Harden vCenter Server

Depending on your type of vCenter deployment, you may have internal or external PSC (see Objective 1.3), and you may also have Windows-based servers or Linux-based virtual appliances.

Note that, in the new major release of vSphere, there will only be the virtual appliance (vCenter Virtual Appliance, or VCSA) option, and the Windows-based installation will no longer be available.

There are some generic security best practices that are valid for both versions, as follows:

  • Use named accounts, and minimize permissions
  • Monitor privileges of vCenter Server administrator users
  • Limit vCenter Server network connectivity
  • Verify certificates
  • Keep the vCenter OS and services updated

With the VCSA from VMware, in vSphere 6.5 and later, you can apply the same VM hardening suggestions (see Objective 1.4). Note, however, that the VCSA is already based on a hardened operating system (in vSphere 6.5, the VCSA is based on the VMware Photon OS platform).

By default, shell access is disabled on the VCSA. A remote shell over SSH can be enabled during deployment, but by default this shell offers only a limited set of commands (although it is also easy to enable the full shell).

The PSC security best practices are quite simple:

  • Check password expirations: Remember that the default SSO password lifetime is 90 days.
  • Use NTP for time sync: All systems must use the same time source. Time synchronization is essential for authentication, and also for certificate validity.
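The following added example (not from the original text or from VMware) shows one way to turn two of the items above into a recurring check: monitoring who holds the Administrator role, and tracking SSO passwords against the default 90-day lifetime. The record layout, the approved-administrator baseline, the shared-account list, the 14-day warning window and all sample data are assumptions constructed for illustration.

```python
from datetime import date, timedelta

SSO_PASSWORD_LIFETIME = timedelta(days=90)  # default SSO lifetime stated in the text
WARN_WINDOW = timedelta(days=14)            # assumption: warn two weeks ahead
SHARED = {"administrator@vsphere.local"}    # assumption: shared, not a named account
APPROVED = {"j.doe@vsphere.local", "a.smith@vsphere.local"}  # assumption: baseline

# Constructed sample exports (field names are hypothetical).
PERMISSIONS = [
    {"principal": "j.doe@vsphere.local", "role": "Administrator"},
    {"principal": "Administrator@vsphere.local", "role": "Administrator"},
    {"principal": "temp.contractor@corp.example", "role": "Administrator"},
    {"principal": "ops.view@corp.example", "role": "ReadOnly"},
]
ACCOUNTS = [
    {"principal": "j.doe@vsphere.local", "password_set": date(2018, 2, 15)},
    {"principal": "a.smith@vsphere.local", "password_set": date(2018, 3, 10)},
    {"principal": "svc-backup@vsphere.local", "password_set": date(2018, 5, 1)},
]

def audit_admins(perms, approved=APPROVED, shared=SHARED):
    """Flag Administrator grants held by shared or unapproved principals."""
    findings = []
    for p in perms:
        if p["role"] != "Administrator":
            continue
        who = p["principal"].lower()  # compare principal names case-insensitively
        if who in shared:
            findings.append((who, "shared account holds Administrator"))
        elif who not in approved:
            findings.append((who, "Administrator grant outside approved baseline"))
    return findings

def audit_password_expiry(accounts, today, lifetime=SSO_PASSWORD_LIFETIME, warn=WARN_WINDOW):
    """Flag accounts whose password has expired or expires within the warning window."""
    findings = []
    for a in accounts:
        days_left = (a["password_set"] + lifetime - today).days
        if days_left <= 0:
            findings.append((a["principal"], "expired", days_left))
        elif days_left <= warn.days:
            findings.append((a["principal"], "expiring", days_left))
    return findings

if __name__ == "__main__":
    for finding in audit_admins(PERMISSIONS):
        print(finding)
    for finding in audit_password_expiry(ACCOUNTS, today=date(2018, 6, 1)):
        print(finding)
```

Running the check on a schedule and comparing its output with the previous run highlights new Administrator grants and passwords that are about to lapse.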

For more information, see the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-8C5F5839-37EC-409E-8C46-C8AD146CBC73.html).