Solved

Lockdown mode/Tech support mode

Posted on 2012-04-12
Last Modified: 2012-04-20
Can you explain (in low-tech, management-friendly speak) the risk of

a) not enabling lockdown mode on ESXi hosts
b) not disabling tech support mode on ESXi hosts

I am not a VMware admin myself, but for risk purposes we have seen the output of the vSphere compliance checker results. Management want to prioritise the non-compliant settings in terms of risk and likelihood of the risk being posed.

So for the above two, what's the ultimate risk, who can exploit the risk, and what could the overall business impact be? What's your view on the overall risk of these 2 existing configurations, i.e. high risk, medium, low, not an issue?
Question by:pma111
14 Comments
 
LVL 3

Author Comment

by:pma111
ID: 37837168
And are there any valid reasons why you wouldn't enable lockdown mode, or why you wouldn't disable tech support mode?
 
LVL 118

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE) earned 250 total points
ID: 37837174
Tech Support Mode SHOULD be disabled at ALL times, it should only be enabled to perform low level diagnostic tasks, as advised by VMware.

SSH access should be disabled.
 
LVL 118
ID: 37837181
Lockdown mode should be enabled if you use an open datacentre to host your servers, so the console is not exposed to non-authorised users.
 
LVL 3

Author Comment

by:pma111
ID: 37837192
Can you define "open data centre"?

In terms of tech support mode, you say it should be disabled, but if it's not, what's the risk, i.e. what can someone do "maliciously" with tech support mode, and who can abuse this feature? I.e. anyone in the network, anyone with access to vCenter, etc.
 
LVL 3

Author Comment

by:pma111
ID: 37837198
If you disable tech support mode does it cause any operational/admin issues to admins? If you enable lockdown mode does it cause any operational/admin issues to admins?
 
LVL 118
ID: 37837202
A datacentre you share with other companies, not your own property.
 
LVL 118
ID: 37837205
No, it does not cause any issues.
 
LVL 3

Author Comment

by:pma111
ID: 37837230
Could you try and sell me the benefits of enabling lockdown mode if the datacentre isn't open, and the benefits of disabling tech support mode. I.e. if management say that's going to cost $x to configure all our hosts to these settings, why should we invest, what's the risk if we don't, etc.
 
LVL 118
ID: 37837243
Do you trust, or have any security as to, who is allowed into your computer room?

If you do not trust people in the computer room, lock the consoles.

Tech Support mode should only be used when required. It can be enabled per server very quickly, in 5 seconds.
 
LVL 3

Author Comment

by:pma111
ID: 37837270
Sorry, one more quick one, but how does the actual lockdown mode protect you if someone got unauthorised access to a console (and by console, are we on about a console to the ESXi host, or a console to vCenter)? I.e. what does the lockdown actually do/prevent?

I.e. naughty user breaks in to the data centre, gets to the console; with lockdown mode he is stopped from doing a, b, or c. Without lockdown mode he can do a, b or c.
 
LVL 2

Assisted Solution

by:bandris
bandris earned 250 total points
ID: 37842091
With lockdown mode enabled, a user with server console access can't do anything harmful, even if the ESXi root password is known. An ESXi host in lockdown mode can only be managed through vCenter.
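To turn the two compliance-checker findings into something an admin can check and enforce, here is an added PowerCLI script (my own example, not code from any poster in this thread). It audits the Tech Support Mode services the accepted solution says should be off (ESXi Shell and SSH) and the lockdown mode state described in the answer above; it assumes an existing Connect-VIServer session to vCenter, and the -Remediate switch name is my choice.

```powershell
# Added example (not from the thread): audit, and optionally remediate, the
# ESXi Shell / SSH (Tech Support Mode) services and lockdown mode on every
# host visible through the current vCenter connection (Connect-VIServer first).
param(
    [switch]$Remediate          # hypothetical switch: dry-run audit unless given
)

# Service keys as ESXi names them: TSM = local ESXi Shell, TSM-SSH = SSH daemon.
$tsmKeys = @('TSM', 'TSM-SSH')

foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    $hv = $vmhost.ExtensionData                  # the HostSystem managed object
    # Config.AdminDisabled is $true while the host is in lockdown mode
    # (vSphere 4.x/5.x API; newer releases additionally expose Config.LockdownMode).
    $lockdown = [bool]$hv.Config.AdminDisabled

    $services = Get-VMHostService -VMHost $vmhost | Where-Object { $tsmKeys -contains $_.Key }
    foreach ($svc in $services) {
        $running   = $svc.Running
        $autoStart = $svc.Policy -ne 'off'       # 'on' or 'automatic' restarts it at boot
        $status    = if ($running -or $autoStart) { 'NON-COMPLIANT' } else { 'ok' }
        '{0,-25} {1,-8} running={2,-5} policy={3,-9} {4}' -f `
            $vmhost.Name, $svc.Key, $running, $svc.Policy, $status

        if ($Remediate -and ($running -or $autoStart)) {
            # Stop the service now and make sure it stays off after a reboot.
            if ($running)   { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
            if ($autoStart) { Set-VMHostService  -HostService $svc -Policy 'off'    | Out-Null }
        }
    }

    $ldStatus = if ($lockdown) { 'ok' } else { 'NON-COMPLIANT' }
    '{0,-25} lockdown={1,-5} {2}' -f $vmhost.Name, $lockdown, $ldStatus
    if ($Remediate -and -not $lockdown) {
        # Enter lockdown mode via vCenter: direct client/API logins to the host
        # are then refused, while vCenter-driven management keeps working.
        $hv.EnterLockdownMode()
    }
}
```

Run it once without -Remediate to get the per-host report management asked for, then a second time after remediation to confirm every line reads "ok".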
 
LVL 3

Author Comment

by:pma111
ID: 37842164
Does it cause any issues to administration, i.e. if it's turned on, will it stop the admin doing anything?
 
LVL 3

Author Comment

by:pma111
ID: 37842172
So the risk is if someone directly targets the host, rather than tries breaking into vCenter and modifying the host from within vCenter, they go directly to the host for attack? My concern was, if this is configured in vCenter, if they hack into vCenter, surely they'd just turn it off?
 
LVL 2

Expert Comment

by:bandris
ID: 37842192
Lockdown mode can be disabled from within vCenter (or by having physical access to the server and console and the skills to crack ESXi).
Lockdown mode will not prevent any configuration changes or tasks which are driven from vCenter.
If somebody can hack into vCenter, then it is already crap; he can do anything after that, even disabling lockdown mode.