To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, operations must be performed through vCenter Server by default.

You can select normal lockdown mode or strict lockdown mode, which offer different degrees of lockdown. You can also use the Exception User list. Exception users do not lose their privileges when the host enters lockdown mode. Use the Exception User list to add the accounts of third-party solutions and external applications that need to access the host directly when the host is in lockdown mode.

Lockdown Mode Behavior

In lockdown mode, some services are deactivated, and some services are accessible only to certain users.

Lockdown Mode Services Available for Different Users

When the host is running, available services depend on whether lockdown mode is activated, and on the type of lockdown mode.

  • In strict and normal lockdown mode, privileged users can access the host through vCenter Server, from the vSphere Client, or by using the vSphere Web Services SDK.
  • Direct Console User Interface behavior differs for strict lockdown mode and normal lockdown mode.
    • In strict lockdown mode, the Direct Console User Interface (DCUI) service is deactivated.
    • In normal lockdown mode, accounts on the Exception User list can access the DCUI if they have administrator privileges. In addition, all users who are specified in the DCUI.Access advanced system setting can access the DCUI.
  • If the ESXi Shell or SSH is activated and the host is placed in lockdown mode, accounts on the Exception Users list who have administrator privileges can use these services. For all other users, ESXi Shell or SSH access is deactivated. ESXi Shell or SSH sessions for users who do not have administrator privileges are closed.

All access is logged for both strict and normal lockdown mode.

Table 1. Lockdown Mode Behavior

vSphere Web Services API
  Normal Mode: All users, based on permissions
  Normal Lockdown Mode: vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available)
  Strict Lockdown Mode: vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available)

CIM Providers
  Normal Mode: Users with administrator privileges on the host
  Normal Lockdown Mode: vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available)
  Strict Lockdown Mode: vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available)

Direct Console UI (DCUI)
  Normal Mode: Users with administrator privileges on the host, and users in the DCUI.Access advanced system setting
  Normal Lockdown Mode: Users defined in the DCUI.Access advanced system setting; Exception users with administrator privileges on the host
  Strict Lockdown Mode: DCUI service is stopped.

ESXi Shell (if activated) and SSH (if activated)
  Normal Mode: Users with administrator privileges on the host
  Normal Lockdown Mode: Users defined in the DCUI.Access advanced option; Exception users with administrator privileges on the host
  Strict Lockdown Mode: Users defined in the DCUI.Access advanced system setting; Exception users with administrator privileges on the host

Lockdown Mode Behavior for Users Logged In to the ESXi Shell When Lockdown Mode Is Activated

Users might log in to the ESXi Shell or access the host through SSH before lockdown mode is activated. In that case, users who are on the list of Exception Users and who have administrator privileges on the host remain logged in. The session is closed for all other users. Termination applies to both normal and strict lockdown mode.

How Can You Deactivate Lockdown Mode

You can deactivate lockdown mode as follows.
  • From the vSphere Client: Users can deactivate both normal lockdown mode and strict lockdown mode from the vSphere Client. See Deactivate Lockdown Mode from the vSphere Client.
  • From the Direct Console User Interface: Users who can access the Direct Console User Interface on the ESXi host can deactivate normal lockdown mode. In strict lockdown mode, the Direct Console User Interface service is stopped. See Activate or Deactivate Normal Lockdown Mode from the Direct Console User Interface.

Activate Lockdown Mode from the vSphere Client

Select lockdown mode to require that all host configuration changes go through vCenter Server. vSphere supports normal lockdown mode and strict lockdown mode.

If you want to disallow all direct access to a host completely, you can select strict lockdown mode. Strict lockdown mode makes it impossible to access a host if the vCenter Server is unavailable and SSH and the ESXi Shell are deactivated. See Lockdown Mode Behavior.

Procedure

  1. Browse to the host in the vSphere Client inventory.
  2. Click Configure.
  3. Under System, select Security Profile.
  4. In the Lockdown Mode panel, click Edit.
  5. Click Lockdown Mode and select one of the lockdown mode options.
    Normal: The host can be accessed through vCenter Server. Only users who are on the Exception Users list and have administrator privileges can log in to the Direct Console User Interface. If SSH or the ESXi Shell is activated, access might be possible.
    Strict: The host can only be accessed through vCenter Server. If SSH or the ESXi Shell is activated, running sessions for accounts in the DCUI.Access advanced system setting and for Exception User accounts that have administrator privileges remain enabled. All other sessions are closed.
  6. Click OK.
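The same change made through vCenter Server with PowerCLI, as an added example that is not part of the VMware documentation. Before it selects strict mode it checks for the situation described above, where a stopped DCUI combined with ESXi Shell and SSH being off leaves vCenter Server as the only way into the host. It assumes an existing Connect-VIServer session; the host name in the final call is a placeholder.

```powershell
# Added example, not from the VMware documentation. Changes a host's lockdown
# mode through vCenter Server with PowerCLI. Assumes Connect-VIServer has
# already been run; the host name used at the bottom is a placeholder.

function Set-HostLockdown {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)]
        [ValidateSet('lockdownDisabled', 'lockdownNormal', 'lockdownStrict')]
        [string] $Mode
    )
    $vmhost = Get-VMHost -Name $HostName
    # HostAccessManager is the vSphere API object behind the Lockdown Mode panel
    $ham    = Get-View $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $before = $ham.LockdownMode

    if ($Mode -eq 'lockdownStrict') {
        # Strict mode stops the DCUI. If the ESXi Shell (service key TSM) and
        # SSH (service key TSM-SSH) are off as well, vCenter Server becomes the
        # only remaining access path; say so before making the change.
        $svc   = Get-VMHostService -VMHost $vmhost
        $shell = ($svc | Where-Object { $_.Key -eq 'TSM' }).Running
        $ssh   = ($svc | Where-Object { $_.Key -eq 'TSM-SSH' }).Running
        if (-not $shell -and -not $ssh) {
            Write-Warning "${HostName}: strict lockdown with ESXi Shell and SSH off leaves vCenter Server as the only access path"
        }
        # Exception users with administrator privileges are the accounts that
        # can still use ESXi Shell or SSH under strict lockdown; warn if empty.
        $exceptions = @($ham.QueryLockdownExceptions())
        if ($exceptions.Count -eq 0) {
            Write-Warning "${HostName}: no Exception Users are defined"
        }
    }

    $ham.ChangeLockdownMode($Mode)
    $ham.UpdateViewData('LockdownMode')   # refresh the cached property
    [pscustomobject]@{
        Host   = $HostName
        Before = $before
        After  = $ham.LockdownMode
    }
}

# Placeholder host name; normal lockdown keeps the DCUI available to exception users
Set-HostLockdown -HostName 'esxi01.example.invalid' -Mode 'lockdownNormal'
```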

Deactivate Lockdown Mode from the vSphere Client

Deactivate lockdown mode to allow configuration changes from direct connections to the ESXi host. Leaving lockdown mode activated results in a more secure environment.

Users can deactivate both normal lockdown mode and strict lockdown mode from the vSphere Client.

Procedure

  1. Browse to a host in the vSphere Client inventory.
  2. Click Configure.
  3. Under System, select Security Profile.
  4. In the Lockdown Mode panel, click Edit.
  5. Click Lockdown Mode and select Disabled to deactivate lockdown mode.
  6. Click OK.

Results

The system exits lockdown mode, vCenter Server displays an alarm, and an entry is added to the audit log.

Activate or Deactivate Normal Lockdown Mode from the Direct Console User Interface

You can activate and deactivate normal lockdown mode from the Direct Console User Interface (DCUI). You can activate and deactivate strict lockdown mode only from the vSphere Client.

When the host is in normal lockdown mode, the following accounts can access the Direct Console User Interface:
  • Accounts in the Exception Users list who have administrator privileges on the host. The Exception Users list is meant for service accounts such as a backup agent.
  • Users defined in the DCUI.Access advanced option for the host. This option can be used to activate access in a catastrophic failure.

User permissions are preserved when you activate lockdown mode. User permissions are restored when you deactivate lockdown mode from the Direct Console Interface.

Note: If you upgrade a host that is in lockdown mode to ESXi version 6.0 without exiting lockdown mode, and if you exit lockdown mode after the upgrade, all permissions defined before the host entered lockdown mode are lost. The system assigns the administrator role to all users who are found in the DCUI.Access advanced option to guarantee that the host remains accessible.

To retain permissions, deactivate lockdown mode for the host from the vSphere Client before the upgrade.

Procedure

  1. At the Direct Console User Interface of the host, press F2 and log in.
  2. Scroll to the Configure Lockdown Mode setting and press Enter to toggle the current setting.
  3. Press Esc until you return to the main menu of the Direct Console User Interface.

Specifying Accounts with Access Privileges in Lockdown Mode

You can specify service accounts that can access the ESXi host directly by adding them to the Exception Users list. You can specify a single user who can access the ESXi host in a catastrophic vCenter Server failure.

What Can Accounts Do When vSphere Is in Lockdown Mode

The vSphere version determines what different accounts can do by default when lockdown mode is activated, and how you can change the default behavior.
  • In vSphere 5.0 and earlier, only the root user can log in to the Direct Console User Interface on an ESXi host that is in lockdown mode.
  • In vSphere 5.1 and later, you can add a user to the DCUI.Access advanced system setting for each host. The setting is meant for a catastrophic failure of vCenter Server. Companies usually lock the password for the user with this access into a safe. A user in the DCUI.Access list does not need to have full administrative privileges on the host.
  • In vSphere 6.0 and later, the DCUI.Access advanced system setting is still supported. In addition, vSphere 6.0 and later supports an Exception User list, which is for service accounts that have to log in to the host directly. Accounts with administrator privileges that are on the Exception Users list can log in to the ESXi Shell. In addition, those users can log in to a host's DCUI in normal lockdown mode and can exit lockdown mode.
    You specify Exception Users from the vSphere Client.
    Note: Exception users are host local users or Active Directory users with privileges defined locally for the ESXi host. Users that are members of an Active Directory group lose their permissions when the host is in lockdown mode.

Add Users to the DCUI.Access Advanced System Setting

If there is a catastrophic failure, the DCUI.Access advanced system setting allows you to exit lockdown mode when you cannot access the host from vCenter Server. You add users to the list by editing the Advanced Settings for the host from the vSphere Client.

Note: Users in the DCUI.Access list can change lockdown mode settings regardless of their privileges. The ability to change lockdown modes can impact the security of your host. For service accounts that need direct access to the host, consider adding users to the Exception Users list instead. Exception users can only perform tasks for which they have privileges. See Specify Lockdown Mode Exception Users later in this topic.
  1. Browse to the host in the vSphere Client inventory.
  2. Click Configure.
  3. Under System, click Advanced System Settings, and click Edit.
  4. Filter for DCUI.
  5. In the DCUI.Access text box, enter the local ESXi user names, separated by commas.
    Note: You cannot enter Active Directory users. Only local ESXi users are supported.

    By default, the root user is included. Consider removing the root user from the DCUI.Access list, and specifying a named account for better auditability.

  6. Click OK.

Specify Lockdown Mode Exception Users

You can add users to the Exception Users list from the vSphere Client. These users do not lose their permissions when the host enters lockdown mode.

Usually these users are accounts that represent third-party solutions and external applications that need to continue to function in lockdown mode. For example, it makes sense to add service accounts such as a backup agent to the Exception Users list.
Note: The Exception Users list is meant for service accounts that perform very specific tasks, and not for administrators. Adding administrator users to the Exception Users list defeats the purpose of lockdown mode.

Exception users are host local users or Active Directory users with privileges defined locally for the ESXi host. They are not members of an Active Directory group and are not vCenter Server users. These users are allowed to perform operations on the host based on their privileges. That means, for example, that a read-only user cannot deactivate lockdown mode on a host.

  1. Browse to the host in the vSphere Client inventory.
  2. Click Configure.
  3. Under System, select Security Profile.
  4. In the Lockdown Mode panel, click Edit.
  5. Click Exception Users and click the Add User icon to add exception users.
  6. Click OK.
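An audit of the settings covered in this section and in Add Users to the DCUI.Access Advanced System Setting, written here as an added PowerCLI example that is not part of the VMware documentation. For every host in the current Connect-VIServer session it reports the lockdown mode, the DCUI.Access list and the Exception Users list, and flags the two review items raised above: root still present in DCUI.Access, and exception users that hold administrator access on the host.

```powershell
# Added example, not from the VMware documentation. Assumes Connect-VIServer
# has already been run against a vCenter Server.

function Get-LockdownAudit {
    foreach ($vmhost in Get-VMHost) {
        $ham = Get-View $vmhost.ExtensionData.ConfigManager.HostAccessManager

        # DCUI.Access is a comma-separated list of local ESXi user names (root by default)
        $dcui = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ }

        # Exception Users as configured in the Lockdown Mode panel
        $exceptions = @($ham.QueryLockdownExceptions())

        # Host-local access entries: Principal, Group flag and AccessMode
        # (accessAdmin, accessReadOnly, accessNoAccess, ...)
        $acl = $ham.RetrieveHostAccessControlEntries()
        $adminExceptions = foreach ($u in $exceptions) {
            $entry = $acl | Where-Object { -not $_.Group -and $_.Principal -eq $u }
            if ($entry -and ($entry.AccessMode -eq 'accessAdmin')) { $u }
        }

        $findings = @()
        if ($ham.LockdownMode -eq 'lockdownDisabled') {
            $findings += 'lockdown mode is disabled'
        }
        if ($dcui -contains 'root') {
            $findings += 'root is in DCUI.Access; prefer a named account for auditability'
        }
        if ($adminExceptions) {
            $findings += "exception users with host administrator access: $($adminExceptions -join ',')"
        }

        [pscustomobject]@{
            Host           = $vmhost.Name
            LockdownMode   = $ham.LockdownMode
            DcuiAccess     = ($dcui -join ',')
            ExceptionUsers = ($exceptions -join ',')
            Findings       = ($findings -join '; ')
        }
    }
}

Get-LockdownAudit | Format-Table -AutoSize
```

Exception users that legitimately need the ESXi Shell must have administrator privileges, so treat that finding as a list to review against the service-account purpose described above rather than as an error.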