Information
Enable Strict lockdown mode to restrict access.
Enabling lockdown mode disables direct access to an ESXi host requiring the host be managed remotely from vCenter Server.
This is done to ensure the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging into a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced.
Strict lockdown mode stops the DCUI service. However, the ESXi Shell and SSH services are independent of lockdown mode. For lockdown mode to be an effective security measure, ensure that the ESXi Shell and SSH services are also disabled. Those services are disabled by default.
When a host is in lockdown mode, users on the Exception Users list can access the host from the ESXi Shell and through SSH if they have the Administrator role on the host and if these services are enabled. This access is possible even in strict lockdown mode. Leaving the ESXi Shell service and the SSH service disabled is the most secure option.
http://pubs.vmware.com/vsphere-65/topic/com.vmware.vsphere.security.doc/GUID-88B24613-E8F9-40D2-B838-225F5FF480FF.html
Solution
#Run this at the vCenter level or against an individual host -
#Create HostLockdownMode object
$level = New-Object VMware.Vim.HostLockdownMode
#Populate with level of lockdown:(lockdownDisabled,lockdownNormal,lockdownStrict)
$level = "lockdownStrict"
$esxihosts = get-vmhost
foreach ($esxihost in $esxihosts)
{
$myhost = Get-VMHost $esxihost | Get-View
$lockdown = Get-View $myhost.ConfigManager.HostAccessManager
Write-Host ""
Write-Host "Setting Lockdown mode to " $level
$lockdown.ChangeLockdownMode($level)
$lockdown.UpdateViewData()
$lockdownstatus = $lockdown.LockdownMode
Write-Host "Lockdown mode on $esxihost is set to $lockdownstatus"
Write-Host ""
}