PowerShell script for ESXi hardening

PowerCLI

With each new release of its hypervisor, VMware publishes a security hardening guide. It contains various best practices according to which customers should set up their environment. However, not all customers (that I know of) follow every best-practice step, sometimes because their environment doesn't allow them to make certain changes, or because hardening parameters conflict with their compliance policies. In either case, that piece of their infrastructure becomes a potential area of risk where vulnerabilities can be used to attack.

However, many things can be standardized using host profiles: admins deploy one ESXi host, make all the necessary configuration changes to it and export its Host Profile, so that going forward it can be applied to the next host joining the cluster, which is then good to go within no time. Most of the time this approach fits perfectly, until you have to make ad-hoc changes in your environment. If the environment is huge, then making sure that the changes are consistent and error-free becomes the top priority.

Scripting plays an important part at this point, and it can make the job easier and less time-consuming without compromising on the quality of work. Personally, I'm not a pure scripting guy, so I don't like lengthy scripts; however, if a few lines of code solve the purpose, then that is more than enough.

So here is the agenda, which came to me from one of our customers who wanted this set of tasks to be performed with PowerCLI/PowerShell, so I'll use the same reference here as well. They wanted a script which can do the following tasks for them:

  1. Stop (or start) the ESXi Shell, SSH & DCUI services on all ESXi hosts using a script
  2. Enable/Disable ESXi Lockdown mode
  3. Change the MacAddressChange, ForgedTransmit & PromiscuousMode settings to Reject on one of their standard vSwitches

Below is the script to perform these actions. Keep in mind that the placeholder values (shown in amber in the original post: the vCenter FQDN, username, password, cluster name and switch name) need to be replaced beforehand as per your environment details.

 

<#
.Notes
###################################################
Created by:                 Sidharth Swami
Organization:               VMware
Blog:                       vrealize.wordpress.com
Twitter:                    @sid_swami
###################################################
#>

Add-PSSnapin VMware.VimAutomation.Core -ErrorAction 'SilentlyContinue'
Connect-VIServer -Server vCenter_Server_FQDN -User Username -Password Password #Supply vCenter FQDN, Username & Password (or use -Credential (Get-Credential) so the password is not stored in the script)
$cluster = Get-VMHost -Location Cluster_Name | Sort-Object Name #Specify the Cluster Name on which this script is to run

# Task 1: stop the DCUI, ESXi Shell (TSM) and SSH (TSM-SSH) services on every host in the cluster
foreach ($esx in $cluster) {
    foreach ($key in "DCUI", "TSM", "TSM-SSH") {
        $svc = Get-VMHostService -VMHost $esx | Where-Object {$_.Key -eq $key}
        $svc | Set-VMHostService -Policy "off" -Confirm:$false #"off" keeps the service stopped after a reboot; use "on" together with Start-VMHostService if you want the service enabled instead
        $svc | Stop-VMHostService -Confirm:$false              #Replace with Start-VMHostService to start the service via script
    }
    Get-VMHost $esx | Set-VMHostAdvancedConfiguration -Name UserVars.SuppressShellWarning -Value 1 #Suppresses the "ESXi Shell is enabled" warning shown in the client
    Write-Host "Hardening completed on $esx" -ForegroundColor Green
}

# Task 3: set MAC address changes, forged transmits and promiscuous mode to Reject on the standard vSwitch of each host
foreach ($esx in $cluster) {
    Get-VirtualSwitch -VMHost $esx -Name "vSwitch0" | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false -ForgedTransmits $false -AllowPromiscuous $false #Specify on which vSwitch (Standard) this script will make changes
    #Port groups that override the vSwitch policy are not touched here; check them with Get-VirtualPortGroup | Get-SecurityPolicy
    Write-Host "vSwitch0 Security Configurations on $esx are changed to Reject" -ForegroundColor Green
}

# Task 2: enable lockdown mode last, so the hosts are fully configured before direct access to them is restricted
foreach ($esx in $cluster) {
    (Get-VMHost $esx | Get-View).EnterLockdownMode() #Replace with .ExitLockdownMode() if you wish this script to disable lockdown mode
    Write-Host "$esx ESXi host is in LockDown Mode" -ForegroundColor Green
}

In case your environment has a DVSwitch (Distributed Virtual Switch), replace the vSwitch block (Task 3) with the following lines; the rest of the script remains the same.

Add-PSSnapin VMware.VimAutomation.Vds -ErrorAction 'SilentlyContinue' #The VDS cmdlets live in this snap-in, which the Core snap-in does not load
# A distributed switch policy is defined once for all hosts, so no per-host loop is needed
Get-VDSwitch -Name "VDSwitch" | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false -ForgedTransmits $false -AllowPromiscuous $false #Specify on which VDSwitch this script will make changes
Write-Host "VDSwitch Security Configurations are changed to Reject" -ForegroundColor Green
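Changing settings across a cluster is only half the job; you also want to confirm that every host actually ended up in the intended state, and to spot drift later. The following read-only check is an added example and is not part of the original post or the author's script. It reports, per host, whether the Shell, SSH and DCUI services are stopped with their startup policy set to "off", whether lockdown mode is enabled, and whether the three security options on the standard vSwitch (and its port groups, which can override the switch policy) and on an optional distributed switch are set to Reject. It assumes PowerCLI is loaded and a vCenter session already exists; the cluster and switch names are placeholders to replace.

```powershell
<#
  Added example, not the author's code: read-only compliance check for the
  settings the hardening script changes. Run it before the script to see the
  starting point and afterwards to confirm the result on every host.
#>
param(
    [string]$ClusterName    = 'Cluster_Name',   # placeholder, replace
    [string]$StandardSwitch = 'vSwitch0',       # placeholder, replace
    [string]$VDSwitchName   = ''                # optional, leave empty if no VDS is used
)

$serviceKeys = 'TSM', 'TSM-SSH', 'DCUI'   # ESXi Shell, SSH and DCUI
$findings    = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$HostName, [string]$Check, [string]$Actual, [string]$Expected) {
    $findings.Add([pscustomobject]@{ Host = $HostName; Check = $Check; Actual = $Actual; Expected = $Expected })
}

# Compare a security policy object (standard switch, port group or VDS) with the Reject-everything baseline
function Test-SecurityPolicy([string]$HostName, [string]$Label, $Policy) {
    foreach ($option in 'MacChanges', 'ForgedTransmits', 'AllowPromiscuous') {
        if ($Policy.$option -ne $false) {
            Add-Finding $HostName "$Label $option" "$($Policy.$option)" 'False (Reject)'
        }
    }
}

foreach ($esx in Get-VMHost -Location $ClusterName | Sort-Object Name) {

    # 1. Shell, SSH and DCUI must be stopped and must not start again at boot
    foreach ($svc in Get-VMHostService -VMHost $esx | Where-Object { $serviceKeys -contains $_.Key }) {
        if ($svc.Running -or $svc.Policy -ne 'off') {
            Add-Finding $esx.Name "Service $($svc.Key)" "Running=$($svc.Running) Policy=$($svc.Policy)" 'Running=False Policy=off'
        }
    }

    # 2. Lockdown mode, read from the same HostSystem view that EnterLockdownMode() acts on
    if (-not $esx.ExtensionData.Config.AdminDisabled) {
        Add-Finding $esx.Name 'Lockdown mode' 'Disabled' 'Enabled'
    }

    # 3. Standard vSwitch policy on this host, plus any port group that overrides it
    $vss = Get-VirtualSwitch -VMHost $esx -Standard -Name $StandardSwitch -ErrorAction SilentlyContinue
    if ($vss) {
        Test-SecurityPolicy $esx.Name $StandardSwitch ($vss | Get-SecurityPolicy)
        foreach ($pg in $vss | Get-VirtualPortGroup) {
            Test-SecurityPolicy $esx.Name "$StandardSwitch/$($pg.Name)" ($pg | Get-SecurityPolicy)
        }
    } else {
        Add-Finding $esx.Name "vSwitch $StandardSwitch" 'Not found' 'Present'
    }
}

# 4. Distributed switch (optional): its policy is defined once for all hosts, so it is checked once
if ($VDSwitchName) {
    $vds = Get-VDSwitch -Name $VDSwitchName -ErrorAction SilentlyContinue
    if ($vds) { Test-SecurityPolicy '(all hosts)' $VDSwitchName ($vds | Get-VDSecurityPolicy) }
    else      { Add-Finding '(all hosts)' "VDSwitch $VDSwitchName" 'Not found' 'Present' }
}

if ($findings.Count -eq 0) {
    Write-Host "All hosts in $ClusterName match the hardening baseline" -ForegroundColor Green
} else {
    $findings | Format-Table -AutoSize   # one row per deviation: Host, Check, Actual, Expected
}
```

Save it as a .ps1 and run it after Connect-VIServer, e.g. `.\Check-EsxiHardening.ps1 -ClusterName Prod -StandardSwitch vSwitch0`. Because it only reads state, it is safe to schedule regularly; a non-empty table means a host or port group has drifted from what the hardening script set. The lockdown check uses the AdminDisabled property because that is what the script's EnterLockdownMode() call toggles; on vSphere 6.0 and later the Config.LockdownMode property additionally distinguishes normal from strict lockdown.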

 

With this I end this blog…. I hope it helps… till then Happy Reading.. 🙂
