Lockdown mode/Tech support mode

Posted on 2012-04-12
Last Modified: 2012-04-20
Can you explain (in low-tech, management-friendly speak) the risk of

a) not enabling lockdown mode on ESXi hosts
b) not disabling tech support mode on ESXi hosts

I am not a VMware admin myself, but for risk purposes we have seen the output of the vSphere compliance checker results. Management want to prioritise the non-compliant settings in terms of risk and likelihood of the risk being posed.

So for the above two, what's the ultimate risk, who can exploit the risk, and what could the overall business impact be? What's your view on the overall risk of these two existing configurations, i.e. high risk, medium, low, not an issue?
Question by:pma111
14 Comments
 
LVL 3

Author Comment

by:pma111
ID: 37837168
And are there any valid reasons why you wouldn't enable lockdown mode, or why you wouldn't disable tech support mode?
0
 
LVL 123

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 1000 total points
ID: 37837174
Tech Support Mode SHOULD be disabled at ALL times; it should only be enabled to perform low-level diagnostic tasks, as advised by VMware.

SSH access should be disabled.
0
 
LVL 123
ID: 37837181
Lockdown mode should be enabled if you use an open datacentre to host your servers, so the console is not exposed to non-authorised users.
0
 
LVL 3

Author Comment

by:pma111
ID: 37837192
Can you define "open data centre"?

In terms of tech support mode, you say it should be disabled, but if it's not, what's the risk, i.e. what can someone do "maliciously" with tech support mode, and who can abuse this feature? I.e. anyone in the network, anyone with access to vCenter, etc.
0
 
LVL 3

Author Comment

by:pma111
ID: 37837198
If you disable tech support mode does it cause any operational/admin issues to admins? If you enable lockdown mode does it cause any operational/admin issues to admins?
0
 
LVL 123
ID: 37837202
A datacentre you share with other companies, not your own property.
0
 
LVL 123
ID: 37837205
No, it does not cause any issues.
0
 
LVL 3

Author Comment

by:pma111
ID: 37837230
Could you try and sell me the benefits of enabling lockdown mode if the datacentre isn't open, and the benefits of disabling tech support mode? I.e. if management say that's going to cost $x to configure all our hosts to these settings, why should we invest, what's the risk if we don't, etc.
0
 
LVL 123
ID: 37837243
Do you trust, or have any security as to, who is allowed into your computer room?

If you do not trust people in the computer room, lock the consoles.

Tech Support mode should only be used when required. It can be enabled per server very quickly, in 5 seconds.
0
 
LVL 3

Author Comment

by:pma111
ID: 37837270
Sorry, one more quick one, but how does the actual lockdown mode protect you if someone got unauthorised access to a console (and by console, are we on about a console to the ESXi host, or a console to vCenter)? I.e. what does the lockdown actually do/prevent?

I.e. naughty user breaks in to the data centre, gets to the console; with lockdown mode he is stopped from doing a, b, or c. Without lockdown mode he can do a, b or c.
0
 
LVL 2

Assisted Solution

by:bandris
bandris earned 1000 total points
ID: 37842091
With lockdown mode enabled, a user with server console access can't do anything harmful, even if the ESXi root password is known. An ESXi host in lockdown mode can only be managed through vCenter.
0
 
LVL 3

Author Comment

by:pma111
ID: 37842164
Does it cause any issues to administration, i.e. if it's turned on, will it stop the admin doing anything?
0
 
LVL 3

Author Comment

by:pma111
ID: 37842172
So the risk is if someone directly targets the host, rather than trying to break into vCenter and modify the host from within vCenter; they go directly to the host for attack? My concern was, if this is configured in vCenter, if they hack into vCenter, surely they'd just turn it off?
0
 
LVL 2

Expert Comment

by:bandris
ID: 37842192
Lockdown mode can be disabled from within vCenter (or by having physical access to the server and console and the skills to crack ESXi).
Lockdown mode will not prevent any configuration changes or tasks which are driven from vCenter.
If somebody can hack into vCenter, then it is already crap; he can do anything after that, even disabling lockdown mode.
0
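The two settings discussed in this thread (Tech Support Mode / ESXi Shell and SSH being disabled, and lockdown mode being enabled) can be checked across all hosts from vCenter in one pass. The following PowerCLI script is an added example written for this page; it is not code from the thread's participants or from VMware. It assumes PowerCLI is installed and that `Connect-VIServer` has already been run against vCenter, and it relies on the ESXi service keys `TSM` (ESXi Shell) and `TSM-SSH` (SSH) and on the `Config.AdminDisabled` flag of the host object, which is true when the host is in lockdown mode.

```powershell
# Added audit example (not from the original thread). Assumes VMware PowerCLI
# is loaded and Connect-VIServer has already been run against vCenter.
# For every host it reports lockdown mode and the state of the ESXi Shell
# (Tech Support Mode, service key TSM) and SSH (TSM-SSH) services, and with
# -Remediate it stops both services, sets their startup policy to Off and
# puts the host into lockdown mode.

param(
    [switch]$Remediate   # only change settings when explicitly asked to
)

$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # HostConfigInfo.adminDisabled is true when the host is in lockdown mode
    $lockdown = [bool]$vmhost.ExtensionData.Config.AdminDisabled

    $services = Get-VMHostService -VMHost $vmhost |
        Where-Object { $_.Key -in 'TSM', 'TSM-SSH' }
    $tsm = $services | Where-Object Key -eq 'TSM'
    $ssh = $services | Where-Object Key -eq 'TSM-SSH'

    # A host is compliant with the thread's advice when lockdown mode is on
    # and neither the shell nor SSH is running or set to start on its own.
    $compliant = $lockdown -and
        -not $tsm.Running -and $tsm.Policy -eq 'off' -and
        -not $ssh.Running -and $ssh.Policy -eq 'off'

    [pscustomobject]@{
        Host         = $vmhost.Name
        LockdownMode = $lockdown
        ShellRunning = $tsm.Running
        ShellPolicy  = $tsm.Policy      # 'off', 'on' or 'automatic'
        SSHRunning   = $ssh.Running
        SSHPolicy    = $ssh.Policy
        Compliant    = $compliant
    }

    if ($Remediate -and -not $compliant) {
        foreach ($svc in @($tsm, $ssh)) {
            if ($svc.Running) {
                Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
            }
            if ($svc.Policy -ne 'off') {
                Set-VMHostService -HostService $svc -Policy Off | Out-Null
            }
        }
        if (-not $lockdown) {
            # Lockdown mode is a host-level flag; vCenter keeps full control.
            $vmhost.ExtensionData.EnterLockdownMode()
        }
    }
}

$report | Format-Table -AutoSize
```

Run it without parameters to get the before-state the compliance checker would flag; run it with `-Remediate` to apply the changes, after which a second run without the switch should show every host as compliant. Because the shell and SSH services are re-enabled per host in seconds (`Start-VMHostService` on the same service objects), turning them off by default costs nothing operationally, which is the point made in the accepted answer. Lockdown mode only removes direct-to-host management paths such as the console and the shell, so, as the last comment notes, it does nothing against an attacker who already controls vCenter.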
