VMware ESXi, a popular type-1 hypervisor, is widely used for virtualization in enterprises. As a bare-metal hypervisor, ESXi runs directly on the hardware and hosts many organizations' mission-critical systems, so a single compromised host exposes every virtual machine on it. ESXi is not a general-purpose operating system and cannot run the endpoint detection and response (EDR) agents that protect other servers; that gap, combined with its prominence, has made it an attractive target for attackers, especially in ransomware campaigns that encrypt virtual machine files directly on the datastore. To mitigate these risks, it is vital to adopt robust security practices tailored to ESXi environments.
This article is an excerpt of research from Sophos, written by Principal Cyber Risk Advisor Stephen McNally, outlining ten essential strategies, including patch management, account isolation, and secure boot, to strengthen your ESXi infrastructure.
1. Keep ESXi and vCenter Updated and Patched
The first and most crucial step is to ensure that both vCenter Server and ESXi hosts are running supported versions and are fully patched, which removes the known vulnerabilities attackers scan for first. At the time of writing VMware supports ESXi 7.0 and 8.0, with 7.0 reaching its end of life in April 2025, so any host still on 7.0 needs an upgrade plan now. Update vCenter Server before upgrading the ESXi hosts: vCenter must be at the same or a newer version than every host it manages, so upgrading hosts first leaves them unmanageable until vCenter catches up.
2. Avoid Joining ESXi Hosts to the Domain
Joining ESXi hosts to an Active Directory (AD) domain ties host administration to domain credentials: by default, members of the domain group named in the Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting ("ESX Admins") receive full administrator rights on every joined host, so one compromised domain administrator account becomes root-equivalent access to the whole estate. Ransomware operators who already hold domain credentials rely on exactly this lateral move. Instead, keep the hosts standalone, give each host its own unique, complex root password rather than one password reused across hosts, and store those passwords in a corporate password manager protected by multifactor authentication (MFA), which streamlines access for administrators while adding a per-user audit trail for root password retrieval.
3. Enable Normal Lockdown Mode
Lockdown mode restricts direct access to ESXi hosts so that management goes through vCenter Server and every action is logged there. Normal lockdown mode still allows root (and any accounts listed as exception users) to log in at the Direct Console User Interface (DCUI) for recovery; strict lockdown disables the DCUI as well, which is why normal mode is the recommended starting point. Lockdown mode can be disabled temporarily for tasks such as troubleshooting, but it should be re-enabled immediately after the task is completed, and the enable and disable events are worth alerting on because attackers disable it for the same reason administrators do.
4. Deactivate SSH When Not in Use
SSH is often necessary for troubleshooting an ESXi host, but it should be disabled when not in use to reduce the attack surface and the exposure to brute force attempts. Stopping the service is not enough on its own: set its startup policy to Off so it does not come back after a reboot, and treat the ESXi Shell (TSM) service the same way. SSH can be managed through the vSphere Client or PowerCLI, so enabling it for a maintenance window and disabling it afterwards can be scripted rather than left to memory.
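The following PowerCLI script is an added example and is not part of the Sophos research or any VMware-supplied tooling. It audits practices 1 and 2 and enforces practices 3 and 4 across every host a single vCenter manages. It assumes PowerCLI 13, a vCenter named vcenter.example.com (a hypothetical name) and an account with the Administrator role on the hosts.

```powershell
# Added example, not from the Sophos research: audit practices 1-2 and enforce 3-4
# on every host managed by one vCenter. Assumes PowerCLI 13 and a vCenter at
# vcenter.example.com (hypothetical); run it from a management workstation.
Import-Module VMware.PowerCLI
Connect-VIServer -Server vcenter.example.com          # prompts for vCenter credentials

foreach ($vmhost in Get-VMHost) {
    $name = $vmhost.Name

    # 1. Report the running version; 7.0 hosts need an upgrade plan before April 2025.
    $build = "ESXi $($vmhost.Version) build $($vmhost.Build)"
    if ($vmhost.Version -like '7.0*') { Write-Warning "${name}: $build approaches end of life" }
    else { Write-Host "${name}: $build" }

    # 2. Flag hosts joined to Active Directory (Domain is empty on a standalone host).
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    if ($auth.Domain) {
        Write-Warning "${name}: joined to $($auth.Domain); leave it with Set-VMHostAuthentication -LeaveDomain"
    }

    # 4. Stop SSH and set its startup policy to Off so it stays off across reboots.
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
    if ($ssh.Running) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
    if ($ssh.Policy -ne 'off') { Set-VMHostService -HostService $ssh -Policy Off | Out-Null }

    # 3. Enter normal lockdown mode through the HostAccessManager API object.
    # Normal mode keeps the DCUI usable by root for recovery; vCenter retains access.
    if ($vmhost.ExtensionData.Config.LockdownMode -eq 'lockdownDisabled') {
        $ham = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
        $ham.ChangeLockdownMode('lockdownNormal')
        Write-Host "${name}: normal lockdown mode enabled"
    }
}
Disconnect-VIServer -Confirm:$false
```

Run the audit portion first and read the warnings before letting the script enforce anything: once a host is in lockdown mode, direct access from this same workstation stops working, so make sure the vCenter connection (and the DCUI root password in your vault) is your recovery path before you flip it.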
5. Enforce Password Complexity
Complex passwords are a critical defense against brute force and password-spraying attacks. ESXi enforces password quality with the pam_passwdqc module, configured through the advanced setting Security.PasswordQualityControl. The default value is retry=3 min=disabled,disabled,disabled,7,7: the five min values are the minimum lengths for passwords built from one character class, two classes, passphrases, three classes and four classes respectively, and disabled rejects that category outright, so by default only passwords with three or more character classes and at least seven characters are accepted. Note that an uppercase letter at the start of a password and a digit at its end do not count toward the class total. Raise the minimum lengths, and optionally set Security.PasswordHistory to block reuse, to meet your organization's policy; existing root passwords are not re-checked, so rotate them after tightening the setting.
6. Implement Account Lockout Policies
Account lockout policies limit the number of failed login attempts before an account is locked, blunting brute force attacks. On ESXi the limit is Security.AccountLockFailures (five attempts is a sensible value; 0 disables lockout entirely) and Security.AccountUnlockTime sets how many seconds the account stays locked, 900 by default. The lockout applies to SSH and the vSphere Web Services SDK, the API used by vCenter and PowerCLI, but not to the DCUI or the ESXi Shell, which is one more reason to keep lockdown mode on. Apply a matching policy to vCenter Single Sign-On and any other management interfaces.
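The script below is an added example, not code from the Sophos research, showing how practices 5 and 6 are pushed to every host as advanced settings. It assumes a vCenter named vcenter.example.com (hypothetical), and the policy values it sets are an illustration rather than a mandated baseline.

```powershell
# Added example, not from the Sophos research: push a password-quality policy and
# lockout settings (practices 5 and 6) to every host. Assumes a vCenter at
# vcenter.example.com (hypothetical); the numbers are an example policy.
Import-Module VMware.PowerCLI
Connect-VIServer -Server vcenter.example.com

# pam_passwdqc: min=N0,N1,N2,N3,N4 are the minimum lengths for passwords built from
# 1 class, 2 classes, passphrases, 3 classes and 4 classes; 'disabled' rejects that
# category. The value below accepts only 3- or 4-class passwords of 15+ characters.
$Wanted = [ordered]@{
    'Security.PasswordQualityControl' = 'retry=3 min=disabled,disabled,disabled,15,15'
    'Security.PasswordHistory'        = 5     # reject reuse of the last five passwords
    'Security.AccountLockFailures'    = 5     # lock after five failures (0 disables lockout)
    'Security.AccountUnlockTime'      = 900   # seconds before automatic unlock
}

foreach ($vmhost in Get-VMHost) {
    foreach ($key in $Wanted.Keys) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $key
        $current = "$($setting.Value)"
        $target  = "$($Wanted[$key])"
        if ($current -eq $target) { continue }        # already compliant, nothing to change
        Write-Host "$($vmhost.Name): $key '$current' -> '$target'"
        Set-AdvancedSetting -AdvancedSetting $setting -Value $Wanted[$key] -Confirm:$false | Out-Null
    }
}
Disconnect-VIServer -Confirm:$false
```

Because the comparison is string based, the script is idempotent and prints only the settings it actually changes, which makes it suitable for a scheduled compliance run. Remember that the lockout counters guard SSH and the API only; a root password that is weaker than the new policy remains weak until it is rotated.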
7. Enable UEFI Secure Boot
UEFI Secure Boot ensures that only signed and trusted code runs during startup: the firmware verifies the ESXi boot loader, the boot loader verifies the kernel, and the kernel verifies the signature of every VIB before loading it. This stops an attacker with host access from persisting through a modified boot chain or an unsigned package, and it requires hosts that boot in UEFI rather than legacy BIOS mode. A host that already carries an unsigned (CommunitySupported) VIB will refuse to boot once Secure Boot is enabled, so audit the installed VIBs first. Secure Boot also lays the groundwork for further measures such as enforcing signed VIBs (vSphere Installation Bundles) through the acceptance level.
8. Configure Host to Run Only Signed VIBs
An ESXi host's acceptance level (VMwareCertified, VMwareAccepted, PartnerSupported or CommunitySupported) controls which VIBs it will install, and CommunitySupported is the only level that permits unsigned code. Setting the host to PartnerSupported or stricter makes it refuse any VIB whose own acceptance level is lower, so only verified and trusted code is executed. This mitigates the risk of malicious or unauthorized software being installed on the host and protects the integrity of the environment; check the current level with esxcli software acceptance get and review the output of esxcli software vib list for anything unexpected.
9. Deactivate Unnecessary Services
Minimize the attack surface by disabling services that are not essential: the Managed Object Browser (MOB, controlled by the Config.HostAgent.plugins.solo.enableMob setting and disabled by default on current releases, but worth confirming), CIM (the sfcbd-watchdog service), SLP (slpd) and SNMP (snmpd). Each of these exposes a network listener on the management interface. Turn them off unless your hardware monitoring or network management tooling depends on them, and set their startup policy to Off rather than merely stopping them so they stay off after a reboot.
10. Set Up Persistent Logging
Finally, enable persistent logging so that crucial security events survive a reboot. A host that boots from USB or SD media, or that has no persistent scratch location, keeps its logs on a RAM disk by default, and an attacker who reboots the host erases the evidence. Point Syslog.global.logDir at a directory on a datastore and forward the logs with Syslog.global.logHost to a Security Information and Event Management (SIEM) system for centralized monitoring and alerting on events such as SSH being started, lockdown mode being disabled or repeated authentication failures, which together provide early warning of a host under attack.
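The script below is an added example, not part of the Sophos research, covering practices 7 through 10: it raises the acceptance level, reports whether Secure Boot enforcement is on, disables the MOB and the CIM, SLP and SNMP services, and configures persistent plus remote syslog. It assumes a vCenter named vcenter.example.com, a datastore named datastore1 and a syslog collector at siem.example.com, all hypothetical, and ESXi 7.0 U2 or newer for the esxcli system settings encryption namespace; the property name RequireSecureBoot on the -V2 esxcli result is likewise assumed from the esxcli output field "Require Secure Boot".

```powershell
# Added example, not from the Sophos research: acceptance level, Secure Boot check,
# service minimisation and persistent/remote logging (practices 7-10). Assumes a
# vCenter at vcenter.example.com, a datastore named datastore1 and a syslog collector
# at siem.example.com (all hypothetical), and ESXi 7.0 U2 or newer.
Import-Module VMware.PowerCLI
Connect-VIServer -Server vcenter.example.com

foreach ($vmhost in Get-VMHost) {
    $name   = $vmhost.Name
    $esxcli = Get-EsxCli -VMHost $vmhost -V2       # esxcli over the API, no SSH needed

    # 8. CommunitySupported permits unsigned VIBs; PartnerSupported or stricter does not.
    if ($esxcli.software.acceptance.get.Invoke() -eq 'CommunitySupported') {
        $esxcli.software.acceptance.set.Invoke(@{ level = 'PartnerSupported' }) | Out-Null
        Write-Host "${name}: acceptance level raised to PartnerSupported"
    }

    # 7. Secure Boot is switched on in UEFI firmware, out of band; here we only report
    # whether the host requires it. RequireSecureBoot is the assumed property name for
    # the "Require Secure Boot" field of esxcli system settings encryption get.
    $enc = $esxcli.system.settings.encryption.get.Invoke()
    if ("$($enc.RequireSecureBoot)" -ne 'true') { Write-Warning "${name}: Secure Boot is not enforced" }

    # 9. Disable the MOB and stop/disable the CIM (sfcbd-watchdog), SLP and SNMP services.
    $mob = Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.solo.enableMob'
    if ("$($mob.Value)" -eq 'true') { Set-AdvancedSetting -AdvancedSetting $mob -Value $false -Confirm:$false | Out-Null }
    foreach ($key in 'sfcbd-watchdog', 'slpd', 'snmpd') {
        $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq $key }
        if (-not $svc) { continue }                                     # slpd is absent on newer builds
        if ($svc.Running) { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
        if ($svc.Policy -ne 'off') { Set-VMHostService -HostService $svc -Policy Off | Out-Null }
    }

    # 10. Keep logs on a datastore (survives reboot) and ship them to the SIEM over TCP.
    # logDirUnique gives each host its own subdirectory when the datastore is shared.
    $logs = [ordered]@{
        'Syslog.global.logDir'       = '[datastore1] /systemlogs'
        'Syslog.global.logDirUnique' = $true
        'Syslog.global.logHost'      = 'tcp://siem.example.com:514'
    }
    foreach ($key in $logs.Keys) {
        $s = Get-AdvancedSetting -Entity $vmhost -Name $key
        if ("$($s.Value)" -ne "$($logs[$key])") {
            Set-AdvancedSetting -AdvancedSetting $s -Value $logs[$key] -Confirm:$false | Out-Null
        }
    }
    $esxcli.system.syslog.reload.Invoke() | Out-Null                                  # apply new destinations
    $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = 'syslog'; enabled = $true }) | Out-Null
}
Disconnect-VIServer -Confirm:$false
```

Stopping sfcbd-watchdog removes CIM-based hardware health reporting and stopping snmpd removes SNMP polling, so confirm with the monitoring team before running the service section fleet-wide. After the run, verify on the collector that each host's hostd and vobd messages are arriving, because a wrong logHost value fails silently on the host side.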
By implementing these best practices, organizations can significantly strengthen the security of their VMware ESXi environments, making it more difficult for attackers to compromise their virtualized infrastructure. Regularly reviewing and updating these practices in line with the latest security developments is essential for maintaining a robust defense against evolving cyber threats.