

Automate the Hardening of Your Virtual Machine VMX Configurations

By William Lam, Sr. Technical Marketing Engineer

As you have probably heard, VMware has just released the official vSphere 5.0 Security Hardening Guide. In addition to providing the latest guidelines for the vSphere 5.0 platform, the new hardening guide includes several enhancements, one of which is the set of CLI (ESXi Shell, vCLI or PowerCLI) commands for assessing and/or remediating a given guideline. One section of the hardening guide that has been quite popular over the years is securing the virtual machine's VMX configuration file. You might ask: how would you go about automating these changes across all your virtual machines?

I wrote an article called Accessing Virtual Machine Settings not too long ago which shows you how to modify or add a single advanced setting to a virtual machine. You can easily modify those scripts to operate on more than one advanced setting. In this article, we demonstrate these modified scripts, which allow you to specify multiple advanced settings to be applied to a given virtual machine to help harden its configuration.

Disclaimer: These scripts are provided for informational/educational purposes only. They should be thoroughly tested before being used in a production environment.

Below are examples of both a PowerCLI and a vSphere SDK for Perl script; each accepts a file containing a list of key/value pairs of advanced settings (separated by a comma) that you wish to add or modify for a virtual machine.

Here is an example of a file containing a few of the vSphere 5 Security Hardening advanced settings I wish to add to a virtual machine:

isolation.bios.bbs.disable,TRUE
isolation.device.connectable.disable,TRUE
isolation.monitor.control.disable,TRUE
isolation.tools.diskShrink.disable,TRUE
isolation.tools.diskWiper.disable,TRUE
log.keepOld,10
log.rotateSize,100000
RemoteDisplay.maxConnections,2
tools.guestlib.enableHostInfo,FALSE
tools.setInfo.sizeLimit,1048576
vmci0.unrestricted,FALSE

Note: You can apply the advanced settings while the virtual machine is running, but the changes will NOT take effect until the virtual machine has been completely powered off and then powered back on. A guest OS reboot is not sufficient, as the VMX configuration is only read during the initial power-on.

PowerCLI

Download script: http://communities.vmware.com/docs/DOC-18653

Usage: To run this script you will need the latest version of PowerCLI installed and PowerShell v2. Paste the script into your editor or PowerCLI window once connected to the vCenter server using the Connect-VIServer cmdlet.

Here is an example of updating a virtual machine with the list of advanced settings:

(Screenshot Ps-1: updating a single virtual machine)

Here is an example where we update all VMs in a particular cluster:

(Screenshot Ps-2: updating all VMs in a cluster)

Here is an example of listing the advanced settings for the virtual machine:

(Screenshot Ps-3: listing the advanced settings of a virtual machine)
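The screenshots above show the post's own script in action but not its code. The following PowerCLI example is added here and is not the script from the post (DOC-18653); it implements the same idea (a "key,value" file applied to one VM or to every VM in a cluster) with the built-in Get-AdvancedSetting, New-AdvancedSetting and Set-AdvancedSetting cmdlets rather than the community extensions the original script used, and adds a compliance check so you can verify what is actually set on each VM. It assumes Connect-VIServer has already been run; the file path, VM name and cluster name in the usage lines are placeholders, and skipping blank and "#" lines is an extension of the post's file format.

```powershell
# Added example, not the script from the post: apply and audit a "key,value"
# list of VMX advanced settings with the PowerCLI cmdlets
# Get-AdvancedSetting / New-AdvancedSetting / Set-AdvancedSetting.
# Assumes Connect-VIServer has already been run; paths and names below are placeholders.

function Import-VmxSettingList {
    param([Parameter(Mandatory=$true)][string]$Path)
    # The file has no header row, so name the two columns ourselves.
    # Blank lines and lines starting with '#' are skipped (an extension of the
    # post's file format, added here so the list can carry comments).
    Import-Csv -Path $Path -Header Key,Value |
        Where-Object { $_.Key -and -not $_.Key.Trim().StartsWith('#') }
}

function Test-VmxCompliance {
    # Emit one row per VM and key: expected value, actual value, and whether they match.
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]$VM,
        [Parameter(Mandatory=$true)][string]$Path
    )
    begin { $desired = Import-VmxSettingList -Path $Path }
    process {
        foreach ($d in $desired) {
            $current = Get-AdvancedSetting -Entity $VM -Name $d.Key -ErrorAction SilentlyContinue
            $actual = '<not set>'
            if ($current) { $actual = [string]$current.Value }
            # VMX values are strings; compare case-insensitively so TRUE matches true.
            $ok = ($current -ne $null) -and ($actual -ieq [string]$d.Value)
            New-Object PSObject -Property @{
                VM = $VM.Name; Key = $d.Key; Expected = $d.Value; Actual = $actual; Compliant = $ok
            }
        }
    }
}

function Set-VmxSettingList {
    # Create missing keys and correct wrong ones; keys already at the desired value are left alone.
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]$VM,
        [Parameter(Mandatory=$true)][string]$Path,
        [switch]$Preview   # report what would change without reconfiguring anything
    )
    begin { $desired = Import-VmxSettingList -Path $Path }
    process {
        foreach ($d in $desired) {
            $current = Get-AdvancedSetting -Entity $VM -Name $d.Key -ErrorAction SilentlyContinue
            if ($current -and ([string]$current.Value -ieq [string]$d.Value)) { continue }
            if ($Preview) {
                Write-Output ("PREVIEW {0}: {1} -> {2}" -f $VM.Name, $d.Key, $d.Value)
                continue
            }
            if ($current) {
                Set-AdvancedSetting -AdvancedSetting $current -Value $d.Value -Confirm:$false | Out-Null
            } else {
                New-AdvancedSetting -Entity $VM -Name $d.Key -Value $d.Value -Confirm:$false -Force | Out-Null
            }
            Write-Output ("{0}: set {1} = {2}" -f $VM.Name, $d.Key, $d.Value)
        }
    }
}

# Usage, after Connect-VIServer (names and paths are placeholders):
#   Get-VM MY_VM1 | Set-VmxSettingList -Path 'C:\hardening\vmx-settings.txt' -Preview
#   Get-Cluster 'Prod-Cluster' | Get-VM | Set-VmxSettingList -Path 'C:\hardening\vmx-settings.txt'
#   Get-Cluster 'Prod-Cluster' | Get-VM | Test-VmxCompliance -Path 'C:\hardening\vmx-settings.txt' |
#       Where-Object { -not $_.Compliant } | Select-Object VM, Key, Expected, Actual | Format-Table -AutoSize
```

Run with -Preview first to see which VMs would change, and run Test-VmxCompliance afterwards: because the settings are stored per VM, the report shows drift on a VM-by-VM basis, and a value reported as set is still only read by the VMX at the next full power-off/power-on, as the note above explains.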

vSphere SDK for Perl

Download script: http://communities.vmware.com/docs/DOC-18654

Usage: To run the script you will need VMware vCLI installed on either a Windows or Linux system, or you can use the VMware vMA appliance.

The script now includes a new option called --optionlist which accepts the file containing the list of advanced settings.

Here is an example of updating a virtual machine with the list of advanced settings:

(Screenshot Secure-vmx-1: updating a virtual machine with the list of advanced settings)

Here is an example of listing the advanced settings for the virtual machine:

(Screenshot Secure-vmx-2: listing the advanced settings of a virtual machine)

As you can see, with these two scripts administrators can easily and quickly secure all their virtual machines based on the latest recommendations from the vSphere 5.0 Security Hardening Guide as well as from previous hardening guides.

Additional Resources:
If you are looking for additional automation of the vSphere 5 Security Hardening Guide, be sure to check out this script, which generates a report based on the vSphere Security Hardening Guide and supports the new vSphere 5 guide as well as the 4.1 and 4.0 guides.

Get notification of new blog postings and more by following lamw on Twitter:  @lamw

38 thoughts on “Automate the Hardening of Your Virtual Machine VMX Configurations”

  1. Tim

    Hello there, I may not have searched hard enough, but this is exactly what I have been looking to do. I am in an ESX4i environment and wondering if that is why I do not see the ‘get-vmadvancedconfiguration’ command in my PowerCLI? Would you know if that is the case, or would you happen to have the command equivalent for this environment to run on ESX4i, as I am assuming this documentation was in version 5?

    Reply
  2. Preetam

    Guys, Please read this comment. Very Important.

    log.rotateSize,10000 is missing one zero, i.e. it should be log.rotateSize,100000. For more information refer to KB 8182749.

    I request William to change this at the earliest or customer might end up configuring size which is not up to recommendation in hardening Guide.

    Thank you,
    Preetam

    Reply
    1. William LamWilliam Lam Post author

      @Preetam,

      Thanks for noticing, the above is just a sample of the various hardening parameters which was used in our script examples. I’ve gone ahead and fixed the extra “0” but customers should be looking at the vSphere Security Hardening Guide and identify the parameters they wish to apply, we merely showed an example which had a typo.

      Thanks

      Reply
    1. William LamWilliam Lam Post author

      @Tanakow,

      Unfortunately no, the free vSphere Hypervisor only has read-only access to the APIs, you will need to purchase a vSphere license to get both read/write capabilities to the API which is what the scripts are using.

      Reply
  3. Ricky

    Hi William,

    I found I can set these configuration parameters globally by adding them to /etc/vmware/config (ESXi 5). This is handy for applying the settings via kickstarts.

    Reply
    1. William LamWilliam Lam Post author

      Hi Ricky,

      Though you can set the VM parameters in that configuration file, it’s not recommended to use that as it applies them to all VMs (which may or may not be what you want). The other side effect is that you would not be able to query what settings have been applied on a per-VM basis, which makes auditing quite difficult. If you move a VM from one host to another and the host does not contain the same settings, you could easily be out of compliance without knowing about it. The recommendation is to apply this on a per-VM basis; that way the settings follow the VM.

      Reply
    1. William LamWilliam Lam Post author

      Hi Sazzy,

      The disabling of web services is not exposed in the vSphere API (part of those services includes the API, so potentially chicken/egg). If you wish to use PowerCLI, you would need to basically remote in using SSH as you would normally and execute those commands.

      Reply
  4. Jose Lopez

    Hi William,

    Thank you for making our lives so much easier!

    I am presently trying to run the Security Hardening Report Script for 4.1 and have tried to set it up on a Windows platform as we can’t add anything to our present environment (a vMA) for various reasons.

    I followed Maxim Shulga’s steps to execute on a Windows host but not being great at scripting I am struggling to replace the Linux commands which create the various folders with the Windows equivalent.

    Do you have a Windows-version of this script to use? I have reached out to Maxim, with whom you have a working relationship with but was hoping you may also have something as time is not on my side!

    Thanks again for your support.
    Jose Lopez

    Reply
    1. William LamWilliam Lam Post author

      I don’t have a Windows version of the script at the moment. The reason for vMA is just relying on a few OS level tools which I’m sure are also available on Windows. It’s been on my to-do list to check and see if I can port it over. If I get some down time, I’ll try to take a look.

      Reply
  5. Ronel Li

    Dear William,
    Thanks for your awesome sample scripts, which helped me greatly when building the cloud stack of our own.
    Currently I’m working with something related to this kb. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189
    I need to update the forbid time sync with host in the vmx file of about 200 vms.
    It seems vmAdvSettings.pl can’t really update the following parameters in the vmx file.
    tools.syncTime = "0"
    time.synchronize.continue = "0"
    time.synchronize.restore = "0"
    time.synchronize.resume.disk = "0"
    time.synchronize.shrink = "0"
    time.synchronize.tools.startup = "0"
    time.synchronize.tools.enable = "0"
    time.synchronize.resume.host = "0"

    I’ll be thrilled if you lend me a hand on that.

    Ronel Li From SMIC Shanghai China.

    Reply
  6. Piotr Mitoraj

    Is there any documentation that would describe in detail what each of these settings does? The Excel sheet with the parameters gives cryptic messages for some of them, like ‘Disable certain unexposed features’.

    Reply
  7. Totie Bash

    William, I need your help please please please. Doing this on 5.1U1
    I created a file D:\VMWARE STIG\hardening.txt with the following items:

    isolation.bios.bbs.disable,TRUE
    isolation.device.connectable.disable,TRUE
    isolation.monitor.control.disable,TRUE
    isolation.tools.diskShrink.disable,TRUE
    isolation.tools.diskWiper.disable,TRUE
    log.keepOld,10
    log.rotateSize,100000
    RemoteDisplay.maxConnections,1
    tools.guestlib.enableHostInfo,FALSE
    tools.setInfo.sizeLimit,1048576
    vmci0.unrestricted,FALSE
    isolation.tools.hgfsServerSet.disable,TRUE
    isolation.device.edit.disable,TRUE
    isolation.tools.autoInstall.disable,TRUE
    isolation.tools.copy.disable,TRUE
    isolation.tools.dnd.disable,FALSE
    isolation.tools.setGUIOptions.enable,FALSE
    isolation.tools.paste.disable,TRUE
    isolation.tools.ghi.autologon.disable,TRUE
    isolation.bios.bbs.disable,TRUE
    isolation.tools.getCreds.disable,TRUE
    isolation.tools.ghi.launchmenu.change,TRUE
    isolation.tools.memSchedFakeSampleStats.disable,TRUE
    isolation.tools.ghi.protocolhandler.info.disable,TRUE
    isolation.ghi.host.shellAction.disable,TRUE
    isolation.tools.dispTopoRequest.disable,TRUE
    isolation.tools.trashFolderState.disable,TRUE
    isolation.tools.ghi.trayicon.disable,TRUE
    isolation.tools.unity.disable,TRUE
    isolation.tools.unityInterlockOperation.disable,TRUE
    isolation.tools.unity.push.update.disable,TRUE
    isolation.tools.unity.taskbar.disable,TRUE
    isolation.tools.unityActive.disable,TRUE
    isolation.tools.unity.windowContents.disable,TRUE
    isolation.tools.vmxDnDVersionGet.disable,TRUE
    isolation.tools.guestDnDVersionSet.disable,TRUE
    isolation.tools.vixMessage.disable,TRUE
    tools.setinfo.sizeLimit,1048576

    I installed the latest PowerCLI.
    I hop into PowerShell, connect to vCenter and issue the following:

    Set-ExecutionPolicy RemoteSigned
    Add-PsSnapin VMware.VimAutomation.Core

    PS D:\VMWARE STIG> $file = Import-Csv 'D:\VMWARE STIG\hardening.txt' -Header Key,Value
    PS D:\VMWARE STIG> $VM = Get-VM MY_VM1
    PS D:\VMWARE STIG> $VM | New-AdvancedSetting -Name $file

    "$VM | New-AdvancedSetting -Name $file" – is this right? I don’t think I have the right syntax.. please please please help.

    Reply
  8. Totie Bash

    After banging my head on the table for a day I finally got it. With you and Duncan’s blog along with so many ones I checked. I got the missing piece here:
    http://www.yellow-bricks.com/2009/03/11/powershell-and-importing-csv-files/

    $stig_vm = Import-Csv 'D:\VMWARE STIG\stig_vm.txt' -Header Name,Value

    # APPLY TO JUST MY_VM1
    foreach ($line in $stig_vm) {
        New-AdvancedSetting -Entity MY_VM1 -Name $line.Name -Value $line.Value -Force -Confirm:$false | Select Entity, Name, Value
    }

    # APPLY TO ALL VMs, collecting the results and writing the report once at the end
    # ($output is the path of the CSV report; the value below is a placeholder)
    $output = 'D:\VMWARE STIG\report.csv'
    $results = foreach ($line in $stig_vm) {
        Get-VM | New-AdvancedSetting -Name $line.Name -Value $line.Value -Force -Confirm:$false | Select Entity, Name, Value
    }
    $results | Export-Csv $output -NoTypeInformation

    Reply
  9. KenK

    Why do some VMX values not work at all using the SDK? We cannot seem to set these:

    scsiX:Y.mode="persistent"
    logging="true"
    usb.present="true"

    We have been directed to add these to the VMX file so they cannot be overridden by the GUI. Shutting down the VM and manually editing each VMX is not a pleasing thought.

    Reply
  11. Ganga

    I want to add a new property and value in the advanced settings for a VM through an API call (REST call). How can I do it? Please help me: how can I call it, and what URL and body should I use for the REST call?

    Reply
  12. gajendra d ambi

    Hi William. Thanks for the script.
    The new advanced settings cmdlets won’t work on Linux-based VMs or appliances, especially with no VMware Tools.
    This is what I am doing.
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.diskWiper.disable" | Set-AdvancedSetting -Value "true" -Confirm:$false

    Reply
  20. PAVAN

    I want to execute PowerCLI scripts which can make my tasks easier, such as configuring policies, using the script. However, I wanted to know if it's possible to run the script on the vSphere Client trial version, because it only features a read-only API, unlike the full version which has both read/write APIs.

    Reply