Lockdown Mode
To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, all operations must be performed through vCenter Server. By default, only the vCenter Server system, represented by the vpxuser user, has authentication permissions. No other users can perform operations against a host in Lockdown Mode.
vSphere 5.x and later supports normal lockdown mode, as discussed in the vSphere 5.x documentation center. vSphere 6.0 and later supports finer grained management:
When a host is in normal or strict lockdown mode, you cannot run vSphere CLI commands against the host directly. Instead, you target the vCenter Server system that manages the host with the --server option and specify the ESXi host with the --vihost option.
When you enable strict lockdown mode, the Direct Console User Interface service is disabled.
You can enable lockdown mode using the Add Host wizard to add a host to vCenter Server, using the vSphere Web Client to manage a host, or using the Direct Console User Interface (DCUI).
See the vSphere Security documentation for details on Lockdown Mode in vSphere 6.0.