• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 680
  • Last Modified:

Lockdown mode/Tech support mode

Can you explain (in low-tech, management-friendly speak) the risk of

a) not enabling lockdown mode on ESXi hosts
b) not disabling tech support mode on ESXi hosts

I am not a VMware admin myself, but for risk purposes we have seen the output of the vSphere compliance checker results. Management want to prioritise the non-compliant settings in terms of risk and likelihood of the risk being posed.

So for the above two, what's the ultimate risk, who can exploit the risk, and what could the overall business impact be? What's your view on the overall risk of these two existing configurations, i.e. high risk, medium, low, not an issue?
0
Asked by: pma111
2 Solutions
 
pma111Author Commented:
And are there any valid reasons why you wouldn't enable lockdown mode, or why you wouldn't disable tech support mode?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Tech Support Mode SHOULD be disabled at ALL times; it should only be enabled to perform low-level diagnostic tasks, as advised by VMware.

SSH access should be disabled.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Lockdown mode should be enabled if you use an open datacentre to host your servers, so the console is not exposed to non-authorised users.
0

 
pma111Author Commented:
Can you define "open data centre"?

In terms of tech support mode, you say it should be disabled, but if it's not, what's the risk? I.e. what can someone do "maliciously" with tech support mode, and who can abuse this feature: anyone on the network, anyone with access to vCenter, etc.?
0
 
pma111Author Commented:
If you disable tech support mode, does it cause any operational/admin issues for admins? If you enable lockdown mode, does it cause any operational/admin issues for admins?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
A datacentre you share with other companies, not your own property.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
No, it does not cause any issues.
0
 
pma111Author Commented:
Could you try and sell me the benefits of enabling lockdown mode if the datacentre isn't open, and the benefits of disabling tech support mode? I.e. if management say that's going to cost $x to configure all our hosts to these settings, why should we invest, what's the risk if we don't, etc.?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Do you trust, or have any security as to, who is allowed into your computer room?

If you do not trust people in the computer room, lock the consoles.

Tech Support Mode should only be used when required. It can be enabled per server very quickly, in 5 seconds.
0
 
pma111Author Commented:
Sorry, one more quick one, but how does the actual lockdown mode protect you if someone got unauthorised access to a console (and by console, are we talking about a console to the ESXi host, or a console to vCenter)? I.e. what does the lockdown actually do/prevent?

I.e. naughty user breaks into the data centre, gets to the console; with lockdown mode he is stopped from doing a, b, or c. Without lockdown mode he can do a, b, or c.
0
 
bandrisCommented:
With lockdown mode enabled, a user with server console access can't do anything harmful, even if the ESXi root password is known. An ESXi host in lockdown mode can only be managed through vCenter.
0
 
pma111Author Commented:
Does it cause any issues for administration, i.e. if it's turned on, will it stop the admin doing anything?
0
 
pma111Author Commented:
So the risk is if someone directly targets the host, rather than trying to break into vCenter and modify the host from within vCenter; they go directly to the host for the attack? My concern was, if this is configured in vCenter and they hack into vCenter, surely they'd just turn it off?
0
 
bandrisCommented:
Lockdown mode can be disabled from within vCenter (or by having physical access to the server and console and the skills to crack ESXi).
Lockdown mode will not prevent any configuration changes or tasks that are driven from vCenter.
If somebody can hack into vCenter, then it is already crap; he can do anything after that, even disable lockdown mode.
0
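The two settings debated in this thread (lockdown mode, and Tech Support Mode with its SSH counterpart) can be audited across every host from vCenter, which is also where the thread says they are managed. The PowerCLI script below is an added example, not code from any participant; it assumes an existing PowerCLI install and uses a placeholder vCenter name.

```powershell
# Added example: audit lockdown mode and Tech Support Mode (ESXi Shell / SSH)
# on every host from vCenter. Requires VMware PowerCLI; the vCenter name is a
# placeholder, replace it with your own.
Connect-VIServer -Server 'vcenter.example.internal' | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    $cfg = $vmhost.ExtensionData.Config

    # Lockdown mode: vSphere 6.0+ reports Config.LockdownMode
    # (lockdownDisabled / lockdownNormal / lockdownStrict); older hosts expose
    # only the boolean Config.AdminDisabled, which is $true when lockdown is on.
    if ($cfg.LockdownMode) {
        $lockdownOn = ($cfg.LockdownMode -ne 'lockdownDisabled')
    } else {
        $lockdownOn = [bool]$cfg.AdminDisabled
    }

    # Tech Support Mode is the ESXi Shell service (key TSM); TSM-SSH exposes
    # that shell over the network. Treat the host as compliant only when both
    # are stopped and their startup policy is 'off' (start manually when needed).
    $tsm = Get-VMHostService -VMHost $vmhost |
        Where-Object { $_.Key -eq 'TSM' -or $_.Key -eq 'TSM-SSH' }
    $shellExposed = @($tsm | Where-Object { $_.Running -or $_.Policy -ne 'off' }).Count -gt 0

    # Ordering follows the advice in the thread: the shell should be off at all
    # times, lockdown depends on who can reach the console; both open is worst.
    if ($shellExposed -and -not $lockdownOn) {
        $finding = 'Review first: shell enabled and console not locked down'
    } elseif ($shellExposed) {
        $finding = 'Review: Tech Support Mode / SSH enabled'
    } elseif (-not $lockdownOn) {
        $finding = 'Review: lockdown mode disabled'
    } else {
        $finding = 'Compliant'
    }

    # Remediation for this host, only after change control (uncomment to apply):
    # $tsm | Stop-VMHostService -Confirm:$false | Set-VMHostService -Policy Off | Out-Null
    # if (-not $lockdownOn) { $vmhost.ExtensionData.EnterLockdownMode() }

    [pscustomobject]@{
        Host         = $vmhost.Name
        LockdownOn   = $lockdownOn
        ShellExposed = $shellExposed
        Finding      = $finding
    }
}

$report | Sort-Object Finding | Format-Table -AutoSize
```

The resulting table gives management the prioritised list the question asks for, with the per-host evidence behind each finding.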