Applying VM Hardening using PowerCli

When your infrastructure has to meet a minimum security configuration, it’s time to rely on the vSphere Hardening Guide. It covers several component layers such as hypervisors, VMs, SSO, etc. In this vSphere 5.5 version you’ll find an example of a detailed guide with specific commands and parameters to configure if you want to ensure a secure environment.

In this case I want to share a simple script that will apply as many parameters as you need to all VMs listed in a csv file.

Script dependencies:

The following txt files must be in the same folder:

– VM_Hardening_List.txt: Contains the list of Virtual Machines on which the settings will be applied.

– VM_Hardening_Specs.txt: Set of configuration settings according to the hardening Excel file. This is basically the column “Configuration Parameter” and the “Desired Value” using the format (Name,Value).

Example:

isolation.tools.autoInstall.disable,TRUE
isolation.tools.copy.disable,TRUE
isolation.tools.dnd.disable,TRUE
isolation.tools.setGUIOptions.enable,FALSE

What the script does:

It loads the settings from the VM_Hardening_Specs.txt file and adds them to every Virtual Machine listed in the VM_Hardening_List.txt file.

  • It shows a progress bar with the VM name and the options pending to be saved, so you can estimate how long the run will take.
  • It creates a log file in the running directory named Hardening_(TIME)_(DATE).log with the VM name, the keys and values saved, and the error description on failure.

Before Running:

You need PowerCLI 5.1 or above.

  • The VM_Hardening_List.txt file properly filled with the desired Virtual Machine Name to be hardened.
  • The VM_Hardening_Specs.txt file correctly verified with no empty lines.

Recommendations:

  • Fill in the VM_Hardening_List.txt file with just one VM, run the script and check that the VM is correctly updated using the following command: Get-Vm VmName | Get-AdvancedSetting
  • If everything went well, repeat the same step with a few more VMs in the txt file.
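
The check from the first recommendation, automated: this added example (not part of the original script) compares the Name,Value pairs from the specs file with the settings a VM actually reports and flags each one as Compliant, Mismatch or Missing. The function name Compare-HardeningSpec and the sample data are made up for illustration; on a live system $actual would come from Get-Vm VmName | Get-AdvancedSetting.

```powershell
# Added example: compare desired hardening specs with a VM's actual advanced settings.
# Compare-HardeningSpec is a hypothetical helper name, not a PowerCLI cmdlet.
function Compare-HardeningSpec {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Desired,  # objects with Name, Value (specs file)
        [object[]] $Actual = @()                           # objects with Name, Value (reported by the VM)
    )
    # Index the reported settings by name (PowerShell hashtable keys are case-insensitive)
    $lookup = @{}
    foreach ($s in $Actual) { $lookup[[string]$s.Name] = [string]$s.Value }

    foreach ($d in $Desired) {
        $name = ([string]$d.Name).Trim()
        if (-not $name) { continue }                       # ignore blank entries in the specs file
        $want = ([string]$d.Value).Trim()
        if (-not $lookup.ContainsKey($name)) {
            $have = $null
            $status = 'Missing'                            # setting was never written to the VM
        }
        else {
            $have = $lookup[$name].Trim()
            # String -eq is case-insensitive, so TRUE and true are treated as equal
            $status = if ($have -eq $want) { 'Compliant' } else { 'Mismatch' }
        }
        New-Object PSObject -Property @{ Name = $name; Desired = $want; Actual = $have; Status = $status }
    }
}

# Constructed sample data (not taken from a real VM), in the specs file format
$desired = @'
isolation.tools.copy.disable,TRUE
isolation.tools.dnd.disable,TRUE
isolation.tools.setGUIOptions.enable,FALSE
'@ -split "`r?`n" | ConvertFrom-Csv -Header Name,Value

# Constructed stand-in for the settings a VM reports.
# Against a live VM: $actual = Get-Vm VmName | Get-AdvancedSetting
$actual = @(
    New-Object PSObject -Property @{ Name = 'isolation.tools.copy.disable'; Value = 'true' }
    New-Object PSObject -Property @{ Name = 'isolation.tools.dnd.disable';  Value = 'FALSE' }
)

Compare-HardeningSpec -Desired $desired -Actual $actual |
    Select-Object Name, Desired, Actual, Status |
    Format-Table -AutoSize
```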

 

Script:


####################################
#
# Hardens VMs according to a txt file
#
####################################

# VM list file: one VM name per line, resolved to VM objects
$VMList = @(Get-Content 'VM_Hardening_List.txt' | ForEach-Object { Get-VM $_ })

# Hardening specifications file: Name,Value pairs (entries with an empty name are skipped)
$Hardening_Statement = @(Import-Csv 'VM_Hardening_Specs.txt' -Header Name,Value | Where-Object { $_.Name })

# Result file
$DateStamp = Get-Date -Format hhmmss_ddMMyyyy
$LogFile = "Hardening_$DateStamp.log"

# Global variables
$TotalOptions = $Hardening_Statement.Count
$i = 1
$TotalVM = $VMList.Count

# Apply each configuration line to every VM

ForEach ($VmName in $VMList) {

	$j = 0
	ForEach ($line in $Hardening_Statement) {

		Write-Progress -Activity "Securing $VmName ($i/$TotalVM)" -Status "Option $j / $TotalOptions" -PercentComplete ($j / $TotalOptions * 100)

		Try {
			# -ErrorAction Stop turns non-terminating errors into exceptions so Catch can log them
			$R = $VmName | New-AdvancedSetting -Name ($line.Name) -Value ($line.Value) -Force -Confirm:$false -ErrorAction Stop | Select-Object Entity, Name, Value
			# Log the saved setting only when the call succeeded
			$R = "Entity:" + $R.Entity + " `nName: " + $R.Name + "`nValue: " + $R.Value
			$R | Out-File -Append $LogFile
		}
		Catch {
			$ErrorMessage = $_.Exception.Message
			# $() is needed to expand a property inside a double-quoted string
			$Rbad = "Failed to set option : $($line.Name). The error message was :$ErrorMessage"
			$Rbad | Out-File -Append $LogFile
		}

		$j++
	}
	$i++
}


2 thoughts on “Applying VM Hardening using PowerCli”

  1. Thanks for the post. When I run the script I’m seeing the below in the logs:

    Failed to set option : .name. The error message was :Cannot validate argument on parameter ‘Name’. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
    Entity:
    Name:
    Value:

    1. Hi Pham, thanks for posting.
      I’d need to know a bit more about the txt file you’re using. For now, please try to check there’s no blank space or another ASCII char between lines.
      Regards,
