
Hardening ESXi Script

With LucD's help I created this script to harden ESXi hosts and their VMs based on the VMware hardening-guide recommendations.

I will need assistance and collaboration in order to:

  1. Get the existing values for hosts
  2. Add advanced settings for Hosts
  3. If a required value is already set, the script must compare the existing value with the desired one and only make the change when they differ
  4. Generate a report
  5. Receive an email reporting how many:
    1. Hardened VMs & hardened hosts
    2. Remaining VMs & hosts still to harden

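# vCenter login. Credentials are prompted for at run time rather than kept as
# plaintext $user/$password variables inside the script, which would end up in
# source control, backups and anyone's copy of the file.
$vCCred = Get-Credential -Message "vCenter credentials"

# Connect to both vCenters with those credentials. -ErrorAction Stop aborts the
# run if a connection fails, so the script cannot report "completed" after
# having worked against a partial inventory.
Connect-VIServer -Server "vcenter1", "vcenter2" -Credential $vCCred -ErrorAction Stop

$StartTime = Get-Date

# rows of {VM, Name, OldValue, NewValue}, filled by the VM loop and exported at the end
$report = @()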

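# Snapshot the advanced settings of every host.
# NOTE: $Host is a reserved automatic variable in PowerShell (the host
# application), so the loop variable must not be called $Host; using it as a
# foreach variable fails, which means no host was ever inventoried.
$hostSettings = @{}
foreach ($esx in Get-VMHost) {
    $tab = @{}
    $date = Get-Date -Format "ddMMyy_HHmm"
    Get-AdvancedSetting -Entity $esx | ForEach-Object -Process {
        # index assignment instead of .Add(): a repeated name would throw
        $tab[$_.Name] = $_.Value
    }
    # Keep the snapshot per host so a later host-hardening step can compare
    # desired vs existing values. No host advanced setting is changed here.
    $hostSettings[$esx.Name] = $tab
}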

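# NTP configuration for all hosts. The assignment and the pipeline must be
# separate statements (on one line this is a syntax error). Only servers that
# are not already configured are added, because Add-VMHostNtpServer errors on
# a server that is already in the host's list.
$NTPServers = "NTP1", "NTP2"
foreach ($esx in Get-VMHost) {
    $configured = Get-VMHostNtpServer -VMHost $esx
    $missing = $NTPServers | Where-Object { $configured -notcontains $_ }
    if ($missing) {
        Add-VMHostNtpServer -VMHost $esx -NtpServer $missing | Out-Null
    }
}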

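# Desired VM advanced settings (hardening-guide values). Driving the loop from
# a table lets the script compare existing vs desired and only write the keys
# that differ (requirement 3), instead of rewriting every key on every run.
# The original list carried isolation.tools.copy.disable and
# isolation.tools.paste.disable twice; each appears once here.
# NOTE: svga.vgaOnly=TRUE and mks.enable3d=FALSE remove accelerated / 3D
# graphics from the VM - exclude VDI or graphics workloads before running.
$vmSettings = [ordered]@{
    'isolation.device.edit.disable'                    = 'TRUE'
    'isolation.device.connectable.disable'             = 'TRUE'
    'isolation.tools.copy.disable'                     = 'TRUE'
    'isolation.tools.paste.disable'                    = 'TRUE'
    'isolation.tools.ghi.autologon.disable'            = 'TRUE'
    'isolation.bios.bbs.disable'                       = 'TRUE'
    'isolation.tools.ghi.protocolhandler.info.disable' = 'TRUE'
    'isolation.tools.unity.taskbar.disable'            = 'TRUE'
    'isolation.tools.unityActive.disable'              = 'TRUE'
    'isolation.tools.unity.windowContents.disable'     = 'TRUE'
    'isolation.tools.unity.push.update.disable'        = 'TRUE'
    'isolation.tools.vmxDnDVersionGet.disable'         = 'TRUE'
    'isolation.tools.guestDnDVersionSet.disable'       = 'TRUE'
    'isolation.ghi.host.shellAction.disable'           = 'TRUE'
    'isolation.tools.dispTopoRequest.disable'          = 'TRUE'
    'isolation.tools.trashFolderState.disable'         = 'TRUE'
    'isolation.tools.ghi.trayicon.disable'             = 'TRUE'
    'isolation.tools.unity.disable'                    = 'TRUE'
    'isolation.tools.unityInterlockOperation.disable'  = 'TRUE'
    'isolation.tools.getCreds.disable'                 = 'TRUE'
    'isolation.tools.hgfsServerSet.disable'            = 'TRUE'
    'isolation.tools.ghi.launchmenu.change'            = 'TRUE'
    'isolation.tools.memSchedFakeSampleStats.disable'  = 'TRUE'
    'isolation.tools.dnd.disable'                      = 'TRUE'
    'isolation.tools.setGUIOptions.enable'             = 'FALSE'
    'RemoteDisplay.vnc.enabled'                        = 'FALSE'
    'svga.vgaOnly'                                     = 'TRUE'
    'mks.enable3d'                                     = 'FALSE'
    'isolation.tools.diskShrink.disable'               = 'TRUE'
    'isolation.tools.diskWiper.disable'                = 'TRUE'
    'isolation.tools.vixMessage.disable'               = 'TRUE'
    'log.keepOld'                                      = '10'
    'tools.guestlib.enableHostInfo'                    = 'FALSE'
    'log.rotateSize'                                   = '102400'
    'tools.setInfo.sizeLimit'                          = '1048576'
}

foreach ($vm in Get-VM) {
    # Current advanced settings keyed by name: used both to skip keys that are
    # already at the desired value and as the OldValue column of the report.
    $tab = @{}
    $date = Get-Date -Format "ddMMyy_HHmm"
    Get-AdvancedSetting -Entity $vm | ForEach-Object -Process {
        # index assignment instead of .Add(): a repeated name would throw
        $tab[$_.Name] = $_.Value
    }

    foreach ($name in $vmSettings.Keys) {
        $desired = $vmSettings[$name]
        # A missing key gives $null -> "" and is therefore set. -ne is
        # case-insensitive, so a VM that already has 'true' matches 'TRUE'.
        if ("$($tab[$name])" -ne "$desired") {
            # -Force is required to overwrite a key that already exists
            New-AdvancedSetting -Entity $vm -Name $name -Value $desired -Confirm:$False -Force:$True |
                Select-Object @{N='VM';E={$_.Entity.Name}},Name,Value
        }
    }

    # The "remove unneeded floppy drives" item is a device removal, not a VMX
    # key: writing an advanced setting literally named 'Remove-FloppyDrive'
    # (as the original did) only adds a bogus key and leaves the drive in
    # place. Removal may be refused on a powered-on VM; the error is reported
    # and the run continues with the next VM.
    Get-FloppyDrive -VM $vm | Remove-FloppyDrive -Confirm:$False

    # Report every setting of the VM with the value before and after this run.
    $report += Get-AdvancedSetting -Entity $vm |
        Select-Object @{N='VM';E={$vm.Name}},Name,@{N='OldValue';E={$tab[$_.Name]}},@{N='NewValue';E={$_.Value}}
}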

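# $date is assigned inside the inventory loops above; fall back to a fresh
# timestamp so an empty inventory does not write "Settings_.csv".
if (-not $date) { $date = Get-Date -Format "ddMMyy_HHmm" }

$report | Export-Csv -Path "Settings_$($date).csv" -NoTypeInformation -UseCulture

$EndTime = Get-Date

$duration = [math]::Round((New-TimeSpan -Start $StartTime -End $EndTime).TotalMinutes,2)

Write-Host "================================"

Write-Host "Hardening VMs By vCenter Completed!" -Foregroundcolor "Green"

# NOTE: the only host change this script makes is adding NTP servers; host
# advanced settings are inventoried but not modified, so this line overstates
# what was done for hosts.
Write-Host "Hardening Hosts By vCenter Completed!" -Foregroundcolor "Cyan"

Write-Host "StartTime: $StartTime"

Write-Host "EndTime: $EndTime"

Write-Host "Duration: $duration minutes"

Write-Host "================================"

# Close the vCenter sessions opened by Connect-VIServer at the top of the script.
Disconnect-VIServer -Server * -Confirm:$False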