VMware Cloud Foundation 4.5

5.2 5.1 5.0 4.5
Deutsch Français Italiano 日本語 English

Configure Multiple Security Settings on the ESXi Hosts by Using PowerCLI

You perform the procedure on all ESXi hosts in all your workload domains to configure firewall settings, password policy, inactivity timeouts, failed login attempts, start up policies, join ESXi hosts to Active Directory domain, and remove ESX Admin group membership. Also, configure login banners for the Direct Console User Interface (DCUI) and SSH connections, deactivate warnings, configure persistent log location, remote logging, implement secure boot enforcement, enable TPM-based configuration encryption, enable audit logging, alocate storage record capacity, and activate bidirectional CHAP authentication by using PowerCLI commands.
To perform the procedure on the ESXi hosts for a workload domain, you connect to the vCenter Server for the respective workload domain. To run a task on all hosts for the domain, when you run commands, on the prompts to specify the object of a command, enter
[A] Yes to all
.
  1. Log in to the vCenter Server for the workload domain you want to reconfigure by using a PowerCLI console.​
    Setting
    Value
    Command
    Connect-VIServer -Server
    management-domain-vcenter-server-fqdn
    ​​ -Protocol https
    User name​
    administrator@vsphere.local​
  2. VMW-ESXI-00022
     Configure the password complexity policy for the ESXi host.
    The requirement is a length of minimum 15 characters (maximum of 64 characters) from 4 character classes that include lowercase letters, uppercase letters, numbers, special characters. Password difference is also mandatory.
    Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15 max=64"
  3. VMW-ESXI-00028
     Configure the ESXi hosts firewall to only allow traffic from the authorized management networks.
    $esxiHosts = Get-VMHost
foreach($esxiHost in $esxiHosts){
$esxcli = Get-EsxCli -v2 -VMHost $esxiHost.Name
#This disables the allow all rule for the target service.The sshServer service is the target in this example.
$arguments = $esxcli.network.firewall.ruleset.set.CreateArgs()
$arguments.rulesetid = "sshServer"
$arguments.allowedall = $false  
$esxcli.network.firewall.ruleset.set.Invoke($arguments)

#Next add the allowed IPs for the service. Note that executing the "vSphere Web Client" service this way may disable access but may be done through vCenter or through the console.
$arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() 
$arguments.rulesetid = "sshServer"
$arguments.ipaddress = "
    Site-specific networks
    "
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments)}
    This must be done for each user-configurable enabled service.
  4. VMW-ESXI-00034
     Set the maximum number of failed login attempts before an account is locked to 3.
    Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3
  5. VMW-ESXI-00038
     Configure the inactivity timeout to automatically close idle shell sessions to 600 seconds.
    Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600
  6. VMW-ESXI-00039
     Configure the timeout to automatically stop ESXi shell and SSH services to 600 seconds.
    Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600
  7. VMW-ESXI-00114
     To eliminate the need to create and maintain multiple local user accounts, join ESXi hosts to an Active Directory (AD) domain.
    Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "
    domain name
    " -User "
    username
    " -Password "
    password
    "
    If any local user accounts exist, apart from
    root
     and local service accounts, you can delete the local user accounts by going to the ESXi host UI
    Manage
    Security & Users
    Users
    .
  8. VMW-ESXI-00122
     Configure the login banner for the DCUI of the ESXi host.
    Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value "Site-Specific banner text"
  9. VMW-ESXI-00123
     Configure the login banner for the SSH connections.
    Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue | Set-AdvancedSetting -Value "Site-Specific banner text"
  10. VMW-ESXI-00136
     Configure a persistent log location for all locally stored logs.
    Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value “New Log Location”
    Specify the log location as
    [datastorename] path_to_file
    , where the path is relative to the root of the volume, backing the datastore. For example, the path
    [storage1] /systemlogs
     maps to the path
    /vmfs/volumes/storage1/systemlogs
    .
    The new location should not include a subfolder as enabling audit logging will create a folder and will fail if a subfolder is specified.
  11. VMW-ESXI-00137
     For a host added to Active Directory, use an Active Directory group instead of the default
    ESX Admins
     group for the
    esxAdminsGroup
     property on the ESXi hosts.
    Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value 
    site specifc AD_Group
    Changing the group name does not remove the permissions of the previous group.
  12. VMW-ESXI-00164
     Configure a remote log server for the ESXi hosts.
    Use the following format when adding the remote log server. You can enter multiple, comma-separated values.
    udp://
    <IP/FQDN>
    :514
    tcp://
    <IP/FQDN>
    :514
    ssl://
    <IP/FQDN>
    :1514
    Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "
    <site-specific syslog server hostname>
    "
  13. VMW-ESXI-00564
     Configure idle session timeout for the ESXi host client to 600 seconds.
    Get-VMHost | Get-AdvancedSetting -Name UserVars.HostClientSessionTimeout | Set-AdvancedSetting -Value "600"
  14. VMW-ESXI-01102
     Activate bidirectional CHAP authentication for iSCSI traffic.
    
            
    Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName 
    chap_name
     -ChapPassword 
    password
     -MutualChapEnabled $true -MutualChapName 
    mutual_chap_name
     -MutualChapPassword 
    mutual_password
  15. VMW-ESXI-01121
     Activate strict x509 verification for SSL syslog endpoints.
    Get-VMHost | Get-AdvancedSetting -Name Syslog.global.certificate.strictX509Compliance | Set-AdvancedSetting -Value "true"
  16. VMW-ESXI-01122
     Activate volatile key destruction on the host.
    Get-VMHost | Get-AdvancedSetting -Name Mem.MemEagerZero | Set-AdvancedSetting -Value "1"
  17. VMW-ESXI-01123
     Configure the host with an appropriate maximum password age.
    Get-VMHost | Get-AdvancedSetting -Name Security.PasswordMaxDays | Set-AdvancedSetting -Value "90"
  18. VMW-ESXI-01124
     Enable TPM-based configuration encryption.
    • Ensure the TPM 2.0 chip is enabled in the BIOS and the ESX UI does not show any errors.
    • This setting cannot be configured until the TPM is properly enabled in firmware.
    • Configuration encryption uses the physical TPM at install or upgrade time. If the TPM is added or enabled later, you must reconfigure the ESXi host to use the newly available TPM. After you enable TPM configuration encryption is enabled, you cannot disable it.
    $esxiHosts = Get-VMHost
foreach($esxiHost in $esxiHosts){
$esxcli = Get-EsxCli -v2 -VMHost $esxiHost.Name
$arguments = $esxcli.system.settings.encryption.set.CreateArgs()
$arguments.mode="TPM"
$esxcli.system.settings.encryption.set.Invoke($arguments)
}
    You must evacuate the host and gracefully reboot for changes to take effect.
  19. VMW-ESXI-01125
     The ESXi host must implement Secure Boot enforcement.
    $esxiHosts = Get-VMHost
foreach($esxiHost in $esxiHosts){
$esxcli = Get-EsxCli -v2 -VMHost $esxiHost.Name
$arguments = $esxcli.system.settings.encryption.set.CreateArgs()
$arguments.requiresecureboot =$true
$esxcli.system.settings.encryption.set.Invoke($arguments)
}
    You must evacuate the host and gracefully reboot for changes to take effect.
  20. VMW-ESXI-01126
     Configure the startup policy for the CIM service on the host to "off".
    Get-VMHost | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Set-VMHostService -Policy Off
  21. VMW-ESXI-01128
     Deactivate the startup policy for the SNMP service on the host.
    Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SNMP Server"} | Set-VMHostService -Policy Off
  22. VMW-ESXI-01152
     The ESXi host must disable virtual hardware management network interfaces.
    Get-VMHost | Get-AdvancedSetting -Name Net.BMCNetworkEnable | Set-AdvancedSetting -Value 0
  23. VMW-ESXI-01141
     The ESXi host must allocate audit record storage capacity to store audit records.
    Get-VMHost | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageCapacity | Set-AdvancedSetting -Value 100
  24. VMW-ESXI-01142
     ESXi host must enable audit logging.
    Get-VMHost | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageEnable | Set-AdvancedSetting -Value "true"
    VMW-ESXI-00136
     and
    VMW-ESXI-01141
     must be configured and validated before enabling audit logging.
  25. VMW-ESXI-01143
     ESXi host must off-load audit records via syslog.
    Get-VMHost | Get-AdvancedSetting -Name Syslog.global.auditRecord.remoteEnable | Set-AdvancedSetting -Value "true"
  26. VMW-ESXI-01145
     ESXi host must forward audit records containing information to establish what type of events occurred.
    Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logLevel | Set-AdvancedSetting -Value "info"
  27. VMW-ESXI-01150
     The ESXi host must deny shell access for the dcui account.
    $esxiHosts = Get-VMHost
foreach($esxiHost in $esxiHosts){
$esxcli = Get-EsxCli -v2 -VMHost $esxiHost.Name
$arguments = $esxcli.system.account.set.CreateArgs()
$arguments.id = "dcui"
$arguments.shellaccess = "false"
$esxcli.system.account.set.invoke($arguments)
}
  28. VMW-ESXI-01153
     ESXi host must enforce the exclusive running of executables from approved VIBs.
    Get-VMHost | Get-AdvancedSetting -Name VMkernel.Boot.execInstalledOnly | Set-AdvancedSetting -Value True
  29. VMW-ESXI-01154
     Configure ESXi host to use approved encryption to protect the confidentiality of network sessions.
    $esxiHosts = Get-VMHost
foreach($esxiHost in $esxiHosts){
$esxcli = Get-EsxCli -v2 -VMHost $esxiHost.Name
$arguments = $esxcli.system.tls.server.set.CreateArgs()
$arguments.profile = "NIST_2024"
$esxcli.system.tls.server.set.invoke($arguments)
}
    A reboot is required to complete the process of changing profiles.

Content feedback and comments