<#
.SYNOPSIS
Configure VM security hardening for your VMs
.DESCRIPTION
Thanks to andrew for the idea of creating a VM spec and pushing it to all the VMs. This
script builds a VM config spec from security hardening best practices and applies it to
every non-template VM on the connected host or vCenter.
.NOTES
File Name : VMSecurityHardening.ps1
Author : andrew > gajendra d ambi
Prerequisite : PowerCLI 5.x, PowerShell V2, on Windows Vista or later.
Copyright - None
.LINK
Script posted over:
concept : http://practical-admin.com/blog/powercli-update-vmx-configuration-parameters-in-mass/
adaptation : http://tinyurl.com/ambigitvmware
http://www.stigviewer.com/stig/vmware_esxi_version_5_virtual_machine/2013-12-18/
#>
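# Disconnect any other hosts or vCenters first. The hardening function further down
# reconfigures every non-template VM it can see, so a leftover session could widen the
# set of VMs that get changed.
Write-Host "Let us disconnect any other ESXi hosts or vcenters if they are connected"
# Only call Disconnect-VIServer when a session exists; with nothing connected the
# wildcard matches no server and the cmdlet reports an error.
if ($global:DefaultVIServers) {
    # NOTE(review): the cmdlet asks for confirmation by default; if the operator declines,
    # the old sessions stay connected alongside the new one.
    Disconnect-VIServer *
}
# Connect to the target host or vCenter server. No -Server is given, so the cmdlet is
# expected to ask for it interactively.
Write-Host "Let us connect to the target host or vCenter"
# -ErrorAction Stop ends the script here if the connection fails, instead of carrying on
# to the reconfiguration step without a valid session.
Connect-VIServer -ErrorAction Stop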
#start VMSecurity function
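Function Fun_VMSecurity {
    <#
    .SYNOPSIS
    Applies a fixed set of hardening advanced settings to every non-template VM.
    .DESCRIPTION
    Builds one VirtualMachineConfigSpec whose ExtraConfig holds the key/value pairs in
    $ExtraOptions, then reconfigures each VM returned by Get-View on the current
    connection. Takes no parameters and returns nothing; progress goes to the host and
    per-VM failures are reported as warnings.
    .NOTES
    NOTE(review): advanced settings written to a running VM typically take effect only
    after the VM is powered off and on again - confirm for your environment.
    #>
    $ExtraOptions = @{
        #http://practical-admin.com/blog/powercli-update-vmx-configuration-parameters-in-mass/
        "isolation.tools.diskWiper.disable"="true";
        "isolation.tools.diskShrink.disable"="true";
        "RemoteDisplay.maxConnections"="1";
        "isolation.tools.copy.disable"="true";
        "isolation.tools.paste.disable"="true";
        "isolation.tools.setGUIOptions.enable"="false";
        "isolation.tools.dnd.disable"="true";
        "isolation.device.connectable.disable"="true";
        "isolation.device.edit.disable"="true";
        "vmci0.unrestricted"="false";
        "log.rotateSize"="1000000";
        "log.keepOld"="10";
        "tools.setInfo.sizeLimit"="1048576";
        # NOTE(review): presumably this also blocks tooling that depends on guest
        # operations - verify before a fleet-wide rollout.
        "guest.command.enabled"="false";
        "tools.guestlib.enableHostInfo"="false";
        "isolation.tools.unity.push.update.disable"="true";
        "isolation.tools.ghi.launchmenu.change"="true";
        "isolation.tools.memSchedFakeSampleStats.disable"="true";
        "isolation.tools.getCreds.disable"="true";
        "usb.present"="false";
    }
    # The keys "floppyX.present", "SerialX.present", "parallelX.present" and
    # "ideX:Y.present" were dropped from the table: X and Y are placeholders for a device
    # number, so writing them literally adds a setting that matches no device and leaves
    # the devices in place while the script reports success.
    # NOTE(review): unneeded floppy/serial/parallel/IDE devices still have to be reviewed
    # and removed per VM.

    # Build the config spec from the hashtable above.
    $vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
    # A hashtable has to be enumerated explicitly before it can be iterated.
    Foreach ($Option in $ExtraOptions.GetEnumerator()) {
        $OptionValue = New-Object VMware.Vim.OptionValue
        $OptionValue.Key = $Option.Key
        $OptionValue.Value = $Option.Value
        $vmConfigSpec.ExtraConfig += $OptionValue
    }

    # Get all VMs except templates. @() keeps the result a (possibly empty) array, so the
    # loop below does not run once with $null on PowerShell V2 when nothing is returned.
    $VMs = @(Get-View -ViewType VirtualMachine -Property Name -Filter @{"Config.Template"="false"})

    # Apply the spec to each VM. ReconfigVM waits for the reconfiguration to finish
    # (ReconfigVM_Task only queues it), so "complete" is printed only after the call
    # returns without error, and a rejected change surfaces as a warning.
    foreach ($vm in $VMs) {
        try {
            $vm.ReconfigVM($vmConfigSpec)
            # $($vm.Name) prints the VM name; "$vm" would print the object's type name.
            Write-Host "Security hardening for $($vm.Name) is complete"
        }
        catch {
            Write-Warning "Security hardening for $($vm.Name) FAILED: $($_.Exception.Message)"
        }
    }
} #End VMSecurity function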
# Run the hardening now: this reconfigures every non-template VM returned by Get-View
# for the current connection, with no per-VM prompt.
Fun_VMSecurity