
Enable Lockdown Mode
To harden an ESXi host connected to a vCenter Server, one option is to use lockdown mode, which disables direct connections to the ESXi host. The host is then accessible only through the vCenter Server or, depending on the lockdown mode, through the DCUI.
You can change the lockdown mode in the host settings or from the DCUI (the usual method).
In vSphere 6.x, lockdown mode offers different levels of protection; the available configuration options are as follows:
- Disabled: Lockdown mode is disabled.
- Normal: Lockdown mode is enabled; the DCUI is not blocked, but the Host UI, the ESXi Shell, and ESXi SSH are disabled.
- Strict: Lockdown mode is enabled and all local services are disabled, including the DCUI, which is stopped. ESXi is accessible only through the vCenter Server.
You can configure ESXi lockdown mode from the vSphere Web Client when you add a new host. It's also possible to change the setting later; in that case, select the Security Profile menu in the Configure tab of the desired ESXi host.
Find the Lockdown Mode area (after Services) and click the Edit... button, as follows:

In vSphere 6.x, lockdown mode has a new feature: the Exception Users list. Those users (or solutions) are excluded from lockdown mode (if Normal mode is used). Exception users cannot be managed from the DCUI.
From the DCUI, press F2 and log in, then select Configure Lockdown Mode and press Enter:
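Because the DCUI and the Web Client only show one host at a time, an audit across all hosts is easier from PowerCLI. The following script is an added example, not from the original text or from VMware: it assumes an existing Connect-VIServer session, uses the vSphere API HostAccessManager object (vSphere 6.0 and later) to report each host's lockdown mode and its exception users, and, with the assumed -EnforceNormal switch, raises hosts that are still Disabled to Normal. The function name Get-LockdownReport is an assumption.

```powershell
# Added example (not part of the original page). Requires VMware PowerCLI and an
# active Connect-VIServer session to the vCenter Server.
function Get-LockdownReport {
    param(
        [string]$Cluster = $null,   # assumed parameter: limit the audit to one cluster
        [switch]$EnforceNormal      # assumed parameter: enable Normal lockdown where Disabled
    )
    $vmhosts = if ($Cluster) { Get-Cluster -Name $Cluster | Get-VMHost } else { Get-VMHost }

    foreach ($vmhost in $vmhosts) {
        # HostAccessManager exposes the lockdown state, the exception users list and
        # the ChangeLockdownMode method (vSphere API 6.0+).
        $ham = Get-View $vmhost.ExtensionData.ConfigManager.HostAccessManager
        $mode = $ham.LockdownMode          # lockdownDisabled / lockdownNormal / lockdownStrict

        # Exception users keep their permissions while lockdown is active and cannot be
        # reviewed from the DCUI, so they are listed here for review.
        $exceptions = @($ham.QueryLockdownExceptions())

        if ($EnforceNormal -and $mode -eq 'lockdownDisabled') {
            # Normal keeps the DCUI available as a fallback; Strict is a separate decision.
            $ham.ChangeLockdownMode('lockdownNormal')
            $ham.UpdateViewData()          # refresh the cached view after the change
            $mode = $ham.LockdownMode
        }

        [pscustomobject]@{
            Host           = $vmhost.Name
            LockdownMode   = $mode
            Compliant      = ($mode -ne 'lockdownDisabled')
            ExceptionUsers = ($exceptions -join ', ')
        }
    }
}

# Usage: report only, or report and remediate hosts that are still Disabled.
Get-LockdownReport | Format-Table -AutoSize
# Get-LockdownReport -Cluster 'Production' -EnforceNormal | Format-Table -AutoSize
```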

For more information, see the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-88B24613-E8F9-40D2-B838-225F5FF480FF.html).