This week’s security tip focuses on vSphere ESXi and its lockdown mode, a feature specific to ESXi. In simplest terms, it disables all direct root access to the ESXi hosts. Once it is enabled, you can only make changes by going through the vCenter Server that manages that ESXi system.
Below is a diagram from “Its All Virtual” describing the different access types:
A big thing to take into account is that, since this removes root access, if for whatever reason your vCenter is down or crashes you won’t have access to your ESXi hosts unless you have created another account besides root. This presents the obvious problem of maintaining a variety of local accounts (ESXi 4.0) and the related management hassle. The other consideration is that any 3rd party or other tools that need root access will no longer work properly.
In 4.1, lockdown mode is even more secure because it actually removes those local accounts’ permissions, in effect making the ESXi host accessible only through your vCenter. If you want, you can re-enable or recreate the 4.0 and previous version behavior using the vSphere CLI, PowerCLI, or manually. There is a good KB article on this giving all the details:
- Use the VMware vSphere CLI to run the script vicfg-legacylockdown.pl against the host or against a vCenter Server system that is connected to one or more hosts.
- Use the VMware vSphere PowerCLI to run the script Set-LegacyLockdownMode.ps1 against the host or against a vCenter Server system that is connected to one or more hosts.
- Recreate vSphere 4.0 lockdown mode behavior manually.
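Before relying on lockdown mode, it helps to know which hosts actually have it on. The following PowerCLI script is an added example (it is not from the original post or the VMware KB scripts above); it assumes PowerCLI is loaded and you are already connected to vCenter with Connect-VIServer, and it reads the same HostSystem Config.AdminDisabled property that the lockdown mode checkbox sets.

```powershell
# Audit lockdown mode across all hosts managed by the connected vCenter.
# Optional -Cluster narrows the scope; -Enable turns lockdown mode on where it is off.
param(
    [string]$Cluster,
    [switch]$Enable
)

$vmhosts = if ($Cluster) { Get-Cluster -Name $Cluster | Get-VMHost } else { Get-VMHost }

$report = foreach ($vmhost in $vmhosts) {
    # Pull only the properties we need from the vSphere API object.
    $view = $vmhost | Get-View -Property Name, Config.AdminDisabled, Summary.Config.Product
    $locked = [bool]$view.Config.AdminDisabled

    if ($Enable -and -not $locked) {
        # EnterLockdownMode() is the API method behind the UI checkbox.
        # Only do this after you have verified a non-root local account
        # exists, or you lose host access if vCenter goes down (see above).
        $view.EnterLockdownMode()
        $locked = $true
    }

    [pscustomobject]@{
        Host       = $view.Name
        Version    = $view.Summary.Config.Product.Version
        LockdownOn = $locked
    }
}

# Hosts with lockdown mode off sort to the top so they stand out.
$report | Sort-Object LockdownOn, Host | Format-Table -AutoSize
```

Run it without -Enable first to get the inventory report; hosts listed with LockdownOn = False are the ones still reachable with root directly.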
There are cases where troubleshooting can be impacted by having this feature turned on. You may want to document as a best practice that this feature is shut off before spending more time on more complex issues. Lastly, this is a security feature, but it doesn’t “truly” lock down your machine. Please make sure you have a fully developed security plan and don’t depend on this one tool.