vHerseyVMware

Using ESXi Lockdown Mode

Recently Chris Wahl (@ChrisWahl) wrote a post on Using a Blank Initial ESXi Password to Your Advantage. If the root password on an ESXi hosts is blank the vSphere Client will place a warning on the hosts. The thought behind this method is that if you are using a non-complex password for the root user of ESXi hosts there is no warning, if the root password is blank there is. This warning provides a reminder that you need to go back and create complex passwords for your ESXi hosts. Great post and nice tip.

There is another option for reducing the security risks associated with simple root passwords (or even no root password) on the hosts, enabling Lockdown Mode.

Lockdown Mode can be enabled when adding a new host to the vCenter inventory or in the host Security Profile configuration. Lockdown Mode disables remote access to the host unless you have authenticated against vCenter.

Enabling Lockdown Mode in the vSphere Web Client
Enabling Lockdown Mode in the vSphere Web Client

Once enabled Lockdown Mode can be disabled from the Security Profile configuration or from the DCUI on the host console.

Configuring Lockdown Mode with DCUI
Configuring Lockdown Mode with DCUI

When Lockdown Mode is enabled the ESXi host can still be managed using vCLI, the VMA, or PowerCLI but all authentication must be done through the vCenter Server managing the host. Attempting to access the host directly will fail.

With Lockdown Mode enabled direct access to the hosts is denied.
With Lockdown Mode enabled direct access to the hosts is denied.

As Chris mentioned in his response to my comment oh his post, Lockdown mode is rarely used. Wonder why this is? Seems like a good security practice and provides a layer of defense against unauthorized host access.

2 thoughts on “Using ESXi Lockdown Mode

  • If your vCenter is a VM, it crashes and is unrecoverable, you’ll have to bring up another vCenter and attach your ESXi to to it to disable lockdown mode. This is especially problematic if your vCenter VM lives on the same ESXi host on which you have enabled lockdown mode.

    Reply
    • Mohammed,

      Thanks for stopping by and for the comment. Lockdown mode can also be disabled from the DCUI on the console. You would have to log into the host console as root. This assumes you have not disabled the DCUI. If the DCUI has been disabled (Total Lockdown Mode) then you are correct this would cause a problem if your vCenter VM lives on the same ESXi hosts that have been totally locked down (DCUI disabled).

      Hersey

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

two × four =