By using the vCSA, as also suggested by VMware, you can use the same VM hardening suggestions and also benefit from a hardened OS. By default, shell access is disabled. SSH can be enabled during deployment, but you still access the vCSA with a limited set of commands (anyway, enabling the full shell is quite easy).

Similar best practices to the ESXi hypervisor apply to the vCenter Server as well, with a few additional recommendations related to PSC:

• Check password expiration: The default vCenter SSO password lifetime is 90 days.
• Configure NTP: This ensures that all systems use the same relative time source (including the relevant localization offset). Synchronized systems are essential for vCenter SSO certificate validity, and the validity of other vSphere certificates.