VMware Cloud Community
LeeMan310
Contributor

Hardening Guide for ESXi 6.0

Hello All,

New poster here.

I'm using PowerCLI and the vSphere_6_0_Hardening_Guide_GA_15_Jun_2015 to harden some hosts. There is a cmdlet that I've come across a couple of times, Get-VMHostAdvancedConfiguration, that seems to be on the outs. When I run my script, it says I should use Get-AdvancedSetting instead. Does this mean that in future versions Get-VMHostAdvancedConfiguration won't work?

Also, some parameters are mentioned, but there isn't any code to check/change them. Does this mean I need to find a different way? For example, Security.AccountUnlockTime and Security.AccountLockFailures. I can find those using esxcli in a shell script on the host, but I would rather use PowerCLI from another machine.

Since I'm here, some of the checks are for parameters that have no value. Is there a way to check for that and write something out to a file instead of having the value just be blank?

Thanks for any help/pointers/links you can provide. I'm new to hardening and am stumbling a bit on this.

Lee

likeahoss
Enthusiast

As the yellow warning text indicates, use Get-AdvancedSetting instead. As you may have guessed, it is capable of being executed against more than 'vmhost'. When you use the -Entity parameter you can specify VIServer, VirtualMachine, VMHost, DatastoreCluster, and Cluster objects.

# Get the Security.AccountUnlockTime option from a specific host:

Get-AdvancedSetting -Entity "name of host" -Name Security.AccountUnlockTime | ft -a

# For instance, to check the Security.AccountLockFailures option on all your hosts:

Get-AdvancedSetting -Entity (Get-VMHost) -Name Security.AccountLockFailures | ft -a

# Or if you wanted to find all the options that start with the word Security:

Get-AdvancedSetting -Entity (Get-VMHost) -Name Security.* | Sort Entity | ft -a

# Check all hosts for options that have no value and export to CSV.
# IsNullOrEmpty matches $null and empty strings only; comparing with -eq "" would also match a numeric 0.

Get-AdvancedSetting -Entity (Get-VMHost) | ?{ [string]::IsNullOrEmpty($_.Value) } | Select Entity, Name, Value | sort Entity | Export-Csv -Path c:\AllOptionsWithoutValues.csv -NoTypeInformation
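
An added example, not part of the reply above or of the hardening guide: one way to turn these Get-AdvancedSetting queries into an audit that compares each value to a baseline and writes a visible marker for blank values. Test-HardeningSetting, the baseline numbers, the host names and the output file name are all assumptions made for illustration; take the expected values from your own copy of the guide.

```powershell
# Baseline to audit against. ASSUMPTION: placeholder values, not quoted from
# the thread; replace them with the values your hardening guide specifies.
$Baseline = @{
    'Security.AccountLockFailures' = 3
    'Security.AccountUnlockTime'   = 900
}

function Test-HardeningSetting {
    # Hypothetical helper: compares objects carrying Entity/Name/Value
    # (the shape Get-AdvancedSetting returns) against a baseline hashtable.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Setting,
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    process {
        if (-not $Expected.ContainsKey($Setting.Name)) { return }  # not in scope
        $want = $Expected[$Setting.Name]
        # $null and '' count as "no value"; a numeric 0 is a real value.
        if ([string]::IsNullOrEmpty($Setting.Value)) {
            $shown = '<not set>'; $status = 'NotSet'
        } else {
            $shown  = "$($Setting.Value)"
            $status = if ($shown -eq "$want") { 'Compliant' } else { 'NonCompliant' }
        }
        [pscustomobject]@{
            Entity = "$($Setting.Entity)"; Name = $Setting.Name
            Value  = $shown; Expected = $want; Status = $status
        }
    }
}

# Constructed sample input standing in for live Get-AdvancedSetting output.
$sample = @(
    [pscustomobject]@{ Entity = 'esx01.example.test'; Name = 'Security.AccountLockFailures'; Value = 3 }
    [pscustomobject]@{ Entity = 'esx01.example.test'; Name = 'Security.AccountUnlockTime';   Value = 120 }
    [pscustomobject]@{ Entity = 'esx02.example.test'; Name = 'Security.AccountLockFailures'; Value = 0 }
    [pscustomobject]@{ Entity = 'esx02.example.test'; Name = 'Security.AccountUnlockTime';   Value = $null }
)
$sample | Test-HardeningSetting -Expected $Baseline | Format-Table -AutoSize

# Against live hosts (needs PowerCLI and an active Connect-VIServer session):
# Get-AdvancedSetting -Entity (Get-VMHost) -Name Security.* |
#     Test-HardeningSetting -Expected $Baseline |
#     Export-Csv -Path .\HardeningAudit.csv -NoTypeInformation
```

With the sample data, the first row is Compliant, the second and third are NonCompliant, and the fourth is reported as NotSet with the value shown as `<not set>`.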

LeeMan310
Contributor

Thanks likeahoss,

All good info, glad for the pointers.
