VMware Cloud Community
DigitalOxide
Contributor

Set advanced setting as default for new VMs?

We are going through and attempting to harden our environment as much as possible. As a result, we are wanting to enable many advanced settings that are best practice, whether it's more secure or just not necessary for vSphere environments (isolation.tools.paste.disable, isolation.bios.bbs.disable, isolation.tools.unity.disable, etc.).

Is there a way to set it so any new VMs are set to automatically have these advanced settings set the way we want? Or do we just need to have a script perform the set for the VM as they are created?

I've looked around and found plenty of scripts to set the advanced settings across the environment (Get-VM | New-AdvancedSetting...), but any new VMs still need to have the settings applied after being built.


Accepted Solution
lamw
Community Manager

VM Templates are ideally how you'd maintain the set of configurations to ensure they're deployed consistently; this does require process change to ensure your organization is following IT guidelines for workload deployment ... tools like Aria Automation can help further to provide governance in case users are allowed to use vCenter Server directly or provision through the API.

You could also look at an event-driven approach, where you trigger off of a VM creation/clone (which would catch both UI/API scenarios) and automatically harden based on a specific set of configurations. Alan Renouf and I demonstrated this almost a decade ago https://blogs.vmware.com/vsphere/2012/07/automatically-securing-virtual-machines-using-a-vcenter-ala... and today, you can leverage modern solutions like the VMware Event Broker Appliance (VEBA) https://vmweventbroker.io/ to easily subscribe to these events (rather than an Alarm) and then run any code you wish, including PowerCLI.

If process and automation cannot be put in place (outside of manual intervention), a last resort which I don't typically recommend, as it can easily be forgotten about and applies globally across ALL VMs on an ESXi host, is to set the desired settings on the ESXi host under /etc/vmware/config, which would apply those settings to all VMs. This isn't ideal for several reasons, but the biggest one is the inflexibility, as this applies to all VMs running on a given ESXi host. I would use this type of configuration sparingly, as you can easily forget that these settings are applied: you don't see it from the VM view, it's only enforced by ESXi, which makes it difficult to audit, as you'll typically go to the VM to check for these settings but they're applied indirectly through this method.
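As an added illustration of the PowerCLI side of the event-driven approach above (this is not code from the thread or from VEBA), the function below audits and, where needed, creates or corrects the advanced settings named in the question on a VM, so the same code can run from a VEBA handler on a create/clone event or from a scheduled sweep. It assumes an existing Connect-VIServer session; the hashtable of settings and the function name are my own.

```powershell
# Added example: idempotent hardening of VM advanced settings with PowerCLI.
# Assumes Connect-VIServer has already been run. The three keys below are the
# ones named in the question; extend the table with further hardening keys.
$HardeningSettings = @{
    'isolation.tools.paste.disable' = 'TRUE'
    'isolation.bios.bbs.disable'    = 'TRUE'
    'isolation.tools.unity.disable' = 'TRUE'
}

function Set-VMHardeningSettings {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $VM,   # VM object from Get-VM
        [hashtable]$Settings = $HardeningSettings
    )
    process {
        foreach ($name in $Settings.Keys) {
            $wanted  = $Settings[$name]
            # Only the VM's own VMX values are visible here; anything enforced
            # host-wide through /etc/vmware/config will not show up in this audit.
            $current = Get-AdvancedSetting -Entity $VM -Name $name -ErrorAction SilentlyContinue
            if (-not $current) {
                # Key absent from the VMX: create it
                if ($PSCmdlet.ShouldProcess($VM.Name, "create $name=$wanted")) {
                    New-AdvancedSetting -Entity $VM -Name $name -Value $wanted -Confirm:$false | Out-Null
                }
                $state = 'created'
            } elseif ($current.Value -ne $wanted) {
                # Key present but drifted from the desired value: correct it
                if ($PSCmdlet.ShouldProcess($VM.Name, "set $name=$wanted (was $($current.Value))")) {
                    Set-AdvancedSetting -AdvancedSetting $current -Value $wanted -Confirm:$false | Out-Null
                }
                $state = 'corrected'
            } else {
                $state = 'compliant'
            }
            # One record per VM/setting pair, usable as an audit trail
            [pscustomobject]@{ VM = $VM.Name; Setting = $name; Desired = $wanted; State = $state }
        }
    }
}

# Audit only, no changes made:  Get-VM | Set-VMHardeningSettings -WhatIf
# Remediate and show drift:     Get-VM | Set-VMHardeningSettings | Where-Object State -ne 'compliant'
```

Run it with -WhatIf first to see which VMs would be touched; the emitted records can be exported for the audit lamw mentions is hard to do when settings live on the host instead.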


4 Replies

DCasota
Expert

@lamw, isn't it already easier for new virtual machines to benefit from Skyline recommendations? They are based on VMware's ever-growing library of knowledge that includes Knowledge Base articles, Best Practices and Security/Hardening Guidance. Reflecting the sweet spot of achievements during a decade, the health diagnostic finding platform empowers support engineers to cope with this multi-year wave of onboardings and IT security.

lamw
Community Manager

This does not actually help with what is being asked.

DCasota
Expert

Of course, "Set advanced setting as default for new VMs" can be a technical goal only.
It was yet another perspective on "we are wanting to enable many advanced settings that are best practice, whether it's more secure or just not necessary for vSphere environments". Fighting against skills shortage, Skyline is a good jumpstart, facing all the paperwork https://core.vmware.com/security-configuration-guide, kb57122 ++.
