ESXi6.5 Security Hardening Guide
OK, take a seat… this is going to be a long script! I have put together a menu system that reports on all ESXi 6.5 Security Hardening Guide (SHG) settings whose recommended value is NOT the DEFAULT. It only reads and displays the settings (plus a CSV export per check); it changes nothing. If you have made additional changes to your configuration you should still go through the entire SHG to ensure you are compliant.
Please see my updated guide for vSphere 7
This uses my usual variables, e.g.
$global:DCChoice – Datacenter
$global:CLUChoice – Cluster
It also expects $VCChoice (the vCenter server to connect to) and $global:FilePath (the folder the CSV exports are written to), and the 'Q' option hands back to TRF-Choice-Select-Cluster-Commands from my menu framework.
To run this, start the function TRF-Choice-65-SecurityGuide (the script also calls it on its last line).
Anyway… here we go
<code>
#########################################################################################
#########################################################################################
####################################Security Hardening###################################
#########################################################################################
#########################################################################################

#ESXi.audit-exception-users
function ESXi-audit-exception-users {
    # Prompt once for the host-local credentials. Get-Credential keeps the password as a
    # SecureString instead of echoing it to the console the way Read-Host would.
    $esxcred = Get-Credential -Message "Please enter ESXi local credentials (e.g. root)"
    #Ensure all connections are dropped.
    Disconnect-VIServer -Force -Server * -Confirm:$false
    # You may need to provide the username and password of your vCenter server below
    Connect-VIServer $VCChoice
    $esxihosts = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost
    foreach ($esxihost in $esxihosts) {
        Write-Host "Host is: " $esxihost
        Write-Host "Exception Users from vCenter"
        $myhost   = Get-VMHost $esxihost | Get-View
        $lockdown = Get-View $myhost.ConfigManager.HostAccessManager
        $LDusers  = $lockdown.QueryLockdownExceptions()
        Write-Host $LDusers
        # Connect to each ESXi host in the cluster to retrieve the list of local users.
        Write-Host "Connecting to: " $esxihost
        Connect-VIServer -Server $esxihost -Credential $esxcred
        #Loop through the list of Exception Users and check to see if they have accounts on
        #the ESXi server and if that account is an administrator account.
        foreach ($LDuser in $LDusers) {
            Write-Host "Get-VMHostAccount"
            $hostaccountname = Get-VMHostAccount -Id $LDuser -ErrorAction SilentlyContinue
            Write-Host "Check to see if user exists"
            if ($hostaccountname.Name) {
                Write-Host $hostaccountname.Name
                Write-Host "Get-VIPermission"
                $isadmin = Get-VIPermission -Principal $LDuser -ErrorAction SilentlyContinue | Where {$_.Role -eq "Admin"}
                Write-Host "Admin Role: " $isadmin.Role
                if ($isadmin.Role -eq "Admin") {
                    Write-Host "$LDuser is an Exception User with an Admin account on $esxihost"
                }
            }
        }
        # Disconnect from the host only after every exception user has been checked,
        # otherwise the second user is looked up against a closed session.
        Disconnect-VIServer -Server $esxihost.Name -Force -Confirm:$false
    }
    Write-Host "Connecting to vCenter"
    Connect-VIServer $VCChoice
}

#ESXi.Audit-SSH-Disable
function ESXi-Audit-SSH-Disable {
    foreach ($VMhost in (Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost)) {
        $ServiceList = Get-VMHostService -VMHost $VMhost
        $SSHservice  = $ServiceList | Where-Object {$_.Key -eq "TSM-SSH"}
        # The guideline wants the service stopped AND its startup policy set to off
        if ($SSHservice.Running -eq $true) {
            Write-Output "SSH Server on host $VMhost is running (startup policy: $($SSHservice.Policy))"
        } else {
            Write-Output "SSH Server on host $VMhost is Stopped (startup policy: $($SSHservice.Policy))"
        }
    }
    Write-Host "Unable to export CSV"
}

#ESXi.config-ntp
function ESXi-config-ntp {
    $ntp = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Select Name, @{N="NTPSetting";E={($_ | Get-VMHostNtpServer) -join ","}}
    $ntp
    $ntp | Export-Csv -Path "$global:FilePath\SHG65 NTP $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
    Write-Host "CSV Export Complete"
    Start-Sleep -Second 1
}

#ESXi.config-persistent-logs
function ESXi-config-persistent-logs {
    # A logDir of "[] /scratch/log" on a host whose scratch lives on a ramdisk is not persistent
    $logdir = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Select Name, @{N="Syslog.global.logDir";E={($_ | Get-AdvancedSetting -Name Syslog.global.logDir).Value}}
    $logdir
    $logdir | Export-Csv -Path "$global:FilePath\SHG65 Persistent Logs $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.config-snmp
function ESXi-config-snmp {
    Write-Host "List the SNMP Configuration of a host (single host connection required) Get-VMHostSnmp"
}

#ESXi.Disable-oldtls-protocols
function ESXi-Disable-oldtls-protocols {
    $tls = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-AdvancedSetting -Name UserVars.ESXiVPsDisabledProtocols | Select Entity, Name, Value
    $tls
    $tls | Export-Csv -Path "$global:FilePath\SHG65 Disabled Protocols $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.enable-ad-auth
function ESXi-enable-ad-auth {
    $adauth = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-VMHostAuthentication | Select VmHost, Domain, DomainMembershipStatus
    $adauth
    $adauth | Export-Csv -Path "$global:FilePath\SHG65 AD Auth $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.enable-auth-proxy
function ESXi-enable-auth-proxy {
    Write-Host "Only relevant if using Host Profiles"
}

#ESXi.enable-chap-auth
function ESXi-enable-chap-auth {
    $chap = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-VMHostHba | Where {$_.Type -eq "Iscsi"} |
        Select VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapName}}
    $chap
    $chap | Export-Csv -Path "$global:FilePath\SHG65 CHAP Auth $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.enable-normal-lockdown-mode
function ESXi-enable-normal-lockdown-mode {
    # Config.LockdownMode reports lockdownDisabled / lockdownNormal / lockdownStrict. The older
    # Config.AdminDisabled boolean cannot tell normal from strict, so it is not used here.
    $lockdown = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Select Name, @{N="Lockdown";E={$_.ExtensionData.Config.LockdownMode}}
    $lockdown
    $lockdown | Export-Csv -Path "$global:FilePath\SHG65 Normal Lockdown Mode $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.enable-remote-syslog
function ESXi-enable-remote-syslog {
    $syslog = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-AdvancedSetting -Name Syslog.global.logHost | Select Entity, Name, Value
    $syslog
    $syslog | Export-Csv -Path "$global:FilePath\SHG65 Remote Syslog $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.enable-strict-lockdown-mode
function ESXi-enable-strict-lockdown-mode {
    # Same property as the normal-mode check; a host passes this guideline only if it reports lockdownStrict
    $lockdown = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Select Name, @{N="Lockdown";E={$_.ExtensionData.Config.LockdownMode}}
    $lockdown
    $lockdown | Export-Csv -Path "$global:FilePath\SHG65 Strict Lockdown Mode $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.firewall-restrict-access
function ESXi-firewall-restrict-access {
    $rules = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-VMHostFirewallException | Where {$_.Enabled}
    # Enabled services already restricted to specific source addresses
    $restricted = $rules | Where {-not $_.ExtensionData.AllowedHosts.AllIP}
    $restricted
    $restricted | Export-Csv -Path "$global:FilePath\SHG65 Firewall Access locked down ports $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
    # Enabled services open to any source address: these are the ones the guideline wants restricted
    $open = $rules | Where {$_.ExtensionData.AllowedHosts.AllIP}
    $open
    $open | Export-Csv -Path "$global:FilePath\SHG65 Firewall access open ports $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.set-account-auto-unlock-time
function ESXi-set-account-auto-unlock-time {
    $unlock = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-AdvancedSetting -Name Security.AccountUnlockTime | Select Entity, Name, Value
    $unlock
    $unlock | Export-Csv -Path "$global:FilePath\SHG65 Account unlock-time $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.set-account-lockout
function ESXi-set-account-lockout {
    $lockout = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-AdvancedSetting -Name Security.AccountLockFailures | Select Entity, Name, Value
    $lockout
    $lockout | Export-Csv -Path "$global:FilePath\SHG65 Login attempts $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.set-dcui-access
function ESXi-set-dcui-access {
    $dcui = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-AdvancedSetting -Name DCUI.Access | Select Entity, Name, Value
    $dcui
    $dcui | Export-Csv -Path "$global:FilePath\SHG65 DCUI Access $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.set-password-policies
function ESXi-set-password-policies {
    $pwpolicy = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-AdvancedSetting -Name Security.PasswordQualityControl | Select Entity, Name, Value
    $pwpolicy
    $pwpolicy | Export-Csv -Path "$global:FilePath\SHG65 Password Policy $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.set-shell-interactive-timeout
function ESXi-set-shell-interactive-timeout {
    $timeout = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Select Entity, Name, Value
    $timeout
    $timeout | Export-Csv -Path "$global:FilePath\SHG65 Interactive Timeout $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.set-shell-timeout
function ESXi-set-shell-timeout {
    $timeout = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Select Entity, Name, Value
    $timeout
    $timeout | Export-Csv -Path "$global:FilePath\SHG65 Shell Timeout $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#ESXi.verify-acceptance-level-supported
function ESXi-verify-acceptance-level-supported {
    Write-Host "Pending...."
}

# The VM isolation checks below list only VMs where the key is explicitly set to false.
# Get-AdvancedSetting returns nothing for a key that was never written to the VMX, so a VM
# with the key absent (feature still enabled) will not appear in this output.

#VM.disable-console-drag-n-drop
function VM-disable-console-drag-n-drop {
    $dnd = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM |
        Get-AdvancedSetting -Name "isolation.tools.dnd.disable" | Where {$_.Value -eq "false"} | Select Entity, Name, Value
    $dnd
    $dnd | Export-Csv -Path "$global:FilePath\SHG65 DnD $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.disable-disk-shrinking-shrink
function VM-disable-disk-shrinking-shrink {
    $shrink = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM |
        Get-AdvancedSetting -Name "isolation.tools.diskShrink.disable" | Where {$_.Value -eq "false"} | Select Entity, Name, Value
    $shrink
    $shrink | Export-Csv -Path "$global:FilePath\SHG65 shrinking shrink $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.disable-disk-shrinking-wiper
function VM-disable-disk-shrinking-wiper {
    $wiper = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM |
        Get-AdvancedSetting -Name "isolation.tools.diskWiper.disable" | Where {$_.Value -eq "false"} | Select Entity, Name, Value
    $wiper
    $wiper | Export-Csv -Path "$global:FilePath\SHG65 disk shrinking wiper $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.disable-independent-nonpersistent
function VM-disable-independent-nonpersistent {
    $disks = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM |
        Get-HardDisk | Where {$_.Persistence -ne "Persistent"} | Select Parent, Name, Filename, DiskType, Persistence
    $disks
    $disks | Export-Csv -Path "$global:FilePath\SHG65 independent nonpersistent $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.disable-unexposed-features-memsfss
function VM-disable-unexposed-features-memsfss {
    $memsfss = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM |
        Get-AdvancedSetting -Name "isolation.tools.memSchedFakeSampleStats.disable" | Where {$_.Value -eq "false"} | Select Entity, Name, Value
    $memsfss
    $memsfss | Export-Csv -Path "$global:FilePath\SHG65 unexposed-features-memsfss $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.disable-unexposed-features-unity-unityactive
function VM-disable-unexposed-features-unity-unityactive {
    $unity = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM |
        Get-AdvancedSetting -Name "isolation.tools.unityActive.disable" | Where {$_.Value -eq "false"} | Select Entity, Name, Value
    $unity
    $unity | Export-Csv -Path "$global:FilePath\SHG65 unexposed-features-unity $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.disable-unexposed-features-versionget
function VM-disable-unexposed-features-versionget {
    $versionget = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM |
        Get-AdvancedSetting -Name "isolation.tools.vmxDnDVersionGet.disable" | Where {$_.Value -eq "false"} | Select Entity, Name, Value
    $versionget
    $versionget | Export-Csv -Path "$global:FilePath\SHG65 unexposed-features-versionget $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.disable-unexposed-features-versionset
function VM-disable-unexposed-features-versionset {
    $versionset = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM |
        Get-AdvancedSetting -Name "isolation.tools.guestDnDVersionSet.disable" | Where {$_.Value -eq "false"} | Select Entity, Name, Value
    $versionset
    $versionset | Export-Csv -Path "$global:FilePath\SHG65 unexposed-features-versionset $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.disconnect-devices-floppy
function VM-disconnect-devices-floppy {
    $floppy = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM |
        Get-FloppyDrive | Select Parent, Name, ConnectionState
    $floppy
    $floppy | Export-Csv -Path "$global:FilePath\SHG65 disconnect-devices-floppy $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.disconnect-devices-parallel
function VM-disconnect-devices-parallel {
    $parallel = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-ParallelPort
    $parallel
    $parallel | Export-Csv -Path "$global:FilePath\SHG65 disconnect-devices-parallel $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.disconnect-devices-serial
function VM-disconnect-devices-serial {
    $serial = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-SerialPort
    $serial
    $serial | Export-Csv -Path "$global:FilePath\SHG65 disconnect-devices-serial $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.Enable-VGA-Only-Mode
function VM-Enable-VGA-Only-Mode {
    Write-Host "Pending...."
}

#VM.TransparentPageSharing-inter-VM-Enabled
function VM-TransparentPageSharing-inter-VM-Enabled {
    $tps = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-AdvancedSetting -Name "Mem.ShareForceSalting" | Select Entity, Name, Value
    $tps
    $tps | Export-Csv -Path "$global:FilePath\SHG65 TransparentPageSharing-inter-VM-Enabled $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#VM.verify-network-filter
function VM-verify-network-filter {
    $filters = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM |
        Get-AdvancedSetting -Name "ethernet*.filter*.name*" | Select Entity, Name, Value
    $filters
    $filters | Export-Csv -Path "$global:FilePath\SHG65 verify-network-filter $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#vNetwork.enable-bpdu-filter
function vNetwork-enable-bpdu-filter {
    $bpdu = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost |
        Get-AdvancedSetting -Name Net.BlockGuestBPDU | Select Entity, Name, Value
    $bpdu
    $bpdu | Export-Csv -Path "$global:FilePath\SHG65 enable-bpdu-filter $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#vNetwork.reject-forged-transmit-StandardSwitch
function vNetwork-reject-forged-transmit-StandardSwitch {
    # Scoped to the selected cluster's hosts and to standard switches only; the returned policy
    # objects carry ForgedTransmits together with MacChanges and AllowPromiscuous.
    $vsshosts  = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost
    $vsspolicy = $vsshosts | Get-VirtualSwitch -Standard | Get-SecurityPolicy
    $vsspolicy
    $vsspolicy | Export-Csv -Path "$global:FilePath\SHG65 vS SecurityPolicy $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
    $pgpolicy = $vsshosts | Get-VirtualSwitch -Standard | Get-VirtualPortGroup | Get-SecurityPolicy
    $pgpolicy
    $pgpolicy | Export-Csv -Path "$global:FilePath\SHG65 vPG SecurityPolicy $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
}

#vNetwork.restrict-netflow-usage
function vNetwork-restrict-netflow-usage {
    Write-Host "Pending...."
}

function TRF-Select-returnmenu {
    param (
        [string]$Title = 'Select Another Guideline'
    )
    Write-Host "================ $Title ================"
    Write-Host "1: Select Another Guideline"
    Write-Host "Q: Press 'Q' to quit"
}

function TRF-Choice-SHG65 {
    TRF-Select-returnmenu -Title 'Please make a selection'
    $selection = Read-Host "Please make a selection"
    switch ($selection) {
        '1' { 'You chose Select Another Guideline'; TRF-Choice-65-SecurityGuide }
        'q' { Write-Host "Goodbye"; Start-Sleep -Second 2; Exit }
    }
}

# Guideline IDs in menu order. Each one maps to the function of the same name with the '.'
# replaced by '-' (e.g. ESXi.audit-exception-users runs ESXi-audit-exception-users), which is
# what the menu below relies on instead of a 37-branch switch.
$global:SHG65Checks = @(
    'ESXi.audit-exception-users',
    'ESXi.Audit-SSH-Disable',
    'ESXi.config-ntp',
    'ESXi.config-persistent-logs',
    'ESXi.config-snmp',
    'ESXi.Disable-oldtls-protocols',
    'ESXi.enable-ad-auth',
    'ESXi.enable-auth-proxy',
    'ESXi.enable-chap-auth',
    'ESXi.enable-normal-lockdown-mode',
    'ESXi.enable-remote-syslog',
    'ESXi.enable-strict-lockdown-mode',
    'ESXi.firewall-restrict-access',
    'ESXi.set-account-auto-unlock-time',
    'ESXi.set-account-lockout',
    'ESXi.set-dcui-access',
    'ESXi.set-password-policies',
    'ESXi.set-shell-interactive-timeout',
    'ESXi.set-shell-timeout',
    'ESXi.verify-acceptance-level-supported',
    'VM.disable-console-drag-n-drop',
    'VM.disable-disk-shrinking-shrink',
    'VM.disable-disk-shrinking-wiper',
    'VM.disable-independent-nonpersistent',
    'VM.disable-unexposed-features-memsfss',
    'VM.disable-unexposed-features-unity-unityactive',
    'VM.disable-unexposed-features-versionget',
    'VM.disable-unexposed-features-versionset',
    'VM.disconnect-devices-floppy',
    'VM.disconnect-devices-parallel',
    'VM.disconnect-devices-serial',
    'VM.Enable-VGA-Only-Mode',
    'VM.TransparentPageSharing-inter-VM-Enabled',
    'VM.verify-network-filter',
    'vNetwork.enable-bpdu-filter',
    'vNetwork.reject-forged-transmit-StandardSwitch',
    'vNetwork.restrict-netflow-usage'
)

#Security Guide Menu
function TRF-65-SecurityGuide {
    param (
        [string]$Title = 'Select Guideline ID'
    )
    Clear-Host
    Write-Host
    Write-Host " ================ $Title ================" -ForegroundColor green
    Write-Host
    for ($i = 0; $i -lt $global:SHG65Checks.Count; $i++) {
        Write-Host (" {0,2}: {1}" -f ($i + 1), $global:SHG65Checks[$i])
    }
    Write-Host
    Write-Host " Q: Press 'Q' to return to the previous menu." -ForegroundColor yellow
}

#Security Guide Choice
function TRF-Choice-65-SecurityGuide {
    TRF-65-SecurityGuide -Title 'Select Check'
    $selection = Read-Host " Please make a selection"
    if ($selection -eq 'Q') {
        'You chose to go back'
        Clear-Host
        TRF-Choice-Select-Cluster-Commands
        return
    }
    $index = 0
    if ([int]::TryParse($selection, [ref]$index) -and $index -ge 1 -and $index -le $global:SHG65Checks.Count) {
        $check = $global:SHG65Checks[$index - 1]
        "You chose $check"
        & ($check -replace '\.', '-')
        Write-Host -NoNewLine " Press any key to continue..."
        $null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')
    }
    # Any other input simply redraws the menu
    TRF-Choice-65-SecurityGuide
}

Clear-Host
#########################################################################################
#########################################################################################
#########################################################################################
#########################################################################################
TRF-Choice-65-SecurityGuide
</code>
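One gap in the VM checks above is worth closing: `Get-AdvancedSetting` returns nothing for an `isolation.tools.*` key that was never written to the VMX, so a VM that has never been hardened (key absent, feature still enabled) passes the `-eq "false"` filter silently. The function below is an added example, not part of the original script, that treats an absent key as non-compliant. It assumes an existing PowerCLI session and the same `$global:DCChoice`, `$global:CLUChoice` and `$global:FilePath` variables; the function name `Get-VMIsolationCompliance` is my own.

```powershell
# Added example (not from the original post): report the SHG VM isolation keys per VM and treat
# a missing key as non-compliant. Only an explicit TRUE disables the feature; FALSE or absent
# leaves it enabled. Assumes a connected PowerCLI session and the post's $global:* variables.
function Get-VMIsolationCompliance {
    param (
        [string[]]$Keys = @(
            'isolation.tools.dnd.disable',
            'isolation.tools.diskShrink.disable',
            'isolation.tools.diskWiper.disable',
            'isolation.tools.memSchedFakeSampleStats.disable',
            'isolation.tools.unityActive.disable',
            'isolation.tools.vmxDnDVersionGet.disable',
            'isolation.tools.guestDnDVersionSet.disable'
        )
    )
    $vms = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM
    foreach ($vm in $vms) {
        # One wildcard call per VM fetches every isolation.tools.* key that is actually set
        $present = @{}
        Get-AdvancedSetting -Entity $vm -Name 'isolation.tools.*' |
            ForEach-Object { $present[$_.Name] = [string]$_.Value }
        foreach ($key in $Keys) {
            $value = if ($present.ContainsKey($key)) { $present[$key] } else { 'NOT SET' }
            [pscustomobject]@{
                VM        = $vm.Name
                Setting   = $key
                Value     = $value
                Compliant = ($value -eq 'true')   # absent or FALSE both fail
            }
        }
    }
}

# Usage: show what needs attention on screen, export the full picture to CSV
$isolation = Get-VMIsolationCompliance
$isolation | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
$isolation | Export-Csv -Path "$global:FilePath\SHG65 VM isolation compliance $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
```

Pulling all `isolation.tools.*` keys in one call per VM rather than one call per key keeps the round trips to vCenter down to one per VM, which matters once the cluster holds a few hundred VMs.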
As a side note, I noticed there were more than a couple of errors in the SHG's sample code, so make sure you check the sample code before running it.
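Because the SHG sample code cannot be taken on trust, it also helps to state the expected value for each host setting explicitly and have the script say compliant or not, rather than only dumping values for a human to compare. The block below is an added example, not part of the original script. The expected values are my reading of the ESXi 6.5 SHG and are assumptions to verify against your copy of the guide before relying on them; `Test-SHG65HostSettings` and `$global:SHG65HostExpectations` are my own names, and the same `$global:DCChoice` / `$global:CLUChoice` variables are assumed.

```powershell
# Added example (not from the original post): compare host advanced settings with an expected
# value per guideline. The expectations are ASSUMPTIONS based on my reading of the ESXi 6.5 SHG;
# check them against your copy of the guide and adjust to your risk profile.
$global:SHG65HostExpectations = @(
    @{ Id='ESXi.set-account-lockout';           Name='Security.AccountLockFailures';         Test={ param($v) [int]$v -gt 0 -and [int]$v -le 5 } },
    @{ Id='ESXi.set-account-auto-unlock-time';  Name='Security.AccountUnlockTime';           Test={ param($v) [int]$v -ge 900 } },
    @{ Id='ESXi.set-shell-interactive-timeout'; Name='UserVars.ESXiShellInteractiveTimeOut'; Test={ param($v) [int]$v -gt 0 -and [int]$v -le 900 } },
    @{ Id='ESXi.set-shell-timeout';             Name='UserVars.ESXiShellTimeOut';            Test={ param($v) [int]$v -gt 0 -and [int]$v -le 900 } },
    @{ Id='ESXi.set-dcui-access';               Name='DCUI.Access';                          Test={ param($v) $v -eq 'root' } },
    @{ Id='ESXi.Disable-oldtls-protocols';      Name='UserVars.ESXiVPsDisabledProtocols';
       Test={ param($v) $p = ($v -split ',').Trim(); ($p -contains 'sslv3') -and ($p -contains 'tlsv1') -and ($p -contains 'tlsv1.1') } },
    @{ Id='ESXi.enable-remote-syslog';          Name='Syslog.global.logHost';                Test={ param($v) -not [string]::IsNullOrWhiteSpace($v) } },
    # Heuristic: a persistent logDir names a datastore in the brackets, e.g. "[datastore1] /logs";
    # "[] /scratch/log" means the host-local scratch location, which may be a ramdisk
    @{ Id='ESXi.config-persistent-logs';        Name='Syslog.global.logDir';                 Test={ param($v) $v -match '^\[[^\]]+\]' } },
    @{ Id='vNetwork.enable-bpdu-filter';        Name='Net.BlockGuestBPDU';                   Test={ param($v) [int]$v -eq 1 } },
    @{ Id='VM.TransparentPageSharing-inter-VM-Enabled'; Name='Mem.ShareForceSalting';        Test={ param($v) [int]$v -eq 2 } }
)

function Test-SHG65HostSettings {
    $vmhosts = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost
    foreach ($h in $vmhosts) {
        # One round trip per host: pull every advanced setting once, then evaluate locally
        $settings = @{}
        Get-AdvancedSetting -Entity $h | ForEach-Object { $settings[$_.Name] = $_.Value }
        foreach ($e in $global:SHG65HostExpectations) {
            $value = $settings[$e.Name]
            $ok = $false
            # A setting that does not exist on this host build is reported as non-compliant
            if ($null -ne $value) { $ok = [bool](& $e.Test $value) }
            [pscustomobject]@{
                VMHost    = $h.Name
                Guideline = $e.Id
                Setting   = $e.Name
                Value     = $value
                Compliant = $ok
            }
        }
    }
}

# Usage: failures on screen, everything to CSV for the audit trail
$hostresults = Test-SHG65HostSettings
$hostresults | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
$hostresults | Export-Csv -Path "$global:FilePath\SHG65 Host compliance $(Get-Date -f yyyy-MM-dd-HHmm).csv" -NoTypeInformation
```

Keeping the expectations in a table separate from the evaluation loop means the next SHG revision, or a site-specific deviation such as a longer shell timeout, is a one-line change rather than a new function.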
Hello Tony,
THANKS A LOT !
Exactly WHAT I WAS LOOKING FOR 🙂
Laurent
Hi Laurent!
I’m glad it was useful, I’m hoping to put together a more comprehensive script soon that covers even default values
Thanks
Great post!
This will just check to see if those items are set right? This won’t actually change anything, correct?
Thanks!
Hi Bryan
That’s correct, these will only check the settings and display them. If you need any more info, feel free to drop me a dm on Twitter @T180985