can authenticate to the iSCSI
device, or target, whenever the host attempts to access data on the target LUN.

Authentication ensures that the initiator has the right to access a target. You grant this right
when you configure authentication on the iSCSI device.

ESXi does not support Secure Remote Password (SRP) or public-key authentication methods for
iSCSI. You can use Kerberos only with NFS 4.1.

ESXi supports both CHAP and Mutual CHAP authentication. The vSphere Storage documentation
explains how to select the best authentication method for your iSCSI device and how to set up
CHAP.

Ensure uniqueness of CHAP secrets. Set up a different mutual authentication secret for each
host. If possible, set up a different secret for each client that authenticates to the ESXi host.
Unique secrets ensure that an attacker cannot create another arbitrary host and authenticate to
the storage device even if one host is compromised. With a shared secret, compromise of one
host might allow an attacker to authenticate to the storage device.

Protecting an iSCSI SAN


When you plan your iSCSI configuration, take measures to improve the overall security of the
iSCSI SAN. Your iSCSI configuration is only as secure as your IP network, so by enforcing good
security standards when you set up your network, you help safeguard your iSCSI storage.

The following are some specific suggestions for enforcing good security standards.

Protect Transmitted Data


A primary security risk in iSCSI SANs is that an attacker might sniff transmitted storage data.

Take additional measures to prevent attackers from easily seeing iSCSI data. Neither the
hardware iSCSI adapter nor ESXi iSCSI initiator encrypts the data that they transmit to and from
the targets, making the data more vulnerable to sniffing attacks.

Allowing your virtual machines to share standard switches and VLANs with your iSCSI
configuration potentially exposes iSCSI traffic to misuse by a virtual machine attacker. To help
ensure that intruders cannot listen to iSCSI transmissions, make sure that none of your virtual
machines can see the iSCSI storage network.

If you use a hardware iSCSI adapter, you can accomplish this by making sure that the iSCSI
adapter and ESXi physical network adapter are not inadvertently connected outside the host by
virtue of sharing a switch or some other means. If you configure iSCSI directly through the ESXi
host, you can accomplish this by configuring iSCSI storage through a different standard switch
than the one used by your virtual machines.

In addition to protecting the iSCSI SAN by giving it a dedicated standard switch, you can
configure your iSCSI SAN on its own VLAN to improve performance and security. Placing your
iSCSI configuration on a separate VLAN ensures that no devices other than the iSCSI adapter
have visibility into transmissions within the iSCSI SAN. Also, network congestion from other
sources cannot interfere with iSCSI traffic.

Secure iSCSI Ports


When you run iSCSI devices, ESXi does not open any ports that listen for network connections.
This measure reduces the chances that an intruder can break into ESXi through spare ports and
gain control over the host. Therefore, running iSCSI does not present any additional security risks
at the ESXi end of the connection.

Any iSCSI target device that you run must have one or more open TCP ports to listen for iSCSI
connections. If any security vulnerabilities exist in the iSCSI device software, your data can be
at risk through no fault of ESXi. To lower this risk, install all security patches that your storage
equipment manufacturer provides and limit the devices connected to the iSCSI network.

Masking and Zoning SAN Resources


You can use zoning and LUN masking to separate SAN activity and restrict access to storage
devices.

You can protect access to storage in your vSphere environment by using zoning and LUN
masking with your SAN resources. For example, you might manage zones defined for testing
independently within the SAN so they do not interfere with activity in the production zones.
Similarly, you might set up different zones for different departments.

When you set up zones, take into account any host groups that are set up on the SAN device.

Zoning and masking capabilities for each SAN switch and disk array and the tools for managing
LUN masking are vendor specific.

See your SAN vendor's documentation and the vSphere Storage documentation.

Using Kerberos for NFS 4.1


With NFS version 4.1, ESXi supports the Kerberos authentication mechanism.

The RPCSEC_GSS Kerberos mechanism is an authentication service. It allows an NFS 4.1 client
installed on ESXi to prove its identity to an NFS server before mounting an NFS share. The
Kerberos security uses cryptography to work across an insecure network connection.

The ESXi implementation of Kerberos for NFS 4.1 provides two security models, krb5 and krb5i,
that offer different levels of security.

n Kerberos for authentication only (krb5) supports identity verification.

n Kerberos for authentication and data integrity (krb5i), in addition to identity verification,
provides data integrity services. These services help to protect the NFS traffic from
tampering by checking data packets for any potential modifications.

Kerberos supports cryptographic algorithms that prevent unauthorized users from gaining
access to NFS traffic. The NFS 4.1 client on ESXi attempts to use either the AES256-CTS-HMAC-
SHA1-96 or AES128-CTS-HMAC-SHA1-96 algorithm to access a share on the NAS server. Before
using your NFS 4.1 datastores, make sure that AES256-CTS-HMAC-SHA1-96 or AES128-CTS-
HMAC-SHA1-96 are enabled on the NAS server.

The following table compares Kerberos security levels that ESXi supports.

Table 11-1. Types of Kerberos Security

Kerberos for authentication only (krb5)
    Integrity checksum for RPC header: ESXi 6.0 - Yes with DES; ESXi 6.5 and later - Yes with AES
    Integrity checksum for RPC data: ESXi 6.0 - No; ESXi 6.5 and later - No

Kerberos for authentication and data integrity (krb5i)
    Integrity checksum for RPC header: ESXi 6.0 - No krb5i; ESXi 6.5 and later - Yes with AES
    Integrity checksum for RPC data: ESXi 6.0 - No krb5i; ESXi 6.5 and later - Yes with AES

When you use Kerberos authentication, the following considerations apply:

n ESXi uses Kerberos with the Active Directory domain.

n As a vSphere administrator, you specify Active Directory credentials to provide access to
NFS 4.1 Kerberos datastores for an NFS user. A single set of credentials is used to access all
Kerberos datastores mounted on that host.

n When multiple ESXi hosts share the NFS 4.1 datastore, you must use the same Active
Directory credentials for all hosts that access the shared datastore. To automate the
assignment process, set the user in host profiles and apply the profile to all ESXi hosts.

n You cannot use two security mechanisms, AUTH_SYS and Kerberos, for the same NFS 4.1
datastore shared by multiple hosts.

See the vSphere Storage documentation for step-by-step instructions.

Verify That Sending Host Performance Data to Guests Is Disabled
vSphere includes virtual machine performance counters on Windows operating systems where
VMware Tools is installed. Performance counters allow virtual machine owners to do accurate
performance analysis within the guest operating system. By default, vSphere does not expose
host information to the guest virtual machine.

By default, the capability to send host performance data to a virtual machine is disabled. This
default setting prevents a virtual machine from obtaining detailed information about the physical
host. If a security breach of the virtual machine occurs, the setting does not make host data
available to the attacker.

Note The procedure below illustrates the basic process. Consider using one of the vSphere
command-line interfaces (vCLI, PowerCLI, and so on) for performing this task on all hosts
simultaneously.

Procedure

1 On the ESXi system that hosts the virtual machine, browse to the VMX file.

Virtual machine configuration files are located in the /vmfs/volumes/datastore directory,
where datastore is the name of the storage device where the virtual machine files are stored.

2 In the VMX file, verify that the following parameter is set.

tools.guestlib.enableHostInfo=FALSE

3 Save and close the file.

Results

You cannot retrieve performance information about the host from inside the guest virtual
machine.
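A POSIX shell audit for this setting, added here as an example and not taken from the guide: it classifies each VMX file under a datastore directory and flags only an explicit TRUE, treating an absent key as the default (disabled) state described above. The datastore path and VM names are constructed.

```shell
#!/bin/sh
# Added example, not from the vSphere Security guide: audit VMX files for
# tools.guestlib.enableHostInfo. The capability is disabled by default, so a
# VMX that omits the key is compliant; the only finding is an explicit TRUE.

# Classify one VMX file. Prints disabled-explicit, disabled-default or ENABLED,
# and returns non-zero only when host info exposure is turned on.
vmx_hostinfo_status() {
    vmx="$1"
    # Accept both key=FALSE and key = "FALSE" forms; VMX keys and boolean
    # values are case-insensitive, so normalise to lower case before testing.
    value=$(grep -i '^[[:space:]]*tools\.guestlib\.enableHostInfo[[:space:]]*=' "$vmx" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/"//g; s/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]')
    case "$value" in
        "")    echo "disabled-default";  return 0 ;;
        false) echo "disabled-explicit"; return 0 ;;
        true)  echo "ENABLED";           return 1 ;;
        *)     echo "unexpected:$value"; return 1 ;;
    esac
}

# Walk one datastore directory (layout /vmfs/volumes/<datastore>/<vm>/<vm>.vmx)
# and print a FINDING line per VM that exposes host data. Returns the number
# of findings, so 0 means every VM on the datastore is compliant.
audit_datastore() {
    ds="$1"
    findings=0
    for f in "$ds"/*/*.vmx; do
        [ -f "$f" ] || continue
        status=$(vmx_hostinfo_status "$f") || {
            echo "FINDING: $f tools.guestlib.enableHostInfo is $status"
            findings=$((findings + 1))
        }
    done
    return "$findings"
}

# Constructed sample datastore with three VMs (names and paths are invented).
SAMPLE_DS=$(mktemp -d)
mkdir -p "$SAMPLE_DS/web01" "$SAMPLE_DS/db01" "$SAMPLE_DS/build01"
printf '%s\n' '.encoding = "UTF-8"' 'displayName = "web01"' \
    'tools.guestlib.enableHostInfo = "FALSE"' > "$SAMPLE_DS/web01/web01.vmx"
printf '%s\n' '.encoding = "UTF-8"' 'displayName = "db01"' \
    > "$SAMPLE_DS/db01/db01.vmx"
printf '%s\n' '.encoding = "UTF-8"' 'displayName = "build01"' \
    'tools.guestlib.enableHostInfo = "TRUE"' > "$SAMPLE_DS/build01/build01.vmx"

audit_datastore "$SAMPLE_DS" || echo "$? VM(s) expose host performance data to the guest"
```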

Setting Timeouts for the ESXi Shell and vSphere Web Client
To prevent intruders from using an idle session, be sure to set timeouts for the ESXi Shell and
vSphere Web Client.

ESXi Shell Timeout


For the ESXi Shell, you can set the following timeouts from the vSphere Web Client and from the
Direct Console User Interface (DCUI).

Availability Timeout

The availability timeout setting is the amount of time that can elapse before you must log in
after the ESXi Shell is enabled. After the timeout period, the service is disabled and users are
not allowed to log in.

Idle Timeout

The idle timeout is the amount of time that can elapse before the user is logged out of an idle
interactive session. Changes to the idle timeout apply the next time a user logs in to the ESXi
Shell. Changes do not affect existing sessions.

vSphere Web Client Timeout


vSphere Web Client sessions terminate after 120 minutes by default. You can change this default
in the webclient.properties file, as discussed in the vCenter Server and Host Management
documentation.

12 Managing TLS Protocol Configuration with the TLS Configurator Utility
Starting with vSphere 6.7, only TLS 1.2 is enabled by default. TLS 1.0 and TLS 1.1 are disabled
by default. Whether you do a fresh install, upgrade, or migration, vSphere 6.7 disables TLS 1.0
and TLS 1.1. You can use the TLS Configurator utility to enable older versions of the protocol
temporarily on vSphere 6.7 systems. You can then disable the older less secure versions after all
connections use TLS 1.2.

Note Starting with vSphere 6.7, the TLS Configurator utility is included in the product. You no
longer download it separately.

Before you perform a reconfiguration, consider your environment. Depending on your
environmental requirements and software versions, you might need to re-enable TLS 1.0 and
TLS 1.1, in addition to TLS 1.2, to maintain interoperability. For VMware products, consult VMware
Knowledge Base article 2145796 for a list of VMware products that support TLS 1.2. For third-
party integration, consult your vendor's documentation.

Read the following topics next:

n Ports That Support Disabling TLS Versions

n Enabling or Disabling TLS Versions in vSphere

n Perform an Optional Manual Backup

n Enable or Disable TLS Versions on vCenter Server Systems

n Enable or Disable TLS Versions on ESXi Hosts

n Enable or Disable TLS Versions on External Platform Services Controller Systems

n Scan vCenter Server for Enabled TLS Protocols

n Revert TLS Configuration Changes

n Enable or Disable TLS Versions on vSphere Update Manager on Windows

Ports That Support Disabling TLS Versions


When you run the TLS Configurator utility in the vSphere environment, you can disable TLS
across ports that use TLS on vCenter Server, Platform Services Controller, and ESXi hosts. You
can disable TLS 1.0 or both TLS 1.0 and TLS 1.1.

vCenter Server and ESXi use ports that can be enabled or disabled for TLS protocols. The TLS
Configuration utility scan option displays which versions of TLS are enabled for each service. See
Scan vCenter Server for Enabled TLS Protocols.

For the list of all supported ports and protocols in VMware products, including vSphere and
vSAN, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. You can search
ports by VMware product, create a customized list of ports, and print or save port lists.

Notes and Caveats


n You can reconfigure the following services only on the vCenter Server Appliance.

n VMware Syslog Collector

n VMware Appliance Management Interface

n vSphere Update Manager Service

n On vCenter Server on Windows, you reconfigure the TLS for Update Manager ports by
editing configuration files. See Enable or Disable TLS Versions on vSphere Update Manager
on Windows.

n Starting with vSphere 6.7, you can use TLS 1.2 to encrypt the connection between vCenter
Server and an external Microsoft SQL Server. You cannot use a TLS 1.2 only connection to an
external Oracle database. See VMware Knowledge Base article 2149745.

n Do not disable TLS 1.0 on a vCenter Server or Platform Services Controller instance that is
running on Windows Server 2008. Windows 2008 supports only TLS 1.0. See the Microsoft
TechNet Article TLS/SSL Settings in the Server Roles and Technologies Guide.

n If you change the TLS protocols, you must restart the ESXi host to apply the changes. You
must restart the host even if you apply the changes through cluster configuration by using
host profiles. You can choose to restart the host immediately, or postpone the restart to a
more convenient time.

Enabling or Disabling TLS Versions in vSphere


Disabling TLS versions is a multi-phase process. Disabling TLS versions in the right order ensures
that your environment stays up and running during the process.

1 If your environment includes vSphere Update Manager on Windows, and vSphere Update
Manager is on a separate system, disable protocols explicitly by editing configuration files.
See Enable or Disable TLS Versions on vSphere Update Manager on Windows.

vSphere Update Manager on the vCenter Server Appliance is always included with the
vCenter Server system and the script updates the corresponding port.

2 Run the utility on vCenter Server.

3 Run the utility on each ESXi host that is managed by the vCenter Server. You can perform this
task for each host or for all hosts in a cluster.

4 If your environment uses one or more Platform Services Controller instances, run the utility on
each instance.

Prerequisites

You have two choices for using TLS in your environment.

n Disable TLS 1.0, and enable TLS 1.1 and TLS 1.2.

n Disable TLS 1.0 and TLS 1.1, and enable TLS 1.2.

Perform an Optional Manual Backup


The TLS Configuration utility performs a backup each time the script modifies vCenter Server,
Platform Services Controller, or vSphere Update Manager on the vCenter Server Appliance. If you
need a backup to a specific directory, you can perform a manual backup.

Backup of the ESXi configuration is not supported.

For vCenter Server or Platform Services Controller, the default directory differs for Windows and
the appliance.

OS Backup Directory

Windows c:\users\current_user\appdata\local\temp\yearmonthdayTtime

Linux /tmp/yearmonthdayTtime

Procedure

1 Change directory to VcTlsReconfigurator.

OS Command

Windows cd %VMWARE_CIS_HOME%\TlsReconfigurator\VcTlsReconfigurator

Linux cd /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator

2 To make a backup to a specific directory, run the following command.

OS Command

Windows directory_path\VcTlsReconfigurator> reconfigureVc backup -d backup_directory_path

Linux directory_path/VcTlsReconfigurator> ./reconfigureVc backup -d backup_directory_path

3 Verify that the backup was successful.

A successful backup looks similar to the following example. The order of services displayed
might be different each time you run the reconfigureVc backup command, due to the way
the command runs.

vCenter Transport Layer Security reconfigurator, version=6.7.0, build=8070195
For more information refer to the following article: https://kb.vmware.com/kb/2147469
Log file: "/var/log/vmware/vSphere-TlsReconfigurator/VcTlsReconfigurator.log".
================= Backing up vCenter Server TLS configuration ==================
Using backup directory: /tmp/20180422T224804
Backing up: vmware-sps
Backing up: vmdird
Backing up: vmware-rbd-watchdog
Backing up: vmware-vpxd
Backing up: vmware-updatemgr
Backing up: vmcam
Backing up: vsphere-client
Backing up: vami-lighttp
Backing up: rsyslog
Backing up: vmware-rhttpproxy
Backing up: vmware-stsd

4 (Optional) If you later have to perform a restore, you can run the following command.

reconfigureVc restore -d optional_custom_backup_directory_path

Enable or Disable TLS Versions on vCenter Server Systems


You can use the TLS Configuration utility to enable or disable TLS versions on vCenter Server
systems with an external Platform Services Controller and on vCenter Server systems with an
embedded Platform Services Controller. As part of the process, you can disable TLS 1.0, and
enable TLS 1.1 and TLS 1.2. Or, you can disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2.

Prerequisites

Ensure that the hosts and services that the vCenter Server manages can communicate using
a version of TLS that remains enabled. For products that communicate only using TLS 1.0,
connectivity becomes unavailable.

Procedure

1 Log in to the vCenter Server system with the user name and password for
[email protected], or as another member of the vCenter Single Sign-On
Administrators group who can run scripts.

2 Go to the directory where the script is located.

OS Command

Windows cd %VMWARE_CIS_HOME%\TlsReconfigurator\VcTlsReconfigurator

Linux cd /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator

3 Run the command, depending on your operating system and on which version of TLS you
want to use.

n To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2, run the following command.

OS Command

Windows directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2

Linux directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2

n To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2, run the following command.

OS Command

Windows directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2

Linux directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2

4 If your environment includes other vCenter Server systems, repeat the process on each
vCenter Server system.

5 Repeat the configuration on each ESXi host and each Platform Services Controller.

Enable or Disable TLS Versions on ESXi Hosts


You can use the TLS Configuration utility to enable or disable TLS versions on an ESXi host. As
part of the process, you can disable TLS 1.0, and enable TLS 1.1 and TLS 1.2. Or, you can disable
TLS 1.0 and TLS 1.1, and enable only TLS 1.2.

For ESXi hosts, you use a different utility than for the other components of your vSphere
environment. The utility is release-specific, and cannot be used on a previous release.

You can write a script to configure multiple hosts.

Prerequisites

Ensure that any products or services associated with the ESXi host can communicate using TLS
1.1 or TLS 1.2. For products that communicate only using TLS 1.0, connectivity is lost.

Procedure

1 Log in to the vCenter Server system with the user name and password of the vCenter Single
Sign-On user who can run scripts.

2 Go to the directory where the script is located.

OS Command

Windows cd %VMWARE_CIS_HOME%\TlsReconfigurator\EsxTlsReconfigurator

Linux cd /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator

3 For an ESXi host that is part of a cluster, run one of the following commands.

n To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on all hosts in a cluster, run the
following command.

OS Command

Windows reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2

Linux ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2

n To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on all hosts in a cluster, run the
following command.

OS Command

Windows reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2

Linux ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2

4 For an individual host that is not part of a cluster, run one of the following commands.

n To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on an individual host, run the
following command.

OS Command

Windows reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.1 TLSv1.2

Linux ./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.1 TLSv1.2

n To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on an individual host, run the
following command.

OS Command

Windows reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.2

Linux ./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.2

Note To reconfigure a standalone ESXi host, log into a vCenter Server system and run
the reconfigureEsx command with the ESXiHost -h HOST -u ESXi_USER options. For the
HOST option, you can specify the IP address or FQDN of a single ESXi host, or a list of
host IP addresses or FQDNs. For example, logging in to a vCenter Server and running the
following command enables both TLS 1.1 and TLS 1.2 on two ESXi hosts:

./reconfigureEsx ESXiHost -h 198.51.100.2 198.51.100.3 -u root -p TLSv1.1 TLSv1.2

Alternatively, to reconfigure a standalone ESXi host, you can log into the host and modify
the UserVars.ESXiVPsDisabledProtocols advanced setting. See the topic titled
"Configure Advanced TLS/SSL Key Options" in the vSphere Single Host Management -
VMware Host Client documentation for more information.

5 Reboot the ESXi host to complete the TLS protocol changes.

Enable or Disable TLS Versions on External Platform Services Controller Systems
If your environment includes one or more Platform Services Controller systems, you can use the
TLS Configuration utility to change which versions of TLS are supported.

If your environment uses only an embedded Platform Services Controller, you previously
completed this task during the vCenter Server process. See Enable or Disable TLS Versions on
vCenter Server Systems.

Note Proceed with this task only after you confirm that each vCenter Server system is running a
compatible version of TLS.

As part of the process, you can disable TLS 1.0, and enable TLS 1.1 and TLS 1.2. Or, you can
disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2.

Prerequisites

Ensure that the applications, hosts, and services that connect to the Platform Services Controller
are eligible or configured to communicate by using a version of TLS that remains enabled.
Because the Platform Services Controller handles authentication and certificate management,
consider carefully which services might be affected. For services that communicate only using
unsupported protocols, connectivity becomes unavailable.

Procedure

1 Log in to the Platform Services Controller as a user who can run scripts and go to the
directory where the script is located.

OS Command

Windows cd %VMWARE_CIS_HOME%\TlsReconfigurator\VcTlsReconfigurator

Linux cd /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator

2 You can perform the task on Platform Services Controller on Windows or on the Platform
Services Controller appliance.

n To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2, run the following command.

OS Command

Windows directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2

Linux directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2

n To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2, run the following command.

OS Command

Windows directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2

Linux directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2

3 If your environment includes other Platform Services Controller systems, repeat the process.

Scan vCenter Server for Enabled TLS Protocols


After you enable or disable TLS versions on vCenter Server, you can use the TLS Configuration
utility to view your changes.

The TLS Configuration utility scan option displays which versions of TLS are enabled for each
service.

Procedure

1 Log in to the vCenter Server system.

OS Procedure

Windows a Log in as a user with Administrator privileges.
b Go to the VcTlsReconfigurator directory.

cd %VMWARE_CIS_HOME%\TlsReconfigurator\VcTlsReconfigurator

Linux a Connect to the appliance using SSH and log in as a user who has privileges to run scripts.
b If the Bash shell is not currently enabled, run the following commands.

shell.set --enabled true
shell

c Go to the VcTlsReconfigurator directory.

cd /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator

2 To display which services have TLS enabled, and the ports used, run the following command.

reconfigureVc scan

Revert TLS Configuration Changes


You can use the TLS Configuration utility to revert configuration changes. When you revert the
changes, the system enables protocols that you disabled using TLS Configurator utility.

You can only perform a recovery if you previously backed up the configuration.

Perform recovery in this order.

1 vSphere Update Manager.

If your environment runs a separate vSphere Update Manager instance on a Windows
system, you must update vSphere Update Manager first.

2 vCenter Server.

3 Platform Services Controller.

Prerequisites

Before reverting changes, use the vCenter Server Appliance interface to perform a backup of the
Windows machine or appliance.

Procedure

1 Connect to the Windows machine or the appliance.

2 Log in to the system where you want to revert changes.

Option Description

Windows a Log in as a user with Administrator privileges.
b Go to the VcTlsReconfigurator directory.

cd %VMWARE_CIS_HOME%\TlsReconfigurator\VcTlsReconfigurator

Linux a Connect to the appliance using SSH and log in as a user who has privileges to run scripts.
b If the Bash shell is not currently enabled, run the following commands.

shell.set --enabled true
shell

c Go to the VcTlsReconfigurator directory.

cd /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator

3 Review the previous backup.

Option Description

Windows C:\ProgramData\VMware\vCenterServer\logs\vmware\vSphere-TlsReconfigurator\VcTlsReconfigurator.log

The output looks like the following example.

c:\users\username\appdata\local\temp\20161108T161539
c:\users\username\appdata\local\temp\20161108T171539

Linux grep "backup directory" /var/log/vmware/vSphere-TlsReconfigurator/VcTlsReconfigurator.log

The output looks like the following example.

2016-11-17T17:29:20.950Z INFO Using backup directory: /tmp/20161117T172920
2016-11-17T17:32:59.019Z INFO Using backup directory: /tmp/20161117T173259

4 Run one of the following commands to perform a restore.

Option Description

Windows reconfigureVc restore -d Directory_path_from_previous_step

For example:

reconfigureVc restore -d c:\users\username\appdata\local\temp\20161108T171539

Linux reconfigureVc restore -d Directory_path_from_previous_step

For example:

reconfigureVc restore -d /tmp/20161117T172920

5 Repeat the procedure on any other vCenter Server instances.

6 Repeat the procedure on any other Platform Services Controller instances.
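The following POSIX shell helper, added as an example and not part of the guide, performs the Linux case of steps 3 and 4 programmatically: it extracts the backup directories recorded in VcTlsReconfigurator.log and builds the restore command for the newest one, which is the state saved immediately before the most recent reconfigureVc update. The log lines are constructed to match the format shown above; the log path and restore syntax are the ones the procedure gives.

```shell
#!/bin/sh
# Added example, not from the vSphere Security guide: pick the most recent TLS
# Configurator backup directory out of VcTlsReconfigurator.log so that the
# restore step can be scripted instead of read off by eye.

# Constructed log excerpt in the format shown in the procedure (not a real log).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
2016-11-17T17:29:20.950Z INFO Using backup directory: /tmp/20161117T172920
2016-11-17T17:30:01.112Z INFO Backing up: vmware-vpxd
2016-11-17T17:32:59.019Z INFO Using backup directory: /tmp/20161117T173259
2016-11-17T17:33:40.500Z INFO Backing up: vmware-rhttpproxy
EOF

# List every backup directory recorded in the log, oldest first. The directory
# names end in yearmonthdayTtime, so a plain sort orders them chronologically.
list_backup_dirs() {
    grep "Using backup directory:" "$1" \
        | sed 's/.*Using backup directory: *//' \
        | sort -u
}

# Print the newest backup directory, or fail when the log records none
# (a restore is only possible if a backup was taken).
latest_backup_dir() {
    dir=$(list_backup_dirs "$1" | tail -n 1)
    [ -n "$dir" ] || { echo "no backup directory recorded in $1" >&2; return 1; }
    echo "$dir"
}

# Build the restore command for the newest backup without running it, so the
# operator can review the directory before invoking reconfigureVc.
restore_command() {
    dir=$(latest_backup_dir "$1") || return 1
    echo "./reconfigureVc restore -d $dir"
}

restore_command "$LOG"
```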

Enable or Disable TLS Versions on vSphere Update Manager on Windows
In vSphere Update Manager 6.7, TLS 1.2 is enabled by default. TLS 1.0 and TLS 1.1 are disabled by
default. You can enable TLS version 1.0 and TLS version 1.1, but you cannot disable TLS version
1.2.

You can manage the TLS protocol configuration for other services by using the TLS Configuration
Utility. For vSphere Update Manager on Windows, however, you must reconfigure the TLS
protocol manually.

Modifying the TLS protocol configuration might involve any of the following tasks.

n Disabling TLS version 1.0 while leaving TLS version 1.1 and TLS version 1.2 enabled.

n Disabling TLS version 1.0 and TLS version 1.1 while leaving TLS version 1.2 enabled.

n Re-enabling a disabled TLS protocol version.

Disable Earlier TLS Versions for Update Manager Port 9087


You can disable earlier versions of TLS for port 9087 by modifying the jetty-vum-ssl.xml
configuration file. The process is different for Port 8084.

Note Before you disable a TLS version, make sure that none of the services that communicate
with vSphere Update Manager use that version.

Prerequisites

Stop the vSphere Update Manager service. See the Installing and Administering VMware vSphere
Update Manager documentation.

Procedure

1 Stop the vSphere Update Manager service.

2 Navigate to the Update Manager installation directory, which is different for vSphere 6.0 and
vSphere 6.5 and later.

Version Location

vSphere 6.0 C:\Program Files (x86)\VMware\Infrastructure\Update Manager

vSphere 6.5 and later C:\Program Files\VMware\Infrastructure\Update Manager

3 Make a backup of the jetty-vum-ssl.xml file and open the file.

4 Disable earlier versions of TLS by changing the file.

Option Description

Disable TLS 1.0. Leave TLS 1.1 and TLS 1.2 enabled.

<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
    <Item>TLSv1</Item>
  </Array>
</Set>

Disable TLS 1.0 and TLS 1.1. Leave TLS 1.2 enabled.

<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
    <Item>TLSv1</Item>
    <Item>TLSv1.1</Item>
  </Array>
</Set>

5 Save the file.

6 Restart the vSphere Update Manager service.

Disable Earlier TLS Versions for Update Manager Port 8084


You can disable earlier versions of TLS for port 8084 by modifying the vci-integrity.xml
configuration file. The process is different for Port 9087.

Note Before you disable a TLS version, make sure that none of the services that communicate
with vSphere Update Manager use that version.

Prerequisites

Stop the vSphere Update Manager service. See the Installing and Administering VMware vSphere
Update Manager documentation.

Procedure

1 Stop the vSphere Update Manager service.

2 Navigate to the Update Manager installation directory, which is different for 6.0 and 6.5 and
later.

Version Location

vSphere 6.0 C:\Program Files (x86)\VMware\Infrastructure\Update Manager

vSphere 6.5 and later C:\Program Files\VMware\Infrastructure\Update Manager

3 Make a backup of the vci-integrity.xml file and open the file.

4 Edit the vci-integrity.xml file and add a <protocols> tag. (The closing tag of
handshakeTimeoutMs must match the opening tag exactly; XML element names are case-sensitive.)

   <vmacore>
     <ssl>
       <handshakeTimeoutMs>120000</handshakeTimeoutMs>
       <protocols>protocols_value</protocols>
     </ssl>
   </vmacore>

5 Depending on the TLS version that you want to enable, use one of the following values in the
<protocols> tag.

   TLS Versions to Enable       Use...
   All                          tls1.0,tls1.1,tls1.2
   Only TLSv1.1 and TLSv1.2     tls1.1,tls1.2
   Only TLSv1.2                 tls1.2, or do not include a protocols tag. Because the default is
                                TLS 1.2, no protocols tag is present to start with in vmacore.

6 (Optional) Starting from vSphere 6.0 Update 2, you might have an <sslOptions> tag.

If so, remove the <sslOptions> tag.

7 Save the vci-integrity.xml file.

8 Restart the vSphere Update Manager service.

Reenable Disabled TLS Versions for Update Manager Port 9087


If you disable a version of TLS for Update Manager Port 9087 and you encounter problems, you
can reenable the version. The process is different for reenabling port 8084.

Reenabling an earlier version of TLS has security implications.

Procedure

1 Stop the vSphere Update Manager service.


2 Navigate to the Update Manager installation directory, which is different for 6.0 and 6.5 and
later.

   Version                 Location
   vSphere 6.0             C:\Program Files (x86)\VMware\Infrastructure\Update Manager
   vSphere 6.5 and later   C:\Program Files\VMware\Infrastructure\Update Manager

3 Make a backup of the jetty-vum-ssl.xml file and open the file.

4 Remove the TLS tag that corresponds to the TLS protocol version that you want to enable.

For example, remove <Item>TLSv1.1</Item> in the jetty-vum-ssl.xml file to enable TLSv1.1.

5 Save the file.

6 Restart the vSphere Update Manager service.

Reenable Disabled TLS Versions for Update Manager Port 8084


If you disable a version of TLS for Update Manager Port 8084 and you encounter problems, you
can reenable the version. The process is different for port 9087.

Reenabling an earlier version of TLS has security implications.

Procedure

1 Stop the vSphere Update Manager service.

2 Navigate to the Update Manager installation directory, which is different for 6.0 and 6.5 and
later.

   Version                 Location
   vSphere 6.0             C:\Program Files (x86)\VMware\Infrastructure\Update Manager
   vSphere 6.5 and later   C:\Program Files\VMware\Infrastructure\Update Manager

3 Make a backup of the vci-integrity.xml file and open the file.

4 Edit the <protocols> tag. (The closing tag of handshakeTimeoutMs must match the opening tag
exactly; XML element names are case-sensitive.)

   <vmacore>
     <ssl>
       <handshakeTimeoutMs>120000</handshakeTimeoutMs>
       <protocols>protocols_value</protocols>
     </ssl>
   </vmacore>


5 Depending on the TLS version that you want to enable, use one of the following values in the
<protocols> tag.

   TLS Versions to Enable       Use...
   All                          tls1.0,tls1.1,tls1.2
   Only TLSv1.1 and TLSv1.2     tls1.1,tls1.2
   Only TLSv1.2                 tls1.2, or do not include a protocols tag. Because the default is
                                TLS 1.2, no protocols tag is present to start with in vmacore.

6 Save the vci-integrity.xml file.

7 Restart the vSphere Update Manager service.
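The following Python script is an added example and is not part of this guide or of the Update Manager product. It reads the two configuration files that the port 9087 and port 8084 procedures above edit (jetty-vum-ssl.xml and vci-integrity.xml) offline and reports which TLS versions each port would still accept, so a hardening change or a reenable can be verified before the service is restarted. It also rejects a mistyped <protocols> value and flags a leftover <sslOptions> tag. Only the <Set name="ExcludeProtocols"> and <vmacore><ssl><protocols> fragments come from the procedures; the <Configure> wrapper around the Jetty fragment, the sample file contents and the parsing approach are assumptions.

```python
"""Offline check of the Update Manager TLS settings for ports 9087 and 8084.

Added example: parses jetty-vum-ssl.xml (port 9087) and vci-integrity.xml
(port 8084) fragments in the shapes shown in the procedures above.
"""
import xml.etree.ElementTree as ET

# Jetty-style names for the three versions the procedures can toggle.
ALL_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2")
# Tokens accepted in the vci-integrity.xml <protocols> tag, mapped to those names.
VMACORE_TOKENS = {"tls1.0": "TLSv1", "tls1.1": "TLSv1.1", "tls1.2": "TLSv1.2"}


def jetty_enabled_protocols(xml_text):
    """TLS versions left enabled by jetty-vum-ssl.xml (port 9087).

    Every <Item> under <Set name="ExcludeProtocols"> is disabled; versions
    not listed there stay enabled.
    """
    root = ET.fromstring(xml_text)
    excluded = set()
    for node in root.iter("Set"):
        if node.get("name") == "ExcludeProtocols":
            excluded.update((item.text or "").strip() for item in node.iter("Item"))
    return [v for v in ALL_VERSIONS if v not in excluded]


def validate_protocols_value(value):
    """Return the tokens in a <protocols> value that vmacore would not understand."""
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    return [t for t in tokens if t not in VMACORE_TOKENS]


def vmacore_enabled_protocols(xml_text):
    """TLS versions enabled by vci-integrity.xml (port 8084).

    A missing or empty <protocols> tag means the default, TLS 1.2 only.
    An unknown token (a typo such as "tls.1.1") raises ValueError so the
    mistake is caught before the service is restarted.
    """
    root = ET.fromstring(xml_text)
    protocols = None
    for ssl in root.iter("ssl"):  # works whether <vmacore> is the root or nested
        protocols = ssl.find("protocols")
        if protocols is not None:
            break
    if protocols is None or not (protocols.text or "").strip():
        return ["TLSv1.2"]
    bad = validate_protocols_value(protocols.text)
    if bad:
        raise ValueError(f"unknown protocol token(s) in <protocols>: {bad}")
    enabled = {VMACORE_TOKENS[t.strip().lower()] for t in protocols.text.split(",") if t.strip()}
    return [v for v in ALL_VERSIONS if v in enabled]


def has_ssl_options(xml_text):
    """True if vci-integrity.xml still carries an <sslOptions> tag (step 6 says to remove it)."""
    return next(ET.fromstring(xml_text).iter("sslOptions"), None) is not None


def audit(jetty_xml, vmacore_xml):
    """Summarise both files; 'legacy_versions' is what a hardening review wants to be empty."""
    jetty = jetty_enabled_protocols(jetty_xml)
    vmacore = vmacore_enabled_protocols(vmacore_xml)
    return {
        "port_9087_enabled": jetty,
        "port_8084_enabled": vmacore,
        "legacy_versions": sorted(set(jetty + vmacore) - {"TLSv1.2"}),
        "ssl_options_present": has_ssl_options(vmacore_xml),
    }


# Constructed samples (assumption: a <Configure> root wraps the Jetty fragment).
JETTY_TLS12_ONLY = """<Configure>
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>TLSv1</Item>
      <Item>TLSv1.1</Item>
    </Array>
  </Set>
</Configure>"""

VMACORE_ALL = """<vmacore>
  <ssl>
    <handshakeTimeoutMs>120000</handshakeTimeoutMs>
    <protocols>tls1.0,tls1.1,tls1.2</protocols>
  </ssl>
</vmacore>"""

VMACORE_DEFAULT = """<vmacore>
  <ssl>
    <handshakeTimeoutMs>120000</handshakeTimeoutMs>
  </ssl>
</vmacore>"""

if __name__ == "__main__":
    print(audit(JETTY_TLS12_ONLY, VMACORE_ALL))
```

To check a real installation, read the two files from the installation directory listed in step 2 and pass their contents to audit(); an empty legacy_versions list and ssl_options_present set to False is the state the two disable procedures aim for.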

13 Defined Privileges

The following tables list the default privileges that, when selected for a role, can be paired with a
user and assigned to an object.

When setting permissions, verify that all the object types are set with appropriate privileges for
each particular action. Some operations require access permission at the root folder or parent
folder in addition to access to the object being manipulated. Other operations require access or
performance permission at both a parent folder and a related object.

vCenter Server extensions might define additional privileges not listed here. Refer to the
documentation for the extension for more information on those privileges.

Read the following topics next:

- Alarms Privileges
- Auto Deploy and Image Profile Privileges
- Certificates Privileges
- Content Library Privileges
- Cryptographic Operations Privileges
- Datacenter Privileges
- Datastore Privileges
- Datastore Cluster Privileges
- Distributed Switch Privileges
- ESX Agent Manager Privileges
- Extension Privileges
- External Stats Provider Privileges
- Folder Privileges
- Global Privileges
- Health Update Provider Privileges
- Host CIM Privileges
- Host Configuration Privileges
- Host Inventory
- Host Local Operations Privileges
- Host vSphere Replication Privileges
- Host Profile Privileges
- Network Privileges
- Performance Privileges
- Permissions Privileges
- Profile-driven Storage Privileges
- Resource Privileges
- Scheduled Task Privileges
- Sessions Privileges
- Storage Views Privileges
- Tasks Privileges
- Transfer Service Privileges
- Virtual Machine Configuration Privileges
- Virtual Machine Guest Operations Privileges
- Virtual Machine Interaction Privileges
- Virtual Machine Inventory Privileges
- Virtual Machine Provisioning Privileges
- Virtual Machine Service Configuration Privileges
- Virtual Machine Snapshot Management Privileges
- Virtual Machine vSphere Replication Privileges
- dvPort Group Privileges
- vApp Privileges
- vServices Privileges
- vSphere Tagging Privileges

Alarms Privileges
Alarms privileges control the ability to create, modify, and respond to alarms on inventory
objects.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.


Table 13-1. Alarms Privileges

Alarms.Acknowledge alarm
  Description: Allows suppression of all alarm actions on all triggered alarms.
  Required On: Object on which an alarm is defined

Alarms.Create alarm
  Description: Allows creation of a new alarm. When creating alarms with a custom action,
  privilege to perform the action is verified when the user creates the alarm.
  Required On: Object on which an alarm is defined

Alarms.Disable alarm action
  Description: Allows stopping an alarm action from occurring after an alarm has been triggered.
  This does not disable the alarm.
  Required On: Object on which an alarm is defined

Alarms.Modify alarm
  Description: Allows changing the properties of an alarm.
  Required On: Object on which an alarm is defined

Alarms.Remove alarm
  Description: Allows deletion of an alarm.
  Required On: Object on which an alarm is defined

Alarms.Set alarm status
  Description: Allows changing the status of the configured event alarm. The status can change to
  Normal, Warning, or Alert.
  Required On: Object on which an alarm is defined

Auto Deploy and Image Profile Privileges


Auto Deploy privileges control who can perform different tasks on Auto Deploy rules, and who
can associate a host. Auto Deploy privileges also allow you to control who can create or edit an
image profile.

The table describes privileges that determine who can manage Auto Deploy rules and rule sets
and who can create and edit image profiles. See vCenter Server Installation and Setup.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-2. Auto Deploy Privileges

Auto Deploy.Host.AssociateMachine
  Description: Allows users to associate a host with a machine.
  Required On: vCenter Server

Auto Deploy.Image Profile.Create
  Description: Allows creation of image profiles.
  Required On: vCenter Server

Auto Deploy.Image Profile.Edit
  Description: Allows editing of image profiles.
  Required On: vCenter Server

Auto Deploy.Rule.Create
  Description: Allows creation of Auto Deploy rules.
  Required On: vCenter Server

Auto Deploy.Rule.Delete
  Description: Allows deletion of Auto Deploy rules.
  Required On: vCenter Server

Auto Deploy.Rule.Edit
  Description: Allows editing of Auto Deploy rules.
  Required On: vCenter Server

Auto Deploy.RuleSet.Activate
  Description: Allows activation of Auto Deploy rule sets.
  Required On: vCenter Server

Auto Deploy.RuleSet.Edit
  Description: Allows editing of Auto Deploy rule sets.
  Required On: vCenter Server

Certificates Privileges
Certificates privileges control which users can manage ESXi certificates.

This privilege determines who can perform certificate management for ESXi hosts. See
Required Privileges for Certificate Management Operations in the Platform Services Controller
Administration documentation for information on vCenter Server certificate management.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-3. Host Certificates Privileges

Certificates.Manage Certificates
  Description: Allows certificate management for ESXi hosts.
  Required On: vCenter Server

Content Library Privileges


Content Libraries provide simple and effective management for virtual machine templates and
vApps. Content library privileges control who can view or manage different aspects of content
libraries.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-4. Content Library Privileges

Content library.Add library item
  Description: Allows addition of items in a library.
  Required On: Library

Content library.Create a subscription for a published library
  Description: Allows creation of a library subscription.
  Required On: Library

Content library.Create local library
  Description: Allows creation of local libraries on the specified vCenter Server system.
  Required On: vCenter Server

Content library.Create subscribed library
  Description: Allows creation of subscribed libraries.
  Required On: vCenter Server

Content library.Delete library item
  Description: Allows deletion of library items.
  Required On: Library. Set this permission to propagate to all library items.

Content library.Delete local library
  Description: Allows deletion of a local library.
  Required On: Library

Content library.Delete subscribed library
  Description: Allows deletion of a subscribed library.
  Required On: Library

Content library.Delete subscription of a published library
  Description: Allows deletion of a subscription to a library.
  Required On: Library

Content library.Download files
  Description: Allows download of files from the content library.
  Required On: Library

Content library.Evict library item
  Description: Allows eviction of items. The content of a subscribed library can be cached or not
  cached. If the content is cached, you can release a library item by evicting it if you have this
  privilege.
  Required On: Library. Set this permission to propagate to all library items.

Content library.Evict subscribed library
  Description: Allows eviction of a subscribed library. The content of a subscribed library can be
  cached or not cached. If the content is cached, you can release a library by evicting it if you
  have this privilege.
  Required On: Library

Content library.Import Storage
  Description: Allows a user to import a library item if the source file URL starts with ds:// or
  file://. This privilege is disabled for the content library administrator by default. Because an
  import from a storage URL implies import of content, enable this privilege only if necessary and
  if no security concern exists for the user who will perform the import.
  Required On: Library

Content library.Probe subscription information
  Description: This privilege allows solution users and APIs to probe a remote library's
  subscription info including URL, SSL certificate, and password. The resulting structure describes
  whether the subscription configuration is successful or whether there are problems such as SSL
  errors.
  Required On: Library

Content library.Publish a library item to its subscribers
  Description: Allows publication of library items to subscribers.
  Required On: Library. Set this permission to propagate to all library items.

Content library.Publish a library to its subscribers
  Description: Allows publication of libraries to subscribers.
  Required On: Library

Content library.Read storage
  Description: Allows reading of content library storage.
  Required On: Library

Content library.Sync library item
  Description: Allows synchronization of library items.
  Required On: Library. Set this permission to propagate to all library items.

Content library.Sync subscribed library
  Description: Allows synchronization of subscribed libraries.
  Required On: Library

Content library.Type introspection
  Description: Allows a solution user or API to introspect the type support plugins for the content
  library service.
  Required On: Library

Content library.Update configuration settings
  Description: Allows you to update the configuration settings. No vSphere Web Client user
  interface elements are associated with this privilege.
  Required On: Library

Content library.Update files
  Description: Allows you to upload content into the content library. Also allows you to remove
  files from a library item.
  Required On: Library

Content library.Update library
  Description: Allows updates to the content library.
  Required On: Library

Content library.Update library item
  Description: Allows updates to library items.
  Required On: Library. Set this permission to propagate to all library items.

Content library.Update local library
  Description: Allows updates of local libraries.
  Required On: Library

Content library.Update subscribed library
  Description: Allows you to update the properties of a subscribed library.
  Required On: Library

Content library.Update subscription of a published library
  Description: Allows updates of subscription parameters. Users can update parameters such as the
  subscribed library's vCenter Server instance specification and placement of its virtual machine
  template items.
  Required On: Library

Content library.View configuration settings
  Description: Allows you to view the configuration settings. No vSphere Web Client user interface
  elements are associated with this privilege.
  Required On: Library

Cryptographic Operations Privileges


Cryptographic operations privileges control who can perform which type of cryptographic
operation on which type of object.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-5. Cryptographic Operations Privileges

Cryptographic operations.Direct Access
  Description: Allows users access to encrypted resources. For example, users can export virtual
  machines, have NFC access to virtual machines, and so on.
  Required On: Virtual machine, host, or datastore

Cryptographic operations.Add disk
  Description: Allows users to add a disk to an encrypted virtual machine.
  Required On: Virtual machine

Cryptographic operations.Clone
  Description: Allows users to clone an encrypted virtual machine.
  Required On: Virtual machine

Cryptographic operations.Decrypt
  Description: Allows users to decrypt a virtual machine or disk.
  Required On: Virtual machine

Cryptographic operations.Encrypt
  Description: Allows users to encrypt a virtual machine or a virtual machine disk.
  Required On: Virtual machine

Cryptographic operations.Encrypt new
  Description: Allows users to encrypt a virtual machine during virtual machine creation or a disk
  during disk creation.
  Required On: Virtual machine folder

Cryptographic operations.Manage encryption policies
  Description: Allows users to manage virtual machine storage policies with encryption IO filters.
  By default, virtual machines that use the Encryption storage policy do not use other storage
  policies.
  Required On: vCenter Server root folder

Cryptographic operations.Manage key servers
  Description: Allows users to manage the Key Management Server for the vCenter Server system.
  Management tasks include adding and removing KMS instances, and establishing a trust
  relationship with the KMS.
  Required On: vCenter Server system

Cryptographic operations.Manage keys
  Description: Allows users to perform key management operations. These operations are not
  supported from the vSphere Web Client but can be performed by using crypto-util or the API.
  Required On: vCenter Server root folder

Cryptographic operations.Migrate
  Description: Allows users to migrate an encrypted virtual machine to a different ESXi host.
  Supports migration with or without vMotion and storage vMotion. Does not support migration to
  a different vCenter Server instance.
  Required On: Virtual machine

Cryptographic operations.Recrypt
  Description: Allows users to recrypt virtual machines or disks with a different key. This
  privilege is required for both deep and shallow recrypt operations.
  Required On: Virtual machine

Cryptographic operations.Register VM
  Description: Allows users to register an encrypted virtual machine with an ESXi host.
  Required On: Virtual machine folder

Cryptographic operations.Register host
  Description: Allows users to enable encryption on a host. You can enable encryption on a host
  explicitly, or the virtual machine creation process can enable it.
  Required On: Host folder for standalone hosts, cluster for hosts in a cluster

Datacenter Privileges
Datacenter privileges control the ability to create and edit data centers in the vSphere Web
Client inventory.

All data center privileges are used in vCenter Server only. The Create datacenter privilege is
defined on data center folders or the root object. All other data center privileges are paired with
data centers, data center folders, or the root object.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-6. Datacenter Privileges

Datacenter.Create datacenter
  Description: Allows creation of a new data center.
  Required On: Data center folder or root object

Datacenter.Move datacenter
  Description: Allows moving a data center. The privilege must be present at both the source and
  the destination.
  Required On: Data center, source and destination

Datacenter.Network protocol profile configuration
  Description: Allows configuration of the network profile for a data center.
  Required On: Data center

Datacenter.Query IP pool allocation
  Description: Allows configuration of a pool of IP addresses.
  Required On: Data center

Datacenter.Reconfigure datacenter
  Description: Allows reconfiguration of a data center.
  Required On: Data center

Datacenter.Release IP allocation
  Description: Allows releasing the assigned IP allocation for a data center.
  Required On: Data center

Datacenter.Remove datacenter
  Description: Allows removal of a data center. In order to have permission to perform this
  operation, you must have this privilege assigned to both the object and its parent object.
  Required On: Data center plus parent object

Datacenter.Rename datacenter
  Description: Allows changing the name of a data center.
  Required On: Data center
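The following Python model is an added example, not content from this guide or code from vCenter Server. It shows how the Required On column is evaluated for the two Datacenter privileges above that must be present on more than one object: Datacenter.Remove datacenter on the data center and its parent, and Datacenter.Move datacenter on both source and destination. A permission is a set of privileges for a user on one inventory object plus a propagate flag, and the check walks up the hierarchy the way the chapter intro describes (the privilege must be set on the listed object, directly or inherited). The inventory layout, user names, and the rule that a permission set directly on an object overrides one propagated from an ancestor are assumptions of the model.

```python
"""Model of how the Required On column is evaluated against inventory permissions.

Added example, not from this guide. Inventory layout, user names and the
override rule below are assumptions of the model.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Permission:
    privileges: frozenset   # privilege names, e.g. "Datacenter.Remove datacenter"
    propagate: bool         # whether the permission flows down to child objects


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    permissions: dict = field(default_factory=dict)   # user -> Permission set directly here


def effective_privileges(obj, user):
    """Privileges the user holds on obj, either directly or inherited.

    Walk from obj toward the root and stop at the first permission for the
    user that applies: one set directly on obj, or the nearest ancestor's
    permission if it propagates. Model assumption: a closer permission
    overrides a farther one; a non-propagating ancestor permission is skipped.
    """
    node, distance = obj, 0
    while node is not None:
        perm = node.permissions.get(user)
        if perm is not None and (distance == 0 or perm.propagate):
            return perm.privileges
        node, distance = node.parent, distance + 1
    return frozenset()


def missing_privileges(user, requirements):
    """requirements: (object, privilege) pairs; returns the pairs the user lacks."""
    return [(obj.name, priv) for obj, priv in requirements
            if priv not in effective_privileges(obj, user)]


REMOVE_DC = "Datacenter.Remove datacenter"
MOVE_DC = "Datacenter.Move datacenter"


def can_remove_datacenter(dc, user):
    """Required On: the data center plus its parent object."""
    if dc.parent is None:
        return False
    return not missing_privileges(user, [(dc, REMOVE_DC), (dc.parent, REMOVE_DC)])


def can_move_datacenter(dc, destination, user):
    """Required On: both the source data center and the destination."""
    return not missing_privileges(user, [(dc, MOVE_DC), (destination, MOVE_DC)])


def build_sample_inventory():
    """Constructed inventory and permissions; every name here is illustrative."""
    root = InventoryObject("vCenter root")
    dc_folder = InventoryObject("Datacenters folder", root)
    archive = InventoryObject("Archive folder", root)
    dc1 = InventoryObject("DC1", dc_folder)
    # alice: both privileges at the root, propagated to every object below it
    root.permissions["alice"] = Permission(frozenset({REMOVE_DC, MOVE_DC}), True)
    # bob: Remove only on DC1 itself, so the parent folder requirement fails
    dc1.permissions["bob"] = Permission(frozenset({REMOVE_DC}), False)
    # carol: Move on the Datacenters folder, propagated, but nothing on Archive
    dc_folder.permissions["carol"] = Permission(frozenset({MOVE_DC}), True)
    # dave: everything at the root, but a restricting role with no privileges set
    # directly on the Datacenters folder overrides the inherited permission there
    root.permissions["dave"] = Permission(frozenset({REMOVE_DC, MOVE_DC}), True)
    dc_folder.permissions["dave"] = Permission(frozenset(), False)
    return {"root": root, "dc_folder": dc_folder, "archive": archive, "dc1": dc1}


if __name__ == "__main__":
    inv = build_sample_inventory()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "remove DC1:", can_remove_datacenter(inv["dc1"], user),
              "move DC1 to Archive:", can_move_datacenter(inv["dc1"], inv["archive"], user))
```

The point of the bob and dave cases is the one the Required On column makes: holding a privilege on the object you are acting on is not enough when the operation also names the parent, and a permission set lower in the tree changes what is effective on that object without touching the object's children.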

Datastore Privileges
Datastore privileges control the ability to browse, manage, and allocate space on datastores.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-7. Datastore Privileges

Datastore.Allocate space
  Description: Allows allocating space on a datastore for a virtual machine, snapshot, clone, or
  virtual disk.
  Required On: Data stores

Datastore.Browse datastore
  Description: Allows browsing files on a datastore.
  Required On: Data stores

Datastore.Configure datastore
  Description: Allows configuration of a datastore.
  Required On: Data stores

Datastore.Low level file operations
  Description: Allows performing read, write, delete, and rename operations in the datastore
  browser.
  Required On: Data stores

Datastore.Move datastore
  Description: Allows moving a datastore between folders. Privileges must be present at both the
  source and the destination.
  Required On: Datastore, source and destination

Datastore.Remove datastore
  Description: Allows removal of a datastore. This privilege is deprecated. To have permission to
  perform this operation, a user or group must have this privilege assigned in both the object and
  its parent object.
  Required On: Data stores

Datastore.Remove file
  Description: Allows deletion of files in the datastore. This privilege is deprecated. Assign the
  Low level file operations privilege.
  Required On: Data stores

Datastore.Rename datastore
  Description: Allows renaming a datastore.
  Required On: Data stores

Datastore.Update virtual machine files
  Description: Allows updating file paths to virtual machine files on a datastore after the
  datastore has been resignatured.
  Required On: Data stores

Datastore.Update virtual machine metadata
  Description: Allows updating virtual machine metadata associated with a datastore.
  Required On: Data stores


Datastore Cluster Privileges


Datastore cluster privileges control the configuration of datastore clusters for Storage DRS.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-8. Datastore Cluster Privileges

Datastore cluster.Configure a datastore cluster
  Description: Allows creation of, and configuration of settings for, datastore clusters for
  Storage DRS.
  Required On: Datastore clusters

Distributed Switch Privileges


Distributed Switch privileges control the ability to perform tasks related to the management of
Distributed Switch instances.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-9. vSphere Distributed Switch Privileges

Distributed switch.Create
  Description: Allows creation of a distributed switch.
  Required On: Data centers, Network folders

Distributed switch.Delete
  Description: Allows removal of a distributed switch. To have permission to perform this
  operation, a user or group must have this privilege assigned in both the object and its parent
  object.
  Required On: Distributed switches

Distributed switch.Host operation
  Description: Allows changing the host members of a distributed switch.
  Required On: Distributed switches

Distributed switch.Modify
  Description: Allows changing the configuration of a distributed switch.
  Required On: Distributed switches

Distributed switch.Move
  Description: Allows moving a vSphere Distributed Switch to another folder.
  Required On: Distributed switches

Distributed switch.Network I/O control operation
  Description: Allows changing the resource settings for a vSphere Distributed Switch.
  Required On: Distributed switches

Distributed switch.Policy operation
  Description: Allows changing the policy of a vSphere Distributed Switch.
  Required On: Distributed switches

Distributed switch.Port configuration operation
  Description: Allows changing the configuration of a port in a vSphere Distributed Switch.
  Required On: Distributed switches

Distributed switch.Port setting operation
  Description: Allows changing the setting of a port in a vSphere Distributed Switch.
  Required On: Distributed switches

Distributed switch.VSPAN operation
  Description: Allows changing the VSPAN configuration of a vSphere Distributed Switch.
  Required On: Distributed switches

ESX Agent Manager Privileges


ESX Agent Manager privileges control operations related to ESX Agent Manager and agent
virtual machines. The ESX Agent Manager is a service that lets you install management virtual
machines, which are tied to a host and not affected by VMware DRS or other services that
migrate virtual machines.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-10. ESX Agent Manager Privileges

ESX Agent Manager.Config
  Description: Allows deployment of an agent virtual machine on a host or cluster.
  Required On: Virtual machines

ESX Agent Manager.Modify
  Description: Allows modifications to an agent virtual machine such as powering off or deleting
  the virtual machine.
  Required On: Virtual machines

ESX Agent Manager.View
  Description: Allows viewing of an agent virtual machine.
  Required On: Virtual machines

Extension Privileges
Extension privileges control the ability to install and manage extensions.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-11. Extension Privileges

Extension.Register extension
  Description: Allows registration of an extension (plug-in).
  Required On: Root vCenter Server

Extension.Unregister extension
  Description: Allows unregistering an extension (plug-in).
  Required On: Root vCenter Server

Extension.Update extension
  Description: Allows updates to an extension (plug-in).
  Required On: Root vCenter Server


External Stats Provider Privileges


External stats provider privileges control the ability to notify vCenter Server of Proactive
Distributed Resource Scheduler (DRS) statistics.

These privileges apply to an API that is VMware-internal only.

Folder Privileges
Folder privileges control the ability to create and manage folders.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-12. Folder Privileges

Folder.Create folder
  Description: Allows creation of a new folder.
  Required On: Folders

Folder.Delete folder
  Description: Allows deletion of a folder. To have permission to perform this operation, a user or
  group must have this privilege assigned in both the object and its parent object.
  Required On: Folders

Folder.Move folder
  Description: Allows moving a folder. The privilege must be present at both the source and the
  destination.
  Required On: Folders

Folder.Rename folder
  Description: Allows changing the name of a folder.
  Required On: Folders

Global Privileges
Global privileges control global tasks related to tasks, scripts, and extensions.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-13. Global Privileges

Global.Act as vCenter Server
  Description: Allows preparation or initiation of a vMotion send operation or a vMotion receive
  operation.
  Required On: Root vCenter Server

Global.Cancel task
  Description: Allows cancellation of a running or queued task.
  Required On: Inventory object related to the task

Global.Capacity planning
  Description: Allows enabling the use of capacity planning for planning consolidation of physical
  machines to virtual machines.
  Required On: Root vCenter Server

Global.Diagnostics
  Description: Allows retrieval of a list of diagnostic files, log header, binary files, or
  diagnostic bundle. To avoid potential security breaches, limit this privilege to the vCenter
  Server Administrator role.
  Required On: Root vCenter Server

Global.Disable methods
  Description: Allows servers for vCenter Server extensions to disable certain operations on
  objects managed by vCenter Server.
  Required On: Root vCenter Server

Global.Enable methods
  Description: Allows servers for vCenter Server extensions to enable certain operations on
  objects managed by vCenter Server.
  Required On: Root vCenter Server

Global.Global tag
  Description: Allows adding or removing global tags.
  Required On: Root host or vCenter Server

Global.Health
  Description: Allows viewing the health of vCenter Server components.
  Required On: Root vCenter Server

Global.Licenses
  Description: Allows viewing installed licenses and adding or removing licenses.
  Required On: Root host or vCenter Server

Global.Log event
  Description: Allows logging a user-defined event against a particular managed entity.
  Required On: Any object

Global.Manage custom attributes
  Description: Allows adding, removing, or renaming custom field definitions.
  Required On: Root vCenter Server

Global.Proxy
  Description: Allows access to an internal interface for adding or removing endpoints to or from
  the proxy.
  Required On: Root vCenter Server

Global.Script action
  Description: Allows scheduling a scripted action in conjunction with an alarm.
  Required On: Any object

Global.Service managers
  Description: Allows use of the resxtop command in the vSphere CLI.
  Required On: Root host or vCenter Server

Global.Set custom attribute
  Description: Allows viewing, creating, or removing custom attributes for a managed object.
  Required On: Any object

Global.Settings
  Description: Allows reading and modifying runtime vCenter Server configuration settings.
  Required On: Root vCenter Server

Global.System tag
  Description: Allows adding or removing system tags.
  Required On: Root vCenter Server

Health Update Provider Privileges


Health update provider privileges control the ability for hardware vendors to notify vCenter
Server of Proactive HA events.

These privileges apply to an API that is VMware-internal only.

Host CIM Privileges


Host CIM privileges control the use of CIM for host health monitoring.


You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-14. Host CIM Privileges

Host.CIM.CIM Interaction
  Description: Allows a client to obtain a ticket to use for CIM services.
  Required On: Hosts

Host Configuration Privileges


Host configuration privileges control the ability to configure hosts.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-15. Host Configuration Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Host.Configuration.Advanced Settings | Allows setting advanced host configuration options. | Hosts |
| Host.Configuration.Authentication Store | Allows configuring Active Directory authentication stores. | Hosts |
| Host.Configuration.Change PciPassthru settings | Allows changes to PciPassthru settings for a host. | Hosts |
| Host.Configuration.Change SNMP settings | Allows changes to SNMP settings for a host. | Hosts |
| Host.Configuration.Change date and time settings | Allows changes to date and time settings on the host. | Hosts |
| Host.Configuration.Change settings | Allows setting of lockdown mode on ESXi hosts. | Hosts |
| Host.Configuration.Connection | Allows changes to the connection status of a host (connected or disconnected). | Hosts |
| Host.Configuration.Firmware | Allows updates to the ESXi host's firmware. | Hosts |
| Host.Configuration.Hyperthreading | Allows enabling and disabling hyperthreading in a host CPU scheduler. | Hosts |
| Host.Configuration.Image configuration | Allows changes to the image associated with a host. | Hosts |
| Host.Configuration.Maintenance | Allows putting the host in and out of maintenance mode and shutting down and restarting the host. | Hosts |
| Host.Configuration.Memory configuration | Allows modifications to the host memory configuration. | Hosts |
| Host.Configuration.Network configuration | Allows configuration of network, firewall, and vMotion network. | Hosts |

VMware by Broadcom 269


vSphere Security

Table 13-15. Host Configuration Privileges (continued)

| Privilege Name | Description | Required On |
|---|---|---|
| Host.Configuration.Power | Allows configuration of host power management settings. | Hosts |
| Host.Configuration.Query patch | Allows querying for installable patches and installing patches on the host. | Hosts |
| Host.Configuration.Security profile and firewall | Allows configuration of Internet services, such as SSH, Telnet, SNMP, and of the host firewall. | Hosts |
| Host.Configuration.Storage partition configuration | Allows VMFS datastore and diagnostic partition management. Users with this privilege can scan for new storage devices and manage iSCSI. | Hosts |
| Host.Configuration.System Management | Allows extensions to manipulate the file system on the host. | Hosts |
| Host.Configuration.System resources | Allows updates to the configuration of the system resource hierarchy. | Hosts |
| Host.Configuration.Virtual machine autostart configuration | Allows changes to the auto-start and auto-stop order of virtual machines on a single host. | Hosts |

Host Inventory
Host inventory privileges control adding hosts to the inventory, adding hosts to clusters, and
moving hosts in the inventory.

The table describes the privileges required to add and move hosts and clusters in the inventory.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-16. Host Inventory Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Host.Inventory.Add host to cluster | Allows addition of a host to an existing cluster. | Clusters |
| Host.Inventory.Add standalone host | Allows addition of a standalone host. | Host folders |
| Host.Inventory.Create cluster | Allows creation of a new cluster. | Host folders |
| Host.Inventory.Modify cluster | Allows changing the properties of a cluster. | Clusters |
| Host.Inventory.Move cluster or standalone host | Allows moving a cluster or standalone host between folders. Privilege must be present at both the source and destination. | Clusters |
| Host.Inventory.Move host | Allows moving a set of existing hosts into or out of a cluster. Privilege must be present at both the source and destination. | Clusters |
| Host.Inventory.Remove cluster | Allows deletion of a cluster or standalone host. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object. | Clusters, Hosts |
| Host.Inventory.Remove host | Allows removal of a host. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object. | Hosts plus parent object |
| Host.Inventory.Rename cluster | Allows renaming a cluster. | Clusters |
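The three kinds of "Required On" rule in these tables (privilege on the object, privilege on the object and its parent, privilege at both source and destination) are easy to get wrong when a permission is inherited through propagation. The following model is an added example written for this guide, not VMware's permission-evaluation code: it walks a constructed inventory (all object and principal names are invented here) and applies the closest-permission-wins rule that vCenter uses, so a permission set directly on a child overrides one propagated from a parent, and a non-propagating permission stops at its object.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Permission:
    """A permission as vCenter stores it: the privileges granted (through a
    role) to one principal on one object, plus the 'propagate' flag."""
    privileges: Set[str]
    propagate: bool = True


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    # principal -> permission assigned directly on this object
    permissions: Dict[str, Permission] = field(default_factory=dict)


def effective_privileges(principal: str, obj: InventoryObject) -> Set[str]:
    """Privileges `principal` holds on `obj`.

    Walk from the object toward the root. The first permission found for the
    principal wins: a permission on the object itself applies regardless of
    its propagate flag; one on an ancestor applies only if it propagates.
    Closest-permission-wins is vCenter's rule; the walk is this example's model.
    """
    node, distance = obj, 0
    while node is not None:
        perm = node.permissions.get(principal)
        if perm is not None and (distance == 0 or perm.propagate):
            return set(perm.privileges)
        node, distance = node.parent, distance + 1
    return set()


def has_privilege(principal: str, privilege: str, obj: InventoryObject) -> bool:
    """Plain 'Required On: <object>' rows."""
    return privilege in effective_privileges(principal, obj)


def has_privilege_with_parent(principal: str, privilege: str, obj: InventoryObject) -> bool:
    """Rows that require the privilege 'in both the object and its parent object'
    (Remove host, Remove cluster, Remove resource pool, Modify permission, ...)."""
    return (has_privilege(principal, privilege, obj)
            and obj.parent is not None
            and has_privilege(principal, privilege, obj.parent))


def can_move(principal: str, privilege: str, source: InventoryObject,
             destination: InventoryObject) -> bool:
    """Rows that say 'Privilege must be present at both the source and destination'."""
    return (has_privilege(principal, privilege, source)
            and has_privilege(principal, privilege, destination))


def build_sample_inventory() -> Dict[str, InventoryObject]:
    """Constructed inventory (names invented for this example):
    vcenter > dc1 > host-folder > {prod-cluster > {esx01, esx02}, lab-cluster}."""
    root = InventoryObject("vcenter")
    dc = InventoryObject("dc1", root)
    hosts = InventoryObject("host-folder", dc)
    prod = InventoryObject("prod-cluster", hosts)
    lab = InventoryObject("lab-cluster", hosts)
    esx01 = InventoryObject("esx01", prod)
    esx02 = InventoryObject("esx02", prod)
    # 'ops' gets host inventory privileges on the prod cluster, propagating down.
    prod.permissions["ops"] = Permission(
        {"Host.Inventory.Remove host", "Host.Inventory.Move host"})
    # An explicit permission on esx02 (here with no privileges at all) overrides
    # whatever would otherwise propagate from prod-cluster.
    esx02.permissions["ops"] = Permission(set(), propagate=False)
    # 'contractor' gets Remove host on the host object only, not on its parent.
    esx01.permissions["contractor"] = Permission({"Host.Inventory.Remove host"})
    return {o.name: o for o in (root, dc, hosts, prod, lab, esx01, esx02)}


if __name__ == "__main__":
    inv = build_sample_inventory()
    rm, mv = "Host.Inventory.Remove host", "Host.Inventory.Move host"
    print("ops can remove esx01:", has_privilege_with_parent("ops", rm, inv["esx01"]))
    print("ops can remove esx02:", has_privilege_with_parent("ops", rm, inv["esx02"]))
    print("contractor can remove esx01:", has_privilege_with_parent("contractor", rm, inv["esx01"]))
    print("ops can move esx01 to lab:", can_move("ops", mv, inv["esx01"], inv["lab-cluster"]))
```

The contractor case is the one that surprises people: a role containing Host.Inventory.Remove host assigned on the host object alone is not enough, because the parent cluster has no matching permission. The esx02 case shows the reverse trap, an explicit permission on a child silently removing privileges that an auditor would expect to be inherited from the cluster.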

Host Local Operations Privileges

Host local operations privileges control actions performed when the VMware Host Client is
connected directly to a host.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-17. Host Local Operations Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Host.Local operations.Add host to vCenter | Allows installation and removal of vCenter agents, such as vpxa and aam, on a host. | Root host |
| Host.Local operations.Create virtual machine | Allows creation of a new virtual machine from scratch on a disk without registering it on the host. | Root host |
| Host.Local operations.Delete virtual machine | Allows deletion of a virtual machine on disk. Supported for registered and unregistered virtual machines. | Root host |
| Host.Local operations.Manage user groups | Allows management of local accounts on a host. | Root host |
| Host.Local operations.Reconfigure virtual machine | Allows reconfiguring a virtual machine. | Root host |

Host vSphere Replication Privileges

Host vSphere replication privileges control the use of virtual machine replication by VMware
vCenter Site Recovery Manager™ for a host.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-18. Host vSphere Replication Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Host.vSphere Replication.Manage Replication | Allows management of virtual machine replication on this host. | Hosts |

Host Profile Privileges

Host Profile privileges control operations related to creating and modifying host profiles.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-19. Host Profile Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Host profile.Clear | Allows clearing of profile related information. | Root vCenter Server |
| Host profile.Create | Allows creation of a host profile. | Root vCenter Server |
| Host profile.Delete | Allows deletion of a host profile. | Root vCenter Server |
| Host profile.Edit | Allows editing a host profile. | Root vCenter Server |
| Host profile.Export | Allows exporting a host profile. | Root vCenter Server |
| Host profile.View | Allows viewing a host profile. | Root vCenter Server |

Network Privileges
Network privileges control tasks related to network management.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-20. Network Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Network.Assign network | Allows assigning a network to a virtual machine. | Networks, Virtual Machines |
| Network.Configure | Allows configuring a network. | Networks, Virtual Machines |
| Network.Move network | Allows moving a network between folders. Privilege must be present at both the source and destination. | Networks |
| Network.Remove | Allows removal of a network. This privilege is deprecated. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object. | Networks |

Performance Privileges
Performance privileges control modifying performance statistics settings.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-21. Performance Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Performance.Modify intervals | Allows creating, removing, and updating performance data collection intervals. | Root vCenter Server |

Permissions Privileges
Permissions privileges control the assigning of roles and permissions.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-22. Permissions Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Permissions.Modify permission | Allows defining one or more permission rules on an entity, or updating rules if rules are already present for the given user or group on the entity. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object. | Any object plus parent object |
| Permissions.Modify privilege | Allows modifying a privilege's group or description. No vSphere Web Client user interface elements are associated with this privilege. | |
| Permissions.Modify role | Allows updating a role's name and the privileges that are associated with the role. | Any object |
| Permissions.Reassign role permissions | Allows reassigning all permissions of a role to another role. | Any object |

Profile-driven Storage Privileges

Profile-driven storage privileges control operations related to storage profiles.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-23. Profile-driven Storage Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Profile-driven storage.Profile-driven storage update | Allows changes to be made to storage profiles, such as creating and updating storage capabilities and virtual machine storage profiles. | Root vCenter Server |
| Profile-driven storage.Profile-driven storage view | Allows viewing of defined storage capabilities and storage profiles. | Root vCenter Server |

Resource Privileges
Resource privileges control the creation and management of resource pools, as well as the
migration of virtual machines.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-24. Resource Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Resource.Apply recommendation | Allows accepting a suggestion by the server to perform a migration with vMotion. | Clusters |
| Resource.Assign vApp to resource pool | Allows assignment of a vApp to a resource pool. | Resource pools |
| Resource.Assign virtual machine to resource pool | Allows assignment of a virtual machine to a resource pool. | Resource pools |
| Resource.Create resource pool | Allows creation of resource pools. | Resource pools, clusters |
| Resource.Migrate powered off virtual machine | Allows migration of a powered off virtual machine to a different resource pool or host. | Virtual machines |
| Resource.Migrate powered on virtual machine | Allows migration with vMotion of a powered on virtual machine to a different resource pool or host. | Virtual machines |
| Resource.Modify resource pool | Allows changes to the allocations of a resource pool. | Resource pools |
| Resource.Move resource pool | Allows moving a resource pool. Privilege must be present at both the source and destination. | Resource pools |
| Resource.Query vMotion | Allows querying the general vMotion compatibility of a virtual machine with a set of hosts. | Root vCenter Server |
| Resource.Remove resource pool | Allows deletion of a resource pool. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object. | Resource pools |
| Resource.Rename resource pool | Allows renaming of a resource pool. | Resource pools |

Scheduled Task Privileges

Scheduled task privileges control creation, editing, and removal of scheduled tasks.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-25. Scheduled Task Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Scheduled task.Create tasks | Allows scheduling of a task. Required in addition to the privileges to perform the scheduled action at the time of scheduling. | Any object |
| Scheduled task.Modify task | Allows reconfiguration of the scheduled task properties. | Any object |
| Scheduled task.Remove task | Allows removal of a scheduled task from the queue. | Any object |
| Scheduled task.Run task | Allows running the scheduled task immediately. Creating and running a scheduled task also requires permission to perform the associated action. | Any object |

Sessions Privileges
Sessions privileges control the ability of extensions to open sessions on the vCenter Server
system.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Note Assign Sessions privileges only to administrators or trusted users.

Table 13-26. Session Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Sessions.Impersonate user | Allows impersonation of another user. This capability is used by extensions. | Root vCenter Server |
| Sessions.Message | Allows setting of the global login message. | Root vCenter Server |
| Sessions.Validate session | Allows verification of session validity. | Root vCenter Server |
| Sessions.View and stop sessions | Allows viewing sessions and forcing log out of one or more logged-on users. | Root vCenter Server |

Storage Views Privileges

Storage Views privileges control privileges for Storage Monitoring Service APIs.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-27. Storage Views Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Storage views.Configure service | Allows privileged users to use all Storage Monitoring Service APIs. Use Storage views.View for privileges to read-only Storage Monitoring Service APIs. | Root vCenter Server |
| Storage views.View | Allows privileged users to use read-only Storage Monitoring Service APIs. | Root vCenter Server |

Tasks Privileges
Tasks privileges control the ability of extensions to create and update tasks on the vCenter
Server.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-28. Tasks Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Tasks.Create task | Allows an extension to create a user-defined task. No vSphere Web Client user interface elements are associated with this privilege. | Root vCenter Server |
| Tasks.Update task | Allows an extension to update a user-defined task. No vSphere Web Client user interface elements are associated with this privilege. | Root vCenter Server |

Transfer Service Privileges

Transfer service privileges are VMware internal. Do not use these privileges.

Virtual Machine Configuration Privileges

Virtual Machine Configuration privileges control the ability to configure virtual machine options
and devices.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-29. Virtual Machine Configuration Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Virtual machine.Configuration.Acquire disk lease | Allows disk lease operations for a virtual machine. | Virtual machines |
| Virtual machine.Configuration.Add existing disk | Allows adding an existing virtual disk to a virtual machine. | Virtual machines |
| Virtual machine.Configuration.Add new disk | Allows creation of a new virtual disk to add to a virtual machine. | Virtual machines |
| Virtual machine.Configuration.Add or remove device | Allows addition or removal of any non-disk device. | Virtual machines |
| Virtual machine.Configuration.Advanced configuration | Allows addition or modification of advanced parameters in the virtual machine's configuration file. | Virtual machines |
| Virtual machine.Configuration.Change CPU count | Allows changing the number of virtual CPUs. | Virtual machines |
| Virtual machine.Configuration.Change Memory | Allows changing the amount of memory allocated to the virtual machine. | Virtual machines |
| Virtual machine.Configuration.Change Settings | Allows changing general virtual machine settings. | Virtual machines |
| Virtual machine.Configuration.Change Swapfile placement | Allows changing the swapfile placement policy for a virtual machine. | Virtual machines |
| Virtual machine.Configuration.Change resource | Allows changing the resource configuration of a set of virtual machine nodes in a given resource pool. | Virtual machines |
| Virtual machine.Configuration.Configure Host USB device | Allows attaching a host-based USB device to a virtual machine. | Virtual machines |
| Virtual machine.Configuration.Configure Raw device | Allows adding or removing a raw disk mapping or SCSI pass through device. Setting this parameter overrides any other privilege for modifying raw devices, including connection states. | Virtual machines |
| Virtual machine.Configuration.Configure managedBy | Allows an extension or solution to mark a virtual machine as being managed by that extension or solution. | Virtual machines |
| Virtual machine.Configuration.Display connection settings | Allows configuration of virtual machine remote console options. | Virtual machines |
| Virtual machine.Configuration.Extend virtual disk | Allows expansion of the size of a virtual disk. | Virtual machines |
| Virtual machine.Configuration.Modify device settings | Allows changing the properties of an existing device. | Virtual machines |
| Virtual machine.Configuration.Query Fault Tolerance compatibility | Allows checking if a virtual machine is compatible for Fault Tolerance. | Virtual machines |
| Virtual machine.Configuration.Query unowned files | Allows querying of unowned files. | Virtual machines |
| Virtual machine.Configuration.Reload from path | Allows changing a virtual machine configuration path while preserving the identity of the virtual machine. Solutions such as VMware vCenter Site Recovery Manager use this operation to maintain virtual machine identity during failover and failback. | Virtual machines |
| Virtual machine.Configuration.Remove disk | Allows removal of a virtual disk device. | Virtual machines |
| Virtual machine.Configuration.Rename | Allows renaming a virtual machine or modifying the associated notes of a virtual machine. | Virtual machines |
| Virtual machine.Configuration.Reset guest information | Allows editing the guest operating system information for a virtual machine. | Virtual machines |
| Virtual machine.Configuration.Set annotation | Allows adding or editing a virtual machine annotation. | Virtual machines |
| Virtual machine.Configuration.Toggle disk change tracking | Allows enabling or disabling of change tracking for the virtual machine's disks. | Virtual machines |
| Virtual machine.Configuration.Toggle fork parent | Allows enabling or disabling a vmfork parent. | Virtual machines |
| Virtual machine.Configuration.Upgrade virtual machine compatibility | Allows upgrade of the virtual machine's virtual machine compatibility version. | Virtual machines |

Virtual Machine Guest Operations Privileges

Virtual Machine Guest Operations privileges control the ability to interact with files and programs
inside a virtual machine's guest operating system with the API.

These privileges are the vCenter side of the check only; each guest operation call also supplies
guest operating system credentials and runs as that guest user. Even so, treat Guest Operation
Modifications together with Guest Operation Program Execution as the ability to run arbitrary
code in the guest under the supplied credentials, because they let the holder copy a file into the
guest and run it.

See the VMware vSphere API Reference documentation for more information on these
operations.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-30. Virtual Machine Guest Operations

| Privilege Name | Description | Effective on Object |
|---|---|---|
| Virtual machine.Guest Operations.Guest Operation Alias modification | Allows virtual machine guest operations that involve modifying the alias for the virtual machine. | Virtual machines |
| Virtual machine.Guest Operations.Guest Operation Alias query | Allows virtual machine guest operations that involve querying the alias for the virtual machine. | Virtual machines |
| Virtual machine.Guest Operations.Guest Operation Modifications | Allows virtual machine guest operations that involve modifications to a guest operating system in a virtual machine, such as transferring a file to the virtual machine. No vSphere Web Client user interface elements are associated with this privilege. | Virtual machines |
| Virtual machine.Guest Operations.Guest Operation Program Execution | Allows virtual machine guest operations that involve executing a program in the virtual machine. No vSphere Web Client user interface elements are associated with this privilege. | Virtual machines |
| Virtual machine.Guest Operations.Guest Operation Queries | Allows virtual machine guest operations that involve querying the guest operating system, such as listing files in the guest operating system. No vSphere Web Client user interface elements are associated with this privilege. | Virtual machines |
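Several privileges in these tables have no user interface element (the guest operations above, Permissions.Modify privilege, the Tasks privileges), so the only way to know who holds them is to inspect the roles themselves. The following pyvmomi script is an added example written for this guide, not VMware tooling: it lists custom roles that carry privileges which give code execution in guests, control over identities, or control over the permission model itself (including the Sessions privileges the note earlier restricts to administrators). The API privilege IDs in HIGH_RISK_PRIVILEGES are my mapping of the display names used in the tables and are assumptions; the script checks them against the privilege list the connected vCenter reports, so a wrong ID is printed as a warning instead of being silently missed. Connection details come from the VC_HOST, VC_USER and VC_PASS environment variables, names chosen for this example.

```python
"""Audit vCenter roles for privileges that grant code execution in guests or
control over identities and permissions. Added example, not VMware's own code.

Requires pyvmomi (pip install pyvmomi) only when run against a live vCenter;
the audit logic itself is pure Python so it can be tested offline.
"""
import os
import ssl
from typing import Dict, Iterable, List, Tuple

# API privilege IDs assumed to correspond to display names in the tables above.
# Verify against authorizationManager.privilegeList (see unknown_privilege_ids).
HIGH_RISK_PRIVILEGES: Dict[str, str] = {
    "Sessions.ImpersonateUser": "act as any other vCenter user",
    "Sessions.TerminateSession": "force logout of other users",
    "VirtualMachine.GuestOperations.Execute": "run programs inside guests",
    "VirtualMachine.GuestOperations.Modify": "write files inside guests",
    "VirtualMachine.Interact.ConsoleInteract": "keyboard, mouse and screen of the console",
    "VirtualMachine.Config.AdvancedConfig": "edit advanced parameters in the .vmx",
    "Host.Local.ManageUserGroups": "manage local accounts on ESXi",
    "Host.Config.Settings": "change lockdown mode",
    "Authorization.ModifyPermissions": "grant permissions to others",
    "Authorization.ModifyRoles": "change the privileges inside roles",
}


def audit_roles(roles: Iterable, ignore_system: bool = True) -> List[Tuple[str, List[str]]]:
    """Return (role name, sorted privilege IDs) for each role holding a
    high-risk privilege.

    ``roles`` is any iterable of objects exposing ``name``, ``privilege`` (a list
    of privilege ID strings) and ``system`` (bool), which is the shape of
    vim.AuthorizationManager.Role returned by pyvmomi.
    """
    findings: List[Tuple[str, List[str]]] = []
    for role in roles:
        if ignore_system and getattr(role, "system", False):
            continue  # built-in roles such as Administrator are expected to carry these
        hits = sorted(p for p in role.privilege if p in HIGH_RISK_PRIVILEGES)
        if hits:
            findings.append((role.name, hits))
    return findings


def unknown_privilege_ids(known_ids: Iterable[str]) -> List[str]:
    """IDs in HIGH_RISK_PRIVILEGES that the connected vCenter does not define:
    either a typo in this table or a privilege renamed in another release."""
    known = set(known_ids)
    return sorted(p for p in HIGH_RISK_PRIVILEGES if p not in known)


def main() -> None:
    from pyVim.connect import SmartConnect, Disconnect  # pyvmomi

    # Default context keeps certificate validation on; load a private CA with
    # ctx.load_verify_locations(...) rather than disabling verification.
    ctx = ssl.create_default_context()
    si = SmartConnect(host=os.environ["VC_HOST"], user=os.environ["VC_USER"],
                      pwd=os.environ["VC_PASS"], sslContext=ctx)
    try:
        authz = si.content.authorizationManager
        for missing in unknown_privilege_ids(p.privId for p in authz.privilegeList):
            print(f"warning: privilege id not defined on this vCenter: {missing}")
        for role_name, hits in audit_roles(authz.roleList):
            print(f"{role_name}:")
            for priv in hits:
                print(f"  {priv}  ({HIGH_RISK_PRIVILEGES[priv]})")
    finally:
        Disconnect(si)


if __name__ == "__main__":
    main()
```

A role showing up here is not automatically a finding; the follow-up is to check where that role is assigned (and with what propagation) using the object-plus-parent and source-plus-destination rules from the tables, since a broad role assigned at the root vCenter Server object with propagation reaches every virtual machine.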

Virtual Machine Interaction Privileges

Virtual Machine Interaction privileges control the ability to interact with a virtual machine console,
configure media, perform power operations, and install VMware Tools.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-31. Virtual Machine Interaction

| Privilege Name | Description | Required On |
|---|---|---|
| Virtual machine.Interaction.Answer question | Allows resolution of issues with virtual machine state transitions or runtime errors. | Virtual machines |
| Virtual machine.Interaction.Backup operation on virtual machine | Allows performance of backup operations on virtual machines. | Virtual machines |
| Virtual machine.Interaction.Configure CD media | Allows configuration of a virtual DVD or CD-ROM device. | Virtual machines |
| Virtual machine.Interaction.Configure floppy media | Allows configuration of a virtual floppy device. | Virtual machines |
| Virtual machine.Interaction.Console interaction | Allows interaction with the virtual machine's virtual mouse, keyboard, and screen. | Virtual machines |
| Virtual machine.Interaction.Create screenshot | Allows creation of a virtual machine screen shot. | Virtual machines |
| Virtual machine.Interaction.Defragment all disks | Allows defragment operations on all disks of the virtual machine. | Virtual machines |
| Virtual machine.Interaction.Device connection | Allows changing the connected state of a virtual machine's disconnectable virtual devices. | Virtual machines |
| Virtual machine.Interaction.Drag and Drop | Allows drag and drop of files between a virtual machine and a remote client. | Virtual machines |
| Virtual machine.Interaction.Guest operating system management by VIX API | Allows management of the virtual machine's operating system through the VIX API. | Virtual machines |
| Virtual machine.Interaction.Inject USB HID scan codes | Allows injection of USB HID scan codes. | Virtual machines |
| Virtual machine.Interaction.Pause or Unpause | Allows pausing or unpausing of the virtual machine. | Virtual machines |
| Virtual machine.Interaction.Perform wipe or shrink operations | Allows performing wipe or shrink operations on the virtual machine. | Virtual machines |
| Virtual machine.Interaction.Power Off | Allows powering off a powered-on virtual machine. This operation powers down the guest operating system. | Virtual machines |
| Virtual machine.Interaction.Power On | Allows powering on a powered-off virtual machine, and resuming a suspended virtual machine. | Virtual machines |
| Virtual machine.Interaction.Record session on Virtual Machine | Allows recording a session on a virtual machine. | Virtual machines |
| Virtual machine.Interaction.Replay session on Virtual Machine | Allows replaying of a recorded session on a virtual machine. | Virtual machines |
| Virtual machine.Interaction.Reset | Allows resetting of a virtual machine, which reboots the guest operating system. | Virtual machines |
| Virtual machine.Interaction.Resume Fault Tolerance | Allows resuming of fault tolerance for a virtual machine. | Virtual machines |
| Virtual machine.Interaction.Suspend | Allows suspending a powered-on virtual machine. This operation puts the guest in standby mode. | Virtual machines |
| Virtual machine.Interaction.Suspend Fault Tolerance | Allows suspension of fault tolerance for a virtual machine. | Virtual machines |
| Virtual machine.Interaction.Test failover | Allows testing of Fault Tolerance failover by making the Secondary virtual machine the Primary virtual machine. | Virtual machines |
| Virtual machine.Interaction.Test restart Secondary VM | Allows termination of a Secondary virtual machine for a virtual machine using Fault Tolerance. | Virtual machines |
| Virtual machine.Interaction.Turn Off Fault Tolerance | Allows turning off Fault Tolerance for a virtual machine. | Virtual machines |
| Virtual machine.Interaction.Turn On Fault Tolerance | Allows turning on Fault Tolerance for a virtual machine. | Virtual machines |
| Virtual machine.Interaction.VMware Tools install | Allows mounting and unmounting the VMware Tools CD installer as a CD-ROM for the guest operating system. | Virtual machines |

Virtual Machine Inventory Privileges

Virtual Machine Inventory privileges control adding, moving, and removing virtual machines.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-32. Virtual Machine Inventory Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Virtual machine.Inventory.Create from existing | Allows creation of a virtual machine based on an existing virtual machine or template, by cloning or deploying from a template. | Clusters, Hosts, Virtual machine folders |
| Virtual machine.Inventory.Create new | Allows creation of a virtual machine and allocation of resources for its execution. | Clusters, Hosts, Virtual machine folders |
| Virtual machine.Inventory.Move | Allows relocating a virtual machine in the hierarchy. The privilege must be present at both the source and destination. | Virtual machines |
| Virtual machine.Inventory.Register | Allows adding an existing virtual machine to a vCenter Server or host inventory. | Clusters, Hosts, Virtual machine folders |
| Virtual machine.Inventory.Remove | Allows deletion of a virtual machine. Deletion removes the virtual machine's underlying files from disk. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object. | Virtual machines |
| Virtual machine.Inventory.Unregister | Allows unregistering a virtual machine from a vCenter Server or host inventory. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object. | Virtual machines |

Virtual Machine Provisioning Privileges

Virtual Machine Provisioning privileges control activities related to deploying and customizing
virtual machines.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-33. Virtual Machine Provisioning Privileges

| Privilege Name | Description | Required On |
|---|---|---|
| Virtual machine.Provisioning.Allow disk access | Allows opening a disk on a virtual machine for random read and write access. Used mostly for remote disk mounting. | Virtual machines |
| Virtual machine.Provisioning.Allow file access | Allows operations on files associated with a virtual machine, including vmx, disks, logs, and nvram. | Virtual machines |
| Virtual machine.Provisioning.Allow read-only disk access | Allows opening a disk on a virtual machine for random read access. Used mostly for remote disk mounting. | Virtual machines |
| Virtual machine.Provisioning.Allow virtual machine download | Allows read operations on files associated with a virtual machine, including vmx, disks, logs, and nvram. | Root host or vCenter Server |
| Virtual machine.Provisioning.Allow virtual machine files upload | Allows write operations on files associated with a virtual machine, including vmx, disks, logs, and nvram. | Root host or vCenter Server |
| Virtual machine.Provisioning.Clone template | Allows cloning of a template. | Templates |
| Virtual machine.Provisioning.Clone virtual machine | Allows cloning of an existing virtual machine and allocation of resources. | Virtual machines |
| Virtual machine.Provisioning.Create template from virtual machine | Allows creation of a new template from a virtual machine. | Virtual machines |
| Virtual machine.Provisioning.Customize | Allows customization of a virtual machine's guest operating system without moving the virtual machine. | Virtual machines |
| Virtual machine.Provisioning.Deploy template | Allows deployment of a virtual machine from a template. | Templates |
| Virtual machine.Provisioning.Mark as template | Allows marking an existing powered off virtual machine as a template. | Virtual machines |
| Virtual machine.Provisioning.Mark as virtual machine | Allows marking an existing template as a virtual machine. | Templates |
| Virtual machine.Provisioning.Modify customization specification | Allows creation, modification, or deletion of customization specifications. | Root vCenter Server |
| Virtual machine.Provisioning.Promote disks | Allows promote operations on a virtual machine's disks. | Virtual machines |
| Virtual machine.Provisioning.Read customization specifications | Allows reading a customization specification. | Virtual machines |

Virtual Machine Service Configuration Privileges


Virtual machine service configuration privileges control who can perform monitoring and
management tasks on service configuration.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-34. Virtual machine Service Configuration Privileges

Virtual Machine.Service configuration.Allow notifications
    Description: Allows generating and consuming notifications about service status.

Virtual Machine.Service configuration.Allow polling of global event notifications
    Description: Allows querying whether any notifications are present.

Virtual Machine.Service configuration.Manage service configurations
    Description: Allows creating, modifying, and deleting virtual machine services.

Virtual Machine.Service configuration.Modify service configuration
    Description: Allows modification of an existing virtual machine service configuration.

Virtual Machine.Service configuration.Query service configurations
    Description: Allows retrieval of a list of virtual machine services.

Virtual Machine.Service configuration.Read service configuration
    Description: Allows retrieval of an existing virtual machine service configuration.


Virtual Machine Snapshot Management Privileges


Virtual machine snapshot management privileges control the ability to take, delete, rename, and
restore snapshots.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-35. Virtual Machine State Privileges

Virtual machine.Snapshot management.Create snapshot
    Description: Allows creation of a snapshot from the virtual machine's current state.
    Required On: Virtual machines

Virtual machine.Snapshot management.Remove Snapshot
    Description: Allows removal of a snapshot from the snapshot history.
    Required On: Virtual machines

Virtual machine.Snapshot management.Rename Snapshot
    Description: Allows renaming a snapshot with a new name, a new description, or both.
    Required On: Virtual machines

Virtual machine.Snapshot management.Revert to snapshot
    Description: Allows setting the virtual machine to the state it was in at a given snapshot.
    Required On: Virtual machines

Virtual Machine vSphere Replication Privileges


Virtual Machine vSphere replication privileges control the use of replication by VMware vCenter
Site Recovery Manager™ for virtual machines.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.


Table 13-36. Virtual Machine vSphere Replication

Virtual machine.vSphere Replication.Configure Replication
    Description: Allows configuration of replication for the virtual machine.
    Required On: Virtual machines

Virtual machine.vSphere Replication.Manage Replication
    Description: Allows triggering of full sync, online sync, or offline sync on a replication.
    Required On: Virtual machines

Virtual machine.vSphere Replication.Monitor Replication
    Description: Allows monitoring of replication.
    Required On: Virtual machines

dvPort Group Privileges


Distributed virtual port group privileges control the ability to create, delete, and modify
distributed virtual port groups.

The table describes the privileges required to create and configure distributed virtual port
groups.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-37. Distributed Virtual Port Group Privileges

dvPort group.Create
    Description: Allows creation of a distributed virtual port group.
    Required On: Virtual port groups

dvPort group.Delete
    Description: Allows deletion of a distributed virtual port group. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object.
    Required On: Virtual port groups

dvPort group.Modify
    Description: Allows modification of a distributed virtual port group configuration.
    Required On: Virtual port groups

dvPort group.Policy operation
    Description: Allows setting the policy of a distributed virtual port group.
    Required On: Virtual port groups

dvPort group.Scope operation
    Description: Allows setting the scope of a distributed virtual port group.
    Required On: Virtual port groups

vApp Privileges
vApp privileges control operations related to deploying and configuring a vApp.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.


Table 13-38. vApp Privileges

vApp.Add virtual machine
    Description: Allows adding a virtual machine to a vApp.
    Required On: vApps

vApp.Assign resource pool
    Description: Allows assigning a resource pool to a vApp.
    Required On: vApps

vApp.Assign vApp
    Description: Allows assigning a vApp to another vApp.
    Required On: vApps

vApp.Clone
    Description: Allows cloning of a vApp.
    Required On: vApps

vApp.Create
    Description: Allows creation of a vApp.
    Required On: vApps

vApp.Delete
    Description: Allows deletion of a vApp. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object.
    Required On: vApps

vApp.Export
    Description: Allows export of a vApp from vSphere.
    Required On: vApps

vApp.Import
    Description: Allows import of a vApp into vSphere.
    Required On: vApps

vApp.Move
    Description: Allows moving a vApp to a new inventory location.
    Required On: vApps

vApp.Power Off
    Description: Allows power off operations on a vApp.
    Required On: vApps

vApp.Power On
    Description: Allows power on operations on a vApp.
    Required On: vApps

vApp.Rename
    Description: Allows renaming a vApp.
    Required On: vApps

vApp.Suspend
    Description: Allows suspension of a vApp.
    Required On: vApps

vApp.Unregister
    Description: Allows unregistering a vApp. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object.
    Required On: vApps

vApp.View OVF Environment
    Description: Allows viewing the OVF environment of a powered-on virtual machine within a vApp.
    Required On: vApps

vApp.vApp application configuration
    Description: Allows modification of a vApp's internal structure, such as product information and properties.
    Required On: vApps

vApp.vApp instance configuration
    Description: Allows modification of a vApp's instance configuration, such as policies.
    Required On: vApps


Table 13-38. vApp Privileges (continued)

vApp.vApp managedBy configuration
    Description: Allows an extension or solution to mark a vApp as being managed by that extension or solution. No vSphere Web Client user interface elements are associated with this privilege.
    Required On: vApps

vApp.vApp resource configuration
    Description: Allows modification of a vApp's resource configuration. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object.
    Required On: vApps
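The two rules the privilege tables keep repeating, "set directly or inherited" through propagation and "assigned in both the object and its parent object" for delete-style operations, modelled as an added example that is not VMware code. The inventory tree, the representation of a role as a set of privilege names, and the names alice, bob, AppFolder, WebApp and web-01 are constructed; the model implements only those two rules and ignores vCenter's other resolution rules, such as a permission on a child object overriding an inherited one.

```python
"""Simplified model of vCenter permission propagation (added example, not VMware code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, Optional, Tuple

# A permission set on one object: the role's privileges and whether it propagates.
Permission = Tuple[FrozenSet[str], bool]


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    # principal -> (privileges granted by the role, propagate to children?)
    permissions: Dict[str, Permission] = field(default_factory=dict)

    def ancestors(self) -> Iterator["InventoryObject"]:
        node = self.parent
        while node is not None:
            yield node
            node = node.parent


def has_privilege(principal: str, obj: InventoryObject, privilege: str) -> bool:
    """True if the principal holds the privilege on obj, directly or inherited.

    A permission counts when it is set on obj itself, or on an ancestor whose
    permission was set with propagation (the "either directly or inherited" rule).
    """
    direct = obj.permissions.get(principal)
    if direct is not None and privilege in direct[0]:
        return True
    for ancestor in obj.ancestors():
        perm = ancestor.permissions.get(principal)
        if perm is not None and perm[1] and privilege in perm[0]:
            return True
    return False


# Privileges the tables mark as required on both the object and its parent.
PARENT_ALSO_REQUIRED = frozenset({
    "vApp.Delete",
    "vApp.Unregister",
    "vApp.vApp resource configuration",
    "dvPort group.Delete",
})


def can_perform(principal: str, obj: InventoryObject, privilege: str) -> bool:
    """Apply both rules: the privilege on the object, and on the parent where required."""
    if not has_privilege(principal, obj, privilege):
        return False
    if privilege in PARENT_ALSO_REQUIRED:
        if obj.parent is None:
            return False
        return has_privilege(principal, obj.parent, privilege)
    return True


def build_sample_inventory() -> Dict[str, InventoryObject]:
    """Constructed inventory: Datacenter > AppFolder > WebApp (vApp) > web-01 (VM)."""
    dc = InventoryObject("Datacenter")
    folder = InventoryObject("AppFolder", dc)
    vapp = InventoryObject("WebApp", folder)
    vm = InventoryObject("web-01", vapp)
    vapp_ops = frozenset({"vApp.Power On", "vApp.Power Off", "vApp.Delete"})
    # alice: role assigned on the folder with propagation, so it reaches the vApp and VM
    folder.permissions["alice"] = (vapp_ops, True)
    # bob: same role assigned only on the vApp, without propagation
    vapp.permissions["bob"] = (vapp_ops, False)
    return {"dc": dc, "folder": folder, "vapp": vapp, "vm": vm}
```

Bob can power the vApp on and off but cannot delete it, because vApp.Delete is not assigned on the parent folder; alice can, because her propagating folder permission covers both the vApp and its parent.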

vServices Privileges
vServices privileges control the ability to create, configure, and update vService dependencies
for virtual machines and vApps.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.

Table 13-39. vServices

vService.Create dependency
    Description: Allows creation of a vService dependency for a virtual machine or vApp.
    Required On: vApps and virtual machines

vService.Destroy dependency
    Description: Allows removal of a vService dependency for a virtual machine or vApp.
    Required On: vApps and virtual machines

vService.Reconfigure dependency configuration
    Description: Allows reconfiguration of a dependency to update the provider or binding.
    Required On: vApps and virtual machines

vService.Update dependency
    Description: Allows updates of a dependency to configure the name or description.
    Required On: vApps and virtual machines

vSphere Tagging Privileges


vSphere Tagging privileges control the ability to create and delete tags and tag categories, and
assign and remove tags on vCenter Server inventory objects.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege
at the folder level, you can propagate the privilege to one or more objects within the folder. The
object listed in the Required On column must have the privilege set, either directly or inherited.


Table 13-40. vSphere Tagging Privileges

vSphere Tagging.Assign or Unassign vSphere Tag
    Description: Allows assignment or unassignment of a tag for an object in the vCenter Server inventory.
    Required On: Any object

vSphere Tagging.Create vSphere Tag
    Description: Allows creation of a tag.
    Required On: Any object

vSphere Tagging.Create vSphere Tag Category
    Description: Allows creation of a tag category.
    Required On: Any object

vSphere Tagging.Create vSphere Tag Scope
    Description: Allows creation of a tag scope.
    Required On: Any object

vSphere Tagging.Delete vSphere Tag
    Description: Allows deletion of a tag category.
    Required On: Any object

vSphere Tagging.Delete vSphere Tag Category
    Description: Allows deletion of a tag category.
    Required On: Any object

vSphere Tagging.Delete vSphere Tag Scope
    Description: Allows deletion of a tag scope.
    Required On: Any object

vSphere Tagging.Edit vSphere Tag
    Description: Allows editing of a tag.
    Required On: Any object

vSphere Tagging.Edit vSphere Tag Category
    Description: Allows editing of a tag category.
    Required On: Any object

vSphere Tagging.Edit vSphere Tag Scope
    Description: Allows editing of a tag scope.
    Required On: Any object

vSphere Tagging.Modify UsedBy Field for Category
    Description: Allows changing the UsedBy field for a tag category.
    Required On: Any object

vSphere Tagging.Modify UsedBy Field for Tag
    Description: Allows changing the UsedBy field for a tag.
    Required On: Any object

Chapter 14 Understanding vSphere Hardening and Compliance

Organizations expect to keep their data secure by reducing the risk of data theft, cyberattack,
or unauthorized access. Organizations also must often comply with one or more regulations
from government standards to private standards, such as the National Institute of Standards and
Technology (NIST) and Defense Information Systems Agency Security Technical Implementation
Guides (DISA STIG). Ensuring that your vSphere environment is in compliance with such
standards involves understanding a broader set of considerations including people, processes,
and technology.

A high-level overview of security and compliance topics that require attention helps you plan
your compliance strategy. You also benefit from other compliance-related resources on the
VMware Web site.

Read the following topics next:

- Security Versus Compliance in the vSphere Environment

- Understanding the vSphere Security Configuration Guide

- About the National Institute of Standards and Technology

- About DISA STIGs

- About VMware Security Development Lifecycle

- Audit Logging

- Understanding Security and Compliance Next Steps

Security Versus Compliance in the vSphere Environment


The terms security and compliance are often used interchangeably. However, they are unique
and distinct concepts.

Security, often thought of as information security, is commonly defined as a set of technical,
physical, and administrative controls that you implement to provide confidentiality, integrity,
and availability. For example, you secure a host by locking down which accounts can log into
it, and by what means (SSH, direct console, and so on). Compliance, by contrast, is a set
of requirements necessary to meet the minimum controls established by different regulatory
frameworks that provide limited guidance on any specific type of technology, vendor, or
configuration. For example, the Payment Card Industry (PCI) has established security guidelines
to help organizations proactively protect customer account data.

Security reduces the risk of data theft, cyberattack, or unauthorized access, while compliance
is the proof that a security control is in place, typically within a defined time line. Security is
primarily outlined in the design decisions and highlighted within the technology configurations.
Compliance is focused on mapping the correlation between security controls and specific
requirements. A compliance mapping provides a centralized view to list out many of the
required security controls. Those controls are further detailed by including each security control's
respective compliance citations as dictated by a domain such as NIST, PCI, FedRAMP, HIPAA, and
so forth.

Effective cybersecurity and compliance programs are built on three pillars: people, process, and
technology. A general misconception is that technology alone can solve all your cybersecurity
needs. Technology does play a large and important role in the development and execution of an
information security program. However, technology without process and procedures, awareness
and training, creates a vulnerability within your organization.

When defining your security and compliance strategies, keep the following in mind:

- People need general awareness and training, whereas IT staff need specific training.

- Process defines how your organization's activities, roles, and documentation are used to
  mitigate risk. Processes are only effective if people follow them correctly.

- Technology can be used to prevent or reduce the impact of cybersecurity risk to your
  organization. Which technology to use depends on your organization's risk acceptance level.

VMware provides Compliance Kits that contain both an Audit Guide and a Product Applicability
Guide, helping to bridge the gap between compliance and regulatory requirements and
implementation guides. For more information, see https://core.vmware.com/compliance.

Glossary of Compliance Terms


Compliance introduces specific terms and definitions that are important to understand.


Table 14-1. Compliance Terms

CJIS
    Criminal Justice Information Services. In the context of compliance, the CJIS produces a
    Security Policy for how local, state, and federal criminal justice and law enforcement
    agencies must take security precautions to protect sensitive information such as
    fingerprints and criminal backgrounds.

DISA STIG
    Defense Information Systems Agency Security Technical Implementation Guide. The Defense
    Information Systems Agency (DISA) is the entity responsible for maintaining the security
    posture of the Department of Defense (DoD) IT infrastructure. DISA accomplishes this task by
    developing and using Security Technical Implementation Guides, or "STIGs."

FedRAMP
    Federal Risk and Authorization Management Program. FedRAMP is a government-wide program
    that provides a standardized approach to security assessment, authorization, and continuous
    monitoring for cloud products and services.

HIPAA
    Health Insurance Portability and Accountability Act. Passed by Congress in 1996, HIPAA does
    the following:
    - Gives millions of American workers and their families the ability to transfer and
      continue health insurance coverage for when they change or lose jobs
    - Reduces health care fraud and abuse
    - Mandates industry-wide standards for health care information on electronic billing and
      other processes
    - Requires the protection and confidential handling of protected health information
    The latter bullet is of most importance to vSphere Security documentation.

NCCoE
    National Cybersecurity Center of Excellence. NCCoE is a U.S. government organization that
    produces and publicly shares solutions to cybersecurity problems that U.S. businesses
    encounter. The center forms a team of people from cybersecurity technology companies, other
    federal agencies, and academia to address each problem.

NIST
    National Institute of Standards and Technology. Founded in 1901, NIST is a non-regulatory
    federal agency within the U.S. Department of Commerce. NIST's mission is to advocate for
    U.S. innovation and industrial competitiveness by advancing measurement science, standards,
    and technology in ways that increase economic security and improve our quality of life.

PAG
    Product Applicability Guide. A document that provides general guidance for organizations
    that are considering a company's solutions to help them address compliance requirements.

Table 14-1. Compliance Terms (continued)

PCI DSS
    Payment Card Industry Data Security Standard. A set of security standards designed to
    ensure that all companies that accept, process, store, or transmit credit card information
    maintain a secure environment.

VVD/VCF Compliance Solutions
    VMware Validated Design/VMware Cloud Foundation. The VMware Validated Designs provide
    comprehensive and extensively tested blueprints to build and operate a Software-Defined
    Data Center. VVD/VCF compliance solutions enable customers to meet compliance requirements
    for multiple government and industry regulations.

Understanding the vSphere Security Configuration Guide


VMware creates Security Hardening Guides that provide prescriptive guidance about deploying
and operating VMware products in a secure manner. For vSphere, this guide is called the
vSphere Security Configuration Guide (formerly known as the Hardening Guide).
The vSphere Security Configuration Guide contains security best practices for vSphere. The
vSphere Security Configuration Guide does not map directly to regulatory guidelines or
frameworks, and so is not a compliance guide. Also, the vSphere Security Configuration Guide
is not intended for use as a security checklist. Security is always a tradeoff. When you implement
security controls, you might affect usability, performance, or other operational tasks negatively.
Consider your workloads, usage patterns, organizational structure, and so on carefully before
making security changes, whether the advice is from VMware or from other industry sources. If
your organization is subject to regulatory compliance needs, see Security Versus Compliance
in the vSphere Environment or visit https://core.vmware.com/compliance. This site features
compliance kits and product audit guides to help vSphere administrators and regulatory auditors
secure and attest virtual infrastructure for regulatory frameworks, such as NIST 800-53v4, NIST
800-171, PCI DSS, HIPAA, CJIS, ISO 27001, and more.

The vSphere Security Configuration Guide does not discuss securing the following items:

- Software running inside the virtual machine, such as the Guest OS and applications

- Traffic running through the virtual machine networks

- Security of add-on products

The vSphere Security Configuration Guide is not meant to be used as a "compliance" tool. The
vSphere Security Configuration Guide does enable you to take initial steps towards compliance,
but used by itself, it does not ensure that your deployment is compliant. For more information
about compliance, see Security Versus Compliance in the vSphere Environment.


Reading the vSphere Security Configuration Guide


The vSphere Security Configuration Guide is a spreadsheet that contains security-related
guidelines to assist you with modifying your vSphere security configuration. These guidelines
are grouped into tabs based on the affected components, with some or all of the following columns.

Table 14-2. vSphere Security Configuration Guide Spreadsheet Columns

Guideline ID
    A unique two-part ID to reference a security configuration or hardening recommendation.
    The first part indicates the component, defined as follows:
    - ESXi: ESXi hosts
    - VM: Virtual machines
    - vNetwork: Virtual switches

Description
    A short explanation of the particular recommendation.

Discussion
    Description of the vulnerability behind a particular recommendation.

Configuration Parameter
    Provides the applicable configuration parameter or filename, if any.

Desired Value
    The desired state or value of the recommendation. Possible values include:
    - N/A
    - Site Specific
    - False
    - True
    - Enabled
    - Disabled
    - Not present or False

Default Value
    The default value set by vSphere.

Is desired value the default?
    States if the security setting is the default product configuration.

Action Needed
    The type of action to take on the particular recommendation. Actions include:
    - Update
    - Audit Only
    - Modify
    - Add
    - Remove

Setting Location in the vSphere Client
    Steps for checking on the value by using the vSphere Client.

Negative Functional Impact in Change From Default?
    Description, if any, of a potential negative impact from using the security recommendation.

PowerCLI Command Assessment
    Steps for checking on the value by using PowerCLI.

PowerCLI Command Remediation Example
    Steps for setting (remediating) the value by using PowerCLI.

vCLI Command Remediation
    Steps for setting (remediating) the value by using the vCLI commands.

PowerCLI Command Assessment
    Steps for checking on the value by using the PowerCLI commands.
Table 14-2. vSphere Security Configuration Guide Spreadsheet Columns (continued)

PowerCLI Command Remediation
    Steps for setting (remediating) the value by using the PowerCLI commands.

Able to set using Host Profile
    Whether the setting can be accomplished by using Host Profiles (applies only to ESXi
    guidelines).

Hardening
    If TRUE, then the guideline has only one implementation to be compliant. If FALSE, then
    you can satisfy the guideline implementation by more than one configuration setting. The
    actual setting is often site-specific.

Site Specific Setting
    If TRUE, then the setting to be compliant with the guideline depends on rules or standards
    that are specific to that vSphere deployment.

Audit Setting
    If TRUE, then the value of the listed setting might need to be modified to satisfy
    site-specific rules.

Note These columns might change over time as required. For example, recent additions include
the DISA STIG ID, Hardening, and Site Specific Setting columns. Check https://blogs.vmware.com
for announcements about updates to the vSphere Secure Configuration Guide.

Do not blindly apply guidelines in the vSphere Secure Configuration Guide to your environment.
Rather, take time to evaluate each setting and make an informed decision whether you want to
apply it. At a minimum, you can use the instructions in the Assessment columns to verify the
security of your deployment.

The vSphere Secure Configuration Guide is an aid to begin implementing compliance in your
deployment. When used with the Defense Information Systems Agency (DISA) and other
compliance guidelines, the vSphere Secure Configuration Guide enables you to map vSphere
security controls to the compliance flavor per each guideline.

About the National Institute of Standards and Technology


The National Institute of Standards and Technology (NIST) is a non-regulatory government
agency that develops technology, metrics, standards, and guidelines. Compliance with NIST
standards and guidelines has become a top priority in many industries today.

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now
part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science
laboratories. Today, NIST measurements support the smallest of technologies to the largest and
most complex of human-made creations, from nanoscale devices, up to earthquake-resistant
skyscrapers and global communication networks.

The Federal Information Security Management Act (FISMA) is a United States federal law passed
in 2002 that made it a requirement for federal agencies to develop, document, and implement
an information security and protection program. NIST plays an important role in the FISMA
implementation by producing key security standards and guidelines (for example, FIPS 199, FIPS
200, and SP 800 series).


Government and private organizations use NIST 800-53 to secure information systems.
Cybersecurity and privacy controls are essential to protect organizational operations (including
mission, functions, image, and reputation), organizational assets, and individuals from a diverse
set of threats. Some of these threats include hostile cyber-attacks, natural disasters, structural
failures, and human errors. VMware has enlisted a third-party audit partner to evaluate VMware
products and solutions against the NIST 800-53 catalog of controls. For more information, visit
the NIST webpage at https://www.nist.gov/cyberframework.

About DISA STIGs


The Defense Information Systems Agency (DISA) develops and publishes Security Technical
Implementation Guides, or "STIGs." DISA STIGs provide technical guidance for hardening systems
and reducing threats.

The Defense Information Systems Agency (DISA) is the U.S. Department of Defense (DoD)
combat support agency responsible for maintaining the security posture of the DOD Information
Network (DODIN). One of the ways DISA accomplishes this task is by developing, disseminating,
and mandating the implementation of Security Technical Implementation Guides, or STIGs. In
brief, STIGs are portable, standards-based guides for hardening systems. STIGs are mandatory
for U.S. DoD IT systems and, as such, provide a vetted, secure baseline for non-DoD entities to
measure their security posture.

Vendors such as VMware submit suggested security hardening guidance to DISA for evaluation,
based on DISA protocols and feedback. Once that process is complete, the official STIG
is published on the DISA organization’s web site at https://public.cyber.mil/stigs/. VMware
provides security baselines and hardening guidance for vSphere as part of the vSphere Security
Configuration Guide. See https://core.vmware.com/security.

About VMware Security Development Lifecycle


The VMware Security Development Lifecycle (SDL) program identifies and mitigates security
risk during the development phase of VMware software products. VMware also operates the
VMware Security Response Center (VSRC) to conduct the analysis and remediation of software
security issues in VMware products.

The SDL is the software development methodology that the VMware Security Engineering,
Communication, and Response (vSECR) group, and VMware product development groups, use
to help identify and mitigate security issues. For more information about the VMware Security
Development Lifecycle, see the webpage at https://www.vmware.com/security/sdl.html.

The VSRC works with customers and the security research community to achieve the goals
of addressing security issues and providing customers with actionable security information in
a timely manner. For more information about the VMware Security Response Center, see the
webpage at https://www.vmware.com/security/vsrc.html.


Audit Logging
Audit logging of network traffic, compliance alerts, firewall activity, operating system changes,
and provisioning activities is considered a best practice for maintaining the security of any IT
environment. In addition, logging is a specific requirement of many regulations and standards.

One of the first steps to take for ensuring you are aware of changes to your infrastructure is
to audit your environment. By default, vSphere includes tools that enable you to view and track
changes. For example, you can use the Tasks and Events tab in the vSphere Client on any object
in your vSphere hierarchy to see what changes have occurred. You can also use the PowerCLI
to retrieve events and tasks. Also, vRealize Log Insight offers audit logging to support collection
and retention of important system events. In addition, many third-party tools are available that
provide vCenter auditing.

Log files can provide an audit trail to help determine who or what is accessing a host, a virtual
machine, and so on. For more information, see ESXi Log File Locations.

Single Sign-On Audit Events


Single Sign-On (SSO) audit events are records of user or system actions for accessing the SSO
services.

vCenter Server 6.7 Update 2 and later improves VMware vCenter Single Sign-On auditing by
adding events for the following operations:

- User management

- Login

- Group creation

- Identity source

- Policy updates

Supported identity sources are vsphere.local, Integrated Windows Authentication (IWA), and
Active Directory over LDAP.

When a user logs in to vCenter Server through Single Sign-On, or makes changes that affect SSO,
the following audit events are written to the SSO audit log file:

- Login and Logout Attempts: Events for all the successful and failed login and logout
  operations.

- Privilege Change: Event for change in a user role or permissions.

- Account Change: Event for change in the user account information, for example, user name,
  password, or any additional account information.

- Security Change: Event for change in a security configuration, parameter, or policy.

- Account Enabled or Disabled: Event for when an account is enabled or disabled.

- Identity Source: Event for adding, deleting, or editing an identity source.


In the vSphere Client and the vSphere Web Client, event data is displayed in the Monitor tab. See
the vSphere Monitoring and Performance documentation.

Note The ability to view events using either of the GUI clients is only enabled for the vCenter
Server Appliance.

SSO audit event data includes the following details:

- Timestamp of when the event occurred.

- User who performed the action.

- Description of the event.

- Severity of the event.

- IP address of client used to connect to vCenter Server, if available.

SSO Audit Event Log Overview


The vSphere Single-Sign On process writes audit events to the audit_events.log file in the
following locations.

Table 14-3. SSO Audit Log Location

vCenter Server Appliance
    /var/log/audit/sso-events/

vCenter Server Windows
    C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs\

Caution Never manually edit the audit_events.log file, as doing so might cause the audit
logging to fail.

Keep the following in mind when working with the audit_events.log file:

- The log file is archived once it reaches 50 MB.

- A maximum of 10 archive files is kept. If the limit is reached, the oldest file is purged when a
  new archive is created.

- The archive files are named audit_events-<index>.log.gz, where the index is a numeral
  from 1 to 10. The first archive created is index 1, and is increased with each subsequent
  archive.

- The oldest events are in archive index 1. The highest indexed file is the latest archive.
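The rotation rules above, turned into an added example (not VMware code) that collects the SSO audit log and its archives oldest-first for review without touching the files, which matters because a plain alphabetical sort would put audit_events-10.log.gz before audit_events-2.log.gz. The sample directory, its file contents and the line text are constructed, since the guide does not document the line format; each line is treated as opaque text.

```python
"""Read the SSO audit_events.log and its rotated archives in chronological order.

Added example, not VMware code. Rotation rules from the guide: the live file is
audit_events.log; archives are audit_events-<index>.log.gz with index 1 the oldest
and the highest index the newest; at most 10 archives are kept.
"""
import gzip
import os
import re
import tempfile
from typing import Iterator, List

LIVE_NAME = "audit_events.log"
ARCHIVE_RE = re.compile(r"^audit_events-(\d+)\.log\.gz$")
MAX_ARCHIVES = 10


def chronological_order(names: List[str]) -> List[str]:
    """Return audit log file names oldest-first: archives by numeric index, then the live file.

    Names that are not part of the audit log set are ignored. More than MAX_ARCHIVES
    archives cannot occur under the documented rotation, so it is reported as an error.
    """
    archives = []
    for name in names:
        match = ARCHIVE_RE.match(name)
        if match:
            archives.append((int(match.group(1)), name))  # numeric, not lexical, sort key
    if len(archives) > MAX_ARCHIVES:
        raise ValueError(f"expected at most {MAX_ARCHIVES} archives, found {len(archives)}")
    ordered = [name for _, name in sorted(archives)]
    if LIVE_NAME in names:
        ordered.append(LIVE_NAME)  # the live file always holds the newest events
    return ordered


def iter_audit_lines(log_dir: str) -> Iterator[str]:
    """Yield every non-empty audit line, oldest archive first, opening files read-only."""
    for name in chronological_order(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        opener = gzip.open if name.endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8") as handle:
            for line in handle:
                line = line.rstrip("\n")
                if line:
                    yield line


def build_sample_log_dir() -> str:
    """Create a constructed directory shaped like /var/log/audit/sso-events/ (sample data)."""
    log_dir = tempfile.mkdtemp(prefix="sso-events-")
    # index 1 is the oldest archive, index 2 newer, then the live file
    with gzip.open(os.path.join(log_dir, "audit_events-1.log.gz"), "wt", encoding="utf-8") as fh:
        fh.write("event-1\nevent-2\n")
    with gzip.open(os.path.join(log_dir, "audit_events-2.log.gz"), "wt", encoding="utf-8") as fh:
        fh.write("event-3\n")
    with open(os.path.join(log_dir, LIVE_NAME), "w", encoding="utf-8") as fh:
        fh.write("event-4\n")
    # an unrelated file in the same directory, which must be ignored
    with open(os.path.join(log_dir, "other.log"), "w", encoding="utf-8") as fh:
        fh.write("noise\n")
    return log_dir
```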

Understanding Security and Compliance Next Steps


Conducting a security assessment is the first step in understanding any vulnerabilities in your
infrastructure. A security assessment is part of a security audit, which looks at both systems and
practices, including security compliance.


A security assessment generally refers to scanning your organization's physical infrastructure
(firewalls, networks, hardware, and so on) to identify vulnerabilities and flaws. A security
assessment is not the same as a security audit. A security audit includes not only a review
of physical infrastructure but other areas such as policy and standard operating procedures,
including security compliance. After you have the audit, you can decide on the steps to remedy
the problems within the system.

You might ask these general questions when preparing to conduct a security audit:

1 Is our organization mandated to adhere to a compliance regulation? If so which one(s)?

2 What is our audit interval?

3 What is our internal self-assessment interval?

4 Do we have access to previous audit results and have we viewed them?

5 Do we use a third-party audit firm to help us prepare for an audit? If so, what is their level of
comfort with virtualization?

6 Do we run vulnerability scans against the systems and applications? When and how often?

7 What are our internal cybersecurity policies?

8 Is your audit logging configured according to your needs? See Audit Logging.

In the absence of specific guidance or direction on where to begin, you can jumpstart securing
your vSphere environment by:

- Keeping your environment up-to-date with the latest software and firmware patches

- Maintaining good password management and hygiene for all accounts

- Reviewing vendor-approved security recommendations

- Referring to the VMware Security Configuration Guides (see Understanding the vSphere
  Security Configuration Guide)

- Using readily available and proven guidance from policy frameworks such as NIST, ISO, and
  so forth

- Following guidance from regulatory compliance frameworks such as PCI, DISA, and FedRAMP
