##################################################################################
#
# Script: configure_host.ps1
# Author: Fabio Irigoyen
# Date: 09.11.2022
# Desc: Script to configure a new ESXi host.
# Specify the ESXiHost variable with the hostname
# Specify the NtpServer1/NtpServer2 and SyslogServer variables
# Tested on ESXi Version 7.X
# Version: 1.0
# History:
#
#
##################################################################################
#-------------------------------------------------------------------------------------------
# Variables
#-------------------------------------------------------------------------------------------
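# Target host and external services. Replace the placeholders before running.
$ESXiHost = "Hostname"
$NtpServer1 = "0.ch.pool.ntp.org"
$NtpServer2 = "1.ch.pool.ntp.org"
$SyslogServer = "xxx.xxx.xxx.xxx:514"   # host:port of the remote syslog collector (UDP, see below)
#-------------------------------------------------------------------------------------------
# Main
#-------------------------------------------------------------------------------------------
# Connect and keep the connection object. -ErrorAction Stop aborts the script on a failed
# connection instead of letting every following cmdlet fail on its own (or run against some
# other server that is still connected in this PowerCLI session).
$conn = Connect-VIServer -Server $ESXiHost -ErrorAction Stop
# Resolve the single host behind this connection once. Scoping to $conn (rather than a bare
# Get-VMHost) keeps every change below on this host only, even when the session also holds
# connections to other ESXi hosts or a vCenter.
$vmhost = Get-VMHost -Server $conn -ErrorAction Stop

#--- Account lockout and password policy
# Lock the account after 3 failed login attempts.
$vmhost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3 -Confirm:$False
# Unlock a locked account automatically after 900 seconds.
$vmhost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900 -Confirm:$False
# Remember the last 5 passwords so they cannot be reused.
$vmhost | Get-AdvancedSetting -Name Security.PasswordHistory | Set-AdvancedSetting -Value 5 -Confirm:$False
# Password complexity in pam_passwdqc syntax: 3 retries; the min= fields apply to passwords with
# 1 class, 2 classes, passphrases, 3 classes, 4 classes -> the first three are rejected, three or
# four character classes need at least 14 characters.
$vmhost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "retry=3 min=disabled,disabled,disabled,14,14" -Confirm:$False

#--- Warnings, timeouts and interfaces
# Keep the hyperthreading security warning visible (0 = do not suppress).
$vmhost | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning | Set-AdvancedSetting -Value 0 -Confirm:$False
# Terminate idle DCUI sessions after 600 seconds.
$vmhost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600 -Confirm:$False
# Forward logs to the remote syslog collector. Quoted so scheme and host:port reach the host
# as one string.
$vmhost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "udp://$SyslogServer" -Confirm:$False
# Block guest OS BPDU transmissions.
$vmhost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1 -Confirm:$False
# Terminate idle ESXi Shell and SSH sessions after 600 seconds.
$vmhost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600 -Confirm:$False
# Limit how long the ESXi Shell and SSH services are allowed to stay running (600 seconds).
$vmhost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600 -Confirm:$False
# Keep the "support and troubleshooting interfaces enabled" warning visible (0 = do not suppress).
$vmhost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 0 -Confirm:$False
# Only run binaries delivered via VIB.
$vmhost | Get-AdvancedSetting -Name VMkernel.Boot.execInstalledOnly | Set-AdvancedSetting -Value $True -Confirm:$False
# Keep 20 rotated vpxa log files.
$vmhost | Get-AdvancedSetting -Name Syslog.loggers.vpxa.rotate | Set-AdvancedSetting -Value 20 -Confirm:$False

#--- NTP
Add-VmHostNtpServer -VMHost $vmhost -NtpServer $NtpServer1 -Confirm:$False
Add-VmHostNtpServer -VMHost $vmhost -NtpServer $NtpServer2 -Confirm:$False
# NOTE(review): time sync needs the 'NTP client' firewall ruleset open. The original left this
# step disabled (and it referenced an undefined variable); confirm the ruleset is already enabled
# on the host before relying on NTP.
#Get-VMHostFirewallException -VMHost $vmhost -Name 'NTP client' | Set-VMHostFirewallException -Enabled:$true
# Start the NTP client now and start it with the host.
$ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq "ntpd" }
$ntpd | Start-VMHostService -Confirm:$False
$ntpd | Set-VMHostService -Policy "on" -Confirm:$False

#--- Services not needed on a hardened host (CIM, SNMP, SLP): stop them and set the policy to
# manual start ("Off").
foreach ($key in "sfcbd-watchdog", "snmpd", "slpd") {
    $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq $key }
    $svc | Stop-VMHostService -Confirm:$False
    $svc | Set-VMHostService -Policy "Off" -Confirm:$False
}

#--- Power management: High Performance (policy key 1)
$hostView = $vmhost | Get-View
(Get-View $hostView.ConfigManager.PowerSystem).ConfigurePowerPolicy(1)

#--- Firewall rulesets. 'ssh server' and 'Fault Tolerance' stay open; the rest are closed.
# -VMHost is passed explicitly so the host name is never bound to the positional -Name parameter.
$firewallRules = [ordered]@{
    'ssh server'        = $True
    'CIM Server'        = $False
    'CIM Secure Server' = $False
    'DVSSync'           = $False
    'DHCP Client'       = $False
    'Fault Tolerance'   = $True
    'SNMP Server'       = $False
    'HBR'               = $False
    'WOL'               = $False
}
foreach ($rule in $firewallRules.GetEnumerator()) {
    Get-VMHostFirewallException -VMHost $vmhost -Name $rule.Key | Set-VMHostFirewallException -Enabled $rule.Value -Verbose
}

# Drop the privileged session so it does not linger in $global:DefaultVIServers.
Disconnect-VIServer -Server $conn -Confirm:$False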