Because all one-hundred of these questions will come up, often, here is a link to VMware’s VIOPS Top 100 Security Questions.
25. How do you ensure that only certain administrators can connect to the ESX Service Console?
(Dan Eason)
Implementing TCP Wrappers ensures only certain IP address or Subnets can connect to the SSHD and XINETD daemons
26. How do you remove SSH access to the Service Console for Root?
(Dan Eason)
Root is disabled by default on ESX, creation of a standard user and usage of SUDO will ensure that any access is logged by the username which is created and given elevated rights. ESX will extensively log and record any actions that the delegated username performs.
27. Can a SUDO user drop themselves into a Root shell to gain complete access?
(Dan Eason)
If the /etc/sudoers file is configured with commands that they are priviledged to run this will limit them to a subset of commands i.e. ESXCFG Commands.
A bit more on this can be found in a post by Edward L. Haletky on searchvmware.com
Light reading for this week. Stay safe out there.