In order to make your ESXi hosts more secure, you can put them into what's called Lockdown Mode. This post will explain what VMware ESXi Lockdown Mode is, what its main benefits are, and the configuration steps. The config is a simple radio button in the vSphere Web Client, but it is also possible to activate it through the Direct Console User Interface (DCUI). This is another post for our Tips category.
This is the first time we treat this topic, and it's important to know which services and restrictions apply in each mode. VMware ESXi Lockdown Mode applies not only to users but also to CIM providers and applications that need to keep running (e.g. backups).
ESXi lockdown mode was introduced in ESXi 5.0 in a simpler version, which was expanded in ESXi 6.0 and ESXi 6.5. If you put the host into lockdown mode, you can only connect to and manage your hosts and your VMs through vCenter Server. If you try to connect directly to the host via the Host Client, the connection is denied.
In lockdown mode, operations must be performed through vCenter Server by default. Starting with vSphere 6.0 you can choose between Normal lockdown mode and Strict lockdown mode.
ESXi user accounts on a special list called Exception Users that have administrator privileges can also log in to the ESXi Shell through the DCUI or the Host Client.
Where to Activate VMware ESXi Lockdown Mode?
In order to activate lockdown mode, you can use vSphere Web client or vSphere HTML5 Client.
Select your host > Configure > System > Security Profile > Edit.
VMware ESXi Lockdown Mode – two different modes.
Let's have a look at the difference between Normal and Strict Lockdown Mode:
Normal Lockdown Mode – The host can be accessed through vCenter Server. Only users who are on the Exception Users list and have administrator privileges can log in to the Direct Console User Interface. If SSH or the ESXi Shell is enabled, access might be possible.
Strict Lockdown Mode – The host can only be accessed through vCenter Server. If SSH or the ESXi Shell is enabled, running sessions for accounts in the DCUI.Access advanced option and for Exception User accounts that have administrator privileges remain enabled. All other sessions are terminated.
In addition, when selecting the Strict Lockdown mode, the DCUI service is completely stopped.
What are the Exception Users?
VMware says that those are users that…
A list of user accounts that keep their permissions when the host enters lockdown mode. The accounts are used by third-party solutions and external applications that must continue their function in lockdown mode. To keep lockdown mode uncompromised, you should add only user accounts that are associated with applications.
Where to add an account to the Exception Users list?
You first have to create a local ESXi user and then specify this advanced setting on a per-host basis. In my case, I created a sample local ESXi user called “disaster” through the ESXi Host Client.
In order to modify the Exception Users list, you'll have to use the vSphere HTML5 Client or the vSphere Web Client. To access this setting, select your host > System > Advanced System Settings > find DCUI.Access in the list > click to add another local ESXi user there. The root user is already present by default.
Exception users can only perform the tasks for which they have privileges. So even if you create your local user and put him on the Exception Users list, the user won't be able to connect unless you give him a privilege.
Connect to the ESXi host via ESXi Host Client > Actions > Permissions.
Then click Add User.
The UI will change and here you have the possibility to pick the user you have previously created and then assign a privilege to this user.
VMware has a nice table showing exactly which services and which behaviors differ between Normal and Strict Lockdown mode. This affects the vSphere Web Services API, CIM providers, the DCUI, the ESXi Shell and SSH.
The table can be found at VMware Documentation Center – Link.
So in which mode will I be able to log in through the DCUI?
Only in Normal lockdown mode, not in Strict mode.
What if vCenter server is unavailable?
Configure Lockdown Mode will be grayed out if vCenter is down or the host is disconnected from vCenter.
Enable/Disable ESXi lockdown mode from DCUI
Note: This applies only to a host in Normal lockdown mode. In Strict lockdown mode the DCUI service is stopped, so you would lock yourself out.
In the server room:
Open server console > Press F2 to Customize System/View Logs > Open Configure Lockdown Mode > Press SPACE to enable or disable lockdown mode
VMware ESXi Lockdown Mode prevents users from logging in directly to the host. The host will only be accessible through a local console or vCenter Server. If there are local ESXi users configured, if they have enough privileges to log in locally AND if they are on the Exception Users list of the lockdown mode, then they CAN log in locally via the Host Client.
A very powerful mode indeed, which does not affect the default root user (unless you remove the root user from the Exception Users list).
You have to think twice before activating the “strict” VMware ESXi Lockdown Mode. If this mode is ON, you have removed ALL users from the Exception Users list AND you lose the vCenter Server connection between this particular host and your vCenter, then you have a big problem. You won't be able to log in locally.
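As an added example (not from the original post), here is a PowerCLI audit that pulls together the settings discussed above for every host: the lockdown mode, the Exception Users list, the DCUI.Access option, and whether the ESXi Shell and SSH services are running, flagging Strict-mode hosts with an empty Exception Users list (the state in which losing the vCenter connection locks you out). It assumes an open Connect-VIServer session; the function name Get-LockdownAudit is my own.

```powershell
# Added example, not from the original post. Audits the lockdown posture of
# ESXi hosts with PowerCLI. Assumes Connect-VIServer has already been run.
# vSphere API objects used: HostSystem.Config.LockdownMode, HostAccessManager
# (QueryLockdownExceptions), advanced option DCUI.Access, services TSM/TSM-SSH.

function Get-LockdownAudit {
    param(
        [Parameter(Mandatory)]
        $VMHost   # one or more objects returned by Get-VMHost
    )

    foreach ($h in $VMHost) {
        # lockdownDisabled / lockdownNormal / lockdownStrict (vSphere API 6.0+)
        $mode = $h.ExtensionData.Config.LockdownMode

        # Exception Users list, kept per host by the HostAccessManager
        $ham        = Get-View -Id $h.ExtensionData.ConfigManager.HostAccessManager
        $exceptions = @($ham.QueryLockdownExceptions())

        # Accounts allowed into the DCUI while in lockdown (root is there by default)
        $dcuiAccess = (Get-AdvancedSetting -Entity $h -Name 'DCUI.Access').Value

        # ESXi Shell (TSM) and SSH (TSM-SSH): if running, shell access may still be possible
        $services = Get-VMHostService -VMHost $h
        $shellOn  = ($services | Where-Object { $_.Key -eq 'TSM' }).Running
        $sshOn    = ($services | Where-Object { $_.Key -eq 'TSM-SSH' }).Running

        # Precondition for the lockout scenario described in the post:
        # Strict mode with nobody on the Exception Users list.
        $lockoutRisk = ($mode -eq 'lockdownStrict') -and ($exceptions.Count -eq 0)

        [pscustomobject]@{
            Host           = $h.Name
            Connection     = $h.ConnectionState
            LockdownMode   = $mode
            ExceptionUsers = ($exceptions -join ',')
            DCUIAccess     = $dcuiAccess
            ESXiShell      = $shellOn
            SSH            = $sshOn
            LockoutRisk    = $lockoutRisk
        }
    }
}

# Usage: report all hosts, then list those with no lockdown or with lockout risk
$report = Get-LockdownAudit -VMHost (Get-VMHost)
$report | Format-Table -AutoSize
$report | Where-Object { $_.LockdownMode -eq 'lockdownDisabled' -or $_.LockoutRisk }
```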