Your vCenter Server system and associated services are protected by authentication through vCenter Single Sign-On and by authorization through the vCenter Server permissions model. You can modify the default behavior, and you can take additional steps to protect access to your environment.

As you protect your vSphere environment, consider that all services that are associated with the vCenter Server instances must be protected. In some environments, you might protect several vCenter Server instances and one or more Platform Services Controller instances.

Harden All vCenter Host Machines

The first step in protecting your vCenter environment is hardening each machine on which vCenter Server or an associated service runs. Similar considerations apply to a physical machine or a virtual machine. Always install the latest security patches for your operating system and follow industry standard best practices to protect the host machine.

Learn about the vCenter Certificate Model

By default, the VMware Certificate Authority provisions each ESXi host, each machine in the environment, and each solution user with a certificate signed by VMCA. The environment works out of the box, but if company policy requires it, you can change the default behavior. See vSphere Security Certificates.

For additional protection, be sure to explicitly remove expired or revoked certificates and failed installations.

Configure vCenter Single Sign-On

vCenter Server and associated services are protected by the vCenter Single Sign-On authentication framework. When you first install the software, you specify a password for the administrator@vsphere.local user, and only that domain is available as an identity source. You can add other identity sources, either Active Directory or LDAP, and set a default identity source. Going forward, users who can authenticate to an identity source can view objects and perform tasks if they are authorized to do so. See vSphere Authentication with vCenter Single Sign-On.

Assign Roles to Users or Groups

For better logging, associate each permission you give on an object with a named user or group and a predefined role or custom role. The vSphere 6.0 permissions model allows great flexibility through multiple ways of authorizing users or groups. See Understanding Authorization in vSphere and Required Privileges for Common Tasks.

Be sure to restrict administrator privileges and the use of the administrator role. If possible, do not use the anonymous Administrator user.

Set up NTP

Set up NTP for each node in your environment. The certificate infrastructure requires an accurate time stamp and does not work correctly if the nodes are out of sync.