During the VCDX Defense panels one of the candidates mentioned using lock down mode for ESXi to add an extra layer of security. It seems that there is a common misunderstanding about the lockdown mode. Here’s how our documentation describes it:
Enabling lockdown mode disables all direct root access to ESXi machines. Any subsequent local changes to the host must be made in a vSphere Client session or vSphere CLI command to vCenter Server using a fully editable Active Directory account. You can also use a local user account defined by the host. By default, no local user accounts exist on the ESXi system. Such accounts can only be created prior to enabling lockdown mode in a vSphere Client session directly on the ESXi system. The changes to the host are limited to the privileges granted to that user locally on that host.
I guess this table explains it a bit better. I ripped it from "it's all virtual", so credit where credit is due:
| Access method | Lockdown disabled: access granted | Lockdown enabled: access granted |
|---|---|---|
| vCenter | Yes | Yes |
| Physical console access with root | Yes | Yes |
| Physical console access with any other user | No | No |
| vSphere Client directly to ESXi with root | Yes | No |
| vSphere Client directly to ESXi with any other user | Yes | Yes |
| PowerCLI / RCLI to ESXi with root | Yes | No |
| PowerCLI / RCLI to ESXi with any other user | Yes | Yes |
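Since the table shows that vCenter access keeps working regardless of lockdown state, the natural place to audit and enforce lockdown mode is a PowerCLI session against vCenter. The script below is an added example, not code from the original post or from VMware; it assumes PowerCLI is installed, that you have already run Connect-VIServer against vCenter, and that the vSphere API's EnterLockdownMode() method on the HostSystem object and the HostConfigInfo.AdminDisabled flag reflect lockdown state for your ESXi version (both are vSphere API names, but check them against the API reference for your release).

```powershell
# Added example (not from the original post): report lockdown mode for every
# ESXi host managed by the connected vCenter, and optionally enable it where
# it is off. Assumes an existing Connect-VIServer session to vCenter.
param(
    [switch]$Enable   # without -Enable the script only reports
)

function Get-LockdownReport {
    # One row per host: host name and whether lockdown mode is currently on.
    # Assumption: Config.AdminDisabled is true while lockdown mode is enabled.
    Get-VMHost | ForEach-Object {
        New-Object PSObject -Property @{
            Host     = $_.Name
            Lockdown = [bool]$_.ExtensionData.Config.AdminDisabled
        }
    }
}

function Enable-LockdownOnHost {
    param([string]$HostName)
    $view = Get-VMHost -Name $HostName | Get-View
    if ($view.Config.AdminDisabled) {
        Write-Host "$HostName : lockdown already enabled, skipping"
        return
    }
    # Lockdown is exposed by the vSphere API as a method on the HostSystem
    # managed object; vCenter performs the change, so this keeps working
    # even though direct root access to the host will stop working.
    $view.EnterLockdownMode()
    $view.UpdateViewData()
    Write-Host "$HostName : lockdown now $($view.Config.AdminDisabled)"
}

$report = Get-LockdownReport
$report | Select-Object Host, Lockdown | Format-Table -AutoSize

if ($Enable) {
    foreach ($row in ($report | Where-Object { -not $_.Lockdown })) {
        Enable-LockdownOnHost -HostName $row.Host
    }
}
```

Run it without switches to get an inventory of which hosts are locked down; add -Enable to enter lockdown mode on the ones that are not. Before enabling, decide whether each host needs a local non-root account: as the documentation quoted above says, such accounts can only be created before lockdown is turned on, and they (plus the physical console as root) are what you fall back to if vCenter is unavailable.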