Lockdown mode/Tech support mode

Can you explain (in low-tech, management-friendly speak) the risk of

a) not enabling lockdown mode on ESXi hosts
b) not disabling tech support mode on ESXi hosts

I am not a VMware admin myself, but for risk purposes we have seen the output of the vSphere compliance checker results. Management want to prioritise the non-compliant settings in terms of risk and likelihood of the risk being posed.

So for the above two, what's the ultimate risk, who can exploit the risk, and what could the overall business impact be? What's your view on the overall risk of these two existing configurations, i.e. high risk, medium, low, not an issue?

pma111Author Commented:
And are there any valid reasons why you wouldn't enable lockdown mode, or why you wouldn't disable tech support mode?
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Tech Support Mode SHOULD be disabled at ALL times; it should only be enabled to perform low-level diagnostic tasks, as advised by VMware.

SSH access should be disabled.

Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Lockdown mode should be enabled if you use an open datacentre to host your servers, so the console is not exposed to non-authorised users.

pma111Author Commented:
Can you define "open data centre"?

In terms of tech support mode, you say it should be disabled, but if it's not, what's the risk, i.e. what can someone do "maliciously" with tech support mode, and who can abuse this feature? I.e. anyone in the network, anyone with access to vCenter, etc.
pma111Author Commented:
If you disable tech support mode does it cause any operational/admin issues to admins? If you enable lockdown mode does it cause any operational/admin issues to admins?
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
A datacentre you share with other companies, not your own property.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
No, it does not cause any issues.
pma111Author Commented:
Could you try and sell me the benefits of enabling lockdown mode if the datacentre isn't open, and the benefits of disabling tech support mode? I.e. if management say that's going to cost $x to configure all our hosts to these settings, why should we invest, what's the risk if we don't, etc.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Do you trust, or have any security over, who is allowed into your computer room?

If you do not trust the people in the computer room, lock the consoles.

Tech Support mode should only be used when required. It can be enabled per server very quickly, 5 seconds.
pma111Author Commented:
Sorry, one more quick one, but how does the actual lockdown mode protect you if someone got unauthorised access to a console (and by console, are we talking about a console to the ESXi host, or a console to vCenter)? I.e. what does the lockdown actually do/prevent?

I.e. naughty user breaks in to data center, gets to the console, with lockdown mode he is stopped from doing a, b, or c. Without lockdown mode he can do a, b or c.
With lockdown mode enabled, a user with server console access can't do anything harmful, even if the ESXi root password is known. An ESXi host in lockdown mode can only be managed through vCenter.
pma111Author Commented:
Does it cause any issues to administration, i.e. if it's turned on, will it stop the admin doing anything?
pma111Author Commented:
So the risk is if someone directly targets the host, rather than trying to break into vCenter and modifying the host from within vCenter; they go directly to the host for the attack? My concern was, if this is configured in vCenter, if they hack into vCenter, surely they'd just turn it off?
Lockdown mode can be disabled from within vCenter (or by having physical access to the server and console and the skills to crack ESXi).
Lockdown mode will not prevent any configuration changes or tasks which are driven from vCenter.
If somebody can hack into vCenter, then it is already crap; he can do anything after that, even disabling lockdown mode.
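An added PowerCLI audit script (not from the thread or from VMware) that reports, for every host in a vCenter, the two settings discussed above: lockdown mode and the running/startup state of the ESXi Shell (Tech Support Mode) and SSH services. It assumes PowerCLI is installed and a read-only vCenter account; the vCenter name and the High/Medium/Compliant scale are constructed for illustration.

```powershell
# Added example: audit ESXi hosts for lockdown mode and Tech Support Mode.
# Assumes VMware PowerCLI; 'vcenter.example.internal' is a placeholder.
#Requires -Modules VMware.VimAutomation.Core

function Get-EsxiLockdownReport {
    param([Parameter(Mandatory)][string]$VIServer)

    Connect-VIServer -Server $VIServer | Out-Null

    foreach ($vmhost in Get-VMHost | Sort-Object Name) {
        $services = Get-VMHostService -VMHost $vmhost
        $shell = $services | Where-Object Key -eq 'TSM'      # ESXi Shell = Tech Support Mode
        $ssh   = $services | Where-Object Key -eq 'TSM-SSH'  # remote SSH into the host

        # vSphere 6.0+ exposes LockdownMode (lockdownDisabled/Normal/Strict);
        # older hosts only expose the AdminDisabled boolean.
        $cfg = $vmhost.ExtensionData.Config
        $lockdown = if ($cfg.LockdownMode) { [string]$cfg.LockdownMode }
                    elseif ($cfg.AdminDisabled) { 'lockdownNormal' }
                    else { 'lockdownDisabled' }

        $findings = @()
        if ($lockdown -eq 'lockdownDisabled') {
            $findings += 'Lockdown off: host can be managed directly, bypassing vCenter roles and audit trail'
        }
        if ($shell.Running) { $findings += 'ESXi Shell (Tech Support Mode) running' }
        if ($ssh.Running)   { $findings += 'SSH running' }
        if ($shell.Policy -eq 'on' -or $ssh.Policy -eq 'on') {
            $findings += 'Shell/SSH set to start with host (persists across reboots)'
        }

        # Illustrative scale (assumption): both controls missing = High,
        # any single finding = Medium, nothing = Compliant.
        $risk = if ($findings.Count -eq 0) { 'Compliant' }
                elseif ($lockdown -eq 'lockdownDisabled' -and ($shell.Running -or $ssh.Running)) { 'High' }
                else { 'Medium' }

        [pscustomobject]@{
            Host         = $vmhost.Name
            LockdownMode = $lockdown
            ShellRunning = [bool]$shell.Running
            SshRunning   = [bool]$ssh.Running
            Risk         = $risk
            Findings     = $findings -join '; '
        }
    }
    Disconnect-VIServer -Server $VIServer -Confirm:$false
}

Get-EsxiLockdownReport -VIServer 'vcenter.example.internal' | Format-Table -AutoSize
```

The report only reads state; re-enabling the shell for a diagnostic session and turning it off afterwards (Start-VMHostService / Stop-VMHostService on the same 'TSM' and 'TSM-SSH' keys) is the "5 seconds" step mentioned above.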