5.5 Ensure Normal Lockdown mode is enabled

Information

Enabling lockdown mode disables direct local access to an ESXi host, requiring that the host be managed remotely through vCenter Server.

There are some operations, such as backup and troubleshooting, that require direct access to the host. In these cases, lockdown mode can be disabled on a temporary basis for specific hosts as needed, and then re-enabled when the task is completed.

Note: Lockdown mode does not apply to users who log in using authorized keys. Also, users in the DCUI.Access list for each host are allowed to override lockdown mode and log in to the DCUI. By default, the 'root' user is the only user listed in the DCUI.Access list.

Rationale:

Lockdown mode limits ESXi host access to vCenter Server so that the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging into a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently obtaining elevated privileges, or performing tasks that are not properly audited, is greatly reduced.

Impact:

With Normal lockdown mode enabled, the host is manageable only through vCenter Server; direct 'local' access (ESXi Shell, SSH, and the host client) is refused for any account not on the host's exception lists. Users in DCUI.Access can still log in at the DCUI, which is the recovery path if vCenter Server becomes unavailable; verify that list before enabling lockdown.

Solution

To enable lockdown mode, perform the following from the vSphere Web Client:

From the vSphere Web Client, select the host.

Select Configure then expand System and select Security Profile.

Across from Lockdown Mode click on Edit.

Click the radio button for Normal.

Click OK.

Alternately, run the following PowerCLI command:

# Enable lockdown mode for each host.
# EnterLockdownMode() is a method of the HostSystem managed object, which
# PowerCLI exposes through the VMHost object's ExtensionData property.
Get-VMHost | Foreach { $_.ExtensionData.EnterLockdownMode() }
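The PowerCLI below is an added example, not part of the CIS benchmark text, that covers both the audit a practitioner needs before enforcing this recommendation (the lockdown state of each host together with the DCUI.Access list and lockdown exception users described in the Note above) and the remediation. It assumes an existing Connect-VIServer session to vCenter Server and hosts on vSphere 6.0 or later, where the HostAccessManager managed object and the HostConfigInfo.LockdownMode property are available; the function names Get-LockdownAudit and Set-NormalLockdown are the example's own.

```powershell
# Added example (not from the CIS benchmark). Assumes: an active
# Connect-VIServer session and vSphere 6.0+ hosts (HostAccessManager API).

# Audit: for every host, report the lockdown state and the two lists whose
# members bypass lockdown: the DCUI.Access advanced setting and the
# lockdown exception users kept by HostAccessManager.
function Get-LockdownAudit {
    Get-VMHost | ForEach-Object {
        $hostView = $_.ExtensionData                      # HostSystem view
        $hostView.UpdateViewData('Config.LockdownMode')   # refresh cached state
        $ham = Get-View $hostView.ConfigManager.HostAccessManager
        [pscustomobject]@{
            Host           = $_.Name
            # lockdownDisabled / lockdownNormal / lockdownStrict
            LockdownMode   = $hostView.Config.LockdownMode
            DcuiAccess     = (Get-AdvancedSetting -Entity $_ -Name 'DCUI.Access').Value
            ExceptionUsers = ($ham.QueryLockdownExceptions() -join ',')
        }
    }
}

# Remediate: switch every host that is not in lockdown to Normal mode using
# HostAccessManager.ChangeLockdownMode (the replacement for the older
# EnterLockdownMode call). Hosts already in Normal or Strict are left alone,
# so the function is safe to re-run. -WhatIf only reports what would change.
function Set-NormalLockdown {
    param([switch]$WhatIf)
    Get-VMHost | ForEach-Object {
        $hostView = $_.ExtensionData
        $hostView.UpdateViewData('Config.LockdownMode')
        if ($hostView.Config.LockdownMode -ne 'lockdownDisabled') {
            Write-Host "$($_.Name): already $($hostView.Config.LockdownMode), skipping"
            return
        }
        if ($WhatIf) {
            Write-Host "$($_.Name): would enable Normal lockdown"
            return
        }
        $ham = Get-View $hostView.ConfigManager.HostAccessManager
        $ham.ChangeLockdownMode('lockdownNormal')
        Write-Host "$($_.Name): Normal lockdown enabled"
    }
}

# Usage: review the audit first, rehearse the change, then apply it.
Get-LockdownAudit | Format-Table -AutoSize
Set-NormalLockdown -WhatIf
# Set-NormalLockdown
```

Run the audit before the remediation: a host whose DCUI.Access value and exception user list are both empty would have no local recovery account once vCenter Server is unreachable, and the audit output is also the evidence for this recommendation. The remediation deliberately selects lockdownNormal rather than lockdownStrict, since Strict mode also stops the DCUI service and removes that recovery path.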

See Also

https://workbench.cisecurity.org/benchmarks/12725