ESXi6.5 Security Hardening Guide

ESXi6.5 Security Hardening Guide

OK, take a seat… this is going to be a long script! I have put together a menu system that will report on all ESXi6.5 Security Hardening Guide settings that are NOT DEFAULT, if you have made additional changes to your configuration you should go through the entire SHG to ensure you are compliant.

Please see my updated guide for vSphere 7

This is using my usual variables e.g.

$global:DCChoice – Datacenter
$global:CLUChoice – Cluster


To run this, you need to start function VPF-Choice-65-SecurityGuide

Anyway… here we go

<code>#########################################################################################
#########################################################################################
####################################Security Hardening###################################
#########################################################################################
#########################################################################################

#ESXi.audit-exception-users
function ESXi-audit-exception-users
{
$esxusername = Read-Host "Please enter ESXi username"
$esxpassword = Read-Host "Please enter ESXi password"

#Ensure all connections are dropped.
Disconnect-VIServer -Force -server * -Confirm:$false

# You may need to provide the username and password of your vCenter server below
connect-viserver $VCChoice
$esxihosts =  Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | get-vmhost

foreach ($esxihost in $esxihosts)
{
Write-Host "Host is: " $esxihost
Write-host "Exception Users from vCenter"
$myhost = Get-VMHost $esxihost | Get-View
$lockdown = Get-View $myhost.ConfigManager.HostAccessManager
$LDusers = $lockdown.QueryLockdownExceptions()
Write-host $LDusers
#
# Connect to each ESXi host in the cluster to retrieve the list of local users.
Write-Host "Lockdown user: " $LDuser
    Write-host "Connecting to: " $esxihost
    Connect-VIServer -Server $esxihost -user $esxusername -Password $esxpassword

#Loop through the list of Exception Users and check to see if they have accounts on
#the ESXi server and if that account in an administrator account.
foreach ($LDuser in $LDusers)
    {

    Write-host "Get-vmhostaccount"
    $hostaccountname = get-vmhostaccount   -ErrorAction SilentlyContinue  $LDuser
    write-host "Check to see if user exists"
    if ($hostaccountname.Name)
    {Write-Host $hostaccountname.Name
        Write-Host "Get-VIPermission"
        $isadmin = Get-VIPermission -Principal $LDuser -ErrorAction SilentlyContinue | Where {$_.Role –eq “Admin”} 
        Write-host "Admin Role: " $isadmin.Role
        if ($isadmin.Role -eq "Admin") {Write-Host $LDuser is an "Exception User with Admin accounts on " $esxihost}
        }
     Disconnect-VIServer -Server $global:DefaultVIServer -Force  -Confirm:$false
    
    } 
} 
Write-Host "Connecting to vCenter"
connect-viserver $VCChoice
}

#ESXi.Audit-SSH-Disable
function ESXi-Audit-SSH-Disable
{
foreach ($VMhost in ($esxihosts = Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-vmhost))
{
$ServiceList = Get-VMHostService -VMhost $VMhost
$SSHservice = $ServiceList | Where-Object {$_.Key -eq "TSM-SSH"}
If ($SSHservice.Running -eq $true) {Write-Output "SSH Server on host $VMhost is running"}
else {Write-Output "SSH Server on host $VMhost is Stopped"}
}
}
Write-Host "Unable to export CSV" 

#ESXi.config-ntp
function ESXi-config-ntp
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-vmhost | Select Name, @{N="NTPSetting";E={$_ | Get-VMHostNtpServer}}
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-vmhost | Select Name, @{N="NTPSetting";E={$_ | Get-VMHostNtpServer}} | export-csv -path "$global:FilePath\SHG65 NTP $(get-date -f yyyy-MM-dd-hhmm).csv"
Write-Host "CSV Export Complete" 
Start-Sleep -Second 1
}

#ESXi.config-persistent-logs
function ESXi-config-persistent-logs
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-vmhost | Select Name, @{N="Syslog.global.logDir";E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logDir | Select -ExpandProperty Values}}
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-vmhost | Select Name, @{N="Syslog.global.logDir";E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logDir | Select -ExpandProperty Values}} | export-csv -path "$global:FilePath\SHG65 Persistent Logs $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.config-snmp
function ESXi-config-snmp
{
Write-Host "List the SNMP Configuration of a host (single host connection required) Get-VMHostSnmp"
}

#ESXi.Disable-oldtls-protocols
function ESXi-Disable-oldtls-protocols
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-vmhost | Get-AdvancedSetting -Name UserVars.ESXiVPsDisabledProtocols | Select Entity, Name, Value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-vmhost | Get-AdvancedSetting -Name UserVars.ESXiVPsDisabledProtocols | Select Entity, Name, Value | export-csv -path "$global:FilePath\SHG65 Disabled Protocols $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.enable-ad-auth
function ESXi-enable-ad-auth
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-VMHostAuthentication | Select VmHost, Domain, DomainMembershipStatus
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-VMHostAuthentication | Select VmHost, Domain, DomainMembershipStatus | export-csv -path "$global:FilePath\SHG65 AD Auth $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.enable-auth-proxy
function ESXi-enable-auth-proxy
{
Write-Host "Only relevent if using Host profiles"
}

#ESXi.enable-chap-auth
function ESXi-enable-chap-auth
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapName}}
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapName}} | export-csv -path "$global:FilePath\SHG65 CHAP Auth $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.enable-normal-lockdown-mode
function ESXi-enable-normal-lockdown-mode
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.adminDisabled}}
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.adminDisabled}} | export-csv -path "$global:FilePath\SHG65 Normal Lockdown Mode $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.enable-remote-syslog
function ESXi-enable-remote-syslog
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | select entity, name, value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | select entity, name, value | export-csv -path "$global:FilePath\SHG65 Disabled Protocols $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.enable-strict-lockdown-mode
function ESXi-enable-strict-lockdown-mode
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.adminDisabled}}
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.adminDisabled}} | export-csv -path "$global:FilePath\SHG65 Strict Lockdown Mode $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.firewall-restrict-access
function ESXi-firewall-restrict-access
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost  | Get-VMHostFirewallException | Where {$_.Enabled -and (-not $_.ExtensionData.AllowedHosts.AllIP)} 
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost  | Get-VMHostFirewallException | Where {$_.Enabled -and (-not $_.ExtensionData.AllowedHosts.AllIP)} | export-csv -path "$global:FilePath\SHG65 Firewall Access locked down ports $(get-date -f yyyy-MM-dd-hhmm).csv"
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost  | Get-VMHostFirewallException | Where {$_.Enabled -and ($_.ExtensionData.AllowedHosts.AllIP)}
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost  | Get-VMHostFirewallException | Where {$_.Enabled -and ($_.ExtensionData.AllowedHosts.AllIP)} | export-csv -path "$global:FilePath\SHG65 Firewall access open ports $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.set-account-auto-unlock-time
function ESXi-set-account-auto-unlock-time
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | export-csv -path "$global:FilePath\SHG65 Account unlock-time $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.set-account-lockout
function ESXi-set-account-lockout
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | select entity, name, value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | select entity, name, value | export-csv -path "$global:FilePath\SHG65 Login attempts $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.set-dcui-access
function ESXi-set-dcui-access
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | select entity, name, value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | select entity, name, value | export-csv -path "$global:FilePath\SHG65 DCUI Access $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.set-password-policies
function ESXi-set-password-policies
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | select entity, name, value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | select entity, name, value | export-csv -path "$global:FilePath\SHG65 Password Policy $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.set-shell-interactive-timeout
function ESXi-set-shell-interactive-timeout
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | select entity, name, value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | select entity, name, value | export-csv -path "$global:FilePath\SHG65 Interactive Timeout $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.set-shell-timeout
function ESXi-set-shell-timeout
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | select entity, name, value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | select entity, name, value | export-csv -path "$global:FilePath\SHG65 Shell Timeout $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#ESXi.verify-acceptance-level-supported
function ESXi-verify-acceptance-level-supported
{
Write-Host "Pending...."
}

#VM.disable-console-drag-n-drop
function VM-disable-console-drag-n-drop
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.dnd.disable" | where {$_.value –eq “false”} | Select Entity, Name, Value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.dnd.disable" | where {$_.value –eq “false”} | Select Entity, Name, Value | export-csv -path "$global:FilePath\SHG65 DnD $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#VM.disable-disk-shrinking-shrink
function VM-disable-disk-shrinking-shrink
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.diskShrink.disable" | where {$_.value –eq “false”} | Select Entity, Name, Value 
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.diskShrink.disable" | where {$_.value –eq “false”} | Select Entity, Name, Value | export-csv -path "$global:FilePath\SHG65 shrinking shrink $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#VM.disable-disk-shrinking-wiper
function VM-disable-disk-shrinking-wiper
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.diskWiper.disable" | where {$_.value –eq “false”} | Select Entity, Name, Value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.diskWiper.disable" | where {$_.value –eq “false”} | Select Entity, Name, Value | export-csv -path "$global:FilePath\SHG65 disk shrinking wiper $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#VM.disable-independent-nonpersistent
function VM-disable-independent-nonpersistent
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-HardDisk | where {$_.Persistence –ne “Persistent”} | Select Parent, Name, Filename, DiskType, Persistence
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-HardDisk | where {$_.Persistence –ne “Persistent”} | Select Parent, Name, Filename, DiskType, Persistence | export-csv -path "$global:FilePath\SHG65 independent nonpersistent $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#VM.disable-unexposed-features-memsfss
function VM-disable-unexposed-features-memsfss
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.memSchedFakeSampleStats.disable" | where {$_.Value –eq “False”} |  Select Entity, Name, Value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.memSchedFakeSampleStats.disable" | where {$_.Value –eq “False”} |  Select Entity, Name, Value
}

#VM.disable-unexposed-features-unity-unityactive
function VM-disable-unexposed-features-unity-unityactive
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.unityActive.disable" | where {$_.Value –eq “False”} |  Select Entity, Name, Value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.unityActive.disable" | where {$_.Value –eq “False”} |  Select Entity, Name, Value | export-csv -path "$global:FilePath\SHG65 unexposed-features-unity $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#VM.disable-unexposed-features-versionget
function VM-disable-unexposed-features-versionget
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.vmxDnDVersionGet.disable"| where {$_.Value –eq “False”} | Select Entity, Name, Value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.vmxDnDVersionGet.disable"| where {$_.Value –eq “False”} | Select Entity, Name, Value | export-csv -path "$global:FilePath\SHG65 unexposed-features-versionget $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#VM.disable-unexposed-features-versionset
function VM-disable-unexposed-features-versionset
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.guestDnDVersionSet.disable"| where {$_.Value –eq “False”} |  Select Entity, Name, Value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name "isolation.tools.guestDnDVersionSet.disable"| where {$_.Value –eq “False”} |  Select Entity, Name, Value | export-csv -path "$global:FilePath\SHG65 unexposed-features-versionset $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#VM.disconnect-devices-floppy
function VM-disconnect-devices-floppy
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-FloppyDrive | Select Parent, Name, ConnectionState
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-FloppyDrive | Select Parent, Name, ConnectionState | export-csv -path "$global:FilePath\SHG65 disconnect-devices-floppy $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#VM.disconnect-devices-parallel
function VM-disconnect-devices-parallel
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-ParallelPort
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-ParallelPort | export-csv -path "$global:FilePath\SHG65 disconnect-devices-parallel $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#VM.disconnect-devices-serial
function VM-disconnect-devices-serial
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-SerialPort
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-SerialPort | export-csv -path "$global:FilePath\SHG65 disconnect-devices-serial $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#VM.Enable-VGA-Only-Mode
function VM-Enable-VGA-Only-Mode
{
Write-Host "Pending...."
}

#VM.TransparentPageSharing-inter-VM-Enabled
function VM-TransparentPageSharing-inter-VM-Enabled
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name "Mem.ShareForceSalting"
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name "Mem.ShareForceSalting" | export-csv -path "$global:FilePath\SHG65 TransparentPageSharing-inter-VM-Enabled $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#VM.VM.verify-network-filter
function VM-verify-network-filter
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name  "ethernet*.filter*.name*" | Select Entity, Name, Value
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VM | Get-AdvancedSetting -Name  "ethernet*.filter*.name*" | Select Entity, Name, Value | export-csv -path "$global:FilePath\SHG65 verify-network-filter $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#vNetwork.enable-bpdu-filter
function vNetwork-enable-bpdu-filter
{
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU
Get-Datacenter $global:DCChoice | Get-Cluster $global:CLUChoice | Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | export-csv -path "$global:FilePath\SHG65 enable-bpdu-filter $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#vNetwork.reject-forged-transmit-StandardSwitch
function vNetwork-reject-forged-transmit-StandardSwitch
{
Get-VirtualSwitch | Get-SecurityPolicy
Get-VirtualSwitch | Get-SecurityPolicy | export-csv -path "$global:FilePath\SHG65 vS SecurityPolicy $(get-date -f yyyy-MM-dd-hhmm).csv"
Get-VirtualPortGroup | Get-SecurityPolicy
Get-VirtualPortGroup | Get-SecurityPolicy | export-csv -path "$global:FilePath\SHG65 vPG SecurityPolicy $(get-date -f yyyy-MM-dd-hhmm).csv"
}

#vNetwork.restrict-netflow-usage
function vNetwork-restrict-netflow-usage
{
Write-Host "Pending...."
}

function TRF-Select-returnmenu
{
    param (
        &#91;string]$ReturnMenu = 'Select Another Guideline'
    )
    Write-Host "================ $ReturnMenu ================"
    
    Write-Host "1: Select Another Guideline"
	Write-Host "Q: Press 'Q' to quit"
}
function TRF-Choice-SHG65
{
TRF-Select-returnmenu –Title 'Please make a selection'
 $selection = Read-Host "Please make a selection"
 switch ($selection)
  {
     '1' {
         'You chose Select Another Guideline'
		 TRF-Choice-65-SecurityGuide
     } 'q' {
	 	 Write-Host "Goodbye"
		 Start-Sleep -Second 2
		 Exit
     }
  }
 }

#Security Guide Menu
function TRF-65-SecurityGuide
{
    param (
        &#91;string]$65SecurityGuide = 'Select Guideline ID' 
    )
    Clear-Host
    Write-Host
	Write-Host " ================ $65SecurityGuide ================" -ForegroundColor green
    Write-Host
    Write-Host " 1:  ESXi.audit-exception-users"
    Write-Host " 2:  ESXi.Audit-SSH-Disable"
    Write-Host " 3:  ESXi.config-ntp"
	Write-Host " 4:  ESXi.config-persistent-logs"
	Write-Host " 5:  ESXi.config-snmp"
	Write-Host " 6:  ESXi.Disable-oldtls-protocols"
	Write-Host " 7:  ESXi.enable-ad-auth"
	Write-Host " 8:  ESXi.enable-auth-proxy"
	Write-Host " 9:  ESXi.enable-chap-auth"
	Write-Host " 10: ESXi.enable-normal-lockdown-mode"
	Write-Host " 11: ESXi.enable-remote-syslog"
	Write-Host " 12: ESXi.enable-strict-lockdown-mode"
	Write-Host " 13: ESXi.firewall-restrict-access"
	Write-Host " 14: ESXi.set-account-auto-unlock-time"
	Write-Host " 15: ESXi.set-account-lockout"
	Write-Host " 16: ESXi.set-dcui-access"
	Write-Host " 17: ESXi.set-password-policies"
	Write-Host " 18: ESXi.set-shell-interactive-timeout"
	Write-Host " 19: ESXi.set-shell-timeout"
	Write-Host " 20: ESXi.verify-acceptance-level-supported"
	Write-Host " 21: VM.disable-console-drag-n-drop"
	Write-Host " 22: VM.disable-disk-shrinking-shrink"
	Write-Host " 23: VM.disable-disk-shrinking-wiper"
	Write-Host " 24: VM.disable-independent-nonpersistent"
	Write-Host " 25: VM.disable-unexposed-features-memsfss"
	Write-Host " 26: VM.disable-unexposed-features-unity-unityactive"
	Write-Host " 27: VM.disable-unexposed-features-versionget"
	Write-Host " 28: VM.disable-unexposed-features-versionset"
	Write-Host " 29: VM.disconnect-devices-floppy"
	Write-Host " 30: VM.disconnect-devices-parallel"
	Write-Host " 31: VM.disconnect-devices-serial"
	Write-Host " 32: VM.Enable-VGA-Only-Mode"
	Write-Host " 33: VM.TransparentPageSharing-inter-VM-Enabled"
	Write-Host " 34: VM.verify-network-filter"
	Write-Host " 35: vNetwork.enable-bpdu-filter"
	Write-Host " 36: vNetwork.reject-forged-transmit-StandardSwitch"
	Write-Host " 37: vNetwork.restrict-netflow-usage"
	Write-Host
	Write-Host " Q:  Press 'Q' to return to the previous menu." -ForegroundColor yellow
	
}
clear
#Security Guide Choice
function TRF-Choice-65-SecurityGuide
{
TRF-65-SecurityGuide –Title 'Select Check'
$selection = Read-Host " Please make a selection"
 switch ($selection)
  {
     '1' {
         'You chose ESXi.audit-exception-users'
		 ESXi-audit-exception-users
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
     } '2' {
		 'You chose ESXi.Audit-SSH-Disable'
		 ESXi-Audit-SSH-Disable
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '3' {
		 'You chose ESXi.config-ntp'
		 ESXi-config-ntp
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '4' {
		 'You chose ESXi.config-persistent-logs'
		 ESXi-config-persistent-logs
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '5' {
		 'You chose ESXi.config-snmp'
		 ESXi-config-snmp
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '6' {
		 'You chose ESXi.Disable-oldtls-protocols'
		 ESXi-Disable-oldtls-protocols
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '7' {
		 'You chose ESXi.enable-ad-auth'
		 ESXi-enable-ad-auth
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '8' {
		 'You chose ESXi.enable-auth-proxy'
		 ESXi-enable-auth-proxy
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '9' {
		 'You chose ESXi.enable-chap-auth'
		 ESXi-enable-chap-auth
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '10' {
		 'You chose ESXi.enable-normal-lockdown-mode'
		 ESXi-enable-normal-lockdown-mode
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '11' {
		 'You chose ESXi.enable-remote-syslog'
		 ESXi-enable-remote-syslog
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '12' {
		 'You chose ESXi.enable-strict-lockdown-mode'
		 ESXi-enable-strict-lockdown-mode
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '13' {
		 'You chose ESXi.firewall-restrict-access'
		 ESXi-firewall-restrict-access
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '14' {
		 'You chose ESXi.set-account-auto-unlock-time'
		 ESXi-set-account-auto-unlock-time
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '15' {
		 'You chose ESXi.set-account-lockout'
		 ESXi-set-account-lockout
		 	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '16' {
		 'You chose ESXi.set-dcui-access'
		 ESXi-set-dcui-access
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '17' {
		 'You chose ESXi.set-password-policies'
		 ESXi-set-password-policies
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '18' {
		 'You chose ESXi.set-shell-interactive-timeout'
		 ESXi-set-shell-interactive-timeout
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '19' {
		 'You chose ESXi.set-shell-timeout'
		 ESXi-set-shell-timeout
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '20' {
		 'You chose ESXi.verify-acceptance-level-supported'
		 ESXi-verify-acceptance-level-supported
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '21' {
		 'You chose VM.disable-console-drag-n-drop'
		 VM-disable-console-drag-n-drop
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '22' {
		 'You chose VM.disable-disk-shrinking-shrink'
		 VM-disable-disk-shrinking-shrink
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '23' {
         'You chose VM.disable-disk-shrinking-wiper'
		 VM-disable-disk-shrinking-wiper
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '24' {
         'You chose VM.disable-independent-nonpersistent'
		 VM-disable-independent-nonpersistent
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '25' {
         'You chose VM.disable-unexposed-features-memsfss'
		 VM-disable-unexposed-features-memsfss
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '26' {
         'You chose VM.disable-unexposed-features-unity-unityactive'
		 VM-disable-unexposed-features-unity-unityactive
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '27' {
         'You chose VM.disable-unexposed-features-versionget'
		 VM-disable-unexposed-features-versionget
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '28' {
         'You chose VM.disable-unexposed-features-versionset'
		 VM-disable-unexposed-features-versionset
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		
     } '29' {
         'You chose VM.disconnect-devices-floppy'
		 VM-disconnect-devices-floppy
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '30' {
         'You chose VM.disconnect-devices-parallel'
		 VM-disconnect-devices-parallel
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '31' {
         'You chose VM.disconnect-devices-serial'
		 VM-disconnect-devices-serial
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '32' {
         'You chose VM.Enable-VGA-Only-Mode'
		 VM-Enable-VGA-Only-Mode
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '33' {
         'You chose VM.TransparentPageSharing-inter-VM-Enabled'
		 VM-TransparentPageSharing-inter-VM-Enabled
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '34' {
         'You chose VM.verify-network-filter'
		 VM-verify-network-filter
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '35' {
         'You chose vNetwork.enable-bpdu-filter'
		 vNetwork-enable-bpdu-filter
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '36' {
         'You chose vNetwork.reject-forged-transmit-StandardSwitch'
		 vNetwork-reject-forged-transmit-StandardSwitch
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
		 
     } '37' {
         'You chose vNetwork.restrict-netflow-usage'
		 vNetwork-restrict-netflow-usage
	Write-Host -NoNewLine " Press any key to continue...";
	$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
		 TRF-Choice-65-SecurityGuide
     } 'Q' {
         'You chose to go back'
		 clear
		 TRF-Choice-Select-Cluster-Commands
     } 
  }
 }
 clear

#########################################################################################
#########################################################################################
#########################################################################################
#########################################################################################

TRF-Choice-65-SecurityGuide</code>

As a side note, i noticed there was more than a couple errors in the SHG so make sure you’re checking the sample code before running it.

Loading

4 thoughts on “ESXi6.5 Security Hardening Guide

Leave a Reply to Tony Reardon Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.