3.20 (L1) Host must enable normal lockdown mode

Information

Implementing normal lockdown mode restricts direct access to ESXi hosts, mandating management via vCenter Server to uphold defined roles and access controls, mitigating risks associated with unauthorized or insufficiently audited activities. Exception Users list serves as an override mechanism, permitting specified users direct access even in lockdown mode. This mode offers a balanced approach between security and operational flexibility compared to the stricter lockdown mode which, if connectivity to vCenter Server is lost, necessitates host rebuilding.

Enabling normal lockdown mode enforces centralized management through vCenter Server, ensuring adherence to organizational access controls and auditing policies. This measure significantly lowers the risk of unauthorized activities by restricting direct host access, promoting a more controlled and auditable operational environment.

Solution

To enable lockdown mode, perform the following from the vSphere web client:

- From the vSphere Web Client, select the host.
- Select Configure then expand System and select Security Profile
- Across from Lockdown Mode click on Edit
- Click the radio button for Normal
- Click OK

Alternately, run the following PowerCLI command:

# Enable lockdown mode for each host
Get-VMHost | Foreach { $_.EnterLockdownMode() }

Impact:

The activation of lockdown mode may impede direct host access for certain operations like backup and troubleshooting. Although temporary deactivation is an option, ensuring proper reactivation post-operation is crucial to maintain the intended security posture.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(1), CSCv7|16.2

Plugin: VMware

Control ID: 3188d48e6e47e424e1b06e44275069b35ad0c5082a7217e90c33c283f3b095cb