Posted by: Eric Siebert
With VMware Infrastructure 3, Web Access was enabled by default. VMware chose to disable it in vSphere for security reasons. If you browse to an ESX 4 host you will still see the default welcome page, but if you click the Log In link you get an HTTP 503 Service Unavailable error, because the Web Access service is not running.
This only affects ESX hosts. VMware vCenter Server still has Web Access enabled by default, and ESXi has no Web Access user interface (UI) for managing the host and its virtual machines at all.
There is a VMware tech note that describes how to enable this feature in ESX 4.0, but before you go ahead and do this you should ask yourself whether you really need it enabled on all your hosts. VMware disabled it for a reason: a web UI is additional attack surface on the host. It listens on the network, it must be patched like any other web application, and any flaw in it (or in the browser session using it) can expose the VMs and the host it manages.
The Web Access UI is also very limited: you can administer guest VMs but not the host itself. Leaving it disabled removes a potential attack vector for your ESX hosts and makes them more secure. The same reasoning applies to other settings that are disabled by default in ESX, such as root login over SSH.
Root SSH is the first thing many administrators enable, because it is easier than creating a separate user account and using su or sudo; resist that urge, and resist enabling Web Access for the same reason. Use the vSphere Client instead. If you must use Web Access for a specific reason, enable it only on the hosts that need it. If you have a vCenter Server, use the Web Access on vCenter instead and use its built-in roles and permissions to limit what each user can do. By leaving vSphere Web Access disabled you are helping to make your ESX hosts and your whole virtual environment more secure.
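If you do follow the tech note and enable Web Access on a few hosts, you will want a quick way to confirm that it is still off everywhere else. The script below is an added example, not something from the original post or from VMware. It assumes that Web Access runs as the init service vmware-webAccess on ESX 4 hosts (so its boot state can be read from chkconfig --list output) and that the login page lives at https://<host>/ui/; both are assumptions, as is the host list used to run it. A host with Web Access disabled should answer 503 at that URL, exactly as described above.

```shell
#!/bin/sh
# Added audit helper (not from the original post or VMware). Assumptions:
# - Web Access runs as the init service "vmware-webAccess" on ESX 4 hosts.
# - The login page lives at https://<host>/ui/ (assumed URL).
# - A host with Web Access disabled answers HTTP 503 at that URL.

# Parse one line of `chkconfig --list vmware-webAccess` output, e.g.
#   "vmware-webAccess 0:off 1:off 2:off 3:on 4:on 5:on 6:off"
# and print "on" if the service starts in any multi-user runlevel (3-5),
# otherwise "off". Run this on the host itself, from the service console.
webaccess_boot_state() {
    line="$1"
    state=off
    for field in $line; do
        case "$field" in
            3:on|4:on|5:on) state=on ;;
        esac
    done
    echo "$state"
}

# Map the HTTP status returned by the Web Access login URL to a verdict.
# "000" is what curl reports in %{http_code} when it could not connect.
classify_login_status() {
    case "$1" in
        503)     echo disabled ;;      # service stopped: the expected state
        200|302) echo ENABLED ;;       # login page served: Web Access is live
        000)     echo unreachable ;;   # no TCP/TLS connection to the host
        *)       echo "unknown($1)" ;;
    esac
}

# Query one host over HTTPS from an admin workstation and print
# "<host> <verdict>". -k is used because ESX hosts usually present
# self-signed certificates; -m 10 keeps a dead host from stalling the scan.
audit_host() {
    host="$1"
    code=$(curl -sk -m 10 -o /dev/null -w '%{http_code}' "https://$host/ui/" 2>/dev/null) || code=000
    echo "$host $(classify_login_status "$code")"
}

# Only scan when a host list is supplied, so sourcing this file has no
# side effects. Example (hostnames are placeholders):
#   ESX_HOSTS="esx01.example.com esx02.example.com" sh audit-webaccess.sh
if [ -n "${ESX_HOSTS:-}" ]; then
    for h in $ESX_HOSTS; do
        audit_host "$h"
    done
fi
```

Any host that reports ENABLED but is not on your short list of hosts that genuinely need Web Access should have the service stopped and removed from the boot runlevels again (the reverse of the steps in the tech note), and the question of why it was switched on is worth asking.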