With LucD's help I created this script in order to secure ESXi based on VMware's recommendations.
I will need assistance and collaboration in order to:
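# --- vCenter login ----------------------------------------------------------
# Prompt for the account instead of keeping a plaintext login/password pair in
# the script: the previous $vCUser/$vCPass variables were never passed to
# Connect-VIServer (the connection was opened before they were even set), so
# they only left a credential on disk.
$vCCred = Get-Credential -Message "vCenter account used for hardening"
Connect-VIServer -Server "vcenter1", "vcenter2" -Credential $vCCred

$StartTime = Get-Date
# One timestamp for the whole run; the original recomputed $date on every
# loop iteration and the CSV name depended on the last iteration.
$date = Get-Date -Format "ddMMyy_HHmm"
$report = @()

# --- ESXi hosts -------------------------------------------------------------
# The loop variable must not be called $Host: that is a read-only automatic
# variable in PowerShell and the original 'Foreach ($Host in ...)' fails on it.
foreach ($esx in Get-VMHost) {
    # Baseline snapshot (Name -> Value) of the host's advanced settings.
    # Nothing in this script changes host advanced settings yet, so the
    # snapshot is not written to $report; it is kept for future host checks.
    $hostTab = @{}
    Get-AdvancedSetting -Entity $esx | ForEach-Object -Process {
        $hostTab[$_.Name] = $_.Value
    }
}

# NTP: "NTP1"/"NTP2" are placeholders to replace with real time sources.
# (The original had the assignment and the pipeline collapsed on one line.)
$NTPServers = "NTP1", "NTP2"
Get-VMHost | Add-VMHostNtpServer -NtpServer $NTPServers

# --- VM advanced settings (name -> desired value) ---------------------------
# Values are the literal tokens the original passed: TRUE/FALSE unquoted on
# the command line are strings, not booleans, so they stay strings here.
# isolation.tools.copy.disable and isolation.tools.paste.disable appeared
# twice in the original; each is listed once.
$vmSettings = [ordered]@{
    'isolation.device.edit.disable'                   = 'TRUE'
    'isolation.device.connectable.disable'            = 'TRUE'
    'isolation.tools.copy.disable'                    = 'TRUE'
    'isolation.tools.paste.disable'                   = 'TRUE'
    'isolation.tools.ghi.autologon.disable'           = 'TRUE'
    'isolation.bios.bbs.disable'                      = 'TRUE'
    'isolation.tools.ghi.protocolhandler.info.disable' = 'TRUE'
    'isolation.tools.unity.taskbar.disable'           = 'TRUE'
    'isolation.tools.unityActive.disable'             = 'TRUE'
    'isolation.tools.unity.windowContents.disable'    = 'TRUE'
    'isolation.tools.unity.push.update.disable'       = 'TRUE'
    'isolation.tools.vmxDnDVersionGet.disable'        = 'TRUE'
    'isolation.tools.guestDnDVersionSet.disable'      = 'TRUE'
    'isolation.ghi.host.shellAction.disable'          = 'TRUE'
    'isolation.tools.dispTopoRequest.disable'         = 'TRUE'
    'isolation.tools.trashFolderState.disable'        = 'TRUE'
    'isolation.tools.ghi.trayicon.disable'            = 'TRUE'
    'isolation.tools.unity.disable'                   = 'TRUE'
    'isolation.tools.unityInterlockOperation.disable' = 'TRUE'
    'isolation.tools.getCreds.disable'                = 'TRUE'
    'isolation.tools.hgfsServerSet.disable'           = 'TRUE'
    'isolation.tools.ghi.launchmenu.change'           = 'TRUE'
    'isolation.tools.memSchedFakeSampleStats.disable' = 'TRUE'
    'isolation.tools.dnd.disable'                     = 'TRUE'
    'isolation.tools.setGUIOptions.enable'            = 'FALSE'
    'RemoteDisplay.vnc.enabled'                       = 'FALSE'
    'svga.vgaOnly'                                    = 'TRUE'
    'mks.enable3d'                                    = 'FALSE'
    'isolation.tools.diskShrink.disable'              = 'TRUE'
    'isolation.tools.diskWiper.disable'               = 'TRUE'
    'isolation.tools.vixMessage.disable'              = 'TRUE'
    'log.keepOld'                                     = 10
    'tools.guestlib.enableHostInfo'                   = 'FALSE'
    'log.rotateSize'                                  = 102400
    'tools.setInfo.sizeLimit'                         = 1048576
}
# NOTE(review): the original also wrote an advanced setting literally named
# 'Remove-FloppyDrive' = TRUE. That is a PowerCLI cmdlet name, not a VM
# extraConfig key, so every VM got a meaningless entry and no floppy was
# removed. Detaching floppy devices is a separate, deliberate change
# (Get-FloppyDrive | Remove-FloppyDrive) and is intentionally not done here.

foreach ($vm in Get-VM) {
    # Baseline (Name -> Value) before any change, used for the OldValue column.
    # Indexer assignment instead of .Add() so a repeated name cannot throw.
    $tab = @{}
    Get-AdvancedSetting -Entity $vm | ForEach-Object -Process {
        $tab[$_.Name] = $_.Value
    }

    # -Force overwrites an existing value; -Confirm:$False skips the prompt.
    # Each result is echoed as VM/Name/Value, as the original did per line.
    foreach ($name in $vmSettings.Keys) {
        New-AdvancedSetting -Entity $vm -Name $name -Value $vmSettings[$name] -Confirm:$False -Force:$True |
            Select-Object @{N='VM';E={$_.Entity.Name}}, Name, Value
    }

    # Old/New rows for this VM; OldValue is $null for settings that did not exist.
    $report += Get-AdvancedSetting -Entity $vm |
        Select-Object @{N='VM';E={$vm.Name}}, Name,
            @{N='OldValue';E={$tab[$_.Name]}},
            @{N='NewValue';E={$_.Value}}
}

$report | Export-Csv -Path "Settings_$($date).csv" -NoTypeInformation -UseCulture

$EndTime = Get-Date
$duration = [math]::Round((New-TimeSpan -Start $StartTime -End $EndTime).TotalMinutes, 2)
Write-Host "================================"
Write-Host "Hardening VMs By vCenter Completed!" -Foregroundcolor "Green"
Write-Host "Hardening Hosts By vCenter Completed!" -Foregroundcolor "Cyan"
Write-Host "StartTime: $StartTime"
Write-Host "EndTime: $EndTime"
Write-Host "Duration: $duration minutes"
Write-Host "================================"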
You could do, similar to the VM script, something like this.
This only shows 1 Advanced setting, the others will have to follow the same structure.
Not sure how you are going to document changes beyond Advanced settings (for example the NTP servers).
Btw, this has been an issue in all attempts to write a script that handles all security hardening guidelines
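# Host-side counterpart of the VM script: snapshot each ESXi host's advanced
# settings, enforce the desired values, and append Old/New rows to $report.
$date = Get-Date -Format "ddMMyy_HHmm"

# Desired host advanced settings (name -> value). Add further entries here
# instead of copying the check/set block once per setting.
$desired = @{
    'UserVars.DcuiTimeOut' = 600
}

# Start from an empty report: Export-Csv takes its column set from the first
# object it sees, so rows left over from the VM script (which carry a 'VM'
# column instead of 'VMHost') would otherwise corrupt the host CSV.
$report = @()

Get-VMHost -PipelineVariable esx | ForEach-Object -Process {
    # Baseline (Name -> Value) before any change, for the OldValue column.
    $tab = @{}
    Get-AdvancedSetting -Entity $esx | ForEach-Object -Process {
        $tab[$_.Name] = $_.Value
    }

    # Only settings whose current value differs are written, so re-running the
    # script on a compliant host reports 0 changes.
    $changed = 0
    foreach ($name in $desired.Keys) {
        Get-AdvancedSetting -Entity $esx -Name $name |
            Where-Object { $_.Value -ne $desired[$name] } |
            ForEach-Object -Process {
                Set-AdvancedSetting -AdvancedSetting $_ -Value $desired[$name] -Confirm:$False | Out-Null
                $changed++
            }
    }
    Write-Host "On $($esx.Name) there were $changed changes."

    $report += Get-AdvancedSetting -Entity $esx |
        Select-Object @{N='VMHost';E={$esx.Name}}, Name,
            @{N='OldValue';E={$tab[$_.Name]}},
            @{N='NewValue';E={$_.Value}}
}

# NOTE: same file-name pattern as the VM script; running both within the same
# minute overwrites one CSV with the other.
$report | Export-Csv -Path "Settings_$($date).csv" -NoTypeInformation -UseCulture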
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
1. With 'hosts' do you mean VMs or ESXi nodes?
2. How will you provide the 'desired settings'?
3. I suspect you mean 'not set'?
4. What should be in that report?
5.2 Why would there be VMs remaining to be hardened?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
1. With 'hosts' do you mean VMs or ESXi nodes? ESXi NODES
2. How will you provide the 'desired settings'? Like the parameters that I added for VMs in the script.
Like this:
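# Example "desired settings" for ESXi hosts. Each example originally had two
# statements collapsed onto one line, which does not parse (the second command
# became extra positional arguments of the first).
foreach ($VMHost in Get-VMHost) {
    $ESXCli = Get-EsxCli -VMHost $VMHost
    # Acceptance level for VIB installs on this host; packages below
    # PartnerSupported are then refused - confirm against your image policy.
    $ESXCli.software.acceptance.Set("PartnerSupported")
}

$NTPServers = "pool.ntp.org", "pool2.ntp.org"
Get-VMHost | Add-VMHostNtpServer -NtpServer $NTPServers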
3. I suspect you mean 'not set'? Yep you are right
4. What should be in that report? Just one Excel file that includes two worksheets, one for VMs and one for nodes, and they should include the details below as columns:
vCenter Node VM ParameterName OldValue NewValue
5.2 Why would there be VMs remaining to be hardened? My bad, I mean the number of VMs hardened and the number of nodes hardened.
For sure an output log is required, especially if something goes wrong.
If you have any other suggestions, I am interested. After all, I'm trying to do something that could be of use to the community.
You could do, similar to the VM script, something like this.
This only shows 1 Advanced setting, the others will have to follow the same structure.
Not sure how you are going to document changes beyond Advanced settings (for example the NTP servers).
Btw, this has been an issue in all attempts to write a script that handles all security hardening guidelines
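# Host-side counterpart of the VM script: snapshot each ESXi host's advanced
# settings, enforce the desired values, and append Old/New rows to $report.
$date = Get-Date -Format "ddMMyy_HHmm"

# Desired host advanced settings (name -> value). Add further entries here
# instead of copying the check/set block once per setting.
$desired = @{
    'UserVars.DcuiTimeOut' = 600
}

# Start from an empty report: Export-Csv takes its column set from the first
# object it sees, so rows left over from the VM script (which carry a 'VM'
# column instead of 'VMHost') would otherwise corrupt the host CSV.
$report = @()

Get-VMHost -PipelineVariable esx | ForEach-Object -Process {
    # Baseline (Name -> Value) before any change, for the OldValue column.
    $tab = @{}
    Get-AdvancedSetting -Entity $esx | ForEach-Object -Process {
        $tab[$_.Name] = $_.Value
    }

    # Only settings whose current value differs are written, so re-running the
    # script on a compliant host reports 0 changes.
    $changed = 0
    foreach ($name in $desired.Keys) {
        Get-AdvancedSetting -Entity $esx -Name $name |
            Where-Object { $_.Value -ne $desired[$name] } |
            ForEach-Object -Process {
                Set-AdvancedSetting -AdvancedSetting $_ -Value $desired[$name] -Confirm:$False | Out-Null
                $changed++
            }
    }
    Write-Host "On $($esx.Name) there were $changed changes."

    $report += Get-AdvancedSetting -Entity $esx |
        Select-Object @{N='VMHost';E={$esx.Name}}, Name,
            @{N='OldValue';E={$tab[$_.Name]}},
            @{N='NewValue';E={$_.Value}}
}

# NOTE: same file-name pattern as the VM script; running both within the same
# minute overwrites one CSV with the other.
$report | Export-Csv -Path "Settings_$($date).csv" -NoTypeInformation -UseCulture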
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference