Lockdown Mode – vSphere 6

Lockdown Mode in ESXi host is around the corner since version 4. There were no ‘major’ changes to it untill version 6. VMware has come up with a more effective way of hardening the ESXi hosts in the vSphere 6 as there were ways to bypass lockdown mode in earlier versions. vSphere with version 6 introduced Strict Lockdown Mode and Exception Users to accomplish this. So without any delay, let’s get started with our discussion.

As a review, Lockdown Mode locks the ESXi to be managed directly and is a way of forcing to manage ESXi hosts using vCenter Server. Having said that, with version 6 and the changes it brought, we have to discuss a bit further and understand the Lockdown mode in-depth.

vSphere 6 has two lockdown modes

  • Normal Lockdown Mode
  • Strict Lockdown Mode

Before knowing further about the modes, let’s learn something about DCUI.Access and Exception Users list.

DCUI.Access – List of local user accounts which are granted unconditional access to DCUI. Note that this is local to ESXi host

2016-10-31-11_10_30-vsphere-web-client

Exception Users – A list of user accounts that keep their permissions when the host enters Lockdown mode. Only third-party solution accounts and service accounts should be made part of this list to respect Lockdown mode. Members here can be part of an AD.

2016-10-31-11_42_45-vsphere-web-client

In Normal Lockdown Mode, the DCUI service is not stopped and if the host is unmanageable from vCenter/web client, only the accounts specified in the DCUI.Access and those with administrative access in the Exception Users list will be able to access the DCUI console.

In Strict Lockdown Mode, the DCUI service is stopped and if the host is unmanageable from web client, the ESXi host becomes unavailable unless Shell and SSH are enabled and Exception Users are configured on it. If restoring ESXi fails, the only option here is to reinstall the ESXi. Yes, i warned you!

SSH and ESXi shell accesses are independent of the lockdown mode and to make hosts more secure, it is always recommended to disable these services.

You can enable lockdown mode in three ways

Using Add Host Wizard

Using the Add host wizard, you can enable lockdown mode as below

2016-10-31-12_59_48-vsphere-web-client

Using the Web Client to enable/disable lockdown mode is always the recommended way.

2016-10-31-13_02_07-vsphere-web-client

Select the host, click on the Mange tab and go to settings, Click on the Security Profile and on the right side scroll down to see the Lockdown Mode section. Click Edit button to enable or disable. Upon selecting the Strict mode, you will be given a warning about the DCUI being stopped.

2016-10-31-13_02_35-vsphere-web-client

Click OK to enable Strict lockdown mode.

Using the DCUI

It is only possible to enable and disable normal lockdown mode from the DCUI. Strict Lockdown mode can be changed only using web client.

To do this, use F2 on the console and login as root (or any other account with access) and go to configure lockdown mode and hist enter.

2016-10-31-13_11_48-esx-2-vmware-workstation

Use space to select the option and hit enter.

Note: In earlier version of ESXi hosts, user and group permissions on host were discarded when lockdown mode is enabled from DCUI. From version 6, permissions are preserved when lockdown is enabled and are restored when the lockdown mode is disabled. If you are upgrading hosts to version 6, things can get messed up so it is always a good idea to disable lockdown mode from web client prior to upgrade.

Hope this was informative. Thanks!

Advertisements

#dcui-access, #exception-users, #lockdown-mode, #strict-lockdown-mode, #vsphere-6