To increase the security of your ESXi hosts, you can put them in lockdown mode.

In lockdown mode, all operations must be performed through vCenter Server. By default, only the vCenter Server system, represented by the vpxuser user, has authentication permissions. No other users can perform operations against a host in lockdown mode.

vSphere 5.x and later supports normal lockdown mode, as discussed in the vSphere 5.x documentation center. vSphere 6.0 and later supports more fine-grained management.

  • In normal lockdown mode, you can add users to the DCUI.Access advanced option, which can access the Direct Console User Interface regardless of their privileges on the host. Starting with vSphere 6.0, you can also use the vSphere Web Client to add Exception users, which can access the Direct Console User Interface if they have host management privileges.
  • In strict lockdown mode, users cannot access the Direct Console User Interface. If vCenter Server becomes unavailable, the host can no longer be managed.

When a host is in normal or strict lockdown mode, you cannot run vSphere CLI commands against the host directly. Instead, you target the vCenter Server system that manages the host with the --server option and specify the ESXi host with the --vihost option.

When you enable strict lockdown mode, the Direct Console User Interface service is disabled.

You can enable lockdown mode by using the Add Host wizard to add a host to vCenter Server, by using the vSphere Web Client to manage a host, or by using the Direct Console User Interface (DCUI).

See the vSphere Security documentation for details on lockdown mode in vSphere 6.x.