Set DCUI.Access to allow trusted users to override lockdown mode

Details

Lockdown mode disables direct host access, requiring admins to manage hosts from vCenter. Set DCUI.Access to a list of highly trusted users who would be able to override lockdown mode and access the DCUI in the event an ESXi host became isolated from vCenter.

NOTE: If you disable lockdown mode using the DCUI, all users with the DCUI.Access privilege will be granted the Administrator role on the host.

Rationale

The list prevents a situation in which all admins are locked out and can no longer manage the host.

Solution

To set a trusted users list for DCUI, perform the following from the vSphere web client:

1. Select the host.
2. Select “Configure” -> “System” -> “Advanced System Settings”.
3. Type DCUI.Access in the filter.
4. Click on the attribute to highlight it.
5. Click edit.
6. Set the DCUI.Access attribute to a comma-separated list of the users who are allowed to override lockdown mode.
7. Click “OK”.
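
The same attribute can be checked on every host at once from PowerCLI. The script below is an added example, not part of the CIS benchmark or of this article's source; it assumes an existing `Connect-VIServer` session, and the account names in `$Approved` and the `$Remediate` switch are hypothetical placeholders.

```powershell
# Added example: audit DCUI.Access on all hosts against an approved list.
# Assumes you are already connected with Connect-VIServer.
# Hypothetical approved accounts; replace with your own trusted users.
$Approved  = @('root', 'dcui-breakglass')
# Set to $true to write the approved list back to non-compliant hosts.
$Remediate = $false

function ConvertTo-UserList {
    param([string]$Value)
    # DCUI.Access is a comma-separated string; trim entries and drop empties.
    @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$report = foreach ($vmhost in Get-VMHost) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access'
    $current = ConvertTo-UserList -Value ([string]$setting.Value)

    # Accounts that can override lockdown mode but are not approved.
    $unexpected = @($current  | Where-Object { $_ -notin $Approved })
    # Approved accounts absent from the host (lockout risk if vCenter is lost).
    $missing    = @($Approved | Where-Object { $_ -notin $current })
    $compliant  = ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)

    if ($Remediate -and -not $compliant) {
        # Writes the approved list as a comma-separated value, as in step 6.
        Set-AdvancedSetting -AdvancedSetting $setting `
            -Value ($Approved -join ',') -Confirm:$false | Out-Null
    }

    [pscustomobject]@{
        Host       = $vmhost.Name
        Current    = $current -join ','
        Unexpected = $unexpected -join ','
        Missing    = $missing -join ','
        Compliant  = $compliant
    }
}

$report | Format-Table -AutoSize
```

Because every account in DCUI.Access receives the Administrator role if lockdown mode is disabled from the DCUI, review the `Unexpected` column before the `Missing` one.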

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: VMware.

Updated on July 16, 2022