Harden ESXi hosts

To increase the protection of ESXi hosts against possible attacks and unauthorized access, consider the following options:

  • Limit user privileges and access: One aspect is using the RBAC model (described in Objective 1.1) to limit user privileges. You also have to use centralized authentication, limit the authorized users, restrict access to the ESXi management adapter, and enforce security policies (such as password expiration and password complexity).
  • Limit shell access: The ESXi Shell and ESXi SSH access grant several privileged capabilities and permit executing many commands from the CLI. For this reason, this type of access must be closed or limited. Lockdown mode (described later) can be effective for limiting that type of access.
  • Limit services: By default, ESXi only runs essential services, and any services that are not needed are stopped. Note that third-party services, such as some hardware vendor agents, should be limited, or at least validated.
  • Limit network connections: ESXi has a built-in firewall (starting from ESXi 5.0), and, by default, most ports are closed. When you enable a service, the corresponding ports are opened as well. The host firewall does not protect from DoS attacks, so keep your ESXi VMkernel interfaces on protected networks, and continue to use perimeter firewalls.
  • Use secure connections: By default, most communications are secured by the SSL layer, and all weak ciphers are disabled (this can vary between vSphere builds). Also, VMware vSphere 6.0 introduced a certificate authority (described in Objective 1.3) to help with certificate management.
  • Update your environment: VMware Update Manager (VUM) can simplify host patching. With the VCSA, vCenter management can also be simplified (using the VAMI).
  • Check the VMware Security Advisories (https://www.vmware.com/security/advisories.html): This site has a list of possible security vulnerabilities for VMware products, and related remediation or mitigation.

Also, in order to mitigate security risks in ESXi, there are some built-in security settings, as follows:

  • Shell access: ESXi Shell and SSH are disabled by default. It is usually safe to keep both ESXi Shell and SSH access disabled, preventing direct access to the ESXi CLI. Note that in this case you can still use esxcli remotely, as well as other remote CLI tools!
  • Firewall: Only a few ports are open by default, and ports are opened automatically on the firewall when a service needs them. Although you can manually open ports or build custom ESXi firewall rules, try to keep this management automatic.
  • Services: Following the least-privilege approach, ESXi only runs required services, and new services are started automatically if a specific feature requires them.
  • Secure protocols: By default, weak ciphers are disabled, and communications from clients are secured by SSL. Starting with vSphere 6.5, the TLS protocol versions 1.0, 1.1, and 1.2 are enabled, by default. Also, see VMware KB 2147469 (https://kb.vmware.com/s/article/2147469), Managing TLS protocol configuration for vSphere 6.5.
  • Web server: A custom Tomcat web service is used to provide access from the web client. The service has been hardened to improve its security.
  • Bugs: VMware usually releases security patches, in case of possible security issues affecting ESXi (or other components). With VUM, you can easily apply those patches.
  • Secure Boot: VMware ESXi 6.5 supports secure booting, as described previously.
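As an added example (not from this book or from VMware), the following POSIX shell audit turns the shell-access and firewall items above into repeatable checks over esxcli output: it flags firewall rulesets enabled beyond a baseline and an ESXi Shell timeout of 0. The baseline ruleset list and the 3600-second threshold are assumptions, and the esxcli output is constructed so the script runs offline.

```shell
#!/bin/sh
# Constructed sample of `esxcli network firewall ruleset list` output (not a real host).
SAMPLE_RULESETS='Name                     Enabled
-----------------------  -------
sshServer                   true
sshClient                  false
vSphereClient               true
nfsClient                   true
CIMHttpServer               true
dhcp                        false'
# Constructed sample of `esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut`.
SAMPLE_TIMEOUT='   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 0'
# Hypothetical baseline (assumption): rulesets allowed to stay enabled and the longest
# acceptable shell timeout in seconds. Adjust both to your environment.
BASELINE_ALLOWED="vSphereClient CIMHttpServer"
MAX_SHELL_TIMEOUT=3600

# audit_rulesets: reads ruleset list output on stdin, prints one finding per ruleset
# that is enabled but absent from BASELINE_ALLOWED, and exits 1 if there was any.
audit_rulesets() {
    awk -v allowed="$BASELINE_ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 2 && $2 == "true" && !($1 in ok) {
            print "finding: firewall ruleset " $1 " is enabled but not in baseline"; bad++
        }
        END { exit (bad > 0) }'
}

# audit_shell_timeout: reads the advanced-setting output on stdin. A value of 0 means
# an enabled shell never closes on its own; a value above the baseline is also flagged.
audit_shell_timeout() {
    awk -v max="$MAX_SHELL_TIMEOUT" '
        /^ *Int Value:/ { v = $3 }
        END {
            if (v == "" || v + 0 == 0) { print "finding: ESXiShellTimeOut is 0, shell never times out"; exit 1 }
            if (v + 0 > max) { print "finding: ESXiShellTimeOut " v "s exceeds baseline " max "s"; exit 1 }
        }'
}
# run_audit: both checks against the samples (on a host, pipe the esxcli commands in
# instead); returns 1 if either check reported a finding.
run_audit() {
    status=0
    printf '%s\n' "$SAMPLE_RULESETS" | audit_rulesets || status=1
    printf '%s\n' "$SAMPLE_TIMEOUT" | audit_shell_timeout || status=1
    return "$status"
}
run_audit || echo "audit finished with findings (see above)"
```

Running it on a host in which SSH was left enabled reports the sshServer and nfsClient rulesets and the zero timeout, which is exactly the state the shell-access and firewall items above tell you to avoid.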