Learn how to manage role profiles, user account profiles, lockdown mode profiles, and active directory permission profiles that are grouped as part of the security host profile. Starting with vSphere 8.0, users with access to the ESXi Shell and the Administrator role can remove or grant ESXi Shell access to user accounts.

You can configure the host profile options, part of the security profile.

Prerequisites

Make sure that you have the SecurityConfigProfile plugin available to validate the role, user account, and active directory permission profiles as there are dependencies between them.

Procedure

  1. In the vSphere Client, select Menu > Policies and Profiles.
  2. Under Policies and Profiles, click Host Profiles.
  3. Select the host profile that you want to edit and click the Configure tab.
  4. Click Edit Host Profile.
  5. Unfold the Security and Services > Security Settings profile category and open the Security folder.
    The following profiles are displayed:
    Role

    This profile allows you to view default roles and add custom roles within the ESXi system.

    User Configuration

    This profile allows you to create and manage user accounts.

    By default, newly created user accounts have access to the ESXi Shell. Starting with vSphere 8.0, administrators can use the advanced option Security.DefaultShellAccess to change this default behavior.

    Here are some of the operations that you can perform for user accounts:

    • Create a user account.
    • Configure the password for a user account.
    • Configure the password for the root user.
    • Activate or deactivate user account ESXi Shell access.
      Note: Do not modify the shell access property for the root user account.
    • Configure the role for any user that is not the default one.
    • Assign a default or a custom role (configure permissions) for a local account.
    • Configure the SSH key for any user.
    Active Directory Permission

    This profile allows you to manage permissions for active directory users or groups. For example, you can create permissions that associate an active directory user or a group with a role.

    When an ESXi host joins the active directory domain, an Admin permission is created for the DOMAIN group ESX Admins. Also, when an active directory user or group is given some permissions on the ESXi host, a corresponding permission is created on that host. The Active Directory Permission profile captures that permission.

    Lockdown Mode

    This profile allows you to increase the security of your ESXi hosts by restricting user permissions and privileges.

    You can configure the following lockdown mode settings:
    • Normal lockdown mode: An ESXi host can be accessed from a local console and vCenter Server. DCUI service is not stopped.
    • Strict lockdown mode: An ESXi host can be only accessed from vCenter Server. The DCUI service is stopped.
    • Exception users: The users that still have their permissions regardless of the lockdown mode state.

    For more information on the security profile, see the vSphere Security documentation.