Enable and Configure ESXi Host Lockdown Mode

To enhance security in a virtualized environment, it is often advisable to limit direct access to ESXi hosts, and this is where the lockdown mode concept comes into the picture. Lockdown mode is used on ESXi hosts to improve the security of hosts that are centrally managed by vCenter Server.

When lockdown mode is enabled, the host is managed using the vSphere Client connected to the managing vCenter Server, VMware PowerCLI, or the VMware vSphere Command-Line Interface (vCLI). The only difference from normal operation is that access is authenticated through vCenter Server instead of through a local account on the ESXi host.

When the lockdown mode is enabled, access to the host through SSH is unavailable except to configured exception users.

Lockdown mode in vSphere 6.0

With vSphere 6.0, VMware introduced a couple of new concepts into lockdown mode, listed below:

  • Normal Lockdown Mode
  • Strict Lockdown Mode
  • Exception Users

Let's understand these concepts one by one.

Normal Lockdown mode

In this mode all direct connections to the ESXi host are blocked. Any attempt to connect to the ESXi host via the C# client results in the error shown below.

lckmode-4.PNG

However, in this mode the DCUI service is not stopped. If the ESXi host's connection to vCenter Server is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host's DCUI and exit lockdown mode.

In normal lockdown mode, only the following accounts can access the DCUI:

  • Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Exception users do not lose their privileges when the host enters lockdown mode.
  • Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console User Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.

Strict Lockdown Mode

In strict lockdown mode, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host.

If “Strict Lockdown Mode” is enabled on an ESXi 6.0 host, you will get the following error message when you try to connect to the host via the DCUI:

“Authentication Denied – Direct console access has been disabled by the administrator”

lckmode-7.PNG

Enable/Disable Esxi host Lockdown mode from the vSphere Web Client

Log in to the vSphere Web Client, select the ESXi host and navigate to Manage > Settings > Security Profile.

In the Lockdown Mode panel, click Edit.

lckmode-1.PNG

Click Lockdown Mode and select one of the lockdown mode options.

Let's say we have enabled Normal lockdown mode.

lckmode-3.PNG

In this mode we can't connect to the host via the vSphere C# client.

lckmode-4.PNG

But we can log in to the host via the DCUI and manage host settings from there.

lckmode-5.PNG

Let's change the mode to strict mode now. The Web Client warns you that DCUI services will be stopped in strict mode. Click OK to proceed.

lckmode-6.PNG

In strict mode, access to the DCUI is denied.

lckmode-7.PNG

Enable/Disable Lockdown mode from the DCUI:

Log in to the ESXi host directly via the DCUI and, under System Customization, select Configure Lockdown Mode to enable or disable lockdown mode.

dcui-1.PNG

dcui-2.PNG

Note: You can only enable “Normal Lockdown Mode” from the DCUI, which makes sense: without a vCenter Server, enabling strict mode from the DCUI would lock you out of the host.

What happens to existing user sessions When Lockdown Mode Is Enabled?

If users are logged in to the ESXi Shell or access the host through SSH before lockdown mode is enabled, those users who are on the list of Exception Users and who have administrator privileges on the host remain logged in. The session is terminated for all other users. This applies to both normal and strict lockdown mode.

Configure a User on the Lockdown Mode Exception Users List

Exception users are host local users or Active Directory users with privileges defined locally for the ESXi host. They are not members of an Active Directory group and are not vCenter Server users.

Exception users do not lose their privileges when the host enters lockdown mode. Usually these accounts represent third-party solutions and external applications that need to continue to function in lockdown mode.

To configure exception users, log in to the vSphere Web Client, select an ESXi host and navigate to Manage > Settings > Security Profile > Lockdown Mode.

Click the Edit button, select the Exception Users tab and click the green + button to add a user.

lckmode-8.PNG
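The same two settings (the lockdown mode chosen in the Web Client dialog above, and the Exception Users list configured on its Exception Users tab) can be set from PowerCLI against the managing vCenter Server. The script below is an added example and is not code from the original post; it uses the HostAccessManager managed object that vSphere 6.0 exposes for lockdown mode. The vCenter name, the host name and the service account name `svc-backup` are placeholders, and the account is assumed to already exist with privileges on the host. The check before strict mode reflects the caveat from the Strict Lockdown Mode section: with the DCUI stopped and no exception users, a host that loses its vCenter connection can only be recovered by reinstalling it.

```powershell
# Added example (not from the original post): set lockdown mode and the
# Exception Users list of an ESXi 6.0 host through PowerCLI.
# Assumptions: PowerCLI is installed; $vcServer is the managing vCenter
# Server; $hostName is the host's inventory name; 'svc-backup' is a
# placeholder service account that already exists on the host.
param(
    [string]$vcServer = 'vcenter.example.local',    # assumption
    [string]$hostName = 'esxi01.example.local',     # assumption
    [ValidateSet('lockdownDisabled', 'lockdownNormal', 'lockdownStrict')]
    [string]$Mode = 'lockdownNormal',
    [string[]]$ExceptionUsers = @('svc-backup')     # placeholder account
)

Connect-VIServer -Server $vcServer | Out-Null

$vmhost = Get-VMHost -Name $hostName
# HostAccessManager carries lockdownMode, ChangeLockdownMode() and the
# Query/UpdateLockdownExceptions() methods introduced in vSphere 6.0.
$accessMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

# Lockout guard: strict mode stops the DCUI, so afterwards the host is only
# reachable through vCenter or through an exception user over SSH/ESXi Shell.
if ($Mode -eq 'lockdownStrict' -and $ExceptionUsers.Count -eq 0) {
    throw "Refusing strict lockdown on $hostName with an empty Exception Users list"
}

# Set the exception users first so that their sessions and privileges
# survive the mode change (all other sessions are terminated).
$accessMgr.UpdateLockdownExceptions($ExceptionUsers)

# Apply the mode: lockdownDisabled, lockdownNormal or lockdownStrict.
$accessMgr.ChangeLockdownMode($Mode)

# Verify by re-reading the managed object rather than trusting the call.
$accessMgr.UpdateViewData()
[pscustomobject]@{
    Host           = $vmhost.Name
    LockdownMode   = $accessMgr.LockdownMode
    ExceptionUsers = ($accessMgr.QueryLockdownExceptions() -join ',')
}

Disconnect-VIServer -Server $vcServer -Confirm:$false
```

Run it as `.\Set-Lockdown.ps1 -Mode lockdownStrict -ExceptionUsers svc-backup` (file name is illustrative); the final object is what you would record in a change ticket, since it shows the mode and exception list the host actually reports after the change.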

Add Users To The DCUI.Access Advanced Option

The main purpose of the DCUI.Access advanced option is to allow you to exit lockdown mode in case of catastrophic failure, when you cannot access the host from vCenter Server. You add users to the list by editing the Advanced Settings for the host from the vSphere Web Client.

However, caution is needed because this directly affects the security posture of the host(s). Keep in mind that exception users can only perform tasks for which they have privileges.

1: Browse to the host in the vSphere Web Client object navigator.

2: Click the Manage tab and select Settings.

3: Click Advanced System Settings and search for DCUI.Access.

lckmode-10.PNG

Click Edit and enter the user names, separated by commas. By default, the root user is included.

lckmode-13.PNG

Note: If you are adding a local user here, that user must already exist on the ESXi host.

lckmode-12.PNG
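The DCUI.Access edit shown above can also be done from PowerCLI, which is convenient when the same emergency account has to be added to many hosts. This is an added example, not code from the original post or from VMware; it assumes an existing `Connect-VIServer` session to the managing vCenter Server, and the host name and the account name `dcui-break-glass` are placeholders. As the note above says, the account must already exist as a local user on the host; the script only edits the advanced option and then lists every name the option now contains so that unexpected entries stand out during review.

```powershell
# Added example (not from the original post): append an emergency account to
# the DCUI.Access advanced option of an ESXi host and report the result.
# Assumptions: Connect-VIServer has already been run against the managing
# vCenter Server; $hostName and $emergencyUser are placeholders; the account
# already exists as a local user on the host.
$hostName      = 'esxi01.example.local'   # assumption
$emergencyUser = 'dcui-break-glass'       # placeholder local account

$vmhost  = Get-VMHost -Name $hostName
$setting = Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access'

# The value is a comma-separated list. Keep the existing entries (root is
# there by default), trim whitespace and avoid adding a duplicate.
$current = @($setting.Value -split ',' |
             ForEach-Object { $_.Trim() } |
             Where-Object { $_ })

if ($current -notcontains $emergencyUser) {
    $newValue = ($current + $emergencyUser) -join ','
    Set-AdvancedSetting -AdvancedSetting $setting -Value $newValue -Confirm:$false | Out-Null
}

# Verify from a fresh read and list every account that can now exit lockdown
# mode from the DCUI; anything beyond root and the approved emergency account
# deserves a second look.
(Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value -split ',' |
    ForEach-Object { '{0}: DCUI.Access grants {1}' -f $vmhost.Name, $_.Trim() }
```

Because DCUI.Access is a per-host setting, wrapping the body in a `foreach` over `Get-VMHost` (or over a cluster) applies the same review to every host; the final listing is the part worth keeping as evidence.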

And that's it for this post.

Additional Reading

Set Lockdown Mode in vSphere 6 via PowerCLI

VMware Docs

vSphere 6 Security Guide

vSphere 6.0 Hardening Guide

I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂