UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must verify the exception users list for lockdown mode.


Overview

Finding ID Version Rule ID IA Controls Severity
V-63175 ESXI-06-000003 SV-77665r1_rule Low
Description
In vSphere 6.0 and later, you can add users to the Exception Users list from the vSphere Web Client. These users do not lose their permissions when the host enters lockdown mode. Usually you may want to add service accounts such as a backup agent to the Exception Users list. Verify that the list of users who are exempted from losing permissions is legitimate and as needed per your environment. Users who do not require special permissions should not be exempted from lockdown mode.
STIG Date
VMware vSphere ESXi 6.0 Security Technical Implementation Guide 2017-07-11

Details

Check Text ( C-63909r1_chk )
From the vSphere Web Client select the ESXi Host and go to Manage >> Settings >> Security Profile. Under lockdown mode review the exception users list.

or

From a PowerCLI command prompt while connected to the ESXi host run the following script:

$vmhost = Get-VMHost | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
$lockdown.QueryLockdownExceptions()

If the exception users list contains accounts that do not require special permissions, this is a finding.

Note: This list is not intended for system administrator accounts but for special circumstances such as a service account.
Fix Text (F-69093r1_fix)
From the vSphere Web Client select the ESXi Host and go to Manage >> Settings >> Security Profile. Under lockdown mode click Edit and remove unnecessary users to the exceptions list.