VMware ESXi Lockdown Mode

VMware ESXi lockdown mode increases the security of an ESXi host by restricting access to it. To make your ESXi hosts more secure, you can put them in what is known as lockdown mode.

When the lockdown mode is enabled, the ESXi host can only be accessed via the vCenter Server or Direct Console User Interface (DCUI).

In that case, the ESXi host can no longer be managed using the vSphere CLI, vSphere Management Assistant (vMA), or vSphere Client commands.

The best practice is to manage your ESXi hosts through a vCenter Server, even in a small environment. With VMware vSphere Essentials or Essentials Plus, which has a vMotion license, you can manage up to 3 ESXi hosts, which is more than enough for a small environment.

VMware ESXi lockdown mode is the perfect way to protect your infrastructure by restricting management to the vCenter Server only. External attackers and insider threats will not get past it. Mainly, you can enable or disable lockdown mode and configure its settings.

What is the advantage of enabling lockdown mode on an ESXi host?

Lockdown mode increases the security of the ESXi host by restricting access to the host. When this mode is enabled, the ESXi host can only be accessed via the vCenter Server or the Direct Console User Interface (DCUI).

When lockdown mode is enabled, the host is managed using the vSphere Client connected to the managing vCenter Server, VMware PowerCLI, or the VMware vSphere command-line interface (vCLI).

The only difference is that access is authenticated through the vCenter Server instead of a local ESXi host account. When lockdown mode is enabled, access to the host via SSH is unavailable except for users on the configured exception list.

How does lockdown mode in VMware ESXi work?

Logging in to the host (ESXi or ESX) directly with the vSphere or VI Client may make sense in certain troubleshooting situations. Lockdown mode removes root-level remote access to the host via the vSphere Client.

For installations managed by vCenter, this is a secure configuration. Lockdown mode requires all communication to go through the vCenter agent on the ESXi host.

When running vCenter, communication between the ESXi host and vCenter uses a single user called vpxuser. If lockdown mode is used, the most visible indicator is that you cannot log in to the ESXi host directly as root via the vSphere Client.

Nonetheless, if the host is managed by vCenter, all client activity should be performed there. Another side effect of enabling lockdown mode is that virtualization-specific tools which use the root account to access the ESXi host directly are affected as well.

How does lockdown mode affect troubleshooting?

We can still reach the ESXi main screen with physical or out-of-band access to the console (a monitor, Dell DRAC, HP iLO, or the system console directly). This includes the options to restart the management network and restart the management agents.

Furthermore, command-line access on the ESXi host is still available if needed, and lockdown mode can be disabled from there immediately.

You can enable lockdown mode using the vSphere Web Client. Here is how:

Select your ESXi host in the inventory, go to Manage > Settings > Security Profile, and click the Edit button next to Lockdown Mode:

In the Lockdown Mode window that opens, check the checkbox beside Enable Lockdown Mode and click OK:

Types of lockdown modes

There are two:

  1. Normal lockdown mode
  2. Strict lockdown mode

You can activate normal lockdown mode via the DCUI or vCenter. When ESXi is in normal lockdown mode, the DCUI is not stopped.

In normal lockdown mode, only the following accounts can access DCUI:

Accounts on the Exception Users list

The Exception Users list is intended for service accounts that perform specific tasks. Exception users do not lose their privileges when the host enters lockdown mode.

Users defined in the DCUI.Access advanced setting

This option provides emergency access to the Direct Console User Interface in case the connection to the vCenter Server is lost. These users do not need administrative privileges on the host.

If you lose the connection to the vCenter Server and the ESXi Host Client does not work, you can still log in with a privileged account via the direct console (in normal lockdown mode) and exit lockdown mode there.

Exception users must be defined before activating strict lockdown mode: in strict mode the DCUI is stopped, so the users defined in DCUI.Access no longer help, and the exception users are the only remaining access option for the host. You can define them in the GUI via the vSphere Client when connected to the vCenter Server.

Only users on the Exception Users list who hold administrator privileges can log in to the Direct Console User Interface.

Warning: if you cannot restore the connection to your vCenter Server, have no exception users defined, and SSH and the ESXi Shell are disabled, you must reinstall the host.
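The GUI steps above, together with the exception-user and DCUI.Access requirements from this section, can be scripted with VMware PowerCLI. The following is an added example written for this page, not code from the original article or from VMware; it assumes the VMware.PowerCLI module and an existing Connect-VIServer session, and the host name and account names in it (esxi01.example.com, svc-backup, breakglass) are placeholders. It puts the break-glass access in place first and refuses to enter strict mode when doing so would leave no way back in without vCenter:

```powershell
# Added example (not from the original article): enable lockdown mode from PowerCLI
# after configuring DCUI.Access and the Exception Users list.
# Assumes: VMware.PowerCLI module, an active Connect-VIServer session to vCenter.
$HostName       = 'esxi01.example.com'                        # assumed host name
$ExceptionUsers = @('svc-backup')                              # assumed service account with a permission on the host
$DcuiUsers      = 'root,breakglass'                            # assumed local accounts allowed at the DCUI (normal mode)
$Mode           = [VMware.Vim.HostLockdownMode]::lockdownNormal  # or ::lockdownStrict

$vmhost = Get-VMHost -Name $HostName
$access = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

# 1. DCUI.Access: who may still use the direct console while in normal lockdown mode.
Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access' |
    Set-AdvancedSetting -Value $DcuiUsers -Confirm:$false | Out-Null

# 2. Exception Users: accounts that keep their privileges in either lockdown mode.
#    UpdateLockdownExceptions replaces the whole list, so pass every account you need.
$access.UpdateLockdownExceptions($ExceptionUsers)

# 3. Lockout guard: strict mode stops the DCUI, so with no exception users and
#    SSH/Shell stopped the only recovery after losing vCenter is a reinstall.
$services   = Get-VMHostService -VMHost $vmhost
$sshRunning   = ($services | Where-Object { $_.Key -eq 'TSM-SSH' }).Running
$shellRunning = ($services | Where-Object { $_.Key -eq 'TSM' }).Running
$configured   = @($access.QueryLockdownExceptions())
if ($Mode -eq [VMware.Vim.HostLockdownMode]::lockdownStrict -and
    $configured.Count -eq 0 -and -not $sshRunning -and -not $shellRunning) {
    throw "Refusing strict lockdown on $HostName: no exception users and SSH/Shell are stopped."
}

# 4. Enter lockdown mode and read the resulting state back from the host.
$access.ChangeLockdownMode($Mode)
$access.UpdateViewData('LockdownMode')
"{0}: lockdown mode is now {1}" -f $HostName, $access.LockdownMode
```

The order matters: the exception list and DCUI.Access are written while the host is still fully reachable, and the mode change is the last operation, so a failure earlier in the script leaves the host in its previous, reachable state.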

Here is how to disable ESXi lockdown mode:

  • Browse to the host in the vSphere Web Client inventory;
  • Select the Manage tab and click Settings;
  • Under System, select Security Profile;
  • In the Lockdown Mode panel, click Edit;
  • Select Lockdown Mode and choose one of the lockdown mode options.
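Because the safe state of a host depends on the combination of lockdown mode, exception users, DCUI.Access and the SSH/Shell services, it is worth reviewing all hosts at once rather than one at a time in the GUI. The following report is an added example for this page (not code from the original article or from VMware); it assumes the VMware.PowerCLI module and an existing Connect-VIServer session, and the risk wording in it applies the warning given above, that strict mode with no exception users and stopped SSH/Shell means a reinstall if vCenter is lost:

```powershell
# Added example (not from the original article): audit lockdown state on every
# host managed by the connected vCenter and flag hosts at risk of a lockout.
# Assumes: VMware.PowerCLI module, an active Connect-VIServer session to vCenter.
function Get-LockdownReport {
    foreach ($vmhost in Get-VMHost | Sort-Object Name) {
        $access   = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
        $services = Get-VMHostService -VMHost $vmhost
        $ssh      = ($services | Where-Object { $_.Key -eq 'TSM-SSH' }).Running
        $shell    = ($services | Where-Object { $_.Key -eq 'TSM' }).Running
        $dcui     = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value
        $except   = @($access.QueryLockdownExceptions())
        $mode     = [string]$access.LockdownMode

        # Risk assessment derived from the article: strict mode stops the DCUI, so
        # exception users or SSH/Shell are the only way back in without vCenter.
        $risk = switch ($mode) {
            'lockdownDisabled' { 'lockdown disabled: host manageable outside vCenter' }
            'lockdownStrict'   {
                if ($except.Count -eq 0 -and -not $ssh -and -not $shell) {
                    'strict, no exception users, SSH/Shell stopped: reinstall if vCenter is lost'
                } else { 'none' }
            }
            'lockdownNormal'   {
                if ([string]::IsNullOrWhiteSpace($dcui) -and $except.Count -eq 0) {
                    'normal, but DCUI.Access and the exception list are both empty'
                } else { 'none' }
            }
            default            { "unknown lockdown mode value '$mode'" }
        }

        [pscustomobject]@{
            Host           = $vmhost.Name
            LockdownMode   = $mode
            ExceptionUsers = ($except -join ',')
            DcuiAccess     = $dcui
            SshRunning     = [bool]$ssh
            ShellRunning   = [bool]$shell
            Risk           = $risk
        }
    }
}

# Usage: print the report, or pipe it to Export-Csv for a periodic compliance record.
Get-LockdownReport | Format-Table -AutoSize
```

Hosts whose Risk column is not "none" are the ones to revisit before the next vCenter outage, either by adding an exception user or by choosing normal rather than strict mode.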

Lockdown mode forces all operations to be performed through the vCenter Server. When you enable lockdown mode, only the vpxuser account has authentication permissions; other users cannot perform any functions directly on the host.

Conclusion

Lockdown mode changes how a VMware ESXi host can be accessed, and it generally adds another security layer to your installation.

If you enable lockdown mode, the ESXi host can only be accessed via the vCenter Server. For troubleshooting, keep in mind that even when the host is running in lockdown mode, you can still log in to the ESXi host directly if the corresponding access (the DCUI, SSH or the ESXi Shell) is enabled for you, which reduces the risk of unauthorized access without locking you out entirely.

When you enable lockdown mode, users can consequently no longer log in directly to the host. ESXi lockdown mode is compelling, and it does not affect the default root user.