introduction
welcome to a new article in the vSphere security series; this one discusses Lockdown Mode
how to access and manage an ESXi host
option 01 : Direct Console User Interface (DCUI)
- this option means working on the ESXi server physically, from its console in the datacenter
- which is good for
- first-time configuration of the server identity (hostname, management network)
- enabling or disabling SSH and the ESXi Shell, and other basic configuration
- maintenance and emergency access, for example when the host is unreachable over the network
option 02 : working on the shell directly [ESXi Shell]
- direct shell : means opening the shell on the ESXi server itself, in the datacenter (with the ESXi Shell service enabled, Alt+F1 at the console switches from the DCUI to the shell)
- working on the shell is very powerful since it expands your capability to manage ESXi (esxcli, vim-cmd, log files)
- BUT the bad thing : you have to work on the server physically in the datacenter
- don't use the direct shell unless you have a network issue and are unable to manage ESXi remotely
option 03 : working on the shell remotely [SSH]
- secure shell (SSH), listening on TCP port 22
- it enables the administrator to use the ESXi Shell remotely
- working over SSH requires the SSH service (TSM-SSH) to be enabled from the DCUI or from the web interface; it is disabled by default
option 04 : ESXi Host Client
- http://172.16.100.151 or http://ESXI151 (the host redirects to HTTPS on port 443)
- HTML5 management client served by the host itself
option 05 : vCenter Server
- VMware vCenter Server is advanced server management software that provides a centralized platform for controlling your VMware vSphere environments, …
network diagram
please have a look at the network diagram above
we have :
- domain controller for AD, DC101.pioneers.lab, with IP address 172.16.100.
- ESXI151 with IP address 172.16.100.151
- ESXI152 with IP address 172.16.100.152
- ESXI153 with IP address 172.16.100.153
- vCenter Server VCSA161.pioneers.lab with IP address 172.16.100.161
lockdown mode
Lockdown Mode is used to increase the security of an ESXi host by limiting the access allowed to the host.
By default lockdown mode is disabled.
When this mode is turned on, the ESXi host can only be accessed through vCenter Server or the Direct Console User Interface (DCUI). Direct logins to the host through other tools (Host Client, SSH, ESXi Shell, or an API/PowerCLI session opened straight against the host) are refused, except for accounts on the Exception Users list.
types of lockdown mode
Disabled Lockdown mode:
this is the default mode, which means the ESXi host is accessible by all management tools (DCUI, ESXi Shell, SSH, Host Client and vCenter)
Normal Lockdown mode:
in normal lockdown mode the DCUI service is not stopped. If the connection to vCenter Server is lost and access through the vSphere Web Client is no longer available,
privileged accounts can log in to the ESXi host's DCUI and exit lockdown mode.
Only these accounts can access the DCUI:
- Accounts in the Exception Users list for lockdown mode that have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks; these accounts keep their permissions, so they can still log in over SSH or the ESXi Shell if those services are enabled. Adding ESXi administrators to this list defeats the purpose of lockdown mode.
- Users defined in the DCUI.Access advanced option for the host (root by default). This option is for emergency access to the DCUI in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
Strict Lockdown mode:
in strict lockdown mode the DCUI service is stopped, so DCUI.Access gives no way in.
If the connection to vCenter Server is lost and the vSphere Web Client is no longer available,
the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined; an Exception User can then still log in over SSH.
If you cannot restore the connection to the vCenter Server system and no such way in exists, you have to reinstall the host.
enable Lockdown mode from the DCUI:
- log in directly on the ESXi host console.
- open the DCUI on the host.
- press F2 (Customize System) and authenticate as root.
- select Configure Lockdown Mode and press Enter to toggle the setting.
- note : from the DCUI you can only enable or disable normal lockdown mode; strict lockdown mode can only be set from the vSphere (Web) Client.
enable Lockdown mode from the vSphere Web Client (older, Flash-based client):
- browse to the host in the vSphere Web Client inventory.
- click the Manage tab and click Settings (in later versions, click the Configure tab).
- under System, select Security Profile.
- in the Lockdown Mode panel, click Edit.
- click Lockdown Mode and select one of the lockdown mode options (Disabled, Normal or Strict).
enable Lockdown mode from the vSphere Client (HTML5) in vCenter:
- browse to the host in the vSphere Client inventory.
- click the Configure tab.
- under System, select Security Profile.
- in the Lockdown Mode panel, click Edit.
- click Lockdown Mode and select one of the lockdown mode options (Disabled, Normal or Strict).
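the same change can be made, and checked across all hosts, through the vSphere API instead of clicking through the client. The script below is an added example written for this article; it is not code from the original post or from VMware. It uses the pyVmomi SDK (assumed installed), connects to VCSA161.pioneers.lab from the diagram, reads credentials from the hypothetical VC_USER / VC_PASS environment variables, and audits each host for the mistakes discussed above: lockdown disabled, an administrator on the Exception Users list, strict mode with no way back in, and an empty DCUI.Access. SAMPLE_HOSTS is constructed sample data mirroring the three lab hosts so the audit logic can be exercised without a vCenter.

```python
"""Set and audit ESXi lockdown mode through the vSphere API (pyVmomi).

Added example, not from the original article. pyVmomi is imported lazily
so audit() can run offline; main() needs a reachable vCenter (VCSA env var,
default VCSA161.pioneers.lab) and VC_USER / VC_PASS (hypothetical names).
Requires the vSphere 6.0+ HostAccessManager API.
"""
import os
import ssl
from dataclasses import dataclass, field

# Values of the vim.host.HostAccessManager.LockdownMode enum
DISABLED = "lockdownDisabled"
NORMAL = "lockdownNormal"
STRICT = "lockdownStrict"


@dataclass
class LockdownState:
    """Snapshot of one host's lockdown-related settings."""
    name: str
    mode: str
    exception_users: list = field(default_factory=list)  # Exception Users list
    dcui_access: list = field(default_factory=list)      # DCUI.Access advanced option
    ssh_running: bool = False                            # TSM-SSH service state


def audit(state, admin_accounts=("root",)):
    """Return findings for one host; an empty list means it is compliant."""
    findings = []
    if state.mode == DISABLED:
        findings.append("lockdown mode is disabled")
    # Admins on the Exception Users list keep SSH/shell access: lockdown is defeated
    admins = sorted(set(state.exception_users) & set(admin_accounts))
    if admins:
        findings.append("administrator account(s) in Exception Users: " + ", ".join(admins))
    # Strict mode stops the DCUI; SSH plus an Exception User is the only way back in
    if state.mode == STRICT and not (state.exception_users and state.ssh_running):
        findings.append("strict mode without SSH-enabled Exception User: losing vCenter means a reinstall")
    # Normal mode relies on DCUI.Access for emergency console access
    if state.mode == NORMAL and not state.dcui_access:
        findings.append("DCUI.Access is empty: no emergency DCUI login if vCenter is unreachable")
    return findings


# Constructed sample mirroring the article's three hosts; not real data
SAMPLE_HOSTS = [
    LockdownState("ESXI151", DISABLED, dcui_access=["root"]),
    LockdownState("ESXI152", NORMAL, exception_users=["root"], dcui_access=["root"]),
    LockdownState("ESXI153", NORMAL, exception_users=["svc-backup"], dcui_access=["root"]),
]


def audit_sample():
    """Audit the constructed sample; maps host name to its findings."""
    return {s.name: audit(s) for s in SAMPLE_HOSTS}


def connect_vcenter(server, user, password):
    """Open an API session to vCenter, verifying its TLS certificate."""
    from pyVim.connect import SmartConnect
    return SmartConnect(host=server, user=user, pwd=password,
                        sslContext=ssl.create_default_context())


def read_state(host):
    """Build a LockdownState from a vim.HostSystem managed object."""
    cfg = host.configManager
    ham = cfg.hostAccessManager
    opts = cfg.advancedOption.QueryOptions("DCUI.Access")      # comma-separated user list
    dcui = [u for u in opts[0].value.split(",") if u] if opts else []
    ssh = [s for s in cfg.serviceSystem.serviceInfo.service if s.key == "TSM-SSH"]
    return LockdownState(name=host.name, mode=str(ham.lockdownMode),
                         exception_users=list(ham.QueryLockdownExceptions()),
                         dcui_access=dcui, ssh_running=bool(ssh and ssh[0].running))


def set_mode(host, mode, exception_users=None):
    """Change lockdown mode (and optionally replace the Exception Users list)."""
    from pyVmomi import vim
    ham = host.configManager.hostAccessManager
    if exception_users is not None:
        ham.UpdateLockdownExceptions(exception_users)
    ham.ChangeLockdownMode(getattr(vim.host.HostAccessManager.LockdownMode, mode))


def main():
    from pyVim.connect import Disconnect
    from pyVmomi import vim
    si = connect_vcenter(os.environ.get("VCSA", "VCSA161.pioneers.lab"),
                         os.environ["VC_USER"], os.environ["VC_PASS"])
    try:
        content = si.RetrieveContent()
        view = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)
        for host in view.view:
            state = read_state(host)
            for finding in audit(state) or ["compliant (" + state.mode + ")"]:
                print(state.name + ": " + finding)
        view.Destroy()
    finally:
        Disconnect(si)


if __name__ == "__main__":
    main()
```

run it against the lab with `VC_USER=administrator@vsphere.local VC_PASS=... python lockdown_audit.py`; to move a host to normal mode with a single service account as the only Exception User, call `set_mode(host, NORMAL, ["svc-backup"])` on the vim.HostSystem object. The certificate check in connect_vcenter is deliberate: disabling it would let anyone on the path to vCenter capture the administrator session.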
test SSH with normal Lockdown mode
with normal lockdown mode enabled, an SSH login as root to the host is denied even though the SSH service is running,
as seen below. Only accounts on the Exception Users list keep their host permissions in lockdown mode and can still log in over SSH or the ESXi Shell (when those services are enabled), which is why adding administrators to that list defeats the purpose of lockdown mode.
Conclusion
Lockdown Mode is just another way you can secure your ESXi hosts; it complements, rather than replaces, the other host hardening steps (keep SSH and the ESXi Shell disabled when not needed, and keep DCUI.Access and the Exception Users list minimal)
normal lockdown mode is more practical than strict lockdown mode,
since if you cannot restore the connection to the vCenter Server system in strict mode, you have to reinstall the host (unless SSH or the ESXi Shell is enabled and an Exception User is defined)