vSphere 5.0 Security Hardening Recommended VM Settings Check Script

#Uncomment if this SnapIn has not been added
#Add-PSSnapIn VMware.VimAutomation.Core


$a = “<style>”
$a = $a + “BODY{background-color:peachpuff;}”
$a = $a + “TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}”
$a = $a + “TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:thistle}”
$a = $a + “TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:palegoldenrod}”
$a = $a + “</style>”

$creds = Get-VICredentialStoreItem -file “C:\powercli\credfile.xml”
Connect-viserver -Server $creds.Host -User $creds.User -Password $creds.Password

function Get-VMAdvancedConfiguration {

    if ($key) {
        $VM | Foreach {
            $_.ExtensionData.Config.ExtraConfig | Select * -ExcludeProperty DynamicType, DynamicProperty | Where { $_.Key -eq $key }
    } Else {
        $VM | Foreach {
                $_.ExtensionData.Config.ExtraConfig | Select * -ExcludeProperty DynamicType, DynamicProperty

Get-VM | Get-VMAdvancedConfiguration | Where-Object {($_.Key -eq ‘nvram’) `
-or ($_.Key -eq ‘isolation.tools.ghi.autologon.disable’)`
-or ($_.Key -eq ‘isolation.bios.bbs.disable’)`
-or ($_.Key -eq ‘isolation.tools.hgfsServerSet.disable’)`
-or ($_.Key -eq ‘isolation.monitor.control.disable’)`
-or ($_.Key -eq ‘floppyX.present’)`
-or ($_.Key -eq ‘serialX.present’)`
-or ($_.Key -eq ‘parallelX.present’)`
-or ($_.Key -eq ‘usb.present’)`
-or ($_.Key -eq ‘ideX:Y.present’)`
-or ($_.Key -eq ‘isolation.tools.unity.push.update.disable’)`
-or ($_.Key -eq ‘isolation.tools.ghi.launchmenu.change’)`
-or ($_.Key -eq ‘isolation.tools.memSchedFakeSampleStats.disable’)`
-or ($_.Key -eq ‘isolation.tools.getCreds.disable’)`
-or ($_.Key -eq ‘scsiX:Y.mode’)`
-or ($_.Key -eq ‘isolation.tools.autoInstall.disable’)`
-or ($_.Key -eq ‘tools.guestlib.enableHostInfo’)`
-or ($_.Key -eq ‘RemoteDisplay.maxConnections’)}`
| ConvertTo-Html -Head $a `
-pre “<h3>vSphere 5.0 Security Hardening Recommended VM Settings</h3> `
<b>Security Profile 3(Low)</b> <P>Limit sharing of console connections (RemoteDisplay.maxConnections=2)</P> `
<b>Security Profile 2(Median)</b> <P>Limit sharing of console connections (RemoteDisplay.maxConnections=1)<br> `
Disconnect unauthorized devices (floppyX.present=FALSE, serialX.present=FALSE, parallelX.present=FALSE, usb.present=FALSE, ideX:Y.present=FALSE)<br> `
Disable certain unexposed features (isolation.tools.unity.push.update.disable=TRUE, isolation.tools.ghi.launchmenu.change=TRUE, isolation.tools.memSchedFakeSampleStats.disable=TRUE, isolation.tools.getCreds.disable=TRUE)<br> `
Avoid using independent nonpersistent disks (scsiX:Y.mode=independent nonpersistent)<br> `
Disable tools auto install (isolation.tools.autoInstall.disable=TRUE)<br> `
Dont send host information to guests (tools.guestlib.enableHostInfo=FALSE)</P> `
<b>Security Profile 1(High)</b> <P>Disable certain unexposed features (isolation.tools.ghi.autologon.disable=TRUE, isolation.bios.bbs.disable=TRUE)<br> `
Disable HGFS file transfers (isolation.tools.hgfsServerSet.disable=TRUE)<br> `
Disable VM Monitor Control (isolation.monitor.control.disable=TRUE)</P>” `
| Set-Content c:\powercli\vm_security.html

Invoke-Expression C:\powercli\vm_security.html


This is the report sample:



One thought on “vSphere 5.0 Security Hardening Recommended VM Settings Check Script

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s