w ESX is a very secure product, by design
w Access to the VMKernel is only from virtual guests and only through API calls. The VMKernel is what ultimately leads to the strong security of ESX. The VMKernel was designed from scratch by VMware with security in mind.
w All virtual guests are isolated from each other by the VMKernel and each VM only has access to its own resources.
w When loaded, ESX is secure, by default. By default, the service console has a firewall enabled with only the minimum required ports for vmware VI client management enabled. We recommend you leave the firewall enabled.
w For stability and security, it is not recommended to load 3rd party products on the service console.
w ESX server uses local linux accounts
w VC uses windows AD accounts
w Permissions can be setup either using windows AD groups or users, depending on what your VI client is connected to
w All VI client communications I encrypted.
w VLANs can be used to segment a network for security
w CHAP should be used to authenticate Iscsi traffic
w Users and groups are assigned to roles.
w A role is a set of privileges
w Roles are assigned to objects, such as a VM or data center
w The combining of the user and group with the role is what creates the permission.
w By default, only local ESX service console root users or windows AD administrators can login with the VI client.
w In the case of using VC, administrators would be
- Members of the local admin group if the VC server is NOT a DC or
- Member of the domain admin group if VC is a domain controller
w If the host you are login into is not a DC login as domain\user
w It is not recommended to run VC on an AD DC
w Access rule changes take effect immediately, no need to log off and back on
w ESX security permissions are inherited in a hierarchical manor
w Networks and datastores inherit permissions from above but you cannot directly assign permissions to them.