Sunday, March 15, 2015

vSphere 6.0 Lockdown Modes

Today when I was checking VMware blogs, I found this interesting blog thought to make note of it....

Lockdown Modes
In 5.1 only the “root” user could log into the DCUI. In 5.5 you could add users to the “DCUI.Access” list in the Host Advanced Settings. They did not need full administrative privileges. But they could bypass lockdown mode and access the DCUI. Starting with vSphere 6.0, you can select either Normal lockdown mode or Strict lockdown mode, depending on your security requirements. 

With vSphere 6 VMware is introducing a couple of new concepts about Lockdown modes, Now there are three lockdown modes...
  • Normal Lockdown Mode
  • Strict Lockdown Mode
  • Exception Users
Normal Lockdown Mode
In normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server system is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host’s Direct Console Interface and exit lockdown mode. Only the following accounts can access the Direct Console User Interface:
  • Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.
  • Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
Strict Lockdown Mode
In strict lockdown mode, which is new in vSphere 6.0, the DCUI service is stopped. If the connection to vCenter Server is lost and thevSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host.

Exception Users
These are local accounts or Microsoft Active Directory accounts with permissions defined locally on the host where these users have host access. You can define those exception locally on the host, but it’s not recommended for normal user accounts, but rather for service accounts. You should set permissions on these accounts to strict minimum and anly what’s required for the application to do its task and with an account that needs only read-only permissions to the ESXi host.
This is basically the same principle of local server accounts on Windows member server, where you can create local accounts, but as a best practice to give them only the permissions they need…

Read the original full blog posts on VMware blogs: 

Restricting Access to the ESXi Host Console – Revisiting Lockdown Mode

No comments:

Post a Comment