For improved security, avoid putting the vCenter Server system on any network other than a management network, and ensure that vSphere management traffic is on a restricted network. By limiting network connectivity, you limit certain types of attack.
vCenter Server requires access to a management network only. Avoid putting the vCenter Server system on other networks such as your production network or storage network, or on any network with access to the Internet. vCenter Server does not need access to the network where vMotion operates.
- All ESXi hosts.
- The vCenter Server database.
- Other vCenter Server systems (if the vCenter Server systems are part of a common vCenter Single Sign-On domain for purposes of replicating tags, permissions, and so on).
- Systems that are authorized to run management clients. For example, the vSphere Client, a Windows system where you use the PowerCLI, or any other SDK-based client.
- Infrastructure services such as DNS, Active Directory, and PTP or NTP.
- Other systems that run components that are essential to functionality of the vCenter Server system.
Use the firewall on the vCenter Server. Include IP-based access restrictions so that only necessary components can communicate with the vCenter Server system.
Evaluate the Use of Linux Clients with CLIs and SDKs
Communications between client components and a vCenter Server system or ESXi hosts are protected by SSL-based encryption by default. Linux versions of these components do not perform certificate validation. Consider restricting the use of these clients.
- ESXCLI commands
- vSphere SDK for Perl scripts
- Programs that are written using the vSphere Web Services SDK
- Restrict management network access to authorized systems only.
- Use firewalls to ensure that only authorized hosts are allowed to access vCenter Server.
- Use bastion hosts (jump-box systems) to ensure that the Linux clients are behind the "jump."
Examine vSphere Client Plug-Ins
vSphere Client extensions run at the same privilege level as the user who is logged in. A malicious extension can masquerade as a useful plug-in and perform harmful operations such as stealing credentials or changing the system configuration. To increase security, use an installation that includes only authorized extensions from trusted sources.
A vCenter Server installation includes an extensibility framework for the vSphere Client. You can use this framework to extend the client with menu selections or toolbar icons. The extensions can provide access to vCenter Server add-on components or external, Web-based functionality.
Using the extensibility framework results in a risk of introducing unintended capabilities. For example, if an administrator installs a plug-in in an instance of the vSphere Client, the plug-in can run arbitrary commands with the privilege level of that administrator.
To protect against a potential compromise of your vSphere Client, examine all installed plug-ins periodically and make sure that each plug-in comes from a trusted source.
Prerequisites
You must have privileges to access the vCenter Single Sign-On service. These privileges differ from vCenter Server privileges.
Procedure
- Log in to the vSphere Client as administrator@vsphere.local or a user with vCenter Single Sign-On privileges.
- From the Home page, select Administration, then select Client Plug-Ins under Solutions.
- Examine the list of client plug-ins.