To perform the procedure, you connect to the management domain vCenter Server and apply multiple configurations to the management virtual machines that belong to the management domain. vSphere Cluster Services (vCLS) nodes are excluded from this hardening because they are service VMs, not true VMs.

After you run the script, you must shut down the guest OS and power on (cold boot) the VMs for the advanced settings to take effect. Do not reboot the VMs. Cold boot must be performed one VM at a time so that services are not interrupted. Cold boot of vCenter Server and SDDC Manager requires a maintenance window.

Perform cold boot in the following order:

  1. NSX-T Edge nodes

  2. NSX-T Manager nodes

  3. vCenter Server

  4. SDDC Manager

| Configuration ID | Description |
|---|---|
| NIST80053-VI-VC-CFG-00070 | Disable copy operations. |
| NIST80053-VI-VC-CFG-00071 | Disable drag and drop operations. |
| NIST80053-VI-VC-CFG-00073 | Disable paste operations. |
| NIST80053-VI-VC-CFG-00076 | Disable Host Guest File System (HGFS) file transfers. |
| NIST80053-VI-VC-CFG-00097 | Disable console access through the Virtual Network Computing protocol. |
| NIST80053-VI-VC-CFG-00099 | Limit informational messages from the VM to the VMX file. |
| NIST80053-VI-VC-CFG-00101 | Prevent unauthorized removal, connection and modification through the isolation.device.connectable.disable parameter. |
| NIST80053-VI-VC-CFG-00102 | Restrict sending host information to guests. |
| NIST80053-VI-VC-CFG-00561 | Audit all uses of PCI or PCIe pass-through functionalities. |
| NIST80053-VI-VC-CFG-01232 | Lock the virtual machine guest operating system when the last console connection is closed. |
| NIST80053-VI-VC-CFG-01233 | Disable 3D features on the virtual machine when not required. |

Procedure

  1. Log in to the management domain vCenter Server by using a PowerCLI console.

    | Setting | Value |
    |---|---|
    | Command | Connect-VIServer -Server management-domain-vcenter-server-fqdn -Protocol https |
    | User name | administrator@vsphere.local |

  2. Run the script to configure advanced settings on all management virtual machines.

    You must enter the names of the VMs that you reconfigure in the first line of the script. For example, $VMs = ("edge-node1", "nsx-manager1", "vcenter-server", "sddc-manager").

    # Enter the names of the management domain VMs to reconfigure.
    $VMs = (list-of-comma-separated-management-domain-VM-names)
    # Settings that must be true: copy, drag and drop, paste, HGFS transfers, device connection, desktop autolock.
    $AdvancedSettingsTrue = ("isolation.tools.copy.disable","isolation.tools.dnd.disable","isolation.tools.paste.disable","isolation.tools.hgfsServerSet.disable","isolation.device.connectable.disable","tools.guest.desktop.autolock")
    # Settings that must be false: VNC console, host information to guests, PCI pass-through present flag, 3D features.
    $AdvancedSettingsFalse = ("RemoteDisplay.vnc.enabled","tools.guestlib.enableHostInfo","pciPassthru*.present","mks.enable3d")
    Foreach ($vm in $VMs){
        Foreach ($advancedSetting in $AdvancedSettingsTrue) {
            $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
            # Create the setting if it is missing, otherwise correct a wrong value.
            if(!$setting.Name){
                Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value true -Confirm:$false
            }
            elseif($setting.Value -ne $true){
                Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value true -Confirm:$false
            }
        }
        Foreach ($advancedSetting in $AdvancedSettingsFalse) {
            $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
            if(!$setting.Name){
                Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value false -Confirm:$false
            }
            elseif($setting.Value -ne $false){
                Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value false -Confirm:$false
            }
        }
        # Limit informational messages written from the VM to the VMX file (1048576 bytes).
        $advancedSetting = "tools.setinfo.sizeLimit"
        $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
        if(!$setting.Name){
            Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value 1048576 -Confirm:$false
        }
        elseif($setting.Value -ne 1048576){
            Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value 1048576 -Confirm:$false
        }
    }
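    After the script has run and the VMs have been cold-booted, you will want to confirm that every setting in the configuration table is present with its expected value. The following audit script is an added example and is not part of the VMware procedure; it assumes an existing Connect-VIServer session, and the VM names it uses are constructed placeholders.

```powershell
# Added audit example, not part of the VMware procedure. Assumes an existing
# Connect-VIServer session; the VM names below are constructed placeholders.
$VMs = ("edge-node1", "nsx-manager1", "vcenter-server", "sddc-manager")

# Expected values for the settings in the configuration table above.
$Expected = [ordered]@{
    "isolation.tools.copy.disable"          = "true"
    "isolation.tools.dnd.disable"           = "true"
    "isolation.tools.paste.disable"         = "true"
    "isolation.tools.hgfsServerSet.disable" = "true"
    "isolation.device.connectable.disable"  = "true"
    "tools.guest.desktop.autolock"          = "true"
    "RemoteDisplay.vnc.enabled"             = "false"
    "tools.guestlib.enableHostInfo"         = "false"
    "pciPassthru*.present"                  = "false"
    "mks.enable3d"                          = "false"
    "tools.setinfo.sizeLimit"               = "1048576"
}

function Get-VmHardeningReport {
    param(
        [Parameter(Mandatory)][string[]]$VmNames,
        [Parameter(Mandatory)][System.Collections.IDictionary]$ExpectedSettings
    )
    foreach ($name in $VmNames) {
        $vm = Get-VM -Name $name -ErrorAction Stop
        foreach ($key in $ExpectedSettings.Keys) {
            # Get-AdvancedSetting treats '*' in -Name as a wildcard, so a name such as
            # pciPassthru*.present may return several entries; every one must match.
            $found = @($vm | Get-AdvancedSetting -Name $key -ErrorAction SilentlyContinue)
            $wrong = @($found | Where-Object { [string]$_.Value -ne $ExpectedSettings[$key] })
            $status = if ($found.Count -eq 0) { "NotSet" }
                      elseif ($wrong.Count -gt 0) { "NonCompliant" }
                      else { "Compliant" }
            # Values are read from the stored VMX configuration; they are only
            # effective in the guest after the cold boot described above.
            [PSCustomObject]@{
                VM       = $vm.Name
                Setting  = $key
                Expected = $ExpectedSettings[$key]
                Current  = ($found | ForEach-Object { [string]$_.Value }) -join ","
                Status   = $status
            }
        }
    }
}

$report = Get-VmHardeningReport -VmNames $VMs -ExpectedSettings $Expected
# Show only the findings that still need attention; drop the filter for the full report.
$report | Where-Object { $_.Status -ne "Compliant" } | Format-Table -AutoSize
```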