2 Replies Latest reply on Aug 30, 2014 10:28 AM by esxi1979

    Powercli for VM hardening 5.5

    esxi1979 Hot Shot

      Can someone please confirm that the below can be used for VM hardening? (I got it from a post.)

      Thanks for the tip, I was working on a PowerCLI script that complies with the DISA STIG and the hardening guide and this gave me the missing piece. Here it is in summary:

      I created the file d:\vmware stig\stig_vm.txt with the following input taken from the DISA STIG:
      isolation.bios.bbs.disable,TRUE
      isolation.device.connectable.disable,TRUE
      isolation.monitor.control.disable,TRUE
      isolation.tools.diskShrink.disable,TRUE
      isolation.tools.diskWiper.disable,TRUE
      log.keepOld,10
      log.rotateSize,100000
      RemoteDisplay.maxConnections,1
      tools.guestlib.enableHostInfo,FALSE
      tools.setInfo.sizeLimit,1048576
      vmci0.unrestricted,FALSE
      isolation.tools.hgfsServerSet.disable,TRUE
      isolation.device.edit.disable,TRUE
      isolation.tools.autoInstall.disable,TRUE
      isolation.tools.copy.disable,TRUE
      isolation.tools.dnd.disable,TRUE
      isolation.tools.setGUIOptions.enable,FALSE
      isolation.tools.paste.disable,TRUE
      isolation.tools.ghi.autologon.disable,TRUE
      isolation.tools.getCreds.disable,TRUE
      isolation.tools.ghi.launchmenu.change,TRUE
      isolation.tools.memSchedFakeSampleStats.disable,TRUE
      isolation.tools.ghi.protocolhandler.info.disable,TRUE
      isolation.ghi.host.shellAction.disable,TRUE
      isolation.tools.dispTopoRequest.disable,TRUE
      isolation.tools.trashFolderState.disable,TRUE
      isolation.tools.ghi.trayicon.disable,TRUE
      isolation.tools.unity.disable,TRUE
      isolation.tools.unityInterlockOperation.disable,TRUE
      isolation.tools.unity.push.update.disable,TRUE
      isolation.tools.unity.taskbar.disable,TRUE
      isolation.tools.unityActive.disable,TRUE
      isolation.tools.unity.windowContents.disable,TRUE
      isolation.tools.vmxDnDVersionGet.disable,TRUE
      isolation.tools.guestDnDVersionSet.disable,TRUE
      isolation.tools.vixMessage.disable,TRUE

      # Two-column file, no header row: Name,Value
      $stig_vm = Import-Csv 'D:\VMWARE STIG\stig_vm.txt' -Header Name,Value

      # APPLY TO JUST MY_VM1 (PowerShell comments use #, not the batch-file ::)
      foreach ($line in $stig_vm) {
          New-AdvancedSetting -Entity (Get-VM MY_VM1) -Name $line.Name -Value $line.Value -Force -Confirm:$false | Select Entity, Name, Value
      }

      # APPLY TO ALL VMs. $output must be defined, and the CSV is written once after the loop;
      # calling Export-Csv inside the loop overwrote the file on every key.
      $output = 'D:\VMWARE STIG\stig_vm_applied.csv'   # path is an example, pick your own
      $results = foreach ($line in $stig_vm) {
          Get-VM | New-AdvancedSetting -Name $line.Name -Value $line.Value -Force -Confirm:$false | Select Entity, Name, Value
      }
      $results | Export-Csv $output -NoTypeInformation

      I tried to follow the xls published by VMware, but I am not getting it, e.g.:

      # List the VMs and their current settings

      Get-VM | Get-AdvancedSetting -Name "isolation.tools.autoInstall.disable" | Select Entity, Name, Value

      It gives me no output. What does that mean?

      Please help.

      Thanks
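
An added example, not from the thread: the reason `Get-VM | Get-AdvancedSetting -Name ...` prints nothing is that Get-AdvancedSetting only returns keys that actually exist in a VM's extraConfig; a key that has never been set is absent rather than reported with a default value, which is also why the listing in the second reply below contains only the auto-populated keys. This script therefore audits every VM against the stig_vm.txt list and reports each key as Missing, Mismatch or Compliant instead of applying anything. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the file and report paths are placeholders.

```powershell
# Added example (not the poster's code): audit VMs against the stig_vm.txt list.
# A key Get-AdvancedSetting does not return is simply absent from the VM's
# extraConfig (there is no default entry), so the report separates Missing
# from Mismatch from Compliant.
# Assumptions: PowerCLI loaded, Connect-VIServer already run, and the list file
# has the same two-column Name,Value layout as the one posted above.
param(
    [string]$StigFile = 'D:\VMWARE STIG\stig_vm.txt',        # placeholder path
    [string]$Report   = 'D:\VMWARE STIG\stig_vm_audit.csv'   # placeholder path
)

# -Unique drops repeated keys (the list above has isolation.bios.bbs.disable twice
# and tools.setInfo.sizeLimit in two spellings; the sort is case-insensitive).
$stig = Import-Csv $StigFile -Header Name,Value | Sort-Object Name -Unique

$results = foreach ($vm in Get-VM) {
    # One read per VM: index the whole extraConfig by key instead of calling
    # Get-AdvancedSetting once per key.
    $current = @{}
    foreach ($opt in $vm.ExtensionData.Config.ExtraConfig) {
        $current[$opt.Key] = [string]$opt.Value
    }

    foreach ($line in $stig) {
        if (-not $current.ContainsKey($line.Name)) {
            $state = 'Missing'; $actual = $null
        } elseif ($current[$line.Name] -ieq $line.Value) {   # vmx booleans are case-insensitive
            $state = 'Compliant'; $actual = $current[$line.Name]
        } else {
            $state = 'Mismatch'; $actual = $current[$line.Name]
        }
        [pscustomobject]@{
            VM       = $vm.Name
            Setting  = $line.Name
            Expected = $line.Value
            Actual   = $actual
            State    = $state
        }
    }
}

$results | Export-Csv $Report -NoTypeInformation

# Console summary: which controls fail on the most VMs
$results | Where-Object State -ne 'Compliant' |
    Group-Object Setting | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run the audit before and after the apply loop above: a key that still shows Missing afterwards was never written (wrong VM name, permissions, or a typo in the list), while Mismatch means something else set it to a different value.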

        • 1. Re: Powercli for VM hardening 5.5
          ssoliman02 Novice

          Hi, try something like the below. Not as efficient, but effective...

          Just fill in the "Connect-VIServer" IP and the "$targethost" IP.

          # Connect to vCenter and pick the target host (fill in both IPs)
          Connect-VIServer x.x.x.x
          $targethost = "x.x.x.x"

          # Hardening-guide keys and the values to apply. Every VM on $targethost gets the
          # same VirtualMachineConfigSpec, so the list is built once. Values are kept as
          # posted; the vmx parser treats true/TRUE and false/FALSE the same.
          $hardeningSettings = [ordered]@{
              # disable_intervm_vmci - Disable VM-to-VM communication through VMCI
              "vmci0.unrestricted"                                = "false"
              # limit_console_connections_two - Limit sharing of console connections
              "RemoteDisplay.maxConnections"                      = "2"
              # limit_setinfo_size - Limit informational messages from the VM to the VMX file
              "tools.setInfo.sizeLimit"                           = "1048576"
              # prevent_device_interaction_connect / _edit - Prevent unauthorized removal, connection and modification of devices
              "isolation.device.connectable.disable"              = "true"
              "isolation.device.edit.disable"                     = "true"
              # disable_console_copy / _paste / _dnd / _gui_options (VMX03) - Explicitly disable copy/paste operations
              "isolation.tools.copy.disable"                      = "true"
              "isolation.tools.paste.disable"                     = "true"
              "isolation.tools.dnd.disable"                       = "true"
              "isolation.tools.setGUIOptions.enable"              = "false"
              # disable_hgfs - Disable shared folders (HGFS) file transfers
              "isolation.tools.hgfsServerSet.disable"             = "true"
              # disable_unexposed_features_* - Disable certain unexposed features
              "isolation.tools.ghi.autologon.disable"             = "true"
              "isolation.bios.bbs.disable"                        = "true"
              "isolation.tools.getCreds.disable"                  = "true"
              "isolation.tools.ghi.launchmenu.change"             = "true"
              "isolation.tools.memSchedFakeSampleStats.disable"   = "true"
              "isolation.tools.ghi.protocolhandler.info.disable"  = "true"
              "isolation.ghi.host.shellAction.disable"            = "true"
              "isolation.tools.dispTopoRequest.disable"           = "TRUE"
              "isolation.tools.trashFolderState.disable"          = "true"
              "isolation.tools.ghi.trayicon.disable"              = "true"
              "isolation.tools.unity.disable"                     = "true"
              "isolation.tools.unityInterlockOperation.disable"   = "true"
              "isolation.tools.unity.push.update.disable"         = "true"
              "isolation.tools.unity.taskbar.disable"             = "true"
              "isolation.tools.unityActive.disable"               = "true"
              "isolation.tools.unity.windowContents.disable"      = "true"
              "isolation.tools.vmxDnDVersionGet.disable"          = "true"
              "isolation.tools.guestDnDVersionSet.disable"        = "true"
              # verify_vmsafe_cpumem_enable - Control access to VMs through VMsafe CPU/memory APIs
              "vmsafe.enable"                                     = "FALSE"
              # disable_disk_shrinking_shrink / _wiper - Disable virtual disk shrinking
              "isolation.tools.diskShrink.disable"                = "true"
              "isolation.tools.diskWiper.disable"                 = "true"
              # disable_autoinstall - Disable VMware Tools auto-install
              "isolation.tools.autoInstall.disable"               = "true"
              # disable_vix_messages - Disable VIX messages from the VM
              "isolation.tools.vixMessage.disable"                = "true"
              # limit_log_number / limit_log_size - Limit VM logging
              "log.keepOld"                                       = "10"
              "log.rotateSize"                                    = "10000"
              # restrict_host_info - Do not send host information to guests
              "tools.guestlib.enableHostInfo"                     = "FALSE"
          }

          # disconnect_devices_floppy / _ide / _parallel / _serial - Disconnect unauthorized devices.
          # The placeholder keys floppyX.present, ideX:Y.present, parallelX.present and
          # serialX.present must NOT be used literally: ExtraConfig would store keys with
          # exactly those names and disable nothing. Replace X / X:Y with the real device
          # index from the VM's .vmx (for example floppy0.present, serial0.present) before
          # enabling these, or remove the devices with Remove-FloppyDrive and friends.
          #   "floppy0.present"   = "FALSE"   # example index only
          #   "ide1:0.present"    = "FALSE"   # example index only
          #   "parallel0.present" = "FALSE"   # example index only
          #   "serial0.present"   = "FALSE"   # example index only

          # disable_independent_nonpersistent - Disk mode is a property of the disk backing,
          # not an extraConfig key, so scsiX:Y.mode cannot be set this way. Check it with
          #   Get-VM | Get-HardDisk | Select Parent, Name, Persistence
          # and change it with Set-HardDisk -Persistence where needed.

          # Set up the VirtualMachineConfigSpec object with one OptionValue per key
          $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
          foreach ($key in $hardeningSettings.Keys) {
              $option = New-Object VMware.Vim.OptionValue
              $option.Key   = $key
              $option.Value = $hardeningSettings[$key]
              $vmConfigSpec.ExtraConfig += $option
          }

          # Apply the spec to every VM on the target host. ReconfigVM returns nothing, so
          # there is no point capturing the result. Most of these keys are read when the
          # VM powers on, so a power-cycle (not just a guest reboot) is needed for them
          # to take effect on running VMs.
          Get-VMHost $targethost | Get-VM | ForEach-Object {
              $_.ExtensionData.ReconfigVM($vmConfigSpec)
          }
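
An added example rather than the poster's code: the script above pushes the full spec to every VM whether or not anything differs, and its floppyX/ideX:Y/parallelX/serialX entries would have been stored under those literal names. This version computes the per-VM difference first, issues a single ReconfigVM only when some key is missing or wrong, warns when the VM is powered on (the isolation.* keys are read at power-on), and lists the VM's actual floppy, serial, parallel and IDE (CD/DVD) devices by label so they can be removed deliberately instead of by a guessed vmx index. The $targethost value and the $desired subset are illustrative; PowerCLI is assumed loaded and connected.

```powershell
# Added example (not from the reply above): one ReconfigVM per VM carrying only
# the keys that differ, plus an inventory of the removable/serial/parallel
# devices the hardening guide says to remove.
# Assumptions: PowerCLI loaded and Connect-VIServer already run; $targethost and
# the $desired subset below are illustrative values, not the poster's.
$targethost = "x.x.x.x"

# Desired extraConfig values (subset of the reply's list, same semantics)
$desired = [ordered]@{
    "vmci0.unrestricted"                   = "false"
    "RemoteDisplay.maxConnections"         = "2"
    "isolation.tools.copy.disable"         = "true"
    "isolation.tools.paste.disable"        = "true"
    "isolation.tools.dnd.disable"          = "true"
    "isolation.tools.setGUIOptions.enable" = "false"
    "isolation.device.connectable.disable" = "true"
    "isolation.device.edit.disable"        = "true"
    "tools.guestlib.enableHostInfo"        = "FALSE"
    "log.keepOld"                          = "10"
    "log.rotateSize"                       = "100000"
}

function Get-HardeningDelta {
    # Returns the OptionValue objects needed to bring $Vm to $Desired; nothing if compliant
    param(
        [Parameter(Mandatory)]$Vm,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Desired
    )
    $current = @{}
    foreach ($opt in $Vm.ExtensionData.Config.ExtraConfig) { $current[$opt.Key] = [string]$opt.Value }
    foreach ($key in $Desired.Keys) {
        if ($current.ContainsKey($key) -and $current[$key] -ieq $Desired[$key]) { continue }
        $ov = New-Object VMware.Vim.OptionValue
        $ov.Key   = $key
        $ov.Value = $Desired[$key]
        $ov
    }
}

function Get-UnauthorizedDevices {
    # Real devices behind the floppyX / serialX / parallelX / ideX:Y placeholders,
    # reported by label so they can be removed (Remove-FloppyDrive, Remove-CDDrive, ...)
    param([Parameter(Mandatory)]$Vm)
    $Vm.ExtensionData.Config.Hardware.Device | Where-Object {
        $_ -is [VMware.Vim.VirtualFloppy]       -or
        $_ -is [VMware.Vim.VirtualSerialPort]   -or
        $_ -is [VMware.Vim.VirtualParallelPort] -or
        $_ -is [VMware.Vim.VirtualCdrom]          # the usual occupant of an IDE slot
    } | Select-Object @{n='VM';e={$Vm.Name}},
                      @{n='Device';e={$_.DeviceInfo.Label}},
                      @{n='Type';e={$_.GetType().Name}}
}

foreach ($vm in Get-VMHost $targethost | Get-VM) {
    $delta = @(Get-HardeningDelta -Vm $vm -Desired $desired)
    if ($delta.Count -eq 0) {
        Write-Host "$($vm.Name): compliant, no reconfigure issued"
    } else {
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.ExtraConfig = $delta
        try {
            # Synchronous call: an API fault throws here instead of being silently lost
            $vm.ExtensionData.ReconfigVM($spec)
            Write-Host "$($vm.Name): set $($delta.Count) key(s): $($delta.Key -join ', ')"
        } catch {
            Write-Warning "$($vm.Name): reconfigure failed: $($_.Exception.Message)"
        }
        if ($vm.PowerState -eq 'PoweredOn') {
            Write-Warning "$($vm.Name) is powered on; the isolation.* keys take effect at the next power-on"
        }
    }
    Get-UnauthorizedDevices -Vm $vm
}
```

Because only the differing keys are sent, re-running the script on a compliant host issues no reconfigure tasks at all, which keeps the vCenter task history readable and makes a drift on any VM stand out.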

          • 2. Re: Powercli for VM hardening 5.5
            esxi1979 Hot Shot

            Thanks... The 1st method looks easy though. Can someone confirm that it is OK to run?

            I ran the Get-AdvancedSetting cmdlet and it only gives me something like this:

            ethernet0.pciSlotNumber
            evcCompatibilityMode
            guestCPUID.0
            guestCPUID.1
            guestCPUID.80000001
            hostCPUID.0
            hostCPUID.1
            hostCPUID.80000001
            hpet0.present
            migrate.hostlog
            migrate.hostLogState
            migrate.migrationId
            nvram
            pciBridge0.pciSlotNumber
            pciBridge0.present
            pciBridge4.functions
            pciBridge4.pciSlotNumber
            pciBridge4.present
            pciBridge4.virtualDev
            pciBridge5.functions
            pciBridge5.pciSlotNumber
            pciBridge5.present
            pciBridge5.virtualDev
            pciBridge6.functions
            pciBridge6.pciSlotNumber
            pciBridge6.present
            pciBridge6.virtualDev
            pciBridge7.functions
            pciBridge7.pciSlotNumber
            pciBridge7.present
            pciBridge7.virtualDev
            replay.filename
            replay.supported
            sched.scsi0:0.throughputCap
            sched.swap.derivedName
            scsi0.pciSlotNumber
            scsi0:0.redo
            snapshot.action
            softPowerOff
            toolsInstallManager.lastInstallError
            userCPUID.0
            userCPUID.1
            userCPUID.80000001
            virtualHW.productCompatibility
            vmci0.pciSlotNumber
            vmotion.checkpointFBSize
            vmware.tools.internalversion
            vmware.tools.requiredversion