Basic VM Hardening via PowerCLI

The hardening options used here are not an official best practice, but for me this selection is a good balance: it protects the underlying environment without losing functionality.

More options:

VMware Security Hardening Guides

# Create Options

$ExtraOptions = @{
    "isolation.tools.diskShrink.disable"   = "true";
    "isolation.tools.diskWiper.disable"    = "true";
    "isolation.tools.copy.disable"         = "true";
    "isolation.tools.paste.disable"        = "true";
    "isolation.tools.dnd.disable"          = "true";
    "isolation.tools.setGUIOptions.enable" = "false";
    "log.keepOld"                          = "10";
    "log.rotateSize"                       = "100000";
    "RemoteDisplay.maxConnections"         = "2";
    "RemoteDisplay.vnc.enabled"            = "false";
}

# Build one VirtualMachineConfigSpec carrying all keys as extraConfig entries
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec

Foreach ($Option in $ExtraOptions.GetEnumerator()) {
    $OptionValue       = New-Object VMware.Vim.OptionValue
    $OptionValue.Key   = $Option.Key
    $OptionValue.Value = $Option.Value
    $vmConfigSpec.ExtraConfig += $OptionValue
}

## Apply (Modify Filter)

ForEach ($vm in (Get-Folder -Name "TEST" | Get-VM)) {
    $vmv   = $vm | Get-View
    $state = $vmv.Summary.Runtime.PowerState

    # Write the extraConfig keys into the VM's configuration
    $vmv.ReconfigVM_Task($vmConfigSpec)

    if ($state -eq "poweredOn") {
        # Migrate a running VM onto its current host so the new settings are picked up.
        # $_ is not defined inside a ForEach statement, so the VM's own view ($vmv) supplies the host.
        $vmv.MigrateVM_Task($null, $vmv.Runtime.Host, 'highPriority', $null)
    }
}
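Before applying the reconfiguration, and again afterwards, it is worth knowing which VMs in the folder already carry these keys and which do not. The following audit script is an added example and not part of the original post: it reads each VM's stored extraConfig through the same Get-View interface used above and reports every key that is missing or differs from the expected value, without changing anything. It assumes an active PowerCLI session (Connect-VIServer) and the folder name "TEST" from the post; the function name Test-VMHardening and the $ExpectedOptions table are illustrative.

```powershell
# Added example (not from the original post): audit VMs in a folder against the
# hardening keys and report drift. Read-only; assumes Connect-VIServer was run.

$ExpectedOptions = @{
    "isolation.tools.diskShrink.disable"   = "true"
    "isolation.tools.diskWiper.disable"    = "true"
    "isolation.tools.copy.disable"         = "true"
    "isolation.tools.paste.disable"        = "true"
    "isolation.tools.dnd.disable"          = "true"
    "isolation.tools.setGUIOptions.enable" = "false"
    "log.keepOld"                          = "10"
    "log.rotateSize"                       = "100000"
    "RemoteDisplay.maxConnections"         = "2"
    "RemoteDisplay.vnc.enabled"            = "false"
}

function Test-VMHardening {
    # Hypothetical helper name; returns one row per VM and expected key.
    param(
        [Parameter(Mandatory)][string]$FolderName,
        [Parameter(Mandatory)][hashtable]$Expected
    )

    foreach ($vm in (Get-Folder -Name $FolderName | Get-VM)) {
        # Fetch only the properties needed, to keep the call cheap on large folders
        $view = $vm | Get-View -Property Name, Config.ExtraConfig, Runtime.PowerState

        # Lookup of the keys actually persisted in the VM's configuration (.vmx)
        $actual = @{}
        foreach ($ov in $view.Config.ExtraConfig) {
            $actual[$ov.Key] = [string]$ov.Value
        }

        foreach ($key in $Expected.Keys) {
            $have = if ($actual.ContainsKey($key)) { $actual[$key] } else { $null }
            [pscustomobject]@{
                VM         = $view.Name
                PowerState = $view.Runtime.PowerState
                Key        = $key
                Expected   = $Expected[$key]
                Actual     = $have
                # -eq on strings is case-insensitive in PowerShell, so "TRUE" also matches "true"
                Compliant  = ($null -ne $have -and $have -eq $Expected[$key])
            }
        }
    }
}

# Show only the non-compliant rows; pipe to Export-Csv instead to keep a record.
Test-VMHardening -FolderName "TEST" -Expected $ExpectedOptions |
    Where-Object { -not $_.Compliant } |
    Format-Table VM, PowerState, Key, Expected, Actual -AutoSize
```

The script compares the configuration stored on the VM object, which is what ReconfigVM_Task writes; it does not tell you whether a running VM has already picked a value up, so the question raised in the comments about whether a migrate is needed is not answered by this check alone. A key that is absent shows as an empty Actual column, which is the normal state for a VM that has never been hardened.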

Comments

Thanks for the code.

But is a migrate VM task required for powered-on VMs after hardening? I believe on and after PowerCLI 5.5 and ESXi 5.5 versions, these hardening settings apply on the fly. For example, if I limit the remote console connections to 1 and try to take two consoles, it immediately prohibits the second connection without reboot or migration of the VM. Even VMware support says no reboot / migration is required anymore.

Hi,

Thanks for your reply.


I am not sure if the options in my example really need a migrate. I wanted to make sure all options work (also some others), so I added the migrate.

But you are right, the console session limit works on the fly.


To verify which options work without a migrate, a support case or additional tests are necessary…

Hello,

An updated version is now also available on my blog:

VM Hardening - With vRealize Orchestrator or PowerCLI - my cloud-(r)evolution

Version history

Last update: 11-05-2015 11:25 AM