vSphere 5.0 Hardening Guide - Public Draft

This is the public draft of the vSphere 5.0 Security Hardening Guide.  It is being posted to this Community in order to provide early access to interested parties, and to gather feedback.  The final version will be made available approximately in the middle of May.

The format of this guide has changed from previous versions. The guide is being released as an Excel spreadsheet only. The guideline metadata from earlier guides has been greatly expanded and standardized. A companion document comparing the 5.0 guidelines with the 4.1 guidelines is also being posted in this Community. For additional information, please see the Intro tab of the spreadsheet.

Please provide your feedback in the comments field, or send a message to me directly if you do not wish to communicate publicly.

UPDATE: the release for this guide has been pushed back to early June.

The Excel spreadsheet format is interesting - what I didn't see was an easy way to reference a particular recommendation (HCM01 etc.) as per the old DOC style. The IDs, while descriptive, don't lend themselves well to this. Also, coming from the 4.0 / 4.1 guides means no continuity in the references, and if we start making them up, we end up with divergent codes across multiple customers very easily!


The Intro tab of this spreadsheet describes the new way to reference recommendations. Just prepend the Component to the ID field to get a unique string. For example, "vcenter-restrict-certificate-access" would be the reference to this recommendation.

The companion document that I also posted goes over the correspondence between previous and new recommendations: http://communities.vmware.com/docs/DOC-19057
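As an added example (not part of the thread, the guide or the companion document), here is a small Python script that applies the Intro-tab scheme described above, prepending the Component to the ID, to a CSV export of the spreadsheet. It checks that the resulting references are unique and well-formed, shows which IDs would collide without the component prefix, and builds a crosswalk from 4.1-style codes to the new references so that several customers end up with the same identifiers. The column names (component, id, legacy_code), the component spellings and every sample row other than the three references quoted in the thread (vcenter-restrict-certificate-access, enable-nfc-ssl/HCM06, restrict-linux-clients/VCL01) are assumptions made for this example.

```python
"""Build and check vSphere 5.0 hardening-guide references (component-id)
from a CSV export of the guide, and cross-walk them to 4.1-style codes.
Example code written for this thread, not VMware's own tooling."""
import csv
import io
import re

# Constructed sample of a CSV export. Column names, component spellings and
# all rows other than the three references quoted in the thread are assumed;
# the repeated row and the "ESXi,Enable NFC SSL" row are deliberate defects.
SAMPLE_CSV = """component,id,legacy_code
vcenter,restrict-certificate-access,
esxi,enable-nfc-ssl,HCM06
vcenter,restrict-linux-clients,VCL01
vcenter,restrict-linux-clients,VCL01
vm,limit-log-file-size-and-number,
vm,enable-nfc-ssl,
ESXi,Enable NFC SSL,
"""

# A reference is lower-case words joined by hyphens, e.g. vcenter-disable-mob.
REF_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)+$")


def make_reference(component, guideline_id):
    """Reference string as described on the Intro tab: component + '-' + ID."""
    return f"{component.strip().lower()}-{guideline_id.strip().lower()}"


def load_guidelines(csv_text):
    """Parse the CSV export and attach the computed reference to each row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["reference"] = make_reference(row["component"], row["id"])
    return rows


def check_references(rows):
    """Return (duplicates, malformed): references seen more than once, and
    references that do not have the expected hyphenated lower-case form."""
    seen = {}
    for row in rows:
        seen.setdefault(row["reference"], []).append(row)
    duplicates = {ref: r for ref, r in seen.items() if len(r) > 1}
    malformed = [row["reference"] for row in rows
                 if not REF_RE.match(row["reference"])]
    return duplicates, malformed


def ids_needing_component(rows):
    """IDs that appear under more than one component: these are exactly the
    cases where the bare ID is ambiguous and the component prefix is needed."""
    by_id = {}
    for row in rows:
        by_id.setdefault(row["id"].strip().lower(), set()).add(
            row["component"].strip().lower())
    return sorted(i for i, comps in by_id.items() if len(comps) > 1)


def crosswalk(rows):
    """Map legacy 4.1-style codes (HCM06, VCL01, ...) to the set of new
    references carrying that code; a code mapping to several references
    means the legacy guideline was split and needs a manual decision."""
    mapping = {}
    for row in rows:
        code = row["legacy_code"].strip()
        if code:
            mapping.setdefault(code, set()).add(row["reference"])
    return mapping


if __name__ == "__main__":
    rows = load_guidelines(SAMPLE_CSV)
    dups, bad = check_references(rows)
    print("duplicate references:", sorted(dups))
    print("malformed references:", bad)
    print("IDs that need the component prefix:", ids_needing_component(rows))
    for code, refs in sorted(crosswalk(rows).items()):
        print(f"{code} -> {', '.join(sorted(refs))}")
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; anything reported under "malformed" is usually a hand-typed component or ID that does not follow the spreadsheet's naming, and the crosswalk output is the list to agree on with customers before anyone invents codes of their own.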

1) On the VM tab, line item 16, suggest “Use a secure protocol like SSH or Telnets…” vice “Use a secure protocol like Telnets…”  I believe that SSH port forwarding can be safely used.

2) On the ESXi tab, line item 20, Vulnerability Discussion column, third sentence, suggest “The presence of the remote user’s public key in the “authorized_keys” file” vice “The presence of the remote user’s public key in the “authroized_keys” file” (i.e., misspelling of “authorized”).

3) On the Network tab, the format for the entire Vulnerability Discussion, Assessment Procedure, and Negative Functional Impact columns should be set to “General” (it was displayed as "########..." by Excel).
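The ESXi guideline referred to in item 2 turns on a simple fact: any public key listed in the host's authorized_keys file grants SSH access to that account without a password. As an added example (not from the guide or the thread), here is a Python audit helper that parses an authorized_keys file, reports each key's type, SHA-256 fingerprint, comment and restricting options (such as from=, command= or no-port-forwarding, the last of which relates to the port-forwarding remark in item 1), and flags entries that carry no restriction at all. The file content is a constructed sample with dummy key material; the location of the file on an ESXi host is not taken from the page and would have to be checked against the guide's own assessment procedure.

```python
"""Audit an OpenSSH authorized_keys file: list every key with its type,
fingerprint, comment and restricting options, and flag unrestricted entries.
Example code for this thread, not part of the hardening guide."""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Options that limit what a key holder can do; an entry with none of the
# first three is reported as unrestricted.
LIMITING_OPTIONS = ("from", "command", "restrict")


def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (4-byte length prefix)."""
    return struct.pack(">I", len(b)) + b


# Constructed key blobs in the real wire layout but with dummy key bytes;
# they parse correctly but are not usable keys.
_ED25519_BLOB = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()
_RSA_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00" + bytes(255))).decode()

# Constructed sample file: one unrestricted key, one restricted key, one
# corrupt line.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not a real host file
ssh-ed25519 {_ED25519_BLOB} backup@jumphost
from="10.1.2.0/24",no-pty,no-port-forwarding,command="/bin/true" ssh-rsa {_RSA_BLOB} monitor@nms

ssh-rsa not-base64!!! broken@host
"""


def _split_options(line):
    """Split a line into (options, rest) at the first whitespace that is not
    inside double quotes (option values such as command="..." may contain
    spaces)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def _option_names(options):
    """Return the option names from a comma-separated option list, ignoring
    commas inside quoted values."""
    names, cur, in_quote = [], "", False
    for i, ch in enumerate(options):
        if ch == '"' and (i == 0 or options[i - 1] != "\\"):
            in_quote = not in_quote
        if ch == "," and not in_quote:
            names.append(cur)
            cur = ""
        else:
            cur += ch
    names.append(cur)
    return [n.split("=", 1)[0].strip() for n in names if n.strip()]


def parse_authorized_keys(text):
    """Return one dict per non-comment line: either a parsed key entry or an
    {'line': n, 'error': ...} record for lines that cannot be parsed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if line.split(None, 1)[0] not in KEY_TYPES:
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            entries.append({"line": lineno, "error": "unrecognised key line"})
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError:
            entries.append({"line": lineno, "error": "key blob is not valid base64"})
            continue
        # Same presentation as ssh-keygen -l: SHA256 of the decoded blob,
        # base64 without padding.
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        names = _option_names(options)
        entries.append({
            "line": lineno,
            "key_type": parts[0],
            "fingerprint": "SHA256:" + digest,
            "comment": parts[2] if len(parts) == 3 else "",
            "options": names,
            "unrestricted": not any(n in LIMITING_OPTIONS for n in names),
        })
    return entries


if __name__ == "__main__":
    for e in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(e)
```

Every entry the script prints is a credential that bypasses the account's password, so the reviewer's job is to confirm that each fingerprint and comment belongs to a known, still-needed user and that keys for automation carry from= and command= limits; parse errors deserve a look too, since a corrupt line is often the remains of a hand edit.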

- "Limit VM log file size and number" is missing on the VM tab

- "disable-mob" is missing on the vCenter tab

- why not include:

     > recommendations about OS hardening?

     > something like "limit access to DCUI" via iLO, DRAC, etc. permissions

     > no unused port groups (like no unused ports..)

- why are the ISO 27001 and ISO 27002 codes removed?

Regarding ESXi Communications enable-nfc-ssl (HCM06):

Is it still the case that vCenter may refer clients such as the vSphere Client or VDDK users to an NFC service that is not encrypted by default?  (I understand, but haven't had an opportunity to confirm, that only OVF Exports work a little differently and are secure by default).  The "vulnerability discussion" mentions only the clone and migrate operations, which are ESXi host-to-host communications.  Is it appropriate to harden ESXi host-to-vSphere client communications related to virtual disk functionality this way, or is there additional guidance?

Regarding vCenter Client restrict-linux-clients (VCL01):

Is this guidance intended to apply fully to the vSphere Management Appliance (VMA)?

Does a similar MITM opportunity exist with any vCenter Server Appliance connectivity?


It seems that this document does not clearly refer to the vCenter appliance - vCenter sheet includes references to Windows OS while vCenter appliance uses SLES 11.

This information is missing.

The vCenter virtual appliance is out of scope for this version of the guide.  We will consider its inclusion in future versions.

Version history
Revision #: 1 of 1
Last update: 04-18-2012 11:08 AM