vSphere Hardening – G4 : Disable Authorized (SSH) Keys

Guideline ID : ESXi.remove-authorized-keys

Vulnerability Discussion : ESXi hosts come with SSH which can be enabled to allow remote access without requiring user authentication.  To enable password free access copy the remote users public key into the “/etc/ssh/keys-root/authorized_keys” file on the ESXi host.  The presence of the remote user’s public key in the “authorized_keys” file identifies the user as trusted, meaning the user is granted access to the host without providing a password.  If using Lockdown Mode and SSH is disabled then login with authorized keys will have the same restrictions as username/password. This is a change enacted in 5.1 … Read The Rest ......

vSphere Hardening – G3 : Mask and zone SAN resources appropriately

Guideline ID : ESXi.mask-zone-san

Vulnerability Discussion : You should use zoning and LUN masking to segregate SAN activity. For example, you manage zones defined for testing independently within the SAN so they do not interfere with activity in the production zones. Similarly, you can set up different zones for different departments. Zoning must take into account any host groups that have been set up on the SAN device.

Risk Profile : 1, 2, 3

Description : Mask and zone SAN resources appropriately.

Zoning provides access control in the SAN topology. Zoning defines which HBAs can connect to which targets. When … Read The Rest ......

vSphere Hardening – G2 : Configure Host Profiles to monitor and alert on configuration changes


Guideline ID : ESXi.enable-host-profiles

Vulnerability Discussion : Monitoring for configuration drift and unauthorized changes is critical to ensuring the security of an ESXi host. Host Profiles provide an automated method for monitoring host configurations against an established template and for providing notification if deviations are detected.

Risk Profile : 1, 2, 3

Description : Configure Host Profiles to monitor and alert on configuration changes

Create Host profile 

  1. Log in to the Webclient of your vCenter server and click on host profile .
  2. click on the + Sign to create new host profile andit will pop up an wizard
  3. Select
Read The Rest ......