Hardening your ESXi hosts the PowerCLI way

While we are moving fast towards the container world and its security, it is never too late to be concerned about the traditional platform. Hardening is a day-2 activity that can really be cumbersome in an enterprise environment, because of the amount of repetition involved and the human effort required to perform it.

As an attempt to save time and effort, I have put together 5 configuration parameters from the vSphere 6.5 Hardening Guide (which you can find here) into one PowerCLI script that will do the job for you on all the hosts in your environment.

The chosen 5 hardening parameters are:

  1. SSH configuration – the SSH service is stopped (and its startup policy set to Off) if it is running; if it is already stopped, a message says so
  2. Add NTP servers if none are present already – (NTP server list to be modified in the script)
  3. Configure the log directory to a persistent location – (log location to be modified)
  4. Disable older TLS versions (SSLv3 and TLS 1.0)
  5. Add the host to an Active Directory domain – (AD details to be modified)

The output of the script would look something like the below image.

[Image: sample output of the script, image1.jpg]
# Requires VMware PowerCLI. Write-Color comes from the PSWriteColor module
# (Install-Module PSWriteColor); replace it with Write-Host if you prefer no extra dependency.
Import-Module PSWriteColor

$vCenterServer = "***"
Connect-VIServer $vCenterServer -User "administrator@vsphere.local" -Password "VMware1!"
$NTPServers  = 'pool.ntp.org','pool2.ntp.org'            # NTP servers to add - modify for your environment
$logLocation = "[]/vmfs/volumes/99c2c1e2-b767bcc2/Logs"   # persistent log location - modify
$ADdomain    = "mycloud.lab"                              # AD details - modify
$ADusername  = "domainuser@mycloud.lab"
$ADpassword  = "****"
$esxihosts   = Get-VMHost
$i = 1
foreach ($esxihost in $esxihosts)
{
    #DisableSSH-ESXI-06-000035
    Write-Color "HOST ITERATION:", $i -Color Yellow,Green -LinesBefore 1 -LinesAfter 1
    Write-Host "CURRENT HOST: $esxihost" `n
    Write-Host "1.Checking SSH configuration.." `n
    $SSHservice = Get-VMHostService -VMHost $esxihost | Where-Object {$_.Key -eq "TSM-SSH"}
    if ($SSHservice.Running -eq $true)
    {
        Write-Host "SSH Server on host $esxihost is running" `n
        # Set the startup policy to Off so the service stays down after a reboot, then stop it
        $SSHservice | Set-VMHostService -Policy Off -Confirm:$false > $null
        $SSHservice | Stop-VMHostService -Confirm:$false > $null
        if ($?)
        {
            Write-Host "SSH disabled on host: $esxihost" `n
        }
    }
    else
    {
        Write-Host "SSH Server on host $esxihost is already stopped" `n
    }
    #AddNTPServers-ESXI-06-000046,ESXI-06-100046
    Write-Host "2.Checking NTP Servers.." `n
    $isNTP = Get-VMHostNtpServer -VMHost $esxihost
    if (!$isNTP)
    {
        Add-VMHostNtpServer -VMHost $esxihost -NtpServer $NTPServers > $null
        Write-Host "NTP server $NTPServers added" `n
        # Enable ntpd at boot and start it now
        $ntpService = Get-VMHostService -VMHost $esxihost | Where-Object -Property Key -EQ ntpd
        $ntpService | Set-VMHostService -Policy On -Confirm:$false > $null
        $ntpService | Start-VMHostService -Confirm:$false > $null
        Write-Host "NTP Daemon Enabled" `n
    }
    else
    {
        # Only the presence of NTP servers is checked here; ntpd state is left as-is
        Write-Host "NTP server $isNTP already configured" `n
    }
    #SyslogLocation-ESXI-06-000045
    Write-Host "3.Checking Syslog Configuration.." `n
    $syslogdir = (Get-AdvancedSetting -Entity $esxihost -Name Syslog.global.logDir).Value
    if (($syslogdir -match "/scratch/log") -or (!$syslogdir))
    {
        Write-Host "Log location not persistent.. Updating to new location" `n
        Get-AdvancedSetting -Entity $esxihost -Name Syslog.global.logDir | Set-AdvancedSetting -Value $logLocation -Confirm:$false > $null
        Write-Host "Log location updated to $logLocation" `n
    }
    else
    {
        Write-Host "Syslog directory already set to $syslogdir... Check if it is persistent" `n
    }
    #DisabledProtocols
    Write-Host "4.Checking TLS settings" `n
    $disProtocols = (Get-AdvancedSetting -Entity $esxihost -Name UserVars.ESXiVPsDisabledProtocols).Value
    if (($disProtocols -eq "sslv3,tlsv1,tlsv1.1") -or ($disProtocols -eq "sslv3,tlsv1"))
    {
        Write-Host "Already disabled required protocols: $disProtocols" `n
    }
    else
    {
        Write-Host "One or more protocols need to be disabled..Updating" `n
        # The new protocol list takes effect after the host is rebooted
        Get-AdvancedSetting -Entity $esxihost -Name UserVars.ESXiVPsDisabledProtocols | Set-AdvancedSetting -Value "sslv3,tlsv1" -Confirm:$false > $null
        Write-Host "All required protocols disabled..Check host connectivity" `n
    }
    #ActiveDirectoryDomainStatus-ESXI-06-000037,ESXI-06-100037,ESXI-06-200037,ESXI-06-300037
    Write-Host "5.Checking Domain Status.." `n
    $hostAuth = Get-VMHostAuthentication -VMHost $esxihost
    if ($hostAuth.DomainMembershipStatus -eq "Ok")
    {
        Write-Host "Already part of AD: $($hostAuth.Domain)" `n
    }
    else
    {
        Write-Host "Host not part of AD..joining domain" `n
        $hostAuth | Set-VMHostAuthentication -Domain $ADdomain -Username $ADusername -Password $ADpassword -JoinDomain -Confirm:$false > $null
        $domain = (Get-VMHostAuthentication -VMHost $esxihost).Domain
        Write-Host "Host added to: $domain" `n
    }
    $i = $i + 1
}
Disconnect-VIServer -Server $global:DefaultVIServer -Force -Confirm:$false
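The script above changes settings as it goes. Before rolling it out, and again afterwards to prove the hardening stuck (for example after a host rebuild or a vSphere upgrade), it is useful to have a read-only companion that only reports. The following is an added example, not part of the original post: it checks the same five settings on every host, writes one row per host and exports a CSV for the audit trail. It assumes an existing PowerCLI session (Connect-VIServer has already been run), and the NTP list, AD domain and report path are hypothetical inputs to be changed for your environment.

```powershell
# Added example: read-only compliance report for the five hardening settings.
# Assumes an existing Connect-VIServer session. Inputs below are assumptions.
$NTPServers = 'pool.ntp.org','pool2.ntp.org'        # expected NTP servers (assumed)
$ADdomain   = 'mycloud.lab'                         # expected AD domain (assumed)
$ReportPath = Join-Path $PWD 'esxi-hardening-report.csv'   # report location (assumed)

function Get-EsxiHardeningStatus {
    param(
        [Parameter(Mandatory)] $VMHost   # a VMHost object from Get-VMHost
    )

    $services = Get-VMHostService -VMHost $VMHost
    $ssh      = $services | Where-Object { $_.Key -eq 'TSM-SSH' }
    $ntpd     = $services | Where-Object { $_.Key -eq 'ntpd' }
    $ntp      = @(Get-VMHostNtpServer -VMHost $VMHost)
    $logDir   = (Get-AdvancedSetting -Entity $VMHost -Name 'Syslog.global.logDir').Value
    $disabled = (Get-AdvancedSetting -Entity $VMHost -Name 'UserVars.ESXiVPsDisabledProtocols').Value
    $auth     = Get-VMHostAuthentication -VMHost $VMHost

    # 1. SSH must be stopped AND must not come back at boot (startup policy Off)
    $sshOk = (-not $ssh.Running) -and ($ssh.Policy -eq 'off')

    # 2. Every expected NTP server present and ntpd actually running
    $missingNtp = @($NTPServers | Where-Object { $ntp -notcontains $_ })
    $ntpOk = ($missingNtp.Count -eq 0) -and ($ntpd.Running -eq $true)

    # 3. Same criterion as the hardening script: empty or /scratch/log is not persistent.
    #    A non-scratch path still needs a manual check that the datastore is persistent.
    $logOk = [bool]$logDir -and ($logDir -notmatch '/scratch/log')

    # 4. Parse the comma-separated list instead of comparing the whole string,
    #    so "sslv3, tlsv1,tlsv1.1" or a different ordering is still recognised
    $protocols = @(($disabled -split ',') | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
    $tlsOk = ('sslv3' -in $protocols) -and ('tlsv1' -in $protocols)

    # 5. Joined, and joined to the domain we expect (not just any domain)
    $adOk = ($auth.DomainMembershipStatus -eq 'Ok') -and ($auth.Domain -eq $ADdomain)

    [pscustomobject]@{
        Host              = $VMHost.Name
        SshDisabled       = $sshOk
        SshPolicy         = $ssh.Policy
        NtpConfigured     = $ntpOk
        MissingNtp        = ($missingNtp -join ',')
        SyslogPersistent  = $logOk
        SyslogDir         = $logDir
        TlsHardened       = $tlsOk
        DisabledProtocols = $disabled
        AdJoined          = $adOk
        Domain            = $auth.Domain
        Compliant         = ($sshOk -and $ntpOk -and $logOk -and $tlsOk -and $adOk)
    }
}

$report = Get-VMHost | Sort-Object Name | ForEach-Object { Get-EsxiHardeningStatus -VMHost $_ }
$report | Format-Table Host, SshDisabled, NtpConfigured, SyslogPersistent, TlsHardened, AdJoined, Compliant -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation

$nonCompliant = @($report | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("{0} host(s) not compliant: {1}" -f $nonCompliant.Count, ($nonCompliant.Host -join ', '))
}
```

Two design choices are worth noting. The SSH check looks at the startup policy as well as the running state, because a service that is stopped today but set to start on boot is not really hardened. The TLS check splits the advanced setting into tokens rather than comparing the literal string, so a host that someone configured by hand with different spacing or ordering is still reported correctly, while the hardening script's exact-match comparison would have flagged it for an unnecessary change.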

Happy learning 🙂
