For improved security, avoid putting the vCenter Server system on any network other than a management network, and ensure that vSphere management traffic is on a restricted network. By limiting network connectivity, you limit certain types of attack.

vCenter Server requires access to a management network only. Avoid putting the vCenter Server system on other networks such as your production network or storage network, or on any network with access to the Internet. vCenter Server does not need access to the network where vMotion operates.

vCenter Server requires network connectivity to the following systems.
  • All ESXi hosts.
  • The vCenter Server database.
  • Other vCenter Server systems (if the vCenter Server systems are part of a common vCenter Single Sign-On domain for purposes of replicating tags, permissions, and so on).
  • Systems that are authorized to run management clients, for example the vSphere Client, a Windows system where you use PowerCLI, or any other SDK-based client.
  • Infrastructure services such as DNS, Active Directory, and PTP or NTP.
  • Other systems that run components that are essential to the functionality of the vCenter Server system.

Use the firewall on the vCenter Server. Include IP-based access restrictions so that only necessary components can communicate with the vCenter Server system.

Evaluate the Use of Linux Clients with CLIs and SDKs

Communications between client components and a vCenter Server system or ESXi hosts are protected by SSL-based encryption by default. Linux versions of these components do not perform certificate validation. Consider restricting the use of these clients.

To improve security, you can replace the VMCA-signed certificates on the vCenter Server system and on the ESXi hosts with certificates that are signed by an enterprise or third-party CA. However, certain communications with Linux clients might still be vulnerable to machine-in-the-middle attacks. The following components are vulnerable when they run on the Linux operating system.
  • ESXCLI commands
  • vSphere SDK for Perl scripts
  • Programs that are written using the vSphere Web Services SDK

You can relax the restriction against using Linux clients if you enforce proper controls.
  • Restrict management network access to authorized systems only.
  • Use firewalls to ensure that only authorized hosts are allowed to access vCenter Server.
  • Use bastion hosts (jump-box systems) to ensure that the Linux clients are behind the "jump."
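
An added example, not part of the original page or of VMware's tooling: a Python check that applies the IP-based access restrictions and the bastion rule described above to source addresses seen at vCenter Server. Every address, the category names, and the `classify` and `audit` helpers are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: all addresses are invented for this example.
AUTHORIZED = {  # system category from the connectivity list -> source networks
    "esxi-host": ["10.10.20.0/24"],
    "vcenter-database": ["10.10.30.5/32"],
    "peer-vcenter": ["10.10.10.12/32"],
    "management-client": ["10.10.40.0/26"],
    "bastion": ["10.10.40.62/32"],
    "infrastructure-service": ["10.10.50.53/32", "10.10.50.123/32"],
}
# Linux CLI/SDK hosts (assumed inventory) that must reach vCenter via the bastion.
LINUX_CLIENTS = ["10.10.40.21/32"]

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def classify(src, authorized=AUTHORIZED, linux_clients=LINUX_CLIENTS):
    """Return (verdict, category) for one source address seen at vCenter Server."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("deny", "unparseable-source")
    # A Linux client connecting directly is denied even inside an allowed range.
    if any(addr in n for n in _nets(linux_clients)):
        return ("deny", "linux-client-not-via-bastion")
    # Most specific (longest prefix) match wins when ranges overlap.
    best = None
    for category, cidrs in authorized.items():
        for net in _nets(cidrs):
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, category)
    return ("allow", best[1]) if best else ("deny", "not-on-allowlist")

def audit(sources):
    """Return {source: reason} for every source that should be blocked."""
    results = ((s, classify(s)) for s in sources)
    return {s: reason for s, (verdict, reason) in results if verdict == "deny"}

if __name__ == "__main__":
    # Constructed observations, e.g. source addresses pulled from a firewall log.
    observed = ["10.10.20.14", "10.10.40.62", "10.10.40.21", "192.0.2.77", "10.10.30.6"]
    for src in observed:
        print(src, *classify(src))
```

Any source that `audit` returns is either missing from the allowlist or a Linux client that is not connecting through the bastion host.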

Examine vSphere Client Plug-Ins

vSphere Client extensions run at the same privilege level as the user who is logged in. A malicious extension can masquerade as a useful plug-in and perform harmful operations such as stealing credentials or changing the system configuration. To increase security, use an installation that includes only authorized extensions from trusted sources.

A vCenter Server installation includes an extensibility framework for the vSphere Client. You can use this framework to extend the client with menu selections or toolbar icons. The extensions can provide access to vCenter Server add-on components or external, Web-based functionality.

Using the extensibility framework results in a risk of introducing unintended capabilities. For example, if an administrator installs a plug-in in an instance of the vSphere Client, the plug-in can run arbitrary commands with the privilege level of that administrator.

To protect against a potential compromise of your vSphere Client, examine all installed plug-ins periodically and make sure that each plug-in comes from a trusted source.

Prerequisites

You must have privileges to access the vCenter Single Sign-On service. These privileges differ from vCenter Server privileges.

Procedure

  1. Log in to the vSphere Client as administrator@vsphere.local or a user with vCenter Single Sign-On privileges.
  2. From the Home page, select Administration, then select Client Plug-Ins under Solutions.
  3. Examine the list of client plug-ins.