5.10 Ensure DCUI has a trusted users list for lockdown mode

Information

Lockdown mode disables direct host access, requiring admins to manage hosts from vCenter. Set DCUI.Access to a list of highly trusted users who would be able to override lockdown mode and access the DCUI in the event an ESXi host became isolated from vCenter.

NOTE: If you disable lockdown mode using the DCUI, all users with the DCUI.Access privilege will be granted the Administrator role on the host.

Rationale:

The list prevents all admins from becoming locked out and no longer being able to manage the host.

Solution

To set a trusted users list for DCUI, perform the following from the vSphere Web Client:

From the vSphere Web Client, select the host.

Click Configure then expand System.

Select Advanced System Settings then click Edit.

Enter DCUI.Access in the filter.

Set the DCUI.Access attribute to a comma-separated list of the users who are allowed to override lockdown mode.
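
To check the resulting value across hosts, the setting can be compared against an approved list. The PowerShell below is an added example, not part of the benchmark text; the function name Compare-DcuiAccess, the account names and the host names are hypothetical, and the sample values are constructed.

```powershell
# Added example: audit DCUI.Access values against an approved list.
# Account names below are hypothetical placeholders.
$Approved = @('root', 'dcui-breakglass')

function Compare-DcuiAccess {
    param(
        [string]$HostName,
        [string]$Value,
        [string[]]$Approved
    )
    # DCUI.Access is a comma-separated string: split, trim, drop empty entries.
    $actual = @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # Exact, case-sensitive comparison (a choice made for this example).
    $unexpected = @($actual   | Where-Object { $_ -cnotin $Approved })
    $missing    = @($Approved | Where-Object { $_ -cnotin $actual })
    [pscustomobject]@{
        HostName   = $HostName
        Configured = $actual -join ','
        Unexpected = $unexpected -join ','
        Missing    = $missing -join ','
        # An empty list, an extra account or a missing account all fail the check.
        Compliant  = ($actual.Count -gt 0 -and
                      $unexpected.Count -eq 0 -and
                      $missing.Count -eq 0)
    }
}

# Constructed sample values standing in for what each host would report.
$sample = @(
    @{ Name = 'esx01.example.test'; Value = 'root,dcui-breakglass' }
    @{ Name = 'esx02.example.test'; Value = 'root, dcui-breakglass, jdoe' }
    @{ Name = 'esx03.example.test'; Value = '' }
)
$sample | ForEach-Object {
    Compare-DcuiAccess -HostName $_.Name -Value $_.Value -Approved $Approved
} | Format-Table -AutoSize

# Against live hosts (requires VMware PowerCLI and an existing Connect-VIServer session):
# Get-VMHost | ForEach-Object {
#     $v = (Get-AdvancedSetting -Entity $_ -Name 'DCUI.Access').Value
#     Compare-DcuiAccess -HostName $_.Name -Value $v -Approved $Approved
# }
```

With the sample data, only esx01 is reported as compliant: esx02 lists an account outside the approved set, and esx03 has an empty list.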

See Also

https://workbench.cisecurity.org/files/3473