
vCenter hardening — practical checklist for 2026

Author
Szymon Leszega
Writing about what I test and deploy myself — vSphere, homelabs, cybersecurity hardening and AI in infrastructure. No theory, only things that work.

Every time I set up a new vCenter I run through the same list. Here it is — the things that actually matter, in order of impact.

1. Change the default SSO domain

The default vsphere.local domain is well-known. Change it during install or shortly after. You can’t rename it post-install, so this one needs to happen early.

2. Disable the default Administrator account

Create a named admin account first, verify it works, then disable administrator@vsphere.local.

# From vCenter Shell (SSH)
/usr/lib/vmware-vmafd/bin/dir-cli user modify \
  --account administrator \
  --disable \
  --login administrator@vsphere.local \
  --password 'YourPassword'

3. Restrict SSH access to vCenter

SSH on vCenter should be off unless you’re actively troubleshooting. Enable it only when needed.

VAMI → Access → SSH Login → Disabled

4. Enable NTP and verify time sync

Clock skew breaks Kerberos auth and makes log correlation useless.

# Check current NTP config
timesync-ntp status

# Set NTP servers (VAMI UI is easier for this)

5. Tighten TLS to 1.2+ only

Disable TLS 1.0 and 1.1. This is now default in vSphere 8 but double-check on upgraded deployments.

VAMI → TLS Configuration → verify TLS 1.0 and 1.1 are disabled.

6. Enable audit logging to syslog

Forward logs to a SIEM. Without centralized logging, forensics after an incident is nearly impossible.

# vSphere Client → vCenter → Configure → Advanced Settings
# Add:
# config.log.host = udp://your-syslog:514
# config.log.level = info
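Once logs land in the SIEM, the value comes from what you alert on. Below is an added example (not from this post or from VMware) of two detections that tie back to earlier items on this list: a successful login by the account you disabled in item 2, and a login from outside the jump-host ranges you allowed in item 7. The syslog lines, the RFC 5424-style message layout, the `vc-admin-jdoe@corp.local` account name and the `10.10.0.0/24` jump-host range are all constructed for the example; real vpxd message text differs, so adapt `LOGIN_RE` to what your vCenter actually forwards.

```python
"""Constructed detections over syslog-forwarded vCenter login events.
Added example; log lines and address ranges are invented for illustration."""
import ipaddress
import re

# Constructed policy: where admins are allowed to come from (checklist item 7).
JUMP_HOST_RANGES = [ipaddress.ip_network("10.10.0.0/24")]
# Accounts that should never log in successfully after hardening (item 2).
DISABLED_ACCOUNTS = {"administrator@vsphere.local"}

# Constructed sample in RFC 5424 layout: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG
SAMPLE_LOGS = """\
<14>1 2026-02-03T10:15:02Z vcenter01 vpxd - - - User vc-admin-jdoe@corp.local logged in from 10.10.0.7
<14>1 2026-02-03T10:16:40Z vcenter01 vpxd - - - User administrator@vsphere.local logged in from 10.10.0.7
<14>1 2026-02-03T10:17:05Z vcenter01 vpxd - - - User vc-admin-jdoe@corp.local logged in from 203.0.113.10
<14>1 2026-02-03T10:18:00Z vcenter01 vpxd - - - User vc-admin-jdoe@corp.local logged out
"""

# Assumed message shape; adjust to the wording your vCenter version emits.
LOGIN_RE = re.compile(r"User (\S+) logged in from (\S+)")


def parse_syslog(line):
    """Split an RFC 5424-style line into the header fields we need plus the free-text MSG."""
    parts = line.split(" ", 7)
    if len(parts) < 8:
        return None
    return {"ts": parts[1], "host": parts[2], "app": parts[3], "msg": parts[7]}


def is_trusted_source(ip):
    """True if the source address falls inside one of the allowed jump-host ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in JUMP_HOST_RANGES)


def detect(text):
    """Return (timestamp, rule, user, source_ip) tuples for every login that violates policy."""
    alerts = []
    for line in text.splitlines():
        rec = parse_syslog(line)
        if rec is None:
            continue
        m = LOGIN_RE.search(rec["msg"])
        if not m:
            continue  # not a login event
        user, src = m.group(1), m.group(2)
        if user.lower() in DISABLED_ACCOUNTS:
            alerts.append((rec["ts"], "disabled-account-login", user, src))
        if not is_trusted_source(src):
            alerts.append((rec["ts"], "login-from-untrusted-network", user, src))
    return alerts


if __name__ == "__main__":
    for ts, rule, user, src in detect(SAMPLE_LOGS):
        print(f"{ts} ALERT {rule}: {user} from {src}")
```

Both rules are deliberately simple: they exist to show that the controls above (disabled default account, restricted source networks) only pay off if something is watching the forwarded logs for the cases they are meant to prevent.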

7. Lock down firewall rules

By default vCenter accepts management connections from anywhere. Add firewall rules to restrict access to jump hosts / VPN ranges only.

8. Configure session timeout

Default idle timeout is very long. Set it to 15–30 minutes.

Administration → Client Configuration → Session Timeout

9. Enable FIPS 140-2 mode (if required)

For regulated environments. Note: enabling FIPS post-install requires a restart.

10. Review and remove unused plugins

Every plugin is an attack surface. Remove anything you’re not actively using.

Administration → Client Plug-Ins → disable/remove unused


Quick audit command

Run this from a jumphost to check which ports are actually open on your vCenter:

nmap -sV -p 443,80,22,902,9443,5480 <vcenter-ip>

Compare against VMware’s required ports documentation and close anything unexpected.
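Doing the "compare against expected" step by eye works once; doing it on every vCenter after every upgrade is where drift creeps in. Below is an added example (my own, not from this post or from VMware) that parses nmap's grepable output (`-oG`) for the scan above and diffs the open ports against an allowlist. The allowlist is a constructed policy for this example: 22 is left out because SSH should be disabled (item 3), and 9443 is left out because nothing on this list needs it; the sample scan output is likewise constructed, not a real vCenter.

```python
"""Diff open ports from an nmap -oG scan of a vCenter against an expected set.
Added example; the scan output and allowlist are constructed for illustration."""
from dataclasses import dataclass

# Constructed policy: ports a hardened vCenter should answer on from a jump host.
# Adjust to your own build standard and VMware's required-ports documentation.
EXPECTED_OPEN = {80, 443, 902, 5480}

# Constructed output of: nmap -sV -p 443,80,22,902,9443,5480 -oG - 10.0.0.5
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sV -p 443,80,22,902,9443,5480 -oG - 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.0/, 80/open/tcp//http//, 443/open/tcp//ssl|https//, 902/open/tcp//vmware-auth//, 5480/open/tcp//ssl|http//, 9443/closed/tcp//tungsten-https//\tIgnored State: filtered (0)
# Nmap done at ... -- 1 IP address (1 host up) scanned in 12.3 seconds
"""


@dataclass(frozen=True)
class PortResult:
    host: str
    port: int
    state: str
    proto: str
    service: str
    version: str


def parse_grepable(text):
    """Parse the 'Ports:' field of nmap -oG output into PortResult records.

    Each entry has the form port/state/protocol/owner/service/rpc-info/version/.
    """
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            results.append(PortResult(
                host=host,
                port=int(fields[0]),
                state=fields[1],
                proto=fields[2],
                service=fields[4],
                version=fields[6],
            ))
    return results


def audit(results, expected=EXPECTED_OPEN):
    """Return ports that are open but not expected, and expected ports that are not open."""
    open_ports = {r.port for r in results if r.state == "open"}
    return {
        "unexpected_open": sorted(open_ports - expected),
        "expected_missing": sorted(expected - open_ports),
    }


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for r in scan:
        print(f"{r.host}:{r.port}/{r.proto} {r.state:<7} {r.service} {r.version}")
    report = audit(scan)
    print("unexpected open ports:", report["unexpected_open"])
    print("expected ports not open:", report["expected_missing"])
```

In practice you would feed the script `nmap ... -oG - <vcenter-ip>` on stdin from the jump host and fail the check when `unexpected_open` is non-empty. The `expected_missing` list is worth keeping too: a required port that has stopped answering usually means a firewall change nobody documented.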


This list covers the 80% that matters most. Full CIS Benchmark for vSphere has 100+ controls — worth reading if you’re in a regulated environment.