By using the vCSA, as also suggested by VMware, you can use the same VM hardening suggestions and also benefit from a hardened OS. By default, shell access is disabled. SSH can be enabled during deployment but you still access the vCSA with a limited set of commands (anyway, enabling the full shell is quite easy).

PSC security best practices are quite simple and are as follows:

• Check password expiration: The default vCenter SSO password lifetime is 90 days.
• Configure NTP: This ensures that all systems use the same relative time source (including the relevant localization offset). Synchronized systems are essential for vCenter SSO certificate validity, and for the validity of other vSphere certificates.