To increase the security of your ESXi hosts, you enable Lockdown mode to allow administrative operations to be performed only from vCenter Server.

vSphere supports an Exception User list for service accounts that have to log in to the host directly. Accounts with administrative privileges that are on the Exception Users list can log in to the ESXi Shell. In addition, these users can log in to a host's DCUI in normal lockdown mode and can exit lockdown mode.

You repeat this procedure to enable normal lockdown mode for all  hosts in the data center in the following table.
Table 1. Hosts in the Data Center
Host FQDN
Management host 1 lax01m01esx01.lax01.rainpole.local
Management host 2 lax01m01esx02.lax01.rainpole.local
Management host 3 lax01m01esx03.lax01.rainpole.local
Management host 4 lax01m01esx04.lax01.rainpole.local
Shared Edge and Compute host 1 lax01w01esx01.lax01.rainpole.local
Shared Edge and Compute host 2 lax01w01esx02.lax01.rainpole.local
Shared Edge and Compute host 3 lax01w01esx03.lax01.rainpole.local
Shared Edge and Compute host 4 lax01w01esx04.lax01.rainpole.local

Procedure

  1. Log in to the Compute vCenter Server by using the vSphere Web Client.
    1. Open a Web browser and go to https://lax01w01vc01.lax01.rainpole.local/vsphere-client.
    2. Log in using the following credentials.
      Setting Value
      User name administrator@vsphere.local
      Password vsphere_admin_password
  2. In the Navigator, click Hosts and Clusters and expand the entire lax01w01vc01.lax01.rainpole.local tree.
  3. Select the lax01w01esx01.lax01.rainpole.local host.
  4. Click Configure.
  5. Under System, select Security Profile.
  6. In the Lockdown Mode panel, click Edit.
  7. In the Lockdown Mode dialog box, select the Normal radio button, and click OK.  
  8. Repeat the procedure to enable normal lockdown mode for all remaining hosts in the data center.
    Note: Lockdown Mode settings are not part of Host Profiles and must be manually enabled on all hosts.