Architecting a vSphere Compute Platform : Designing Host Security for Multitenanted Clouds : 10.8 Host Lockdown Mode
   
10.8 Host Lockdown Mode
Enable lockdown mode to harden ESXi hosts and to further reduce the risk of unauthorized access to the ESXi console, by restricting direct host access to the appropriate operational team working through vCenter Server.
In previous releases of vSphere there was a single version of lockdown mode. With the release of vSphere 6.0, two lockdown modes are available.
With "normal lockdown mode," no user other than the vpxuser account (and any configured Exception Users, described below) keeps authentication permissions on the host, so other accounts cannot perform actions against the host directly and all operations are forced through vCenter Server. The DCUI service is not stopped in normal lockdown mode, and users on the DCUI.Access list can still log in to the DCUI. With "strict lockdown mode," also introduced in vSphere 6, the DCUI service is stopped as well. Note that neither mode stops the SSH or ESXi Shell services: if either is left running, an Exception User with administrator privileges can still log in through it, so disable both services alongside lockdown mode. Also bear in mind that a host in strict lockdown mode that loses its connection to vCenter Server has no remaining management path unless such a shell session is available, so plan the recovery procedure before enabling it.
vSphere 6 also introduces "Exception Users": local accounts or Active Directory accounts, with permissions defined locally on the host, that do not lose those permissions when the host enters lockdown mode. Exception Users are not intended for general user accounts; they are recommended only for third-party applications, for example the "service account" an application uses to reach the host directly while normal or strict lockdown mode is enabled. Grant these accounts the absolute minimum privileges the application needs to carry out its task; an account whose task requires only read-only access to the host should be assigned a read-only role, not Administrator.
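The checks above (lockdown mode set, DCUI.Access limited to approved operators, Exception Users restricted to approved service accounts with the least role they need, and SSH/ESXi Shell not running) are the things an operator should audit across a multitenanted estate. The script below is an added example, not code from the book or from VMware: it evaluates a host's lockdown posture against a policy. The audit itself works on a plain dictionary so it runs offline against the constructed sample; the `collect_from_host` helper shows how the same fields would be read from a live host with pyVmomi and assumes the HostAccessManager, OptionManager and ServiceSystem property and method names as documented in the vSphere API (verify against your vSphere version). All account names and policy values are hypothetical.

```python
"""Audit an ESXi host's lockdown-mode posture against a simple policy.

Added example (not from the book). audit_lockdown() is pure Python and runs
offline; collect_from_host() shows the assumed pyVmomi calls for a live host.
"""
from dataclasses import dataclass, field

# Lockdown modes as the vSphere 6 HostLockdownMode enum names them.
DISABLED, NORMAL, STRICT = "lockdownDisabled", "lockdownNormal", "lockdownStrict"


@dataclass
class LockdownPolicy:
    require_strict: bool = False                       # normal mode acceptable unless set
    allowed_dcui_access: set = field(default_factory=lambda: {"root"})
    allowed_exception_users: set = field(default_factory=set)  # approved service accounts
    admin_exception_users: set = field(default_factory=set)    # those allowed Administrator


def audit_lockdown(host: dict, policy: LockdownPolicy) -> list:
    """Return a list of finding strings for one host; an empty list means compliant."""
    findings = []
    mode = host["lockdown_mode"]
    if mode == DISABLED:
        findings.append("lockdown mode is disabled: host accepts direct logins")
    elif mode == NORMAL and policy.require_strict:
        findings.append("normal lockdown mode in use but policy requires strict (DCUI still reachable)")

    # DCUI.Access: anyone listed here can reach the DCUI while in normal lockdown mode.
    for user in sorted(set(host["dcui_access"]) - policy.allowed_dcui_access):
        findings.append(f"DCUI.Access grants console access to unapproved user {user!r}")

    # Exception Users keep their host permissions through lockdown, so each must be an
    # approved service account and must not hold Administrator unless explicitly allowed.
    roles = host["access_entries"]  # principal -> accessMode (e.g. accessAdmin, accessReadOnly)
    for user in sorted(host["exception_users"]):
        if user not in policy.allowed_exception_users:
            findings.append(f"Exception user {user!r} is not an approved service account")
        if roles.get(user) == "accessAdmin" and user not in policy.admin_exception_users:
            findings.append(f"Exception user {user!r} holds Administrator but only read-only is approved")

    # In either mode an Administrator exception user can still use SSH or the ESXi Shell
    # if those services are running, so a locked-down host should have both stopped.
    for key, label in (("TSM-SSH", "SSH"), ("TSM", "ESXi Shell")):
        if host["services_running"].get(key):
            findings.append(f"{label} service is running on a lockdown-mode host")
    return findings


def collect_from_host(host_obj) -> dict:
    """Build the audit dict from a live pyVmomi HostSystem (assumed API names; not run offline)."""
    ham = host_obj.configManager.hostAccessManager
    opts = host_obj.configManager.advancedOption.QueryOptions("DCUI.Access")
    dcui = [u.strip() for u in opts[0].value.split(",") if u.strip()] if opts else []
    entries = {e.principal: str(e.accessMode) for e in ham.RetrieveHostAccessControlEntries()}
    services = {s.key: bool(s.running)
                for s in host_obj.configManager.serviceSystem.serviceInfo.service}
    return {
        "lockdown_mode": str(ham.lockdownMode),
        "dcui_access": dcui,
        "exception_users": list(ham.QueryLockdownExceptions()),
        "access_entries": entries,
        "services_running": services,
    }


# Constructed sample host (hypothetical accounts), typical of an unreviewed host.
SAMPLE_HOST = {
    "lockdown_mode": NORMAL,
    "dcui_access": ["root", "jsmith"],
    "exception_users": ["svc_backup", "jsmith"],
    "access_entries": {"root": "accessAdmin", "vpxuser": "accessAdmin",
                       "svc_backup": "accessAdmin", "jsmith": "accessAdmin"},
    "services_running": {"TSM-SSH": True, "TSM": False},
}

SAMPLE_POLICY = LockdownPolicy(
    require_strict=True,
    allowed_exception_users={"svc_backup", "svc_monitor"},
    admin_exception_users={"svc_backup"},
)

if __name__ == "__main__":
    for finding in audit_lockdown(SAMPLE_HOST, SAMPLE_POLICY):
        print("FINDING:", finding)
```

Against the sample host the audit reports five findings: normal rather than strict mode, an unapproved DCUI.Access entry, a general user on the Exception Users list who also holds Administrator (two findings), and SSH left running. Feeding `collect_from_host()` output for each host in a cluster into `audit_lockdown()` gives a repeatable control that can be run before a host is admitted to a tenant-facing cluster.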