VMware Default Passwords and Credentials: Complete Security Reference Guide
Understanding VMware’s default credentials is crucial for initial deployment and security hardening. This comprehensive guide covers default usernames, passwords, and security best practices across VMware’s virtualization infrastructure components, including critical security warnings and modern authentication recommendations.
Security Warning
CRITICAL SECURITY NOTICE: Default credentials represent significant security vulnerabilities and must be changed immediately upon deployment. Failure to modify default passwords can result in unauthorized access, data breaches, and complete infrastructure compromise. This guide is intended for initial deployment and security assessment purposes only.
VMware vCenter Server
vCenter Server Appliance (VCSA)
Initial Access Credentials
Console/SSH Access:
Username: root
Password: vmware
Initial Web Configuration:
URL: https://[vCenter-IP]:5480
Username: root
Password: vmware
vSphere Web Client:
URL: https://[vCenter-IP]:9443
Username: administrator@vsphere.local
Password: [Set during installation]
VCSA Management Interface URLs
# Initial configuration interface
https://[vCenter-IP]:5480
# vSphere HTML5 Client
https://[vCenter-IP]/ui
# Legacy vSphere Web Client
https://[vCenter-IP]:9443
# Direct Platform Services Controller
https://[vCenter-IP]:443/psc
# vCenter Lookup Service
https://[vCenter-IP]:7444/lookupservice/sdk
vCenter for Windows (Deprecated)
Legacy installations may include:
Service Account: SYSTEM (LocalSystem)
vCenter Single Sign-On: administrator@vsphere.local
Database Service: [Varies by DB configuration]
ESXi Hypervisor
Default ESXi Credentials
Initial Access
Username: root
Password: [No password - must be set during installation]
Direct Console User Interface (DCUI):
Username: root
Password: [User-defined during installation]
ESXi Shell/SSH:
Username: root
Password: [Same as DCUI password]
ESXi Management URLs
# ESXi Host Client
https://[ESXi-IP]/ui
# Legacy vSphere Web Access
https://[ESXi-IP]:443
# ESXi Embedded Host Client
https://[ESXi-IP]:9443
Service Accounts and Built-in Users
ESXi includes several built-in accounts:
vpxuser: Used by vCenter to manage ESXi hosts
dcui: Direct Console User Interface account
root: Primary administrative account
VMware vCenter Operations Manager (vCOPS)
vCOPS UI VM Console
Local Console Access
Username: admin
Password: admin
Username: root
Password: vmware
Web GUI Access
URL: https://[vCOPS-IP]
Username: admin
Password: admin
Analytics UI:
URL: https://[vCOPS-IP]/vcops-vsphere
Username: admin
Password: admin
vCOPS Configuration
Database Credentials
vCOPS Database User: vcops
Default Password: vcops
Database: vcopsdb
Service Accounts
vCOPS Service: vcops-admin
Analytics Service: analytics-admin
Custom UI Service: custom-ui-admin
VMware vShield Manager
Default Access Credentials
Management Console
Username: admin
Password: default
SSH/Console Access:
Username: admin
Password: default
vShield Components
vShield Edge
CLI Access: admin/default
Web Interface: admin/default
Enable Password: default
vShield App
Management User: admin/default
Service Account: Varies by deployment
VMware Horizon View
View Connection Server
Administrative Access
Windows Administrator: [Domain Administrator]
View Administrator: [Domain User with View Admin rights]
Database User: [SQL Server service account]
Default Database: VDM
Security Server
Service Account: [Domain service account]
Certificate Store: Local Computer\Personal
VMware NSX
NSX Manager
Default Credentials
Username: admin
Password: admin
CLI Access:
Username: admin
Password: admin
Enable Password: admin
NSX Components
NSX Controller
Username: admin
Password: admin
Service Account: nsx-controller
NSX Edge
Username: admin
Password: default
CLI Enable: admin
VMware vRealize Suite
vRealize Operations Manager (vROPS)
Management Interface
Username: admin
Password: admin
Database User: vrops
Database Password: vrops
vRealize Automation (vRA)
IaaS Manager
Username: Administrator
Password: [Set during installation]
Service Account: [Domain service account]
vRealize Log Insight
Administrative Access
Username: admin
Password: admin
Root Access:
Username: root
Password: vmware
Security Hardening Requirements
Immediate Actions Required
1. Change All Default Passwords
# ESXi password change via DCUI or CLI
passwd root
# vCenter password change via vSphere Client
# Navigate to Administration > Single Sign-On > Users and Groups
# Select administrator@vsphere.local and reset password
2. Disable Unnecessary Accounts
# ESXi: Disable SSH after configuration
vim-cmd hostsvc/enable_ssh false
# Lock down DCUI access
vim-cmd hostsvc/advopt/update UserVars.DcuiTimeOut long 120
3. Enable Account Lockout Policies
# ESXi account lockout configuration
vim-cmd hostsvc/advopt/update Security.AccountLockFailures long 5
vim-cmd hostsvc/advopt/update Security.AccountUnlockTime long 900
Authentication Security Enhancements
Multi-Factor Authentication (MFA)
vCenter MFA Configuration
# Enable MFA for vCenter Server
# Via vSphere Client: Administration > Single Sign-On > Configuration > Identity Sources
# Add RSA SecurID or other supported MFA providers
Smart Card Authentication
# Configure Smart Card authentication
# vCenter: Administration > Single Sign-On > Configuration > Smart Card Authentication
# ESXi: Security Profile > Authentication Services
Active Directory Integration
vCenter AD Integration
# Add AD as identity source
# vSphere Client: Administration > Single Sign-On > Configuration > Identity Sources
# Select "Active Directory (Integrated Windows Authentication)"
ESXi AD Authentication
# Join ESXi to Active Directory
esxcli system authentication activedirectory join --domain example.com --username admin --password
Certificate Management
Replace Default Certificates
vCenter Certificate Replacement
# Generate Certificate Signing Request
/usr/lib/vmware-vmca/bin/certificate-manager
# Options:
# 1. Replace Machine SSL certificate with custom certificate
# 2. Replace VMCA Root certificate with custom signing certificate
# 3. Replace Machine SSL certificate with VMCA certificate
ESXi Certificate Management
# Generate new certificate for ESXi
openssl req -new -nodes -out esxi.csr -keyout esxi.key -config openssl.cfg
# Install certificate via vSphere Client
# Host > Configure > System > Certificate
Network Security Configuration
Firewall Rules
ESXi Firewall Configuration
# List current firewall rules
esxcli network firewall ruleset list
# Enable/disable specific services
esxcli network firewall ruleset set --ruleset-id sshServer --enabled false
esxcli network firewall ruleset set --ruleset-id httpClient --enabled false
# Configure allowed IP ranges
esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.168.1.0/24
vCenter Firewall Configuration
# Configure vCenter appliance firewall
# Via VAMI: https://[vCenter-IP]:5480
# Navigate to: Networking > Firewall
Network Segmentation
Management Network Isolation
# Create dedicated management network
# vSphere Client: Networking > Virtual Switches
# Create new vSwitch for management traffic only
# Configure management interface
esxcli network ip interface add --interface-name vmk1 --portgroup-name "Management Network"
esxcli network ip interface ipv4 set --interface-name vmk1 --ipv4 192.168.100.10 --netmask 255.255.255.0 --type static
Audit and Monitoring
Enable Comprehensive Logging
ESXi Audit Logging
# Enable audit logging
vim-cmd hostsvc/advopt/update Syslog.global.auditRecord.storageEnable bool true
# Configure syslog server
esxcli system syslog config set --loghost 'udp://syslog.example.com:514'
esxcli system syslog reload
vCenter Audit Configuration
# Enable vCenter audit events
# vSphere Client: Administration > Events
# Configure event forwarding to syslog server
Security Monitoring Tools
Log Analysis Configuration
# Configure vRealize Log Insight for security monitoring
# Create custom dashboards for:
# - Failed authentication attempts
# - Privilege escalation events
# - Configuration changes
# - Network access patterns
Automated Security Assessment
PowerCLI Security Assessment Script
# VMware Security Assessment Script
Connect-VIServer -Server vcenter.example.com
# Check for default passwords (requires careful implementation)
$SecurityIssues = @()
# Check ESXi hosts for security settings
$VMHosts = Get-VMHost
foreach ($VMHost in $VMHosts) {
# Check SSH service status
$SSHService = Get-VMHostService -VMHost $VMHost | Where-Object {$_.Key -eq "TSM-SSH"}
if ($SSHService.Running) {
$SecurityIssues += "SSH enabled on $($VMHost.Name)"
}
# Check account lockout settings
$AccountLockout = Get-VMHostAdvancedConfiguration -VMHost $VMHost -Name Security.AccountLockFailures
if ($AccountLockout.Value -eq 0) {
$SecurityIssues += "Account lockout disabled on $($VMHost.Name)"
}
# Check certificate expiration
$Certificate = Get-VMHostCertificate -VMHost $VMHost
$DaysToExpiry = ($Certificate.NotAfter - (Get-Date)).Days
if ($DaysToExpiry -lt 30) {
$SecurityIssues += "Certificate expiring soon on $($VMHost.Name) - $DaysToExpiry days"
}
}
# Generate security report
$SecurityIssues | Export-Csv -Path "VMwareSecurityAssessment.csv" -NoTypeInformation
Python Security Validation
#!/usr/bin/env python3
"""
VMware Security Configuration Validator
"""
import ssl
import socket
import subprocess
import json
from datetime import datetime, timedelta
class VMwareSecurityValidator:
def __init__(self, vcenter_host, username, password):
self.vcenter_host = vcenter_host
self.username = username
self.password = password
def check_certificate_expiry(self, hostname, port=443):
"""Check SSL certificate expiration"""
try:
context = ssl.create_default_context()
with socket.create_connection((hostname, port), timeout=10) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
cert = ssock.getpeercert()
expiry_date = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
days_until_expiry = (expiry_date - datetime.now()).days
return {
'hostname': hostname,
'expiry_date': expiry_date.isoformat(),
'days_until_expiry': days_until_expiry,
'is_expiring_soon': days_until_expiry < 30
}
except Exception as e:
return {'hostname': hostname, 'error': str(e)}
def validate_firewall_rules(self, esxi_hosts):
"""Validate ESXi firewall configurations"""
firewall_issues = []
for host in esxi_hosts:
# Check for open SSH
try:
result = subprocess.run([
'esxcli', '-s', host['hostname'], '-u', host['username'],
'-p', host['password'], 'network', 'firewall', 'ruleset', 'list'
], capture_output=True, text=True)
if 'sshServer' in result.stdout and 'true' in result.stdout:
firewall_issues.append({
'host': host['hostname'],
'issue': 'SSH service enabled',
'severity': 'medium'
})
except Exception as e:
firewall_issues.append({
'host': host['hostname'],
'issue': f'Unable to check firewall: {str(e)}',
'severity': 'high'
})
return firewall_issues
def generate_security_report(self):
"""Generate comprehensive security report"""
report = {
'assessment_date': datetime.now().isoformat(),
'vcenter_host': self.vcenter_host,
'issues': [],
'recommendations': []
}
# Add certificate checks
cert_info = self.check_certificate_expiry(self.vcenter_host)
if cert_info.get('is_expiring_soon'):
report['issues'].append({
'type': 'certificate_expiry',
'severity': 'high',
'description': f"vCenter certificate expires in {cert_info['days_until_expiry']} days"
})
# Add security recommendations
report['recommendations'] = [
'Change all default passwords immediately',
'Enable multi-factor authentication',
'Implement certificate-based authentication',
'Configure account lockout policies',
'Enable comprehensive audit logging',
'Implement network segmentation for management traffic',
'Regular security assessments and vulnerability scanning'
]
return report
# Example usage
if __name__ == "__main__":
validator = VMwareSecurityValidator("vcenter.example.com", "administrator@vsphere.local", "secure_password")
security_report = validator.generate_security_report()
with open('vmware_security_report.json', 'w') as f:
json.dump(security_report, f, indent=2)
Compliance and Documentation
Security Compliance Frameworks
NIST Cybersecurity Framework Alignment
Identify (ID)
- Asset inventory of all VMware components
- Risk assessment of default credentials
- Data classification for virtual machines
Protect (PR)
- Access control implementation
- Data security through encryption
- Protective technology deployment
Detect (DE)
- Security monitoring implementation
- Anomaly detection configuration
- Continuous monitoring processes
Respond (RS)
- Incident response procedures
- Analysis and mitigation strategies
- Improvement processes
Recover (RC)
- Recovery planning
- Improvements based on lessons learned
- Communication strategies
CIS Controls Implementation
# CIS Control 4: Controlled Use of Administrative Privileges
# Implement least privilege access for VMware administrators
# CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
# Configure comprehensive logging for all VMware components
# CIS Control 11: Secure Configuration for Network Devices
# Harden VMware network configurations
Documentation Requirements
Security Configuration Baseline
1. Password Policy Documentation
- Minimum password complexity requirements
- Password rotation schedules
- Account lockout policies
2. Network Security Documentation
- Firewall rule configurations
- Network segmentation diagrams
- Management network isolation
3. Certificate Management Documentation
- Certificate authorities used
- Certificate renewal procedures
- Certificate monitoring processes
4. Access Control Documentation
- Role-based access control matrix
- User account management procedures
- Multi-factor authentication configuration
Emergency Procedures
Account Lockout Recovery
vCenter Administrator Lockout
# Reset vCenter SSO administrator password
# Access vCenter Server Appliance Management Interface (VAMI)
# https://[vCenter-IP]:5480
# Navigate to Administration > Users
# Reset administrator@vsphere.local password
# Alternative: Reset via vCenter Server shell
/usr/lib/vmware-vmafd/bin/dir-cli user modify --account administrator --user-password NewPassword123! --login administrator@vsphere.local --password CurrentPassword
ESXi Root Account Lockout
# Boot ESXi host into troubleshooting mode
# Press Shift+O during boot to access boot options
# Add: ks=file://etc/vmware/weasel/ks_cust.cfg runweasel
# Alternative: Use ESXi installation media for password reset
# Boot from installation media
# Select "Troubleshooting Options"
# Mount existing installation and reset root password
Disaster Recovery Procedures
vCenter Database Recovery
# Restore vCenter from backup
# Stop vCenter services
service-control --stop --all
# Restore database from backup
# Start vCenter services
service-control --start --all
# Verify all components are operational
service-control --status
This comprehensive guide provides essential information for securing VMware infrastructure while maintaining operational efficiency. Regular security assessments and adherence to best practices ensure robust protection against evolving threats.