Exam 2V0-11.25 topic 1 question 22 discussion

Actual exam question from VMware's 2V0-11.25
Question #: 22
Topic #: 1

Following an internal security audit of the new VMware Cloud Foundation (VCF) instance, the following audit finding was documented for priority remediation:
All users from the custom administrators group could access the Direct Console User Interface (DCUI) on all ESXi hosts within the workload domain. RISK=High, IMPACT=High
The company IT security policy around accessing ESXi servers states the following:
Users within the custom administrators group must access ESXi host configurations from within vCenter Server or the vSphere Web Client only.
Only users within the restricted administrators group must be allowed direct access to ESXi hosts.
Which two actions should the administrator perform on each of the hosts within the workload domain to remediate the security finding? (Choose two.)

  • A. Disable SSH and the ESXi Shell.
  • B. Add the custom administrators group to the DCUI.Access advanced system setting.
  • C. Add the restricted administrators group to the DCUI.Access advanced system setting.
  • D. Enable Strict Lockdown Mode.
  • E. Enable Normal Lockdown Mode.
Suggested Answer: CE

Comments

xmtpcs10
1 month, 1 week ago
Selected Answer: CE
E to enable DCUI to Administrators group. C to disable DCUI access to non-Administrators group.
upvoted 3 times
BrianOC
1 month, 3 weeks ago
Selected Answer: CD
A. Disable SSH and ESXi Shell – Helpful but not sufficient. You still need to control DCUI and lockdown behavior.
B. Add the custom administrators group to DCUI.Access – This would violate the security policy. They’re explicitly not supposed to have direct host access.
E. Enable Normal Lockdown Mode – Normal mode allows access via DCUI by any user with local shell permissions, which doesn’t enforce the strict separation your policy requires.
upvoted 2 times
9e7c4f1
1 month, 3 weeks ago
Selected Answer: CE
CE Strict lockdown would shut down DCUI service altogether. Normal allows roles with 'DCUI.Access' permission to use it https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security-8-0/securing-esxi-hosts/customizing-hosts-with-the-security-profile/lockdown-mode.html
upvoted 3 times
xmtpcs10
1 month, 1 week ago
Yes, but it doesn't allow "Only users within the restricted administrators group must be allowed direct access to ESXi hosts", so you need DCUI up and running.
upvoted 1 times
xmtpcs10
1 month, 1 week ago
Sorry, I didn't read that well, you're right.
upvoted 1 times