To increase the security of your ESXi hosts, you put them in lockdown mode, so that administrative operations can be performed only from vCenter Server.

About this task

vSphere supports an Exception User list, which is for service accounts that have to log in to the host directly. Accounts with administrator privileges that are on the Exception Users list can log in to the ESXi Shell. In addition, these users can log in to a host's DCUI in normal lockdown mode and can exit lockdown mode.

You repeat this procedure to enable normal lockdown mode for all hosts in the data center. The table below lists all of the hosts.

Table 1. Hosts in the data center

| Host | FQDN |
|------|------|
| Management host 1 | lax01m01esx01.lax01.rainpole.local |
| Management host 2 | lax01m01esx02.lax01.rainpole.local |
| Management host 3 | lax01m01esx03.lax01.rainpole.local |
| Management host 4 | lax01m01esx04.lax01.rainpole.local |
| Shared Edge and Compute host 1 | lax01w01esx01.lax01.rainpole.local |
| Shared Edge and Compute host 2 | lax01w01esx02.lax01.rainpole.local |
| Shared Edge and Compute host 3 | lax01w01esx03.lax01.rainpole.local |
| Shared Edge and Compute host 4 | lax01w01esx04.lax01.rainpole.local |

Procedure

  1. Log in to the Compute vCenter Server by using the vSphere Web Client.
    1. Open a Web browser and go to https://lax01w01vc01.lax01.rainpole.local/vsphere-client.
    2. Log in using the following credentials.

      | Setting | Value |
      |---------|-------|
      | User name | administrator@vsphere.local |
      | Password | vsphere_admin_password |

  2. In the Navigator, click Hosts and Clusters and expand the entire lax01w01vc01.lax01.rainpole.local tree control.
  3. Select the lax01w01esx01.lax01.rainpole.local host.
  4. Click Configure.
  5. Under System, select Security Profile.
  6. In the Lockdown Mode panel, click Edit.
  7. In the Lockdown Mode dialog box, select the Normal radio button, and click OK.
  8. Repeat the procedure to enable normal lockdown mode for all remaining hosts in the data center.
    Note: Lockdown Mode settings are not part of Host Profiles and must be manually enabled on all hosts.
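
Because the setting is applied host by host, it is easy to miss one. The following PowerCLI script is an added example, not part of the original procedure or VMware's own code: it enables normal lockdown mode on the four Shared Edge and Compute hosts from Table 1, then reports each host's resulting mode and its Exception Users list. It assumes VMware PowerCLI is installed and that you connect with an account allowed to change host security settings; for the management hosts, point `$vCenter` and `$hostNames` at the vCenter Server that manages them.

```powershell
# Added example: enable normal lockdown mode and verify it on every host.
$vCenter   = 'lax01w01vc01.lax01.rainpole.local'   # Compute vCenter Server from step 1
$hostNames = 1..4 | ForEach-Object { 'lax01w01esx0{0}.lax01.rainpole.local' -f $_ }

# Prompt for credentials instead of storing the password in the script.
Connect-VIServer -Server $vCenter -Credential (Get-Credential) -ErrorAction Stop | Out-Null

$report = foreach ($name in $hostNames) {
    $vmhost = Get-VMHost -Name $name -ErrorAction Stop

    # HostAccessManager is the vSphere API object that owns the lockdown state.
    $access = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $before = $access.LockdownMode

    # Only raise hosts that are currently unlocked; a host already in
    # strict lockdown mode is left alone rather than downgraded to normal.
    if ($before -eq 'lockdownDisabled') {
        $access.ChangeLockdownMode('lockdownNormal')
        $access.UpdateViewData()   # re-read the mode from the host
    }

    [pscustomobject]@{
        Host           = $name
        Before         = $before
        After          = $access.LockdownMode
        # Accounts listed here keep direct host access while lockdown is on.
        ExceptionUsers = ($access.QueryLockdownExceptions() -join ', ')
    }
}

$report | Format-Table -AutoSize

# Flag any host that is still unlocked after the run.
$notLocked = $report | Where-Object { $_.After -eq 'lockdownDisabled' }
if ($notLocked) {
    Write-Warning "Lockdown mode still disabled on: $($notLocked.Host -join ', ')"
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Review the ExceptionUsers column on each run: any account listed there that is not an expected service account retains direct access to the host while lockdown mode is enabled.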