Strictly control access to different vCenter Server components to increase security for the system.

The following guidelines help ensure security of your environment.

If the local Windows administrator account currently has full administrative rights to vCenter Server, remove those access rights and grant those rights to one or more named vCenter Server administrator accounts. Grant full administrative rights only to those administrators who are required to have it. Do not grant this privilege to any group whose membership is not strictly controlled.

Note

Starting with vSphere 6.0, the local administrator no longer has full administrative rights to vCenter Server by default. Using local operating system users is not recommended.

Install vCenter Server using a service account instead of a Windows account. The service account must be an administrator on the local machine.

Make sure that applications use unique service accounts when connecting to a vCenter Server system.

Avoid allowing users to log directly in to the vCenter Server host machine. Users who are logged in to the vCenter Server can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes. They also have potential access to vCenter credentials, such as the SSL certificate. Allow only those users who have legitimate tasks to perform to log in to the system and ensure that login events are audited.

Not all administrator users must have the Administrator role. Instead, create a custom role with the appropriate set of privileges and assign it to other administrators.

Users with the vCenter Server Administrator role have privileges on all objects in the hierarchy. For example, by default the Administrator role allows users to interact with files and programs inside a virtual machine's guest operating system. Assigning that role to too many users can lessen virtual machine data confidentiality, availability, or integrity. Create a role that gives the administrators the privileges they need, but remove some of the virtual machine management privileges.

The database user requires only certain privileges specific to database access. In addition, some privileges are required only for installation and upgrade. These privileges can be removed after the product is installed or upgraded.

The datastore browser functionality allows users with proper privileges to view, upload, or download files on datastores associated with the vSphere deployment through the Web browser or the vSphere Web Client. Assign the Datastore.Browse datastore privilege only to users or groups who really need those privileges.

By default, a user with vCenter Server Administrator role can interact with files and programs within a virtual machine's guest operating system. To reduce the risk of breaching guest confidentiality, availability, or integrity, create a nonguest access role without the Guest Operations privilege. See Restrict Users from Running Commands Within a Virtual Machine.

By default, vCenter Server changes the vpxuser password automatically every 30 days. Ensure that this setting meets your policies, or configure the policy to meet your company's password aging policies. See Set the vCenter Server Password Policy.

Note

Make sure that password aging policy is not too short.

Check for privilege reassignment when you restart vCenter Server. If the user or user group that is assigned the Administrator role on the root folder cannot be verified as a valid user or group during a restart, the role is removed from that user or group. In its place, vCenter Server grants the Administrator role to the vCenter Single Sign-On account administrator@vsphere.local. This account can then act as the administrator.

Reestablish a named administrator account and assign the Administrator role to that account to avoid using the anonymous administrator@vsphere.local account.

On each Windows computer in the infrastructure, ensure that Remote Desktop Host Configuration settings are set to ensure the highest level of encryption appropriate for your environment.

Instruct users of one of thevSphere Web Client or other client applications to never ignore certificate verification warnings. Without certificate verification, the user might be subject of a MiTM attack.