Solved

Lockdown mode/Tech support mode

Posted on 2012-04-12
Last Modified: 2012-04-20
Can you explain (in low-tech, management-friendly speak) the risk of

a) not enabling lockdown mode on ESXi hosts
b) not disabling tech support mode on ESXi hosts

I am not a VMware admin myself, but for risk purposes we have seen the output of the vSphere compliance checker results. Management want to prioritise the non-compliant settings in terms of risk and likelihood of the risk being posed.

So for the above two, what's the ultimate risk, who can exploit the risk, and what could the overall business impact be? What's your view on the overall risk of these two existing configurations, i.e. high risk, medium, low, not an issue?
Question by:pma111
 

Author Comment

by:pma111
ID: 37837168
And are there any valid reasons why you wouldn't enable lockdown mode, or why you wouldn't disable tech support mode?
 

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 250 total points
ID: 37837174
Tech Support Mode SHOULD be disabled at ALL times, it should only be enabled to perform low level diagnostic tasks, as advised by VMware.

SSH access should be disabled.
 
ID: 37837181
Lockdown mode should be enabled if you use an open datacentre to host your servers, so the console is not exposed to non-authorised users.
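Added example, not part of the thread and not VMware's own code: a PowerCLI script that turns the two recommendations above (keep the ESXi Shell and SSH off, keep lockdown mode on) into something you can audit across every host in vCenter. Tech Support Mode is the ESXi Shell service (service key TSM) and remote shell access is the SSH service (key TSM-SSH); lockdown mode is exposed in the vSphere API as the host's Config.AdminDisabled flag. The vCenter name, the -Remediate switch and the module import are assumptions; run it without -Remediate first to see the current state.

```powershell
# Added example (not from the thread): audit, and optionally remediate,
# ESXi Shell (TSM), SSH (TSM-SSH) and lockdown mode on every ESXi host.
# Assumes VMware PowerCLI is installed and the account can manage hosts.
# $VCenter and -Remediate are assumptions for this example.
param(
    [string]$VCenter = 'vcenter.example.local',
    [switch]$Remediate
)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    $services = Get-VMHostService -VMHost $vmhost
    $shell = $services | Where-Object { $_.Key -eq 'TSM' }      # ESXi Shell (Tech Support Mode)
    $ssh   = $services | Where-Object { $_.Key -eq 'TSM-SSH' }  # SSH access to that shell

    if ($Remediate) {
        foreach ($svc in @($shell, $ssh)) {
            # Stop the service now and make sure it does not come back at boot.
            if ($svc.Running) {
                Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
            }
            if ($svc.Policy -ne 'off') {
                Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
            }
        }
        # Lockdown mode: after this, the host accepts management only via vCenter.
        if (-not $vmhost.ExtensionData.Config.AdminDisabled) {
            $vmhost.ExtensionData.EnterLockdownMode()
            $vmhost.ExtensionData.UpdateViewData('Config.AdminDisabled')
        }
    }

    [pscustomobject]@{
        Host         = $vmhost.Name
        ShellRunning = $shell.Running
        ShellPolicy  = $shell.Policy        # 'off' is the compliant value
        SshRunning   = $ssh.Running
        SshPolicy    = $ssh.Policy          # 'off' is the compliant value
        LockdownMode = [bool]$vmhost.ExtensionData.Config.AdminDisabled
    }
}

$report | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

A host is compliant with the advice in this thread when ShellRunning and SshRunning are False, both policies are off, and LockdownMode is True. Because lockdown mode blocks direct logins to the host, keep a working vCenter path (or a documented break-glass procedure via the physical console) before turning it on everywhere; enabling the shell or SSH for a diagnostic session and then disabling it again is the normal workflow.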
 

Author Comment

by:pma111
ID: 37837192
Can you define "open data centre"?

In terms of tech support mode, you say it should be disabled, but if it's not, what's the risk, i.e. what can someone do "maliciously" with tech support mode, and who can abuse this feature? I.e. anyone on the network, anyone with access to vCenter, etc.
 

Author Comment

by:pma111
ID: 37837198
If you disable tech support mode does it cause any operational/admin issues to admins? If you enable lockdown mode does it cause any operational/admin issues to admins?
 
ID: 37837202
A datacentre you share with other companies, not your own property.
 
ID: 37837205
No, it does not cause any issues.
 

Author Comment

by:pma111
ID: 37837230
Could you try and sell me the benefits of enabling lockdown mode if the datacentre isn't open, and the benefits of disabling tech support mode? I.e. if management say that's going to cost $x to configure all our hosts to these settings, why should we invest, what's the risk if we don't, etc.
 
ID: 37837243
Do you trust, or have any security as to, who is allowed into your computer room?

If you do not trust people in the computer room, lock the consoles.

Tech Support mode should only be used when required. It can be enabled per server very quickly, 5 seconds.
 

Author Comment

by:pma111
ID: 37837270
Sorry, one more quick one, but how does the actual lockdown mode protect you if someone got unauthorised access to a console (and by console, are we on about a console to the ESXi host, or a console to vCenter)? I.e. what does the lockdown actually do/prevent?

I.e. naughty user breaks in to data center, gets to the console, with lockdown mode he is stopped from doing a, b, or c. Without lockdown mode he can do a, b or c.
 

Assisted Solution

by:bandris
bandris earned 250 total points
ID: 37842091
With lockdown mode enabled a user with server console access can't do anything harmful, even if the ESXi root password is known. An ESXi host in lockdown mode can only be managed through vCenter.
 

Author Comment

by:pma111
ID: 37842164
Does it cause any issues to administration, i.e. if its turned on, will it stop the admin doing anything?
 

Author Comment

by:pma111
ID: 37842172
So the risk is if someone directly targets the host, rather than trying to break into vCenter and modify the host from within vCenter, they go directly to the host for attack? My concern was, if this is configured in vCenter, if they hack into vCenter, surely they'd just turn it off?
 

Expert Comment

by:bandris
ID: 37842192
Lockdown mode can be disabled from within vCenter (or by having physical access to the server and console and the skills to crack ESXi).
Lockdown mode will not prevent any configuration changes or tasks which are driven from vCenter.
If somebody can hack into vCenter, then it is already crap; he can do anything after that, even disabling lockdown mode.