Enabling or disabling Lockdown mode on an ESXi host
Details
To increase the security of your ESXi hosts, you can put them in Lockdown mode. This article provides information on enabling or disabling Lockdown mode on an ESXi host.
Solution
When you enable Lockdown mode, only the vpxuser has authentication permissions. Other users do not have authentication permissions and cannot perform any operations directly on the host. Lockdown mode forces all operations to be performed through vCenter Server. When a host is in Lockdown mode, you cannot run vCLI commands against the host from an administration server, from a script, or from the vMA. In addition, external software or management tools might not be able to retrieve or modify information from the ESXi host.
You can enable Lockdown mode from the Direct Console User Interface (DCUI).
Note: The host profile does not have a setting to enable or disable Lockdown mode.
If you enable or disable Lockdown mode using the DCUI, permissions for users and groups on the host are discarded. To preserve these permissions, you must enable or disable Lockdown mode using the vSphere Client connected to vCenter Server.
To enable Lockdown mode:
- Log in directly to the ESXi host.
- Open DCUI on the host.
- Press F2 for Initial Setup.
- Toggle the Configure Lockdown Mode setting.
Using troubleshooting services
By default, troubleshooting services in ESXi hosts are disabled. You can enable these services if necessary. Troubleshooting services can be enabled or disabled irrespective of the Lockdown mode on the host.
The various troubleshooting services are:
- Local Tech Support Mode (TSM) – You can enable this service to troubleshoot issues locally.
- Remote Tech Support Mode Service (SSH) – You can enable this service to troubleshoot issues remotely.
- Direct Console User Interface Service (DCUI) – When you enable this service while running in Lockdown mode, you can log in locally to the direct console user interface as the root user and disable Lockdown mode. You can then troubleshoot the issue using a direct connection to the vSphere Client or by enabling Tech Support Mode. For information on Tech Support Mode, see Tech Support Mode for Emergency Support (1003677).
Enabling or disabling the Lockdown mode using vSphere CLI
You can run these commands from the vSphere CLI to verify the status of the Lockdown mode and to enable/disable it.
In ESXi 4.0:
- To check if Lockdown mode is enabled, run the command: vim-cmd -U dcui vimsvc/auth/admin_account_is_enabled
- To disable Lockdown mode, run the command: vim-cmd -U dcui vimsvc/auth/admin_account_enable
- To enable Lockdown mode, run the command: vim-cmd -U dcui vimsvc/auth/admin_account_disable
In ESXi 4.1:
- To check if Lockdown mode is enabled, run the command: vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
- To disable Lockdown mode, run the command: vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
- To enable Lockdown mode, run the command: vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
Note: If the Lockdown mode is already enabled, to check the status or to disable it, you must enter the Direct Console User Interface Service (DCUI) and then run these commands on the ESXi host.
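The two releases above report Lockdown status with opposite meanings: on ESXi 4.0 the check reports whether the admin account is enabled (so "true" means Lockdown mode is OFF), while on 4.1 it reports Lockdown mode directly. The following shell audit helper, an added example that is not part of this article, picks the status command for the release from the "vmware -v" banner and normalises the answer; the banner strings and the "true"/"false" outputs used here are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the KB): select the Lockdown status command for the
# ESXi release and interpret its boolean output as a normalised state.

# Map a "vmware -v" banner to the status command for that release.
# Prints the command; prints nothing for releases the article does not cover.
lockdown_check_cmd() {
  banner="$1"
  case "$banner" in
    *"ESXi 4.0"*) echo "vim-cmd -U dcui vimsvc/auth/admin_account_is_enabled" ;;
    *"ESXi 4.1"*) echo "vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled" ;;
    *) echo "" ;;
  esac
}

# Normalise the command output to enabled/disabled/unknown.
# 4.0: the command reports the ADMIN ACCOUNT state, so true => Lockdown OFF.
# 4.1: the command reports Lockdown mode directly, so true => Lockdown ON.
lockdown_state() {
  banner="$1"
  output="$2"
  value=$(printf '%s' "$output" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
  case "$banner" in
    *"ESXi 4.0"*)
      case "$value" in
        true) echo disabled ;;
        false) echo enabled ;;
        *) echo unknown ;;
      esac ;;
    *"ESXi 4.1"*)
      case "$value" in
        true) echo enabled ;;
        false) echo disabled ;;
        *) echo unknown ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# On a live host (run from the DCUI shell when Lockdown mode is already on,
# as the note above requires), uncomment to use the real banner and command:
# banner=$(vmware -v)
# cmd=$(lockdown_check_cmd "$banner")
# [ -n "$cmd" ] && echo "Lockdown mode: $(lockdown_state "$banner" "$($cmd)")"
```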
For more information on the Lockdown mode, see the ESXi Configuration Guide.