nerdexam
Broadcom-VMware

2V0-622 · Question #18

A common root user account has been configured for a group of ESXi 6.x hosts. Which two steps should be taken to mitigate security risks associated with this configuration? (Choose two.)

The correct answer is B. Set a complex password for the root account and limit its use. C. Use ESXi Active Directory capabilities to assign users the administrator role.. Sharing a root account across multiple ESXi hosts is a security risk best mitigated by enforcing a strong password with minimal use and replacing shared root usage with individual AD-authenticated administrator accounts.

Section 1 – Configure and Administer vSphere 6.5 Security

Question

A common root user account has been configured for a group of ESXi 6.x hosts. Which two steps should be taken to mitigate security risks associated with this configuration? (Choose two.)

Options

  • ARemove the root user account from the ESXi host.
  • BSet a complex password for the root account and limit its use.
  • CUse ESXi Active Directory capabilities to assign users the administrator role.
  • DUse Lockdown mode to restrict root account access.

How the community answered

(46 responses)
  • A
    7% (3)
  • B
    83% (38)
  • D
    11% (5)

Why each option

Sharing a root account across multiple ESXi hosts is a security risk best mitigated by enforcing a strong password with minimal use and replacing shared root usage with individual AD-authenticated administrator accounts.

ARemove the root user account from the ESXi host.

The root account is a built-in system account on ESXi and cannot be removed; VMware does not support deleting the root user from a host.

BSet a complex password for the root account and limit its use.Correct

Setting a complex, unique password for root and limiting its use reduces the blast radius if credentials are compromised and discourages casual shared use that leads to lack of accountability.

CUse ESXi Active Directory capabilities to assign users the administrator role.Correct

Joining ESXi hosts to Active Directory and assigning individual domain users the administrator role eliminates the need to share root credentials, provides per-user audit trails, and follows the principle of least privilege.

DUse Lockdown mode to restrict root account access.

Lockdown Mode restricts all direct host access broadly rather than specifically limiting root account usage, and enabling it could block legitimate administrative workflows without addressing the shared-credential root cause.

Concept tested: ESXi root account security hardening and AD integration

Source: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-A1C4B8C0-2B37-4F7B-9D2E-0F5E4E6D0A4D.html

Topics

#root account security#Active Directory#ESXi hardening#lockdown mode

Community Discussion

No community discussion yet for this question.

Full 2V0-622 Practice