WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Hardware Options
    • Hardware Reviews
    • Lab Deployment Scripts
    • Nested Virtualization
    • Homelab Podcasts
  • VMware Nostalgia
  • Apple

Applying additional security hardening enhancements in ESXi 8.0

01.10.2023 by William Lam // 14 Comments

While responding to a few ESXi security configuration questions, I was referencing our ESXi Security documentation, which includes a lot of useful information and latest best practices. It is definitely worth re-reviewing this section from time to time to take advantage of all the ESXi security enhancements to help protect and secure your vSphere environment.

In certain areas of the ESXi security documentation, I noticed that it mentions CLI and API, but it does not always provide an example that customers can then reference and use in their Automation, which is really the only guaranteed method to ensure configurations are consistent across your vSphere environment. After answering some of the security related questions, especially on the Automation examples, I figure it would be useful to share this information more broadly so that folks are aware of some of the new and existing security enhancements along with some of their implications if you are not implementing them.

Speaking of new ESXi security enhancements, one of the new features that was introduced in ESXi 8.0 is the ability to disable ESXi Shell access for non-root users. While this might sound like a pretty basic feature, applying this towards the vCenter Server service account vpxuser can help add another layer of protection for your ESXi hosts against attackers. It turns out that users with ESXi Shell access can also modify other local users password on ESXi host including the root user. By restricting ESXi Shell access for the vpxuser, you prevent attackers, which can also be insiders who have access to vCenter Server the ability to just change the ESXi root password without knowing the original password. As a result, this can lock you out of your ESXi hosts or worse, enable an attacker to encrypt your workloads, especially as the rise ransomeware attacks has been increasing.

[Read more...]

Categories // Automation, ESXi, PowerCLI, Security, vSphere 8.0 Tags // esxcli, ESXi 8.0, kickstart, security

How to replace some of ESXi Kickstart automation with new configstorecli commands?

01.06.2023 by William Lam // 2 Comments

I had received a question a couple of weeks back from a customer who was already automating their ESXi installation using ESXi Kickstart, also known as ESXi Scripted Installation but they had ran into an issue when migrating the exact same automation to the latest ESXi 7.0 releases.

The method the customer was using to manage their ESXi password policies, which was by updating the /etc/pam.d/passwd file, no longer function as expected and this was a result of the introduction of the ESXi ConfigStore, which I have written about here.

As mentioned in the article, the goal of the ESXi ConfigStore is the following:

The goal of the ConfigStore, initially introduced in ESXi 7.0 Update 1, is to centrally manage all configurations for an ESXi host instead of relying on different methods including a variety of configuration files.

[Read more...]

Categories // Automation, ESXi, vSphere 7.0, vSphere 8.0 Tags // configstorecli, ESXi 7.0, ESXi 8.0, kickstart

Quick Tip - Automating ESXi 8.0 install using allowLegacyCPU=true

10.17.2022 by William Lam // 5 Comments

For those looking to install ESXi 8.0 but have an unsupported CPU, the following kernel boot option allowLegacyCPU=true can be added which would bypass the installer pre-check as shown in the screenshot below.

When the ESXi installer bypass happens, instead of an error which forces you to reboot, you will get a warning message and user must acknowledge they understand they are using an unsupported CPU and then continue with the installation.

UPDATE (10/05/23) - ESXi 8.0 Update 2 requires CPU processors that support XSAVE instruction or you will not be able to upgrade and means you will hardware with a minimum of an Intel Sandy Bridge or AMD Bulldozer processor or later.

Note: For more information, also checkout my vSphere 8 Homelab considerations blog post for more tips and tricks.

For an interactive installation of ESXi, the additional acknowledgment is not an issue but for an automated installation of ESXi using Kickstart, this can be a problem since you are still required to manually hit enter before the installation actually begins. The question from a couple of my readers, is there a workaround for this?

[Read more...]

Categories // Automation, ESXi, vSphere 8.0 Tags // ESXi 8.0, kickstart, vSphere 8.0

  • « Previous Page
  • 1
  • 2
  • 3
  • 4
  • 5
  • …
  • 12
  • Next Page »

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • Ultimate Lab Resource for VCF 9.0 06/25/2025
  • VMware Cloud Foundation (VCF) on ASUS NUC 15 Pro (Cyber Canyon) 06/25/2025
  • VMware Cloud Foundation (VCF) on Minisforum MS-A2 06/25/2025
  • VCF 9.0 Offline Depot using Synology 06/25/2025
  • Deploying VCF 9.0 on a single ESXi host? 06/24/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025

 

Loading Comments...