To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, operations must be performed through vCenter Server by default.
Normal Lockdown Mode and Strict Lockdown Mode
With vSphere 6.0 and later, you can select normal lockdown mode or strict lockdown mode.
- Normal Lockdown Mode
  In normal lockdown mode, the DCUI service remains active. If the connection to the vCenter Server system is lost, and access through the vSphere Client is unavailable, privileged accounts can log in to the ESXi host's Direct Console User Interface and exit lockdown mode. Only the following accounts can access the Direct Console User Interface:
  - Accounts in the Exception Users list for lockdown mode that have administrative privileges on the host. The Exception Users list is meant for service accounts that perform specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.
  - Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console User Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
- Strict Lockdown Mode
  In strict lockdown mode, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Client is no longer available, the ESXi host becomes unavailable, unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you must reinstall the host.
Lockdown Mode and the ESXi Shell and SSH Services
Strict lockdown mode stops the DCUI service. However, the ESXi Shell and SSH services are independent of lockdown mode. For lockdown mode to be an effective security measure, ensure that ESXi Shell and SSH services are also deactivated. These services are deactivated by default.
When a host is in lockdown mode, users on the Exception Users list can access the host from the ESXi Shell and through SSH if they have the Administrator role on the host. This access is possible even in strict lockdown mode. Leaving the ESXi Shell service and the SSH service deactivated is the most secure option.
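The following PowerCLI script is an added example and is not part of the VMware documentation. It reports, for every host in the inventory, the lockdown mode, the Exception Users list, the DCUI.Access setting, and whether the ESXi Shell (service key TSM) and SSH (service key TSM-SSH) services are running, so that an administrator can verify the combination this section describes: lockdown mode enabled with both services deactivated. It assumes an existing Connect-VIServer session to vCenter Server and the VMware.PowerCLI module; the vCenter address in the commented-out usage line is a placeholder.

```powershell
# Added example (not VMware's own code): audit ESXi lockdown posture with PowerCLI.
# Assumes an existing Connect-VIServer session. Property and method names
# (HostAccessManager.LockdownMode, QueryLockdownExceptions, HostService.Key)
# are the vSphere API names as exposed through PowerCLI views.
function Get-LockdownPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VMHost
    )
    process {
        # HostAccessManager holds the lockdown mode and the Exception Users list.
        $access = Get-View -Id $VMHost.ExtensionData.ConfigManager.HostAccessManager

        # ESXi Shell and SSH are independent of lockdown mode, so check them separately.
        $services = Get-VMHostService -VMHost $VMHost
        $shell = $services | Where-Object { $_.Key -eq 'TSM' }      # ESXi Shell
        $ssh   = $services | Where-Object { $_.Key -eq 'TSM-SSH' }  # SSH

        # Emergency DCUI access list (defaults to root on a fresh install).
        $dcuiAccess = (Get-AdvancedSetting -Entity $VMHost -Name 'DCUI.Access').Value
        $exceptions = @($access.QueryLockdownExceptions())

        # Evaluate the posture the documentation recommends: lockdown on, shell and SSH off.
        $finding = if ($access.LockdownMode -eq 'lockdownDisabled') {
            'Lockdown mode is not enabled'
        } elseif ($shell.Running -or $ssh.Running) {
            'Lockdown mode is enabled but ESXi Shell or SSH is running; Exception Users with the Administrator role can still log in'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Host             = $VMHost.Name
            LockdownMode     = $access.LockdownMode   # lockdownDisabled / lockdownNormal / lockdownStrict
            ExceptionUsers   = $exceptions -join ', '
            DcuiAccess       = $dcuiAccess
            EsxiShellRunning = [bool]$shell.Running
            SshRunning       = [bool]$ssh.Running
            Finding          = $finding
        }
    }
}

# Usage: connect first, then audit every host managed by that vCenter Server.
# Connect-VIServer -Server vcenter.example.com   # placeholder address
Get-VMHost | Get-LockdownPosture | Format-Table -AutoSize
```

Because the ESXi Shell and SSH services are reported alongside the lockdown mode, a host that shows lockdownStrict with either service running stands out immediately; the Exception Users column lets you confirm that only service accounts, not ESXi administrators, are on the list.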
Put an ESXi Host in Normal Lockdown Mode by Using the VMware Host Client
You can use the VMware Host Client to enter normal lockdown mode.
Procedure
Put an ESXi Host in Strict Lockdown Mode by Using the VMware Host Client
You can use the VMware Host Client to enter strict lockdown mode.
Procedure
Exit Lockdown Mode by Using the VMware Host Client
If you have entered normal or strict lockdown mode on an ESXi host, you can exit lockdown by using the VMware Host Client.
Procedure
- Right-click Host in the VMware Host Client inventory, select Lockdown mode from the drop-down menu, and select Exit lockdown.
Specify Lockdown Mode Exception Users in the VMware Host Client
With vSphere 6.0 and later, you can add users to the Exception Users list by using the VMware Host Client. These users do not lose their permissions when the host enters lockdown mode. You can add service accounts, such as a backup agent, to the Exception Users list.
Procedure
- Click Manage in the VMware Host Client inventory and click Security & Users.
- Click Lockdown mode.
- Click Add user exception, enter the name of the user, and click Add exception.
- (Optional) Select a name from the exception users list, click Remove user exception, and click Confirm.