A Look at ESXi 5 Lockdown Mode

by admin

As described in the vSphere Security Guide:

To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, all operations must be performed through vCenter Server. Only the vpxuser user has authentication
permissions, no other users can perform operations against the host directly.

Lockdown mode basically means that your host is configured to allow connections only from vCenter, with the only user with permissions to log onto the host being the vpxuser account. As lockdown mode only allows connections from vCenter, vCLI and vMA will not be able to interact with the host directly and will need to be used with vCenter instead.

Lockdown mode can be enabled when adding the host to vCenter using the vSphere client, in the hosts security options in the vSphere client, or by using the dcui (Direct Console User Interface).

Using the vSphere Client to Configure Lockdown Mode

The Lockdown Mode configuration can be found under the Configuration | Security Profile settings:

lockdownmode

Once enabled, you will only be able to access the host by connecting to vCenter or directly, using the DCUI. To enable or disable using the DCUI, log in and then select ‘Configure Lockdown Mode’:

dcui_lockdown_mode

Configuring Lockdown Mode using the CLI

You can check if lockdown mode is enabled using the CLI by running:

vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled

To enable lockdown mode:

vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter

And to disable lockdown mode:

vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit

Configuring Total Lockdown Mode

Total lockdown mode, in addition to the restrictions put in place by lockdown mode, further restricts access by disabling the DCUI. This means that there is no way to access the host, or disable lockdown mode, other than through vCenter. If access to vCenter is lost then the host would need to have ESXi reinstalled.

To enable total lockdown mode you first need to enable lockdown mode as shown above. Next you need to disable access to the DCUI by stopping the DCUI service and setting it to manual startup:

total_lockdown_mode

Once this has been done you will no longer be able to log into the DCUI:

disable_dcui

The only way to disable total lockdown mode is through vCenter.

Configuring Lockdown Mode using PowerCLI

To enable Lockdown Mode using PowerCLI you can run the following:

(get-vmhost esxi1.vmlab.loc | get-view).EnterLockdownMode() | get-vmhost | select Name,@{N="LockDown";E={$_.Extensiondata.Config.adminDisabled}} | ft -auto Name LockDown

To disable lockdown mode you can run:

(get-vmhost esxi1.vmlab.loc | get-view).ExitLockdownMode()

Useful Links and Resources

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008077


Keep up to date with new posts on Buildvirtual.net - Follow us on Twitter:
Be Sociable, Share!

Comments on this entry are closed.

Previous post:

Next post: