
Hardening the host via vSphere Client

The most common way to configure the security stance of our ESXi hosts is through the vSphere Client. The vSphere Client can connect directly to a host that is not managed by vCenter, or it can connect to vCenter and manage the host centrally. While vSphere 5.5 has features that are only available in the vSphere Web Client, for the purposes of configuring the ESXi host security profile, we'll use the vSphere Client.

Getting ready

In order to proceed, we require access to a vSphere Client. The client can be run on any modern Windows desktop operating system or server operating system.

Note

The vSphere 5.5 Client will not run from a Windows Domain Controller.

The vSphere Client can be downloaded from the link provided on the ESXi host web page, in our example http://192.168.10.10, or from vCenter server: https://my.vmware.com/web/vmware/evalcenter?p=vsphere-55.

How to do it…

Perform the following steps:

  1. Open the vSphere Client and enter the IP address of the host that we'll connect to. In this example, the host IP is 192.168.10.10.
  2. Enter the username and password with access to the host; the default username is root.
  3. Once the client is open, we'll navigate to the inventory section.

    Note

    In most cases, a dialog box will present a warning due to an untrusted certificate. Ignore this warning as we will assign proper certificates later in Chapter 12, Configuring vSphere Certificates.

  4. After selecting the inventory, click on the Configuration tab.
  5. Once on the Configuration tab, locate the Security Profile section in the left-hand side pane under the Software heading.
  6. From Security Profile, we can observe our firewall ports and services running on the host.

How it works…

The security profile options are the same regardless of whether the vSphere Client is connected directly to the host or vCenter is managing the host.

Note

The important thing to note in Security Profile is that once a configuration is updated, the change takes place immediately.

In complex designs, administrators might open ports or start services that are not needed, in order to rule out security settings as the cause of problems that impede the proper configuration of the environment.

Care should be taken in verifying the security services and firewall settings, particularly after any changes to the systems or the environment, including upgrades or patches to the ESXi hosts themselves. This also includes changes or an upgrade to vCenter after any remote troubleshooting has been completed by a third party.

Details on making changes to the firewall and the services are discussed in the following sections; however, it should be noted that a service has the potential of automatically starting or stopping depending on how firewall ports are configured.
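The verification described above can be scripted. The following is an added example, not code from the book: it parses the tabular output of `esxcli network firewall ruleset list` and reports rulesets that differ from an approved baseline. The sample output and the `APPROVED_ENABLED` baseline are constructed for illustration, and the parser assumes the first two columns are the ruleset name and its enabled state.

```python
# Added example: detect firewall ruleset drift on an ESXi host.
# SAMPLE_OUTPUT is constructed; on a real host, capture the output of
# `esxcli network firewall ruleset list` and pass that text in instead.
SAMPLE_OUTPUT = """\
Name                Enabled
------------------  -------
sshServer              true
sshClient             false
nfsClient              true
dns                    true
snmp                  false
ntpClient             false
"""

# Hypothetical baseline: the rulesets the design approves as enabled.
APPROVED_ENABLED = {"sshServer", "dns", "ntpClient"}


def parse_rulesets(text):
    """Return {ruleset_name: enabled} from the esxcli table."""
    rulesets = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, the header row and the dashed separator row.
        if len(parts) < 2 or parts[1].lower() not in ("true", "false"):
            continue
        rulesets[parts[0]] = parts[1].lower() == "true"
    return rulesets


def find_drift(rulesets, approved):
    """Return (unexpected_open, expected_closed, missing) as sorted lists."""
    enabled = {name for name, on in rulesets.items() if on}
    # Enabled on the host but not approved: the ports to review first.
    unexpected_open = sorted(enabled - approved)
    # Approved but currently disabled, e.g. reset by an upgrade or patch.
    expected_closed = sorted(n for n in approved if rulesets.get(n) is False)
    # Approved names the host does not report at all (renamed or removed).
    missing = sorted(approved - rulesets.keys())
    return unexpected_open, expected_closed, missing


if __name__ == "__main__":
    opened, closed, missing = find_drift(parse_rulesets(SAMPLE_OUTPUT),
                                         APPROVED_ENABLED)
    print("Enabled but not approved:", opened)
    print("Approved but disabled:   ", closed)
    print("Approved but not present:", missing)
```

Running the same comparison before and after an upgrade, patch or third-party troubleshooting session shows which rulesets changed state.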
