Hi all, I just finished this script using the new April 2011 Hardening guide. I searched around for a script that would make some of the common changes that are needed. I couldn't find one so I wrote this. I know it's kinda messy but it gets the job done (I'm new to PowerCLI). Any tips on making it better would be great - hope this helps someone else.
Connect-VIServer -Server vCentername -Protocol HTTPS -User username -Password accountpassword
$vmcsv = import-csv "c:\drop\hard.csv"
$vmx01 = "isolation.tools.diskShrink.disable"
$value2 = "True"
$vmx01part2 = "isolation.tools.diskWiper.disable"
$value3 = "True"
$vmx02 = "RemoteDisplay.maxConnections"
$value4 = "1"
$vmx11 = "isolation.device.connectable.disable"
$value5 = "true"
$vmx11part2 = "isolation.device.edit.disable"
$value6 = "true"
$vmx12 = "vmci0.unrestricted"
$value7 = "false"
$vmx20 = "log.rotateSize"
$value8 = "1000000"
$vmx20part2 = "log.keepOld"
$value9 = "10"
$vmx21 = "tools.setInfo.sizeLimit"
$value10 = "1048576"
$vmx23 = "isolation.tools.hgfsServerSet.disable"
$value11 = "TRUE"
$vmx30 = "guest.command.enabled"
$value12 = "FALSE"
$vmx31 = "tools.guestlib.enableHostInfo"
$value13 = "FALSE"
foreach ($vmguest in $vmcsv){
# Fetch the VM view first so the diskShrink and diskWiper settings are applied too
$vm = Get-VM $vmguest.vm | Get-View
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx01
$vmConfigSpec.extraconfig[0].Value=$value2
$vm.ReconfigVM($vmConfigSpec)
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx01part2
$vmConfigSpec.extraconfig[0].Value=$value3
$vm.ReconfigVM($vmConfigSpec)
$vm = Get-VM $vmguest.vm | Get-View
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx02
$vmConfigSpec.extraconfig[0].Value=$value4
$vm.ReconfigVM($vmConfigSpec)
$vm = Get-VM $vmguest.vm | Get-View
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx11
$vmConfigSpec.extraconfig[0].Value=$value5
$vm.ReconfigVM($vmConfigSpec)
$vm = Get-VM $vmguest.vm | Get-View
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx11part2
$vmConfigSpec.extraconfig[0].Value=$value6
$vm.ReconfigVM($vmConfigSpec)
$vm = Get-VM $vmguest.vm | Get-View
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx12
$vmConfigSpec.extraconfig[0].Value=$value7
$vm.ReconfigVM($vmConfigSpec)
$vm = Get-VM $vmguest.vm | Get-View
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx20
$vmConfigSpec.extraconfig[0].Value=$value8
$vm.ReconfigVM($vmConfigSpec)
$vm = Get-VM $vmguest.vm | Get-View
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx20part2
$vmConfigSpec.extraconfig[0].Value=$value9
$vm.ReconfigVM($vmConfigSpec)
$vm = Get-VM $vmguest.vm | Get-View
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx21
$vmConfigSpec.extraconfig[0].Value=$value10
$vm.ReconfigVM($vmConfigSpec)
$vm = Get-VM $vmguest.vm | Get-View
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx23
$vmConfigSpec.extraconfig[0].Value=$value11
$vm.ReconfigVM($vmConfigSpec)
$vm = Get-VM $vmguest.vm | Get-View
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx30
$vmConfigSpec.extraconfig[0].Value=$value12
$vm.ReconfigVM($vmConfigSpec)
$vm = Get-VM $vmguest.vm | Get-View
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=$vmx31
$vmConfigSpec.extraconfig[0].Value=$value13
$vm.ReconfigVM($vmConfigSpec)
}
Nice script, thanks for sharing.
There is a script for the older version of the Hardening Guide in my Security – Hardening – Part 1 – Virtual Machines post.
And there are snippets for the latest Security Guide in our book. The scripts can be found here.
A quick tip, you can do all this in 1 call to the ReconfigVM method per VM.
And you can construct the $vmConfigSpec object, which is the same for all the guests, outside the foreach loop.
It should make the script a bit faster.
Something like this
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
...
$temp = New-Object VMware.Vim.optionvalue
$temp.Key=$vmx02
$temp.Value=$value4
$vmConfigSpec.extraconfig += $temp
$temp = New-Object VMware.Vim.optionvalue
$temp.Key=$vmx11
$temp.Value=$value5
$vmConfigSpec.extraconfig += $temp
...
foreach ($vmguest in $vmcsv){
$vm = Get-VM $vmguest.vm
$vm.Extensiondata.ReconfigVM($vmConfigSpec)
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Great tip! Thanks for the advice and link!
Nice work - thanks for sharing - will drop that in my toolbox!
An even more simplified version would be a csv file with all of the changes you want to make and then pull one of these:
Connect-VIServer -Server vCentername -Protocol HTTPS -User username -Password accountpassword
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
# Each line of the file is: label,key,value
$values = Get-Content "PATH TO FILE\SetHarden.txt"
foreach($val in $values)
{
$temp = new-object vmware.vim.optionvalue
$info = $val.Split(",")
$var = $info[0]
$temp.Key = $info[1]
$temp.Value = $info[2]
$vmConfigSpec.extraconfig += $temp
Write-Host $var
Write-Host $temp.Key
Write-Host $temp.Value
}
foreach($vmguest in Get-VM){
# Apply the combined spec to each VM through its view object
$vmguest.ExtensionData.ReconfigVM($vmConfigSpec)
}
Sample of text file:
vmx01,isolation.tools.diskShrink.disable,False
Just a passing thought, as your original script, which is what I was looking for in the first place, got a bit too long to manage. All in all nice work though. Thanks.
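An added example, not part of any post in this thread and not VMware's own code: a read-only check that compares a VM's advanced settings with the values the original script sets and reports what is missing or different. The helper name Compare-VmxBaseline and the sample data are assumptions made for the illustration; on a live system the input would be $vm.ExtensionData.Config.ExtraConfig.

```powershell
# Added example: keys and values are the ones set by the original script in this thread.
$baseline = [ordered]@{
    'isolation.tools.diskShrink.disable'    = 'true'
    'isolation.tools.diskWiper.disable'     = 'true'
    'RemoteDisplay.maxConnections'          = '1'
    'isolation.device.connectable.disable'  = 'true'
    'isolation.device.edit.disable'         = 'true'
    'vmci0.unrestricted'                    = 'false'
    'log.rotateSize'                        = '1000000'
    'log.keepOld'                           = '10'
    'tools.setInfo.sizeLimit'               = '1048576'
    'isolation.tools.hgfsServerSet.disable' = 'true'
    'guest.command.enabled'                 = 'false'
    'tools.guestlib.enableHostInfo'         = 'false'
}

function Compare-VmxBaseline {    # hypothetical helper name
    param([string]$VMName, [object[]]$ExtraConfig, [System.Collections.IDictionary]$Baseline)
    $current = @{}    # PowerShell hashtable keys are case-insensitive
    foreach ($opt in $ExtraConfig) { $current[$opt.Key] = [string]$opt.Value }
    foreach ($key in $Baseline.Keys) {
        if (-not $current.ContainsKey($key)) { $status = 'Missing' }
        elseif ($current[$key] -ieq $Baseline[$key]) { $status = 'OK' }
        else { $status = 'Mismatch' }
        # One result object per baseline key, so output can be filtered or exported
        [pscustomobject]@{
            VM = $VMName; Key = $key; Expected = $Baseline[$key]
            Actual = $current[$key]; Status = $status
        }
    }
}

# Constructed sample standing in for one VM's ExtraConfig (not real data)
$sample = @(
    [pscustomobject]@{ Key = 'isolation.tools.diskShrink.disable'; Value = 'TRUE' }
    [pscustomobject]@{ Key = 'RemoteDisplay.maxConnections'; Value = '40' }
)
Compare-VmxBaseline -VMName 'demo-vm' -ExtraConfig $sample -Baseline $baseline |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize

# Against a live vCenter, after Connect-VIServer:
# Get-VM | ForEach-Object { Compare-VmxBaseline $_.Name $_.ExtensionData.Config.ExtraConfig $baseline }
```

A key reported as Missing, such as one written with a misspelled name, means the intended setting was never stored on that VM.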