Information
The ESXi shell is an interactive command line environment available from the Direct Console User Interface (DCUI) or remotely via SSH. The ESXi shell should only be enabled on a host when running diagnostics or troubleshooting.
Rationale:
Activities performed from the ESXi shell bypass vCenter RBAC and audit controls, so the ESXi shell should only be enabled when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere web client or vCLI/PowerCLI.
Solution
To disable the ESXi shell, perform the following:
1. From the vSphere web client, select the host.
2. Select 'Configure' -> 'System' -> 'Security Profile'.
3. Scroll down to 'Services'.
4. Click 'Edit...'.
5. Select 'ESXi Shell'.
6. Click 'Stop'.
7. Change the Startup Policy to 'Start and Stop Manually'.
8. Click 'OK'.
Alternately, use the following PowerCLI command:
# Set the ESXi shell to start manually rather than automatically for all hosts
Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq 'TSM' } | Set-VMHostService -Policy Off
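
An added example (not part of the original benchmark text): a PowerCLI check that reports whether the ESXi Shell service is both stopped and set to 'Start and Stop Manually', plus a remediation that also stops a running service, which the one-line command above does not do. The function names and sample hosts are hypothetical, and the live calls assume an existing Connect-VIServer session.

```powershell
# Added example: audit and remediate the ESXi Shell (service key 'TSM').
# Assumes VMware PowerCLI is installed; live calls need Connect-VIServer first.

function Test-EsxiShellService {
    # Emits one finding per ESXi Shell service object. Works on any object
    # exposing Key, Running and Policy, so it can be tried without a live host.
    param([Parameter(ValueFromPipeline)] $Service)
    process {
        if ($Service.Key -ne 'TSM') { return }
        [pscustomobject]@{
            VMHost    = "$($Service.VMHost)"
            Running   = [bool]$Service.Running
            Policy    = "$($Service.Policy)"
            # Compliant only when stopped AND policy is 'off' (Start and Stop Manually)
            Compliant = (-not $Service.Running) -and ($Service.Policy -eq 'off')
        }
    }
}

function Disable-EsxiShell {
    # Stops the service if it is running, then sets the startup policy to Off.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $VMHost)
    process {
        $svc = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'TSM' }
        if (-not $svc) { return }
        if ($PSCmdlet.ShouldProcess("$VMHost", 'Stop ESXi Shell and set policy Off')) {
            if ($svc.Running) { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
            Set-VMHostService -HostService $svc -Policy Off | Out-Null
        }
        # Re-read the service state so the result reflects what the host reports
        Get-VMHostService -VMHost $VMHost | Test-EsxiShellService
    }
}

# Constructed sample objects (not real hosts) to show the check's output offline
$sample = @(
    [pscustomobject]@{ VMHost = 'esx01.example'; Key = 'TSM';     Running = $true;  Policy = 'on'  }
    [pscustomobject]@{ VMHost = 'esx02.example'; Key = 'TSM';     Running = $false; Policy = 'off' }
    [pscustomobject]@{ VMHost = 'esx02.example'; Key = 'TSM-SSH'; Running = $true;  Policy = 'on'  }
)
$sample | Test-EsxiShellService | Format-Table -AutoSize

# Against a live connection (uncomment after Connect-VIServer):
# Get-VMHost | Get-VMHostService | Test-EsxiShellService | Where-Object { -not $_.Compliant }
# Get-VMHost | Disable-EsxiShell -WhatIf
```

Run the remediation with -WhatIf first to list the hosts that would change before applying it.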