Lockdown Mode is a new feature in VMware ESXi 4.x. It adds security by restricting access to your ESXi hosts to either the root user on the local console or a vCenter management server. With Lockdown enabled, the vSphere Client cannot be used to connect directly to the host, local and remote troubleshooting modes are disabled, and existing direct vSphere Client connections are dropped, but existing local or remote troubleshooting sessions are not.
If you enable Lockdown Mode from the console, local accounts have their permissions/roles removed. However, this doesn’t happen if you enable it from vCenter.
To enable it from vCenter, navigate to Host/Configure/Security Profile.
Click Edit in the Lockdown Mode section.
Note that if you connect directly to the host with the vSphere Client, Lockdown is not an option.
To enable from the console, log in and select Lockdown Mode from the menu.
Check or uncheck Lockdown Mode to toggle it on or off.
When Lockdown is enabled, existing vSphere Client connections get dropped.
Existing console logins are retained, but only the root account can initiate a new login. Troubleshooting modes are disabled, but current troubleshooting logins are maintained.
If you enable Lockdown from vCenter, local user accounts and their permissions are retained (they are usable again after you disable Lockdown). If you enable Lockdown from the local console, local users are retained but their permissions are removed. If you enable and disable Lockdown from vCenter, the status is updated correctly in the local console, but if you enable or disable it from the local console, vCenter doesn’t get updated.
Screenshots: before and after vCenter-initiated Lockdown; before console-initiated Lockdown; after console-initiated Lockdown.
Best Practice:
Use Lockdown mode to enhance security.
Manage Lockdown mode from vCenter console.
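The following PowerCLI script is an added example, not code from the original post or from VMware. It puts the two best practices above into an auditable form: it lists every host managed by a vCenter and reports whether Lockdown Mode is on, and with -Enforce it enables Lockdown from vCenter rather than from the local console, so local accounts keep their permissions as described above. The vCenter name is a placeholder; Connect-VIServer, Get-VMHost, Get-View and UpdateViewData are standard PowerCLI, and Config.AdminDisabled and EnterLockdownMode() are the vSphere API's Lockdown property and method. One caveat follows from the post itself: the script reads what vCenter reports, so a toggle made at the local console, which vCenter does not pick up, can be missed by this audit.

```powershell
# Added example (not from the original post): audit Lockdown Mode on all hosts
# in a vCenter inventory and optionally enable it from vCenter.
# Assumptions: PowerCLI is installed and the account used can administer the
# vCenter named in $VCenter (placeholder name, not from the post).
param(
    [string]$VCenter = 'vcenter.example.local',  # placeholder vCenter name
    [switch]$Enforce                              # enable Lockdown where it is off
)

Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    # Managed object view of the HostSystem, as vCenter currently reports it.
    $view   = Get-View -VIObject $vmhost
    $locked = [bool]$view.Config.AdminDisabled   # $true when Lockdown Mode is on

    if (-not $locked -and $Enforce) {
        # Enabling from vCenter (not the local console) keeps local users'
        # roles/permissions intact. Existing direct vSphere Client
        # connections to this host are dropped when Lockdown turns on.
        $view.EnterLockdownMode()
        $view.UpdateViewData('Config.AdminDisabled')
        $locked = [bool]$view.Config.AdminDisabled
    }

    if ($locked) { $note = '' } else { $note = 'Lockdown Mode is off' }

    New-Object PSObject -Property @{
        Host     = $vmhost.Name
        Lockdown = $locked
        Note     = $note
    }
}

# Hosts with Lockdown off appear with a note so they stand out in the report.
$report | Select-Object Host, Lockdown, Note | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without -Enforce first to see which hosts are not in Lockdown Mode; rerun with -Enforce once you are sure no administrator relies on direct vSphere Client connections to those hosts, since those connections are dropped the moment Lockdown turns on.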
Check my follow-up post about local and remote troubleshooting with local users other than root.