VMware vSphere 6 – Enable Lockdown Mode in VMware ESXi 6.0

Maintain a high security environment for your Infrastructure is one of the great best practices in many ways. There are many ways which you can restrict access to your infrastructure just avoid any unexpected situations for your sensitive data. 
Here, what I’m going to show is one of the common and best way to restrict access to your VMware environment. We call it “VMware Lockdown Mode”. There are two types of Lockdown modes available in VMware so far. 
  • Normal – Host is accessible only through the DCUI (Direct Control User Interface) or the VMware vCenter server. If you lost the access to your vCenter server, still you have a chance to exit the host from the “Lockdown Mode” with a privileged user account
  • Strict – You are not able to access DCUI with the Strict mode and you must use the vCenter to access and remove the “Lockdown Mode”. If you lost access to the vCenter server while you enabled the “Strict Lockdown Mode” your host might be unavailable. Only option you have is re-install the ESXi from the scratch

To enable the “Lockdown Mode” Right-click on the host which you want to enable the lockdown mode and select “Settings” (I’m using the web console)

Go to “Manage” tab and select “Security Profile”, then you will be able to find the Lockdown mode. Click on “Edit” to change the setting

Then you will get the “Lockdown Mode” window and you can enable the Normal/Strict mode according to your requirement. I’m enabling the “Strict Mode” in my case. Click “OK” to accept the Warning message and enable the Strict Lockdown mode

Click “OK” and note the completed tasks in the “Recent Task” window 

Now you have enabled the “Lockdown Mode” and try to access it through the DCUI. DCUI is stopped in the “Strict Lockdown Mode”. You need to only use the vCenter to turn off the Strict Lockdown Mode

Adding Exception Users in to the Lockdown Mode

Still you can provide access to your host while you are in the Lockdown mode for some user accounts to continue the work and access. This might be helpful for third party applications or solutions to continue the functionality while in the Lockdown Mode. 
Once you get the Lockdown Mode window select the “Exception Users” and click on the green “+” sign to add the local users to the lockdown mode
Add the local user to the “Exception Users” list and click “OK” to add to the users
You can see the added users and “OK” to complete the user addition 

Use DCUI to disable the “Normal Lockdown Mode”

Let’s say you are on the “Normal Lockdown Mode” still you can use the DCUI to disable the lockdown mode without the vCenter. Again, if you are on the “Strict Lockdown Mode” you are not able to do this. 
I’m enabling the “Normal Lockdown Mode” 
Login to your DCUI with the root credentials and select the “Configure Lockdown Mode”, you can see it as enabled, hit “Enter” to change the mode
Use the “Space bar” to toggle the selection 

You can see it as Disabled once you change the Mode

 

Note : SSH and Shell is not affected by Lockdown Mode and you need to disable/enable it manually

Leave a Reply