ESXi: esxi-8.account-dcui

Information

The ESXi host must deny shell access for the dcui account. The dcui user is used for process isolation for the DCUI itself. The account has shell access which can be deactivated to reduce attack surface.

Solution

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.account.set.CreateArgs()
$arguments.id = "dcui"
$arguments.shellaccess = "false"
$ESXcli.system.account.set.Invoke($arguments)

See Also

https://github.com/vmware/vcf-security-and-compliance-guidelines/raw/refs/heads/main/security-configuration-hardening-guide/vsphere/8.0/