UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ESXi host must verify the exception users list for lockdown mode.


Overview

Finding ID Version Rule ID IA Controls Severity
V-256377 ESXI-70-000003 SV-256377r885912_rule Medium
Description
While a host is in lockdown mode (strict or normal), only users on the "Exception Users" list are allowed access. These users do not lose their permissions when the host enters lockdown mode. The organization may want to add service accounts such as a backup agent to the Exception Users list. Verify the list of users exempted from losing permissions is legitimate and as needed per the environment. Adding unnecessary users to the exception list defeats the purpose of lockdown mode.
STIG Date
VMware vSphere 7.0 ESXi Security Technical Implementation Guide 2023-02-21

Details

Check Text ( C-60052r885910_chk )
For environments that do not use vCenter server to manage ESXi, this is not applicable.

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Security Profile.

Under "Lockdown Mode", review the Exception Users list.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following script:

$vmhost = Get-VMHost | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
$lockdown.QueryLockdownExceptions()

If the Exception Users list contains accounts that do not require special permissions, this is a finding.

Note: The Exception Users list is empty by default and should remain that way except under site-specific circumstances.
Fix Text (F-59995r885911_fix)
From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Security Profile.

Under "Lockdown Mode", click "Edit" and remove unnecessary users from the Exception Users list.