VMware Cloud Community
alfiek
Contributor

vSphere Hardening powerCLI script

Hi all, I just finished this script using the new April 2011 Hardening guide. I searched around for a script that would make some of the common changes that are needed. I couldn't find one, so I wrote this. I know it's kinda messy but it gets the job done (I'm new to PowerCLI). Any tips on making it better would be great - hope this helps someone else.

Connect-VIServer -Server vCentername -Protocol HTTPS -User username -Password accountpassword
$vmcsv = Import-Csv "c:\drop\hard.csv"
$vmx01 = "isolation.tools.diskShrink.disable"
$value2 = "True"
$vmx01part2 = "isolation.tools.diskWiper.disable"
$value3 = "True"
$vmx02 = "RemoteDisplay.maxConnections"
$value4 = "1"
$vmx11 = "isolation.device.connectable.disable"
$value5 = "true"
$vmx11part2 = "isolation.device.edit.disable"
$value6 = "true"
$vmx12 = "vmci0.unrestricted"
$value7 = "false"
$vmx20 = "log.rotateSize"
$value8 = "1000000"
$vmx20part2 = "log.keepOld"
$value9 = "10"
$vmx21 = "tools.setInfo.sizeLimit"
$value10 = "1048576"
$vmx23 = "isolation.tools.hgfsServerSet.disable"
$value11 = "TRUE"
$vmx30 = "guest.command.enabled"
$value12 = "FALSE"
$vmx31 = "tools.guestlib.enableHostInfo"
$value13 = "FALSE"


foreach ($vmguest in $vmcsv){
     # A spec only takes effect once it is passed to ReconfigVM on the VM's view
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx01
     $vmConfigSpec.extraconfig[0].Value=$value2
     $vm.ReconfigVM($vmConfigSpec)
    
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx01part2
     $vmConfigSpec.extraconfig[0].Value=$value3
     $vm.ReconfigVM($vmConfigSpec)
    
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx02
     $vmConfigSpec.extraconfig[0].Value=$value4
     $vm.ReconfigVM($vmConfigSpec)
    
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx11
     $vmConfigSpec.extraconfig[0].Value=$value5
     $vm.ReconfigVM($vmConfigSpec)
    
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx11part2
     $vmConfigSpec.extraconfig[0].Value=$value6
     $vm.ReconfigVM($vmConfigSpec)
    
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx12
     $vmConfigSpec.extraconfig[0].Value=$value7
     $vm.ReconfigVM($vmConfigSpec)
    
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx20
     $vmConfigSpec.extraconfig[0].Value=$value8
     $vm.ReconfigVM($vmConfigSpec)
    
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx20part2
     $vmConfigSpec.extraconfig[0].Value=$value9
     $vm.ReconfigVM($vmConfigSpec)
    
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx21
     $vmConfigSpec.extraconfig[0].Value=$value10
     $vm.ReconfigVM($vmConfigSpec)
    
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx23
     $vmConfigSpec.extraconfig[0].Value=$value11
     $vm.ReconfigVM($vmConfigSpec)
    
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx30
     $vmConfigSpec.extraconfig[0].Value=$value12
     $vm.ReconfigVM($vmConfigSpec)
    
     $vm = Get-VM $vmguest.vm | Get-View
     $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
     $vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
     $vmConfigSpec.extraconfig[0].Key=$vmx31
     $vmConfigSpec.extraconfig[0].Value=$value13
     $vm.ReconfigVM($vmConfigSpec)
}
0 Kudos
4 Replies
LucD
Leadership

Nice script, thanks for sharing.

There is a script for the older version of the Hardening Guide in my Security – Hardening – Part 1 – Virtual Machines post.

And there are snippets for the latest Security Guide in our book. The scripts can be found here.

A quick tip, you can do all this in 1 call to the ReconfigVM method per VM.

And you can construct the $vmConfigSpec object, which is the same for all the guests, outside the foreach loop.

It should make the script a bit faster.

Something like this

$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
...
$temp = New-Object VMware.Vim.optionvalue
$temp.Key=$vmx02
$temp.Value=$value4
$vmConfigSpec.extraconfig += $temp
$temp = New-Object VMware.Vim.optionvalue
$temp.Key=$vmx11
$temp.Value=$value5
$vmConfigSpec.extraconfig += $temp

...

foreach ($vmguest in $vmcsv){
   $vm = Get-VM $vmguest.vm
   $vm.Extensiondata.ReconfigVM($vmConfigSpec)
}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
alfiek
Contributor

Great tip! Thanks for the advice and link!

0 Kudos
bulletprooffool
Champion

Nice work - thanks for sharing - will drop that in my toolbox!

One day I will virtualise myself . . .
0 Kudos
JayScheponik
Contributor

An even more simplified version would be a csv file with all of the changes you want to make and then pull one of these:

Connect-VIServer -Server vCentername -Protocol HTTPS -User username -Password accountpassword
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$values = Get-Content "PATH TO FILE\SetHarden.txt"
foreach($val in $values)
{
    # Each line of the file is: label,key,value
    $temp = New-Object VMware.Vim.OptionValue
    $info = $val.Split(",")
    $var = $info[0]
    $temp.Key = $info[1]
    $temp.Value = $info[2]
    $vmConfigSpec.extraconfig += $temp
    Write-Host $var
    Write-Host $temp.Key
    Write-Host $temp.Value
}
foreach($vmguest in Get-VM){
    # ReconfigVM lives on the VM's view object, reached through ExtensionData
    $vmguest.ExtensionData.ReconfigVM($vmConfigSpec)
}

Sample of text file:

vmx01,isolation.tools.diskShrink.disable,False
vmx01,isolation.tools.diskWiper.disable,False
vmx02,RemoteDisplay.maxConnections,1
vmx11,isolation.device.connectable.disable,false

Just a passing thought, as your original script, which is what I was looking for in the first place, got a bit too long to manage. All in all, nice work though. Thanks.

0 Kudos
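
An added example (not code from any poster in this thread) that combines LucD's single ReconfigVM call per VM with JayScheponik's data-driven list of settings, and first reports which keys differ from the baseline so the change can be reviewed before it is applied. The function names Get-HardeningDrift and Set-HardeningBaseline are hypothetical, the baseline values are those of the original script, and an already-connected vCenter session is assumed.

```powershell
# Added example, not code from the thread. Assumes an existing session, e.g.
# Connect-VIServer -Server <vcenter> -Credential (Get-Credential)
# Baseline = key/value pairs from the original script (HGFS key spelled hgfsServerSet).
$baseline = [ordered]@{
    'isolation.tools.diskShrink.disable'    = 'true'
    'isolation.tools.diskWiper.disable'     = 'true'
    'RemoteDisplay.maxConnections'          = '1'
    'isolation.device.connectable.disable'  = 'true'
    'isolation.device.edit.disable'         = 'true'
    'vmci0.unrestricted'                    = 'false'
    'log.rotateSize'                        = '1000000'
    'log.keepOld'                           = '10'
    'tools.setInfo.sizeLimit'               = '1048576'
    'isolation.tools.hgfsServerSet.disable' = 'true'
    'guest.command.enabled'                 = 'false'
    'tools.guestlib.enableHostInfo'         = 'false'
}

function Get-HardeningDrift {
    # Returns one object per baseline key whose current value is missing or different.
    param([Parameter(Mandatory)] $VM, [Parameter(Mandatory)] $Baseline)
    $current = @{}
    foreach ($opt in $VM.ExtensionData.Config.ExtraConfig) { $current[$opt.Key] = [string]$opt.Value }
    foreach ($key in $Baseline.Keys) {
        # String -ne is case-insensitive, so "TRUE" and "true" count as equal
        if (-not $current.ContainsKey($key) -or $current[$key] -ne $Baseline[$key]) {
            [pscustomobject]@{ VM = $VM.Name; Key = $key; Current = $current[$key]; Wanted = $Baseline[$key] }
        }
    }
}

function Set-HardeningBaseline {
    # Sends only the drifted keys, in a single ReconfigVM call for the VM.
    param([Parameter(Mandatory)] $VM, [Parameter(Mandatory)] $Baseline)
    $drift = @(Get-HardeningDrift -VM $VM -Baseline $Baseline)
    if ($drift.Count -eq 0) { return }
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.ExtraConfig = [VMware.Vim.OptionValue[]]@(foreach ($d in $drift) {
        New-Object VMware.Vim.OptionValue -Property @{ Key = $d.Key; Value = $d.Wanted }
    })
    $VM.ExtensionData.ReconfigVM($spec)
}

# Report first, then apply; hard.csv has a "vm" column as in the original script.
$vms = Import-Csv 'c:\drop\hard.csv' | ForEach-Object { Get-VM -Name $_.vm }
$vms | ForEach-Object { Get-HardeningDrift -VM $_ -Baseline $baseline } | Format-Table -AutoSize
$vms | ForEach-Object { Set-HardeningBaseline -VM $_ -Baseline $baseline }
```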