Hypervisor Hardening Policies
Before you decide what level of hardening to apply, review the following supported hypervisor hardening policies:
- Remote Access—(ESXi Only) Restrict remote access by enabling lockdown mode to disable all remote access to ESXi server. When enabled, lockdown mode forces administrators to perform tasks from a central location only and reduces the risk of performing tasks that are not audited.
- Remote Syslog—Logging events to a central location increases administration capabilities and enables you to monitor all devices from a central location. Further, storing events in a central location helps prevent log tampering.
- Persistent Logging—Configure persistent logging to a database to keep server logs for an extended period. Persistent logging makes it easy to monitor events and diagnose server issues.
- NTP Time Synchronization—Incorrect time settings can prevent you from identifying and tracking attacks. Configure NTP time synchronization so that all systems use the same time source, which makes attacks easier to track and correlate across hosts.
- SNMP Configuration—(ESXi Only) If the SNMP agent is not properly configured, attackers can redirect the traps to malicious hosts and use the information for malicious purposes.
- Direct Console User Interface (ESXi Only)—The Direct Console User Interface (DCUI) is the ESXi management console that enables administrators to perform host configuration and maintenance tasks. A user with local administrative privileges can perform actions directly in the DCUI that are not audited in the VMware vCenter Server. Disable the DCUI to prevent users from performing administrative tasks directly on the ESXi server.
- Tech Support Mode (ESXi Only)—Tech support mode is an interactive command line available on the server console or through an SSH console. When enabled, you can perform troubleshooting and support related tasks directly on the ESXi Server. Disable tech support mode to prevent unauthorized access to the server.
- VMSafe Network API—The VMSafe Network API provides a security architecture for virtualized environments. Disable the VMSafe Network API if you are not using it.
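As an added example (not part of the product guide or the product's own code), the following Python check evaluates a collected snapshot of ESXi host settings against the policies above and reports which ones fail. The snapshot layout is an assumption modelled on vSphere service keys (DCUI, TSM, TSM-SSH, ntpd) and the Syslog.global.* advanced options; collect real values with PowerCLI or the vSphere API. The VMSafe Network API policy is not covered.

```python
# Constructed sample snapshot of a host that fails most of the checks.
# Field names are an assumption modelled on vSphere API naming.
SAMPLE_HOST = {
    "lockdown_enabled": False,                 # lockdown mode (Remote Access)
    "advanced": {
        "Syslog.global.logHost": "",           # no remote syslog target
        "Syslog.global.logDir": "[] /scratch/log",  # ramdisk, not persistent
    },
    "ntp_servers": ["ntp.example.internal"],   # constructed NTP server name
    "services": {  # service key -> (running, startup policy)
        "DCUI": (True, "on"),
        "TSM": (True, "on"),
        "TSM-SSH": (False, "off"),
        "ntpd": (True, "on"),
    },
    "snmp": {"enabled": True, "communities": ["public"], "targets": []},
}


def _persistent(log_dir):
    """Simplified heuristic (assumption): a datastore-backed log directory
    ("[datastore] path" or a /vmfs/volumes path) survives reboots; a bare
    "[] /scratch/..." path on the ramdisk does not."""
    on_datastore = log_dir.startswith("[") and not log_dir.startswith("[]")
    return on_datastore or "/vmfs/volumes/" in log_dir


def _stopped(services, key):
    """A service is hardened when it is not running and will not start."""
    running, policy = services.get(key, (False, "off"))
    return (not running) and policy == "off"


def audit_host(host):
    """Return {policy name: True if compliant} for each hardening policy."""
    adv, svc, snmp = host["advanced"], host["services"], host["snmp"]
    ntp_ok = bool(host["ntp_servers"]) and svc["ntpd"][0]
    # SNMP is acceptable when disabled, or when it uses a non-default
    # community string and sends traps to at least one configured target.
    snmp_ok = (not snmp["enabled"]) or (
        "public" not in snmp["communities"] and bool(snmp["targets"]))
    return {
        "Remote Access": bool(host["lockdown_enabled"]),
        "Remote Syslog": bool(adv.get("Syslog.global.logHost")),
        "Persistent Logging": _persistent(adv.get("Syslog.global.logDir", "")),
        "NTP Time Synchronization": ntp_ok,
        "SNMP Configuration": snmp_ok,
        "Direct Console User Interface": _stopped(svc, "DCUI"),
        "Tech Support Mode": _stopped(svc, "TSM") and _stopped(svc, "TSM-SSH"),
    }


def failing_policies(host):
    """Sorted list of policy names the host does not satisfy."""
    return sorted(name for name, ok in audit_host(host).items() if not ok)
```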