To enhance security in a virtualized environment, it is often advisable to limit direct access to ESXi hosts, and this is where the lockdown mode concept comes into the picture. Lockdown mode is used on ESXi hosts that are centrally managed by vCenter Server to improve the security of those hosts.
When lockdown mode is enabled, the host is managed using the vSphere Client connected to the managing vCenter Server, VMware PowerCLI, or the VMware vSphere Command-Line Interface (vCLI). The only difference is that access is authenticated through vCenter Server instead of through a local account on the ESXi host.
When lockdown mode is enabled, access to the host through SSH is unavailable except to configured exception users.
Lockdown mode in vSphere 6.0
With vSphere 6.0, VMware introduced a few new concepts in lockdown mode, listed below:
- Normal Lockdown Mode
- Strict Lockdown Mode
- Exception Users
Let's look at these concepts one by one.
Normal Lockdown mode
In this mode, all direct connections to the ESXi host are blocked. Any attempt to connect to the ESXi host via the C# client results in the error shown below.
However, in this mode the DCUI service is not stopped. If the ESXi host's connection to vCenter Server is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host's DCUI and exit lockdown mode.
In normal lockdown mode, only the following accounts can access the DCUI:
- Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Exception users do not lose their privileges when the host enters lockdown mode.
- Users defined in the DCUI.Access advanced option for the host: This option is for emergency access to the Direct Console User Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
Strict Lockdown Mode
In strict lockdown mode, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host.
If "Strict Lockdown Mode" is enabled on an ESXi 6.0 host, you will get the following error message when you try to connect to the host via the DCUI:
“Authentication Denied – Direct console access has been disabled by the administrator”
Enable/Disable ESXi host Lockdown mode from the vSphere Web Client
Log in to the vSphere Web Client, select the ESXi host and navigate to Manage > Settings > Security Profile.
In the Lockdown Mode panel, click Edit.
Click Lockdown Mode and select one of the lockdown mode options.
Let's say we have enabled Normal lockdown mode.
In this mode we can't connect to the host via the vSphere C# client.
But we can log in to the host via the DCUI and manage host settings from there.
Let's change the mode to Strict now. The Web Client will warn you that DCUI services will be stopped in strict mode. Click OK to proceed.
In strict mode, access to the DCUI will be denied.
Enable/Disable Lockdown mode from the DCUI:
Log in to the ESXi host directly via the DCUI and, under System Customization, select Configure Lockdown Mode to enable or disable lockdown mode.
Note: You can only enable "Normal Lockdown Mode" from the DCUI. This makes sense, because if you do not have a vCenter Server, you would lock yourself out.
What happens to existing user sessions when Lockdown Mode is enabled?
If users are logged in to the ESXi Shell or access the host through SSH before lockdown mode is enabled, those users who are on the list of Exception Users and who have administrator privileges on the host remain logged in. The session is terminated for all other users. This applies to both normal and strict lockdown mode.
Configure a User on the Lockdown Mode Exception Users List
Exception users are host local users or Active Directory users with privileges defined locally for the ESXi host. They are not members of an Active Directory group and are not vCenter Server users.
Exception users do not lose their privileges when the host enters lockdown mode. Usually these accounts represent third-party solutions and external applications that need to continue to function in lockdown mode.
To configure exception users, log in to the vSphere Web Client, select an ESXi host and navigate to Manage > Settings > Security Profile > Lockdown Mode.
Click the Edit button, select the Exception Users tab and click the green + button to add a user.
Add Users To The DCUI.Access Advanced Option
The main purpose of the DCUI.Access advanced option is to allow you to exit lockdown mode in case of catastrophic failure, when you cannot access the host from vCenter Server. You add users to the list by editing the Advanced Settings for the host from the vSphere Web Client.
However, caution needs to be taken, because this can directly impact the security posture of the host(s). Keep in mind that exception users can only perform tasks for which they have privileges.
1: Browse to the host in the vSphere Web Client object navigator.
2: Click the Manage tab and select Settings.
3: Click Advanced System Settings and search for DCUI.Access.
4: Click Edit and enter the user names, separated by commas. By default, the root user is included.
Note: If you are adding a local user here, that user must already exist on the ESXi host.
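As an added example (not code from the original post), the following PowerCLI script reads the settings walked through above from every host in a vCenter and flags the conditions worth reviewing: lockdown disabled, strict mode with no exception users (the reinstall scenario), and names beyond root in DCUI.Access. The vCenter address is a placeholder, and the script assumes PowerCLI is installed and the account has read access.

```powershell
# Added example: audit lockdown mode, exception users and DCUI.Access per host.
# 'vcenter.example.local' is a placeholder; replace with your vCenter Server.
Connect-VIServer -Server 'vcenter.example.local' -Credential (Get-Credential) | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    # HostAccessManager (vSphere 6.0 API) exposes LockdownMode and the exception list
    $accessMgr  = Get-View $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $exceptions = @($accessMgr.QueryLockdownExceptions())
    $dcuiAccess = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value
    $sshRunning = (Get-VMHostService -VMHost $vmhost |
                   Where-Object { $_.Key -eq 'TSM-SSH' }).Running

    # Anyone in DCUI.Access other than root widens emergency console access
    $extraDcui = $dcuiAccess -split ',' |
                 ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -and $_ -ne 'root' }

    $findings = @()
    if ($accessMgr.LockdownMode -eq 'lockdownDisabled') {
        $findings += 'Lockdown disabled: direct local logins to the host are allowed'
    }
    if ($accessMgr.LockdownMode -eq 'lockdownStrict' -and $exceptions.Count -eq 0) {
        $findings += 'Strict mode with no exception users: losing vCenter means reinstall'
    }
    if ($extraDcui.Count -gt 0) {
        $findings += "DCUI.Access contains non-root users: $($extraDcui -join ',')"
    }

    [pscustomobject]@{
        Host           = $vmhost.Name
        LockdownMode   = $accessMgr.LockdownMode
        ExceptionUsers = ($exceptions -join ',')
        DCUIAccess     = $dcuiAccess
        SSHRunning     = $sshRunning
        Findings       = ($findings -join '; ')
    }
}

$report | Format-Table -AutoSize

# To change the mode from the same object, e.g. to normal lockdown:
#   $accessMgr.ChangeLockdownMode('lockdownNormal')
```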
And that's it for this post.
Further reading:
- Set Lockdown Mode in vSphere 6 via PowerCLI
- vSphere 6 Security Guide
- vSphere 6.0 Hardening Guide
I hope you find this post informative. Feel free to share it on social media if it is worth sharing. Be sociable 🙂