ESXI-67-000003 - The ESXi host must verify the exception users list for Lockdown Mode.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


In vSphere, users can be added to the Exception Users list from the vSphere Web Client. These users do not lose their permissions when the host enters Lockdown Mode.

Before adding service accounts such as a backup agent to the Exception Users list, verify that the list of users who are exempted from losing permissions is legitimate and as needed per the environment. Users who do not require special permissions should not be exempted from Lockdown Mode.


From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile.

Under 'Lockdown Mode', click 'Edit' and remove unnecessary users from the exceptions list.

See Also

Item Details


References: 800-53|AC-6(5), CAT|III, CCI|CCI-000366, Rule-ID|SV-239260r674709_rule, STIG-ID|ESXI-67-000003, STIG-Legacy|SV-104039, STIG-Legacy|V-93953, Vuln-ID|V-239260

Plugin: VMware

Control ID: 6434e0ab90c8b4b0e10a035ba8da5cf492f90b688ffb0832222081b16149a1a4