Lockdown Mode
To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, all operations must be performed through vCenter Server.
By default, only the vCenter Server system, represented by the vpxuser user, has authentication permissions. No other users can perform operations against a host in lockdown mode.
- In normal lockdown mode, you can add users to the DCUI.Access advanced option, which can access the Direct Console User Interface regardless of their privileges on the host. You can also use the vSphere Client to add Exception users, which can access the Direct Console User Interface if they have host management privileges.
- In strict lockdown mode, users cannot access the Direct Console User Interface. If vCenter Server becomes unavailable, the host can no longer be managed.
When a host is in normal or strict lockdown mode, you cannot run ESXCLI commands against the host directly. Instead, you target the vCenter Server system that manages the host with the --server option and specify the ESXi host with the --vihost option. When you enable strict lockdown mode, the Direct Console User Interface service is disabled.
You can enable lockdown mode by using the Add Host wizard to add a host to vCenter Server, by using the vSphere Client to manage a host, or by using the Direct Console User Interface (DCUI). See the vSphere Security documentation for details on lockdown mode.
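To check which hosts are actually in normal or strict lockdown mode, and who is listed in DCUI.Access or as an Exception user, the state can be read through vCenter Server. The following PowerCLI script is an added example, not part of the original documentation or VMware's own code; it assumes VMware PowerCLI with an open Connect-VIServer session, and the function name Get-LockdownAudit and the server name in the comment are hypothetical.

```powershell
# Added example (not VMware's code): report the lockdown state of each host.
# Assumes VMware PowerCLI and an open session to the managing vCenter Server,
# e.g. Connect-VIServer -Server vcenter.example.test   (placeholder name).
function Get-LockdownAudit {
    [CmdletBinding()]
    param(
        # Hosts to inspect; defaults to every host in the connected vCenter Server.
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$VMHost = (Get-VMHost)
    )
    process {
        foreach ($h in $VMHost) {
            # Config data is only available for hosts vCenter Server can reach.
            $state = [string]$h.ConnectionState
            if ($state -notin 'Connected', 'Maintenance') {
                Write-Warning "$($h.Name): state $state, skipped"
                continue
            }
            # lockdownDisabled | lockdownNormal | lockdownStrict
            $mode = [string]$h.ExtensionData.Config.LockdownMode

            # Exception users are held by the host's HostAccessManager.
            $accessMgr  = Get-View -Id $h.ExtensionData.ConfigManager.HostAccessManager
            $exceptions = @($accessMgr.QueryLockdownExceptions())

            # DCUI.Access advanced option: users allowed on the DCUI in normal mode.
            $dcui = (Get-AdvancedSetting -Entity $h -Name 'DCUI.Access').Value

            $finding = switch ($mode) {
                'lockdownDisabled' { 'Lockdown mode is off: direct host access is possible' }
                'lockdownNormal'   { 'Normal: DCUI open to DCUI.Access and exception users' }
                'lockdownStrict'   { 'Strict: DCUI disabled, vCenter Server is the only path' }
                default            { "Unrecognized mode value '$mode'" }
            }
            [pscustomobject]@{
                Host           = $h.Name
                LockdownMode   = $mode
                DcuiAccess     = $dcui
                ExceptionUsers = $exceptions -join ','
                Finding        = $finding
            }
        }
    }
}

Get-LockdownAudit | Sort-Object LockdownMode, Host | Format-Table -AutoSize -Wrap
```

Because the script talks only to vCenter Server, it returns results for hosts in either lockdown mode, where a direct connection to the host would be refused.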