4.8 Ensure the Exception Users list is properly configured

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Users who are added to the 'Exception Users' list do not lose their permissions when the host enters lockdown mode. Service accounts, such as a backup agent, are the usual candidates for the Exception Users list.

Rationale:

Users who do not require special permissions should not be exempted from lockdown mode because this increases the risk of unauthorized actions being performed, especially if a user account is compromised.

Impact:

If a user who should be on the exception list is not added to it, they will be unable to perform operations when the host is in lockdown mode.

Solution

To correct the membership of the Exception Users list, perform the following in the vSphere Web Client:

1. Select the host.

2. Click on Configure, then expand System and select Security Profile.

3. Select Edit next to Lockdown Mode.

4. Click on Exception Users.

5. Add or delete users as appropriate.

6. Click OK.
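To review the same membership across many hosts before editing it in the client, the following added example (not part of the benchmark text) uses VMware PowerCLI to compare each host's Exception Users list with an approved list. It assumes an existing `Connect-VIServer` session; the account name in `$ApprovedExceptions` and the helper `Compare-ExceptionUsers` are hypothetical.

```powershell
# Added example: report ESXi hosts whose lockdown Exception Users list
# differs from an approved list. Requires VMware PowerCLI and an active
# Connect-VIServer session.

# Assumption: placeholder name; replace with your approved service accounts,
# written exactly as the host stores them (for example DOMAIN\account).
$ApprovedExceptions = @('svc-backup-PLACEHOLDER')

# Hypothetical helper: returns accounts that are present but not approved,
# and approved accounts that are absent. -notin is case-insensitive.
function Compare-ExceptionUsers {
    param(
        [string[]]$Actual,
        [string[]]$Approved
    )
    $actualSet   = @($Actual   | Where-Object { $_ })
    $approvedSet = @($Approved | Where-Object { $_ })
    [pscustomobject]@{
        Unexpected = @($actualSet   | Where-Object { $_ -notin $approvedSet })
        Missing    = @($approvedSet | Where-Object { $_ -notin $actualSet })
    }
}

foreach ($vmhost in Get-VMHost) {
    # HostAccessManager holds the lockdown mode and the exception list.
    $hostView  = $vmhost | Get-View
    $accessMgr = Get-View $hostView.ConfigManager.HostAccessManager
    $users     = $accessMgr.QueryLockdownExceptions()

    $diff = Compare-ExceptionUsers -Actual $users -Approved $ApprovedExceptions

    [pscustomobject]@{
        Host           = $vmhost.Name
        LockdownMode   = $accessMgr.LockdownMode
        ExceptionUsers = ($users -join ', ')
        Unexpected     = ($diff.Unexpected -join ', ')  # exempt without approval
        Missing        = ($diff.Missing -join ', ')     # would lose access in lockdown
        Compliant      = ($diff.Unexpected.Count -eq 0 -and $diff.Missing.Count -eq 0)
    }
}
```

Hosts reported with `Compliant` set to False are the ones to correct with the steps above.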

See Also

https://workbench.cisecurity.org/files/3473