Lockdown Mode in VMware vSphere, Decide to Activate!
Lockdown mode is one way to apply the maximum level of restriction to ESXi hosts. In this post we look at what lockdown mode actually does and decide together whether to activate it in VMware vSphere.
What’s Lockdown Mode in VMware vSphere?
ESXi hosts can be managed through vCenter Server or directly. Without lockdown mode, anyone who has network access to an ESXi host and valid host credentials can log on to the host itself and change the host configuration as well as the configuration of its virtual machines. In other words, by gaining access to a single host, an attacker can alter your configuration, destroy your virtual machines, and affect the whole virtualization environment.
Keep in mind that some configuration changes made on one host in a cluster also affect the other hosts in that cluster.
Lockdown mode prevents users from logging on to the ESXi host directly and performing operations there. Configuration changes have to be made through vCenter Server instead.
Behavior of Lockdown Mode in VMware vSphere
Lockdown mode has two variants, and they behave differently:
- Normal Lockdown Mode
- Strict Lockdown Mode
In both normal and strict lockdown mode, privileged users can still access the host through vCenter Server, from the vSphere Client, or by using the vSphere Web Services SDK. In strict mode the DCUI service is stopped, so the DCUI cannot be accessed at all.
In normal lockdown mode, however, accounts on the Exception Users list can access the DCUI if they have administrator privileges on the host. In addition, all users specified in the DCUI.Access advanced system setting can access the DCUI. If your user is on the Exception Users list, a session you already have open remains open when the host enters lockdown mode.
Comparison: Normal Mode vs Normal Lockdown Mode vs Strict Lockdown Mode
| Service | Normal Mode | Normal Lockdown Mode | Strict Lockdown Mode |
|---|---|---|---|
| vSphere Web Services API | All users, based on permissions | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) |
| CIM Providers | Users with administrator privileges on the host | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) | vCenter (vpxuser); Exception users, based on permissions; vCloud Director (vslauser, if available) |
| Direct Console UI (DCUI) | Users with administrator privileges on the host, and users in the DCUI.Access advanced option | Users defined in the DCUI.Access advanced option; Exception users, based on permissions | DCUI service is stopped |
| ESXi Shell (if enabled) and SSH (if enabled) | Users with administrator privileges on the host | Users defined in the DCUI.Access advanced option; Exception users, based on permissions | Users defined in the DCUI.Access advanced option; Exception users, based on permissions |
Enable lockdown mode when you want to require that all configuration changes go through vCenter Server. vSphere 6.0 and later supports both normal lockdown mode and strict lockdown mode.
If you want to disallow all direct access to a host completely, select strict lockdown mode. Be aware of the failure mode, though: in strict mode the DCUI is stopped, so if you have also disabled SSH and the ESXi Shell, and vCenter Server becomes unavailable, there is no remaining way to reach the host. Check the state of those services before you switch a host to strict mode.
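The following PowerCLI script is an added example and is not part of the original post or of VMware's documentation. It audits a host's current lockdown state (mode, DCUI.Access, SSH and ESXi Shell services, exception users), refuses to switch to strict mode when both out-of-band shells are stopped, and then applies the exception list before the mode change so the emergency account is never locked out between the two calls. The vCenter name, host name and the exception account `emergency-admin` are assumed values; the `HostAccessManager` API it uses is available on vSphere 6.0 and later.

```powershell
# Added example: audit and set ESXi lockdown mode with PowerCLI.
# Assumed values (hypothetical, adjust for your environment): vCenter "vcsa.lab.local",
# host "esxi01.lab.local", exception account "emergency-admin".
# Requires VMware PowerCLI and vSphere 6.0+ (HostAccessManager API).
param(
    [string]$VCenter      = 'vcsa.lab.local',
    [string]$HostName     = 'esxi01.lab.local',
    [string]$TargetMode   = 'lockdownNormal',      # lockdownDisabled | lockdownNormal | lockdownStrict
    [string[]]$Exceptions = @('emergency-admin')   # must already hold the Administrator role on the host
)

Connect-VIServer -Server $VCenter | Out-Null
$vmhost    = Get-VMHost -Name $HostName
$hostView  = Get-View -Id $vmhost.Id
$accessMgr = Get-View -Id $hostView.ConfigManager.HostAccessManager

# --- 1. Audit the current state ---------------------------------------------
$currentMode       = $accessMgr.LockdownMode      # lockdownDisabled | lockdownNormal | lockdownStrict
$dcuiAccess        = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value
$ssh               = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
$shell             = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM' }
$currentExceptions = $accessMgr.QueryLockdownExceptions()

Write-Host "Host            : $HostName"
Write-Host "Lockdown mode   : $currentMode"
Write-Host "DCUI.Access     : $dcuiAccess"
Write-Host "SSH running     : $($ssh.Running)   ESXi Shell running: $($shell.Running)"
Write-Host "Exception users : $($currentExceptions -join ', ')"

# --- 2. Pre-flight check: do not lock yourself out --------------------------
# In strict mode the DCUI service is stopped. If vCenter then becomes unavailable,
# the only remaining paths are SSH / ESXi Shell for exception users, so refuse
# to go strict when both of those are stopped.
if ($TargetMode -eq 'lockdownStrict' -and -not $ssh.Running -and -not $shell.Running) {
    throw "Refusing strict lockdown on $HostName: SSH and ESXi Shell are both stopped; the host would be unreachable if vCenter were unavailable."
}

# --- 3. Apply the exception list first, then the lockdown mode --------------
$accessMgr.UpdateLockdownExceptions($Exceptions)
$accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]$TargetMode)

# --- 4. Verify the change from the host's point of view ---------------------
$accessMgr.UpdateViewData()
Write-Host "New lockdown mode: $($accessMgr.LockdownMode)"
Write-Host "Exception users  : $($accessMgr.QueryLockdownExceptions() -join ', ')"

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run the audit part alone first (comment out steps 3 and 4) across all hosts with `Get-VMHost` in a loop to see which hosts have SSH or the ESXi Shell running; those services should be stopped in normal operation, and the exception account should be a dedicated, strongly protected local account rather than root.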
Advantages vs Disadvantages of Lockdown Mode in VMware vSphere
Firstly, the security team is not usually concerned with how much harder troubleshooting becomes for the virtualization administrators; they want the platform and its services kept secure. Enabling lockdown mode does make the services more secure, but it has disadvantages, such as longer downtime when vCenter Server is completely unavailable and you cannot manage the hosts directly.
Secondly, you will be offered the option of nominating an exception user for emergency cases, but that account is still a direct logon path: an attacker who obtains its credentials can log on to the host with it.
Thirdly, you have to accept responsibility for an important password, the one of the exception user, and protect it accordingly.
As a result, lockdown mode adds real safety to your environment, but using it, especially strict mode, raises concerns about configuration and troubleshooting that you need to plan for.
Alternatively, you can keep your hosts isolated from other services and ask the security team to protect them by placing them behind a strong firewall and restricting which networks and accounts can reach the management interfaces.
Reference: VMware KB 1008077, Enabling or disabling Lockdown mode on an ESXi host.