Lockdown mode was added as a feature in vSphere 4.0. Enabling it disables all remote root access to an ESXi host. Any local change to the host must then be made through one of:
- DCUI (Direct Console User Interface).
- vSphere Client or vCLI connecting to vCenter.
- vSphere Client or vCLI connecting to ESXi with a local user account on the host.
My colleague Duncan Epping has summarized a table showing whether you can change ESXi with different access methods in two modes.
As a general practice for better security, it is recommended to enable lockdown mode. However, lockdown mode can be bypassed by adding the root user to local groups, according to the vSphere Hardening Guide (see HCN03 on page 48). You may want to read that section carefully before relying on lockdown mode alone.
You can manage lockdown mode through the vSphere Client or the DCUI, but not through the public API until vSphere 4.1. As you would expect, two methods are defined on the HostSystem type in the vSphere Java API:
    public void enterLockdownMode() throws HostConfigFault, RuntimeFault, RemoteException;
    public void exitLockdownMode() throws HostConfigFault, RuntimeFault, RemoteException;
These two methods are pretty straightforward. To call them, though, the user must be connected to vCenter (not directly to the ESXi host) and must hold the "Host.Config.Settings" privilege.
How do you tell whether an ESXi host is already in lockdown mode? You can read it from the "config.adminDisabled" sub-property of the host, as shown in the following code:
    boolean lockeddown = host.getConfig().getAdminDisabled();
Note that the getter returns a boxed Boolean, so the auto-unboxing above throws a NullPointerException if the property is not reported; check for null first when you cannot be sure. Please also note that this code works *ONLY* when you are connected to vCenter, the same requirement as for calling the two methods above.
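The following is an added example, not code from the original post, that puts the pieces above together with the VI Java API: it verifies the session is with vCenter rather than an ESXi host, reads config.adminDisabled (null-safe), and then enters or exits lockdown mode only when the host is not already in the requested state. The vCenter URL, credentials and host name are placeholders passed on the command line; the class name LockdownToggle is an assumption for this example.

```java
import java.net.URL;

import com.vmware.vim25.HostConfigFault;
import com.vmware.vim25.mo.Folder;
import com.vmware.vim25.mo.HostSystem;
import com.vmware.vim25.mo.InventoryNavigator;
import com.vmware.vim25.mo.ServiceInstance;

/**
 * Check and toggle ESXi lockdown mode through vCenter (vSphere 4.1+ API).
 *
 * Usage: java LockdownToggle https://vcenter.example.com/sdk admin 'secret' esx1.example.com on|off
 * All connection details are placeholders supplied by the caller; the account
 * needs the Host.Config.Settings privilege on the target host.
 */
public class LockdownToggle {

    /** Returns the host's config.adminDisabled value, or null if the property
     *  is not reported (which is the case when not connected via vCenter). */
    static Boolean isLockedDown(HostSystem host) {
        return host.getConfig().getAdminDisabled();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: LockdownToggle <sdk-url> <user> <password> <host-name> <on|off>");
            System.exit(2);
        }
        // Last argument false: do NOT ignore certificate errors. Import the
        // vCenter certificate into the JVM trust store instead of disabling checks.
        ServiceInstance si = new ServiceInstance(new URL(args[0]), args[1], args[2], false);
        try {
            // enterLockdownMode/exitLockdownMode and config.adminDisabled are only
            // usable through vCenter; a direct ESXi session reports "HostAgent".
            String apiType = si.getAboutInfo().getApiType();
            if (!"VirtualCenter".equals(apiType)) {
                throw new IllegalStateException("connect to vCenter, not ESXi (apiType=" + apiType + ")");
            }

            Folder root = si.getRootFolder();
            HostSystem host = (HostSystem) new InventoryNavigator(root)
                    .searchManagedEntity("HostSystem", args[3]);
            if (host == null) {
                throw new IllegalArgumentException("host not found in inventory: " + args[3]);
            }

            boolean wantLocked = "on".equalsIgnoreCase(args[4]);
            Boolean locked = isLockedDown(host);          // may be null on old hosts
            System.out.println(args[3] + " lockdown mode currently: " + locked);

            if (locked != null && locked == wantLocked) {
                System.out.println("already in requested state, nothing to do");
                return;
            }
            try {
                if (wantLocked) {
                    host.enterLockdownMode();
                } else {
                    host.exitLockdownMode();
                }
            } catch (HostConfigFault e) {
                // The host refused the change (e.g. unsupported API version or host state).
                System.err.println("host rejected lockdown change: " + e.getMessage());
                System.exit(1);
            }
            // getConfig() re-reads the property from the server, so this reflects the change.
            System.out.println(args[3] + " lockdown mode now: " + isLockedDown(host));
        } finally {
            si.getServerConnection().logout();
        }
    }
}
```

A NoPermission fault (a RuntimeFault) on enterLockdownMode or exitLockdownMode means the account lacks Host.Config.Settings on that host; grant the privilege through a vCenter role rather than running the tool as Administrator.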