Lockdown Mode in VMware vSphere, Not Easy to Decide!
Lockdown mode could be useful to achieved maximum restriction to ESXi hosts. Let’s decide to activate this mode in VMware vSphere together at this post.
What’s Lockdown Mode in VMware vSphere?
ESXi hosts managing via vCenter or directly in virtualization environment and who has network access to ESXi host be able to logon and change host’s configuration and virtual machine configuration as well. In other words, anyone can change your configuration and destroy your virtual machine and also affect whole virtualization environment by get access to one host.
Actually, changing some configurations on each host in a cluster, will affect other hosts too.
It doesn’t allow all users to logon to ESXi directly and perform operation. You have to perform configurations via vCenter.
Behavior of Lockdown Mode
This feature has two options, and these two options are different:
- Normal
- Strict
In both modes, privileged users can access the host through vCenter Server, from the vSphere Client, or by using the Web Services SDK. You cannot access to DCUI in strict mode.
However, accounts on the Exception User list can access the DCUI in nomal mode, if they have administrator privileges. In addition, all users who are specified in the DCUI.Access advanced system setting can access the DCUI. If your user is in exception list, your opening session will be remains.
Compare Without It vs Normal Mode vs Strict Mode
| Service | Without It | Normal Mode | Strict Mode |
|---|---|---|---|
| Web Services API | All users, based on permissions | vCenter (vpxuser)Exception users, based on permissionsvCloud Director (vslauser, if available) | vCenter (vpxuser)Exception users, based on permissionsvCloud Director (vslauser, if available) |
| CIM Providers | Users with administrator privileges on the host | vCenter (vpxuser)Exception users, based on permissionsvCloud Director (vslauser, if available) | vCenter (vpxuser)Exception users, based on permissionsvCloud Director (vslauser, if available) |
| Direct Console UI (DCUI) | Users with administrator privileges on the host, and users in the DCUI.Access advanced option | Users defined in the DCUI.Access advanced optionException users with administrator privileges on the host | DCUI service is stopped. |
| ESXi Shell (if enabled) and SSH (if enabled) | Users with administrator privileges on the host | Users defined in the DCUI.Access advanced optionException users with administrator privileges on the host | Users defined in the DCUI.Access advanced optionException users with administrator privileges on the host |
Enable lockdown mode to require that all configuration changes go through vCenter Server. vSphere 6.0 and later supports normal lockdown mode and strict lockdown mode.
If you want to disallow all direct access to a host completely, you can select strict mode. However, if you disabled SSH or ESXi Shell, then you would not access to host.
Advantages vs Disadvantages
Firstly, security guys have no concern about virtualization administrators troubleshooting complexity, they want to keep secure their platform and services. Enabling will keep more secure services but has some disadvantages such as longer downtime when vCenter is unavailable completely.
Secondly, they will offer you to choose a user as exception user to use it in emergency cases but still attacker can logon to host by the user.
Thirdly, you have to accept responsibility of an important password for exception user.
Conclusion
As result, lockdown mode will add more safety to your environment but using this mode especially in strict mode add some concerns about configuration and troubleshooting.
However, you can keep your hosts isolated from other services and ask Security Guys to protect your hosts by putting them behind of strong firewall and restrict access to hosts.
Further Reading
Virtual Environments Vulnerability Assessment By GSM (OpenVAS)
External Links
Enabling or disabling Lockdown mode on an ESXi host (1008077)
