vSphere Security: Understanding ESXi 5.x Lockdown Mode
This is the first article in a series of vSphere Security articles that I have planned. The majority of this article is based on vSphere/ESXi 5.1, though I will include any 5.5 information that I find relevant.
I think lockdown mode is a feature that is rarely understood, and even more rarely used. Researching this article I’ve already encountered several different definitions that weren’t quite right. As far as I can see there are no differences between lockdown more in 5.5 and 5.1.
The vSphere Security guide says (emphasis mine):
To increase the security of your ESXi hosts, you can put them in lockdown mode. _In lockdown mode, all
operations must be performed through vCenter Server_. Only the vpxuser user has authentication
permissions, no other users can perform operations against the host directly.
In short, lockdown mode means you can ONLY manage the host via vCenter. The only exception is via the DCUI.
Enabling lockdown mode
Enabling lockdown mode is really simple, it’s a tick box on the vSphere Client, WebClient or the DCUI.
Select a host, select “Configuration” (vSphere Client) or “Manage” then “Settings” (Web Client) and then “Security Profile”
To do it via the DCUI, log in to the host and select “Configure Lockdown Mode”
One thing to note here is enabling lockdown mode via the DCUI behaves differently to the vSphere or Web clients! As per the documentation:
If you enable or disable lockdown mode using the Direct Console User Interface (DCUI), _permissions
for users and groups on the host are discarded._ To preserve these permissions, you must enable and disable
lockdown mode using the vSphere Web Client connected to vCenter Server.
When you disable lockdown mode using the DCUI, all users with the DCUI Access privilege
are granted the Administrator role on the host
Testing access with lockdown mode
I tested each of these options on one of my domain joined hosts using the following tests:
- SSH – I enabled SSH and the Firewall exception on the host and tested using PuTTY to log in.
- PowerCLI* – I connected to the host directly using Connect-VIServer
- vSphere Client – I connected using the vSphere Client, for domain users I tested with Windows session credentials and manually entered credentials.
- DCUI – I tested logging on at the console of the server.
*Note that PowerCLI connected through vCenter can still manage hosts, you can even use Get-EsxCli.
The below chart is the results of my testing, which matches the table in VMware’s document pretty well:
With lockdown mode enabled, Direct Console User Interface (DCUI) access is allowed for root, and any user specified with the DCUI.Access advanced option. My testing showed this can include domain users.
Total Lockdown Mode
VMware’s document also describes a “Total Lockdown Mode”, which basically means using a combination of Lockdown mode enabled and disabling the services for SSH, DCUI and ESXi Shell. There is no “enable total lockdown mode” button. In this configuration if you lose your vCenter Server you have one option only: rebuild ESXi. This would be an extremely secure configuration, but it would negate the possibility of troubleshooting if you lost contact with your vCenter Server.
Why use lockdown mode?
I think this is the most difficult aspect of lockdown mode. In my opinion you need a clear set of security requirements to implement it (as with all security). You need to consider usability – would you rather SSH into a host to troubleshoot than stand in the unpleasant environment of a data center? You can argue that OOB management such as iLO, DRAC or IMM allows you to remotely access the console, but then how secure is your remote management password? Are you closing off one attack vector in favour of another?
The use case that makes most sense to me for lockdown mode is for hosts in the DMZ. Even then I favour a properly isolated management network that mitigates the risk and allows you to keep the management of your hosts separate from Virtual Machine traffic. If you follow VMware’s design best practices a “Fully Collapsed DMZ” does just that.
I’d love to hear from any reader who uses lockdown mode in a production environment, and the use case for it, I personally have never heard from anyone who does!