1) Create 3 text files, one for each security profile:

profile3_Low.txt

    RemoteDisplay.maxConnections,2

profile2_Med.txt

    RemoteDisplay.maxConnections,1
    floppyX.present,FALSE
    serialX.present,FALSE
    parallelX.present,FALSE
    usb.present,FALSE
    ideX:Y.present,FALSE
    isolation.tools.unity.push.update.disable,TRUE
    isolation.tools.ghi.launchmenu.change,TRUE
    isolation.tools.memSchedFakeSampleStats.disable,TRUE
    isolation.tools.getCreds.disable,TRUE
    isolation.tools.autoInstall.disable,TRUE
    tools.guestlib.enableHostInfo,FALSE

profile1_High.txt

    RemoteDisplay.maxConnections,1
    floppyX.present,FALSE
    serialX.present,FALSE
    parallelX.present,FALSE
    usb.present,FALSE
    ideX:Y.present,FALSE
    isolation.tools.unity.push.update.disable,TRUE
    isolation.tools.ghi.launchmenu.change,TRUE
    isolation.tools.memSchedFakeSampleStats.disable,TRUE
    isolation.tools.getCreds.disable,TRUE
    isolation.tools.autoInstall.disable,TRUE
    tools.guestlib.enableHostInfo,FALSE
    isolation.tools.ghi.autologon.disable,TRUE
    isolation.bios.bbs.disable,TRUE
    isolation.tools.hgfsServerSet.disable,TRUE
    isolation.monitor.control.disable,TRUE

2) Create the ‘vSphere_Security_Configure.ps1’ script:

    #Uncomment if this SnapIn has not been added
    #Add-PSSnapIn VMware.VimAutomation.Core
    CLS
    #Connect first: Get-VM needs an active server session
    $creds = Get-VICredentialStoreItem -File "C:\powercli\credfile.xml"
    Connect-VIServer -Server $creds.Host -User $creds.User -Password $creds.Password
    #Specify the VM name here
    $VM = Get-VM "DEV-LINUX-01"
    #Specify the security profile file
    $file = Import-Csv c:\powercli\profile3_Low.txt -Header Key,Value
    function Set-VMAdvancedConfiguration {
    <#
    .SYNOPSIS
      Sets an advanced configuration setting (VMX Setting) for a VM
      or multiple VMs
    .DESCRIPTION
      The function will set a VMX setting for a VM
      or multiple VMs
    .NOTES
      Source: Automating vSphere Administration
      Authors: Luc Dekens, Arnim van Lieshout, Jonathan Medd,
               Alan Renouf, Glenn Sizemore
      Adjusted: 07 June 2012 by Alan Renouf to accept a list of options
    .PARAMETER VM
      A virtual machine or multiple virtual machines
    .PARAMETER Key
      The Key to use for the advanced configuration
    .PARAMETER Value
      The value of the key
    .EXAMPLE 1
      PS> Set-VMAdvancedConfiguration -key log.rotatesize -value 10000
    .EXAMPLE 2
      PS> $file = Import-Csv c:\tmp\Settings.txt -Header Key,Value
      PS> Set-VMAdvancedConfiguration -vm $VM -OptionList $file
    #>
      param(
        [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
        $vm,
        [String]$key,
        [String]$value,
        [Array]$OptionList
      )
      process{
        $vmConfigSpec = new-object VMware.Vim.VirtualMachineConfigSpec
        If ($OptionList) {
          #Build one OptionValue per Key,Value row of the profile file
          $OptionList | Foreach {
            $Values = new-object vmware.vim.optionvalue
            $Values.key=$_.key
            $Values.value=$_.value
            $vmConfigSpec.ExtraConfig += $Values
            Write-Host "Adding $($_.Key) = $($_.Value)"
          }
        } Else {
          #Single -key/-value pair
          $vmConfigSpec.ExtraConfig += new-object VMware.Vim.OptionValue
          $vmConfigSpec.ExtraConfig[0].key = $key
          $vmConfigSpec.ExtraConfig[0].value = $value
          Write-Host "Adding $Key = $Value"
        }
        #Apply the same config spec to every VM passed in
        foreach ($singlevm in $vm) {
          $Task = ($singlevm.ExtensionData).ReconfigVM_Task($vmConfigSpec)
          Write-Output "Set Advanced configuration for $($singleVM.Name)"
        }
      }
    }

    Set-VMAdvancedConfiguration -vm $VM -OptionList $file

3) Now let’s confirm the change has been made. Retrieve my ‘vSphere_Security_Check.ps1’ script and add the VM name (DEV-LINUX-01 in my example) after ‘Get-VM’. It should look like this:

    Get-VM DEV-LINUX-01 | Get-VMAdvancedConfiguration | Where-Object {($_.Key -eq 'nvram') ` ….

4) Check the report
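
A way to compare a profile file against what a VM actually has set, as an added example that is not the author's ‘vSphere_Security_Check.ps1’ script. The function name Test-VMProfileCompliance and the sample data are hypothetical and constructed here; it assumes the X and Y in keys such as floppyX.present stand for device numbers, so a key written to a VM with the letters still in it matches no real device and is reported separately.

```powershell
# Added example: hypothetical helper, not part of the original scripts.
function Test-VMProfileCompliance {
    param(
        [Parameter(Mandatory=$true)] [Array]$ProfileRows,  # Key,Value rows from Import-Csv
        [Parameter(Mandatory=$true)] [Array]$ExtraConfig   # Key,Value objects from the VM
    )
    # Index the VM's current settings by key (hashtable string keys are case-insensitive)
    $current = @{}
    foreach ($opt in $ExtraConfig) { $current[$opt.Key] = [string]$opt.Value }

    foreach ($row in $ProfileRows) {
        if ($row.Key -cmatch '^(floppy|serial|parallel)X\.|^ideX:Y\.') {
            # Assumption: X and Y are device-number placeholders that were never
            # expanded, so this key does not apply to any real device.
            $status = 'PlaceholderKey'
        } elseif (-not $current.ContainsKey($row.Key)) {
            $status = 'Missing'
        } elseif ($current[$row.Key] -eq $row.Value) {  # -eq ignores case: TRUE equals true
            $status = 'Compliant'
        } else {
            $status = 'Mismatch'
        }
        New-Object PSObject -Property @{
            Key = $row.Key; Expected = $row.Value
            Actual = $current[$row.Key]; Status = $status
        }
    }
}

# Constructed sample data so the check runs without a vCenter connection.
$sampleRows = @'
RemoteDisplay.maxConnections,1
floppyX.present,FALSE
isolation.tools.getCreds.disable,TRUE
isolation.tools.autoInstall.disable,TRUE
'@ | ConvertFrom-Csv -Header Key,Value
$sampleExtraConfig = @(
    New-Object PSObject -Property @{ Key = 'RemoteDisplay.maxConnections'; Value = '2' }
    New-Object PSObject -Property @{ Key = 'isolation.tools.getCreds.disable'; Value = 'true' }
)

Test-VMProfileCompliance -ProfileRows $sampleRows -ExtraConfig $sampleExtraConfig |
    Select-Object Key, Expected, Actual, Status | Format-Table -AutoSize

# Against a live VM (after Connect-VIServer), feed the real data instead:
#   $rows = Import-Csv c:\powercli\profile3_Low.txt -Header Key,Value
#   Test-VMProfileCompliance -ProfileRows $rows -ExtraConfig (Get-VM "DEV-LINUX-01").ExtensionData.Config.ExtraConfig
```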