vSphere 5.0 Security Hardening Recommended VM Settings Check Script


# Uncomment if the PowerCLI snap-in has not been loaded yet
#Add-PSSnapIn VMware.VimAutomation.Core

Clear-Host

# Inline CSS for the HTML report
$a = "<style>"
$a = $a + "BODY{background-color:peachpuff;}"
$a = $a + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
$a = $a + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:thistle}"
$a = $a + "TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:palegoldenrod}"
$a = $a + "</style>"

# Credentials come from a PowerCLI credential store file (created beforehand with New-VICredentialStoreItem)
$creds = Get-VICredentialStoreItem -File "C:\powercli\credfile.xml"
Connect-VIServer -Server $creds.Host -User $creds.User -Password $creds.Password

# Returns the advanced (.vmx ExtraConfig) settings of a VM, optionally filtered to one key.
# Every row carries the VM name, otherwise the report cannot tell which VM a setting belongs to.
function Get-VMAdvancedConfiguration {
  param(
    [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
      $vm,
      [String]$key
  )

  process{
    $VM | ForEach-Object {
        $thisVM = $_
        $settings = $thisVM.ExtensionData.Config.ExtraConfig |
            Select-Object @{N='VM';E={$thisVM.Name}}, Key, Value
        if ($key) { $settings | Where-Object { $_.Key -eq $key } } else { $settings }
    }
  }
}

# Settings from the vSphere 5.0 hardening guide. The guide writes device numbers as X / X:Y
# (floppyX.present, scsiX:Y.mode), so those are matched as patterns rather than literal keys:
# a literal -eq 'floppyX.present' would never match the real key floppy0.present.
$hardeningKeys = @(
    '^nvram$'
    '^isolation\.tools\.ghi\.autologon\.disable$'
    '^isolation\.bios\.bbs\.disable$'
    '^isolation\.tools\.hgfsServerSet\.disable$'
    '^isolation\.monitor\.control\.disable$'
    '^floppy\d+\.present$'
    '^serial\d+\.present$'
    '^parallel\d+\.present$'
    '^usb\.present$'
    '^ide\d+:\d+\.present$'
    '^isolation\.tools\.unity\.push\.update\.disable$'
    '^isolation\.tools\.ghi\.launchmenu\.change$'
    '^isolation\.tools\.memSchedFakeSampleStats\.disable$'
    '^isolation\.tools\.getCreds\.disable$'
    '^scsi\d+:\d+\.mode$'
    '^isolation\.tools\.autoInstall\.disable$'
    '^tools\.guestlib\.enableHostInfo$'
    '^RemoteDisplay\.maxConnections$'
)
$hardeningPattern = $hardeningKeys -join '|'

Get-VM | Get-VMAdvancedConfiguration |
    Where-Object { $_.Key -match $hardeningPattern } |
    ConvertTo-Html -Head $a -PreContent @"
<h3>vSphere 5.0 Security Hardening Recommended VM Settings</h3>
<b>Security Profile 3(Low)</b> <P>Limit sharing of console connections (RemoteDisplay.maxConnections=2)</P>
<b>Security Profile 2(Median)</b> <P>Limit sharing of console connections (RemoteDisplay.maxConnections=1)<br>
Disconnect unauthorized devices (floppyX.present=FALSE, serialX.present=FALSE, parallelX.present=FALSE, usb.present=FALSE, ideX:Y.present=FALSE)<br>
Disable certain unexposed features (isolation.tools.unity.push.update.disable=TRUE, isolation.tools.ghi.launchmenu.change=TRUE, isolation.tools.memSchedFakeSampleStats.disable=TRUE, isolation.tools.getCreds.disable=TRUE)<br>
Avoid using independent nonpersistent disks (scsiX:Y.mode=independent nonpersistent)<br>
Disable tools auto install (isolation.tools.autoInstall.disable=TRUE)<br>
Don't send host information to guests (tools.guestlib.enableHostInfo=FALSE)</P>
<b>Security Profile 1(High)</b> <P>Disable certain unexposed features (isolation.tools.ghi.autologon.disable=TRUE, isolation.bios.bbs.disable=TRUE)<br>
Disable HGFS file transfers (isolation.tools.hgfsServerSet.disable=TRUE)<br>
Disable VM Monitor Control (isolation.monitor.control.disable=TRUE)</P>
"@ | Set-Content C:\powercli\vm_security.html

# Open the finished report with the default browser (Invoke-Item opens a document; Invoke-Expression
# would try to run the path as a command)
Invoke-Item C:\powercli\vm_security.html

This is the report sample: [image of the generated HTML report]
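One caveat with the report: it only lists keys that are present, so a VM that never had a key such as isolation.tools.hgfsServerSet.disable added looks the same as one that was hardened, and every value still has to be compared by eye. The following is an added example, not part of the original script, that evaluates a VM's ExtraConfig against the values in the report header and flags missing or wrong settings; Test-VMHardening, $Rules and the sample data are my own names and constructed values, and treating an absent key as acceptable only for the device and disk-mode rules is my assumption.

```powershell
# Added example (not part of the original script): evaluate a VM's ExtraConfig against the
# values in the report header, flagging keys that are MISSING as well as keys with a wrong value.
# Rule modes: Equals   = key must be present with this value (absent = VMware default = not hardened)
#             Absent   = compliant if absent (no such device) or set to this value
#             NotEqual = compliant as long as the value does NOT match (scsiX:Y.mode)
$Rules = @(
    @{ Key='RemoteDisplay.maxConnections'; Pattern='^RemoteDisplay\.maxConnections$'; Value='1'; Mode='Equals' }   # 2 is allowed for Profile 3
    @{ Key='floppyX/serialX/parallelX.present'; Pattern='^(floppy|serial|parallel)\d+\.present$'; Value='FALSE'; Mode='Absent' }
    @{ Key='usb.present'; Pattern='^usb\.present$'; Value='FALSE'; Mode='Absent' }
    @{ Key='ideX:Y.present'; Pattern='^ide\d+:\d+\.present$'; Value='FALSE'; Mode='Absent' }
    @{ Key='scsiX:Y.mode'; Pattern='^scsi\d+:\d+\.mode$'; Value='independent.nonpersistent'; Mode='NotEqual' }
    @{ Key='tools.guestlib.enableHostInfo'; Pattern='^tools\.guestlib\.enableHostInfo$'; Value='FALSE'; Mode='Equals' }
)
# The remaining isolation.* keys all share the same rule: must be present and TRUE
foreach ($k in 'isolation.tools.ghi.autologon.disable','isolation.bios.bbs.disable',
        'isolation.tools.hgfsServerSet.disable','isolation.monitor.control.disable',
        'isolation.tools.unity.push.update.disable','isolation.tools.ghi.launchmenu.change',
        'isolation.tools.memSchedFakeSampleStats.disable','isolation.tools.getCreds.disable',
        'isolation.tools.autoInstall.disable') {
    $Rules += @{ Key=$k; Pattern='^' + [regex]::Escape($k) + '$'; Value='TRUE'; Mode='Equals' }
}

function Test-VMHardening {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][hashtable]$ExtraConfig   # key -> value, built from $vm.ExtensionData.Config.ExtraConfig
    )
    foreach ($r in $Rules) {
        $want = if ($r.Mode -eq 'NotEqual') { "not $($r.Value)" } else { $r.Value }
        $hits = @($ExtraConfig.Keys | Where-Object { $_ -match $r.Pattern })
        if ($hits.Count -eq 0) {
            # Key not set at all: only the Equals rules treat that as a finding
            [pscustomobject]@{ VM=$VMName; Setting=$r.Key; Actual='<not set>'; Expected=$want; Compliant=($r.Mode -ne 'Equals') }
            continue
        }
        foreach ($k in $hits) {
            $v  = [string]$ExtraConfig[$k]
            $ok = if ($r.Mode -eq 'NotEqual') { $v -notmatch $r.Value } else { $v -match ('^' + $r.Value + '$') }
            [pscustomobject]@{ VM=$VMName; Setting=$k; Actual=$v; Expected=$want; Compliant=$ok }
        }
    }
}

# Constructed sample (not a real VM): one attached floppy, one isolation key set, the rest at defaults
$sample = @{ 'RemoteDisplay.maxConnections'='1'; 'floppy0.present'='TRUE'; 'scsi0:0.mode'='persistent'; 'isolation.tools.getCreds.disable'='TRUE' }
Test-VMHardening -VMName 'sample-vm' -ExtraConfig $sample | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
# Against real VMs after Connect-VIServer:
# Get-VM | ForEach-Object { $h=@{}; $_.ExtensionData.Config.ExtraConfig | ForEach-Object { $h[$_.Key]=$_.Value }; Test-VMHardening $_.Name $h }
```

For the constructed sample the non-compliant rows are floppy0.present (TRUE instead of FALSE) and every Equals rule whose key is not set, while the persistent scsi0:0 disk and the absent USB/IDE keys pass.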
