12 Replies Latest reply on Sep 9, 2009 4:59 AM by mojoe1717

    ESXi Lockdown Mode - Lots of Misinformation

    DougBaer Master
    VMware Employees

      In doing some research about ESXi Lockdown Mode -- since the Security folks like the sound of it -- I've located a lot of bad information.  I'm curious if anyone from VMware would care to chime in and clarify since the manuals I've seen don't really tell me anything except how to enable it.

       

      First of all, what is VMware's goal for Lockdown Mode?

       

      From the ESXi Installable and vCenter Server Setup Guide, page 36:

      "Lockdown mode prevents remote personnel from logging in to the ESXi host by using the root login name."

       

      Great, so that means that nobody can get into the box remotely as root.  This is a good security practice since that god-level account is generic and we like auditability. If we're managing everything with vCenter, and don't create any other local accounts on the ESXi host, we should be golden -- no little roots running around and messing with the configs outside of the purview of vCenter.

       

      What happens when I've got some weird problems with vCenter and need to login directly to the host?  One obvious solution is that I can hit the host's 'real' console (Physical Monitor, KVM, DRAC, iLO, etc.), login as root there, disable Lockdown Mode, and then login to the host using the vSphere Client.  Of course, that violates my "no root logins" policy and upsets the security folks.

       

      So, what permissions do I need to give to a (non-root) local user to enable that user to login with the vSphere client while Lockdown mode is enabled? 

       

      If I cannot login remotely using the root login name, it can be implied from the above quote that I can login remotely using a different name, right?  Time for another quote from the same section:

       

      "If you enable lockdown mode and do not configure other local host user accounts to have standalone host access through the vSphere Client, the root user does not have access through the vSphere API and CLI."

       

      Hmmm... so, what if I enable lockdown mode and DO configure other local host user accounts? Aside from the logic nightmare implied by that sentence, I am not so crazy.

       

      Unfortunately, each of my attempts there has been unsuccessful -- making the local user a member of the 'localadmins' group allows my new user to login to the actual yellow-and-black console screen, but I still cannot use the vSphere Client while Lockdown Mode is enabled -- without following the same procedure as the root user would (login via the console, disable Lockdown, login w/ client).  That, at least, enables me to do what I need without sharing the actual root password, so it is a little better.

       

      The last quote can be interpreted as vague at best:

      "When lockdown mode is enabled, you can create a user with administrator privileges to connect to a standalone host."

       

      Technically, with Lockdown Mode enabled, I can't do anything, since I can't get into the box with the vSphere Client. However, assuming that the intent of this sentence was that I can create another local account to handle "root-type stuff", what permissions does that user need to be granted?

       

      If the goal of lockdown mode is to prevent direct remote connections to the ESXi host using the vCLI/PowerCLI/vSphere Client, it seems to work great.  Unfortunately, the documentation does not lead me to believe that, and I would prefer to disable remote root access yet maintain the ability to remotely administer my hosts via the various remote interfaces.

       

      Thanks! 

        • 1. Re: ESXi Lockdown Mode - Lots of Misinformation
          mojoe1717 Enthusiast

           

          So I know this thread is a little old but may help some others....

           

           

          **Disclaimer**  I am very new to vmware so take everything with a grain of salt  **Disclaimer**

           

           

          My understanding of Lockdown Mode's goal, and the reason I enabled it, is to prevent remote logons as "root", not to disable remote logons.  This may help against brute force attacks, as no one can pound my box guessing passwords for root.   So what I did before enabling lockdown mode was create two accounts, one for myself and one for my co-worker.  They were created under the Users & Groups tab under Inventory when connected directly to the ESXi host through vSphere (don't worry about assigning any group memberships here).  Next, go to the Permissions tab, click on Add under Users and Groups and select the user(s) that you just created, then select Administrator from the drop-down under Assigned Role.  Now you can enable lockdown mode.  This will not let anyone log on or SSH to your host using the root username, but you will be able to access both with the new user accounts you created.

           

           

          This may be far from the preferred method, but I find that it works ok for our location and may shed a little more understanding for you.  Please correct me if any of my information is wrong.

           

           

          Thanks,

           

           

          Joe

           

           

          • 2. Re: ESXi Lockdown Mode - Lots of Misinformation
            DougBaer Master
            VMware Employees

            Joe,

             

            Thanks!  If I understand your post correctly, the part I was missing was granting permission to the user accounts.  I was following the *nix group method, but you indicate that you assigned ESX permissions.  I'll give it a shot.

             

            Doug

            • 3. Re: ESXi Lockdown Mode - Lots of Misinformation
              RParker Guru

              Lockdown mode does not lock down machine


              Details

              The ESXi lockdown mode does not lock down the machine. It only prevents direct VMware vSphere client connections. 

              Solution

              The lockdown mode only applies to direct vSphere client connections. To ensure a complete lock down, you must set the advanced configuration option techSupportMode to False. This disables the unsupported technical support shell.


              http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1010549&sliceId=1&docTypeID=DT_KB_1_1&dialogID=35010036&stateId=0%200%2032239427


              Permission Problem if Host Had Been in Lockdown Mode


              Details

              You add a host to a VirtualCenter Datacenter or Cluster using the VI Client. As part of the Add Host operation, you choose Enable Lockdown Mode. If the VirtualCenter database is deleted after that operation, and you attempt to add the host to the VirtualCenter Server again, the following error message results:

               

              Permission to perform this operation was denied.

              Solution

              Follow these steps to resolve the issue:

              1. Open the direct console (DCUI) on the host.

              2. Press F2 for Initial Setup.

              3. Select Configure Lockdown Mode and disable lockdown mode.


              Keywords

              lockdown mode; permission denied; Permission to perform this operation was denied

              • 4. Re: ESXi Lockdown Mode - Lots of Misinformation
                DougBaer Master
                VMware Employees

                Understood.  I want to disable remote access for the root user, but I want to maintain the ability to access the machine remotely via the vMA or PowerCLI if I use a non-root user account.

                • 5. Re: ESXi Lockdown Mode - Lots of Misinformation
                  DougBaer Master
                  VMware Employees

                  Joe,

                   

                  I have tested your suggestion and it accomplished my goal:

                   

                  1) root is not able to login using the vCLI, vSphere client, or PowerCLI

                  2) my admin user is able to do all three.

                   

                  Question answered. Thanks.

                  • 6. Re: ESXi Lockdown Mode - Lots of Misinformation
                    bulletprooffool Virtuoso

                     

                    The way I understood it, you simply want to disable root access remotely using lockdown - this way, brute-force password scripts cannot be run against the root (default) username, but you can continue to run scripts using other accounts (and assign permissions accordingly).

                     

                     

                    Of course, if you have physical access (DRAC / iLO), as root you can still perform all functions that you would need, using the 'unsupported' mode.

                     

                     

                    It is very simple to create a brute-force attack against the root username in PowerCLI etc., if you wanted to, so lockdown mode really closes a big hole. Cracking a password with an unknown username magnifies the permutations exponentially.

                     

                     

                    • 7. Re: ESXi Lockdown Mode - Lots of Misinformation
                      RParker Guru

                      The way I understood it, you simply want to disable root access remotely using lockdown

                       

                      The ESXi lockdown mode does not lock down the machine. It only prevents direct VMware vSphere client connections.

                       

                       

                      • 8. Re: ESXi Lockdown Mode - Lots of Misinformation
                        DougBaer Master
                        VMware Employees

                        You guys are making my point

                         

                        There is a lot of confusion around this seemingly incorrectly-named feature.

                         

                        To summarize:

                         

                        1. Lockdown mode prevents direct connection to an ESXi host using the 'root' username. Whether this is via the vSphere Client, PowerCLI, vCLI/vMA, or any of the other public APIs.

                        2. Anyone with console access (physical console via direct-attached monitor, KVM, DRAC, iLO, whatever) can still login to the box as root -- and disable 'Lockdown Mode'

                           NOTE: Anyone in the 'localadmin' group on the ESXi host can login on the console this way, not just the root user

                        3. Once on the console, the tech support console may be loaded for further access.

                        4. It is possible to disable the tech support console by setting the advanced configuration option techSupportMode to False (VMware KB 1010549, referenced by RParker)

                        5. To grant another (non-root) user account the ability to attach DIRECTLY to an ESXi host using the API, Toolkits or, vSphere Client, you must create a local account on the ESXi host and grant it Administrator privileges to the host. (referenced by Joe)

                         

                        Thanks again for helping clarify this one
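The procedure from Joe's post and the summary above, written out as a PowerCLI script so it can be repeated and checked. This is an added example, not code from the thread or from VMware; the host name, the account name and the advanced-option key VMkernel.Boot.techSupportMode (the key I assume the thread's "techSupportMode" refers to) are assumptions.

```powershell
# Added example: create a non-root local admin, grant it the Administrator role,
# optionally disable the tech-support shell, enable lockdown, then verify.
# Assumptions: host "esxi01.example.local", new account "hostadmin",
# advanced option key "VMkernel.Boot.techSupportMode". Requires PowerCLI loaded.

$HostName = "esxi01.example.local"   # assumption: your ESXi host
$NewUser  = "hostadmin"               # assumption: non-root local admin account

# 1. Connect directly to the host as root (lockdown must be OFF for this step).
$rootCred = Get-Credential "root"
Connect-VIServer -Server $HostName -Credential $rootCred | Out-Null
$vmhost = Get-VMHost -Name $HostName

# 2. Create the local user on the host. No *nix group membership is needed;
#    'localadmins' only affects the DCUI console, not vSphere Client/API logins.
$userCred = Get-Credential $NewUser
New-VMHostAccount -Id $NewUser -UserAccount `
    -Password $userCred.GetNetworkCredential().Password | Out-Null

# 3. Assign the Administrator role on the host object. This permission, not the
#    group, is what lets the account connect directly while lockdown is enabled.
New-VIPermission -Entity $vmhost -Principal $NewUser `
    -Role (Get-VIRole -Name "Admin") -Propagate:$true | Out-Null

# 4. (Optional, per KB 1010549 as cited in the thread) turn off the unsupported
#    tech-support shell; lockdown mode alone does not do this.
Set-VMHostAdvancedConfiguration -VMHost $vmhost `
    -Name "VMkernel.Boot.techSupportMode" -Value $false | Out-Null

# 5. Enable lockdown mode through the HostSystem API and read back the flag.
$vmhost.ExtensionData.EnterLockdownMode()
$locked = (Get-VMHost -Name $HostName).ExtensionData.Config.AdminDisabled
Disconnect-VIServer -Server $HostName -Confirm:$false
Write-Host "Lockdown enabled (Config.AdminDisabled): $locked"

# 6. Verify the policy: a direct root login must be refused, the new account
#    must succeed. Both are attempted against the host itself, not vCenter.
$rootBlocked = $false
try   { Connect-VIServer -Server $HostName -Credential $rootCred -ErrorAction Stop | Out-Null }
catch { $rootBlocked = $true }
Connect-VIServer -Server $HostName -Credential $userCred -ErrorAction Stop | Out-Null
Disconnect-VIServer -Server $HostName -Confirm:$false
Write-Host ("root refused: {0}; {1} connected: True" -f $rootBlocked, $NewUser)
```

If step 6 reports root refused while the new account connects, the host matches Doug's points 1 and 5; if root still connects, re-check that lockdown was actually enabled rather than only the role assigned.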

                        • 9. Re: ESXi Lockdown Mode - Lots of Misinformation
                          Gerrit.Lehr Master

                           

                          Sorry to bring it up again but I'm still confused:

                           

                           

                          According to RParker, lockdown mode disables direct vSphere connections.

                           

                           

                          According to the rest, lockdown mode disables root user connections on any interface.

                           

                           

                          I'd test it myself but just can't be bothered running down into the basement atm.

                           

                           

                          Kind Regards,

                          Gerrit Lehr

                           

                          If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".

                           

                           

                          • 10. Re: ESXi Lockdown Mode - Lots of Misinformation
                            DougBaer Master
                            VMware Employees

                            Lockdown mode does not disable connections via vCenter -- its goal is to restrict remote connections directly to the ESXi host (bypassing the vCenter management) such as vSphere Client or API calls directly to the host.

                             

                            RParker highlighted another common confusion that "Lockdown Mode" does not disable the 'unsupported' command line functionality on an ESXi console -- that needs to be additionally disabled using the advanced setting he mentioned.

                            • 11. Re: ESXi Lockdown Mode - Lots of Misinformation
                              Gerrit.Lehr Master

                              The ESXi lockdown mode does not lock down the machine. It only prevents direct VMware vSphere client connections.

                               

                              That sounds to me like no user can connect via vSphere Client, but other connections should still be available?! But lockdown mode only restricts root access doesn't it?

                               

                               

                              Kind Regards,

                              Gerrit Lehr

                               

                              If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".

                              • 12. Re: ESXi Lockdown Mode - Lots of Misinformation
                                mojoe1717 Enthusiast

                                 

                                You're correct, Gerrit, other users can connect using vSphere. When I enabled lockdown, here is what happened:

                                 

                                I could not connect using vSphere Client as root

                                I could not connect using ssh as root


                                I could connect using vSphere Client as a user I created

                                I could connect using ssh as a user I created

                                 

                                 

                                 

                                Thanks,

                                Joe