In lockdown mode, some services are disabled, and some services are accessible only to certain users.
Lockdown Mode Services for Different Users
When the host is running, available services depend on whether lockdown mode is enabled, and on the type of lockdown mode.
- In strict and normal lockdown mode, privileged users can access the host through vCenter Server, either from the vSphere Web Client or by using the vSphere Web Services SDK.
- Direct Console Interface behavior differs for strict lockdown mode and normal lockdown mode.
- In strict lockdown mode, the Direct Console User Interface (DCUI) service is disabled.
- In normal lockdown mode, accounts on the Exception User list can access the DCUI if they have administrator privileges. In addition, all users who are specified in the DCUI.Access advanced system setting can access the DCUI.
- If the ESXi Shell or SSH is enabled and the host is placed in lockdown mode, accounts on the Exception Users list who have administrator privileges can use these services. For all other users, ESXi Shell or SSH access is disabled. Starting with vSphere 6.0, ESXi or SSH sessions for users who do not have administrator privileges are terminated.
All access is logged for both strict and normal lockdown mode.
| Service | Normal Mode | Normal Lockdown Mode | Strict Lockdown Mode |
|---|---|---|---|
| vSphere Web Services API | All users, based on permissions | vCenter (vpxuser) Exception users, based on permissions vCloud Director (vslauser, if available) |
vCenter (vpxuser) Exception users, based on permissions vCloud Director (vslauser, if available) |
| CIM Providers | Users with administrator privileges on the host | vCenter (vpxuser) Exception users, based on permissions. vCloud Director (vslauser, if available) |
vCenter (vpxuser) Exception users, based on permissions. vCloud Director (vslauser, if available) |
| Direct Console UI (DCUI) | Users with administrator privileges on the host, and users in the DCUI.Access advanced option | Users defined in the DCUI.Access advanced option Exception users with administrator privileges on the host |
DCUI service is stopped |
| ESXi Shell (if enabled) |
Users with administrator privileges on the host | Users defined in the DCUI.Access advanced option Exception users with administrator privileges on the host |
Users defined in the DCUI.Access advanced option Exception users with administrator privileges on the host |
| SSH (if enabled) |
Users with administrator privileges on the host | Users defined in the DCUI.Access advanced option Exception users with administrator privileges on the host |
Users defined in the DCUI.Access advanced option Exception users with administrator privileges on the host |
Users Logged in to the ESXi Shell When Lockdown Mode Is Enabled
Users might log in to the ESXi Shell or access the host through SSH before lockdown mode is enabled. In that case, users who are on the list of Exception Users and who have administrator privileges on the host remain logged in. Starting with vSphere 6.0, the session is terminated for all other users. Termination applies to both normal and strict lockdown mode.
