Hi everyone,

It’s that time again! Actually, it’s the first time that I’m aware of that the vSphere hardening guide has been updated between major releases! Please head on over to the Security and Compliance VMware Community and download the beta of the vSphere 5.5 Update 1 Hardening Guide.

This is a beta release of the guide and as such, I would very much appreciate your prompt feedback. Please reply here or in the Community THIS WEEK. I’d like to release this for General Availability next week.

Here are the proposed changes in the guide.

There are 4 new additions to the guide. Please review.

  1. enable-VGA-Only-Mode: Used for server VM’s that don’t need a graphical console. e.g. Linux web servers, Windows Core, etc.
  2. disable-non-essential-3D-features: Remove 3D graphic capabilities from VM’s that don’t need them.
  3. use-unique-roles: A new companion control to use-service-accounts. If you have multiple service accounts then each one should have a unique role with just enough privs to accomplish their task. This is in line with least-priv operations
  4. change-sso-admin-password: A great catch. When installing Windows vCenter, you’re prompted to change the password of administrator@vsphere.local. When installing the VCSA in a default manner you are not. This control reminds you to go back and do that.

The rest are formatting, spelling, clarification, etc..

I had considered removing “disable-datastore-browser” and “disable-mob“. I’m holding off at the moment on those. I think they add more trouble than they protect but I’d like to get more input. Feedback on these two would be GREATLY appreciated.

Remember, I really do listen to your feedback. This is as much your guide as it is VMware’s. I look forward to your comments!


About the Author

Mike Foley

Mike Foley is a Staff Technical Marketing Architect for vSphere Security at VMware. His primary goal is to help IT Admins build more secure platforms that stand up to scrutiny from security teams with the least impact to IT Operations. Mike is also the current author of the vSphere Security Configuration (formerly Hardening) Guide. Previously, Mike was on the evangelist team at RSA where he concentrated on virtualization and cloud security. Mike was awarded a patent (8,601,544) in December 2013 for dual-band authentication using the virtual infrastructure Mike has a personal blog at and contributes to the VMware vSphere and Security blogs as well. Follow him at @vSphereSecurity on Twitter