Virtual Machine STIG.

Post date: Mar 30, 2015 2:29:57 PM

When working with DoD STIGs, the following script can be run to apply the VM STIG settings to every VM in a datacenter (or to a named VM). Some STIG items cannot be applied without restarting the VM, such as removing floppy drives; those reboot-required items are not covered by this script. Updated for the latest STIG release.

#####################################################################

# Set-VMstig.ps1

#

# This will configure VM properties per ESXi5 VM STIG - 7DEC2015

#

# This does not include the required device removal, nor the requirements for environments running vShield and/or VMsafe in production. The script also assumes that VM log file rotation is not degrading system performance and that the VM requires logging to remain enabled for troubleshooting (log.keepOld / log.rotateSize below).

#

# USE EXAMPLE:

# .\Set-VMstig.ps1 NameOfVM

# .\Set-VMstig.ps1 *

#

# If the param block is removed and Get-VM is called without $VMname, every VM in the connected vCenter is configured — the same effect as passing "*". Review the target list before doing so.

#

# NOTE: This STIG should also be applied to all templates. Get-VM does not return templates, so convert each existing template to a VM, apply the STIG, then convert it back. Applying the STIG only to VMs created from a template is not sufficient to comply with the STIG.

#

# v1.2 JAN 2014

# Author: KnightUSN #####################################################################

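# Advanced script: enables -Verbose and, above all, -WhatIf / -Confirm so that
# ".\Set-VMstig.ps1 *" can be dry-run before it reconfigures every VM in vCenter.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # VM name(s) to configure. Wildcards are passed straight to Get-VM, so "*"
    # targets every VM in the connected vCenter.
    [parameter(Mandatory = $true)]
    [string[]]$VMname
)

# Resolve the targets up front. -ErrorAction Stop turns an unresolvable name into a
# terminating error, and the count check catches a wildcard that matched nothing, so
# a compliance run cannot silently "succeed" without touching a single VM.
# (Get-VM does not return templates; see the header note about converting them first.)
$VMs = @(Get-VM -Name $VMname -ErrorAction Stop)
if ($VMs.Count -eq 0) {
    throw "No virtual machine matched '$($VMname -join ', ')'. Nothing was configured."
}

# Advanced (.vmx) settings required by the ESXi5 VM STIG, in check order. Values are
# kept as strings because that is how the settings are stored in ExtraConfig.
# The trailing comment on each line is the STIG vulnerability / rule ID it satisfies.
$stigSettings = @(
    @{ Key = 'isolation.tools.autoInstall.disable';               Value = 'true'    }   # ESXi5-VM-000002 - ESXi5-201
    @{ Key = 'isolation.tools.copy.disable';                      Value = 'true'    }   # ESXi5-VM-000003 - ESXi5-202
    @{ Key = 'isolation.tools.dnd.disable';                       Value = 'true'    }   # ESXi5-VM-000004 - ESXi5-203
    @{ Key = 'isolation.tools.setGUIOptions.enable';              Value = 'false'   }   # ESXi5-VM-000005 - ESXi5-204
    @{ Key = 'isolation.tools.paste.disable';                     Value = 'true'    }   # ESXi5-VM-000006 - ESXi5-205
    @{ Key = 'isolation.tools.diskShrink.disable';                Value = 'true'    }   # ESXi5-VM-000007 - ESXi5-206
    @{ Key = 'isolation.tools.diskWiper.disable';                 Value = 'true'    }   # ESXi5-VM-000008 - ESXi5-207
    @{ Key = 'isolation.tools.hgfsServerSet.disable';             Value = 'true'    }   # ESXi5-VM-000009 - ESXi5-208
    @{ Key = 'vmci0.unrestricted';                                Value = 'false'   }   # ESXi5-VM-000011 - ESXi5-210
    @{ Key = 'isolation.monitor.control.disable';                 Value = 'true'    }   # ESXi5-VM-000013 - ESXi5-212
    @{ Key = 'isolation.tools.ghi.autologon.disable';             Value = 'true'    }   # ESXi5-VM-000014 - ESXi5-213
    @{ Key = 'isolation.bios.bbs.disable';                        Value = 'true'    }   # ESXi5-VM-000015 - ESXi5-214
    @{ Key = 'isolation.tools.getCreds.disable';                  Value = 'true'    }   # ESXi5-VM-000016 - ESXi5-215
    @{ Key = 'isolation.tools.ghi.launchmenu.change';             Value = 'true'    }   # ESXi5-VM-000017 - ESXi5-216
    @{ Key = 'isolation.tools.memSchedFakeSampleStats.disable';   Value = 'true'    }   # ESXi5-VM-000018 - ESXi5-217
    @{ Key = 'isolation.tools.ghi.protocolhandler.info.disable';  Value = 'true'    }   # ESXi5-VM-000019 - ESXi5-218
    @{ Key = 'isolation.ghi.host.shellAction.disable';            Value = 'true'    }   # ESXi5-VM-000020 - ESXi5-219
    @{ Key = 'isolation.tools.dispTopoRequest.disable';           Value = 'true'    }   # ESXi5-VM-000021 - ESXi5-220
    @{ Key = 'isolation.tools.trashFolderState.disable';          Value = 'true'    }   # ESXi5-VM-000022 - ESXi5-221
    @{ Key = 'isolation.tools.ghi.trayicon.disable';              Value = 'true'    }   # ESXi5-VM-000023 - ESXi5-222
    @{ Key = 'isolation.tools.unity.disable';                     Value = 'true'    }   # ESXi5-VM-000024 - ESXi5-223
    @{ Key = 'isolation.tools.unityInterlockOperation.disable';   Value = 'true'    }   # ESXi5-VM-000025 - ESXi5-224
    @{ Key = 'isolation.tools.unity.push.update.disable';         Value = 'true'    }   # ESXi5-VM-000026 - ESXi5-225
    @{ Key = 'isolation.tools.unity.taskbar.disable';             Value = 'true'    }   # ESXi5-VM-000027 - ESXi5-226
    @{ Key = 'isolation.tools.unityActive.disable';               Value = 'true'    }   # ESXi5-VM-000028 - ESXi5-227
    @{ Key = 'isolation.tools.unity.windowContents.disable';      Value = 'true'    }   # ESXi5-VM-000029 - ESXi5-228
    @{ Key = 'isolation.tools.vmxDnDVersionGet.disable';          Value = 'true'    }   # ESXi5-VM-000030 - ESXi5-229
    @{ Key = 'isolation.tools.guestDnDVersionSet.disable';        Value = 'true'    }   # ESXi5-VM-000031 - ESXi5-230
    @{ Key = 'isolation.tools.vixMessage.disable';                Value = 'true'    }   # ESXi5-VM-000033 - ESXi5-232
    @{ Key = 'RemoteDisplay.maxConnections';                      Value = '1'       }   # ESXi5-VM-000039 - ESXi5-238
    @{ Key = 'log.keepOld';                                       Value = '10'      }   # ESXi5-VM-000041 - ESXi5-240
    @{ Key = 'log.rotateSize';                                    Value = '100000'  }   # ESXi5-VM-000042 - ESXi5-241
    @{ Key = 'tools.setinfo.sizeLimit';                           Value = '1048576' }   # ESXi5-VM-000043 - ESXi5-242
    @{ Key = 'isolation.device.connectable.disable';              Value = 'true'    }   # ESXi5-VM-000045 - ESXi5-244
    @{ Key = 'isolation.device.edit.disable';                     Value = 'true'    }   # ESXi5-VM-000046 - ESXi5-245
    @{ Key = 'tools.guestlib.enableHostInfo';                     Value = 'false'   }   # ESXi5-VM-000047 - ESXi5-246
)

# Build one reconfigure spec and reuse it for every VM.
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
# Kept from the original script: an empty ToolsConfigInfo carries no tools settings.
$spec.Tools = New-Object VMware.Vim.ToolsConfigInfo
[VMware.Vim.OptionValue[]]$options = foreach ($setting in $stigSettings) {
    $option = New-Object VMware.Vim.OptionValue
    $option.Key = $setting.Key
    $option.Value = $setting.Value
    $option
}
$spec.ExtraConfig = $options

foreach ($vm in $VMs) {
    # Honour -WhatIf / -Confirm per VM; this is the safety net for a "*" target.
    if (-not $PSCmdlet.ShouldProcess($vm.Name, "Apply ESXi5 VM STIG advanced settings ($($stigSettings.Count) keys)")) {
        continue
    }
    try {
        $vm.ExtensionData.ReconfigVM($spec)
        Write-Verbose "Applied VM STIG settings to '$($vm.Name)'."
    }
    catch {
        # Report and keep going: one locked or inaccessible VM should not leave the
        # rest of the datacenter unconfigured. The error stream records which VM failed.
        Write-Error "Failed to reconfigure '$($vm.Name)': $($_.Exception.Message)"
    }
}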