To protect the service console against unauthorized intrusion and misuse, VMware imposes constraints on several service console parameters, settings, and activities. You can loosen the constraints to meet your configuration needs, but if you do so, make sure that you are working in a trusted environment and have taken enough other security measures to protect the network as a whole and the devices connected to the ESX host.

Consider the following recommendations when evaluating service console security and administering the service console.

Limit user access.

To improve security, restrict user access to the service console and enforce access policies such as password restrictions (for example, minimum character length and password aging limits) and a GRUB password for booting the host.

The service console has privileged access to certain parts of ESX. Therefore, provide only trusted users with login access. By default, root access is limited by not allowing secure shell (SSH) login as the root user. Strongly consider keeping this default. Require ESX system administrators to log in as regular users and then use the sudo command to perform specific tasks that require root privileges.
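The three settings recommended above (no root SSH login, password aging, and a GRUB boot password) are plain text files on the service console, so they can be checked with a short audit script. The script below is an added example, not VMware's own tooling: it runs against constructed sample files so it can be executed anywhere, and the real paths (/etc/ssh/sshd_config, /etc/login.defs, /boot/grub/grub.conf), the 90-day aging limit and the hash in the sample grub.conf are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not VMware's code): audit the service console hardening
# settings described above. On a real ESX host the files would be
# /etc/ssh/sshd_config, /etc/login.defs and /boot/grub/grub.conf (assumed paths).

# check_ssh_root FILE -> 0 if the effective PermitRootLogin is "no", 1 otherwise.
check_ssh_root() {
    # Comment lines are dropped first; the last live directive wins, as in sshd.
    val=$(grep -v '^[[:space:]]*#' "$1" | awk '/^[[:space:]]*PermitRootLogin/ {v=$2} END {print v}')
    [ "$val" = "no" ]
}

# check_pass_max_days FILE LIMIT -> 0 if PASS_MAX_DAYS is set and <= LIMIT.
check_pass_max_days() {
    days=$(grep -v '^[[:space:]]*#' "$1" | awk '/^[[:space:]]*PASS_MAX_DAYS/ {v=$2} END {print v}')
    [ -n "$days" ] && [ "$days" -le "$2" ] 2>/dev/null
}

# check_grub_password FILE -> 0 if an uncommented "password" directive is present.
check_grub_password() {
    grep -v '^[[:space:]]*#' "$1" | grep -q '^[[:space:]]*password'
}

# audit SSHD_CONF LOGIN_DEFS GRUB_CONF -> prints one line per check,
# returns the number of failed checks (0 means fully compliant).
audit() {
    fails=0
    check_ssh_root "$1" && echo "PASS sshd: PermitRootLogin no" \
        || { echo "FAIL sshd: root SSH login permitted"; fails=$((fails+1)); }
    check_pass_max_days "$2" 90 && echo "PASS login.defs: PASS_MAX_DAYS <= 90" \
        || { echo "FAIL login.defs: password aging missing or longer than 90 days"; fails=$((fails+1)); }
    check_grub_password "$3" && echo "PASS grub: boot password set" \
        || { echo "FAIL grub: no boot password"; fails=$((fails+1)); }
    return $fails
}

# Constructed sample files (not taken from a real host) so the script runs stand-alone.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sshd_config.hardened" <<'EOF'
# PermitRootLogin yes   <- commented out; must be ignored by the check
Protocol 2
PermitRootLogin no
EOF
cat > "$WORK/sshd_config.weak" <<'EOF'
Protocol 2
PermitRootLogin yes
EOF
cat > "$WORK/login.defs.hardened" <<'EOF'
PASS_MAX_DAYS   90
PASS_MIN_LEN    8
EOF
cat > "$WORK/login.defs.weak" <<'EOF'
PASS_MAX_DAYS   99999
EOF
cat > "$WORK/grub.conf.hardened" <<'EOF'
default=0
password --md5 $1$PLACEHOLDERHASH
title VMware ESX
EOF
cat > "$WORK/grub.conf.weak" <<'EOF'
default=0
title VMware ESX
EOF

echo "== hardened sample =="
audit "$WORK/sshd_config.hardened" "$WORK/login.defs.hardened" "$WORK/grub.conf.hardened" || true
echo "== weak sample =="
audit "$WORK/sshd_config.weak" "$WORK/login.defs.weak" "$WORK/grub.conf.weak" \
    || echo "$? setting(s) need attention"
```

Point `audit` at the live files to use it on a host; a non-zero return makes it easy to fail a scheduled compliance job. The checks deliberately ignore commented-out lines, since a commented `PermitRootLogin yes` is a common source of false alarms in naive grep-based audits.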

Also, try to run as few processes on the service console as possible. Ideally, strive to run only the essential processes, services, and agents such as virus checkers, virtual machine backups, and so forth.

Use vSphere Client to administer your ESX hosts.

Whenever possible, use vSphere Client, vSphere Web Access, or a third-party network management tool to administer your ESX hosts instead of working through the command-line interface as the root user. Using vSphere Client lets you limit the accounts with access to the service console, safely delegate responsibilities, and set up roles that prevent administrators and users from using capabilities they do not need.

Use only VMware sources to upgrade ESX components that you run on the service console.

The service console runs a variety of third-party packages, such as the Tomcat Web service, to support management interfaces or tasks that you must perform. VMware does not support upgrading these packages from anything other than a VMware source. If you use a download or patch from another source, you might compromise service console security or functions. Regularly check third-party vendor sites and the VMware knowledge base for security alerts.