VMware: What is the Difference Between Normal and Strict Lockdown Mode for ESXi hosts
Summary: Lockdown mode is used to increase the security of the ESXi hosts by limiting the access that is allowed to the hosts.
Instructions
Lockdown mode is configured in two ways:
- Normal Lockdown Mode
- Strict Lockdown Mode
Note: By default, lockdown mode is disabled. Lockdown mode is enabled using the vSphere Client when creating an ESXi host or modifying an existing host's security profile.
Normal Lockdown Mode:
In normal lockdown mode, users who are listed in the DCUI Access advanced system setting can log in to the Direct Console User Interface (DCUI). By being on this list, users have emergency access to the DCUI if the connection to vCenter Server is lost. These users do not require administrative privileges on the host. Nonadministrative DCUI.Access users can only disable or enable lockdown.
What happens when normal lockdown mode is enabled on an ESXi host?
- The host is accessed only by vCenter Server, for example, by using the vSphere Client.
- Access to the DCUI is restricted to certain users:
  - Users on the Exception Users list, but only if they have administrator privileges.
  - Users that are defined in the DCUI.Access advanced system setting. By default, the root user is defined in this setting. Nonadministrative users can also be defined in this setting; they are only able to enable or disable lockdown mode.
- If vSphere ESXi Shell and SSH services are enabled, users with administrator privileges who are on the Exception Users list can log in to the host directly using SSH or the local vSphere ESXi Shell.
Strict Lockdown Mode:
For strict or normal lockdown mode to be an effective security measure, ensure that the vSphere ESXi Shell and SSH services are disabled. Note that if vCenter Server is unavailable, the vSphere Client is also unavailable, and because strict lockdown mode also disables the DCUI, hosts that are in strict lockdown mode cannot be managed at all until vCenter Server is restored.
What happens when strict lockdown mode is enabled on an ESXi host?
- The host is accessed only by vCenter Server, for example, by using the vSphere Client.
- The DCUI service is disabled and cannot be started. No users can log in to the DCUI.
- If vSphere ESXi Shell and SSH services are enabled, users with administrator privileges who are on the Exception Users list can log in to the host directly using SSH or the local vSphere ESXi Shell.
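The following PowerCLI script is an added example and is not part of the VMware article. It performs a read-only audit of the settings the article describes: each host's lockdown mode, its DCUI.Access list, its Exception Users list, and whether the ESXi Shell (service key TSM) and SSH (service key TSM-SSH) services are running or set to start automatically. It flags the combination the article warns about, lockdown mode enabled but shell or SSH still reachable by Exception Users. The vCenter name `vcenter.example.invalid` is a placeholder; the cmdlets and the `HostAccessManager.QueryLockdownExceptions()` call are standard PowerCLI and vSphere API members.

```powershell
# Added example (not from the VMware KB article): read-only lockdown mode audit
# for every ESXi host managed by one vCenter Server, using VMware PowerCLI.
# Assumptions: VMware.PowerCLI is installed and you hold vCenter credentials.
# $VCenter is a placeholder; replace it with your vCenter Server name.
param(
    [string]$VCenter = 'vcenter.example.invalid'
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    # HostLockdownMode enum values: lockdownDisabled, lockdownNormal, lockdownStrict
    $mode = [string]$vmhost.ExtensionData.Config.LockdownMode

    # DCUI.Access: comma-separated list of users allowed at the DCUI in normal mode
    $dcuiAccess = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value

    # The Exception Users list is held by the host's HostAccessManager managed object
    $ham        = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $exceptions = @($ham.QueryLockdownExceptions())

    # TSM = ESXi Shell service, TSM-SSH = SSH service
    $services = Get-VMHostService -VMHost $vmhost
    $shell    = $services | Where-Object { $_.Key -eq 'TSM' }
    $ssh      = $services | Where-Object { $_.Key -eq 'TSM-SSH' }

    $findings = @()
    if ($mode -eq 'lockdownDisabled') { $findings += 'Lockdown mode disabled' }
    if ($shell.Running)               { $findings += 'ESXi Shell service running' }
    if ($ssh.Running)                 { $findings += 'SSH service running' }
    # Startup policy is 'on', 'off' or 'automatic'; anything but 'off' means the
    # service can come back after a reboot even if it is stopped right now.
    if ($shell.Policy -ne 'off') { $findings += "ESXi Shell startup policy is '$($shell.Policy)'" }
    if ($ssh.Policy -ne 'off')   { $findings += "SSH startup policy is '$($ssh.Policy)'" }

    # Exception Users with administrator privileges can log in directly over SSH or
    # the ESXi Shell while lockdown is on, which is exactly what lockdown is meant to stop.
    if ($mode -ne 'lockdownDisabled' -and $exceptions.Count -gt 0 -and ($shell.Running -or $ssh.Running)) {
        $findings += "Exception Users ($($exceptions -join ', ')) can bypass lockdown via SSH/ESXi Shell"
    }

    [pscustomobject]@{
        Host           = $vmhost.Name
        LockdownMode   = $mode
        DcuiAccess     = $dcuiAccess
        ExceptionUsers = ($exceptions -join ', ')
        ShellRunning   = [bool]$shell.Running
        SshRunning     = [bool]$ssh.Running
        Findings       = ($findings -join '; ')
    }
}

$report | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it from a PowerShell session that can reach vCenter; an empty Findings column for a host means lockdown mode is on, both shell services are stopped and set to 'off', and no Exception User has a direct path onto the host. The script deliberately changes nothing: remediation (disabling the services, trimming the Exception Users and DCUI.Access lists, switching the mode) is done through the vSphere Client as the article describes, so that each change is a deliberate, reviewed step.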
Additional Information
See related article:
How to enable or disable Lockdown Mode on a VMware vSphere ESXi Host.