vSphere 6, Lockdown mode

What is Lockdown mode?

to improve security of ESXi host which is being managed by vCenter server, we enable lockdown mode on that host, that way it will restrict any operations to be carried out on that host directly but you will be forced to go via vCenter server only to be able to manage that host.

now what do I mean by doing something directly on that host?

  • Using vSphere client to connect to host directly and creating a new VM, removing an existing VM, powering on/off/suspending a VM, or making any configuration modification on host.
  • using vCLI to login directly into host to do any of the above activity
  • using ssh client to login directly into host and doing any of those activities listed in first bullet point.

Since the host is being managed to vCenter and vCenter has got it’s own central access and authentication mechanism in place. Why would I want above things to be done directly, I would like to use that vCenter server’s access and authentication mechanism to have centrally managed security. Where I create roles, and assign permissions on inventory objects of vCenter server to user/group accounts.

what vSphere 6 has to offer when it comes to enabling lockdown mode.

To reach upto this settings, Login in your vSphere Web client 6.0, Go to Host and Cluster Inventory, Select your Host, GO TO manage->Settings->Security Profile->Lockdown mode like it’s visible in following screenshot

Screen Shot 2015-06-05 at 4.19.04 pm


By Clicking on Edit button I can see following screen

Screen Shot 2015-06-05 at 4.19.21 pm

  1. Normal lockdown mode
  2. strict lockdown mode
  3. no lockdown mode (Disabled)

Along with that we have a discussion of Exception users list & users who have access to DCUI

  1. Normal Lockdown mode
  • this is same as we had in previous versions of vSphere prior to version 6.0, you enable lockdown mode, will leave vpxuser as only user account in host with full privileges on host and rest of the user account doesn’t have any privileges any more. Except root user who is part of DCUI.Access so root account still can access DCUI in case we lost connection to vCenter.

2) Strict Lockdown mode

  • This is where you will get DCUI service of host also being stopped, so now even people in DCUI.Access list will not have any control because DCUI is not running.

in above two case, Exception users list plays a specific role. Those uses will still have access to your SSH shell (Technical support mode). Like in following screenshot I have added root account as Exceptions users list. If I do that on all the esxi hosts than I don’t have to worry about disabling lockdown mode at the time when I want to connect to host directly via SSH etc.Screen Shot 2015-06-05 at 4.19.57 pm

VMware KB 1008077