VMware vSphere Security Configuration Guide 7
The vSphere Security Configuration Guide (SCG) is the baseline for hardening and auditing guidance for VMware vSphere itself. Started more than a decade ago, it has long served as guidance for vSphere Administrators looking to protect their infrastructure.
What's New in vSphere SCG 7
The vSphere Security Configuration Guide 7 is the first major update in a few years and reflects a changed landscape, both within VMware and in information security in general.
First, this version is a transition to a new model that, in the future, will be aligned to our compliance efforts. As much as we, as vSphere Administrators, like to try to avoid compliance, it is here to stay, and we have found that much of the friction around compliance is caused by gaps in understanding during the audit process. By aligning to NIST 800-53 and using our patented processes for mapping those controls into NIST 800-171, CMMC, PCI DSS, ISO 27001, NERC CIP, and other compliance standards, we can reduce duplicate effort and create better guidance that helps fill those gaps in understanding and gets you to a secure state faster.
Second, this update reflects the core tenets of information security: confidentiality, integrity, and availability. This is the CIA triad, and it reflects that security is woven into all aspects of IT. Our guidance needs to reflect that, too. Security isn’t just keeping our data safe at rest, it’s keeping it safe in use, and making sure that our systems are usable when we need them to be. Threats like CPU and hardware vulnerabilities and ransomware were unrealized when vSphere 6.7 was released, but they are major considerations now that everyone needs to take very seriously. To these ends we are “doubling down” on ideas like reducing attack surface, disabling SSH (and leaving it that way), automating with PowerCLI and APIs, patching at all levels, and isolation among systems. Acknowledging this new reality, prior vSphere SCG guidance that enabled other behaviors has been removed in this release.
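As an added illustration of two of those ideas together (disabling SSH and leaving it that way, and automating the check with PowerCLI), here is a PowerCLI function that audits the SSH service on every ESXi host and can optionally remediate it. This is example code written for this page, not part of the SCG or VMware's own tooling; it assumes an existing Connect-VIServer session with rights to manage host services, and the function name and parameters are this example's own.

```powershell
# Added example (not from the SCG itself): audit and optionally remediate the
# "disable SSH and leave it that way" recommendation with PowerCLI.
# Assumes an existing PowerCLI session (Connect-VIServer) with rights to manage host services.
# The function name Invoke-SshHardeningCheck and its parameters are this example's own.

function Invoke-SshHardeningCheck {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hosts to audit; defaults to every host in the connected inventory
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$VMHost = (Get-VMHost),

        # Stop the SSH daemon and set its startup policy to Off instead of only reporting
        [switch]$Remediate
    )
    process {
        foreach ($h in $VMHost) {
            # TSM-SSH is the ESXi service key for the SSH daemon
            $ssh = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'TSM-SSH' }
            if (-not $ssh) { Write-Warning "$($h.Name): SSH service not found"; continue }

            # "Leaving it that way" means the startup policy must be Off,
            # not merely Running = $false until the next reboot or manual start
            $compliant = (-not $ssh.Running) -and ($ssh.Policy -eq 'off')

            if (-not $compliant -and $Remediate -and
                $PSCmdlet.ShouldProcess($h.Name, 'Stop SSH and set startup policy Off')) {
                if ($ssh.Running) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
                Set-VMHostService -HostService $ssh -Policy Off | Out-Null
                # Re-read the service so the report shows the post-remediation state
                $ssh = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'TSM-SSH' }
                $compliant = (-not $ssh.Running) -and ($ssh.Policy -eq 'off')
            }

            [pscustomobject]@{
                Host      = $h.Name
                Running   = $ssh.Running
                Policy    = $ssh.Policy
                Compliant = $compliant
            }
        }
    }
}

# Report only:
Invoke-SshHardeningCheck | Format-Table -AutoSize
# Remediate, previewing the changes first:
# Get-VMHost | Invoke-SshHardeningCheck -Remediate -WhatIf
```

Run the report form on a schedule to catch hosts where SSH was re-enabled for troubleshooting and never turned back off; a host is only counted compliant when the daemon is stopped and its startup policy is Off.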
Last, the release of VMware vSphere 7 in April 2020 brought new technologies, but also new release processes. Moving forward we hope to release updates to vSphere at more regular intervals. The intention is to update the SCG at those intervals as well, correcting errors and omissions that we find, introducing automation, and adjusting the guidance to reflect changing defaults in vSphere. The vSphere SCG isn’t just for customers; we also use it as a benchmark for how well we are meeting our goals of making vSphere secure by default and making security features easy to use. You will see that some of the SCG guidance reflects that and offers vSphere Administrators the option of relying on the new defaults in order to reduce the customizations that need to be managed.
The audience for the vSphere SCG is VMware vSphere customers who have implemented vSphere 7 directly. There are many engineered data center and hybrid cloud infrastructure products, like VMware Cloud Foundation, VMware Cloud, Dell EMC VxRail, and others, that implement vSphere as part of their solutions. If this is how you consume vSphere, you should check with those products’ support for security guidance first, before implementing these ideas. Some of the vSphere SCG’s recommendations are likely to be safe to implement, but others may interfere with the operation of those solutions.
You can get the VMware vSphere Security Configuration Guide 7 from:
If you want to link to this content we maintain a permanent redirect: