Ensure the ESXi shell is disabled

Details

The ESXi shell is an interactive command line environment available from the Direct Console User Interface (DCUI) or remotely via SSH. The ESXi shell should only be enabled on a host when running diagnostics or troubleshooting.

Rationale:

Activities performed from the ESXi shell bypass vCenter RBAC and audit controls, so the ESXi shell should only be enabled when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere web client or vCLI/PowerCLI.

Solution

To disable the ESXi shell, perform the following:

From the vSphere Web Client, select the host.

Select Configure then expand System and select Services.

Click on ESXi Shell then click Edit Startup Policy.

Set the Startup Policy to Start and Stop Manually.

Click on OK.

Alternately, use the following PowerCLI command:

# Set the ESXi shell to start manually rather than automatically for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq 'TSM' } | Set-VMHostService -Policy Off
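The one-liner above sets the startup policy but leaves a shell that is currently running untouched, and it gives no record of which hosts were out of compliance. The following PowerCLI script is an added example, not part of the original article, that audits every host for the ESXi shell service (key TSM), reports policy and running state per host, and, only when run with -Remediate, stops the service and sets its policy to Off. The vCenter name is a placeholder; the script assumes PowerCLI is installed and that the account used has permission to change host services.

```powershell
# Added example (not from the original article): audit and optionally
# remediate the ESXi shell (service key 'TSM') across all hosts in a vCenter.
# Assumptions: PowerCLI is installed; $VCenter below is a placeholder to replace.
param(
    [string]$VCenter = 'vcenter.example.invalid',   # placeholder hostname
    [switch]$Remediate                              # audit-only unless set
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$findings = foreach ($vmhost in Get-VMHost) {
    # Each host exposes one service object per daemon; TSM is the ESXi shell.
    $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM' }

    # Compliant means: manual start policy AND not currently running.
    $compliant = ($svc.Policy -eq 'off') -and (-not $svc.Running)

    # Emit the pre-remediation state so the report shows what was found.
    [pscustomobject]@{
        Host      = $vmhost.Name
        Policy    = $svc.Policy
        Running   = $svc.Running
        Compliant = $compliant
    }

    if ($Remediate -and -not $compliant) {
        # Stop a live shell first, then make sure it will not start on boot.
        if ($svc.Running) {
            Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
        }
        Set-VMHostService -HostService $svc -Policy Off | Out-Null
    }
}

# Print the audit table; non-compliant rows are the ones to follow up on.
$findings | Sort-Object Compliant, Host | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without -Remediate first to see which hosts have the shell enabled or running; a host that is legitimately mid-troubleshooting will show Running = True and should be re-checked once the work is finished rather than remediated blindly.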

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: VMware.

References

Source

Updated on July 16, 2022