To increase the security of your ESXi hosts, you put them in lockdown mode so that administrative operations can be performed only from vCenter Server.

vSphere supports an Exception User list, which is for service accounts that have to log in to the host directly. Accounts with administrator privileges that are on the Exception Users list can log in to the ESXi Shell. In addition, these users can log in to a host's DCUI in normal lockdown mode and can exit lockdown mode.

You repeat this procedure to enable normal lockdown mode for all hosts in the data center. The table below lists all of the hosts.

Hosts in the data center

| Host | FQDN |
|------|------|
| Management host 1 | mgmt01esx01.sfo01.rainpole.local |
| Management host 2 | mgmt01esx02.sfo01.rainpole.local |
| Management host 3 | mgmt01esx03.sfo01.rainpole.local |
| Management host 4 | mgmt01esx04.sfo01.rainpole.local |
| Shared Edge and Compute host 1 | comp01esx01.sfo01.rainpole.local |
| Shared Edge and Compute host 2 | comp01esx02.sfo01.rainpole.local |
| Shared Edge and Compute host 3 | comp01esx03.sfo01.rainpole.local |
| Shared Edge and Compute host 4 | comp01esx04.sfo01.rainpole.local |

1. Log in to the Compute vCenter Server by using the vSphere Web Client.

   a. Open a Web browser and go to https://comp01vc01.sfo01.rainpole.local/vsphere-client.

   b. Log in using the following credentials.

      | Setting | Value |
      |---------|-------|
      | User name | administrator@vsphere.local |
      | Password | vsphere_admin_password |

2. In the Navigator, click Hosts and Clusters and expand the entire mgmt01vc01.sfo01.rainpole.local tree control.

3. Select the mgmt01esx01.sfo01.rainpole.local host.

4. Click Configure.

5. Under System, select Security Profile.

6. In the Lockdown Mode panel, click Edit.

7. In the Lockdown Mode dialog box, select the Normal radio button, and click OK.

8. Repeat this procedure and enable normal lockdown mode for all remaining hosts in the data center.

Note: Lockdown Mode settings are not part of Host Profiles and must be manually enabled on all hosts.
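
Because the setting is applied host by host, it is worth confirming afterwards that no host was skipped. The following PowerCLI script is an added example, not part of the original procedure or VMware's own code: it reports the lockdown mode and Exception Users of every host and, only when `$Enforce` is set to `$true`, switches hosts from disabled to normal lockdown mode. It assumes the VMware.PowerCLI module is installed and that both vCenter Server names that appear in this procedure accept the same Single Sign-On account.

```powershell
# Added example, not VMware's code. Requires the VMware.PowerCLI module.
# Assumption: both vCenter Server names on this page accept the same SSO account.
$Enforce  = $false   # $true switches hosts found in lockdownDisabled to lockdownNormal
$vCenters = 'mgmt01vc01.sfo01.rainpole.local', 'comp01vc01.sfo01.rainpole.local'

# The eight FQDNs from the host table: mgmt01esx01-04 and comp01esx01-04.
$expected = foreach ($prefix in 'mgmt01esx', 'comp01esx') {
    1..4 | ForEach-Object { '{0}{1:d2}.sfo01.rainpole.local' -f $prefix, $_ }
}

$cred = Get-Credential -UserName 'administrator@vsphere.local' -Message 'vCenter Single Sign-On'

$report = foreach ($vc in $vCenters) {
    $server = Connect-VIServer -Server $vc -Credential $cred
    try {
        foreach ($vmhost in Get-VMHost -Server $server) {
            # HostAccessManager is the vSphere API object behind the Lockdown Mode panel.
            $moRef  = $vmhost.ExtensionData.ConfigManager.HostAccessManager
            $access = Get-View -Server $server -Id $moRef
            $before = [string]$access.LockdownMode

            if ($Enforce -and $before -eq 'lockdownDisabled') {
                $access.ChangeLockdownMode('lockdownNormal')
                $access.UpdateViewData()   # re-read the mode from the host
            }

            [pscustomobject]@{
                Host           = $vmhost.Name
                Before         = $before
                After          = [string]$access.LockdownMode
                # Exception Users keep direct access, so review this list too.
                ExceptionUsers = @($access.QueryLockdownExceptions()) -join ', '
            }
        }
    }
    finally {
        Disconnect-VIServer -Server $server -Confirm:$false
    }
}

$report | Sort-Object Host | Format-Table -AutoSize

# Hosts from the table that no vCenter Server returned, and hosts still not locked down.
$missing  = $expected | Where-Object { $_ -notin $report.Host }
$unlocked = $report   | Where-Object { $_.After -eq 'lockdownDisabled' }
if ($missing)  { Write-Warning "Not found in inventory: $($missing -join ', ')" }
if ($unlocked) { Write-Warning "Lockdown mode disabled: $($unlocked.Host -join ', ')" }
```

Running the script on a schedule in its default audit mode also catches hosts that were rebuilt or added later and never had lockdown mode enabled.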