ESXi 6.0:
Starting with vSphere 6.0, you can select normal Lockdown mode or strict Lockdown mode, which offer different degrees of lockdown.
Normal Lockdown mode:
In normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host's Direct Console Interface and exit lockdown mode. Only these accounts can access the Direct Console User Interface:
In normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host's Direct Console Interface and exit lockdown mode. Only these accounts can access the Direct Console User Interface:
- Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.
- Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
In strict lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host.
For more information on Lockdown mode in vSphere 6.0, see the Lockdown Mode section in the vSphere Security Guide.
To enable or disable Lockdown mode from the DCUI:
- Log directly in to the ESXi host.
- Open the DCUI on the host.
- Press F2 for Initial Setup.
- Press Enter to toggle the Configure Lockdown Mode setting.
To enable or disable Lockdown mode from the vSphere Web Client:
- Browse to the host in the vSphere Web Client inventory.
- Click the Manage tab and click Settings.
- Under System, select Security Profile.
- In the Lockdown Mode panel, click Edit.
- Click Lockdown Mode and select one of the lockdown mode options.
No comments:
Post a Comment