The system must enable lockdown mode to restrict remote access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-OS-99999-ESXI5-000142	SRG-OS-99999-ESXI5-000142	SRG-OS-99999-ESXI5-000142_rule		Medium

Description
Enabling lockdown prevents all API-based access by the accounts to the ESXi host. Enabling lockdown mode disables all remote access to ESXi machines. There are some operations, such as backup and troubleshooting, that require direct access to the host. In these cases Lockdown Mode can be disabled on a temporary basis for specific hosts as needed, and then re-enabled when the task is completed. Lockdown restricts access to the ESXi console to the root user only, requiring non-root users access the host through vSphere Client/vCenter where RBAC and logging can be used to restrict and log activity. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced. Note: Lockdown mode does not apply to root users who log in using authorized keys. When an authorized key file is used for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode. Use of an authorized key file for root must therefore be disallowed.

Description

Enabling lockdown prevents all API-based access by the accounts to the ESXi host. Enabling lockdown mode disables all remote access to ESXi machines. There are some operations, such as backup and troubleshooting, that require direct access to the host. In these cases Lockdown Mode can be disabled on a temporary basis for specific hosts as needed, and then re-enabled when the task is completed. Lockdown restricts access to the ESXi console to the root user only, requiring non-root users access the host through vSphere Client/vCenter where RBAC and logging can be used to restrict and log activity. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced. Note: Lockdown mode does not apply to root users who log in using authorized keys. When an authorized key file is used for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode. Use of an authorized key file for root must therefore be disallowed.

STIG	Date
VMware ESXi v5 Security Technical Implementation Guide	2013-01-15

Details

Check Text ( C-SRG-OS-99999-ESXI5-000142_chk )
From the vSphere client, select the host then select "Configuration >> Security Profile". Verify Lockdown Mode is enabled. If Lockdown Mode is not enabled, this is a finding.

Fix Text (F-SRG-OS-99999-ESXI5-000142_fix)
To enable Lockdown mode, log in directly the ESXi host as root. Open the DCUI on the host. Press F2 for Initial Setup. Toggle the Configure Lockdown Mode setting and configure Lockdown Mode.