Ensure Lockdown mode is enabled

Details

Enabling lockdown mode disables direct local access to an ESXi host, requiring the host to be managed remotely from vCenter Server.

There are some operations, such as backup and troubleshooting, that require direct access to the host. In these cases, lockdown mode can be disabled on a temporary basis for specific hosts as needed, and then re-enabled when the task is completed.

Note: Lockdown mode does not apply to users who log in using authorized keys. Also, users in the DCUI.Access list for each host are allowed to override lockdown mode and log in to the DCUI. By default, the “root” user is the only user listed in the DCUI.Access list.

Rationale

Lockdown mode limits ESXi host access to the vCenter server to ensure the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging into a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced.

Solution

To enable lockdown mode, perform the following from the vSphere web client:

1. Select the host.
2. Select “Configure” -> “System” -> “Security Profile”.
3. Scroll down to “Lockdown Mode”.
4. Click “Edit…”.
5. Select the “Enable Lockdown Mode” checkbox.
6. Click “OK”.

Alternately, run the following PowerCLI command from an active Connect-VIServer session:

# Enable lockdown mode for each host. EnterLockdownMode() is a method of the
# HostSystem managed object, reached through the ExtensionData property of
# each VMHost object returned by Get-VMHost.
Get-VMHost | Foreach { $_.ExtensionData.EnterLockdownMode() }
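
The following script is an added example, not code from the article or from CIS: it audits lockdown mode on every host, reports the DCUI.Access list and lockdown exception users the note above describes, and, when run with the hypothetical -Remediate switch, enables normal lockdown through the vSphere 6.0+ HostAccessManager API instead of the older EnterLockdownMode() call. It assumes the VMware.PowerCLI module and an existing Connect-VIServer session.

```powershell
# Added example (not from the original article). Audit, and optionally
# remediate, lockdown mode on all hosts visible to the connected vCenter.
# Assumes VMware.PowerCLI is loaded and Connect-VIServer has already run.
param(
    [switch]$Remediate   # hypothetical switch: enable lockdown on non-compliant hosts
)

$report = foreach ($vmhost in Get-VMHost) {
    # HostAccessManager exposes LockdownMode, ChangeLockdownMode() and
    # QueryLockdownExceptions() (vSphere API 6.0 and later).
    $ham  = Get-View $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $mode = $ham.LockdownMode          # lockdownDisabled | lockdownNormal | lockdownStrict

    # Users in DCUI.Access can still reach the DCUI while the host is locked down;
    # lockdown exceptions are accounts excluded from lockdown entirely.
    $dcui       = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value
    $exceptions = @($ham.QueryLockdownExceptions())

    $compliant = ($mode -ne 'lockdownDisabled')
    if (-not $compliant -and $Remediate) {
        # Normal lockdown keeps the DCUI available to DCUI.Access users (root by
        # default), which is what the manual steps in this control enable.
        $ham.ChangeLockdownMode('lockdownNormal')
        $ham.UpdateViewData('LockdownMode')   # re-read the property after the change
        $mode      = $ham.LockdownMode
        $compliant = ($mode -ne 'lockdownDisabled')
    }

    [pscustomobject]@{
        Host       = $vmhost.Name
        Lockdown   = $mode
        Compliant  = $compliant
        DCUIAccess = $dcui
        Exceptions = ($exceptions -join ',')
    }
}

$report | Format-Table -AutoSize

# Hosts that still allow direct local access; review the exception list even on
# compliant hosts, since every entry there bypasses lockdown mode.
$report | Where-Object { -not $_.Compliant } | Select-Object Host, Lockdown
```

Run it without -Remediate first to see which hosts would be changed and who is exempted before enabling lockdown in bulk.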

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following system type: VMware.


Updated on July 16, 2022