
alphaspirit - Fotolia
Best practices to keep your vSphere environment secure
VMware introduced a lot of new features that focused on security in vSphere 6.5. But, beyond those features, you can follow these practices to improve security.
Beyond the security features included with VMware vSphere 6.5, such as vMotion encryption and ESXi secure boot, there are a variety of other practices that can help secure both the hypervisor and individual virtual machines. Timeouts, lockdown mode and acceptance-level checks are just some procedures to look into to help bolster security in your vSphere environment.
One of the best practices for hypervisor security is enforcing the concept of least privilege -- essentially, prohibiting access to all unnecessary features and functionality to all except the fewest authorized users. For example, rather than using root user access for ESXi management, assign specific roles or tasks to specific named users or groups through vCenter Server. That improves security in your vSphere environment, because no one is accessing something they shouldn't be.
It's also a sound practice to apply aggressive timeouts to ESXi or Secure Shell (SSH) access to improve VMware vSphere security. This helps to ensure that an administrator who leaves their computer doesn't leave physical access open for an intruder. It'd be a pain to lock or power off every time you briefly left your computer.
Network communication depends on open ports in a firewall, so checking and minimizing the number of open ports can help to secure ESXi hosts from unexpected intrusion.
When even tighter security is appropriate in your vSphere environment, invoking ESXi lockdown mode will prevent ESXi host access, except through vCenter Server. VSphere supports multifactor authentication using smart cards, rather than usernames and passwords, ensuring management access relies on the possession of a physical device. And it's always prudent to implement an ESXi account lockout, which locks out an account after 10 failed logon attempts.
VMware vSphere Security can also benefit from standardization, using scripts or templates to automate common ESXi host management tasks in your vSphere environment. This minimizes manual variations, error or oversights that can open unexpected security vulnerabilities. You can also employ scripts and templates to spin up and configure standardized VMs to meet minimum security requirements.
Take advantage of acceptance levels to check the integrity of each vSphere installation bundle (VIB) package. This prevents adding a VIB to an ESXi host, unless the acceptance level of the VIB is equal or better than the host -- often prohibiting community-supported or partner-supported VIBs where malware might lurk.
There are some additional precautions that can help to secure individual virtual machines. For example, it's important to secure guest operating systems by testing and deploying OS patches and updates in a timely manner.
If you deploy antimalware, antispyware or other security tools in VMs, update these tools diligently to maintain their effectiveness in a vSphere environment. Minimize user access to VM consoles to mitigate user control over VM power management and removable devices -- cutting off common avenues of attack on VMs.