To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, operations must be performed through vCenter Server by default.
You can select normal lockdown mode or strict lockdown mode, which offer different degrees of lockdown. You can also use the Exception User list. Exception users do not lose their privileges when the host enters lockdown mode. Use the Exception User list to add the accounts of third-party solutions and external applications that need to access the host directly when the host is in lockdown mode.
Lockdown Mode Behavior
In lockdown mode, some services are deactivated, and some services are accessible only to certain users.
Lockdown Mode Services Available for Different Users
When the host is running, available services depend on whether lockdown mode is activated, and on the type of lockdown mode.
- In strict and normal lockdown mode, privileged users can access the host through vCenter Server, from the vSphere Client, or by using the vSphere Web Services SDK.
- Direct Console Interface behavior differs for strict lockdown mode and normal lockdown mode.
- In strict lockdown mode, the Direct Console User Interface (DCUI) service is deactivated.
- In normal lockdown mode, accounts on the Exception User list can access the DCUI if they have administrator privileges. In addition, all users who are specified in the DCUI.Access advanced system setting can access the DCUI.
- If the ESXi Shell or SSH is activated and the host is placed in lockdown mode, accounts on the Exception Users list who have administrator privileges, and users specified in the DCUI.Access advanced system setting, can use these services. For all other users, ESXi Shell or SSH access is deactivated, and their existing ESXi Shell or SSH sessions are closed.
All access is logged for both strict and normal lockdown mode.
Service | Normal Mode | Normal Lockdown Mode | Strict Lockdown Mode |
---|---|---|---|
vSphere Web Services API | All users, based on permissions | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) |
CIM Providers | Users with administrator privileges on the host | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) |
Direct Console UI (DCUI) | Users with administrator privileges on the host, and users in the DCUI.Access advanced system setting | Users defined in the DCUI.Access advanced system setting; Exception users with administrator privileges on the host | DCUI service is stopped |
ESXi Shell (if activated) and SSH (if activated) | Users with administrator privileges on the host | Users defined in the DCUI.Access advanced system setting; Exception users with administrator privileges on the host | Users defined in the DCUI.Access advanced system setting; Exception users with administrator privileges on the host |
Lockdown Mode Behavior for Users Logged In to the ESXi Shell When Lockdown Mode Is Activated
Users might log in to the ESXi Shell or access the host through SSH before lockdown mode is activated. In that case, users who are on the list of Exception Users and who have administrator privileges on the host remain logged in. The session is closed for all other users. Termination applies to both normal and strict lockdown mode.
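The table above can be turned into a per-host check. The following PowerCLI function is an added example, not part of the VMware documentation. It assumes an open Connect-VIServer session to the vCenter Server that manages the host; the host name esx01.example.com in the usage line is hypothetical. It reads the lockdown mode, the DCUI.Access setting, the Exception Users list, the host-local access control entries and the state of the TSM (ESXi Shell) and TSM-SSH services, then derives from the table which accounts still have a direct path to the host and flags the combinations a reviewer would want to see.

```powershell
# Added example, not from the VMware documentation. Requires VMware PowerCLI and an
# existing Connect-VIServer session to vCenter Server.
function Get-EsxiLockdownReport {
    param([Parameter(Mandatory)][string]$HostName)

    $vmhost = Get-VMHost -Name $HostName
    $ham    = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

    # lockdownDisabled | lockdownNormal | lockdownStrict
    $mode = [string]$ham.LockdownMode

    # DCUI.Access is a comma-separated string of local ESXi user names.
    $dcuiAccess = @((Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value -split ',' |
                    ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Host-local ACL: who holds the Administrator role on the host, and which exception
    # users do. Only admin exception users can use the DCUI (normal mode) and shell/SSH.
    $acl        = @($ham.RetrieveHostAccessControlEntries())
    $hostAdmins = @($acl | Where-Object { "$($_.AccessMode)" -eq 'accessAdmin' } | ForEach-Object { $_.Principal })
    $exceptions = @($ham.QueryLockdownExceptions())
    $adminExceptions = @($exceptions | Where-Object {
        $user = $_
        $acl | Where-Object { $_.Principal -eq $user -and -not $_.Group -and "$($_.AccessMode)" -eq 'accessAdmin' }
    })

    $services = Get-VMHostService -VMHost $vmhost
    $shellOn  = [bool]($services | Where-Object { $_.Key -eq 'TSM' }).Running
    $sshOn    = [bool]($services | Where-Object { $_.Key -eq 'TSM-SSH' }).Running

    # Direct-access paths per mode, as in the behaviour table.
    $dcuiUsers  = @()
    $shellUsers = @()
    switch ($mode) {
        'lockdownDisabled' { $dcuiUsers = $hostAdmins + $dcuiAccess;      $shellUsers = $hostAdmins }
        'lockdownNormal'   { $dcuiUsers = $dcuiAccess + $adminExceptions; $shellUsers = $dcuiAccess + $adminExceptions }
        'lockdownStrict'   { $dcuiUsers = @();                            $shellUsers = $dcuiAccess + $adminExceptions }
    }
    if (-not ($shellOn -or $sshOn)) { $shellUsers = @() }   # services off: no shell path at all

    $findings = @()
    if ($mode -eq 'lockdownStrict' -and -not ($shellOn -or $sshOn)) {
        $findings += 'Strict lockdown with ESXi Shell and SSH off: no direct access if vCenter Server is unavailable.'
    }
    if ($mode -ne 'lockdownDisabled' -and ($shellOn -or $sshOn)) {
        $findings += 'ESXi Shell or SSH is running while the host is in lockdown mode.'
    }
    if ($dcuiAccess -contains 'root') {
        $findings += 'DCUI.Access contains root; prefer a named break-glass account for auditability.'
    }
    foreach ($u in ($exceptions | Where-Object { $adminExceptions -notcontains $_ })) {
        $findings += "Exception user '$u' has no Administrator role on the host and cannot use the DCUI or shell in lockdown."
    }

    [pscustomobject]@{
        Host             = $HostName
        LockdownMode     = $mode
        DcuiAccess       = $dcuiAccess -join ','
        ExceptionUsers   = $exceptions -join ','
        EsxiShellRunning = $shellOn
        SshRunning       = $sshOn
        DcuiLogin        = ($dcuiUsers  | Select-Object -Unique) -join ','
        ShellSshLogin    = ($shellUsers | Select-Object -Unique) -join ','
        Findings         = $findings
    }
}

# Usage (hypothetical host name):
Get-EsxiLockdownReport -HostName 'esx01.example.com' | Format-List
```

Run it against every host in a cluster (pipe Get-Cluster | Get-VMHost into it by name) to spot hosts that drifted out of lockdown mode or that carry a stale service account on the Exception Users list.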
How Can You Deactivate Lockdown Mode
- From the vSphere Client
- Users can deactivate both normal lockdown mode and strict lockdown mode from the vSphere Client. See Deactivate Lockdown Mode from the vSphere Client.
- From the Direct Console User Interface
- Users who can access the Direct Console User Interface on the ESXi host can deactivate normal lockdown mode. In strict lockdown mode, the Direct Console Interface service is stopped. See Activate or Deactivate Normal Lockdown Mode from the Direct Console User Interface.
Activate Lockdown Mode from the vSphere Client
Select lockdown mode to require that all host configuration changes go through vCenter Server. vSphere supports normal lockdown mode and strict lockdown mode.
If you want to disallow all direct access to a host completely, you can select strict lockdown mode. Strict lockdown mode makes it impossible to access a host if the vCenter Server is unavailable and SSH and the ESXi Shell are deactivated. See Lockdown Mode Behavior.
Procedure
- Browse to the host in the vSphere Client inventory.
- Click Configure.
- Under System, select Security Profile.
- In the Lockdown Mode panel, click Edit.
- Click Lockdown Mode and select one of the lockdown mode options.
Option | Description |
---|---|
Normal | The host can be accessed through vCenter Server. Only users who are on the Exception Users list and have administrator privileges, and users specified in the DCUI.Access advanced system setting, can log in to the Direct Console User Interface. If SSH or the ESXi Shell is activated, access might be possible. |
Strict | The host can only be accessed through vCenter Server. If SSH or the ESXi Shell is activated, running sessions for accounts in the DCUI.Access advanced system setting and for Exception User accounts that have administrator privileges remain enabled. All other sessions are closed. |
- Click OK.
Deactivate Lockdown Mode from the vSphere Client
Deactivate lockdown mode to allow configuration changes from direct connections to the ESXi host. Leaving lockdown mode activated results in a more secure environment.
Users can deactivate both normal lockdown mode and strict lockdown mode from the vSphere Client.
Procedure
- Browse to a host in the vSphere Client inventory.
- Click Configure.
- Under System, select Security Profile.
- In the Lockdown Mode panel, click Edit.
- Click Lockdown Mode and select Disabled to deactivate lockdown mode.
- Click OK.
Results
The system exits lockdown mode, vCenter Server displays an alarm, and an entry is added to the audit log.
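Both procedures above, activating and deactivating lockdown mode, map to a single API call, HostAccessManager.ChangeLockdownMode. The following PowerCLI function is an added example, not from the VMware documentation; it assumes a Connect-VIServer session to vCenter Server, and the host name esx01.example.com is hypothetical. It adds the pre-flight checks the page's warnings imply: before strict mode it verifies that some direct path would remain (DCUI stops, so with SSH and the ESXi Shell off the host is unreachable without vCenter Server) and otherwise requires -Force; before normal mode it verifies that at least one DCUI.Access user or exception user exists, so lockdown mode can still be left from the DCUI if vCenter Server fails. Deactivating needs no pre-flight.

```powershell
# Added example, not from the VMware documentation. Requires VMware PowerCLI and an
# existing Connect-VIServer session to vCenter Server.
function Set-EsxiLockdownMode {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)]
        [ValidateSet('lockdownDisabled', 'lockdownNormal', 'lockdownStrict')]
        [string]$Mode,
        # Required to enter strict mode when no SSH/ESXi Shell path would remain.
        [switch]$Force
    )

    $vmhost = Get-VMHost -Name $HostName
    $ham    = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $before = [string]$ham.LockdownMode
    if ($before -eq $Mode) {
        Write-Verbose "$HostName is already in $Mode"
        return $before
    }

    if ($Mode -ne 'lockdownDisabled') {
        $dcuiAccess = @((Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value -split ',' |
                        ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $exceptions = @($ham.QueryLockdownExceptions())
        $directPath = Get-VMHostService -VMHost $vmhost |
                      Where-Object { $_.Key -in 'TSM', 'TSM-SSH' -and $_.Running }

        if ($Mode -eq 'lockdownNormal' -and ($dcuiAccess.Count + $exceptions.Count) -eq 0) {
            throw "Refusing normal lockdown on ${HostName}: no DCUI.Access user and no exception user, so nobody could exit lockdown mode from the DCUI if vCenter Server is unavailable."
        }
        if ($Mode -eq 'lockdownStrict' -and -not $directPath -and -not $Force) {
            throw "Refusing strict lockdown on ${HostName}: the DCUI service will stop and neither SSH nor the ESXi Shell is running, so the host is unreachable if vCenter Server is unavailable. Use -Force to accept that."
        }
    }

    $ham.ChangeLockdownMode([VMware.Vim.HostLockdownMode]$Mode)
    $ham.UpdateViewData('LockdownMode')   # refresh the cached property before verifying
    $after = [string]$ham.LockdownMode
    if ($after -ne $Mode) { throw "Lockdown mode on $HostName is $after, expected $Mode" }
    return $after
}

# Usage (hypothetical host name): enter normal lockdown, later leave it again.
Set-EsxiLockdownMode -HostName 'esx01.example.com' -Mode lockdownNormal
Set-EsxiLockdownMode -HostName 'esx01.example.com' -Mode lockdownDisabled
```

Leaving lockdown mode this way has the same effect as the vSphere Client procedure: vCenter Server raises the alarm and writes the audit log entry described in Results, so a scheduled job that calls this function should expect those to fire.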
Activate or Deactivate Normal Lockdown Mode from the Direct Console User Interface
You can activate and deactivate normal lockdown mode from the Direct Console User Interface (DCUI). You can activate and deactivate strict lockdown mode only from the vSphere Client.
When the host is in normal lockdown mode, the following accounts can access the Direct Console User Interface:
- Accounts in the Exception Users list who have administrator privileges on the host. The Exception Users list is meant for service accounts such as a backup agent.
- Users defined in the DCUI.Access advanced option for the host. This option can be used to activate access in a catastrophic failure.
User permissions are preserved when you activate lockdown mode. User permissions are restored when you deactivate lockdown mode from the Direct Console Interface.
Note: If you upgrade a host that is in lockdown mode without exiting lockdown mode first, and exit lockdown mode only after the upgrade, the permissions defined before the host entered lockdown mode are lost. The system then assigns the administrator role to all users in the DCUI.Access advanced option to guarantee that the host remains accessible.
To retain permissions, deactivate lockdown mode for the host from the vSphere Client before the upgrade.
Procedure
- At the Direct Console User Interface of the host, press F2 and log in.
- Scroll to the Configure Lockdown Mode setting and press Enter to toggle the current setting.
- Press Esc until you return to the main menu of the Direct Console User Interface.
Specifying Accounts with Access Privileges in Lockdown Mode
You can specify service accounts that can access the ESXi host directly by adding them to the Exception Users list. You can specify a single user who can access the ESXi host in a catastrophic vCenter Server failure.
What Can Accounts Do When vSphere Is in Lockdown Mode
- In vSphere 5.0 and earlier, only the root user can log in to the Direct Console User Interface on an ESXi host that is in lockdown mode.
- In vSphere 5.1 and later, you can add a user to the DCUI.Access advanced system setting for each host. The setting is meant for a catastrophic failure of vCenter Server. Companies usually lock the password for the user with this access into a safe. A user in the DCUI.Access list does not need to have full administrative privileges on the host.
- In vSphere 6.0 and later, the DCUI.Access advanced system setting is still supported. In addition, vSphere 6.0 and later supports an Exception User list, which is for service accounts that have to log in to the host directly. Accounts with administrator privileges that are on the Exception Users list can log in to the ESXi Shell. In addition, those users can log in to a host's DCUI in normal lockdown mode and can exit lockdown mode. You specify Exception Users from the vSphere Client.
Note: Exception users are host local users or Active Directory users with privileges defined locally for the ESXi host. Users that are members of an Active Directory group lose their permissions when the host is in lockdown mode.
Add Users to the DCUI.Access Advanced System Setting
If there is a catastrophic failure, the DCUI.Access advanced system setting allows you to exit lockdown mode when you cannot access the host from vCenter Server. You add users to the list by editing the Advanced Settings for the host from the vSphere Client.
- Browse to the host in the vSphere Client inventory.
- Click Configure.
- Under System, click Advanced System Settings, and click Edit.
- Filter for DCUI.
- In the DCUI.Access text box, enter the local ESXi user names, separated by commas.
Note: You cannot enter Active Directory users. Only local ESXi users are supported.
By default, the root user is included. Consider removing the root user from the DCUI.Access list, and specifying a named account for better auditability.
- Click OK.
Specify Lockdown Mode Exception Users
You can add users to the Exception Users list from the vSphere Client. These users do not lose their permissions when the host enters lockdown mode.
Exception users are host local users or Active Directory users with privileges defined locally for the ESXi host. Active Directory groups and vCenter Server users cannot be exception users. These users are allowed to perform operations on the host based on their privileges. That means, for example, that a read-only user cannot deactivate lockdown mode on a host.
- Browse to the host in the vSphere Client inventory.
- Click Configure.
- Under System, select Security Profile.
- In the Lockdown Mode panel, click Edit.
- Click Exception Users and click the Add User icon to add exception users.
- Click OK.
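The two procedures Add Users to the DCUI.Access Advanced System Setting and Specify Lockdown Mode Exception Users, combined in one PowerCLI function. This is an added example, not from the VMware documentation; it assumes a Connect-VIServer session to vCenter Server, and the host name esx01.example.com and the account names breakglass and svc-backup in the usage line are hypothetical. It enforces the page's constraints in code: DCUI.Access takes local ESXi user names only, written as a comma-separated string, and the Exception Users list is replaced as a whole through UpdateLockdownExceptions, so the caller passes the complete desired set rather than one account to append. It then warns about exception users that do not hold the Administrator role on the host, because those cannot use the DCUI or shell in lockdown mode.

```powershell
# Added example, not from the VMware documentation. Requires VMware PowerCLI and an
# existing Connect-VIServer session to vCenter Server.
function Set-EsxiLockdownAccess {
    param(
        [Parameter(Mandatory)][string]$HostName,
        # Local ESXi users allowed to use the DCUI in normal lockdown mode (break-glass).
        [string[]]$DcuiAccessUsers = @(),
        # Full desired Exception Users list (service accounts that log in to the host directly).
        [string[]]$ExceptionUsers = @()
    )

    $vmhost = Get-VMHost -Name $HostName
    $ham    = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

    # DCUI.Access accepts local ESXi users only; reject anything that looks like a
    # domain account ("DOMAIN\user" or "user@domain") before it is written.
    foreach ($u in $DcuiAccessUsers) {
        if ($u -match '[\\@]') { throw "DCUI.Access accepts local ESXi users only, not '$u'" }
    }
    $setting = Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access'
    $desired = ($DcuiAccessUsers | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique) -join ','
    if ($setting.Value -ne $desired) {
        Set-AdvancedSetting -AdvancedSetting $setting -Value $desired -Confirm:$false | Out-Null
    }

    # UpdateLockdownExceptions replaces the whole list, so only call it when the set changes.
    $current = @($ham.QueryLockdownExceptions())
    $wanted  = @($ExceptionUsers | Select-Object -Unique)
    if ((($current | Sort-Object) -join ',') -ne (($wanted | Sort-Object) -join ',')) {
        $ham.UpdateLockdownExceptions([string[]]$wanted)
    }

    # Exception users keep only the rights they already hold on the host; warn about any
    # without the Administrator role, since those cannot use the DCUI or shell in lockdown.
    $acl = @($ham.RetrieveHostAccessControlEntries())
    foreach ($u in $wanted) {
        $entry = $acl | Where-Object { $_.Principal -eq $u -and -not $_.Group } | Select-Object -First 1
        if (-not $entry -or "$($entry.AccessMode)" -ne 'accessAdmin') {
            Write-Warning "Exception user '$u' does not hold the Administrator role on $HostName"
        }
    }

    # Read back what the host now holds, so the caller can verify rather than trust.
    [pscustomobject]@{
        Host           = $HostName
        DcuiAccess     = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value
        ExceptionUsers = (@($ham.QueryLockdownExceptions()) -join ',')
    }
}

# Usage (hypothetical host and account names): a named break-glass account instead of
# root in DCUI.Access, and one backup service account as the only exception user.
Set-EsxiLockdownAccess -HostName 'esx01.example.com' -DcuiAccessUsers 'breakglass' -ExceptionUsers 'svc-backup'
```

Because the function always writes the complete Exception Users set, running it from configuration management also removes accounts that were added by hand and never cleaned up, which is the drift you most want to catch on a host that is supposed to be reachable only through vCenter Server.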