Securing host management access
When it comes to managing ESXi hosts, there are a few interfaces available to perform management tasks:
- Common Information Model (CIM), which is used for vCenter Server access.
- Direct Console User Interface (DCUI), which is also known as the ESXi console.
- Tech Support Mode (TSM):
  - Local: console access to the ESXi command line.
  - Remote: SSH access to the ESXi command line.
- vSphere Application Programming Interface (API), used by the vSphere Client, PowerCLI, vCLI, and so on.
Remote TSM has been covered in the Accessing hosts via SSH recipe in this chapter. Local TSM and DCUI are console options available if you have physical access to the host or remote console access such as iDRAC.
All interfaces except the vSphere API can be managed from vCenter under the host's Configuration | Security Profile | Services.
Both TSM options can also be configured from the DCUI console.
The following table summarizes the different management interfaces and where each one can be configured:

| Management interface | Description | Configuration from vCenter | Configuration from DCUI |
|---|---|---|---|
| CIM | vCenter access | Host's Services | |
| DCUI | ESXi console | Host's Services | |
| Local TSM | Console CLI | Host's Services | Troubleshooting menu |
| Remote TSM | SSH access to CLI | Host's Services | Troubleshooting menu |
| APIs | vSphere Client, PowerCLI, vCLI | | |
VMware offers a way to secure management access to hosts called Lockdown mode.
Lockdown mode is a security feature that restricts management of the ESXi host so that it can only be performed through vCenter. When a host is in this mode, the administrator cannot use the command line or run scripts, and third-party software cannot read or change any settings on the host.
Note
User root will still be able to access DCUI but not TSM.
The following table summarizes each management interface's behavior in Normal and Lockdown modes:

| Management interface | Normal mode | Lockdown mode |
|---|---|---|
| CIM | User and group permissions | Only vCenter Server |
| DCUI | User root and users with administrator rights | Only root user |
| Local TSM | Only root user | None |
| Remote TSM | Only root user | None |
| APIs | User and group permissions | Only vCenter vpxuser |
Additional security always means inconvenience. If the vCenter VM crashes or doesn't come up after a reboot and access to vCenter is lost, ESXi has to be reinstalled on the hosts that are in Lockdown mode to restore access.
How to do it...
To enable lockdown mode from vCenter, execute the following steps:
- Lockdown mode can be enabled per host by going to Configuration | Security Profile.
- Click on Edit next to Lockdown Mode, select Enable Lockdown Mode, and click on OK.
Note
All the existing vCenter Client connections to the host will be dropped immediately.
Users that are currently logged in to DCUI or TSM will still have access after Lockdown mode has been enabled, until they log off. Logged-in users will not be able to switch Lockdown mode off in this case.
All the existing user and group permissions will be restored once Lockdown mode is disabled if it was enabled from vCenter.
To enable Lockdown Mode from Web Client, execute the following steps:
- Select a host.
- Go to Manage | Settings | Security Profile.
- Scroll down to the Lockdown Mode section.
- Click on the Edit next to the section.
- Check Enable Lockdown Mode.
- Click on OK.
Enable Lockdown mode from the ESXi console
To enable Lockdown mode from DCUI, press F2, log in with the root user, move the cursor to the Configure Lockdown Mode item, and press Enter.
Tip
All the existing user and group permissions will be lost once Lockdown mode is enabled from DCUI, so the best practice is to use vCenter to enable Lockdown mode.
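The following PowerCLI script is an added example and is not part of the book or of VMware's own tooling. It does from the command line what the two tables above describe: it audits which management interfaces (local TSM, remote TSM/SSH, DCUI) are running on each host and whether the host is already in Lockdown mode, stops the TSM services, and then enables Lockdown mode through vCenter rather than through the DCUI, so that the existing user and group permissions are preserved as the Tip recommends. The vCenter name `vcenter.example.com` and the cluster name `Prod-Cluster` are placeholders, and the `Import-Module VMware.PowerCLI` line assumes a PowerCLI release that ships as a module (older releases are loaded with `Add-PSSnapin`).

```powershell
# Added example, not the book's code. Audits the management interfaces
# from the tables above and enables Lockdown mode through vCenter.
# Placeholders: vcenter.example.com (vCenter), Prod-Cluster (cluster).
Import-Module VMware.PowerCLI                 # assumption: module-based PowerCLI
Connect-VIServer -Server 'vcenter.example.com' | Out-Null

$hosts = Get-Cluster -Name 'Prod-Cluster' | Get-VMHost

# 1. Audit: which interfaces from the table are running on each host?
#    Service keys: TSM = local TSM (ESXi Shell), TSM-SSH = remote TSM, DCUI = console.
#    Config.AdminDisabled is the vSphere API flag behind "Lockdown mode".
$report = foreach ($h in $hosts) {
    $svc = Get-VMHostService -VMHost $h
    [pscustomobject]@{
        Host      = $h.Name
        ESXiShell = ($svc | Where-Object { $_.Key -eq 'TSM' }).Running
        SSH       = ($svc | Where-Object { $_.Key -eq 'TSM-SSH' }).Running
        DCUI      = ($svc | Where-Object { $_.Key -eq 'DCUI' }).Running
        Lockdown  = $h.ExtensionData.Config.AdminDisabled
    }
}
$report | Format-Table -AutoSize

# 2. Harden: stop local and remote TSM and keep them from starting at boot.
#    (DCUI is left running; root can still use it in Lockdown mode.)
foreach ($h in $hosts) {
    Get-VMHostService -VMHost $h |
        Where-Object { ($_.Key -eq 'TSM' -or $_.Key -eq 'TSM-SSH') -and $_.Running } |
        ForEach-Object {
            Stop-VMHostService -HostService $_ -Confirm:$false | Out-Null
            Set-VMHostService  -HostService $_ -Policy Off    | Out-Null
        }
}

# 3. Enable Lockdown mode via the vCenter-managed HostSystem object.
#    Going through vCenter (not DCUI) keeps user and group permissions intact.
foreach ($h in $hosts) {
    if (-not $h.ExtensionData.Config.AdminDisabled) {
        $h.ExtensionData.EnterLockdownMode()
        Write-Host "Lockdown mode enabled on $($h.Name)"
    } else {
        Write-Host "$($h.Name) is already in Lockdown mode"
    }
}

Disconnect-VIServer -Confirm:$false
```

Because the script connects to vCenter rather than to the hosts directly, it keeps working after Lockdown mode is on (vCenter's vpxuser is the only API account still allowed, per the second table); a `Connect-VIServer` aimed at an individual locked-down host is refused, which is exactly the trade-off described before the recipe. Run step 1 on its own first to confirm the report is what you expect before letting steps 2 and 3 change anything.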