Leveraging the lock-down feature adds security to ESXi hosts, and to the whole vSphere environment, by restricting direct access to the host (DCUI, ESXi web client, SSH), which reduces the chances of your hosts being compromised. vCenter Server then becomes the main management console for the ESXi hosts. With the “Exception Users” list, you can specify the user accounts that can still access ESXi hosts directly while lock-down mode is enabled.

Lock-down mode comes in two flavours:

Normal mode: every interface is restricted. Managing ESXi is done through vCenter Server, the shell interfaces (ESXi Shell/SSH) are usable only by accounts on the exception users list, and the DCUI is reachable only by root and by the local users named in the “DCUI.Access” advanced setting.

Strict mode: the same as normal mode, but the DCUI is disabled as well.

Note: a host in strict mode that loses access from vCenter while both the ESXi Shell and SSH are disabled cannot be recovered; it will have to be re-installed. There is no safety breaker for strict mode according to VMware, so before enabling it make sure at least one exception user exists and that SSH or the ESXi Shell is running for that user.

Summary of direct access while lock-down mode is enabled:
DCUI: root and the local users defined in “DCUI.Access” (disabled entirely in strict mode).
ESXi Shell/SSH: restricted to users on the “exception users list” only.

Please refer to the references mentioned at the end of this article for further details about accessibility.

To configure lock-down mode from the vSphere web console:

1- Log in to your vSphere 6.x web console, select the host on which you want to enable lock-down mode, and then click Configure > Security Profile > scroll down to the “Lockdown Mode” section > click “Edit”.
2- Select the desired mode. In this example, I will proceed with “Normal mode”. Then click OK.
3- Make sure that the status has changed to the desired mode.
4- Now the “root” account (and every other user account) will fail to log in directly to the host via the ESXi Shell/SSH.

To enable strict mode, repeat the same steps above but choose “Strict mode” this time, confirm the warning message, and then click “OK”. Now go to the DCUI; you will find it has been disabled by enabling strict mode.

Configuring Lock-down mode with exception users list

The “Exception Users” list was introduced in vSphere 6.0. It is used to specify the user accounts that are still granted direct access to hosts (via the ESXi Shell/SSH) while lock-down mode is configured. Only individual users can be specified, not groups, which keeps the scope of the grant narrow.
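The same procedure (exception users first, then the mode, then confirming the result) can be driven through the vSphere API, which is how you would roll it out to a cluster rather than one host at a time. The following is an added example written for this page, not code from the original article or from VMware: it uses pyVmomi's HostAccessManager (`lockdownMode`, `ChangeLockdownMode`, `QueryLockdownExceptions`, `UpdateLockdownExceptions`) and the service/advanced-option managers, and adds a pre-flight `lockout_risks` check that refuses to put a host into strict mode when losing vCenter would mean a reinstall. The host names, the `svc-backup` account and the `HostState`/`lockout_risks` helpers are my own constructions; the pyVmomi imports are deferred so the offline check runs without a vCenter.

```python
"""Pre-flight check before enabling ESXi lockdown mode, plus the vSphere API calls.

Added example, not code from the original article. Live parts use pyVmomi's
vim.host.HostAccessManager (lockdownMode, ChangeLockdownMode,
QueryLockdownExceptions, UpdateLockdownExceptions); pyVmomi imports are deferred
so the offline check runs without a vCenter. Host names and user names below are
constructed sample data.
"""
from dataclasses import dataclass

LOCKDOWN_DISABLED = "lockdownDisabled"   # vim.host.HostAccessManager.LockdownMode values
LOCKDOWN_NORMAL = "lockdownNormal"
LOCKDOWN_STRICT = "lockdownStrict"


@dataclass
class HostState:
    """Facts that decide whether a lockdown change can lock the admin out."""
    name: str
    lockdown_mode: str
    exception_users: list       # from QueryLockdownExceptions()
    dcui_access: list           # DCUI.Access advanced setting, split on ','
    ssh_running: bool           # TSM-SSH service
    shell_running: bool         # TSM (ESXi Shell) service


def lockout_risks(state, target_mode):
    """Warnings for moving `state` to `target_mode`; an empty list means a recovery path exists.

    Rule from the article: in strict mode the DCUI is gone, so if the host loses
    vCenter and no exception user can reach SSH or the ESXi Shell, the only fix
    is reinstalling ESXi. Normal mode keeps the DCUI for root/DCUI.Access users.
    """
    if target_mode == LOCKDOWN_DISABLED:
        return []
    warnings = []
    shell_up = state.ssh_running or state.shell_running
    if not state.exception_users:
        warnings.append("no exception users: nobody can use SSH/ESXi Shell while locked down")
    elif not shell_up:
        warnings.append("exception users exist but both TSM-SSH and TSM (ESXi Shell) are stopped")
    if target_mode == LOCKDOWN_STRICT and not (state.exception_users and shell_up):
        warnings.append("strict mode with no shell path: losing vCenter means reinstalling the host")
    if target_mode == LOCKDOWN_NORMAL and not state.dcui_access:
        warnings.append("DCUI.Access is empty: the normal-mode DCUI fallback is unusable")
    return warnings


def read_host_state(host):
    """Build a HostState from a live pyVmomi vim.HostSystem (needs a vCenter session)."""
    ham = host.configManager.hostAccessManager
    services = {s.key: s.running for s in host.configManager.serviceSystem.serviceInfo.service}
    dcui = host.configManager.advancedOption.QueryOptions("DCUI.Access")[0].value
    return HostState(
        name=host.name,
        lockdown_mode=str(ham.lockdownMode),
        exception_users=list(ham.QueryLockdownExceptions()),
        dcui_access=[u for u in str(dcui).split(",") if u],
        ssh_running=services.get("TSM-SSH", False),
        shell_running=services.get("TSM", False),
    )


def apply_lockdown(host, target_mode, exception_users, force=False):
    """Steps 1-4 of the article through the API: set exception users first, then the mode."""
    from pyVmomi import vim  # deferred import: only needed with a live vCenter session
    ham = host.configManager.hostAccessManager
    ham.UpdateLockdownExceptions(list(exception_users))   # individual users, not groups
    risks = lockout_risks(read_host_state(host), target_mode)
    if risks and not force:
        raise RuntimeError("refusing %s on %s: %s" % (target_mode, host.name, "; ".join(risks)))
    ham.ChangeLockdownMode(getattr(vim.host.HostAccessManager.LockdownMode, target_mode))
    return str(ham.lockdownMode)   # re-read from the host: step 3, confirm the change


def find_host(si, name):
    """Look up a vim.HostSystem by name through a container view."""
    from pyVmomi import vim
    content = si.content
    view = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)
    try:
        return next(h for h in view.view if h.name == name)
    finally:
        view.Destroy()


def offline_demo():
    """Constructed sample hosts (no vCenter needed) showing both outcomes for strict mode."""
    prepared = HostState("esx01.lab.example", LOCKDOWN_DISABLED, ["svc-backup"], ["root"], True, False)
    bare = HostState("esx02.lab.example", LOCKDOWN_NORMAL, [], ["root"], False, False)
    return {h.name: lockout_risks(h, LOCKDOWN_STRICT) for h in (prepared, bare)}


if __name__ == "__main__":
    for name, risks in offline_demo().items():
        print(name, "->", risks or "safe to enable strict mode")
```

Against a real environment, open the session with `pyVim.connect.SmartConnect(host=..., user=..., pwd=..., sslContext=ssl.create_default_context())` (keep certificate verification on), then call `apply_lockdown(find_host(si, "esx01.lab.example"), LOCKDOWN_NORMAL, ["svc-backup"])`; the exception users are written before the mode changes so the service account never loses its shell path, and `force=True` is the only way past a strict-mode change that the check flags as unrecoverable.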