Securing ESXi 8 hosts

These are some recommendations for hardening an ESXi 8 host against malware, in particular ransomware that needs to run its own binaries on the host.

Hardware BIOS configuration

Enable UEFI boot in BIOS.

Enable SecureBoot in BIOS.

Enable the TPM 2.0 module.

Set the TPM 2.0 hash algorithm to SHA256.

Enable Intel TXT on servers with Intel CPUs.

Disable physical USB ports in BIOS.

ESXi configuration

Set the kernel boot option / advanced setting "VMkernel.Boot.execInstalledOnly" to true, so that the VMkernel only executes binaries that were installed from a VIB (anything dropped on the host by an attacker is refused).

$esxi_host = Get-VMHost -Name "esxi1.lab.net"

# Enable execInstalledOnly, but only on hosts where it is not already set
$esxi_host | Get-AdvancedSetting -Name VMkernel.Boot.execInstalledOnly | Where-Object {$_.Value -ne $true} | Set-AdvancedSetting -Value $true -Confirm:$false

NB! ESXi host must be rebooted for the setting to take effect!

More information:
https://www.truesec.com/hub/blog/secure-your-vmware-esxi-hosts-against-ransomware
https://www.truesec.com/hub/blog/esxi-8-0-and-execinstalledonly-the-good-the-bad-and-the-ugly

Set the host encryption mode to TPM and require SecureBoot and execInstalledOnly as part of the TPM-sealed configuration. Once enforced, the host will not boot normally if SecureBoot or execInstalledOnly is later turned off (or the TPM is cleared); it will ask for its recovery key instead, so retrieve the key afterwards with "esxcli system settings encryption recovery get" and store it outside the host. Changing the mode from NONE to TPM cannot be reverted, and the change takes effect after a reboot.

$esxi_host = Get-VMHost -Name "esxi1.lab.net"
$esxcli = $esxi_host | Get-EsxCli -V2 -ErrorAction Stop

# Equivalent of: esxcli system settings encryption set --mode=TPM --require-secure-boot=true --require-exec-installed-only=true
$tpm_arguments = $esxcli.system.settings.encryption.set.CreateArgs()
$tpm_arguments.mode = "TPM"
$tpm_arguments.requiresecureboot = $true
$tpm_arguments.requireexecinstalledonly = $true
$esxcli.system.settings.encryption.set.Invoke($tpm_arguments)

More information: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-9047A43D-BB1F-4878-A971-EEFCAC183C86.html
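The enforcement above is a one-way change, so it is worth wrapping it in a few pre-flight checks. The function below is an added example, not code from the original post: it refuses to enforce unless the host reports a TPM and already has execInstalledOnly enabled, applies the setting, and returns the recovery key so it can be piped straight into a vault. It assumes a PowerCLI session already connected to vCenter, the host name esxi1.lab.net, and that the esxcli -V2 property names (TpmPresent, Mode, RequireSecureBoot, RequireExecutablesOnlyFromInstalledVIBs, RecoveryID, Key) match the field names printed by the corresponding esxcli commands; verify them on your build. The execInstalledOnly check only looks at the configured value, not whether the host has rebooted since it was set.

```powershell
# Added example (not from the original post). Assumptions: connected PowerCLI session,
# host name, and the esxcli -V2 property names used below.

function Set-EsxiTpmEnforcement {
    param(
        [Parameter(Mandatory)][string]$HostName
    )
    $esxi_host = Get-VMHost -Name $HostName -ErrorAction Stop
    $esxcli    = $esxi_host | Get-EsxCli -V2 -ErrorAction Stop

    # 1. Mode TPM needs a TPM: esxcli hardware trustedboot get reports "Tpm Present"
    $tb = $esxcli.hardware.trustedboot.get.Invoke()
    if ($tb.TpmPresent -ne 'true') {
        throw "$HostName : no TPM detected, enable TPM 2.0 in BIOS first"
    }

    # 2. Requiring execInstalledOnly through the TPM while the option itself is off
    #    would leave the host asking for its recovery key at the next boot.
    $eio = Get-AdvancedSetting -Entity $esxi_host -Name VMkernel.Boot.execInstalledOnly
    if ($eio.Value -ne $true) {
        throw "$HostName : VMkernel.Boot.execInstalledOnly is not enabled, set it and reboot first"
    }

    # 3. Skip hosts that are already enforced (the mode change cannot be reverted anyway)
    $state = $esxcli.system.settings.encryption.get.Invoke()
    if ($state.Mode -eq 'TPM' -and
        $state.RequireSecureBoot -eq 'true' -and
        $state.RequireExecutablesOnlyFromInstalledVIBs -eq 'true') {
        Write-Host "$HostName : already enforced, nothing to do"
        return
    }

    # 4. Apply: esxcli system settings encryption set --mode=TPM
    #           --require-secure-boot=true --require-exec-installed-only=true
    $set_args = $esxcli.system.settings.encryption.set.CreateArgs()
    $set_args.mode                     = 'TPM'
    $set_args.requiresecureboot        = $true
    $set_args.requireexecinstalledonly = $true
    $esxcli.system.settings.encryption.set.Invoke($set_args) | Out-Null

    # 5. Recovery key: the only way back in if SecureBoot/execInstalledOnly is
    #    changed or the TPM is cleared. Return it instead of printing it.
    $recovery = $esxcli.system.settings.encryption.recovery.get.Invoke()
    [pscustomobject]@{
        Host       = $HostName
        RecoveryID = $recovery.RecoveryID
        Key        = $recovery.Key
        Note       = 'Reboot required for the new mode to take effect'
    }
}

# Usage: pipe the result into your secrets store rather than leaving it in the console history
# Set-EsxiTpmEnforcement -HostName 'esxi1.lab.net' | Export-Csv -Path .\recovery-keys.csv -Append -NoTypeInformation
```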

Disable SSH

$esxi_host = Get-VMHost -Name "esxi1.lab.net"

# Disable SSH on startup (the service key for the SSH daemon is TSM-SSH)
$esxi_host | Get-VMHostService | Where-Object {$_.Key -eq "TSM-SSH" -and $_.Policy -ne "off"} | Set-VMHostService -Policy "off"

# Stop SSH if the service is currently running
$esxi_host | Get-VMHostService | Where-Object {$_.Key -eq "TSM-SSH" -and $_.Running} | Stop-VMHostService -Confirm:$false

Disable Shell

$esxi_host = Get-VMHost -Name "esxi1.lab.net"

# Disable the ESXi Shell on startup (service key TSM)
$esxi_host | Get-VMHostService | Where-Object {$_.Key -eq "TSM" -and $_.Policy -ne "off"} | Set-VMHostService -Policy "off"

# Stop the ESXi Shell if the service is currently running
$esxi_host | Get-VMHostService | Where-Object {$_.Key -eq "TSM" -and $_.Running} | Stop-VMHostService -Confirm:$false

Enable the ESXi local firewall, keep the default action at drop, disable the rulesets of services you do not use, and restrict the remaining management rulesets (SSH, vSphere Client, web access) to your management networks.

Check these posts:
SECURING ESXI PART 5 – ESXI FIREWALL RULES
CHECKING ESXI FIREWALL STATUS VIA POWERCLI
UNABLE TO CONFIGURE ESXI FIREWALL: CAN NOT CHANGE ALLOWED IP LIST THIS RULESET, IT IS OWNED BY SYSTEM SERVICE
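The following function is an added example, not code from the original post or from the posts linked above. It applies that baseline with esxcli through PowerCLI: firewall enabled with default action DROP, a list of rulesets disabled, and the management rulesets limited to given networks. It assumes a connected PowerCLI session, the host name esxi1.lab.net, the management subnet 10.10.0.0/24 and the ruleset ids in the two default lists (sshServer, vSphereClient, webAccess, CIMHttpServer, CIMHttpsServer, CIMSLP, snmp); check the ids against "esxcli network firewall ruleset list" on your host before running it, and make sure the networks you pass include the vCenter address, or vCenter loses the host.

```powershell
# Added example (not from the original post). Assumptions: connected PowerCLI session,
# host name, management subnet and ruleset ids given as defaults below.

function Set-EsxiFirewallBaseline {
    param(
        [Parameter(Mandatory)][string]$HostName,
        # Networks allowed to reach the management rulesets (must include vCenter)
        [string[]]$ManagementNetworks = @('10.10.0.0/24'),
        # Rulesets that stay enabled but are restricted to $ManagementNetworks
        [string[]]$RestrictedRulesets = @('sshServer', 'vSphereClient', 'webAccess'),
        # Rulesets for services not used on this host
        [string[]]$DisabledRulesets   = @('CIMHttpServer', 'CIMHttpsServer', 'CIMSLP', 'snmp')
    )
    $esxi_host = Get-VMHost -Name $HostName -ErrorAction Stop
    $esxcli    = $esxi_host | Get-EsxCli -V2 -ErrorAction Stop

    # 1. Firewall on, default action DROP
    #    (esxcli network firewall set --enabled=true --default-action=DROP)
    $fw = $esxcli.network.firewall.get.Invoke()
    if ($fw.Enabled -ne 'true' -or $fw.DefaultAction -ne 'DROP') {
        $a = $esxcli.network.firewall.set.CreateArgs()
        $a.enabled       = $true
        $a.defaultaction = 'DROP'
        $esxcli.network.firewall.set.Invoke($a) | Out-Null
    }

    # 2. Disable rulesets of unused services
    #    (esxcli network firewall ruleset set --ruleset-id=X --enabled=false)
    foreach ($rs in $DisabledRulesets) {
        $a = $esxcli.network.firewall.ruleset.set.CreateArgs()
        $a.rulesetid = $rs
        $a.enabled   = $false
        $esxcli.network.firewall.ruleset.set.Invoke($a) | Out-Null
    }

    # 3. Restrict management rulesets: allowed-all=false, then add each network
    #    (esxcli network firewall ruleset set --ruleset-id=X --allowed-all=false
    #     esxcli network firewall ruleset allowedip add --ruleset-id=X --ip-address=NET)
    foreach ($rs in $RestrictedRulesets) {
        try {
            $a = $esxcli.network.firewall.ruleset.set.CreateArgs()
            $a.rulesetid  = $rs
            $a.allowedall = $false
            $esxcli.network.firewall.ruleset.set.Invoke($a) | Out-Null
        } catch {
            # Rulesets owned by a system service cannot have their allowed-IP list
            # changed (the error from the third post above); report and move on.
            Write-Warning "$HostName/$rs : $($_.Exception.Message)"
            continue
        }
        foreach ($net in $ManagementNetworks) {
            try {
                $ip = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
                $ip.rulesetid = $rs
                $ip.ipaddress = $net
                $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip) | Out-Null
            } catch {
                # Adding a network that is already on the list is an error; not fatal
                Write-Warning "$HostName/$rs/$net : $($_.Exception.Message)"
            }
        }
    }

    # 4. Return the rulesets still enabled so the result can be reviewed
    $esxcli.network.firewall.ruleset.list.Invoke() |
        Where-Object { $_.Enabled -eq 'true' } |
        Select-Object @{n='Host';e={$HostName}}, Name, Enabled
}

# Usage:
# Set-EsxiFirewallBaseline -HostName 'esxi1.lab.net' -ManagementNetworks '10.10.0.0/24','10.10.1.5' | Format-Table -AutoSize
```

Start with the restricted list small and review the returned rulesets: a ruleset that is owned by a system service will show up in the warnings rather than silently staying open.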

Set the VIB acceptance level to "PartnerSupported", so that VIBs without a VMware or partner signature (CommunitySupported level) cannot be installed on the host.

$esxi_host = Get-VMHost -Name "esxi1.lab.net"
$esxcli = $esxi_host | Get-EsxCli -V2 -ErrorAction Stop

# Set arguments (equivalent of: esxcli software acceptance set --level=PartnerSupported)
$esxcli_arguments = $esxcli.software.acceptance.set.CreateArgs()
$esxcli_arguments.level = "PartnerSupported"

# Apply setting
$esxcli.software.acceptance.set.Invoke($esxcli_arguments)

More information – https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-751034F3-5337-4DB2-8272-8DAC0980EACA.html
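To check that the settings on this page are actually in place across a fleet, the function below (an added example, not code from the original post) queries every host in the connected vCenter and returns one row per host with a Compliant flag. It assumes a connected PowerCLI session and that the esxcli -V2 property names (Mode, RequireSecureBoot, RequireExecutablesOnlyFromInstalledVIBs, Enabled, DefaultAction) match the field names printed by "esxcli system settings encryption get" and "esxcli network firewall get"; the acceptance levels counted as compliant are PartnerSupported and the two stricter VMware levels.

```powershell
# Added example (not from the original post). Assumptions: connected PowerCLI session
# and the esxcli -V2 property names used below.

function Get-EsxiHardeningReport {
    param(
        # Host name or wildcard; defaults to every host in the connected vCenter
        [string]$HostName = '*'
    )
    foreach ($esxi_host in (Get-VMHost -Name $HostName | Sort-Object Name)) {
        $esxcli = $esxi_host | Get-EsxCli -V2 -ErrorAction Stop

        $enc = $esxcli.system.settings.encryption.get.Invoke()   # Mode / RequireSecureBoot / RequireExecutablesOnlyFromInstalledVIBs
        $fw  = $esxcli.network.firewall.get.Invoke()              # Enabled / DefaultAction / Loaded
        $acc = $esxcli.software.acceptance.get.Invoke()           # plain string, e.g. PartnerSupported
        $eio = Get-AdvancedSetting -Entity $esxi_host -Name VMkernel.Boot.execInstalledOnly
        $svc = $esxi_host | Get-VMHostService
        $ssh = $svc | Where-Object { $_.Key -eq 'TSM-SSH' }
        $sh  = $svc | Where-Object { $_.Key -eq 'TSM' }

        # String/boolean comparisons are written so they work whether esxcli -V2
        # hands back 'true' or $true for a given field.
        $compliant = ($eio.Value -eq $true) -and
                     ($enc.Mode -eq 'TPM') -and
                     ($enc.RequireSecureBoot -eq 'true') -and
                     ($enc.RequireExecutablesOnlyFromInstalledVIBs -eq 'true') -and
                     ($ssh.Policy -eq 'off') -and (-not $ssh.Running) -and
                     ($sh.Policy  -eq 'off') -and (-not $sh.Running) -and
                     ($fw.Enabled -eq 'true') -and ($fw.DefaultAction -eq 'DROP') -and
                     ($acc -in @('PartnerSupported', 'VMwareAccepted', 'VMwareCertified'))

        [pscustomobject]@{
            Host                 = $esxi_host.Name
            ExecInstalledOnly    = ($eio.Value -eq $true)
            EncryptionMode       = $enc.Mode
            RequireSecureBoot    = $enc.RequireSecureBoot
            RequireExecInstalled = $enc.RequireExecutablesOnlyFromInstalledVIBs
            SshPolicy            = $ssh.Policy
            SshRunning           = $ssh.Running
            ShellPolicy          = $sh.Policy
            ShellRunning         = $sh.Running
            FirewallEnabled      = $fw.Enabled
            FirewallDefault      = $fw.DefaultAction
            AcceptanceLevel      = $acc
            Compliant            = $compliant
        }
    }
}

# Usage: list only the hosts that still need work
# Get-EsxiHardeningReport | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it before and after a maintenance window: the execInstalledOnly and TPM columns only change after the reboot, so a host reported non-compliant right after the PowerCLI changes above is expected until it has come back up.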
