Automating Hardening of Esxi Hosts

Automating Hardening of Esxi Hosts

Synopsis: Hardening of Esxi Hosts as per hardening guide.


Esxi 5.x

Powercli 5.x

plink (

Most Hardening points are covered which are used in my environment on the below script.

Any suggestions or modifications are encouraging as beginner in writing scripts.

$root = "root" 

$Passwd = "dontaskme"

$newserv = "10.xx.xx.xx"

Write-Host -Object "fetching content to execute using ssh"

$content = 'C:\Program Files\VMware\Infrastructure\vSphere PowerCLI\content.txt'

foreach ($esxiHost in $newserv) {

Connect-VIServer $esxiHost -User  $root -Password $Passwd

Write-Host -Object "starting ssh services on $esxiHost"

$sshstatus= Get-VMHostService  -VMHost $esxiHost| where {$psitem.key -eq "tsm-ssh"}

if ($sshstatus.Running -eq $False) {

Get-VMHostService | where {$psitem.key -eq "tsm-ssh"} | Start-VMHostService }

#Hardening Esxi Host using remote ssh

Write-Host -Object "Hardening $esxiHost"

Write-Output "y" | & 'C:\Program Files\VMware\Infrastructure\vSphere PowerCLI\plink.exe' -ssh root@$esxihost -P 22 -pw $passwd -m  $content

#Configuring SysLog

Write-Host -Object "Configuring SysLog on $esxiHost"

Get-AdvancedSetting -Entity $esxiHost -Name |Set-AdvancedSetting -Value 1024 -Confirm:$False

Get-AdvancedSetting -Entity $esxiHost -Name | Set-AdvancedSetting -Value '[] /folder/log'

Get-AdvancedSetting -Entity $esxiHost -Name | Set-AdvancedSetting -Value 'udp://10.xx.xx.xx:514' -Confirm:$False

Get-VMHostFirewallException -VMHost $esx -Name "syslog" |Set-VMHostFirewallException -Enabled $true -Confirm:$false

#Configuring NTP Server

Write-Host -Object "Configuring NTP on $esxiHost"

Add-VMHostNtpServer -VMHost -NtpServer

Get-VMHostFirewallException -VMHost $esxiHost | where {$_.Name -eq "NTP client"} | Set-VMHostFirewallException -Enabled:$true

#Start NTP client service and set to automatic

Get-VmHostService -VMHost $esxiHost | Where-Object {$_.key -eq "ntpd"} | Start-VMHostService | Set-VMHostService -policy "automatic"

#Configuring Security Policy on Vswitch

Write-Host "Configuring Security Policy on $esxiHost"

Get-VirtualSwitch -Standard -VMHost $esxiHost | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false -ForgedTransmits $false -AllowPromiscuous $false

#Configuring EsxiShellTimeOut

Write-Host "Configuring EsxiShellTimeOut on $esxiHost"

Get-AdvancedSetting -Entity $esxiHost -Name UserVars.ESXiShellTimeOut |Set-AdvancedSetting -Value 600 -Confirm:$False



Hi vineeth‌,

good Script!

It seems, that we had the same intention:

Script - ESXi Hardening mit PowerCLI - my cloud-(r)evolution

Kind Regards,


That's Nice to HereSmiley Happy

Thank you very much for this script.

I have created almost same script to do ESXi hardening with min Knowledge in powershell.

Can you please let please me to get the output in html output. Like

Hardening control Name      Value

SSH                                   Disabled

Version history
Revision #:
1 of 1
Last update:
‎10-07-2015 08:05 AM
Updated by: