Configure Security Settings for vCenter Server by Using PowerCLI

To configure host password length, native VLAN, reserved VLAN, and VGT, you perform the procedure on all vCenter Server instances.
  1. Log in to vCenter Server by using a PowerCLI console.
     Setting      Value
     Command      Connect-VIServer -Server management-domain-vcenter-server-fqdn -Protocol https
     User name    administrator@vsphere.local
  2. VMW-VC-01201
    Configure all port groups to a value different from the value of the native VLAN.
    Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"
  3. VMW-VC-01202
    Configure all port groups to VLAN values that are not reserved by the upstream physical switches.
    Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"
  4. VMW-VC-01227
    Do not configure VLAN trunking in vCenter Server unless Virtual Guest Tagging (VGT) is required and authorized.
    1. If you use VLAN ranges, enter the VLAN ranges as a comma-separated list to configure trunking.
      Get-VDPortgroup "Portgroup Name" | Set-VDVlanConfiguration -VlanTrunkRange "<VLAN Range(s) comma separated>"
    2. If you use a single VLAN, enter a single VLAN ID to configure trunking.
      Get-VDPortgroup "Portgroup Name" | Set-VDVlanConfiguration -VlanId "<New VLAN#>"
  5. VMW-VC-01247
    Disable services that may be unnecessary, such as the CDP or LLDP network discovery protocols.
    Get-VDSwitch -Name "DSwitch" | Set-VDSwitch -LinkDiscoveryProtocolOperation "Disabled"
  6. VMW-VC-01265
    vCenter must reset port configuration when virtual machines are disconnected.
    $pgs = Get-VDPortgroup | Get-View
    ForEach ($pg in $pgs) {
        # Build a reconfiguration spec against the port group's current config version
        $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
        $spec.ConfigVersion = $pg.Config.ConfigVersion
        # The policy is built from a new object; review the other policy flags after the change
        $spec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
        # Reset per-port settings when the virtual machine disconnects
        $spec.Policy.PortConfigResetAtDisconnect = $True
        $pg.ReconfigureDVPortgroup_Task($spec)
    }
  7. VMW-VC-01266
    vCenter must not override port group settings at the port level on distributed switches, except for block ports.
    $pgs = Get-VDPortgroup | Get-View
    ForEach ($pg in $pgs) {
        # Build a reconfiguration spec against the port group's current config version
        $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
        $spec.ConfigVersion = $pg.Config.ConfigVersion
        $spec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
        # Disallow every port-level override except blocking ports
        $spec.Policy.VlanOverrideAllowed = $False
        $spec.Policy.UplinkTeamingOverrideAllowed = $False
        $spec.Policy.SecurityPolicyOverrideAllowed = $False
        $spec.Policy.IpfixOverrideAllowed = $False
        $spec.Policy.BlockOverrideAllowed = $True
        $spec.Policy.ShapingOverrideAllowed = $False
        $spec.Policy.VendorConfigOverrideAllowed = $False
        $spec.Policy.TrafficFilterOverrideAllowed = $False
        $pg.ReconfigureDVPortgroup_Task($spec)
    }
  8. VMW-VC-01275
    Configure the vCenter Server login banner text for access via SSH, where $VC holds the connected vCenter Server object (for example, the object returned by Connect-VIServer).
    Get-AdvancedSetting -Entity $VC -Name etc.issue | Set-AdvancedSetting -Value "Authorized login banner"
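Added example, not part of the original guide: a read-only PowerCLI audit that reports distributed switches and port groups which do not match the settings in steps 2 through 7, run against an existing Connect-VIServer session. The native VLAN, the reserved VLAN range, and the list of port groups authorized for VGT are assumed values to replace with those of your environment.

```powershell
# Constructed placeholders: replace with the native VLAN, the VLAN IDs reserved
# by the upstream physical switches, and the port groups authorized for VGT.
$NativeVlan    = 1
$ReservedVlans = 1002..1005
$VgtAuthorized = @('pg-vgt-authorized')

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Object, [string]$Rule, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Object = $Object; Rule = $Rule; Detail = $Detail })
}

# VMW-VC-01247: CDP/LLDP should be disabled on every distributed switch
foreach ($vds in Get-VDSwitch) {
    if ($vds.LinkDiscoveryProtocolOperation -ne 'Disabled') {
        Add-Finding $vds.Name 'VMW-VC-01247' "$($vds.LinkDiscoveryProtocol) $($vds.LinkDiscoveryProtocolOperation)"
    }
}

$overrides = 'VlanOverrideAllowed', 'UplinkTeamingOverrideAllowed', 'SecurityPolicyOverrideAllowed',
             'IpfixOverrideAllowed', 'ShapingOverrideAllowed', 'VendorConfigOverrideAllowed',
             'TrafficFilterOverrideAllowed'

foreach ($pg in Get-VDPortgroup) {
    $cfg = $pg.ExtensionData.Config           # vSphere API DVPortgroupConfigInfo
    if ($cfg.Uplink) { continue }             # uplink port groups trunk by design
    $vlan = $cfg.DefaultPortConfig.Vlan
    if ($vlan -is [VMware.Vim.VmwareDistributedVirtualSwitchVlanIdSpec]) {
        # VMW-VC-01201: VLAN 0 means untagged, which also lands on the native VLAN
        if ($vlan.VlanId -eq $NativeVlan -or $vlan.VlanId -eq 0) {
            Add-Finding $pg.Name 'VMW-VC-01201' "VLAN $($vlan.VlanId)"
        }
        # VMW-VC-01202: VLAN ID reserved by the physical switches
        if ($ReservedVlans -contains $vlan.VlanId) {
            Add-Finding $pg.Name 'VMW-VC-01202' "VLAN $($vlan.VlanId)"
        }
    } elseif ($vlan -is [VMware.Vim.VmwareDistributedVirtualSwitchTrunkVlanSpec]) {
        # VMW-VC-01227: trunking only where VGT is required and authorized
        if ($VgtAuthorized -notcontains $pg.Name) {
            $ranges = ($vlan.VlanId | ForEach-Object { "$($_.Start)-$($_.End)" }) -join ','
            Add-Finding $pg.Name 'VMW-VC-01227' "trunk $ranges"
        }
    }
    # VMW-VC-01265 and VMW-VC-01266: port-level policy of the port group
    $pol = $cfg.Policy
    if (-not $pol.PortConfigResetAtDisconnect) {
        Add-Finding $pg.Name 'VMW-VC-01265' 'PortConfigResetAtDisconnect=False'
    }
    $allowed = $overrides | Where-Object { $pol.$_ -eq $true }
    if ($allowed) { Add-Finding $pg.Name 'VMW-VC-01266' ($allowed -join ',') }
}
$findings | Sort-Object Object, Rule | Format-Table -AutoSize
```

The script only reads configuration; apply the Set-* commands from the steps above to remediate the rows it reports.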