Automate VMware VMX Security Lockdowns

When building vSphere VM templates, best practice is to incorporate a number of security lockdowns into the template. There are a variety of sources of recommended lockdowns, such as the VMware vSphere 4.1 Hardening Guide. But what if you already have VMs in production that you need to lock down, or want a simple way to configure the settings in your VM template?

Starting from some PowerCLI examples, I modified them into the script below. The script is called with a single argument, which can be the name of a VM or a wildcard, so you can make mass changes. As always, TEST, TEST, TEST! Before you lock down all the settings below, make sure you understand what each one does and decide whether you really want to disable the feature.

This script can be very handy for XenDesktop 5.0 deployments, as its MCS engine does not properly copy custom VMX settings from the template, so you are left with unsecured VMs. Use the wildcard feature to hit all of those VMs. Also note that many of the settings require the VM to be power cycled, not just rebooted, before the new values are read.

Before you run the script you will, of course, need to use the connect-viserver cmdlet to establish a secure connection to vCenter or an ESX(i) host. Once the connection is established, run the script and monitor its progress in the vCenter Recent Tasks pane.

# Configure client VM VMX security settings.
# Version 1.0, August 14, 2011
# Argument can be a single VM or a wildcard
# Requires an existing Connect-VIServer session.

# Advanced (VMX extraConfig) key/value pairs to apply to each VM.
$ExtraOptions = @{
 "isolation.device.connectable.disable"="true";
 "isolation.device.edit.disable"="true";
 "isolation.tools.copy.disable"="true";
 "isolation.tools.paste.disable"="true";
 "isolation.tools.setGUIOptions.disable"="true";
 "Isolation.tools.Setinfo.disable"="true";
 "Isolation.tools.connectable.disable"="true";
 "isolation.tools.diskShrink.disable"="true";
 "isolation.tools.diskWiper.disable"="true";
 "isolation.tools.hgfs.disable"="true";
 "isolation.tools.commandDone.disable"="true";
 "isolation.tools.getCreds.disable"="true";
 "isolation.tools.guestCopyPasteVersionSet.disable"="true";
 "isolation.tools.guestDnDVersionSet.disable"="true";
 "isolation.tools.guestlibGuestInfo.disable"="true";
 "isolation.tools.guestlibGetInfoDisable.disable"="true";
 "isolation.tools.haltReboot.disable"="true";
 "isolation.tools.haltRebootStatus.disable"="true";
 "isolation.tools.hgfsServerSet.disable"="true";
 "isolation.tools.imgCust.disable"="true";
 "isolation.tools.memSchedFakeSampleStats.disable"="true";
 "isolation.tools.runProgramDone.disable"="true";
 "isolation.tools.StateLoggerControl.disable"="true";
 "isolation.tools.unifiedLoop.disable"="true";
 "isolation.tools.upgraderParameters.disable"="true";
 "isolation.tools.vixMessages.disable"="true";
 "isolation.tools.vmxCopyPasteVersionGet.disable"="true";
 "isolation.tools.vmxDnDVersionGet.disable"="true";
 "isolation.tools.setOption.disable"="true";
 "isolation.tools.log.disable"="true";
 "log.rotateSize"="100000";
 "log.keepOld"="10";
 "Tools.setinfo.sizelimit"="1048576";
 "tools.synchronize.restore"="false";
 "time.synchronize.resume.disk"="false";
 "time.synchronize.continue"="false";
 "time.synchronize.shrink"="false";
 "time.synchronize.tools.startup"="false";
 "vmci0.unrestricted"="false";
 "guest.command.enable"="false";
 "tools.guestlib.enableHostInfo"="false";
 "isolation.tools.dnd.disable"="true";
 "RemoteDisplay.maxConnections"="1";
 "Guest.command.enabled"="false";
 "devices.hotplug"="false";
 "vmxnet.noOprom"="true"
}

# Build one reconfiguration spec that carries every option above,
# so each VM needs only a single ReconfigVM task.
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
Foreach ($Option in $ExtraOptions.GetEnumerator()) {
    $OptionValue = New-Object VMware.Vim.optionvalue
    $OptionValue.Key = $Option.Key
    $OptionValue.Value = $Option.Value
    $vmConfigSpec.extraconfig += $OptionValue
}

# Get all VMs per the argument (single name or wildcard)

$VMs = get-VM $args[0] | get-view

# Apply the spec to each VM; the new values take effect after a power cycle.
foreach($vm in $vms){
    $vm.ReconfigVM($vmConfigSpec)
}
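As an added example (this is not part of the original script above), here is a companion audit script that reads back the stored extraConfig of each matched VM and reports any key that is missing or holds an unexpected value. It is useful for confirming that a lockdown run took effect before the power cycle, and for finding VMs that MCS cloned without the template's settings. It takes the same single argument (VM name or wildcard, defaulting to every VM) and assumes an existing Connect-VIServer session. The key list shown is only a representative subset of the script's table, and the report layout and variable names are my own.

```powershell
# Audit VMX lockdown settings (added example, not part of the original script).
# Assumes an existing Connect-VIServer session. Takes the same single argument
# (VM name or wildcard) as the lockdown script; defaults to every VM.
param([string]$VMName = "*")

# Expected key/value pairs. A representative subset of the lockdown table is
# shown; paste the full $ExtraOptions table from the lockdown script here to
# audit every setting. PowerShell hashtable keys are case-insensitive, so
# "Isolation.tools.Setinfo.disable" and "isolation.tools.setinfo.disable" match.
$Expected = @{
    "isolation.device.connectable.disable" = "true";
    "isolation.device.edit.disable"        = "true";
    "isolation.tools.copy.disable"         = "true";
    "isolation.tools.paste.disable"        = "true";
    "isolation.tools.dnd.disable"          = "true";
    "RemoteDisplay.maxConnections"         = "1";
    "vmci0.unrestricted"                   = "false";
    "tools.guestlib.enableHostInfo"        = "false";
    "devices.hotplug"                      = "false"
}

$Report = @()
foreach ($vmView in (Get-VM $VMName | Get-View)) {
    # Flatten the stored extraConfig into a lookup table. This is the
    # vCenter-side configuration; a running VM only reads it after a power cycle.
    $Current = @{}
    foreach ($ov in $vmView.Config.ExtraConfig) {
        $Current[$ov.Key] = [string]$ov.Value
    }

    foreach ($key in $Expected.Keys) {
        if (-not $Current.ContainsKey($key)) {
            $state  = "MISSING"
            $actual = ""
        } elseif ($Current[$key] -ne $Expected[$key]) {
            # -ne on strings is case-insensitive, so "TRUE" still matches "true"
            $state  = "MISMATCH"
            $actual = $Current[$key]
        } else {
            continue   # compliant; only drift is reported
        }
        $Report += New-Object PSObject -Property @{
            VM       = $vmView.Name
            Key      = $key
            State    = $state
            Expected = $Expected[$key]
            Actual   = $actual
        }
    }
}

if ($Report.Count -eq 0) {
    "All matched VMs carry the expected lockdown settings."
} else {
    $Report | Sort-Object VM, Key | Format-Table VM, Key, State, Expected, Actual -AutoSize
}
```

Assuming the lockdown script is saved as securevm.ps1 and this audit as auditvmx.ps1 (both filenames are assumptions, as is the vCenter name), a typical session is `Connect-VIServer vcenter01`, then `.\securevm.ps1 "vmser*"`, then `.\auditvmx.ps1 "vmser*"` to confirm nothing was skipped. Because the audit reads the stored configuration rather than the running VMX, a VM can show as compliant here and still be running with the old values until it is power cycled.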

October 11, 2011 7:31 am

Thank you for posting this – it really helped me out.

Robert
April 26, 2013 5:44 am

Derek,
Somewhat new to PowerShell and ran across your security settings script. Can you give a command-line example of how to execute it using a wildcard or a single VM? Is it something like below?
securevm.ps1 vmser*
securevm.ps1 vmserver1
TIA
Robert