During the VCDX Defense panels one of the candidates mentioned using lock down mode for ESXi to add an extra layer of security. It seems that there is a common misunderstanding about the lockdown mode. Here’s how our documentation describes it:
Enabling lockdown mode disables all direct root access to ESXi machines. Any subsequent local changes to the host must be made in a vSphere Client session or vSphere CLI command to vCenter Server using a fully editable Active Directory account. You can also use a local user account defined by the host. By default, no local user accounts exist on the ESXi system. Such accounts can only be created prior to enabling lockdown mode in a vSphere Client session directly on the ESXi system. The changes to the host are limited to the privileges granted to that user locally on that host.
I guess this table explains it a bit better. I ripped it from "it's all virtual", so credit where credit is due:
Access method | Lockdown disabled: access granted | Lockdown enabled: access granted
--- | --- | ---
vCenter | Yes | Yes
Physical console access with root | Yes | Yes
Physical console access with any other user | No | No
vSphere Client directly to ESXi with root | Yes | No
vSphere Client directly to ESXi with any other user | Yes | Yes
PowerCLI / RCLI to ESXi with root | Yes | No
PowerCLI / RCLI to ESXi with any other user | Yes | Yes
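As an added PowerCLI example (not code from the original post or from VMware), the following audits the lockdown state of every host through vCenter and, before enabling it on a host, checks that a local account other than root exists, since a direct root session is refused once lockdown is on. The vCenter name and the credentials are placeholders; the check uses the HostSystem property Config.AdminDisabled and the EnterLockdownMode() API method that sit behind the lockdown checkbox.

```powershell
# Added example, not code from the original post. Audits lockdown mode on
# every host managed by a vCenter Server and, before enabling it on a host,
# checks that a local account besides root exists (the caveat raised in the
# comments for a virtualized vCenter). 'vcenter.example.local' and the
# credentials passed in are placeholders.

function Get-LockdownReport {
    param([string]$VCenter, [pscredential]$Credential)
    Connect-VIServer -Server $VCenter -Credential $Credential | Out-Null
    Get-VMHost | ForEach-Object {
        # Config.AdminDisabled is the host property behind lockdown mode:
        # $true means root is refused on every vSphere API client.
        $view = $_ | Get-View -Property Name, Config.AdminDisabled
        [pscustomobject]@{ Host = $view.Name; Lockdown = [bool]$view.Config.AdminDisabled }
    }
}

function Test-NonRootLocalAccount {
    # Connects straight to the host, which (see the table above) only works
    # for root while lockdown mode is still disabled.
    param([string]$HostName, [pscredential]$RootCredential)
    $esx = Connect-VIServer -Server $HostName -Credential $RootCredential
    $others = Get-VMHostAccount -Server $esx | Where-Object { $_.Id -ne 'root' }
    Disconnect-VIServer -Server $esx -Confirm:$false
    return (@($others).Count -gt 0)
}

function Enable-Lockdown {
    param([string]$VCenter, [pscredential]$Credential,
          [string]$HostName, [pscredential]$RootCredential)
    # Refuse to lock out root on a host that has no other local login path.
    if (-not (Test-NonRootLocalAccount -HostName $HostName -RootCredential $RootCredential)) {
        throw "${HostName}: no local account besides root; create one before enabling lockdown"
    }
    Connect-VIServer -Server $VCenter -Credential $Credential | Out-Null
    $view = Get-VMHost -Name $HostName | Get-View -Property Name, Config.AdminDisabled
    if (-not $view.Config.AdminDisabled) {
        $view.EnterLockdownMode()   # the HostSystem API call behind the checkbox
    }
}

# Usage (uncomment; prompts for credentials):
# $vc = Get-Credential; $root = Get-Credential
# Get-LockdownReport -VCenter 'vcenter.example.local' -Credential $vc | Format-Table
# Enable-Lockdown -VCenter 'vcenter.example.local' -Credential $vc -HostName 'esx01.example.local' -RootCredential $root
```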
Mike Laverick says
Can you say what kind of confusion lockdown mode created…??? I’m not seeing their confusion… 😀
Luca Lo Castro says
Can we not just say that lockdown mode prevents "root" from connecting directly to an ESXi host via any client? If there is any confusion about it, of course.
AJ Ciampa says
Just in addition, this setting presents a problem if you are virtualizing vCenter. If you lose VC and need to log into the ESX host that it was running on, you need to have an account other than root configured for access. This means maintaining local accounts. Something to think about when designing a solution with a virtualized VC.
FS says
I absolutely agree, AJ. Hosting the systems used for authentication poses a risk not to be ignored. Local authentication or domain authentication outside of the hosted environment is crucial.
VirtualRW says
Wrote this post in September of 2008 when ESXi was really taking off. I decided to write it at the time because it was new and I was running into questions on what it did to a host and why it was better. It also caused me issues when it was turned on while I was creating my ESXi Utility. Let's just say I found out the hard way about creating local ESXi users with the RCLI toolkit, eventually learning to use the vCenter authentication with the RCLI kit, which made the lockdown mode irrelevant. But the lesson was learned, so I decided to vent!
Thanks for the credit and the link.
AJ – I’ve also learned the hard way many years ago not to virtualize the vCenter server, the issue you describe is just one of many. vCenter Servers = physical pizza box.
AJ Ciampa says
VirtualRW – Thanks for the original post. It’s always nice to see people catch these things. Especially when it is something my customer is looking at deploying and I haven’t quite learned all the ins and outs of the feature yet 😉
I am hoping to see better AD authentication and integration into future releases that will allow you to use this setting without the need for local user account maintenance.
With regards to virtualizing VC, I actually have no problem recommending it to customers. I feel if done properly it can provide good benefits. That said, you REALLY need to understand the pitfalls associated with failure scenarios and plan accordingly. There is some give and take between going virtual and staying physical. Staying physical eliminates some potential issues, but you do lose out on some of the advantages of virtualization, which is why we virtualize in the first place. There is certainly nothing wrong with staying physical, and it may even be a better option based on your design. I guess I'm trying to say, don't rule it out completely; there is a place for it and it can be done successfully.
AbeS says
http://blogs.vmware.com/esxi/2010/09/the-new-lockdown-mode-in-esxi-41.html
Updated to show that any user accessing through a vSphere API client, e.g. vSphere Client, vCLI, and PowerCLI is disabled to the ESXi hosts.
There is also a new table that shows the state of various services when Lockdown Mode is enabled.
Dan says
So is the assertion that lockdown mode “enhances security” wrong?
My understanding is that it will add a layer of security insofar that the root user can no longer be used (without physical console access) – which to my mind adds a layer of security?
Marco says
I need to configure a local account in an ESXi 5 environment for integration with EMC ECC. Is it possible with lockdown mode enabled?