ESXI-06-000003 - The system must verify the exception users list for lockdown mode.


In vSphere 6.0 and later, you can add users to the Exception Users list from the vSphere Web Client. These users do not lose their permissions when the host enters lockdown mode. Usually you may want to add service accounts such as a backup agent to the Exception Users list. Verify that the list of users who are exempted from losing permissions is legitimate and as needed per your environment. Users who do not require special permissions should not be exempted from lockdown mode.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


From the vSphere Web Client select the ESXi Host and go to Manage >> Settings >> Security Profile. Under lockdown mode click Edit and remove unnecessary users to the exceptions list.

See Also

Item Details


References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Group-ID|V-63175, Rule-ID|SV-77665r1_rule, STIG-ID|ESXI-06-000003, Vuln-ID|V-63175

Plugin: VMware

Control ID: 3625952f509f36c6db8f72ae238cfd63bf2908a459e8ee70558f983e51236557