vSphere Hardening – G5 : Remove revoked SSL certificates from the ESXi server

Guideline ID : ESXi.remove-revoked-certificates

Vulnerability Discussion : By default, each ESXi host does not have CRL checking available. Revoked certificates must be checked and removed manually. These are typically custom generated certificates from a corporate certificate authority or 3rd party authority.

Risk Profile : 1, 23

Description : Leaving expired or revoked certificates or leaving vCenter Server installation logs for failed installation on your vCenter Server system can compromise your environment.

Removing expired or revoked certificates is required for the following reasons.

  • If expired or revoked certificates are not removed from the vCenter Server system, the environment

Read The Rest ......

vSphere Hardening – G4 : Disable Authorized (SSH) Keys

Guideline ID : ESXi.remove-authorized-keys

Vulnerability Discussion : ESXi hosts come with SSH which can be enabled to allow remote access without requiring user authentication.  To enable password free access copy the remote users public key into the “/etc/ssh/keys-root/authorized_keys” file on the ESXi host.  The presence of the remote user’s public key in the “authorized_keys” file identifies the user as trusted, meaning the user is granted access to the host without providing a password.  If using Lockdown Mode and SSH is disabled then login with authorized keys will have the same restrictions as username/password. This is a change enacted in 5.1 … Read The Rest ......

vSphere Hardening – G3 : Mask and zone SAN resources appropriately

Guideline ID : ESXi.mask-zone-san

Vulnerability Discussion : You should use zoning and LUN masking to segregate SAN activity. For example, you manage zones defined for testing independently within the SAN so they do not interfere with activity in the production zones. Similarly, you can set up different zones for different departments. Zoning must take into account any host groups that have been set up on the SAN device.

Risk Profile : 1, 2, 3

Description : Mask and zone SAN resources appropriately.

Zoning provides access control in the SAN topology. Zoning defines which HBAs can connect to which targets. When … Read The Rest ......

vSphere Hardening – G2 : Configure Host Profiles to monitor and alert on configuration changes


Guideline ID : ESXi.enable-host-profiles

Vulnerability Discussion : Monitoring for configuration drift and unauthorized changes is critical to ensuring the security of an ESXi host. Host Profiles provide an automated method for monitoring host configurations against an established template and for providing notification if deviations are detected.

Risk Profile : 1, 2, 3

Description : Configure Host Profiles to monitor and alert on configuration changes

Create Host profile 

  1. Log in to the Webclient of your vCenter server and click on host profile .
  2. click on the + Sign to create new host profile andit will pop up an wizard
  3. Select
Read The Rest ......

vSphere Hardening – G1 : Create a non-root user account for local admin access


Guideline IDESXi.create-local-admin

Vulnerability Discussion : By default each ESXi host has a single “root” admin account that is used for local administration and to connect the host to vCenter Server.  To avoid sharing a common root account it is recommended on each host to create at least one named user account and assign it full admin privileges and to use  this account in lieu of a shared “root” account.  Set a highly complex password for the “root” account and secure it in a safe location.  Limit the use of “root” but do not remove the “root” account.

Risk Read The Rest ......

Risk Profiles Explained :vSphere Hardening


A Risk Profile is a way to categorize the security level. Some Security guidelines are “1” or some are “2” & “3”  because these are things you should be doing as per the organization requirement

Example: Setting users is something you do for all Risk Profiles. We should look at Risk Profile “3” is that it’s based on common sense/industry standard practice IT Operations.

Here is the detailed categorization for the each or the Risk profile.

Risk Profile 1: These security guidelines that can only be applicable in the highest security environments. E.g. Top-secret government or military, extremely sensitive data, Read The Rest ......

Understanding vSphere Hardening


Hi All,

While i was preparing for my vSphere Design Exam i found this interesting topic and most important to use in Every Well designed infrastructure for security and hardening of the environment. Hardening vSphere as per customer requirement is comes with may challenges like below.

  1. Understand the customer exactly what he is looking for.
  2. Also Contained a mix of
    • Operational Guidance – How you use the product in your environment
    • Programmatic Guidance – What settings should be applied OR audited

Operational guidelines

  • They can be addressed or mitigated in many ways
  • They are generally left open to interpretation
  • In
Read The Rest ......

Disable unwanted plug-ins from vCenter Server and vCenter Server Appliance


Hello All,

Recently i deployed the vSphere update manager in my lab to test some of the functionality . After testing is done i wanted to remove the plugin from vcsa but disabling it doesnt work as my vCenter keep searching and querying the update manager server. So i thought to remove it. As may be most of the people know how to remove it  but i thought to share it with the people in more details. There is an VMWare KB is also there to do so. so lets start.

In a web browser, navigate to http://vCenter_Server_name_or_IP/mob.… Read The Rest ......

Vembu now supports VMware vSphere 6.7 with its latest update


The hottest topic revolving in virtualization in recent times has been about the release of VMware vSphere 6.7. What followed was the increased expectations from the users to get a backup support for vSphere 6.7. While the majority of the backup vendors are scrambling to make progress, we have an update already released to support Backup for vSphere 6.7.

VMware 6.7 was announced on 17th of April, 2018.

In less than 60 days after the official release, Vembu is geared up to support 6.7.

With this latest upgrade, VMware aimed to create a consistent infrastructure for users across all … Read The Rest ......

Hello All,

Someone asked me about the way to calculate the raw Capacity(HDD or SDD placed for Capacity tier), i elaborated him the way to organize and decided to share it with everyone.

For redundancy and high avialbility vsa offer Number of Failures to Tolerate (#FTT) which we can set to 0, 1, 2, 3 according to the need and capacity available. The default is #FTT=1 which means using distributed software RAID there will be 2 (#FTT+1) copies of the data on two different hosts in the cluster. So if the VM is 100GB then it takes 200GB of VSAN … Read The Rest ......