Security Best Practices for Securing ESXi Hosts
You must follow multiple best practices at all times when you operate your ESXi hosts.

| Best Practice | Description |
|---|---|
| Add only system accounts to the ESXi exception users list. VMW-ESXI-00125 | You can add users to the exception users list from the vSphere Client. These user accounts do not lose their permissions when the host enters lockdown mode. Add only service accounts such as backup agents. Do not add administrative users or user groups to the exception users list. Adding unnecessary users to the exception list defeats the purpose of lockdown mode. |
| Install security patches and updates for ESXi hosts. VMW-ESXI-00129 | Install all security patches and updates on the ESXi hosts as soon as the update bundles are available in SDDC Manager. Do not apply patches to ESXi manually or by using vSphere Update Manager or VMware vCenter Lifecycle Manager in a VMware Cloud Foundation environment unless directed to do so by support. If you patch the environment without using SDDC Manager, it not only leads to a less secure environment but may also cause issues with automated upgrades or actions in the future. |
| The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic. VMW-ESXI-00178 | The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack would most likely begin with gaining entry to this network. The Management VMkernel port group must be on a dedicated VLAN. The Management VLAN must not be shared by any other function and must not be accessible to anything other than management-related functions such as vCenter. |
| The ESXi host must use approved certificates. VMW-ESXI-01113 | The default self-signed, VMCA-issued host certificate must be replaced with a certificate from a trusted Certificate Authority (CA) when the host is accessed directly, such as during a virtual machine (VM) console connection. |
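The following PowerCLI script is an added example for auditing a host against the controls in the table above (VMW-ESXI-00125, VMW-ESXI-00178 and VMW-ESXI-01113, with the host build recorded for VMW-ESXI-00129 so it can be compared with the bundle in SDDC Manager); it is not code from the VMware guide. It assumes PowerCLI is installed, `Connect-VIServer` has already been run against the vCenter Server that manages the host, and that the host name and the dedicated Management VLAN ID are placeholders you replace with your own values. The VMCA detection is a heuristic on the default VMCA issuer name and is marked as an assumption in the code.

```powershell
# Added audit example; it is not code from the VMware guide this page comes from.
# Assumptions: VMware PowerCLI is installed, Connect-VIServer has already been run
# against the vCenter Server that manages the host, and the host name and the
# dedicated Management VLAN ID below are placeholders you replace with your own.
param(
    [string]$HostName         = 'esxi-01.example.local',  # placeholder
    [int]   $ExpectedMgmtVlan = 100                       # placeholder: your dedicated Management VLAN
)

$vmhost   = Get-VMHost -Name $HostName
$hostView = $vmhost | Get-View
$findings = New-Object System.Collections.Generic.List[string]

# VMW-ESXI-00129: record the build so it can be compared with the bundle offered in SDDC Manager.
$findings.Add("Version/build: $($vmhost.Version) build $($vmhost.Build) (compare with the SDDC Manager bundle)")

# VMW-ESXI-00125: lockdown mode state and the exception users list.
$accessMgr  = Get-View $hostView.ConfigManager.HostAccessManager
$exceptions = @($accessMgr.QueryLockdownExceptions())
$findings.Add("Lockdown mode: $($accessMgr.LockdownMode)")
if ($exceptions.Count -eq 0) {
    $findings.Add('Exception users: none')
} else {
    # Every name listed here should be a service account (for example a backup agent),
    # never an administrator or a group. Review each one.
    $findings.Add("Exception users (review, service accounts only): $($exceptions -join ', ')")
}

# VMW-ESXI-00178: the VMkernel port carrying Management traffic must sit on the
# dedicated Management VLAN and must not also carry any other function.
$mgmtVmks = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel | Where-Object { $_.ManagementTrafficEnabled }
foreach ($vmk in $mgmtVmks) {
    $shared = @()
    if ($vmk.VMotionEnabled)               { $shared += 'vMotion' }
    if ($vmk.VsanTrafficEnabled)           { $shared += 'vSAN' }
    if ($vmk.FaultToleranceLoggingEnabled) { $shared += 'FT logging' }
    if ($shared.Count -gt 0) {
        $findings.Add("FAIL $($vmk.Name): Management shares the VMkernel port with $($shared -join ', ')")
    }

    # VCF places Management on a distributed switch; fall back to a standard port group if needed.
    $pg = Get-VDPortgroup -Name $vmk.PortGroupName -ErrorAction SilentlyContinue
    if ($pg) {
        $vlan = $pg.VlanConfiguration.VlanId
    } else {
        $vlan = (Get-VirtualPortGroup -VMHost $vmhost -Name $vmk.PortGroupName).VLanId
    }
    if ($vlan -ne $ExpectedMgmtVlan) {
        $findings.Add("FAIL $($vmk.Name): port group '$($vmk.PortGroupName)' is on VLAN $vlan, expected $ExpectedMgmtVlan")
    } else {
        $findings.Add("PASS $($vmk.Name): Management on VLAN $vlan")
    }
}

# VMW-ESXI-01113: inspect the issuer of the host certificate that vCenter holds for the host.
# HostConfigInfo.certificate is the PEM-encoded host certificate as a byte array.
$pem    = [System.Text.Encoding]::ASCII.GetString([byte[]]$hostView.Config.Certificate)
$base64 = ($pem -split "`n" | Where-Object { $_ -notmatch '^-----' }) -join ''
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($base64))
# Heuristic (assumption): the default VMCA root carries 'OU=VMware Engineering' in its subject,
# so a host certificate whose issuer contains it is still the VMCA-issued default.
if ($cert.Issuer -match 'OU=VMware Engineering') {
    $findings.Add("FAIL certificate: issued by '$($cert.Issuer)' (VMCA default); replace with a trusted CA certificate")
} else {
    $findings.Add("PASS certificate: issued by '$($cert.Issuer)', expires $($cert.NotAfter)")
}

# Emit the findings; run per host, or wrap in a loop over Get-VMHost for a whole cluster.
$findings
```

The exception-users check deliberately does not decide by itself which accounts are acceptable: the guide's rule is "service accounts only", which is an organisational judgement, so the script lists the names for review rather than passing or failing them. The VLAN check, by contrast, is mechanical and compares against the VLAN you designate as the dedicated Management VLAN.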