1. Built-in firewall rules:

One of the first steps in ESXi hardening is to limit the connections permitted to and from the host: restrict the services you do not use and block traffic you consider suspicious. Review the firewall rules and decide what is permitted and what is not, and whether each rule is needed permanently or only temporarily for a specific period. Check your list again; for example, if you always want permanent SSH access to your hosts, limit the allowed IP addresses to only the IP address of your management system.
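Auditing the allowed-IP lists of the firewall rulesets described above, as an added example that is not from the original post: it assumes the two-column output format of `esxcli network firewall ruleset allowedip list`, uses a constructed sample listing and a hypothetical list of management rulesets, and prints (rather than runs) the esxcli commands that would restrict an open ruleset to one management address.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the allowed-IP column of
# ESXi firewall rulesets and print the esxcli commands that would restrict the
# open ones to a single management address. The text below is a CONSTRUCTED
# sample in the format assumed for `esxcli network firewall ruleset allowedip list`.
SAMPLE_ALLOWEDIP='Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
sshClient      All
snmp           10.0.0.5
vSphereClient  All
ntpClient      All'

# Rulesets that should only be reachable from the management system (assumed list).
MGMT_RULESETS="sshServer snmp vSphereClient"

# Print, one per line, the management rulesets whose allowed IP list is "All".
# $1: allowedip listing text (first two lines are the header and separator).
open_rulesets() {
    printf '%s\n' "$1" | awk -v list="$MGMT_RULESETS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 2 && ($1 in want) && $2 == "All" { print $1 }'
}

# Succeed (exit 0) only when every management ruleset is already restricted.
audit_allowedip() {
    [ -z "$(open_rulesets "$1")" ]
}

# Print the esxcli commands that restrict each open ruleset to the management IP.
# $1: allowedip listing text, $2: management system IP address.
remediation_commands() {
    open_rulesets "$1" | while read -r rs; do
        echo "esxcli network firewall ruleset set --ruleset-id=$rs --allowed-all=false"
        echo "esxcli network firewall ruleset allowedip add --ruleset-id=$rs --ip-address=$2"
    done
}

# Stand-alone run on the constructed sample (no esxcli needed).
if audit_allowedip "$SAMPLE_ALLOWEDIP"; then
    echo "all management rulesets restricted"
else
    echo "open rulesets found; commands to fix them:"
    remediation_commands "$SAMPLE_ALLOWEDIP" "192.0.2.10"
fi
```

On a real host, feed the live output of `esxcli network firewall ruleset allowedip list` into `open_rulesets` instead of the sample, and review the printed commands before running them.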

2. Using SNMP version 3:

SNMP version 3 is far more secure than versions 1 and 2 because it supports encryption, authentication and hashing algorithms, so it is strongly recommended to use SNMPv3. The older versions use only a community string for SNMP communication, which is sent in clear text and is certainly a security weakness. So for monitoring ESXi hosts it is better to configure only SNMPv3 settings, using "esxcli system snmp set --v3targets ..." (I will explain how to do this in another post).

3. VIB Verification:

A VIB, or vSphere Installation Bundle, is a package file (like a ZIP) containing the installation files related to ESXi. As Kyle said, a VIB has three main parts: the archive (payload), the XML descriptor and a signature file used for trust-level verification. You can configure each host to one of the four acceptance levels below, depending on your system management policies:

I.   Partner: the VIB is created and tested by the partner; there is no VMware verification.

II.  VMware Certified: all processes are done by VMware itself.

III. VMware Accepted: testing is done by partners, but verification of the results relies on VMware.

IV.  Community: all processes are executed outside the VMware partner program, and such VIBs are not supported.

It is a good suggestion not to trust all community VIB packages.

4. NTP configuration:

Time, time and time... It is so important to remember to set it before doing any other configuration on your hosts. It is recommended to set at least one NTP server outside of your virtual infrastructure (like a router) for all of the hosts. (I described before in this post how to do it by CLI.)

5. Versions of TLS:

It is always a real problem: which version of TLS should we use on our managed hosts, and which versions must be disabled? It is strongly recommended to use only TLS 1.2, but some of the management products associated with the ESXi host may only be able to communicate with an older version. So before disabling versions 1.0 or 1.1, check this matter out.


Source of content inside my personal blog: Undercity of Virtualization: Security Recommendation and Hardening on Virtual Environments - Chapter I