VMware ESXi 4.1 Installable and vCenter Server 4.1 Edition



ESXi Lockdown Mode
To increase the security of your ESXi hosts, you can put them in lockdown mode.
When you enable lockdown mode, no users other than vpxuser have authentication permissions, nor can they perform operations against the host directly. Lockdown mode forces all operations to be performed through vCenter Server.
When a host is in lockdown mode, you cannot run vCLI commands from an administration server, from a script, or from vMA against the host. External software or management tools might not be able to retrieve or modify information from the ESXi host.
Note: The root user is still authorized to log in to the direct console user interface when lockdown mode is enabled.
Enabling or disabling lockdown mode affects which types of users are authorized to access host services, but it does not affect the availability of those services. In other words, if Local Tech Support Mode, Remote Tech Support Mode (SSH), or the Direct Console User Interface (DCUI) services are enabled, they will continue to run whether or not the host is in lockdown mode.
You can enable lockdown mode using the Add Host wizard to add an ESXi host to vCenter Server, using the vSphere Client to manage a host, or using the direct console user interface.
Note: If you enable or disable lockdown mode using the direct console user interface, permissions for users and groups on the host are discarded. To preserve these permissions, you must enable and disable lockdown mode using the vSphere Client connected to vCenter Server.
Lockdown mode is only available on ESXi hosts that have been added to vCenter Server.
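
An added example (not from the VMware guide): a PowerShell audit of the point made above that lockdown mode and service availability are independent. It flags hosts where lockdown mode is off, or on while Tech Support Mode services are still running. The input field names, the sample hosts, and the `TSM`/`TSM-SSH` service keys are assumptions of this example; the commented lines show one way to collect live data with PowerCLI.

```powershell
# Added example: compare lockdown mode state with Tech Support Mode service state.
# Input objects use this example's own field names: Name, Lockdown, Services.
function Test-LockdownPosture {
    param([Parameter(Mandatory)][object[]]$HostState)

    # Assumed service keys for Local and Remote (SSH) Tech Support Mode.
    # DCUI is deliberately excluded: root may still use it in lockdown mode.
    $shellKeys = 'TSM', 'TSM-SSH'

    foreach ($h in $HostState) {
        # Names of Tech Support Mode services that are currently running.
        $running = @($h.Services |
            Where-Object { $_.Running -and $shellKeys -contains $_.Key } |
            ForEach-Object { $_.Key })

        $finding = if (-not $h.Lockdown) {
            'Lockdown mode disabled: direct host access is not limited to vpxuser'
        } elseif ($running.Count -gt 0) {
            'Lockdown mode enabled, but still running: ' + ($running -join ', ')
        } else {
            'OK'
        }
        [pscustomobject]@{ Host = $h.Name; Lockdown = [bool]$h.Lockdown; Finding = $finding }
    }
}

# Constructed sample input (hypothetical hosts), so the check runs offline.
function New-Svc($Key, $Running) { [pscustomobject]@{ Key = $Key; Running = $Running } }
$sample = @(
    [pscustomobject]@{ Name = 'esx01.example.test'; Lockdown = $true
        Services = @((New-Svc 'TSM-SSH' $true), (New-Svc 'DCUI' $true)) }
    [pscustomobject]@{ Name = 'esx02.example.test'; Lockdown = $true
        Services = @((New-Svc 'TSM' $false), (New-Svc 'TSM-SSH' $false), (New-Svc 'DCUI' $true)) }
    [pscustomobject]@{ Name = 'esx03.example.test'; Lockdown = $false
        Services = @((New-Svc 'TSM-SSH' $false), (New-Svc 'DCUI' $true)) }
)
Test-LockdownPosture -HostState $sample | Format-Table -AutoSize

# Live data with PowerCLI, after Connect-VIServer to vCenter Server:
# $live = Get-VMHost | ForEach-Object {
#     [pscustomobject]@{
#         Name     = $_.Name
#         Lockdown = $_.ExtensionData.Config.AdminDisabled   # lockdown mode flag
#         Services = Get-VMHostService -VMHost $_
#     }
# }
# Test-LockdownPosture -HostState $live
```

Run the audit through vCenter Server rather than against each host: as stated above, direct vCLI or scripted access to a host in lockdown mode is refused.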