VMware Cloud Community
cb122
Contributor

lockdown mode and DCUI

Can anyone give me a beginner's guide to the risks associated with:

1) Not enabling lockdown mode on hosts

2) Not disabling DCUI on hosts

I am relatively new to VMware, but as I work in risk and these findings have been raised in a security health check, I wanted some expert input into just how dangerous these findings are, perhaps in the context of whether they expose the data on the guests residing on those hosts. Please keep answers pretty basic.

Accepted Solutions
admin
Immortal

If you enable or disable lockdown mode using the Direct Console User Interface, permissions for users and groups on the host are discarded. To preserve these permissions, you must enable and disable lockdown mode using the vSphere Client connected to vCenter Server.

Procedure

1) At the Direct Console User Interface of the host, press F2 and log in.

2) Scroll to the Configure Lockdown Mode setting and press Enter.

3) Press Esc until you return to the main menu of the Direct Console User Interface.

Also, this is the link: http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc_50%2FGUID-F8F10...


8 Replies

admin
Immortal

1) Not enabling lockdown mode on hosts

  • To increase the security of your ESXi hosts, you can put them in Lockdown mode.
  • When Lockdown is enabled, even if your ESXi host's credentials are exposed to anyone, only whoever has permission on the vCenter Server to which the ESXi host is locked down will have the permission to perform any task on your ESXi host.
    • Which means if it's not enabled, whoever has access to your ESXi host can manipulate the VMs hosted on it.

2) Not disabling DCUI on hosts

  • When you enable this service while running in Lockdown mode, you can log in locally to the DCUI as the root user and disable Lockdown mode.
    • This is a threat if the root user credentials are exposed to any unauthorized person.

~dGeorgey
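The two findings above (lockdown mode not enabled, DCUI left running) are easy to check for across a whole vCenter inventory. The following PowerCLI script is an added example, not code from the thread or from VMware: it reports the lockdown mode and the state of the DCUI, ESXi Shell and SSH services for every host, and can optionally remediate through vCenter rather than the DCUI, which is what the accepted answer recommends so that host users and groups are preserved. It assumes VMware PowerCLI is installed and that you have already run Connect-VIServer against the vCenter Server; the vCenter name and the CSV path in the usage comments are placeholders.

```powershell
# Added example, not from the thread: audit every ESXi host in a vCenter
# for the two health-check findings (lockdown mode off, DCUI service running)
# and optionally remediate through vCenter so host permissions are preserved.
# Assumes VMware PowerCLI is installed and an existing Connect-VIServer
# session to the vCenter Server (placeholder name: vcenter.example.local).

function Get-LockdownFinding {
    param([switch]$Remediate)

    foreach ($vmhost in Get-VMHost) {
        # HostConfigInfo.lockdownMode (vSphere 6.0+ API):
        # lockdownDisabled, lockdownNormal or lockdownStrict
        $lockdown = $vmhost.ExtensionData.Config.LockdownMode

        # Host services: DCUI = local console, TSM = ESXi Shell, TSM-SSH = SSH
        $services = Get-VMHostService -VMHost $vmhost
        $dcui  = $services | Where-Object { $_.Key -eq 'DCUI' }
        $shell = $services | Where-Object { $_.Key -eq 'TSM' }
        $ssh   = $services | Where-Object { $_.Key -eq 'TSM-SSH' }

        $findings = @()
        if ($lockdown -eq 'lockdownDisabled') { $findings += 'lockdown mode not enabled' }
        if ($dcui.Running)                    { $findings += 'DCUI service running' }
        if ($shell.Running)                   { $findings += 'ESXi Shell running' }
        if ($ssh.Running)                     { $findings += 'SSH running' }

        if ($Remediate -and $findings.Count -gt 0) {
            # Change lockdown through the vCenter-managed HostAccessManager,
            # not through the DCUI, so users and groups defined on the host
            # survive (the accepted answer in this thread makes the same point).
            if ($lockdown -eq 'lockdownDisabled') {
                $ham = Get-View $vmhost.ExtensionData.ConfigManager.HostAccessManager
                $ham.ChangeLockdownMode('lockdownNormal')
            }
            # Stop the local console service and keep it from starting with the host
            if ($dcui.Running) {
                Stop-VMHostService -HostService $dcui -Confirm:$false | Out-Null
                Set-VMHostService  -HostService $dcui -Policy 'Off'  | Out-Null
            }
        }

        # One row per host; the state shown is the state found before remediation
        [pscustomobject]@{
            Host         = $vmhost.Name
            LockdownMode = $lockdown
            DcuiRunning  = $dcui.Running
            DcuiPolicy   = $dcui.Policy     # On = starts with the host, Off = manual
            ShellRunning = $shell.Running
            SshRunning   = $ssh.Running
            Findings     = ($findings -join '; ')
        }
    }
}

# Usage (report first, remediate only after the report has been reviewed):
# Connect-VIServer vcenter.example.local
# Get-LockdownFinding | Format-Table -AutoSize
# Get-LockdownFinding -Remediate | Export-Csv lockdown-audit.csv -NoTypeInformation
```

Run it in report mode first. Once lockdown is on and the DCUI service is stopped, vCenter is the only remaining management path for that host, so stage the remediation host by host and confirm vCenter connectivity before moving on; the DCUI is exactly the path the answer above describes for turning lockdown back off, which is why it is worth treating both findings together.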

vesej
Contributor

Hi all,

In an ESXi host with Lockdown Mode enabled (Normal or Strict mode), is it possible for someone to restart the server and access the ESXi Shell using a "Safe Mode" or something like that? My point is: could a malicious user break Lockdown Mode security by restarting the ESXi host?

Regards.

Valter Junior

mbufkin
Enthusiast

What version of ESXi?

mbufkin
Enthusiast

I would expect that without the root password you could not change lockdown mode.

More info from VMware: https://kb.vmware.com/s/article/1008077

vesej
Contributor

Some Linux distros allow an administrator to recover the root password by editing the bootloader on the machine. So, if an administrator does that, can they disable Lockdown Mode?

Regards.

vesej
Contributor

Version 7 Update 3.


Thanks

mburger
Contributor

Thanks for sharing this data, guys, this is great information.
