Contributor

vSphere hardening - gotchas?

We recently migrated from vSphere 5.5 to 6.5 for our production environments. With the migration to the new environment, our security scanner (Qualys) has been flagging many of our VMs for not having the advanced hardening settings. I'm planning on applying the settings via PowerShell, but we have a diverse environment (Linux, Windows, OVA appliances). Has anyone run into issues with these settings being added to a VM? I'm not concerned with most of our VMs, but the one-offs are giving me pause. The settings involved are as follows:

New-AdvancedSetting -Entity $VM -Name "isolation.tools.setGUIOptions.enable" -value $false -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.diskShrink.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.diskWiper.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.ghi.autologon.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.ghi.launchmenu.change" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.memSchedFakeSampleStats.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.ghi.protocolhandler.info.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.ghi.host.shellAction.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.ghi.trayicon.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.unity.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.unityInterlockOperation.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.unityActive.disable" -value $True -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.unity.windowContents.disable" -value $True -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.unity.push.update.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.unity.taskbar.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.vmxDnDVersionGet.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "isolation.tools.guestDnDVersionSet.disable" -value $true -Confirm:$false

New-AdvancedSetting -Entity $VM -Name "RemoteDisplay.maxConnections" -value 2 -Confirm:$false

I am interested in hearing of your experiences with this.

Thanks!

0 Kudos
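An audit-first way to roll out the settings from the post, as an added example that is not the original poster's code: it reports per-VM drift before changing anything, then applies only the values that differ. It assumes PowerCLI with an active `Connect-VIServer` session; the function names, the CSV path and the VM name `test-vm-01` are hypothetical, and the baseline holds only a subset of the settings listed above.

```powershell
#Requires -Modules VMware.VimAutomation.Core
# Added example; assumes an active Connect-VIServer session.
# Subset of the settings from the post, values as posted; extend with the rest.
$Baseline = [ordered]@{
    'isolation.tools.setGUIOptions.enable' = 'false'
    'isolation.tools.diskShrink.disable'   = 'true'
    'isolation.tools.diskWiper.disable'    = 'true'
    'RemoteDisplay.maxConnections'         = '2'
}

function Get-HardeningDrift {   # hypothetical helper: report only, changes nothing
    param([Parameter(Mandatory)] $VM, [Parameter(Mandatory)] $Baseline)
    $current = @{}
    Get-AdvancedSetting -Entity $VM | ForEach-Object { $current[$_.Name] = [string]$_.Value }
    foreach ($name in $Baseline.Keys) {
        $have = if ($current.ContainsKey($name)) { $current[$name] } else { $null }
        # String -ne is case-insensitive, so TRUE and true count as equal
        if ($have -ne $Baseline[$name]) {
            [pscustomobject]@{ VM = $VM.Name; Name = $name; Current = $have; Desired = $Baseline[$name] }
        }
    }
}

function Set-HardeningBaseline {   # hypothetical helper: applies only what drifted
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] $VM, [Parameter(Mandatory)] $Baseline)
    foreach ($d in Get-HardeningDrift -VM $VM -Baseline $Baseline) {
        if ($PSCmdlet.ShouldProcess($VM.Name, "set $($d.Name) = $($d.Desired)")) {
            # -Force lets New-AdvancedSetting overwrite a key that already exists
            New-AdvancedSetting -Entity $VM -Name $d.Name -Value $d.Desired -Force -Confirm:$false | Out-Null
        }
    }
}

# 1. Report only. The CSV records the previous values, which is the rollback
#    reference for the one-off VMs and appliances.
$drift = Get-VM | ForEach-Object { Get-HardeningDrift -VM $_ -Baseline $Baseline }
$drift | Export-Csv -NoTypeInformation -Path .\hardening-drift.csv

# 2. Preview the change on a single test VM, then remove -WhatIf to apply.
Get-VM -Name 'test-vm-01' | ForEach-Object { Set-HardeningBaseline -VM $_ -Baseline $Baseline -WhatIf }
```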
1 Reply
Immortal

Before listening to Qualys, read this article by Mike to understand if these changes are really necessary (hint: they're not all).

0 Kudos