Ensure the ESXi shell is disabled

Details

The ESXi shell is an interactive command line environment available from the Direct Console User Interface (DCUI) or remotely via SSH. The ESXi shell should only be enabled on a host when running diagnostics or troubleshooting.

*Rationale*

Activities performed from the ESXi shell bypass vCenter RBAC and audit controls, so the ESXi shell should only be enabled when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere web client or vCLI/PowerCLI.

Solution

To disable the ESXi shell, perform the following:

1. From the vSphere web client, select the host.
2. Select “Configure” -> “System” -> “Security Profile”.
3. Scroll down to “Services”.
4. Click “Edit…”.
5. Select “ESXi Shell”.
6. Click “Stop”.
7. Change the Startup Policy to “Start and Stop Manually”.
8. Click “OK”.

Alternately, use the following PowerCLI command:

# Set the ESXi shell service (key "TSM") to start and stop manually (policy "Off") on all hosts
Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq "TSM" } | Set-VMHostService -Policy Off
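As an added example that is not part of the original article, the following PowerCLI script audits the ESXi shell service on every connected host and, when run with -Remediate, applies the same end state as the steps above (service stopped, startup policy "Off"). It assumes an existing PowerCLI session; the vCenter name is a placeholder.

```powershell
# Added example (not from the original article). Requires an existing PowerCLI session:
#   Connect-VIServer -Server vcenter.example.invalid   # placeholder server name
# The ESXi shell service key is "TSM"; policy "Off" is "Start and stop manually" in the UI.

function Get-EsxiShellStatus {
    # One record per host: is the shell running, what is its startup policy, is it compliant
    foreach ($vmHost in Get-VMHost) {
        $svc = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'TSM' }
        [pscustomobject]@{
            Host      = $vmHost.Name
            Running   = $svc.Running
            Policy    = $svc.Policy
            Compliant = (-not $svc.Running) -and ($svc.Policy -eq 'Off')
        }
    }
}

function Set-EsxiShellDisabled {
    # Stops the ESXi shell where it is running and sets the startup policy to Off.
    # Supports -WhatIf so the change set can be reviewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($vmHost in Get-VMHost) {
        $svc = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'TSM' }
        if ($svc.Running -and $PSCmdlet.ShouldProcess($vmHost.Name, 'Stop ESXi shell')) {
            Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
        }
        if ($svc.Policy -ne 'Off' -and $PSCmdlet.ShouldProcess($vmHost.Name, 'Set policy Off')) {
            Set-VMHostService -HostService $svc -Policy Off | Out-Null
        }
    }
}

# Audit first, remediate only the non-compliant hosts, then re-audit to confirm.
$before = Get-EsxiShellStatus
$before | Format-Table -AutoSize
if ($before | Where-Object { -not $_.Compliant }) {
    Set-EsxiShellDisabled -WhatIf      # drop -WhatIf to apply the change
    Get-EsxiShellStatus | Format-Table -AutoSize
}
```

Because the control's rationale is that shell activity bypasses vCenter auditing, the pre-change report is worth keeping as evidence of when and where the shell was found enabled.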

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: VMware.

References

Source

Updated on July 16, 2022