Enable Lockdown Mode in vCenter Server for VMware Security

Lockdown mode in VMware vSphere can be enabled to restrict direct access to ESXi hosts as far as possible, which increases the security of your ESXi hosts.


By Crystal / Updated on March 16, 2023


What Is vCenter Lockdown Mode

Lockdown mode restricts access to an ESXi host and requires that all configuration changes go through vCenter Server. This ensures that the roles and access controls implemented in vCenter are always enforced and that users cannot bypass them by logging in to a host directly.

By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced.

vSphere 6.0 and later supports normal lockdown mode and strict lockdown mode. If you want to disallow all direct access to a host completely, you can select strict lockdown mode. However, the ESXi Shell and SSH services are independent of lockdown mode. When a host is in lockdown mode, users on the Exception Users list can access the host from the ESXi Shell and through SSH if they have the Administrator role on the host and if these services are enabled. The most secure way is to disable the ESXi Shell service and the SSH service. Generally, those services are disabled by default.


Lockdown Mode Services for Different Users

In lockdown mode, some services are disabled, and some services are accessible only to certain users.

When the host is running, available services depend on whether lockdown mode is enabled, and on the type of lockdown mode.

  • In strict and normal lockdown mode, privileged users can access the host through vCenter Server, from the vSphere Client, or by using the vSphere Web Services SDK.
  • Direct Console Interface behavior differs for strict lockdown mode and normal lockdown mode.
    • In strict lockdown mode, the Direct Console User Interface (DCUI) service is disabled.
    • In normal lockdown mode, accounts on the Exception User list can access the DCUI if they have administrator privileges. In addition, all users who are specified in the DCUI.Access advanced system setting can access the DCUI.
  • If the ESXi Shell or SSH is enabled and the host is placed in lockdown mode, accounts on the Exception Users list who have administrator privileges can use these services. For all other users, ESXi Shell or SSH access is disabled. ESXi Shell or SSH sessions for users who do not have administrator privileges are closed.

All access is logged for both strict and normal lockdown mode.

How to Enable Lockdown Mode in vCenter Server

In this part, we will introduce how to enable lockdown mode in VMware vSphere 7.0.

1. Browse to the host in the vSphere Client inventory.

2. Click Configure.

3. Under System, select Security Profile.

4. In the Lockdown Mode panel, click Edit.


5. Click Lockdown Mode and select one of the lockdown mode options.

Normal: The host can be accessed through vCenter Server. Only users who are on the Exception Users list and have administrator privileges can log in to the Direct Console User Interface. If SSH or the ESXi Shell is enabled, access might be possible.

Strict: The host can only be accessed through vCenter Server. If SSH or the ESXi Shell is enabled, running sessions for accounts in the DCUI.Access advanced option and for Exception User accounts that have administrator privileges remain enabled. All other sessions are closed.


6. Click OK.
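The lockdown mode state, the Exception Users list, the DCUI.Access setting and the ESXi Shell/SSH services described in the two sections above can also be audited and set from PowerCLI. The script below is an added example, not code from the article or from VMware; it assumes the VMware.PowerCLI module, an existing Connect-VIServer session to vCenter, and a placeholder host name.

```powershell
# Added example (PowerCLI), not from the article. Assumes Connect-VIServer has
# already been run and that $HostName is replaced with a real ESXi host name.
$HostName = 'esxi01.example.local'        # placeholder
$SetMode  = ''                            # '' = audit only, or 'lockdownNormal' / 'lockdownStrict'

$vmhost = Get-VMHost -Name $HostName -ErrorAction Stop
# HostAccessManager (vSphere 6.0+) owns lockdown mode and the Exception Users list.
$accessMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

function Get-LockdownReport {
    $services = Get-VMHostService -VMHost $vmhost
    [pscustomobject]@{
        Host           = $vmhost.Name
        LockdownMode   = $accessMgr.LockdownMode   # lockdownDisabled / lockdownNormal / lockdownStrict
        ExceptionUsers = @($accessMgr.QueryLockdownExceptions()) -join ','
        DcuiAccess     = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value
        EsxiShell      = ($services | Where-Object Key -eq 'TSM').Running      # ESXi Shell service
        Ssh            = ($services | Where-Object Key -eq 'TSM-SSH').Running  # SSH service
    }
}

$before = Get-LockdownReport
$before | Format-List

# Flag the conditions the article identifies as weakening lockdown mode.
if ($before.EsxiShell -or $before.Ssh) {
    Write-Warning 'ESXi Shell or SSH is running: Exception Users with the Administrator role can still log in directly.'
}
if ($before.LockdownMode -eq 'lockdownDisabled') {
    Write-Warning 'Lockdown mode is disabled: vCenter roles can be bypassed by logging in to the host directly.'
}

# Optional enforcement, equivalent to Configure > Security Profile > Lockdown Mode > Edit.
if ($SetMode -and $SetMode -ne $before.LockdownMode) {
    $accessMgr.ChangeLockdownMode($SetMode)
    # Stop both services so that only the vCenter path remains, as the article recommends.
    Get-VMHostService -VMHost $vmhost |
        Where-Object { $_.Key -in 'TSM', 'TSM-SSH' -and $_.Running } |
        Stop-VMHostService -Confirm:$false
    Get-LockdownReport | Format-List
}
```

Run it in audit mode first against each host; the report makes it easy to spot hosts where SSH or the ESXi Shell is running alongside a non-empty Exception Users list.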

For VM data security, many administrators choose to use professional VM backup software to protect virtual machines from threats.

Seamless Data Protection for Your VMs in vCenter

As stated above, data protection has always been a hot topic, since data is considered the lifeblood of a company.

AOMEI Cyber Backup is a comprehensive VMware backup solution that can easily manage backups of virtual machines with one console and accommodate different virtual environment scales.

With its powerful features, it has gained a good reputation among customers. It supports not only VMware vSphere backups, but also Hyper-V backups.

  • Auto Backup: Automatically back up virtual machines on a regular basis - daily, weekly, or monthly.
  • Easy-to-use: Manage VM backup and recovery from a central console without complicated installation or configuration.
  • Flexible Backup Strategy: Create full, incremental or differential backups to protect data comprehensively and save storage.
  • Multiple Storage Destinations: Easily back up to local or network destinations.
  • Email notification: Send an email notification when the task is completed or fails.


AOMEI Cyber Backup supports VMware ESXi 6.0 and later versions. A 30-day free trial is available for download.


*You can choose to install this VM backup software on either a Windows or a Linux system.

5 easy steps to back up and restore VMware ESXi VMs

1. Bind Devices: Open the AOMEI Cyber Backup web client, navigate to Source Device > VMware > + Add VMware vCenter or Standalone ESXi host, and then click Bind Device.


2. Create Backup Task: Navigate to Backup Task > + Create New Task, and then select VMware ESXi Backup as the Device Type.

  • Task Name: you can change the task name or use the default name with an ordinal.
  • Device: batch select large numbers of VMs managed by vCenter Server for centralized backup.
  • Target: select to back up to a local path, or to a network path.
  • Schedule: choose to perform full, differential or incremental backup, and automate execution according to the frequency you specified.
  • Cleanup: automatically delete the old backup copies that exceed the retention period you specified.


3. Run Backup: Click Start Backup and select Add the schedule and start backup now, or Add the schedule only.


4. Restore from Backup: Navigate to the backup task you want to restore from and click Restore to open the wizard.

Or you can click Backup Management > History Versions. Specify a VM and select a restore point from the left list.


5. Start Restore: Choose Restore to original location or Restore to new location, then click Start Restore to recover the virtual machine.

Restore to new location: Create a new VM in the same or another datastore/host directly from the backup to perform out-of-place recovery, saving the trouble of re-configuring the new VM.


Summary

Enabling lockdown mode can increase the security of your ESXi hosts. This article has explained which services remain available under each lockdown mode and how to put ESXi hosts in lockdown mode.

Crystal · Editor
Crystal is an editor from AOMEI Technology. She mainly writes articles about virtual machines. She is a positive young lady who likes to share articles with people. Off work she loves travelling and cooking, which is wonderful for life.