For environments that do not use vCenter server to manage ESXi, this is not applicable.
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Security Profile.
Under "Lockdown Mode", review the Exception Users list.
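Alternatively, from a PowerCLI command prompt while connected to the ESXi host, run the following script:
$vmhost = Get-VMHost | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
# List the accounts currently on the Lockdown Mode Exception Users list
$lockdown.QueryLockdownExceptions()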
If the Exception Users list contains accounts that do not require special permissions, this is a finding.
Note: The Exception Users list is empty by default and should remain that way except under site-specific circumstances.
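The check above can be run across every connected host and compared with a site-approved list. The following is an added example, not part of the original check text; the function names and the $ApprovedExceptions variable are hypothetical, and which accounts count as approved is a site decision.

```powershell
# Added example (not from the original check text).
# Assumes an existing Connect-VIServer session.

function Compare-LockdownExceptions {
    param(
        [string[]]$Actual   = @(),   # accounts returned by the host
        [string[]]$Approved = @()    # hypothetical site-approved accounts
    )
    # -notin compares case-insensitively; empty entries are ignored.
    $unapproved = @($Actual | Where-Object { $_ -and ($_ -notin $Approved) })
    [pscustomobject]@{
        ExceptionUsers = ($Actual | Where-Object { $_ }) -join ', '
        Unapproved     = $unapproved -join ', '
        Finding        = $unapproved.Count -gt 0
    }
}

function Get-LockdownExceptionReport {
    param([string[]]$Approved = @())
    foreach ($vmhost in Get-VMHost) {
        # Same calls as the manual check, repeated per host.
        $view     = $vmhost | Get-View
        $lockdown = Get-View $view.ConfigManager.HostAccessManager
        $users    = @($lockdown.QueryLockdownExceptions())

        Compare-LockdownExceptions -Actual $users -Approved $Approved |
            Add-Member -NotePropertyName Host -NotePropertyValue $vmhost.Name -PassThru
    }
}

# Empty by default, matching the note above; add accounts only where
# site-specific circumstances justify them.
$ApprovedExceptions = @()

Get-LockdownExceptionReport -Approved $ApprovedExceptions |
    Format-Table Host, ExceptionUsers, Unapproved, Finding -AutoSize
```

A row with Finding set to True lists the accounts that still need review against the site's documented exceptions.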