SCharchouf
Hot Shot
Hot Shot

Hardening ESXi Script

Jump to solution

With LucD help I created this script in order to secure ESXi based on VMware recommandation

I will need assistance and collaboration in order to:

  1. Get existant value for hosts
  2. Add advanced settings for Hosts
  3. if the required value is set, script must have the ability to compare existant value with the desired and made the required change
  4. get report
  5. Receive an email with information how many
    1. Hardened VMs & Hardned Hosts
    2. Remaining VMs & Host to hardned

Connect-VIServer -Server "vcenter1", "vcenter2"

# vCenter Login

$vCUser="login"

$vCPass="password"

$StartTime = Get-Date

$report = @()

Foreach ($Host in Get-VMHost)

{

    $tab = @{}

    $date=Get-Date -format "ddMMyy_HHmm"

    Get-AdvancedSetting -Entity $Host | ForEach-Object -Process {

        $tab.Add($_.Name,$_.Value)

}

}

$NTPServers = "NTP1", "NTP2" Get-VMHost | Add-VmHostNtpServer $NTPServers

Foreach ($vm in Get-VM)

{

    $tab = @{}

    $date=Get-Date -format "ddMMyy_HHmm"

    Get-AdvancedSetting -Entity $vm | ForEach-Object -Process {

        $tab.Add($_.Name,$_.Value)

    }

   

    New-AdvancedSetting -Entity $vm -Name isolation.device.edit.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

   

    New-AdvancedSetting -Entity $vm -Name isolation.device.connectable.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.copy.disable -Value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

   

    New-AdvancedSetting -Entity $vm -Name isolation.tools.paste.disable -Value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.ghi.autologon.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.bios.bbs.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.ghi.protocolhandler.info.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.unity.taskbar.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.unityActive.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.unity.windowContents.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.unity.push.update.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.vmxDnDVersionGet.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.guestDnDVersionSet.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.ghi.host.shellAction.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.dispTopoRequest.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.trashFolderState.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.ghi.trayicon.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.unity.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.unityInterlockOperation.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.getCreds.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.hgfsServerSet.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.ghi.launchmenu.change -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.memSchedFakeSampleStats.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.copy.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.dnd.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.setGUIOptions.enable -value FALSE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.paste.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name RemoteDisplay.vnc.enabled -value FALSE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name svga.vgaOnly -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name mks.enable3d -value FALSE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.diskShrink.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.diskWiper.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name isolation.tools.vixMessage.disable -value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name log.keepOld -value 10 -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name tools.guestlib.enableHostInfo -value FALSE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    New-AdvancedSetting -Entity $vm -Name log.rotateSize -value 102400 -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

   

    New-AdvancedSetting -Entity $vm -Name Remove-FloppyDrive -Value TRUE -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

   

    New-AdvancedSetting -Entity $vm -Name tools.setInfo.sizeLimit -value 1048576 -Confirm:$False -Force:$True | select @{N='VM';E={$_.Entity.Name}},Name,Value

    # repeat for other settings

 

    $report += Get-AdvancedSetting -Entity $vm |

    Select @{N='VM';E={$vm.Name}},Name,@{N='OldValue';E={$tab[$_.Name]}},@{N='NewValue';E={$_.Value}}

}

$report | Export-Csv -Path "Settings_$($date).csv" -NoTypeInformation -UseCulture

$EndTime = Get-Date

$duration = [math]::Round((New-TimeSpan -Start $StartTime -End $EndTime).TotalMinutes,2)

Write-Host "================================"

Write-Host "Hardening VMs By vCenter Completed!" -Foregroundcolor "Green"

Write-Host "Hardening Hosts By vCenter Completed!" -Foregroundcolor "Cyan"

Write-Host "StartTime: $StartTime"

Write-Host "EndTime: $EndTime"

Write-Host "Duration: $duration minutes"

Write-Host "================================"

1 Solution

Accepted Solutions
LucD
Leadership
Leadership

You could do, similar to the VM script, something like this.

This only shows 1 Advanced setting, the others will have to follow the same structure.

Not sure how you are going to document changes beyond Advanced settings (for example the NTP servers).

Btw, this has been an issue in all attempts to write a script that handles all security hardening guidelines

$report = @()

$date = Get-Date -format "ddMMyy_HHmm"


Get-VMHost -PipelineVariable esx | ForEach-Object -Process {

    $tab = @{}


    Get-AdvancedSetting -Entity $esx | ForEach-Object -Process {

        $tab.Add($_.Name,$_.Value)

    }


    $changed = 0


    Get-AdvancedSetting -Entity $esx -Name UserVars.DcuiTimeOut |

    where{$_.Value -ne 600} | ForEach-Object -Process {

        Set-AdvancedSetting -AdvancedSetting $_ -Value 600 -Confirm:$False | Out-Null

        $changed++

    }


    # Other settings with similar structure


    Write-Host "On $($esx.Name) there were $changed changes."


    $report += Get-AdvancedSetting -Entity $esx |

    Select @{N='VMHost';E={$esx.Name}},Name,@{N='OldValue';E={$tab[$_.Name]}},@{N='NewValue';E={$_.Value}}


}


$report | Export-Csv -Path "Settings_$($date).csv" -NoTypeInformation -UseCulture


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

3 Replies
LucD
Leadership
Leadership

1. With 'hosts' do you mean VMs or ESXi nodes?
2. How will you provide the 'desired settings'?
3. I suspect you mean 'not set'?

4. What should be in that report?

5.2 Why would there be VMs remaining to be hardened?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
SCharchouf
Hot Shot
Hot Shot

1. With 'hosts' do you mean VMs or ESXi nodes? ESXi NODES
2. How will you provide the 'desired settings'? like the parametre that I added to VMs in the script

Like this:

Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $ESXCli.software.acceptance.Set("PartnerSupported") }

$NTPServers = "pool.ntp.org", "pool2.ntp.org" Get-VMHost | Add-VmHostNtpServer $NTPServers


3. I suspect you mean 'not set'? Yep you are right

4. What should be in that report? Juste one excel file which inclue worksheet | one for VMs - One for Node and they should include the below details in column

vcenter Node VM    ParametreName    OldValue    NewValue

5.2 Why would there be VMs remaining to be hardened? my bad, I mean nombre of VMs hardned and number of nodes hardned

for sure output log is required, espacialy if something happen Smiley Happy

if you have any other suggestion, I am interested. after all I'm trying to do something that could be of use to the community.Smiley Happy

LucD
Leadership
Leadership

You could do, similar to the VM script, something like this.

This only shows 1 Advanced setting, the others will have to follow the same structure.

Not sure how you are going to document changes beyond Advanced settings (for example the NTP servers).

Btw, this has been an issue in all attempts to write a script that handles all security hardening guidelines

$report = @()

$date = Get-Date -format "ddMMyy_HHmm"


Get-VMHost -PipelineVariable esx | ForEach-Object -Process {

    $tab = @{}


    Get-AdvancedSetting -Entity $esx | ForEach-Object -Process {

        $tab.Add($_.Name,$_.Value)

    }


    $changed = 0


    Get-AdvancedSetting -Entity $esx -Name UserVars.DcuiTimeOut |

    where{$_.Value -ne 600} | ForEach-Object -Process {

        Set-AdvancedSetting -AdvancedSetting $_ -Value 600 -Confirm:$False | Out-Null

        $changed++

    }


    # Other settings with similar structure


    Write-Host "On $($esx.Name) there were $changed changes."


    $report += Get-AdvancedSetting -Entity $esx |

    Select @{N='VMHost';E={$esx.Name}},Name,@{N='OldValue';E={$tab[$_.Name]}},@{N='NewValue';E={$_.Value}}


}


$report | Export-Csv -Path "Settings_$($date).csv" -NoTypeInformation -UseCulture


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post