In doing some research about ESXi Lockdown Mode -- since the Security folks like the sound of it -- I've located a lot of bad information. I'm curious if anyone from VMware would care to chime in and clarify since the manuals I've seen don't really tell me anything except how to enable it.
First of all, what is VMware's goal for Lockdown Mode?
From the ESXi Installable and vCenter Server Setup Guide, page 36:
"Lockdown mode prevents remote personnel from logging in to the ESXi host by using the root login name."
Great, so that means that nobody can get into the box remotely as root. This is a good security practice since that god-level account is generic and we like auditability. If we're managing everything with vCenter, and don't create any other local accounts on the ESXi host, we should be golden -- no little roots running around and messing with the configs outside of the purview of vCenter.
What happens when I've got some weird problems with vCenter and need to login directly to the host? One obvious solution is that I can hit the host's 'real' console (Physical Monitor, KVM, DRAC, iLO, etc.), login as root there, disable Lockdown Mode, and then login to the host using the vSphere Client. Of course, that violates my "no root logins" policy and upsets the security folks.
So, what permissions do I need to give to a (non-root) local user to enable that user to login with the vSphere client while Lockdown mode is enabled?
If I cannot login remotely using the root login name, it can be implied from the above quote that I can login remotely using a different name, right? Time for another quote from the same section:
"If you enable lockdown mode and do not configure other local host user accounts to have standalone host access through the vSphere Client,
the root user does not have access through the vSphere API and CLI."
Hmmm... so, what if I enable lockdown mode and DO configure other local host user accounts? Aside from the logic nightmare implied by that sentence, I am not so crazy.
Unfortunately, each of my attempts there have been unsuccessful -- making the local user a member of the 'localadmins' group allows my new user to login to the actual yellow-and-black console screen, but I still cannot use the vSphere Client while Lockdown Mode is enabled -- without following the same procedure as the root user would (login wia the console, disable Lockdown, login w/ client). That, at least, enables me to do what I need without sharing the actual root password, so it is a little better.
The last quote can be interpreted as vague at best:
"When lockdown mode is enabled, you can create a user with administrator privileges to connect to a standalone host."
Technically, with Lockdown Mode enabled, I can't do anything, since I can't get into the box with the vSphere Client. However, assuming that the intent of this sentence was that I can create another local account to handle "root-type stuff", What permissions does that user need to be granted?
If the goal of lockdown mode is to prevent direct remote connections to the ESXi host using the vCLI/PowerCLI/vSphere Client, it seems to work great. Unfortunately, the documentation does not lead me to believe that, and I would prefer to disable remote root access yet maintain the ability to remotely administer my hosts via the various remote interfaces.
Thanks! 
You guys are making my point
There is a lot of confusion around this seemingly incorrectly-named feature.
To summarize:
1. Lockdown mode prevents direct connection to an ESXi host using the 'root' username. Whether this is via the vSphere Client, PowerCLI, vCLI/vMA, or any of the other public APIs.
2. Anyone with console access (physical console via direct-attached monitor, KVM, DRAC, iLO, whatever) can still login to the box as root -- and disable 'Lockdown Mode'
NOTE: Anyone in the 'localadmin' group on the ESXi host can login on the console this way, not just the root user
3. Once on the console, the tech support console may be loaded for further access.
4. it is possible to disable the tech support console by setting the advanced configuration option techSupportMode to False (VMware KB 1010549, referenced by RParker)
5. To grant another (non-root) user account the ability to attach DIRECTLY to an ESXi host using the API, Toolkits or, vSphere Client, you must create a local account on the ESXi host and grant it Administrator privileges to the host. (referenced by Joe)
Thanks again for helping clarify this one
Sorry to bring it up again but I'm still confused:
According to RParker lockdown mode disbales direct vSphere connections.
According to the rest, lockdown mode disables root user connections on any interface.
I'd test it myself but just can't bother running down intot the basement atm
Kind Regards,
Gerrit Lehr
If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".