Leveraging the lock-down feature adds more security to ESXi hosts, and to the whole vSphere environment, by restricting direct access to the hosts (DCUI, ESXi web client, SSH), which reduces the chances of a host being compromised. vCenter Server becomes the main management console for the ESXi hosts.
With the “Exception Users” list, you can specify the user accounts that can still access ESXi hosts directly while lock-down mode is enabled.
Points to be covered in this article:
- Lock-down modes.
- Configuring Lock-down mode.
- Configuring Lock-down mode with exception users list.
- Create a safety breaker.
Lock-down modes:
- Normal mode: every interface is restricted. The shell interfaces (shell/SSH) are available only to the accounts in the exception users list, and only the root account is allowed to access the DCUI. Managing ESXi is mainly performed via vCenter Server.
- Strict mode: the same as normal mode, but the DCUI is disabled as well.
Note: losing vCenter access to an ESXi host that has “Strict mode” enabled, while both the shell and SSH are disabled, will require re-installing ESXi. According to VMware, there is no safety breaker for strict mode.
Modes Quick Comparison
Interface | Normal mode | Strict mode
--- | --- | ---
vCenter control | allowed | allowed
ESXi web console | denied to all users, including “root” | denied to all users, including “root”
DCUI | root and the local users defined in “DCUI.Access” | DCUI service is disabled
Shell / SSH | restricted to the users in the “exception users” list; root is denied | restricted to the users in the “exception users” list; root is denied
Please refer to the references listed at the end of this article for further details about accessibility.
Let’s get started!
Configuring Lock-down mode
1- Log in to your vSphere 6.x web console, select the host on which you want to enable lock-down mode, and then click Configure >> Security Profile >> scroll down to the “Lockdown Mode” section >> click “Edit”.
2- Select the desired mode. In this example, I will proceed with “Normal mode”. Then click OK.
3- Make sure that the status has changed to the desired mode.
4- Now the “root” account (and every other user account) will fail to log in directly to the host via shell/SSH.
The basic configuration is complete.
Now, let’s try “strict mode”. Repeat the same steps above, but choose “strict mode” this time, confirm the warning message, and then click “OK”.
Now go to the DCUI; you will find that it has been disabled by enabling strict mode.
Configuring Lock-down mode with exception users list
The “Exception Users” list was introduced in vSphere 6.0; it is used to specify the user accounts that are granted access to hosts (via shell/SSH) while a lock-down mode is configured. You can only specify users, not groups, which keeps the scope of authorization narrow. Either a local user account or an Active Directory account can be used, and the user must have local admin privileges on each ESXi host. In the following example I will configure lock-down mode with an exception users list step by step.
1- Log in to your vSphere 6.x web console, select the host on which you want to enable lock-down mode, and then click Configure >> Security Profile >> scroll down to the “Lockdown Mode” section >> click “Edit” (refer to the screenshot above under Configuring Lock-down mode, point 1).
2- In the left navigation pane, click “Exception Users”, and then click the plus “+” icon. This step can be performed either while enabling lock-down mode or afterwards.
3- Choose the desired user account. In this example, I will be using an Active Directory user account.
4- Make sure that the selected user(s) are now visible in the list, then click OK.
5- Now we need to grant the user local administrator privileges on the selected hosts. This step is performed via the ESXi direct web console, so you need to disable lock-down mode temporarily, or perform this step before enabling lock-down mode. Log in to a host using a web browser, and then select the “Host” node in the left pane (as shown below) >> Actions >> Permissions.
In this example, I will be using an AD user account, so I won’t need to create a local account on the host.
6- Click “Add user”.
7- Define the desired user; if you are going to use an AD user account, use the format shown in this example. Then click “Add User”. Remember, the host must be a domain member before AD user accounts can be used; otherwise, use local user accounts.
8- Make sure that the user(s) are visible in the list.
We have granted the user local admin privileges and also added it to the Exception Users list. Now, let’s try to log in to the host via SSH using that account: it works!
Create a safety breaker
I suppose, having read this far, that you are now familiar with how the feature works. The “root” account is the only account allowed to access the host DCUI while lock-down mode is enabled. But what if the root password is lost or forgotten for any reason? Or maybe you are the only one who knows it, and your team is not supposed to learn it. In that case, you need a safety breaker: an alternate user account that can be used to disable lock-down mode in an emergency. Keep the password of that account in a safe place, to be used only when required and according to a defined procedure.
This user must be a local user account on each host; it cannot be an Active Directory account.
In the following example, I will create a local account.
BE CAREFUL: THIS USER ACCOUNT DOESN’T NEED TO BE A LOCAL ADMIN, JUST A NORMAL LOCAL USER, WHICH MEANS THAT YOU WILL BE GRANTING FULL PRIVILEGES (DCUI ACCESS, AND WITH IT THE ABILITY TO DISABLE LOCK-DOWN MODE) TO A NORMAL USER. MAKE SURE THAT THE PASSWORD IS COMPLEX AND STORED IN A SAFE PLACE.
Steps
1- Disable lock-down mode temporarily to be able to access the host web console.
2- Log in to the direct web console of the desired ESXi host, and then select Manage >> Security & More >> Users >> Add User.
3- Create a user. I will call my user “safety”; define a complex password, and finally click Add.
4- Now we need to add the name of this user to the host’s advanced parameter named “DCUI.Access”. Go to the vCenter web client, select the host >> Configure >> Advanced System Settings >> Edit.
5- Type “dcui” in the search field to find the parameter faster.
6- Amend the value by adding the username right after “root”, separated by a comma. Then click OK.
7- Verify that the new value has been added successfully.
8- Now let’s try this user on the DCUI; it should log in successfully.
From the DCUI, you can now disable lock-down mode: go to the second option, “Configure Lockdown Mode”, and then disable it to reclaim full access to the host.
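As an added example (not part of the original article), the following PowerCLI script audits the lock-down state that the two procedures above configure (mode, exception users, DCUI.Access) across all hosts, flags a strict-mode host with no exception users (the unrecoverable case noted earlier), and applies the DCUI.Access change from the safety-breaker steps without clobbering existing entries. It assumes an existing Connect-VIServer session to vCenter; the host name and the “safety” account are placeholders.

```powershell
# Added example (PowerCLI), not from the original article. Assumes an existing
# Connect-VIServer session; 'esxi01.example.local' and 'safety' are placeholders.

function Get-LockdownAudit {
    foreach ($vmhost in Get-VMHost) {
        # HostAccessManager exposes the lock-down mode and the exception users list (vSphere 6.0+)
        $ham        = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
        $mode       = [string]$ham.LockdownMode     # lockdownDisabled / lockdownNormal / lockdownStrict
        $exceptions = @($ham.QueryLockdownExceptions())
        $dcuiUsers  = @((Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value -split ',' |
                        ForEach-Object { $_.Trim() } | Where-Object { $_ })

        # Strict mode disables the DCUI, so exception users are the only direct way back in.
        $risk = if ($mode -eq 'lockdownStrict' -and $exceptions.Count -eq 0) {
                    'NO DIRECT RECOVERY PATH'
                } elseif ($mode -eq 'lockdownNormal' -and $exceptions.Count -eq 0 -and $dcuiUsers.Count -le 1) {
                    'root is the only fallback (no safety breaker in DCUI.Access)'
                } else { 'ok' }

        [pscustomobject]@{
            Host           = $vmhost.Name
            LockdownMode   = $mode
            ExceptionUsers = $exceptions -join ','
            DCUIAccess     = $dcuiUsers -join ','
            Risk           = $risk
        }
    }
}

# Adds a local "safety breaker" user to DCUI.Access (steps 4-7 above) idempotently,
# keeping the users already listed. The account must already exist locally on the host.
function Add-DcuiAccessUser {
    param([Parameter(Mandatory)][string]$HostName,
          [Parameter(Mandatory)][string]$UserName)
    $vmhost  = Get-VMHost -Name $HostName
    $setting = Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access'
    $users   = @($setting.Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($users -contains $UserName) { return }
    Set-AdvancedSetting -AdvancedSetting $setting -Value (($users + $UserName) -join ',') -Confirm:$false | Out-Null
}

Get-LockdownAudit | Format-Table -AutoSize
# Add-DcuiAccessUser -HostName 'esxi01.example.local' -UserName 'safety'   # placeholders
```

Run the audit before and after changing a host’s mode so that a move to strict mode is only made on hosts whose Risk column already reads “ok”.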
Related resources: