Information
Deactivating shell access for the vpxuser account enhances security by enforcing an "API only" stance for predefined non-root ESXi users such as vpxuser and dcui.
This control reduces the attack surface by limiting the avenues through which system configurations can be altered, aligning with modern least privilege principles and ensuring that privileged authentication through vCenter Server remains tightly controlled.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Impact:
Deactivating shell access prevents users from granting shell access to others or changing passwords of users who have shell access, necessitating host-by-host reconfiguration through an authorized account if changes are required. This could potentially impact third-party workflows and necessitates the retention of at least one fully privileged user for necessary configurations.