The ESXi host must verify the DCUI.Access list.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-207603	ESXI-65-000002	SV-207603r388482_rule		Low

Description
Lockdown mode disables direct host access requiring that admins manage hosts from vCenter Server. However, if a host becomes isolated from vCenter Server, the admin is locked out and can no longer manage the host. If you are using normal lockdown mode, you can avoid becoming locked out of an ESXi host that is running in lockdown mode, by setting DCUI.Access to a list of highly trusted users who can override lockdown mode and access the DCUI. The DCUI is not running in strict lockdown mode.

Description

Lockdown mode disables direct host access requiring that admins manage hosts from vCenter Server. However, if a host becomes isolated from vCenter Server, the admin is locked out and can no longer manage the host. If you are using normal lockdown mode, you can avoid becoming locked out of an ESXi host that is running in lockdown mode, by setting DCUI.Access to a list of highly trusted users who can override lockdown mode and access the DCUI. The DCUI is not running in strict lockdown mode.

STIG	Date
VMware vSphere 6.5 ESXi Security Technical Implementation Guide	2021-09-22

Details

Check Text ( C-7858r364208_chk )
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the DCUI.Access value and verify only the root user is listed. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost \| Get-AdvancedSetting -Name DCUI.Access and verify it is set to root. If the DCUI.Access is not restricted to root, this is a finding. Note: This list is only for local user accounts and should only contain the root user. For environments that do not use vCenter server to manage ESXi, this is not applicable.

Check Text ( C-7858r364208_chk )

From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the DCUI.Access value and verify only the root user is listed.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name DCUI.Access and verify it is set to root.

If the DCUI.Access is not restricted to root, this is a finding.

Note: This list is only for local user accounts and should only contain the root user.

For environments that do not use vCenter server to manage ESXi, this is not applicable.

Fix Text (F-7858r364209_fix)
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the DCUI.Access value and configure it to root. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost \| Get-AdvancedSetting -Name DCUI.Access \| Set-AdvancedSetting -Value "root"