ESXi Hardening
Automatically unlock a locked account after a specific amount of time.
Desired Value: 900
get-vmhost | Get-AdvancedSetting Security.AccountUnlockTime | Format-Table Entity, Name, Value
Set new value:
get-vmhost | Get-AdvancedSetting Security.AccountUnlockTime | Set-AdvancedSetting -Value 900
Set the count of maximum failed login attempts before the account is locked out.
Desired Value: 3
get-vmhost | Get-AdvancedSetting Security.AccountLockFailures | Format-Table Entity, Name, Value
Set new value:
get-vmhost | Get-AdvancedSetting Security.AccountLockFailures | Set-AdvancedSetting -Value 3
Do not permit password reuse.
Desired Value: 5
get-vmhost | Get-AdvancedSetting Security.PasswordHistory | Format-Table Entity, Name, Value
Set new value:
get-vmhost | Get-AdvancedSetting Security.PasswordHistory | Set-AdvancedSetting -Value 5
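The three account-policy checks above (and the other numeric advanced settings further down this page) are all the same operation: read an advanced setting, compare it with a desired value, and set it when it drifts. The following is an added example, not code from the original page: it audits a whole baseline per host in one call and remediates only the settings that differ. It assumes VMware.PowerCLI is loaded, a Connect-VIServer session exists, and that the function names and the $Baseline table are the reader's own choice; the desired values are the ones listed on this page.

```powershell
# Added example: baseline audit and remediation of ESXi advanced settings.
# Assumes an active Connect-VIServer session; function names are assumptions.

# Desired values taken from this page's checklist (ordered for stable reports).
$Baseline = [ordered]@{
    'Security.AccountUnlockTime'           = 900
    'Security.AccountLockFailures'         = 3
    'Security.PasswordHistory'             = 5
    'UserVars.SuppressHyperthreadWarning'  = 0
    'UserVars.DcuiTimeOut'                 = 600
    'UserVars.ESXiShellInteractiveTimeOut' = 600
    'UserVars.ESXiShellTimeOut'            = 600
    'UserVars.SuppressShellWarning'        = 0
}

function Test-EsxiAdvancedSettingBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    # One Get-AdvancedSetting call per host; filter locally instead of one call per key.
    $current = $VMHost | Get-AdvancedSetting -Name ([string[]]$Baseline.Keys)
    foreach ($key in $Baseline.Keys) {
        $setting = $current | Where-Object { $_.Name -eq $key }
        $actual  = if ($setting) { $setting.Value } else { $null }
        [pscustomobject]@{
            VMHost    = $VMHost.Name
            Name      = $key
            Expected  = $Baseline[$key]
            Actual    = $actual
            # Compare as strings: PowerCLI returns a mix of int, long and string values.
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($Baseline[$key])")
        }
    }
}

function Repair-EsxiAdvancedSettingBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    # Only touch settings that exist on the host and differ from the baseline.
    $drift = Test-EsxiAdvancedSettingBaseline -VMHost $VMHost -Baseline $Baseline |
        Where-Object { -not $_.Compliant -and $null -ne $_.Actual }
    foreach ($item in $drift) {
        $target = "$($item.VMHost): $($item.Name)"
        if ($PSCmdlet.ShouldProcess($target, "Set $($item.Actual) -> $($item.Expected)")) {
            $VMHost | Get-AdvancedSetting -Name $item.Name |
                Set-AdvancedSetting -Value $item.Expected -Confirm:$false | Out-Null
        }
    }
}

# Usage: report drift on all hosts, review with -WhatIf, then run without it.
$report = Get-VMHost | ForEach-Object { Test-EsxiAdvancedSettingBaseline -VMHost $_ -Baseline $Baseline }
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Get-VMHost | ForEach-Object { Repair-EsxiAdvancedSettingBaseline -VMHost $_ -Baseline $Baseline -WhatIf }
```

Settings that are missing on a host (older builds, or a key that does not apply) are reported as non-compliant with an empty Actual column but are deliberately skipped by the repair function, so the remediation run never creates keys the host does not know.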
Establish a policy for password complexity.
Desired Value:
– mix of at least three from the following four character classes:
– lowercase letters
– uppercase letters
– numbers
– and special characters such as underscore or dash
– least 7 characters and less than 40
– Passwords must not contain a dictionary word or part of a dictionary word.
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Format-Table Entity, Value
Use the Authentication Proxy to protect passwords during Active Directory domain joins.
Get-VMHost | Get-VMHostAuthentication | Select-Object VMHost,Domain,DomainMembershipStatus
Use Active Directory for ESXi user authentication.
Get-VMHost | Get-VMHostAuthentication | Select-Object VMHost,Domain,DomainMembershipStatus
Ensure the warning for the potential hyperthreading security vulnerability is not suppressed.
Desired value: 0
Get-VMHost | Get-AdvancedSetting UserVars.SuppressHyperthreadWarning | Format-Table Entity, Name, Value
Get-VMHost | Get-AdvancedSetting UserVars.SuppressHyperthreadWarning | Set-AdvancedSetting -Value 0
Set a timeout to automatically terminate idle DCUI sessions.
Desired value: 600
get-vmhost | Get-AdvancedSetting UserVars.DcuiTimeOut | Format-Table Entity, Name, Value
Get-VMHost | Get-AdvancedSetting UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600
Configure or disable CIM.
Desired value: False
Get-VMHostService -VMHost * | Where-Object {$_.Key -eq 'sfcbd-watchdog'} | Format-Table VMHost, Label, Policy, Running
Disable the Managed Object Browser (MOB).
Desired value: False
get-vmhost | Get-AdvancedSetting Config.HostAgent.plugins.solo.enableMob | Format-Table Entity, Value
Configure or disable SLP.
Desired value: False
Get-VMHostService -VMHost * | Where-Object {$_.Key -eq 'slpd'} | Format-Table VMHost, Label, Policy, Running
Disable SNMP.
Desired value: True
Get-VMHostService -VMHost * | Where-Object {$_.Key -eq 'snmpd'} | Format-Table VMHost, Running
Disable SSH / TSM-SSH.
Desired value: True
Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq 'TSM-SSH' -and $_.Running -eq $true } | Format-Table VMHost, Key
Check policy configuration
get-vmhost | get-vmhostservice | where-object {$_.key -eq "TSM-SSH" -or $_.key -eq "TSM"} | Format-Table VMhost, Key, Policy, Running
Configure the ESXi firewall for additional defense-in-depth.
Desired value:
List rules with “Allowed IP addresses” not set to “All”
Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -and (-not $_.ExtensionData.AllowedHosts.AllIP)} | Format-Table VMHost, Name, Enabled, IncomingPorts, OutgoingPorts, Protocols, ServiceRunning
List rules with “Allowed IP addresses” set to “All”
Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -and ($_.ExtensionData.AllowedHosts.AllIP)} | Format-Table VMHost, Name, Enabled, IncomingPorts, OutgoingPorts, Protocols, ServiceRunning
List enabled rules that are not in the expected default set
$ServiceName = @(
'rabbitmqproxy',
'HPProvider',
'vSphere High Availability Agent',
'NTP Client',
'SSH Server',
'syslog',
'vSphere Web Client',
'VMware vCenter Agent',
'vMotion',
'vCenter update manager',
'trusted-infrastructure-kmxa',
'iofiltervp',
'DNS Client',
'NFC',
'vvold',
'vSphere Web Access'
)
Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -and ($_.Name -notin $ServiceName)} | Format-Table VMHost, Name, IncomingPorts, OutgoingPorts, Protocols
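The firewall checks above list rulesets whose allowed-source list is "All", but the page stops at reporting. The following is an added example, not code from the original page: it reports enabled rulesets open to any source and then restricts a ruleset to an explicit allow-list through the HostFirewallSystem managed object, which is how the "Allowed IP addresses" field in the UI is set. It assumes an active Connect-VIServer session; the function names, the ruleset key used in the usage line and the addresses in the allow-list are assumptions (constructed values).

```powershell
# Added example: report "any source" firewall rulesets and restrict one to an allow-list.
# Assumes an active Connect-VIServer session; function names and sample addresses are assumptions.

function Get-EsxiOpenFirewallRuleset {
    param([Parameter(Mandatory)] $VMHost)
    # Only enabled rulesets matter; AllowedHosts.AllIp = $true means "accept from any source".
    $VMHost | Get-VMHostFirewallException |
        Where-Object { $_.Enabled -and $_.ExtensionData.AllowedHosts.AllIp } |
        ForEach-Object {
            [pscustomobject]@{
                VMHost         = $VMHost.Name
                Ruleset        = $_.Name
                Key            = $_.ExtensionData.Key     # key needed for UpdateRuleset below
                IncomingPorts  = $_.IncomingPorts
                Protocols      = $_.Protocols
                ServiceRunning = $_.ServiceRunning
            }
        }
}

function Set-EsxiFirewallRulesetAllowedHosts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [string]   $RulesetKey,   # ruleset key as reported above
        [string[]] $IpAddress = @(),                     # single addresses
        [string[]] $IpNetwork = @()                      # CIDR networks, e.g. 10.10.0.0/24
    )
    $fwSys = Get-View -Id $VMHost.ExtensionData.ConfigManager.FirewallSystem
    $spec  = New-Object VMware.Vim.HostFirewallRulesetRulesetSpec
    $spec.AllowedHosts       = New-Object VMware.Vim.HostFirewallRulesetIpList
    $spec.AllowedHosts.AllIp = $false
    $spec.AllowedHosts.IpAddress = $IpAddress
    $spec.AllowedHosts.IpNetwork = @(
        foreach ($cidr in $IpNetwork) {
            $net, $len = $cidr -split '/'
            $n = New-Object VMware.Vim.HostFirewallRulesetIpNetwork
            $n.Network      = $net
            $n.PrefixLength = [int]$len
            $n
        }
    )
    $who = (($IpAddress + $IpNetwork) -join ', ')
    if ($PSCmdlet.ShouldProcess("$($VMHost.Name)/$RulesetKey", "Restrict allowed sources to: $who")) {
        $fwSys.UpdateRuleset($RulesetKey, $spec)
    }
}

# Usage: report first, then restrict with -WhatIf before applying for real.
Get-VMHost | ForEach-Object { Get-EsxiOpenFirewallRuleset -VMHost $_ } | Format-Table -AutoSize

# Constructed allow-list (assumed values): management subnet plus one jump host.
Get-VMHost | ForEach-Object {
    Set-EsxiFirewallRulesetAllowedHosts -VMHost $_ -RulesetKey 'sshServer' `
        -IpNetwork '10.10.0.0/24' -IpAddress '10.10.1.5' -WhatIf
}
```

Restricting a ruleset replaces its whole allow-list, so keep the list in version control and apply it to every host in the cluster; a host that is missing the management subnet in the list locks its own administrators out of that service.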
Enable UEFI Secure Boot.
Desired value: enabled
Ensure that a TPM 2.0 is installed and enabled on the host.
Desired value: enabled
Hardware firmware is up to date.
Enable bidirectional/mutual CHAP authentication for iSCSI traffic.
Desired value: enabled
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapName}}
Set DCUI.Access to allow trusted users to override lockdown mode.
Get-VMHost | Get-AdvancedSetting DCUI.Access
Audit the users on the Exception Users List.
Get-VMHost | ForEach-Object { [pscustomobject]@{ VMHost = $_.Name; Exceptions = (Get-View -Id $_.ExtensionData.ConfigManager.HostAccessManager).QueryLockdownExceptions() } }
Enable normal lockdown mode to restrict access to ESXi.
(Get-VMHost -Name * | Get-View).Config.LockdownMode
Set the logging informational level.
Get-VMHost | Get-AdvancedSetting Config.HostAgent.log.level | Format-Table Entity, Value
Configure persistent logging.
Get-VMHost | Get-AdvancedSetting Syslog.global.logDir | Format-Table Entity, Value
Validate that the configured log target is successfully receiving information from the ESXi host (run from the ESXi shell, then confirm the message arrives on the log collector):
esxcli system syslog mark --message "Syslog Test Message"
Configure remote logging.
Get-VMHost | Get-AdvancedSetting Syslog.global.logHost | Format-Table Entity, Value
Get-VMHost | Get-AdvancedSetting Syslog.global.logHost | Set-AdvancedSetting -Value 'udp://<IP ADDRESS>:514'
Block guest OS BPDU transmissions.
Get-VMHost | Get-AdvancedSetting Net.BlockGuestBPDU | Format-Table Entity, Value
Get-VMHost | Get-AdvancedSetting Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1
Audit use of dvfilter network APIs.
Get-VMHost | Get-AdvancedSetting Net.DVFilterBindIpAddress | Format-Table Entity, Value
Ensure hardware management controller interfaces are isolated on their own network segment and protected with perimeter access controls.
Ensure ESXi management interfaces are isolated on their own network segment.
Ensure vMotion interfaces are isolated on their own network segment and protected with perimeter access controls.
Ensure vSAN interfaces are isolated on their own network segment and protected with perimeter access controls.
Audit use of server hardware out-of-band management network interfaces.
Ensure that the “Forged Transmits” policy is set to reject on both the vSphere Standard Switch and on its port groups.
Get-VMHost | Get-VirtualSwitch -Standard | Get-SecurityPolicy | Format-List *
Get-VMHost | Get-VirtualPortGroup -Standard | Get-SecurityPolicy | Format-List *
Ensure that the “MAC Address Changes” policy is set to reject on both the vSphere Standard Switch and on its port groups.
Ensure that the “Promiscuous Mode” policy is set to reject on both the vSphere Standard Switch and on its port groups.
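The two Get-SecurityPolicy lines above dump every property of every switch and port group, which is hard to read across a cluster, and the page gives no commands for the MAC Address Changes and Promiscuous Mode checks. The following is an added example, not code from the original page: it evaluates all three policies on each vSphere Standard Switch and its port groups, resolves inherited port-group values to the effective switch value, prints only findings, and remediates by setting the switch to Reject and the port groups back to inherit. It assumes an active Connect-VIServer session; the function names are assumptions.

```powershell
# Added example: audit and remediate Promiscuous Mode, MAC Address Changes and
# Forged Transmits on vSphere Standard Switches and their port groups.
# Assumes an active Connect-VIServer session; function names are assumptions.

$Policies = 'AllowPromiscuous', 'MacChanges', 'ForgedTransmits'   # $true = Accept, $false = Reject

function Get-VssSecurityPolicyFinding {
    param([Parameter(Mandatory)] $VMHost)
    foreach ($vss in ($VMHost | Get-VirtualSwitch -Standard)) {
        $swPolicy = $vss | Get-SecurityPolicy
        foreach ($p in $Policies) {
            if ($swPolicy.$p) {
                [pscustomobject]@{ VMHost = $VMHost.Name; Switch = $vss.Name; PortGroup = '(switch)'; Policy = $p; Effective = 'Accept' }
            }
        }
        foreach ($pg in ($vss | Get-VirtualPortGroup -Standard)) {
            $pgPolicy = $pg | Get-SecurityPolicy
            foreach ($p in $Policies) {
                # Port-group policies carry a <Policy>Inherited flag; when set, the switch value applies.
                $effective = if ($pgPolicy."${p}Inherited") { $swPolicy.$p } else { $pgPolicy.$p }
                if ($effective) {
                    [pscustomobject]@{ VMHost = $VMHost.Name; Switch = $vss.Name; PortGroup = $pg.Name; Policy = $p; Effective = 'Accept' }
                }
            }
        }
    }
}

function Repair-VssSecurityPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] $VMHost)
    foreach ($vss in ($VMHost | Get-VirtualSwitch -Standard)) {
        if ($PSCmdlet.ShouldProcess("$($VMHost.Name)/$($vss.Name)", 'Set switch security policy to Reject')) {
            $vss | Get-SecurityPolicy |
                Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
        }
        # Port groups with an explicit Accept override are returned to inheriting the switch value,
        # so the switch-level Reject becomes the single place the policy is defined.
        foreach ($pg in ($vss | Get-VirtualPortGroup -Standard)) {
            $pgPolicy = $pg | Get-SecurityPolicy
            $overrides = $Policies | Where-Object { -not $pgPolicy."${_}Inherited" -and $pgPolicy.$_ }
            if ($overrides -and $PSCmdlet.ShouldProcess("$($VMHost.Name)/$($pg.Name)", "Inherit $($overrides -join ', ') from switch")) {
                $pgPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true -MacChangesInherited $true -ForgedTransmitsInherited $true | Out-Null
            }
        }
    }
}

# Usage: findings first, then a dry run of the remediation.
Get-VMHost | ForEach-Object { Get-VssSecurityPolicyFinding -VMHost $_ } | Format-Table -AutoSize
Get-VMHost | ForEach-Object { Repair-VssSecurityPolicy -VMHost $_ -WhatIf }
```

A port group that legitimately needs Accept (for example one feeding a network monitoring appliance that requires promiscuous mode) will show up as a finding on every run; document such exceptions and exclude them by name rather than weakening the switch-level default.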
Disable ESXi Shell.
Set a timeout to automatically terminate idle ESXi Shell and SSH sessions.
Get-VMHost | Get-AdvancedSetting UserVars.ESXiShellInteractiveTimeOut | Format-Table Entity, Value
Get-VMHost | Get-AdvancedSetting UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600
Set a timeout to limit how long the ESXi Shell and SSH services are allowed to run.
Get-VMHost | Get-AdvancedSetting UserVars.ESXiShellTimeOut | Format-Table Entity, Value
Set new value:
Get-VMHost | Get-AdvancedSetting UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600
Warning for support and troubleshooting interfaces is suppressed.
Get-VMHost | Get-AdvancedSetting UserVars.SuppressShellWarning | Format-Table Entity, Value
Get-VMHost | Get-AdvancedSetting UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 0
ESXi is a version with active maintenance by VMware.
Configure NTP or PTP.
Get-VMHostService -VMHost * | Where-Object {$_.Key -eq 'ntpd'} | Format-Table VMHost, Running, Policy
List NTP Server
Get-VMHost | Sort-Object Name |
    Select-Object Name,
        @{N='NTPServer';      E={ $_ | Get-VMHostNtpServer }},
        @{N='ServiceRunning'; E={ (Get-VMHostService -VMHost $_ | Where-Object { $_.Key -eq 'ntpd' }).Running }},
        @{N='Policy';         E={ (Get-VMHostService -VMHost $_ | Where-Object { $_.Key -eq 'ntpd' }).Policy }}
Ensure that deprecated SSL/TLS protocols are disabled.
Get-VMHost | Get-AdvancedSetting UserVars.ESXiVPsDisabledProtocols | Format-Table Entity, Value
Restrict transparent page sharing to VMs configured with sched.mem.pshare.salt.
Get-VMHost | Get-AdvancedSetting Mem.ShareForceSalting | Format-Table Entity, Value
ESXi is up to date.
Verify Image Profile and VIB Acceptance Levels.
Only run binaries delivered via VIB.
Get-VMHost | Get-AdvancedSetting VMkernel.Boot.execInstalledOnly | Format-Table Entity, Value
Get-VMHost | Get-AdvancedSetting VMkernel.Boot.execInstalledOnly | Set-AdvancedSetting -Value $true
Sources and useful links
Configure Multiple Security Settings on the ESXi Hosts by Using PowerCLI