Download VMware Certified Professional 6 - Data Center Virtualization.2V0-621.PracticeTest.2018-10-09.153q.vcex

In normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host's Direct Console Interface and exit lockdown mode. Only these accounts can access the Direct Console User Interface: Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.  Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.  Reference:https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008077

Strict Lockdown mode:In strict lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host. Reference:https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008077

root User Privileges By default each ESXi host has a single root user account with the Administrator role. That root user account can be used for local administration and to connect the host to vCenter Server. This common root account can make it easier to break into an ESXi host and make it harder to match actions to a specific administrator. Set a highly complex password for the root account and limit the use of the root account, for example, for use when adding a host to vCenter Server. Do not remove the root account. In vSphere 5.1 and later, only the root user and no other named user with the Administrator role is permitted to add a host to vCenter Server. Best practice is to ensure that any account with the Administrator role on an ESXi host is assigned to a specific user with a named account. Use ESXi Active Directory capabilities, which allow you to manage Active Directory credentials if possible. Reference:https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-55F14938-8A2F-4703-8A60-3516F9C3E312.html

Configure a Host to Use Active Directory You can configure a host to use a directory service such as Active Directory to manage users and groups. When you add an ESXi host to Active Directory the DOMAIN group ESX Admins is assigned full administrative access to the host if it exists. If you do not want to make full administrative access available, see VMware Knowledge Base article 1025569 for a workaround. If a host is provisioned with Auto Deploy, Active Directory credentials cannot be stored on the hosts. You can use the vSphere Authentication Proxy to join the host to an Active Directory domain. Because a trust chain exists between the vSphere Authentication Proxy and the host, the Authentication Proxy can join the host to the Active Directory domain. See Using vSphere Authentication Proxy. Reference:https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-63D22519-38CC-4A9F-AE85-97A53CB0948A.html

Disable Unexposed Features VMware virtual machines are designed to work on both vSphere systems and hosted virtualization platforms such as Workstation and Fusion. Certain VMX parameters do not need to be enabled when you run a virtual machine on a vSphere system. Disable these parameters to reduce the potential for vulnerabilities. Prerequisites Turn off the virtual machine. Procedure   Reference:https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html

Removing Unnecessary Hardware Devices Any enabled or connected device represents a potential attack channel. Users and processes without privileges on a virtual machine can connect or disconnect hardware devices, such as network adapters and CD-ROM drives. Attackers can use this capability to breach virtual machine security. Removing unnecessary hardware devices can help prevent attacks. Use the following guidelines to increase virtual machine security.   Reference:https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-822B2ED3-D8D2-4F57-8335-CA46E915A729.html

Securing Virtual Machines The guest operating system that runs in the virtual machine is subject to the same security risks as a physical system. Secure virtual machines as you would secure physical machines. Subtopics General Virtual Machine Protection Configuring Logging Levels for the Guest Operating System Limiting Exposure of Sensitive Data Copied to the Clipboard Disable Unexposed Features Limiting Guest Operating System Writes to Host Memory Removing Unnecessary Hardware Devices Prevent a Virtual Machine User or Process from Disconnecting Devices Prevent a Virtual Machine User or Process from Disconnecting Devices in the vSphere Web Client Reference:https://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-CF45F448-2036-4BE3-8829-4A9335072349.html

ESXi Passwords By default, ESXi enforces requirements for user passwords. Your user password must meet the following length requirements. Passwords containing characters from one or two character classes must be at least eight characters long. Passwords containing characters from three character classes must be at least seven characters long. Passwords containing characters from all four character classes must be at least six characters long. When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash.The password cannot contain the words root, admin, or administrator in any form. Reference:https://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-DC96FFDB-F5F2-43EC-8C73-05ACDAE6BE43.html

B-)  ESXi Passwords and Account Lockout For ESXi hosts, you have to use a password with predefined requirements. You can change the required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option.ESXi uses the Linux PAM module pam_passwdqc for password management and control. See the manpages for pam_passwdqc for detailed information. ESXi Passwords: ESXi enforces password requirements for direct access from the Direct Console User Interface, the ESXi Shell, SSH, or the vSphere Client. When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash.(link  : https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-DC96FFDB-F5F2-43EC-8C73-05ACDAE6BE43.html)

  Reference:https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-96210743-0C17-4AE9-89FC-76778EC9D06E.html