Use this checklist to verify the security of your virtualization environment. Recommended review frequency: quarterly or after significant infrastructure changes.

• Two-factor authentication (2FA) is enabled for hypervisor or management interfaces.
• Administrator accounts use complex, unique passwords.
• Default accounts (e.g. root, administrator) are disabled or renamed.
• Access is restricted by IP address or VLAN.

• The hypervisor is up to date with the latest stable security patches.
• Guest operating systems are regularly updated.
• Integration drivers (e.g. VMware Tools, Hyper-V Integration Services) are current.
• Remote access protocols (SSH, RDP) are securely configured or disabled.

• Virtual machine backups are configured and executed regularly.
• At least one backup copy is stored offline or in immutable storage.
• Backup restore testing has been performed in the past 30 days.

• Logging of administrative actions and system configuration changes is enabled.
• A centralized monitoring or SIEM system is in place.
• Logs are stored securely and include integrity protection.

• Management interfaces are on a separate network from guest systems.
• VMs with different trust levels are isolated or placed on different hosts.
• Host-level or VM-level firewalls are active.

• Hyper-V: Secure Boot and vTPM are enabled.
• ESXi: SSH and ESXi Shell are disabled by default.
• Role-based access control (RBAC) is implemented.
• Configuration changes are documented and tracked.