10.12 ESXi Host Hardening
To provide an ESXi security baseline, consider the requirements for hardening the hypervisor. VMware's security hardening guidance, and the recommendation level that applies, depend on the rating that corresponds to the operational environment in which the guidance is to be applied. Each service provider will need to make their own determination as to the applicability of each level.
VMware provides the following three baseline levels for hardening:
Enterprise Security Level 1 (Enterprise L1) – This includes most enterprise production environments. The recommendations are meant to protect against most security attacks and provide protection of confidential information to the level required by all major security and compliance standards.
Specialized Security Level 2 (SSL2) – This includes environments that are particularly susceptible to targeted attacks. Examples include: Internet-facing hosts and internal systems with highly confidential or regulated data.
Specialized Security Level 3 (SSL3) – This represents unique and specialized environments that have some aspects that make them especially vulnerable to attacks. Recommendations at this level might result in loss of (ease-of-use) functionality or purposefully cause the inability to use certain features. Careful consideration must be given to determining the applicability of these recommendations, including the possibility of using alternate compensating controls.
For instance, based on the provider’s security policy, the following configuration steps to harden each host could be taken during the implementation phase of a new multitenant platform.
Table 24. Sample Host Hardening Configuration
Configuration: Enabling the ESXi normal lockdown mode to prevent root access to the hosts over the network
Description: Lockdown mode is enabled on each ESXi host. All configuration changes to the vSphere environment must be made by accessing the vCenter Server. Lockdown mode restricts access to host services on the ESXi server, but does not affect the availability of these services.

Configuration: Disabled managed object browser (MOB)
Description: The managed object browser provides a way to explore the VMkernel object model. Attackers can use this interface to perform malicious configuration changes or actions.
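Use the following ESXi shell command to determine if MOB is enabled:
vim-cmd proxysvc/service_list
If MOB is enabled, the output includes an entry for the "/mob" namespace similar to the following excerpt: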
(vim.ProxyService.NamedPipeServiceSpec) {
dynamicType = <unset>,
serverNamespace = "/mob",
accessMode = "httpsWithRedirect",
pipeName = "/var/run/vmware/proxy-mob",
If MOB is enabled, use the following ESXi shell command to disable the MOB:
vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"
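
As an added example (not part of the VMware guide), the MOB check above can be scripted so that it can be repeated across hosts during an audit: the helper below parses `vim-cmd proxysvc/service_list` output and flags a registered "/mob" namespace. The function names, the "/example" namespace, the "exampleMode" value and the sample pipe name are constructed for illustration, and the parser assumes that serverNamespace precedes accessMode within each entry, as in the excerpt above.

```shell
#!/bin/sh
# Added example: audit check for the MOB proxy registration.
# Assumes serverNamespace precedes accessMode within each entry.

# Reads `vim-cmd proxysvc/service_list` output on stdin and prints the
# accessMode of the "/mob" entry; prints nothing if no such entry exists.
mob_access_mode() {
    awk '
        /serverNamespace[ \t]*=/ {
            # Remember whether the entry being read is exactly "/mob".
            in_mob = ($0 ~ /"\/mob"/)
        }
        in_mob && !done && /accessMode[ \t]*=/ {
            # Extract the quoted value, e.g. accessMode = "httpsWithRedirect",
            if (match($0, /"[^"]*"/)) {
                print substr($0, RSTART + 1, RLENGTH - 2)
                done = 1
            }
        }
    '
}

# Returns 0 (pass) when /mob is absent, 1 (finding) when it is registered.
check_mob() {
    mode=$(mob_access_mode)
    if [ -n "$mode" ]; then
        echo "FINDING: MOB is registered (accessMode=$mode)"
        return 1
    fi
    echo "OK: no /mob entry in the proxy service list"
}

# Constructed sample entry shaped like the excerpt; $1 = namespace, $2 = mode.
sample_entry() {
    printf '(vim.ProxyService.NamedPipeServiceSpec) {\n'
    printf '   dynamicType = <unset>,\n'
    printf '   serverNamespace = "%s",\n' "$1"
    printf '   accessMode = "%s",\n' "$2"
    printf '   pipeName = "/var/run/vmware/proxy-sample",\n},\n'
}

# Demo on constructed input. On a host: vim-cmd proxysvc/service_list | check_mob
{ sample_entry /example exampleMode; sample_entry /mob httpsWithRedirect; } |
    check_mob || true
```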
 
The VMware security hardening guides provide detailed guidance for customers on how to deploy and operate VMware products in a secure manner. For more information on ESXi host hardening, refer to the VMware Security Hardening Guides at https://www.vmware.com/security/hardening-guides.