VMware Cloud Foundation 5.x Administrator (2025) — Question 23

Following an internal security audit of the new VMware Cloud Foundation (VCF) instance, the following audit finding was documented for priority remediation:
All users from the custom administrators group could access the Direct Console User Interface (DCUI) on all ESXi hosts within the workload domain. RISK=High, IMPACT=High
The company IT security policy around accessing ESXi servers states the following:
Users within the custom administrators group must access ESXi host configurations from within vCenter Server or the vSphere Web Client only.
Only users within the restricted administrators group must be allowed direct access to ESXi hosts.
Which two actions should the administrator perform on each of the hosts within the workload domain to remediate the security finding? (Choose two.)

Answer options

• A. Disable SSH and the ESXi Shell.
• B. Add the custom administrators group to the DCUI.Access advanced system setting.
• C. Add the restricted administrators group to the DCUI.Access advanced system setting.
• D. Enable Strict Lockdown Mode.
• E. Enable Normal Lockdown Mode.

Correct answer: C, E

Explanation

The correct actions are C and E. Adding the restricted administrators group to the DCUI.Access setting ensures that only these users can access the DCUI, which aligns with the security policy. Enabling Normal Lockdown Mode restricts direct access to the ESXi hosts, preventing the custom administrators group from making unauthorized changes, while the other options either allow access or do not align with the required security measures.