Ransomware, Patch/Configuration Management

Securing VMware ESXi environments: Ten best practices

Share
(Adobe Stock)

VMware ESXi, a popular type-1 hypervisor, is widely used for virtualization in enterprises. As a bare-metal hypervisor, ESXi operates directly on the hardware, making it a cornerstone of many organizations’ mission-critical systems. However, ESXi’s prominence and its lack of native endpoint detection and response (EDR) capabilities have made it an attractive target for attackers, especially in ransomware campaigns. To mitigate these risks, it’s vital to adopt robust security practices tailored to ESXi environments.

This article is an excerpt of research from Sophos, written by Principal Cyber Risk Advisor Stephen McNally, outlining ten essential strategies, including patch management, account isolation, and secure boot, to strengthen your ESXi infrastructure.

1. Keep ESXi and vCenter Updated and Patched

The first and most crucial step is to ensure that both vCenter Server and ESXi hosts are running supported versions and are fully patched. This minimizes the attack surface by addressing known vulnerabilities. VMware currently supports ESXi versions 7.0 and 8.0, with version 7.0 reaching its end of life in April 2025. It’s recommended to update vCenter Server before upgrading ESXi hosts to maintain compatibility and ensure a smooth transition.

2. Avoid Joining ESXi Hosts to the Domain

Joining ESXi hosts to an Active Directory (AD) domain can increase the risk of lateral movement attacks if domain credentials are compromised. Instead, manage ESXi hosts using unique, complex passwords, and avoid using shared root accounts. Implementing a corporate password manager with multifactor authentication (MFA) can streamline password management while enhancing security.

3. Enable Normal Lockdown Mode

Lockdown mode restricts direct access to ESXi hosts, requiring management through vCenter Server. This reduces the risk of unauthorized access and ensures that all actions are logged and monitored. While lockdown mode can temporarily be disabled for specific tasks like troubleshooting, it should be re-enabled immediately after the task is completed.

4. Deactivate SSH When Not in Use

SSH is often necessary for managing ESXi hosts but should be disabled when not in use to reduce the attack surface. This prevents unauthorized access and reduces the risk of brute force attacks. SSH can be managed through the vSphere Web Client or PowerCLI commands to ensure it’s only active when needed.

5. Enforce Password Complexity

Complex passwords are a critical defense against brute force attacks. ESXi uses the pam_passwdqc module to enforce password complexity, ensuring that passwords are sufficiently strong and resistant to common attacks. This can be configured to meet your organization’s specific security policies, including length, character classes, and passphrase requirements.

6. Implement Account Lockout Policies

Account lockout policies limit the number of failed login attempts before an account is locked, thwarting brute force attacks. Configuring ESXi hosts to lock accounts after five failed attempts can significantly enhance security. This policy should also be applied to vCenter and other management interfaces.

7. Enable UEFI Secure Boot

UEFI Secure Boot ensures that only signed and trusted boot loaders and operating system kernels are executed during startup. This prevents unauthorized code from compromising the boot process, thereby enhancing the security of ESXi hosts. It also lays the groundwork for further security measures, such as enforcing signed VIBs (vSphere Installation Bundles).

8. Configure Host to Run Only Signed VIBs

Restricting ESXi hosts to run only signed VIBs helps ensure that only verified and trusted code is executed. This mitigates the risk of malicious or unauthorized software being installed on the host, protecting the integrity of the environment.

9. Deactivate Unnecessary Services

Minimizing the attack surface by disabling unnecessary services, such as Managed Object Browser (MOB), CIM, SLP, and SNMP, can further secure ESXi hosts. These services should be turned off unless they are essential for your operations, reducing potential entry points for attackers.

10. Set Up Persistent Logging

Finally, enabling persistent logging ensures that crucial security events are recorded, even after a reboot. These logs can be forwarded to a Security Information and Event Management (SIEM) system for centralized monitoring and alerting, providing critical insights into potential security incidents.

By implementing these best practices, organizations can significantly strengthen the security of their VMware ESXi environments, making it more difficult for attackers to compromise their virtualized infrastructure. Regularly reviewing and updating these practices in line with the latest security developments is essential for maintaining a robust defense against evolving cyber threats.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.