To increase the security of an ESXi host system managed by a vCenter Server, you can enable Lockdown Mode to prevent users from performing actions directly on the ESXi host over SSH or the ESXi Shell. Users without the DCUI Access privilege are also prevented from accessing the DCUI. Because Lockdown Mode restricts direct access, all actions on a managed ESXi host must be performed through a connection to the vCenter Server system using an account with the necessary permissions.
Lockdown Mode is only available when an ESXi host system is managed by a vCenter Server and can be enabled and disabled using the following methods.
Configuring Lockdown Mode using the vSphere Web Client
1) Select the ESXi host system you wish to configure Lockdown Mode.
2) Browse to Manage > Security Profile > Lockdown Mode and select Edit.
3) Enable or Disable the Lockdown Mode checkbox and select OK.
Configuring Lockdown Mode using the ESXi Shell Command Line
1) Connect to the ESXi host system using an SSH client.
2) To retrieve the status of Lockdown mode, invoke the following:
~ # vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
false
3) To enable Lockdown Mode, invoke the following:
~ # vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
4) To disable Lockdown Mode, invoke the following:
~ # vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
Configure Lockdown Mode Using the Direct Console User Interface
1) Connect to the ESXi host system using the DCUI.
2) Press F2 to customise the system.
3) Select Configure Lockdown Mode.
4) Enable or Disable Lockdown Mode using the spacebar to toggle the configuration state.
5) Select OK.
Configure Lockdown Mode using PowerCLI
1) Connect to the ESXi host system using the Connect-VIServer cmdlet.
2) To retrieve the status of the Lockdown Mode, invoke the following using the Get-VMHost cmdlet.
Get-VMHost esxi1.dean.local | Select Name, @{N="Lockdown Mode";E={$_.ExtensionData.Config.adminDisabled}}
3) Invoke the following to enable Lockdown Mode using the Get-View cmdlet.
(Get-VMHost esxi1.dean.local | Get-View).EnterLockdownMode()
Get-VMHost esxi1.dean.local | Select Name, @{N="Lockdown Mode";E={$_.ExtensionData.Config.AdminDisabled}}
4) Invoke the following to disable Lockdown Mode using the Get-View cmdlet.
(Get-VMHost esxi1.dean.local | Get-View).ExitLockdownMode()
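The per-host commands above extend naturally to a vCenter-wide audit. The following PowerCLI script is an added example, not part of the original post: it connects to a vCenter Server (the placeholder name vcenter.dean.local and the -Enforce switch are assumptions), reports the Lockdown Mode state of every managed host, and optionally enables it where it is off, re-reading the host view afterwards because EnterLockdownMode() returns nothing.

```powershell
# Added example: audit (and optionally enforce) Lockdown Mode on every ESXi host
# managed by a vCenter Server. Requires PowerCLI; run with:
#   .\Audit-LockdownMode.ps1 -VCenter vcenter.dean.local [-Enforce]
param(
    [Parameter(Mandatory = $true)][string]$VCenter,   # vCenter Server to connect to (placeholder)
    [switch]$Enforce                                   # hypothetical switch: enable Lockdown Mode where it is off
)

Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    $view   = $vmhost | Get-View
    $locked = [bool]$view.Config.AdminDisabled   # same property the Select-Object examples read
    $note   = ''

    if (-not $locked -and $Enforce) {
        if ($vmhost.ConnectionState -ne 'Connected') {
            # A disconnected or unresponsive host cannot be changed from vCenter.
            $note = 'skipped: host not connected'
        } else {
            try {
                # EnterLockdownMode() returns no object, so piping its result
                # onward (as in the broken one-liner) would not show the new state.
                $view.EnterLockdownMode()
                $view.UpdateViewData('Config.AdminDisabled')   # refresh only the property we need
                $locked = [bool]$view.Config.AdminDisabled
                $note   = 'Lockdown Mode enabled'
            } catch {
                $note = "failed: $($_.Exception.Message)"
            }
        }
    }

    [pscustomobject]@{
        Name            = $vmhost.Name
        ConnectionState = $vmhost.ConnectionState
        LockdownMode    = $locked
        Note            = $note
    }
}

$report | Sort-Object LockdownMode, Name | Format-Table -AutoSize

# Hosts without Lockdown Mode remain directly reachable over SSH, the ESXi Shell
# and the DCUI, so call them out explicitly for follow-up.
$unlocked = @($report | Where-Object { -not $_.LockdownMode })
if ($unlocked.Count -gt 0) {
    Write-Warning ("{0} host(s) without Lockdown Mode: {1}" -f $unlocked.Count, ($unlocked.Name -join ', '))
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```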