Details
The ESXi Shell is an interactive command line environment available locally from the DCUI or remotely via SSH. Activities performed from the ESXi Shell bypass vCenter RBAC and audit controls. The ESXi shell should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere client.
Solution
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit then select the ESXi Shell service and click options. Change the service to ‘Start and stop manually’ and stop the service and click OK.
or
From a PowerCLI command prompt while connected to the ESXi host run the following commands:
Get-VMHost | Get-VMHostService | Where {$_.Label -eq ‘ESXi Shell’} | Set-VMHostService -Policy Off
Get-VMHost | Get-VMHostService | Where {$_.Label -eq ‘ESXi Shell’} | Stop-VMHostService
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.
References
- 800-53|CM-7a.
- CAT|II
- CCI|CCI-000381
- Group-ID|V-63241
- Rule-ID|SV-77731r1_rule
- STIG-ID|ESXI-06-000036
- Vuln-ID|V-63241