UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must disable DCUI to prevent local administrative control.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-OS-99999-ESXI5-000135 SRG-OS-99999-ESXI5-000135 SRG-OS-99999-ESXI5-000135_rule Medium
Description
The DCUI allows for low-level host configuration, such as configuring IP address, hostname, and root password, as well as diagnostic capabilities, such as enabling the ESXi shell, viewing log files, restarting agents, and resetting configurations. Actions performed from the DCUI are not tracked by vCenter Server. Even if Lockdown Mode is enabled, someone with the root password can perform administrative tasks in the DCUI bypassing RBAC and auditing controls provided through vCenter. DCUI access can be disabled. Disabling it prevents all local activity and thus forces actions to be performed in vCenter Server where they can be centrally audited and monitored.
STIG Date
VMware ESXi v5 Security Technical Implementation Guide 2013-01-15

Details

Check Text ( C-SRG-OS-99999-ESXI5-000135_chk )

From the vSphere Client, select the host and select "Configuration >> Security Profile". In the services section select "Properties". Select "Direct Console UI" and click "Options". From the pop-up verify the DCUI service startup policy is set to "start and stop manually".

If the DCUI service startup policy is not set to "Start and stop manually", this is a finding.

Fix Text (F-SRG-OS-99999-ESXI5-000135_fix)
From the vSphere Client, select the host and select "Configuration >> Security Profile". In the services section select "Properties". Select "Direct Console UI" and click "Options". From the pop-up stop the DCUI service and set the startup policy to "start and stop manually".