A common root user account has been configured for a group of ESXi 6.x hosts.
Which two steps should be taken to mitigate security risks associated with this configuration? (Choose two.)
A. Remove the root user account from the ESXi host.
B. Set a complex password for the root account and limit its use.
C. Use ESXi Active Directory capabilities to assign users the administrator role.
D. Use Lockdown mode to restrict root account access.
Explanation/Reference:
B and C are correct
https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-55F14938-8A2F-4703-8A60-3516F9C3E312.html
‘D’ would also be correct as it’s a recommended “best practice” in general to restrict access to ESX hosts via vCS, DCUI and, if enabled, SSH and ESX Shell. But since it specifically refers to the root account (which is still going to retain its privileges regardless of whether the lockdown mode is enabled) and the question says the decision to use _common_ user account on a _group_ of ESX hosts has been made, it’s kind of “less” correct than B and C.
I don’t see how C is going to mitigate the issue of having a common root account across multiple servers. Using AD to assign MORE users with the Admin role is not going to help with the root account in any way. I would go with B and D. Lockdown mode would at least avoid remote logins to the server.