These security controls provide a baseline set of vCenter Server security best practices. They are structured in a way that explains the benefits and tradeoffs of implementing the control. To make changes, you can use the vSphere Client, PowerCLI, or the vCenter Server Management Interface, depending on the control.

PowerCLI and Variables Used

Some of the PowerCLI examples used here requires that the VMware.vSphere.SsoAdmin module be installed.

The PowerCLI commands in this section use the following variables:

  • $VC="vcenter_server_name"
  • $VDS="vsphere_distributed_switch_name"
  • $VDPG="vsphere_distributed_port_group"

Set vSphere Client Inactivity Timeout

The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity.

Idle vSphere Client sessions can be left open indefinitely if a user forgets to log out, thereby increasing the risk of unauthorized privileged access.

Values
Installation Default Value: 120 minutes
Baseline Suggested Value: 15 minutes
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
N/A (No public API available)
PowerCLI Command Remediation Example
N/A (No public API available)
Setting Location in the vSphere Client
Administration > Client Configuration > Session timeout

Set Failed Login Attempts Interval

The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.

By limiting the number of failed login attempts, the risk of unauthorized access using user password guessing, otherwise known as brute-forcing, is reduced.

Values
Installation Default Value: 180
Baseline Suggested Value: 900
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Get-SsoLockoutPolicy | Select FailedAttemptIntervalSec
PowerCLI Command Remediation Example
Get-SsoLockoutPolicy | Set-SsoLockoutPolicy -FailedAttemptIntervalSec 900
Setting Location in the vSphere Client
Administration > Single Sign On > Configuration > Local Accounts > Lockout Policy

Configure the vSphere SSO Lockout Policy Maximum Attempts

The vCenter Server must lock an account after a specified number of failed login attempts.

Repeated failed logins for an account can signal security issues. To limit brute force attempts, lock the account after a certain threshold, balancing between avoiding automatic connection retries and potential denial-of-service attacks.

Values
Installation Default Value: 5
Baseline Suggested Value: 5
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Get-SsoLockoutPolicy | Select MaxFailedAttempts
PowerCLI Command Remediation Example
Get-SsoLockoutPolicy | Set-SsoLockoutPolicy -MaxFailedAttempts 5
Setting Location in the vSphere Client
Administration > Single Sign On > Configuration > Local Accounts > Lockout Policy

Configure the vSphere SSO Lockout Policy Unlock Time

The vCenter Server must unlock accounts after a specified timeout period.

Repeated failed logins can suggest security threats. vCenter Server accounts should not automatically unlock when they have been locked due to multiple login failures. Ensure that you have your administrator@vsphere.local information and that it is valid.

Values
Installation Default Value: 300
Baseline Suggested Value: 0
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
There is the opportunity for denial-of-service when accounts do not automatically unlock.
PowerCLI Command Assessment
Get-SsoLockoutPolicy | Select AutoUnlockIntervalSec
PowerCLI Command Remediation Example
Get-SsoLockoutPolicy | Set-SsoLockoutPolicy -AutoUnlockIntervalSec 0
Setting Location in the vSphere Client
Administration > Single Sign On > Configuration > Local Accounts > Lockout Policy

Enforce Password Complexity

The vCenter Server must enforce password complexity.

Modern best practices for passwords (see NIST 800-63B Section 5.1.1.2, among other guidance) indicate that with adequate password entropy, security is not improved by arbitrarily requiring users to change their passwords at certain intervals. Many automated security tools and regulatory compliance frameworks do not reflect this guidance, and might override this recommendation.

Password strength and complexity rules apply to accounts created in vSphere SSO, including administrator@vsphere.local (or, if you specified a different domain during installation, administrator@mydomain). These rules do not apply to Active Directory users when vCenter Server is joined to a domain, because AD enforces those password policies.

Values
Installation Default Value:

Maximum Length: 20

Minimum Length: 8

At least 1 special

At least 2 alphabetic

At least 1 uppercase

At least 1 lowercase

At least 1 numeric

3 identical adjacent

Baseline Suggested Value:

Maximum Length: 64

Minimum Length: 15

At least 1 special

At least 2 alphabetic

At least 1 uppercase

At least 1 lowercase

At least 1 numeric

3 identical adjacent

Recommended Action
Modify the installation default values.
Potential Functional Impact if Default Value Is Changed
Other products and services within the VMware ecosystem might not expect changes to password complexity requirements and could fail installation.
PowerCLI Command Assessment
Get-SsoPasswordPolicy
PowerCLI Command Remediation Example
Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinLength 15 -MaxLength 64 -MinNumericCount 1 -MinSpecialCharCount 1 -MinAlphabeticCount 2 -MinUppercaseCount 1 -MinLowercaseCount 1 -MaxIdenticalAdjacentCharacters 3
Setting Location in the vSphere Client
Administration > Single Sign On > Configuration > Local Accounts > Password Policy

Configure the Maximum Number of Days Between Password Changes

The vCenter Server must be configured with an appropriate maximum password age.

Modern best practices for passwords (see NIST 800-63B Section 5.1.1.2, among other guidance) indicate that with adequate password entropy, security is not improved by arbitrarily requiring users to change their passwords at certain intervals. Many automated security tools and regulatory compliance frameworks do not reflect this guidance, and might override this recommendation.

Values
Installation Default Value: 90
Baseline Suggested Value: 99999
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Get-SsoPasswordPolicy | Select PasswordLifetimeDays
PowerCLI Command Remediation Example
Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -PasswordLifetimeDays 9999
Setting Location in the vSphere Client
Administration > Single Sign On > Configuration > Local Accounts > Password Policy

Restrict Password Reuse

Configure the password history setting to restrict the reuse of passwords on the vCenter Server.

Password complexity guidelines sometimes cause users to reuse older passwords. Configuring the password history setting on the vCenter Server can help prevent this situation.

Values
Installation Default Value: 5
Baseline Suggested Value: 5
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Get-SsoPasswordPolicy | Select ProhibitedPreviousPasswordsCount
PowerCLI Command Remediation Example
Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -ProhibitedPreviousPasswordsCount 5
Setting Location in the vSphere Client
Administration > Single Sign On > Configuration > Local Accounts > Password Policy

Configure the Login Banner Text for SSH Access

Configure the vCenter Server login banner text for access using SSH.

vCenter Server allows a login message, which deters intruders and communicates obligations to authorized users. This configuration establishes the text displayed when a client connects using SSH. The default text leaks information to attackers about system configuration and should be changed.

Values

Installation Default Value: VMware vCenter Server version

Type: vCenter Server with an embedded Platform Services Controller

Baseline Suggested Value: Consult your organization's legal advisers for text that is applicable to your environment.

Example text: Authorized users only. Actual or attempted unauthorized use of this system is prohibited and may result in criminal, civil, security, or administrative proceedings and/or penalties. Use of this information system indicates consent to monitoring and recording, without notice or permission. Users have no expectation of privacy in any use of this system. Any information stored on, or transiting this system, or obtained by monitoring and/or recording, may be disclosed to law enforcement and/or used in accordance with Federal law, State statute, and organization policy. If you are not an authorized user of this system, exit the system at this time.

Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Get-AdvancedSetting -Entity $VC -Name etc.issue
PowerCLI Command Remediation Example
Get-AdvancedSetting -Entity $VC -Name etc.issue | Set-AdvancedSetting -Value "Authorized users only. Actual or attempted unauthorized use of this system is prohibited and may result in criminal, civil, security, or administrative proceedings and/or penalties. Use of this information system indicates consent to monitoring and recording, without notice or permission. Users have no expectation of privacy in any use of this system. Any information stored on, or transiting this system, or obtained by monitoring and/or recording, may be disclosed to law enforcement and/or used in accordance with Federal law, State statute, and organization policy. If you are not an authorized user of this system, exit the system at this time."
Setting Location in the vSphere Client
Administration > Single Sign On > Configuration > Login Message

Set Task and Retention Interval

The vCenter Server must have task and event retention set to an appropriate interval.

vCenter Server retains task and event data, which ages out to save storage space. The age is configurable. This only impacts local storage of event data on the vCenter Server Appliance.

Values
Installation Default Value: 30
Baseline Suggested Value: 30
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
N/A (No public API available)
PowerCLI Command Remediation Example
N/A (No public API available)
Setting Location in the vSphere Client
N/A

Activate Remote Logging

Activate remote logging of vCenter Server events.

Remote logging to a central host enhances the security of vCenter Server by storing logs securely. Remote logging simplifies monitoring across hosts and supports aggregate analysis for detecting coordinated attacks. Centralized logging prevents tampering and serves as a reliable long-term audit record. The vpxd.event.syslog.enabled setting activates remote logging.

Values
Installation Default Value: True
Baseline Suggested Value: True
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Get-AdvancedSetting -Entity $VC -Name vpxd.event.syslog.enabled
PowerCLI Command Remediation Example
Get-AdvancedSetting -Entity $VC -Name vpxd.event.syslog.enabled | Set-AdvancedSetting -Value true
Setting Location in the vSphere Client
Select vCenter Server > Configure > Advanced Settings

Activate FIPS

The vCenter Server must activate FIPS-validated cryptography.

FIPS cryptography makes a number of changes to the system to remove weaker ciphers. Activating FIPS causes vCenter Server to restart.

Values
Installation Default Value: False
Baseline Suggested Value: True
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
FIPS cryptography makes a number of changes to the system to remove weaker ciphers. Enabling FIPS causes vCenter Server to restart.
PowerCLI Command Assessment
Invoke-GetSystemGlobalFips
PowerCLI Command Remediation Example
$spec = Initialize-SystemSecurityGlobalFipsUpdateSpec -Enabled $true
Invoke-SetSystemGlobalFips -SystemSecurityGlobalFipsUpdateSpec $spec
Setting Location in the vSphere Client
See Activate and Deactivate FIPS on the vCenter Server Appliance.

Configure Audit Records

The vCenter Server must produce audit records that contain information to establish what type of events occurred.

It is important to ensure that sufficient information is present in audit logs for diagnostics and forensics purposes. The config.log.level setting configures audit records.

Values
Installation Default Value: Info
Baseline Suggested Value: Info
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Get-AdvancedSetting -Entity $VC -Name config.log.level
PowerCLI Command Remediation Example
Get-AdvancedSetting -Entity $VC -Name config.log.level | Set-AdvancedSetting -Value info
Setting Location in the vSphere Client
vCenter Server Host > Configure > Advanced Settings

Deactivate MAC Learning

All distributed switch port groups must deactivate MAC Learning unless used intentionally.

MAC Learning enables a distributed switch to provide network connectivity to systems where more than one MAC address is used on a vNIC. This can be useful in special cases like nested virtualization (running ESXi inside ESXi, for example). MAC learning also supports unknown unicast flooding. Normally, when a packet that is received by a port has an unknown destination MAC address, the packet is dropped. With unknown unicast flooding enabled, the port floods unknown unicast traffic to every port on the switch that has MAC learning and unknown unicast flooding enabled. This property is activated by default, but only if MAC learning is enabled. Deactivate MAC Learning unless it is in use intentionally for a known workload that requires it.

Values
Installation Default Value: Disabled
Baseline Suggested Value: Disabled
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
Some workloads do legitimately use these network tactics and are negatively affected by the defaults and desired state.
PowerCLI Command Assessment
(Get-VDPortgroup -Name $VDPG).ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy | Select-Object -ExpandProperty Enabled
PowerCLI Command Remediation Example
$VDPGview = Get-VDPortgroup -Name $VDPG | Get-View 
$ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec
$ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$ConfigSpec.DefaultPortConfig.MacManagementPolicy = New-Object VMware.Vim.DVSMacManagementPolicy
$ConfigSpec.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy = New-Object VMware.Vim.DVSMacLearningPolicy
$ConfigSpec.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy.Enabled = $false
$ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion
$VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec)
Setting Location in the vSphere Client
N/A. MAC Learning can be enabled on a Distributed Virtual Port group using the vSphere API. See vSphere Web Services API Reference for more information.

Configure the Login Message Banner Details

Configure the vCenter Server login banner details for the vSphere Client.

vCenter Server provides the ability to display a login message. Usages of the login message include informing intruders that their activities are illegal, and conveying to authorized users the expectations and obligations they must meet and agree to while using the system. This configuration sets the detailed text from the vSphere Client login page message.

Values
Installation Default Value: Not configured
Baseline Suggested Value: Consult your organization's legal advisers for text that is applicable to your environment.

An example text: Authorized users only. Actual or attempted unauthorized use of this system is prohibited and may result in criminal, civil, security, or administrative proceedings and/or penalties. Use of this information system indicates consent to monitoring and recording, without notice or permission. Users have no expectation of privacy in any use of this system. Any information stored on, or transiting this system, or obtained by monitoring and/or recording, may be disclosed to law enforcement and/or used in accordance with Federal law, State statute, and organization policy. If you are not an authorized user of this system, exit the system at this time.

Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
N/A (No public API available)

You can configure the login message by running the following command in an appliance shell:

/opt/vmware/bin/sso-config.sh -set_login_banner -title login_banner_title logonBannerFile
Remember to deactivate the shell again when you are done.
PowerCLI Command Remediation Example
N/A (No public API available)
You can configure the login message by running the following command in an appliance shell:
/opt/vmware/bin/sso-config.sh -set_login_banner -title login_banner_title logonBannerFile

Remember to deactivate the shell again when you are done.

Setting Location in the vSphere Client
Administration > Single Sign On > Configuration > Login Message > Edit

Activate the Login Banner

Activate the vCenter Server login banner for the vSphere Client.

vCenter Server provides the ability to display a login message. Usages of the login message include informing intruders that their activities are illegal, and conveying to authorized users the expectations and obligations they must meet and agree to while using the system. This configuration activates the display of the message on the vSphere Client login page.

Values
Installation Default Value: False
Baseline Suggested Value: True
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
N/A (No public API available)
You can configure the login message by running the following command in an appliance shell:
/opt/vmware/bin/sso-config.sh -set_logon_banner -title logon_banner_title logonBannerFile

Remember to deactivate the shell again when you are done.

PowerCLI Command Remediation Example
N/A (No public API available)
You can configure the login message by running the following command in an appliance shell:
/opt/vmware/bin/sso-config.sh -set_logon_banner -title logon_banner_title logonBannerFile

Remember to deactivate the shell again when you are done.

Setting Location in the vSphere Client
Administration > Single Sign On > Configuration > Login Message > Edit

Configure the Login Banner Text

Configure the vCenter Server login banner text for the vSphere Client.

vCenter Server provides the ability to display a login message. Usages of the login message include informing intruders that their activities are illegal, and conveying to authorized users the expectations and obligations they must meet and agree to while using the system. This configuration establishes the text displayed on the vSphere Client login page.

Values
Installation Default Value: Not configured
Baseline Suggested Value: Consult your organization's legal advisers for specific text.

Example text: Use of this system indicates awareness of, and consent to, the organizational policies governing this system.

Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
N/A (No public API available)
You can configure the login message by running the following command in an appliance shell:
/opt/vmware/bin/sso-config.sh -set_logon_banner -title logon_banner_title logonBannerFile

Remember to deactivate the shell again when you are done.

PowerCLI Command Remediation Example
N/A (No public API available)
You can configure the login message by running the following command in an appliance shell:
/opt/vmware/bin/sso-config.sh -set_logon_banner -title logon_banner_title logonBannerFile

Remember to deactivate the shell again when you are done.

Setting Location in the vSphere Client
Administration > Single Sign On > Configuration > Login Message > Edit

Separate Authentication and Authorization for Administrators

The vCenter Server must separate authentication and authorization for administrators.

Combining authentication and authorization, as services such as Active Directory do, risks infrastructure breaches if compromised. Thus, for vCenter Server, ensure that you segregate authentication and authorization for administrators. Consider using local SSO groups for authorization to better manage risk where feasible.

Values
Installation Default Value: Not configured
Baseline Suggested Value: Not configured
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
Provisioning vCenter Server access required interaction with vCenter Server SSO. Automation is possible with PowerCLI.
PowerCLI Command Assessment
N/A (No public API available)
PowerCLI Command Remediation Example
N/A (No public API available)
Setting Location in the vSphere Client
N/A

Set the Forged Transmits Policy to Reject

Set all distributed switches and their port groups to reject forged transmits.

A virtual machine can impersonate network adapters by changing MAC addresses, posing security threats. By setting the Forged Transmits option to Reject on all distributed switches and port groups, ESXi verifies MAC addresses and prevents such impersonation.

Values
Installation Default Value: Reject
Baseline Suggested Value: Reject
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
Some workloads do legitimately use these network tactics and are affected negatively by default setting.
PowerCLI Command Assessment
Get-VDSwitch -Name $VDS | Get-VDSecurityPolicy
Get-VDPortgroup -Name $VDPG | Get-VDSecurityPolicy
PowerCLI Command Remediation Example
Get-VDSwitch -Name $VDS | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false
Get-VDPortgroup -Name $VDPG | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false
Setting Location in the vSphere Client
See the vSphere Networking documentation.

Set the MAC Address Changes Policy to Reject

Set the MAC Address Changes policy to Reject on both the vSphere Standard Switch and its port groups.

Allowing virtual machines to change MAC addresses poses security risks, enabling potential network adapter impersonation. Rejecting MAC changes on all distributed switches and port groups prevents this, but might impact certain applications like Microsoft Clustering or MAC address-dependent licensing. Make exceptions to this security guidance as necessary.

Values
Installation Default Value: Reject
Baseline Suggested Value: Reject
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
Some workloads do legitimately use these network tactics and are affected negatively by the a setting of Reject.
PowerCLI Command Assessment
Get-VDSwitch -Name $VDS | Get-VDSecurityPolicy
Get-VDPortgroup -Name $VDPG | Get-VDSecurityPolicy
PowerCLI Command Assessment
Get-VDSwitch -Name $VDS | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false
Get-VDPortgroup -Name $VDPG | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false
Setting Location in the vSphere Client
See the vSphere Networking documentation.

Set the Promiscuous Mode Policy to Reject

Set the Promiscuous Mode policy to Reject on both the vSphere Standard Switch and its port groups.

Activating promiscuous mode on a port group allows all connected virtual machines to read all network packets, posing a potential security risk. Although allowing promiscuous mode is sometimes necessary for debugging or monitoring, the default setting of Reject is recommended. Make exceptions for specific port groups as required.

Values
Installation Default Value: Reject
Baseline Suggested Value: Reject
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
Some workloads do legitimately use these network tactics and are affected negatively by the setting of Reject.
PowerCLI Command Assessment
Get-VDSwitch -Name $VDS | Get-VDSecurityPolicy
Get-VDPortgroup -Name $VDPG | Get-VDSecurityPolicy
PowerCLI Command Remediation Example
Get-VDSwitch -Name $VDS | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false
Get-VDPortgroup -Name $VDPG | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false
Setting Location in the vSphere Client
See the vSphere Networking documentation.

Reset Port Configuration When Virtual Machines Are Disconnected

The vCenter Server must reset port configuration when virtual machines are disconnected.

When a virtual machine is disconnected from the virtual switch port, it is desirable to reset the port configuration, so that another virtual machine that attaches has a port in a known state.

Values
Installation Default Value: Activated
Baseline Suggested Value: Activated
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
(Get-VDPortgroup -Name $VDPG).ExtensionData.Config.Policy | Select-Object -ExpandProperty PortConfigResetAtDisconnect
PowerCLI Command Remediation Example
$VDPGview = Get-VDPortgroup -Name $VDPG | Get-View 
$ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec
$ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$ConfigSpec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
$ConfigSpec.Policy.PortConfigResetAtDisconnect = $true
$ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion
$VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec)
Setting Location in the vSphere Client
See the vSphere Networking documentation.

Deactivate Cisco Discovery Protocol or Link Layer Discovery Protocol

Deactivate participation in Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) on distributed switches unless used intentionally.

The vSphere Distributed Virtual Switch can engage in CDP or LLDP, potentially sharing sensitive unencrypted information, like IP addresses and system names, on the network. Thus, CDP and LLDP can aid adversaries in understanding or impersonating your environment. However, CDP and LLDP are also extremely helpful for legitimate use cases. Deactivate CDP and LLDP unless necessary for troubleshooting or configuration validation.

Values
Installation Default Value: Listen
Baseline Suggested Value: None
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
(Get-VDSwitch -Name $VDS).ExtensionData.config.LinkDiscoveryProtocolConfig | Select-Object -ExpandProperty Operation
PowerCLI Command Remediation Example
$VDview = Get-VDSwitch -Name $VDS | Get-View
$ConfigSpec = New-Object VMware.Vim.VMwareDVSConfigSpec
$ConfigSpec.LinkDiscoveryProtocolConfig = New-Object VMware.Vim.LinkDiscoveryProtocolConfig
$ConfigSpec.LinkDiscoveryProtocolConfig.Protocol = 'cdp'
$ConfigSpec.LinkDiscoveryProtocolConfig.Operation = 'none'
$ConfigSpec.ConfigVersion = $VDview.Config.ConfigVersion
$VDview.ReconfigureDvs_Task($ConfigSpec)
Setting Location in the vSphere Client
See the vSphere Networking documentation.

Ensure That Authorized Collectors Receive NetFlow Traffic

The vCenter Server must ensure that NetFlow traffic is being sent to authorized collectors.

The vSphere Distributed Switch can export unencrypted NetFlow data, revealing details about virtual network and traffic patterns. Verify that NetFlow usage is authorized and configured correctly to prevent information leaks.

Values
Installation Default Value: Listen
Baseline Suggested Value: None
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
(Get-VDSwitch -Name $VDS).ExtensionData.config.IpfixConfig.CollectorIpAddress | Select-Object -ExpandProperty CollectorIpAddress
(Get-VDPortgroup -Name $VDPG).ExtensionData.Config.DefaultPortConfig.IpfixEnabled | Select-Object -ExpandProperty Value
PowerCLI Command Remediation Example
$VDPGview = Get-VDPortgroup -Name $VDPG | Get-View 
$ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec
$ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$ConfigSpec.DefaultPortConfig.IpfixEnabled = New-Object VMware.Vim.BoolPolicy
$ConfigSpec.DefaultPortConfig.IpfixEnabled.Inherited = $false
$ConfigSpec.DefaultPortConfig.IpfixEnabled.Value = $false
$ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion
$VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec)
Setting Location in the vSphere Client
See the vSphere Networking documentation.

Configure Virtual Machine Port Security

The vCenter Server must not override port group settings at the port level on distributed switches, except to block ports.

While port-level configuration overrides might be needed for unique virtual machine setups, be sure to monitor them to prevent unauthorized use. Unmonitored overrides could allow broader access if a less secure Distributed Switch configuration is exploited.

Values
Installation Default Value:

Block Ports Override: TRUE

All Other Overrides: FALSE

Baseline Suggested Value:

Block Ports Override: TRUE

All Other Overrides: FALSE

Recommended Action
Audit the installation default setting.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
(Get-VDPortgroup -Name $VDPG).ExtensionData.Config.Policy
PowerCLI Command Remediation Example
$VDPGview = Get-VDPortgroup -Name $VDPG | Get-View 
$ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec
$ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$ConfigSpec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
$ConfigSpec.Policy.UplinkTeamingOverrideAllowed = $false
$ConfigSpec.Policy.BlockOverrideAllowed = $true
$ConfigSpec.Policy.LivePortMovingAllowed = $false
$ConfigSpec.Policy.VlanOverrideAllowed = $false
$ConfigSpec.Policy.SecurityPolicyOverrideAllowed = $false
$ConfigSpec.Policy.VendorConfigOverrideAllowed = $false
$ConfigSpec.Policy.ShapingOverrideAllowed = $false
$ConfigSpec.Policy.IpfixOverrideAllowed = $false
$ConfigSpec.Policy.TrafficFilterOverrideAllowed = $false
$ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion
$VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec)
Setting Location in the vSphere Client
See the vSphere Networking documentation.

Remove Port Mirroring

The vCenter Server must remove unauthorized port mirroring sessions on distributed switches.

The vSphere Distributed Switch can mirror traffic between ports, enabling traffic observation. To maintain security, any unauthorized port mirroring sessions on distributed switches must be removed.

Values
Installation Default Value: Not configured
Baseline Suggested Value: Not configured
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
(Get-VDSwitch -Name $VDS).ExtensionData.config.VspanSession
PowerCLI Command Remediation Example
N/A
Setting Location in the vSphere Client
See the vSphere Networking documentation.

Restrict Virtual Guest Tagging

The vCenter Server must restrict the use of Virtual Guest Tagging (VGT) on Distributed Switches.

Setting a port group to VLAN 4095 allows Virtual Guest Tagging (VGT), requiring the virtual machine to process VLAN tags. Activate VGT only for those virtual machines that are authorized and equipped to manage VLAN tags. Inappropriate use can cause service denial or unauthorized VLAN traffic interaction.

Values
Installation Default Value: Not configured
Baseline Suggested Value: Not configured
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Get-VDPortgroup -Name $VDPG | Where {$_.ExtensionData.Config.Uplink -ne "True"} | Select Name,VlanConfiguration
PowerCLI Command Remediation Example
Get-VDPortgroup $VDPG | Set-VDVlanConfiguration -VlanId "New_VLAN#"
Setting Location in the vSphere Client
See the vSphere Networking documentation.

Check for VMware Maintenance on the vCenter Server Version

Ensure that the vCenter Server version has not reached VMware End of General Support status.

Values
Installation Default Value: N/A
Baseline Suggested Value: N/A
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
N/A
PowerCLI Command Remediation Example
N/A
Setting Location in the vCenter Server Management Interface
Update

Restrict Access to SSH

The vCenter Server SSH service must be deactivated.

vCenter Server Appliance is delivered as an appliance, and intended to be managed through the vCenter Server Management Interface, the vSphere Client, and the APIs. SSH is a troubleshooting and support tool to be activated only when necessary. vCenter Server High Availability uses SSH to coordinate the replication and failover between the nodes. Use of this feature requires SSH to remain activated.

Values
Installation Default Value: Deactivated
Baseline Suggested Value: Deactivated
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Note: You must first connect to the vCenter Server host by using the Connect-CISServer cmdlet.
(Get-CisService -Name "com.vmware.appliance.access.ssh").get()
PowerCLI Command Remediation Example
(Get-CisService -Name "com.vmware.appliance.access.ssh").set($false)
Setting Location in the vCenter Server Management Interface
Access

Verify the root User Password Expiration

The vCenter Server root account password expiration must be configured appropriately.

Modern best practices for passwords (NIST 800-63B Section 5.1.1.2, among other guidance) indicate that with adequate password entropy, security is not improved by arbitrarily requiring users to change their passwords at certain intervals. Many automated security tools and regulatory compliance frameworks do not reflect this guidance, and might override this recommendation.

Values
Installation Default Value: Yes
Baseline Suggested Value: No
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
Failure to reset the password before the expiration means that recovery procedures are necessary.
PowerCLI Command Assessment
Note: You must first connect to the vCenter Server host by using the Connect-CISServer cmdlet.
(Get-CisService -Name "com.vmware.appliance.local_accounts.policy").get()
PowerCLI Command Remediation Example
(Get-CisService -Name "com.vmware.appliance.local_accounts.policy").set(@{max_days=9999; min_days=1; warn_days=7})
Setting Location in the vCenter Server Management Interface
Administration

Configure File-Based Backup and Recovery

Configure File-Based Backup and Recovery so that you can recover your vCenter Server Appliance and its configuration using the vCenter Server installer. Backup and restore is an important part of protecting your environment.

Values
Installation Default Value: Not configured
Baseline Suggested Value: Configured
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
N/A
PowerCLI Command Remediation Example
N/A
Setting Location in the vCenter Server Management Interface
Backup

Configure the Firewall to Only Allow Traffic from Authorized Networks

The vCenter Server Appliance must configure the firewall to only allow traffic from authorized networks.

Ensure that all incoming and outgoing network traffic is blocked unless explicitly allowed, reducing the attack surface and helping to prevent unauthorized access to the system. Outgoing (egress) traffic is not blocked, nor are related or established connections, so vCenter Server Appliance is still able to communicate with systems where it initiates the connection. Use perimeter firewalls to curtail those types of connections.

Values
Installation Default Value: Connections allowed from any IP address.
Baseline Suggested Value: Connections allowed only from authorized infrastructure and administration workstations.
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
Loss of connectivity. Ensure that you configure an allow rule for yourself prior to configuring a "deny all" rule.
PowerCLI Command Assessment
N/A
PowerCLI Command Remediation Example
N/A
Setting Location in the vCenter Server Management Interface
Firewall

Configure Remote Log Server

Configure a remote log server for the vCenter Server.

Remote logging to a central host enhances the security of vCenter Server by storing logs securely. Remote logging simplifies monitoring across hosts and supports aggregate analysis for detecting coordinated attacks. Centralized logging prevents tampering and serves as a reliable long-term audit record.

Values
Installation Default Value: Not configured
Baseline Suggested Value: Site-specific log server
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Note: You must first connect to the vCenter Server host by using the Connect-CISServer cmdlet.
(Get-CisService -Name "com.vmware.appliance.logging.forwarding").get()
PowerCLI Command Remediation Example
N/A
Setting Location in the vSphere Client
N/A

Configure Time Synchronization

vCenter Server must have reliable time synchronization sources.

Cryptography, audit logging, cluster operations, and incident response and forensics heavily rely on synchronized time. Network Time Protocol (NTP) must have at least four sources. If you must choose between two sources and one source, one source is preferable.

Values
Installation Default Value: Undefined
Baseline Suggested Value: Site-specific, or:

0.vmware.pool.ntp.org,

1.vmware.pool.ntp.org,

2.vmware.pool.ntp.org,

3.vmware.pool.ntp.org

Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Note: You must first connect to the vCenter Server host by using the Connect-CISServer cmdlet.
(Get-CisService -Name ""com.vmware.appliance.timesync"").get()
(Get-CisService -Name ""com.vmware.appliance.ntp"").get()
PowerCLI Command Remediation Example
(Get-CisService -Name ""com.vmware.appliance.timesync"").set(""NTP"")
(Get-CisService -Name ""com.vmware.appliance.ntp"").set(""0.vmware.pool.ntp.org,1.vmware.pool.ntp.org,2.vmware.pool.ntp.org,3.vmware.pool.ntp.org"")
Setting Location in the vSphere Client
N/A

Install Software Updates

Ensure that vCenter Server has all software updates installed.

By keeping vCenter Server patches up to date, vulnerabilities can be mitigated. Attackers can exploit known vulnerabilities when attempting to gain unauthorized access or elevate privileges.

When applying updates, update vCenter Server first, if an update is available, then proceed with updating ESXi. This sequence ensures that the management layer is updated before updating the ESXi hosts.

Values
Installation Default Value: N/A
Baseline Suggested Value: N/A
Recommended Action
Modify the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
N/A
PowerCLI Command Remediation Example
N/A
Setting Location in the vSphere Client
See the Managing Host and Cluster Lifecycle documentation.

Rotate the vpxuser Password

The vCenter Server must configure the vpxuser password to be rotated on an appropriate interval.

The VirtualCenter.VimPasswordExpirationInDays setting configures the rotation period. Ensure that the vCenter Server is properly rotating the password that it automatically sets on the ESXi hosts.

Values
Installation Default Value: 30
Baseline Suggested Value: 30
Recommended Action
Audit the installation default value.
Potential Functional Impact if Default Value Is Changed
None
PowerCLI Command Assessment
Get-AdvancedSetting -Entity $VC -Name VirtualCenter.VimPasswordExpirationInDays
PowerCLI Command Remediation Example
Get-AdvancedSetting -Entity $VC -Name VirtualCenter.VimPasswordExpirationInDays | Set-AdvancedSetting -Value 30
Setting Location in the vSphere Client
Select vCenter Server > Configure > Advanced Settings