VM hardening

The hardening guide describes a lot of specific VM options but, starting with ESXi 6.0 Patch 5, many of the VM advanced settings are secure by default. This means that the desired values in the Security Configuration Guide are the default values for all new VMs, so you no longer have to set them manually.

For more information, see the blog post at https://blogs.vmware.com/vsphere/2017/06/secure-default-vm-disable-unexposed-features.html.

For VMs, several specific hardening operations should be considered:

  • Use templates to deploy VMs
  • Minimize use of the VM console
  • Prevent VMs from taking over resources
  • Disable unnecessary functions inside VMs

For more information, check the official documentation at https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-14CCC8CD-D90D-4227-B2C3-0A93D3C023BA.html.

It is recommended to disable or remove any virtual hardware that is not vital for the VM (such as the floppy drive). The same security principles as physical servers apply to the VMs:

  • Protect the BIOS of the server with a password
  • Patch the OS and applications
  • Enable Secure Boot
  • Protect the server with a firewall (if connected to an unsecured network)
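The two points above that translate directly into configuration, namely that the Security Configuration Guide's desired values are now defaults and that non-vital virtual hardware such as the floppy drive should be removed, can be checked offline against a VM's .vmx file. The following auditor is an added example, not code from the book or from VMware. It parses the `key = "value"` lines of a .vmx file and flags settings that deviate from a hardened state. The expectation table is a representative subset that I chose for illustration (floppy, serial and parallel devices, clipboard isolation, guest device connection and the guestinfo size cap); the authoritative list and values are in the Security Configuration Guide. The sample .vmx content is constructed.

```python
"""Audit a .vmx file against a small set of VM-hardening expectations.

Added example (not from the book or VMware): parses the key = "value" lines of a
.vmx file and reports settings that deviate from a hardened state.
"""
import re
from dataclasses import dataclass

# Constructed sample .vmx content for demonstration; this is not a real VM.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "14"
displayName = "web-01"
floppy0.present = "TRUE"
floppy0.fileName = "/dev/null"
serial0.present = "TRUE"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "TRUE"
tools.setInfo.sizeLimit = "1048576"
"""

# Expectation table: key -> (secure value, absent_ok, reason).
# This is a subset I chose for illustration; the full list of settings and
# desired values lives in VMware's Security Configuration Guide.
# absent_ok=True marks settings whose secure value is the default on
# ESXi 6.0 Patch 5 and later, so an omitted key is not a finding; only an
# explicitly insecure value is.
EXPECTATIONS = {
    "floppy0.present": ("FALSE", True, "unneeded virtual hardware"),
    "serial0.present": ("FALSE", True, "unneeded virtual hardware"),
    "parallel0.present": ("FALSE", True, "unneeded virtual hardware"),
    "isolation.tools.copy.disable": ("TRUE", True, "guest-host clipboard copy"),
    "isolation.tools.paste.disable": ("TRUE", True, "guest-host clipboard paste"),
    "isolation.device.connectable.disable": ("TRUE", True, "device connect from guest"),
    "tools.setInfo.sizeLimit": ("1048576", True, "guestinfo size cap"),
}

# A .vmx line looks like:   some.key = "value"
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


@dataclass(frozen=True)
class Finding:
    key: str
    actual: str
    expected: str
    reason: str


def parse_vmx(text: str) -> dict:
    """Return {key: value} for every key = "value" line; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_vmx(text: str) -> list:
    """Compare the parsed settings with EXPECTATIONS and return the deviations."""
    settings = parse_vmx(text)
    findings = []
    for key, (want, absent_ok, reason) in EXPECTATIONS.items():
        if key not in settings:
            if not absent_ok:
                findings.append(Finding(key, "<absent>", want, reason))
            continue
        actual = settings[key]
        # VMX booleans are conventionally upper case but compare case-insensitively.
        if actual.strip().upper() != want.upper():
            findings.append(Finding(key, actual, want, reason))
    return findings


def format_report(findings) -> str:
    """Render findings as one line per deviation for a console or ticket."""
    if not findings:
        return "no deviations from the hardening expectations"
    return "\n".join(
        f"{f.key}: {f.actual!r} (expected {f.expected!r}; {f.reason})" for f in findings
    )


if __name__ == "__main__":
    print(format_report(audit_vmx(SAMPLE_VMX)))
```

Run against the constructed sample, the auditor reports the enabled floppy and serial devices and the explicitly disabled copy isolation, while the absent `parallel0.present` and `isolation.device.connectable.disable` keys are accepted because the secure default applies. Extending the table to the full guide is a matter of adding rows; for a setting whose secure value is not the default, set `absent_ok` to `False` so that a missing key is reported too.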

For virtual networking, NSX can provide micro-segmentation to enforce network security directly at the VM's virtual NIC. Also, at VMworld 2017, a new product was announced: VMware AppDefense, a data center endpoint security product that protects applications running in virtualized environments. AppDefense works inside the VMs (whereas NSX only works at the network level), learns how applications are supposed to behave, and monitors for changes to that intended behavior that indicate a threat.
